RE: [PHP] Secure File Upload

2002-06-06 Thread Miguel Cruz

On Thu, 6 Jun 2002, Christoph Starkmann wrote:
> Yes. In fact, I would like to prevent having users upload too
> big files. There are two reasons:
> First, I don't want my server space to be consumed by files too big.
> Second, I want to be able to prevent my (limited) traffic to
> be "exhausted". Simple reason: I pay for anything above let's say
> 10 GB of traffic. So what PHP offers to me AFAIK enables me to
> protect my space, but not my traffic. That's where my question
> comes from.

Depending on your server environment, you may be able to get the firewall
code to drop a connection after a certain amount of traffic in one
direction. That would effectively and unceremoniously cut off the rogue
uploads. Beyond the scope of this mailing list, though.

miguel


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




RE: [PHP] Secure File Upload

2002-06-06 Thread Christoph Starkmann

Hi again, Dan!

> But you still have to rely on your visitors as they could simply use
> another web browser should they wish to DoS your site. 
> Security measures
> such as logging in before allowing a file upload can come in 
> useful here.

I think I have to agree at this point. I was just hoping I 
was simply missing some point, but then a login will have to do.

Thanks for all your help...

Cheers,

Kiko

-- 
It's not a bug, it's a feature.
christoph starkmann
mailto:[EMAIL PROTECTED]
http://www.gruppe-69.com/
-- 





Re: [PHP] Secure File Upload

2002-06-06 Thread Dan Hardiker

>> I know this, not this new to CGI... ;) The only thing I
>> thought/hoped was that maybe there's a way to receive the file size
>> information before upping the entire file.
>
> It is possible with some browsers:
> http://marc.theaimsgroup.com/?l=php-general&m=102079018906224&w=2


But you still have to rely on your visitors as they could simply use
another web browser should they wish to DoS your site. Security measures
such as logging in before allowing a file upload can come in useful here.

-- 
Dan Hardiker [[EMAIL PROTECTED]]
ADAM Software & Systems Engineer
First Creative Ltd







Re: [PHP] Secure File Upload

2002-06-06 Thread Jason Wong

On Thursday 06 June 2002 17:53, Christoph Starkmann wrote:

> I know this, not this new to CGI... ;) The only thing I thought/hoped
> was that maybe there's a way to receive the file size information before
> upping the entire file. 

It is possible with some browsers:

 http://marc.theaimsgroup.com/?l=php-general&m=102079018906224&w=2

-- 
Jason Wong -> Gremlins Associates -> www.gremlins.com.hk
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *

/*
jogger, n.:
An odd sort of person with a thing for pain.
*/






RE: [PHP] Secure File Upload

2002-06-06 Thread Christoph Starkmann

Hi Dan!

> >> A)  Do you want to place a limit on the size of a single file being
> >> uploaded?
> [...]
> > Second, I want to be able to prevent my (limited) traffic to
> > be "exhausted". Simple reason: I pay for anything above let's say
> > 10 GB of traffic. So what PHP offers to me AFAIK enables me to
> > protect my space, but not my traffic.
> You are absolutely correct. Welcome to the client/server relationship. Your
> PHP is *entirely* server side, meaning that (in a HTTP[S] PUT or POST) the
> entire file is sent to PHP before it can work out if it's too big or not.

I know this, not this new to CGI... ;) The only thing I thought/hoped
was that maybe there's a way to receive the file size information before
upping the entire file. Like with email or news, where I can download headers
separated from the message body... But as far as I can see, this is not
possible. Sad but true ;)

So I have to trust my visitors ;)

Cheers,

Kiko

-- 
It's not a bug, it's a feature.
christoph starkmann
mailto:[EMAIL PROTECTED]
http://www.gruppe-69.com/
ICQ: 100601600
-- 





RE: [PHP] Secure File Upload

2002-06-06 Thread Dan Hardiker

>> A)  Do you want to place a limit on the size of a single file being
>> uploaded?
[...]
> Second, I want to be able to prevent my (limited) traffic to
> be "exhausted". Simple reason: I pay for anything above let's say
> 10 GB of traffic. So what PHP offers to me AFAIK enables me to
> protect my space, but not my traffic.


You are absolutely correct. Welcome to the client/server relationship. Your
PHP is *entirely* server side, meaning that (in a HTTP[S] PUT or POST) the
entire file is sent to PHP before it can work out if it's too big or not.

