PHP.INI PHP_MAX_UPLOAD, etc.

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

seodevhead
Forum Regular
Posts: 705
Joined: Sat Oct 08, 2005 8:18 pm
Location: Windermere, FL


Post by seodevhead »

Hey guys...

I have a lot of forms on my site that allow file uploads, be it pictures, PDF documents, etc. I want to allow up to 100 MB uploads per form submission, and thus far have been altering .htaccess files on a per-dir context to allow up to 100 MB with the PHP.INI configuration parameters such as PHP_MAX_UPLOAD, etc. (I think these are the params).

Anyways... would you guys see any problem in me just altering the global php.ini and allowing the max post size and upload size to be 100 MB? Would 100 MB max size globally be opening me up to trouble from a security standpoint? Or am I way too paranoid? I think my current php.ini has the max post size at like 2 MB... which is way too small.

Any opinions I'd love to hear. Thanks.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

If someone wanted to severely affect your server they need only upload several hundred megabyte files to it then. With the limit set in most locations to a small size, it's a bit (although only slightly) more difficult to exploit.
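
The trade-off discussed in this thread, as an added example that is not part of the original posts: a small audit script that reads a global php.ini and per-directory .htaccess overrides, flags a large global limit, and catches a per-directory override that raises `upload_max_filesize` without raising `post_max_size`. The directive names are PHP's actual `upload_max_filesize` and `post_max_size`; the 8 MB threshold, the function names and the sample file contents are assumptions made for the example.

```python
import re

# PHP shorthand sizes: K, M and G are powers of 1024; no suffix means bytes.
UNITS = {"": 1, "K": 1024, "M": 1024**2, "G": 1024**3}
# PHP's built-in defaults, used when php.ini does not set a directive.
DEFAULTS = {"upload_max_filesize": 2 * 1024**2, "post_max_size": 8 * 1024**2}

def to_bytes(value):
    m = re.fullmatch(r"(\d+)\s*([KMG]?)", value.strip(), re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised size: {value!r}")
    return int(m.group(1)) * UNITS[m.group(2).upper()]

def parse_php_ini(text):
    """Upload limits set in php.ini text ('name = value', ';' starts a comment)."""
    found = {}
    for line in text.splitlines():
        name, sep, value = line.split(";", 1)[0].partition("=")
        if sep and name.strip() in DEFAULTS:
            found[name.strip()] = to_bytes(value.strip().strip('"'))
    return found

def parse_htaccess(text):
    """Upload limits set through mod_php 'php_value name value' lines."""
    found = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) == 3 and parts[0].lower() == "php_value" and parts[1] in DEFAULTS:
            found[parts[1]] = to_bytes(parts[2])
    return found

def audit(global_ini, per_dir, max_global=8 * 1024**2):
    """per_dir maps directory -> .htaccess text; max_global is an assumed policy."""
    base = {**DEFAULTS, **parse_php_ini(global_ini)}
    findings = [f"global {name}={size} applies to every script on the server"
                for name, size in base.items() if size > max_global]
    for directory, text in per_dir.items():
        eff = {**base, **parse_htaccess(text)}   # per-directory values win
        post, upload = eff["post_max_size"], eff["upload_max_filesize"]
        if post and post < upload:               # post_max_size 0 means unlimited
            findings.append(f"{directory}: post_max_size {post} < upload_max_filesize {upload}")
    return findings

# Constructed sample input, not taken from the thread.
GLOBAL_INI = "upload_max_filesize = 2M\npost_max_size = 8M ; small global limit\n"
HTACCESS = {"/uploads": "php_value upload_max_filesize 100M\n"}  # post_max_size not raised

if __name__ == "__main__":
    print("\n".join(audit(GLOBAL_INI, HTACCESS)) or "no findings")
```

`php_value` lines in .htaccess only take effect when PHP runs as an Apache module and the server's `AllowOverride` setting permits them.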