I have a website that allows users to upload files up to 50 megs in size via PHP. I have configured my PHP to allow for this, and in doing so, had to raise my max_execution_time and max_input_time to 15 minutes. I'm afraid my site will get bogged down if too many people start uploads for large files and just close the window, leaving the script in limbo for 15 minutes until it times out. I think this could lead to easily disabling my site if people caught on to this vulnerability.
Are my assumptions correct? And is there any way for PHP to detect that the upload form was closed or unloaded and timeout that connection?
Sorry, this is more of a hybrid code/security question.
Forced connection timeouts on browser unloads
- monkeynest
- Chris Corbyn
I believe your assumptions are correct. I personally wouldn't have raised the max_execution_time in the ini file since that's a global change. There is a function called set_time_limit() which you can use on a per-script basis.
As for detecting if the browser has closed, I'm not 100% sure how easy it would be using PHP if there is an upload in progress at the time, but perhaps something with sockets or ajax might be of use... I'm not 100% on that though.
Re: Forced connection timeouts on browser unloads
monkeynest wrote: Are my assumptions correct?
Yes.
monkeynest wrote: And is there any way for PHP to detect that the upload form was closed or unloaded and timeout that connection?
Not reliably. You can set the idle timeout up (can be problematic on some connections), you can script a javascript event (many users disable it, the trigger isn't widely supported, etc), and you can do garbage collection, but in the end, they are bandaids. They aren't reliable.
- monkeynest
d11wtq wrote: There is a function called set_time_limit() which you can use on a per-script basis.
Thank you so much, that sounds extremely useful and should explain why my site is a little bogged down at the moment from just browsing the site. I think that's just what I was looking for.
http://us2.php.net/manual/en/features.c ... ndling.php
This does not apply to file uploads I don't think though, worth the read. If it is worth the trouble there are ways to compile in libraries that would let you handle the uploads. Another option is to use Perl (I think it allows raw request header access for things such as uploading files), and have the Perl script call your PHP script with the path of the uploaded file. It may be easy to accomplish this in Perl, I wouldn't know for sure. Maybe someone can shed some light.
- feyd
What about max_input_time?
I don't think that's the answer, that would cut out legitimate uploads that are going slow; he wants to end scripts if the user aborts the upload. Something like that would require raw handling of the uploads (the user abort functions work with data being sent back to the client, not before the server sends its 200 OK)
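The following is an added example, not code posted by anyone in this thread. It shows an upload handler that sets a short per-script limit with set_time_limit() instead of a global max_execution_time, and it rejects partial or oversized uploads. The form field name "userfile" and the directory /var/uploads are assumptions made for illustration.

```php
<?php
// upload.php - added illustration; "userfile" and UPLOAD_DIR are hypothetical.
const MAX_BYTES  = 50 * 1024 * 1024;  // the 50 MB limit from the question
const UPLOAD_DIR = '/var/uploads';    // assumed to sit outside the web root

// PHP has already received the whole request body before this line runs.
// The transfer is bounded by max_input_time, post_max_size and
// upload_max_filesize (per-directory settings, not changeable via ini_set()),
// so this limit only needs to cover the processing done below.
set_time_limit(30);

// Keep the default: abort the script if the client is gone. PHP only notices
// a disconnect when it tries to send output, never during the upload itself.
ignore_user_abort(false);

function reject(int $status, string $msg): void
{
    http_response_code($status);
    header('Content-Type: text/plain');
    exit($msg . "\n");
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !isset($_FILES['userfile'])) {
    reject(400, 'No file received');
}
$file = $_FILES['userfile'];

// A field named "userfile[]" would make 'error' an array; accept one file only.
if (!is_int($file['error'])) {
    reject(400, 'Exactly one file expected');
}
if ($file['error'] !== UPLOAD_ERR_OK) {
    // Covers UPLOAD_ERR_PARTIAL (transfer cut short) and the size errors.
    $tooBig = in_array($file['error'], [UPLOAD_ERR_INI_SIZE, UPLOAD_ERR_FORM_SIZE], true);
    reject($tooBig ? 413 : 400, 'Upload failed (code ' . $file['error'] . ')');
}
if ($file['size'] > MAX_BYTES || !is_uploaded_file($file['tmp_name'])) {
    reject(413, 'File rejected');
}

// Never reuse the client-supplied file name; store under a random one.
$target = UPLOAD_DIR . '/' . bin2hex(random_bytes(16));
if (!move_uploaded_file($file['tmp_name'], $target)) {
    reject(500, 'Could not store file');
}
echo "Stored\n";
```

Because max_input_time and the upload size limits cannot be changed at runtime, raising them for this one script means setting them per directory in the server configuration rather than in the global php.ini.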