file upload size limits in PHP
I recently worked on a project on a 3rd party server (e.g. one I have no control over) and much to my amazement, found that PHP was set to allow 3/4 terabyte of file uploads. This makes no sense to me, as a hacker could fill up the tmp directory pretty quickly with massive amounts of post data. Finding this inspired me to write a quick tidbit about file upload sizes in PHP.
There are several php.ini parameters that control file uploads:
- file_uploads - a boolean that determines whether file uploading is enabled at all.
- upload_max_filesize - the maximum size of a single uploaded file that the server will accept (e.g. 8M). NOTE: post_max_size (see below) caps the whole request body, so it must be set at least as large as this value, otherwise the upload never reaches your script.
- max_input_time - the maximum number of seconds PHP will spend receiving and parsing request data, which includes the upload itself.
- memory_limit - the maximum amount of memory that a script may use (e.g. 32M).
- max_execution_time - the maximum number of seconds that a script may run.
- post_max_size - the maximum amount of data that can be sent to the server in a single POST request (e.g. 8M).
When setting these parameters, there are a few things to take into consideration. For example, if you want to accept 50M file uploads, make sure max_input_time and max_execution_time are high enough for the script to receive and process that much data. (Think of how long it takes to upload a 50M file.)
handy .htaccess trick - restrict by IP address
# Apache 2.2 mod_authz_host syntax (Apache 2.4 uses "Require ip ..." instead).
# The directives are deliberately not wrapped in <Limit GET POST>: a <Limit>
# block only covers the methods it names and leaves every other method open.
# AuthName/AuthType only take effect together with a Require directive.
AuthName "whatever"
AuthType Basic
order deny,allow
deny from all
allow from [whatever ip address]
Today I was working on a project for my day job which involved an Ajax call to a database. A user inputs a zip code into a form text box and once 3 digits are entered, JavaScript fires off a request to a PHP script which fires off a call to a MySQL database to see if there is a match.
I decided to look around the Internet for some example code to jump-start things. I found the following PHP code. Seeing sample code like this not only makes me cringe, but makes me want to reach out and slap the developer that wrote it.
<?php
// The code as found online, with the array keys quoted and the quotes around
// the LIKE pattern restored (the injection string below assumes them).
// DO NOT USE: $queryString is dropped straight into the SQL text.
if (isset($_POST['queryString']))
{
    $queryString = $_POST['queryString'];
    if (strlen($queryString) > 0)
    {
        // User input is interpolated into the query without any escaping
        $query = "SELECT blog_tags FROM blog_entry WHERE blog_tags LIKE '$queryString%' LIMIT 10";
        $result = mysql_query($query) or die("There is an error in database please contact support");
        while ($row = mysql_fetch_array($result))
        {
            echo $row['blog_tags'];
        }
    }
}
This code lets any attacker inject SQL into the query string, because the POSTed value is pasted into the query text unescaped, and so run their own statements against your MySQL database. They can do so simply by sending POST data such as:
' OR 1; SELECT * FROM mysql.User
Scary, eh? Using this code I can easily view all users in your MySQL database.
#1 Rule of Web Application Programming: NEVER trust user input.
This includes POST data, GET data, cookies and so on: basically anything that your script reads from the client side.
SQL injection is simple to protect against. PHP has built-in functions to escape input (addslashes(), mysql_real_escape_string(), etc.), though addslashes() is not aware of the connection's character set and should not be relied on by itself. PHP can also use prepared statements, which send user input to the server as bound parameters, separate from the SQL text, so it is never interpreted as SQL.
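The zip-code lookup described above rewritten with a mysqli prepared statement, as an added example that is not code from the original post; the zip_codes table, its zip column and the connection details are assumptions:

```php
<?php
// Added example (not from the original post). Assumed schema: a zip_codes
// table with a zip column. Connection details are placeholders.
function lookupZipPrefix(mysqli $db, string $prefix): array
{
    // Validate before the value gets anywhere near the database: the form
    // only ever sends digits, so reject anything else outright. This also
    // keeps the LIKE wildcards '%' and '_' out of the pattern.
    if (!ctype_digit($prefix) || strlen($prefix) < 3 || strlen($prefix) > 5) {
        return [];
    }

    // The SQL text contains no user data; the prefix travels to the server
    // as a bound parameter and can never be parsed as SQL.
    $stmt = $db->prepare('SELECT zip FROM zip_codes WHERE zip LIKE ? LIMIT 10');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $pattern = $prefix . '%';   // the wildcard is appended here, not in the SQL
    $stmt->bind_param('s', $pattern);
    $stmt->execute();

    $matches = [];
    $stmt->bind_result($zip);
    while ($stmt->fetch()) {
        $matches[] = $zip;
    }
    $stmt->close();
    return $matches;
}

// Usage (assumed connection details)
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
$db->set_charset('utf8mb4');

$queryString = $_POST['queryString'] ?? '';
foreach (lookupZipPrefix($db, $queryString) as $zip) {
    // Encode on output as well: data coming back from the database is
    // still untrusted when it is written into the page.
    echo htmlspecialchars($zip, ENT_QUOTES, 'UTF-8'), "\n";
}
```

Sending the page's injection string to this script simply returns no rows, since it fails the digit check before any query is built.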
Simply put, if you take on the mindset that anyone sending any sort of data to your program is a potential hacker, you will write more secure code.
More information on SQL injections can be found at OWASP's website.