
Increasing Upload Limits and Security...

Posted: Sat Sep 27, 2008 1:46 pm
by seodevhead
I have some scripts on a new website that allow people to upload photos. These days, photos are so large, these upload scripts absolutely LAUGH at php's default 2MB upload_max_filesize limit.

It is not out of the ordinary for people to want to upload 100-200 MB of photos with each post in my scripts. I know I can allow this by putting the following in each .htaccess for each script's directory:

php_value max_execution_time 200
php_value upload_max_filesize 175M
php_value post_max_size 200M
php_value memory_limit 100M

So my question is:

Is this acceptable? Is it acceptable on the security front? And is it acceptable on the performance front? What is one to do in a situation like mine where I want my users to be able to upload 5-10 full resolution photos?

NOTE: Due to time constraints... I cannot utilize FTP to upload these photos. I need to stick with PHP's built-in file uploading $_FILE method. Thanks for your help.

Re: Increasing Upload Limits and Security...

Posted: Mon Sep 29, 2008 3:54 am
by Mordred
Wow, that's a lot of porn!

It definitely puts strain on your server. I'm not sure of the security implications, apart from the usual ones related to file uploads (in short: make sure they won't upload PHPs :)
Set this up on a lab machine (try a virtual appliance with RAM and CPU limits similar to your hosting) and write some curl scripts to upload huge files and see for yourself how long it will take to bring it down.
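
Added example, not part of the thread: one way to handle the "make sure they won't upload PHPs" point for a multi-photo $_FILES upload. The field name photos[], the 10 MB per-file cap, the allowed types and the destination path are assumptions chosen for illustration.

```php
<?php
// Added example; MAX_BYTES, ALLOWED and the paths below are assumed values.
const MAX_BYTES = 10 * 1024 * 1024; // per-file cap, enforced in code as well as php.ini
const ALLOWED = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

// Validate one uploaded file; return the extension the server will store it under.
function checkPhoto(string $tmpPath, int $error, int $size): string
{
    if ($error !== UPLOAD_ERR_OK) {
        // Covers UPLOAD_ERR_INI_SIZE (over upload_max_filesize), partial uploads, etc.
        throw new RuntimeException("upload failed, code $error");
    }
    if ($size <= 0 || $size > MAX_BYTES) {
        throw new RuntimeException('file size outside allowed range');
    }
    // Detect the type from the file content. $_FILES[...]['type'] and the
    // original filename are client-supplied and must not be trusted.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime === false || !isset(ALLOWED[$mime])) {
        throw new RuntimeException('not an accepted image type');
    }
    if (@getimagesize($tmpPath) === false) {
        throw new RuntimeException('file does not parse as an image');
    }
    return ALLOWED[$mime];
}

// Store every file from a photos[] field; returns the generated file names.
function storePhotos(array $files, string $destDir): array
{
    $stored = [];
    foreach ($files['tmp_name'] as $i => $tmp) {
        $ext = checkPhoto($tmp, (int) $files['error'][$i], (int) $files['size'][$i]);
        // Server-chosen name and extension: a valid image can still carry PHP
        // code in its metadata, so what prevents execution is that the stored
        // name never ends in .php and the directory is not served as scripts.
        $name = bin2hex(random_bytes(16)) . '.' . $ext;
        if (!move_uploaded_file($tmp, $destDir . '/' . $name)) {
            throw new RuntimeException('could not store upload');
        }
        $stored[] = $name;
    }
    return $stored;
}

// Form field: <input type="file" name="photos[]" multiple>
// $names = storePhotos($_FILES['photos'], '/var/uploads/photos'); // outside the web root
```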

Re: Increasing Upload Limits and Security...

Posted: Mon Sep 29, 2008 12:41 pm
by kaisellgren
175 MB max upload filesize? Why? I mean... the biggest JPEG picture that I can find in my family photo album is around 5 MB in size. How can anyone ever reach that size if you are only accepting photos? From what I understand, that is the limit for a single file, not for all files combined, which is what you might be thinking? For example, most picture hosts allow sizes around 1-4 MB per file... what you are doing is allowing sizes of 175 MB per picture? :/

Your settings kind of suck, really. Look at the max execution time = 200 seconds.

Well, in my country, I have a pretty fast Internet connection. My download rate is around 1000 kBps, and upload rate is 100 kBps. Let's do some calculations.

100 kB * 200 = 20 000 kB, or 20 MB. What if the user has a 256k DSL? He is barely able to upload a file of at most 5 MB. Remember, we are talking about theoretical limits here. If the uploader is surfing the Internet or uploading something else at the same moment, his upload rate will go down even more - aka it takes longer to upload.

My suggestions: lower your max filesize a lot and put the execution time higher.