
Can you trust file size given by $_FILES array in PHP?

Sorry if it is trivial or obvious, but I could not find the answer by googling it.

Where does the size value in the $_FILES['name'] array come from? Could you trust its value ($_FILES['name']['size']), or should you still check it using the filesize() function?

In other words, is it necessary to check the actual file size with the filesize() function to notice whether it was properly uploaded?

If the file is uploaded correctly and everything is fine, you can use the info provided by the PHP superglobal $_FILES. Using filesize() adds a small overhead since the OS needs to inspect the file for the size. It's up to you, but checking the PHP source on how it does all this indicates clearly that it correctly calculates the file size in the HTTP multipart request. Basically, you'd be doing the same job again if you were to filesize() the file.

The reason you can trust this directly from the superglobal variable is the fact that multipart requests supply a boundary between which the data resides. By definition, it's not possible to obtain corrupt data if the protocol for extracting the data isn't followed. In other words, it means that the browser sends a "delimiter" and PHP simply finds it and starts checking the text for data between that delimiter. To do this, it accurately allocates the required memory and it can immediately cache the number allocated - and that number is the file size. If anything is wrong along the way, you will get errors. Therefore, if the file uploaded correctly, the information about the size is trusted.

PHP does seem to recalculate the size of the file after it is uploaded. Although the client does send a header specifying the content-length of the file, based on tests (with PHP 5.5) this header is simply ignored and, instead, the length is measured. Personally, I would always use filesize() to get the file size since you can be more confident about which measurement is being used, but it is ultimately up to you. Either way, $_FILES['file_name']['size'] appears to be a safe value to use.

You should rather check if the client-reported $_FILES['file_name']['size'] equals the value given by filesize(). A difference may indicate an error during transmission of the uploaded file.
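
The checks discussed in the answers above, combined into one handler. This is an added example, not code from any of the posters; the field name "upload", the function name checked_upload_size() and the 2 MiB limit are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Assumed limit for this illustration.
const MAX_UPLOAD_BYTES = 2 * 1024 * 1024;

/**
 * Returns the on-disk size of an uploaded file after confirming that the
 * upload completed and that $_FILES[...]['size'] agrees with filesize().
 */
function checked_upload_size(array $file, int $maxBytes): int
{
    // A multi-file field (name="upload[]") yields nested arrays; reject it here.
    if (!isset($file['error'], $file['tmp_name'], $file['size'])
        || is_array($file['error'])) {
        throw new RuntimeException('Malformed upload entry');
    }
    // Size and tmp_name only describe a complete file when error is UPLOAD_ERR_OK.
    if ($file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed, error code ' . $file['error']);
    }
    // Confirms tmp_name is a file PHP itself received via HTTP POST.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    clearstatcache(true, $file['tmp_name']);
    $onDisk = filesize($file['tmp_name']);
    if ($onDisk === false) {
        throw new RuntimeException('Cannot stat temporary file');
    }
    // The two measurements should match; a difference means something went wrong.
    if ($onDisk !== (int) $file['size']) {
        throw new RuntimeException("Size mismatch: {$file['size']} vs {$onDisk}");
    }
    if ($onDisk === 0 || $onDisk > $maxBytes) {
        throw new RuntimeException('File size outside allowed range');
    }
    return $onDisk;
}

if (isset($_FILES['upload'])) {
    try {
        $bytes = checked_upload_size($_FILES['upload'], MAX_UPLOAD_BYTES);
        echo "Accepted upload of {$bytes} bytes\n";
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'Rejected: ' . $e->getMessage() . "\n";
    }
}
```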
