filesize info in header

Posted: Sun May 10, 2009 5:51 am
by estarapapax
I'm building a website which allows users to put the URL of their text files in a query parameter. Ex:
process.php?loc=http://domain.com/user/filename.txt

My PHP scripts always load the contents of these text files and that's why I need to check the filesize of these files, to prevent my site from crashing. But now, I got a bigger question. What if a hacker is able to change the filesize header info but in actuality the file is still extra large? Will Apache (I am using Apache) stop downloading the bits in excess of the declared filesize in the header, or will it load the entire large file regardless of the filesize header info?

Re: filesize info in header

Posted: Sun May 10, 2009 9:24 am
by kaisellgren
How are you exactly doing this limitation?

My guess is that the file is downloaded to a temporary location, checked for its size and then either deleted permanently or moved into the final destination.

Are you using default PHP upload capabilities?

Re: filesize info in header

Posted: Sun May 10, 2009 12:14 pm
by jazz090
Why are you making this complicated? Just read the file with get_file_contents() and equal it to a var.
Use strlen() to get its length instead of the filesize(), this way filesize and contents are always in the same level.

Re: filesize info in header

Posted: Sun May 10, 2009 12:23 pm
by kaisellgren

Code:

filesize($a) == strlen(file_get_contents($a,FILE_BINARY))
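
Added example, not part of any post in this thread: one way to keep an oversized remote file out of memory is to count bytes while streaming and abort at a fixed cap, so the limit holds whatever size the remote server declares. The names `MAX_BYTES`, `read_capped()` and `fetch_capped()`, the 1 MiB limit and the 10-second timeout are assumptions made for this sketch.

```php
<?php
// Added example; MAX_BYTES, read_capped() and fetch_capped() are hypothetical names.
const MAX_BYTES = 1048576; // assumed 1 MiB limit

// Read a stream to EOF, aborting as soon as more than $maxBytes have arrived.
function read_capped($stream, int $maxBytes): string
{
    $data = '';
    while (!feof($stream)) {
        // Request at most one byte past the cap so an oversize body is detected.
        $chunk = fread($stream, min(8192, $maxBytes + 1 - strlen($data)));
        if ($chunk === false || stream_get_meta_data($stream)['timed_out']) {
            throw new RuntimeException('read failed or timed out');
        }
        $data .= $chunk;
        if (strlen($data) > $maxBytes) {
            throw new LengthException("body exceeds $maxBytes bytes");
        }
    }
    return $data;
}

// Fetch a user-supplied URL; the byte counter, not Content-Length, sets the limit.
function fetch_capped(string $url, int $maxBytes = MAX_BYTES): string
{
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if ($scheme !== 'http' && $scheme !== 'https') {
        throw new InvalidArgumentException('only http(s) URLs are accepted');
    }
    $ctx = stream_context_create(['http' => ['timeout' => 10]]);
    $stream = @fopen($url, 'rb', false, $ctx);
    if ($stream === false) {
        throw new RuntimeException('could not open URL');
    }
    try {
        return read_capped($stream, $maxBytes);
    } finally {
        fclose($stream);
    }
}

// Constructed offline demo: a 2 MiB in-memory body against the 1 MiB cap.
$fake = fopen('php://memory', 'w+b');
fwrite($fake, str_repeat('A', 2 * MAX_BYTES));
rewind($fake);
try {
    read_capped($fake, MAX_BYTES);
} catch (LengthException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

In `process.php` the call would be `fetch_capped($_GET['loc'])` inside a `try` block, with the exceptions mapped to an error response.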