However, there are some client side effects you can induce (such as the
browser limiting the file size, this can be set in the HTML FORM) - but as
this is client side there is no guarantee that this request will be
honoured (still leaving you open for a custom / noncompliant browser to
upload giga-huge files to you).

In my experience it's best to give people access to FTP upload but that's
not always an option... I hope the information has helped you. The
following URL might be worth researching.

http://www.php.net/manual/en/features.file-upload.php

Look for information on "MAX_FILE_SIZE" and READ the user comments. The
manual + user comments usually holds the answers you seek. ;)
-- 
Dan Hardiker [[EMAIL PROTECTED]]
ADAM Software & Systems Engineer
First Creative Ltd







RE: [PHP] Secure File Upload

2002-06-06 Thread Christoph Starkmann

Hi Jim!

> ok, here are a few questions for you to clarify things.

> A)  Do you want to place a limit on the size of a single file being
> uploaded?
Yes. In fact, I would like to prevent having users upload too
big files. There are two reasons:
First, I don't want my server space to be consumed by files too big.
Second, I want to be able to prevent my (limited) traffic to
be "exhausted". Simple reason: I pay for anything above let's say
10 GB of traffic. So what PHP offers to me AFAIK enables me to
protect my space, but not my traffic. That's where my question
comes from.

> B)  Do you want to place a restriction that says after n'th 
> number of files that have been uploaded equal 'X' amount
> of space on the  server disable file uploads? (this is what 
> it sounds like you are asking, to me anyways)

Nope. This would be quite easy, I guess. But that's not the
problem, it's about traffic.
> 
> Answer these two questions and it will help me a lot

Hope this did ;) Can you help me now? ;)

Cheers,

Kiko

-- 
It's not a bug, it's a feature.
christoph starkmann
mailto:[EMAIL PROTECTED]
http://www.gruppe-69.com/
ICQ: 100601600
-- 





Re: [PHP] Secure File Upload

2002-06-05 Thread Jim lucas

ok, here are a few questions for you to clarify things.

A)  Do you want to place a limit on the size of a single file being
uploaded?
B)  Do you want to place a restriction that says after n'th number of files
that have been uploaded equal 'X' amount of space on the server disable
file uploads? (this is what it sounds like you are asking, to me anyways)

Answer these two questions and it will help me a lot

Jim Lucas
- Original Message -
From: "Christoph Starkmann" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, June 04, 2002 8:34 AM
Subject: [PHP] Secure File Upload


> Hi There!
>
> When uploading a file with PHP, AFAIK I can only control what will be stored
> on the server. So if someone sends me 100 MB, these will be deleted
> immediately. But, unfortunately, the traffic is produced nevertheless. Is
> there any way to check the file size before uploading the file or any other
> way to keep the traffic under a certain limit? Last thing I would like to
> have is a script that disables all uploads after a certain traffic has been
> produced, I would like to be able to really PREVENT uploads, let's say
> bigger than 10 MB?!
>
> Cheers,
>
> Kiko
>
> --
> It's not a bug, it's a feature.
> christoph starkmann
> mailto:[EMAIL PROTECTED]
> http://www.gruppe-69.com/
> ICQ: 100601600
> --






Re: [PHP] Secure File Upload

2002-06-05 Thread Rodolfo Gonzalez

On Wed, 5 Jun 2002, Lowell Allen wrote:

> Add this to your HTML form:
> 

The manual says this can be easily bypassed.

Regards.







Re: [PHP] Secure File Upload

2002-06-05 Thread Lowell Allen

> From: "andy" <[EMAIL PROTECTED]>
> 
> // original question:
> 
> 
> I would like to be able to really PREVENT uploads, let's say
>>> bigger than 10 MB?!
>>> 
>> Add this to your HTML form:
>> 
>> 
>> 
>> HTH
> 
> 
> 
> I tried this, too. But this does not work at all! I use IE 5.5 and it did
> not make any difference. Is there something else we have to take care of?
> 
What doesn't work for you? You're saying that you can upload a file size
beyond the limit specified by this setting in your form?

The manual says:

"The MAX_FILE_SIZE is advisory to the browser. It is easy to circumvent this
maximum. So don't count on it that the browser obeys you (sic) wish! The
PHP-settings for maximum-size, however, cannot be fooled."

