I'm getting some variables with $_POST, mainly inputted by the user on a form.
To prevent huge values to be inserted in the form, I can check those variables and return an error to the user if they're to long.
However, I can't do that if the user input a REALLY long value because, in this case, the entire script crash before I can even refuse to process that variable. Is this a threat to the security of my server?
How can I fix this without increasing the default memory limit? Is it possible?
Restraining user input with a javascript could be an option, but the user may easily overcome that limit by disabling javascript.
You can limit the maximum size of a post body using the ini directive post_max_size. However its defaults to 8M. If it is unchanged it should be ok as the default memory_limit is 128M. (php 5.3)
But of course this depends on what you are about to do with the data and how much memory PHP will consume for this. In extreme speak, it would be even possible to create an example script that reaches the memory limit with a 1 byte input. So you'll have to find the proper value for your application.
From the documentation
Sets max size of post data allowed. This setting also affects file upload. To upload large files, this value must be larger than upload_max_filesize. If memory limit is enabled by your configure script, memory_limit also affects file uploading. Generally speaking, memory_limit should be larger than post_max_size. When an integer is used, the value is measured in bytes. Shorthand notation, as described in this FAQ, may also be used. If the size of post data is greater than post_max_size, the $_POST and $_FILES superglobals are empty. This can be tracked in various ways, e.g. by passing the $_GET variable to the script processing the data, i.e. , and then checking if $_GET['processed'] is set.
Do you have access to php.ini? You can set upload_max_filesize / post_max_size
See here for details: http://php.net/manual/en/ini.core.php#ini.sect.file-uploads
(p.s. setting maxlength in the HTML form is easily circumvented by a malicious user)
Divides the data on the client into parts and download in parts via Ajax, then save the downloaded part on the disc or in the database. Maybe this way?
Related
This question already has answers here:
PHP post_max_size vs upload_max_filesize, what is the difference?
(2 answers)
Closed last month.
Im actually confused both upload_max_size and post_max_size.
I searched on the google. but all the results show about how to increase size. but my question is what is post_max_size.
Post_max_size
Sets max size of post data allowed. This setting also affects file upload. To upload large files, this value must be larger than upload_max_filesize.
Generally speaking, memory_limit should be larger than post_max_size. When an int is used, the value is measured in bytes. Shorthand notation, as described in this FAQ, may also be used. If the size of post data is greater than post_max_size, the $_POST and $_FILES superglobals are empty.
This can be tracked in various ways, e.g. by passing the $_GET variable to the script processing the data, i.e. , and then checking if $_GET['processed'] is set.
Just literately from PHP.net
According to official PHP manual:
Sets max size of post data allowed. This setting also affects file
upload. To upload large files, this value must be larger than
upload_max_filesize. Generally speaking, memory_limit should be larger
than post_max_size. When an int is used, the value is measured in
bytes. Shorthand notation, as described in this FAQ, may also be used.
If the size of post data is greater than post_max_size, the $_POST and
$_FILES superglobals are empty. This can be tracked in various ways,
e.g. by passing the $_GET variable to the script processing the data,
i.e. , and then checking if
$_GET['processed'] is set.
https://www.php.net/manual/en/ini.core.php#ini.post-max-size
Is upload_max_filesize for one single file or for multiple files?
For example, if the property is set to upload_max_filesize: 5M, is it possible to upload three single files which are 2 MB each (for a total of 6MB)? Or will that not work because upload_max_filesize is set to 5MB?
I've been doing some tests but I would like to know the community's perspective.
Use post_max_size to set the total and upload_max_filesize for max per file.
Check: https://www.php.net/manual/en/ini.core.php#ini.upload-max-filesize
upload_max_filesize int - The maximum size of an uploaded file. When an int is used, the value is measured in bytes. Shorthand notation, as described in this FAQ, may also be used.
And https://www.php.net/manual/en/ini.core.php#ini.post-max-size
post_max_size int - Sets max size of post data allowed. This setting also affects file upload. To upload large files, this value must be larger than upload_max_filesize. Generally speaking, memory_limit should be larger than post_max_size. When an int is used, the value is measured in bytes. Shorthand notation, as described in this FAQ, may also be used. If the size of post data is greater than post_max_size, the $_POST and $_FILES superglobals are empty. This can be tracked in various ways, e.g. by passing the $_GET variable to the script processing the data, i.e. <form action="edit.php?processed=1">, and then checking if $_GET['processed'] is set.
I can confirm that upload_max_filesize is the maximum size per file.
e.g. with upload_max_filesize=2M, you can upload 3 files of 1.5M.
I just confirmed this by testing.
Limits you should care about:
upload_max_filesize (default 2M): max size per individual file;
max_file_uploads (default 20): max number of files you can send per request;
post_max_size (default 8M): max raw POST data size per request;
post_max_size must be greater than the sum of the sizes of:
all uploaded files
all data in other POST fields
a few extra KB to account for the multipart/form-data overhead (headers/boundaries) that wrap every single file and every single POST field in the payload.
Be really careful with these limits, as PHP will not error if you exceed one of them; instead, you'll end up with partial or empty $_POST or $_FILES and might have a hard time debugging the issue.
