I recently worked on a project on a third-party server (i.e. one I have no control over) and, much to my amazement, found that PHP was set to allow 3/4 terabyte of file uploads. This makes no sense to me, as a hacker could fill up the tmp directory pretty quickly with massive amounts of post data. Finding this inspired me to write a quick tidbit about file upload sizes in PHP.
There are several php.ini parameters that control file uploads:
- file_uploads - a boolean value which determines whether or not file uploading is enabled.
- upload_max_filesize - the maximum file size that the server will accept (e.g. 8M). NOTE: setting this in conjunction with post_max_size (see below) is important.
- max_input_time - the maximum amount of time, in seconds, that PHP will spend receiving and parsing input data such as POST data and file uploads.
- memory_limit - the maximum amount of memory that PHP may use (e.g. 32M).
- max_execution_time - the maximum number of seconds that a script may run.
- post_max_size - the maximum amount of data that can be uploaded to the server in a single post (e.g. 8M).
When setting these parameters, there are a few things to take into consideration. For example, if you want to be able to accept 50M file uploads, make sure max_input_time and max_execution_time are set high enough for PHP to receive and process that much data. (Think of how long it takes to upload a 50M file.)
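
The size settings can also be checked against each other mechanically. The script below is an added example, not part of the original post: it converts php.ini shorthand to bytes and flags limits that are far larger than the application needs or that contradict each other. The 50M ceiling is taken from the example above; the function names, the 2x headroom rule and the sample values (768G standing in for 3/4 terabyte) are assumptions made for illustration.

```php
<?php
// Added example, not from the original post. Sample values are constructed.

// Convert php.ini shorthand ("8M", "1G", "512K") to bytes; plain numbers pass through.
function ini_bytes(string $value): int
{
    $value = trim($value);
    $bytes = (int) $value;                       // "50M" casts to 50
    switch (strtoupper(substr($value, -1))) {    // intentional fall-through
        case 'G': $bytes *= 1024;
        case 'M': $bytes *= 1024;
        case 'K': $bytes *= 1024;
    }
    return $bytes;
}

// Return a list of findings for one set of upload-related settings.
function audit_upload_limits(array $ini, string $ceiling): array
{
    if (!filter_var($ini['file_uploads'], FILTER_VALIDATE_BOOLEAN)) {
        return [];                               // uploads disabled, nothing to bound
    }
    $max      = ini_bytes($ceiling);
    $upload   = ini_bytes($ini['upload_max_filesize']);
    $post     = ini_bytes($ini['post_max_size']);
    $findings = [];
    if ($upload > $max) {
        $findings[] = "upload_max_filesize={$ini['upload_max_filesize']} exceeds the {$ceiling} the application needs";
    }
    if ($post === 0) {
        $findings[] = 'post_max_size=0 disables the POST size limit';
    } elseif ($post < $upload) {
        $findings[] = 'post_max_size is smaller than upload_max_filesize, so the upload limit can never be reached';
    } elseif ($post > 2 * $max) {                // 2x headroom is an assumed policy
        $findings[] = "post_max_size={$ini['post_max_size']} leaves far more room than a {$ceiling} upload needs";
    }
    return $findings;
}

$keys  = ['file_uploads', 'upload_max_filesize', 'post_max_size'];
$cases = [
    'constructed oversized host' => ['file_uploads' => '1', 'upload_max_filesize' => '768G', 'post_max_size' => '768G'],
    'constructed mismatch'       => ['file_uploads' => '1', 'upload_max_filesize' => '50M', 'post_max_size' => '8M'],
    'this PHP installation'      => array_combine($keys, array_map('ini_get', $keys)),
];
foreach ($cases as $label => $ini) {
    $findings = audit_upload_limits($ini, '50M');
    echo $label, ': ', $findings ? implode('; ', $findings) : 'ok', PHP_EOL;
}
```

Run it through the same SAPI that serves the site (not only the CLI), since the web server and the command line can load different php.ini files.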
