PHP File Uploading Limits. security and performance.

Discussing the security and performance implications of PHP's file uploads

         

apacheMan

6:47 pm on Sep 27, 2008 (gmt 0)

10+ Year Member



I have some scripts on a new website that allow people to upload photos. These days, photos are so large, these upload scripts absolutely LAUGH at php's default 2MB upload_max_filesize limit.

It is not out of the ordinary for people to want to upload 100-200mb of photos with each post in my scripts. I know I can allow this by putting the following in each .htaccess for each script's directory:

php_value max_execution_time 200
php_value upload_max_filesize 175M
php_value post_max_size 200M
php_value memory_limit 100M

So my question is:

Is this acceptable? Is it acceptable on the security front? And is it acceptable on the performance front? What is one to do in a situation like mine where I want my users to be able to upload 5-10 full resolution photos?

NOTE: Due to time constraints... I cannot utilize FTP to upload these photos. I need to stick with php's built-in file uploading $_FILE method. Thanks for your help.

grallis

3:39 am on Sep 29, 2008 (gmt 0)

10+ Year Member



Are you on a dedicated server, virtual-dedicated or completely shared hosting? The issue I see is mainly performance issues. If you're allowing your clients the ability to upload such large photos, which is definitely acceptable in this day and age, you have to consider there may be a time when a large amount of people are uploading larger file sizes, thus eating bandwidth and slowing PHP down.

dreamcatcher

9:01 am on Sep 29, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



You might want to consider allowing images to be uploaded in zip files and then using something like exec [uk2.php.net] to unzip the files on the server?

You should definitely have a dedicated server as mentioned by grallis.

dc
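
An added example, not part of the thread and not any poster's code: one way to unpack an uploaded zip of photos with PHP's ZipArchive extension rather than a shell command, checking entry count, extensions and uncompressed size before anything is written. The function name, the limits and the extension list are assumptions chosen for illustration.

```php
<?php
// Added example, not code from the thread. Limits and names are assumptions.
const MAX_ENTRIES = 20;                     // files per archive
const MAX_TOTAL_BYTES = 200 * 1024 * 1024;  // total uncompressed bytes
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif'];

function extract_photo_zip(string $zipPath, string $destDir): array
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        throw new RuntimeException('not a readable zip archive');
    }
    // Pass 1: check entry count, extensions and declared sizes before writing.
    $entries = [];
    $total = 0;
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $stat = $zip->statIndex($i);
        if (substr($stat['name'], -1) === '/') continue; // directory entry
        $ext = strtolower(pathinfo($stat['name'], PATHINFO_EXTENSION));
        $total += $stat['size'];
        if (count($entries) >= MAX_ENTRIES || $total > MAX_TOTAL_BYTES
            || !in_array($ext, ALLOWED_EXT, true)) {
            $zip->close();
            throw new RuntimeException('rejected entry: ' . $stat['name']);
        }
        $entries[] = [$stat['name'], $ext, $stat['size']];
    }
    // Pass 2: write to server-chosen names; archive paths never reach the disk.
    $written = [];
    foreach ($entries as [$name, $ext, $size]) {
        $target = $destDir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
        $in = $zip->getStream($name);
        $out = $in ? fopen($target, 'xb') : false;
        if ($out === false) {
            throw new RuntimeException('cannot extract: ' . $name);
        }
        // Copy at most declared size + 1 byte, so a wrong declared size shows up.
        $copied = stream_copy_to_stream($in, $out, $size + 1);
        fclose($in);
        fclose($out);
        if ($copied !== $size || @getimagesize($target) === false) {
            unlink($target);                 // size mismatch or not an image
            continue;
        }
        $written[] = $target;
    }
    $zip->close();
    return $written;
}
```

Call it on the upload's `tmp_name` after checking its `error` field, and point `$destDir` at a directory outside the document root or one where script execution is disabled. `upload_max_filesize` and `post_max_size` still bound the compressed archive; `MAX_TOTAL_BYTES` bounds what it expands to.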