For example, max_file_uploads will silently ignore any file past the nth uploaded file, and you'll end up with a truncated list of files with no warning whatsoever.
Web browsers have a limit to how much data (characters) can be posted to prevent attacks. In IE its roughly 2000 characters, and in Chrome its around 65,000.
I'm trying to post a form that has a field containing 200,000+ characters (a json strong of vectors to be precise).
This is way more than any browser will allow, so the PHP page that receives the post only sees about 40% of the data.
The only way I can think of getting around this is to stream the form post so that PHP can receive it incrementally.
Is this possible to do with $raw = file_get_contents('php://input'); in combination with a form encoding type of "application/octet-stream" for example?
Many thanks,
Seb
If you're working with PHP under Linux or similar, you can control these using .htaccess, like so:
#set max post size
php_value post_max_size 50M
Hope this will allow you to send more data rather than messing up with coding.
The url portion of a request (GET and POST) can be limited by both the
browser and the server - generally the safe size is 2KB as there are
almost no browsers or servers that use a smaller limit.
The body of a request (POST) is normally* limited by the server on a
byte size basis in order to prevent a type of DoS attack (note that
this means character escaping can increase the byte size of the body).
The most common server setting is 10MB, though all popular servers
allow this to be increased or decreased via a setting file or panel.
You're confusing URL length limits with upload limits. Data passed via URLs is a GET query, and those ARE length-limited on a per-browser basis.
If you need to pass arbitrary "large" data, then you use POST, which has no arbitrary client-side length limits and is subject only to the server configured limits.
Ok - found what the problem was. Data was travelling through a WAF filter before reaching Apache. This is running mod_security which had a post limit of 64Kb.
I read http://www.php.net/manual/en/ini.core.php#ini.post-max-size.
memory_limit must > post_max_size . Then if user upload a file 500MB then how much total RAM use ?
does it use >500MB ?
No, memory_limit need not be greater than post_max_size.
PHP has different POST readers and handlers depending on the content type of the request. In case of "multipart/form-data" (what is used for sending files), rfc1867_post_handler acts as a mixed reader/handler. It populates both $_POST and $_FILES. What goes into $_POST counts towards the memory limit, what goes into $_FILES also counts.
However, $_FILES has just meta-data about the files, not the files themselves. Those are just written into the disk and hence don't count towards the memory limit.
I have a PHP form for uploading files and it works fine and displays an error message if something went wrong. This is all good.
The problem is when I test with a really big file, it just refreshes the page as if I hadn't sent a file at all, and none of the $_POST variables from the form are even sent to the server.
I want to display an error to the user, letting them know that the file is too big. However, I can't do this.
Does anyone know what is happening?
Check your PHP ini file, which governs how large a file PHP will allow to be uploaded. These variables are important:
max upload filesize (upload_max_filesize)
max post data size (post_max_size)
memory limit (memory_limit)
Any uploads outside these bounds will be ignored or errored-out, depending on your settings.
This section in the docs has the best summary: http://ca3.php.net/manual/en/features.file-upload.common-pitfalls.php
EDIT: Also note that most browsers won't send uploads over 2GB in size. This link is outdated, but gives an idea: http://www.motobit.com/help/scptutl/pa98.htm. Anyone have a better source of info on this?
There are also limits that can be imposed by the server, such as Apache: http://httpd.apache.org/docs/2.2/mod/core.html#limitrequestbody
To truly see what's going on, you should probably check your webserver logs, check the browser upload limit (if you're using firefox), and try seeing if print_r($_FILES) generates any useful error numbers. If all else fails, try the net traffic monitor in firebug. The key is to determine if the request is even going to the server, and if it is what the request (including headers) looks like. Once you've gotten that far in the chain, then you can go back and see how PHP is handling the upload.
Your $_POST is most likely empty because the upload exceeded the post_max_size directive:
From PHP's directives page:
If the size of post data is greater
than post_max_size, the $_POST
and $_FILES superglobals are empty.
This can be tracked in various ways,
e.g. by passing the $_GET variable to
the script processing the data, i.e.
<form
action="edit.php?processed=1">, and
then checking if $_GET['processed']
is set.
you can not know the size of the file that is being uploaded, until it gets fully uploaded. so if you want to determine the file size, and then show an error for large files, first you must have the file uploaded, then check the file size. inorder to have a large file uploaded, you should set 2 settings in your php configuration file, php.ini.
open it up and search for "upload_max_filesize" and set the value to maximum value you want. then you must set the maximum value for POST parameters, because uploaded files are recieved via HTTP POST method. find "post_max_size" and set it to a large value to.
apart form the options as the former users answered:
max upload filesize (upload_max_filesize)
max post data size (post_max_size)
memory limit (memory_limit)
there is also one, when the file is very large, or the line is busy, there need to much time to execute this operation, which will hit to ceil of the script execution limit.
max_execution_time
I would implement a simple script that does regular ajax calls to know how much of the upload has been done. You can then implement some sort of progress bar. There are a couple of examples on the net:
http://martinjansen.com/2007/04/28/file-upload-progress-bars-with-php/
max upload filesize (upload_max_filesize)
max post data size (post_max_size)
are the directives you need to set. I have tested it with multiple OS, browsers etc and these are the only two thing you need be worried about.