Security issues of let users save files from URL

Question

I'm developing a script to grab small sized files (less than 1 MB) from user given a URLs and save them on my server.

My main concern is what if someone tried to upload large files like 1 GB files or even bigger? How do I control the file grabbing if it is a large file?

I tried some of the answers on the web but all of them process the whole file. For a 700 MB video file, it took couple of minutes, does that mean the process taking my server resources?

What if a hacker keep posting URLs to large files so those process will eat up my server resources and I will loose visitors.

Can someone advice me on this?

PHP has [`upload_max_filesize`](http://www.php.net/manual/en/ini.core.php#ini.upload-max-filesize) and [`post_max_size`](http://www.php.net/manual/en/ini.core.php#ini.post-max-size) settings which will solve your problem - the biggest issue is making sure the user isn't posting anything malicious - executable code that could be run on your server. — Emissary, Nov 16 '13 at 18:12
That's a great point! All I have to do is change max upload size, then take care of file types in PHP. Thanks. — Naveen Gamage, Nov 16 '13 at 18:17

score 1 · Answer 1 · answered Nov 16 '13 at 18:18

1

You can set your upload file size here. Like this

<?php
ini_set('post_max_size', '20K'); // If you need it like 10 MB , Set is as 10M
ini_set('upload_max_filesize', '20K');

answered Nov 16 '13 at 18:18

Shankar Narayana Damodaran

68,075
43
96
126

score 1 · Accepted Answer · answered Nov 16 '13 at 18:27

This should do the trick. No file bigger than 1 megabyte can be uploaded

if($_FILES['file']['size'] < 1048576) { // This is one megabyte (in bytes)
    // the file is within size restriction, continue
} else {
    // File is too large, return an error
}

Then you could use some javascript to test the file size before upload, but just remember you can't rely on it for security.

score -1 · Answer 3 · edited May 23 '17 at 12:28

-1

Ninja edit: Not a good answer for security purposes

you can check the file size in javascript so you don't need to send it to the server. You can find the full explanation here: JavaScript file upload size validation

edited May 23 '17 at 12:28

Community

1
1

answered Nov 16 '13 at 18:14

Daniel Ruiz

11
4

2

When the question concerns security, client-side validation isn't a good answer :/ – Emissary Nov 16 '13 at 18:19
True, you could just evade the filecheck and send any file with an easy script – Daniel Ruiz Nov 16 '13 at 18:24

Security issues of let users save files from URL

3 Answers3