The main controls are the ini-settings for post_max_size and
upload_max_filesize. If you haven't already, check out the manual:



I read the original question to be asking what can be done to prevent tying
up the server with large uploads -- that the too-large files will be
successfully rejected, but the person was asking if there was a way to avoid
using system resources in these cases. From my limited experience, it seems
that the script for checking the upload and copying the file somewhere
doesn't run until the upload is completed -- that the real tie-up is on the
client machine during upload. For example, I did a site where uploads of 24
Mb are possible, but the max_execution_time is only set to 50 (and I'm
pretty sure it could be lower).

HTH

--
Lowell Allen






Re: [PHP] Secure File Upload

2002-06-05 Thread Jason Wong

On Wednesday 05 June 2002 16:41, andy wrote:
> // original question:
> 
>
>  I would like to be able to really PREVENT uploads, let's say
>
> > > bigger than 10 MB?!
> >
> > Add this to your HTML form:
> >
> > 
> >
> > HTH
>
> 
>
> I tried this, too. But this does not work at all! I use IE 5.5 and it did
> not make any difference. Is there something else we have to take care of?

Not all browsers respect this setting so basically it is useless as a 
'security' measure.

-- 
Jason Wong -> Gremlins Associates -> www.gremlins.com.hk
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *

/*
It is far better to be deceived than to be undeceived by those we love.
*/






[PHP] Re [PHP] Secure File Upload

2002-06-05 Thread Stephen Phillips



Hi,
Not sure if this would work in limiting the file size of an 
upload or not, but I noticed a line in my php.ini file which seems to limit the 
size of any data sent by a POST, of course this would be a serverwide setting I 
guess.
 
the line is;
post_max_size = 8M;
 
I'm assuming this would be set to less and would restrict 
uploads, however there must be a better way of doing it since this seems a bit 
brutal.
 
Steve Phillips
ICQ#: 37350686


Re: [PHP] Secure File Upload

2002-06-05 Thread andy

// original question:


 I would like to be able to really PREVENT uploads, let's say
> > bigger than 10 MB?!
> >
> Add this to your HTML form:
>
> 
>
> HTH



I tried this, too. But this does not work at all! I use IE 5.5 and it did
not make any difference. Is there something else we have to take care of?

Andy








"Lowell Allen" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> > From: Christoph Starkmann <[EMAIL PROTECTED]>
> >
> > Hi There!
> >
> > When uploading a file with PHP, AFAIK I can only control what will be stored
> > on the server. So if someone sends me 100 MB, these will be deleted
> > immediately. But, unfortunately, the traffic is produced nevertheless. Is
> > there any way to check the file size before uploading the file or any other
> > way to keep the traffic under a certain limit? Last thing I would like to
> > have is a script that disables all uploads after a certain traffic has been
> > produced, I would like to be able to really PREVENT uploads, let's say
> > bigger than 10 MB?!
> >
> Add this to your HTML form:
>
> 
>
> HTH
>
> --
> Lowell Allen
>







Re: [PHP] Secure File Upload

2002-06-04 Thread Lowell Allen

> From: Christoph Starkmann <[EMAIL PROTECTED]>
> 
> Hi There!
> 
> When uploading a file with PHP, AFAIK I can only control what will be stored
> on the server. So if someone sends me 100 MB, these will be deleted
> immediately. But, unfortunately, the traffic is produced nevertheless. Is
> there any way to check the file size before uploading the file or any other
> way to keep the traffic under a certain limit? Last thing I would like to
> have is a script that disables all uploads after a certain traffic has been
> produced, I would like to be able to really PREVENT uploads, let's say
> bigger than 10 MB?!
>
Add this to your HTML form:
 


HTH

--
Lowell Allen






[PHP] Secure File Upload

2002-06-04 Thread Christoph Starkmann

Hi There!

When uploading a file with PHP, AFAIK I can only control what will be stored
on the server. So if someone sends me 100 MB, these will be deleted
immediately. But, unfortunately, the traffic is produced nevertheless. Is
there any way to check the file size before uploading the file or any other
way to keep the traffic under a certain limit? Last thing I would like to
have is a script that disables all uploads after a certain traffic has been
produced, I would like to be able to really PREVENT uploads, let's say
bigger than 10 MB?!

Cheers,

Kiko

-- 
It's not a bug, it's a feature.
christoph starkmann
mailto:[EMAIL PROTECTED]
http://www.gruppe-69.com/
ICQ: 100601600
-- 
