[thelist] Web-Based Hidden Image Optimization

Matt Warden mwarden at gmail.com
Mon Jan 24 14:10:50 CST 2005


Rob,

On Mon, 24 Jan 2005 09:23:48 -0600, Rob Smith <rob.smith at thermon.com> wrote:
> > but you can't stop them uploading a large file in the first place.
> 
> On the contrary...
> from the form:
> <form method="post" name="whatever" action="page.php"
> enctype="multipart/form-data">
> <input type="file" name="ProductPicture" size="12">
> <input type="hidden" name="MAX_FILE_SIZE" value="4194304" />
> </form>
> 
> from the parsing page:
> $disk_quota = mysql_result($results_file,0,"CustDiskQuota");
> if (($_FILES['ProductPicture']['size'] + $disk_quota) >
> $_POST["MAX_FILE_SIZE"]) {
>   unlink($uploaddir . $ProductPicture);
>   // where $ProductPicture = absolute path to image itself
>   // stop right here; quota exceeded. delete if uploaded.
>   exit;
> }
> 
> :-) cool stuff

Firstly, as someone has already pointed out, this doesn't keep them
from uploading the file -- it allows you to delete it from temporary
storage after it has been uploaded (meaning your bandwidth is still
used).

But, more importantly, what happens if I edit the value of the hidden
form field (this is very easy to do with Firefox and a plugin)? I
could make it a couple gigabytes and your script would never know the
difference. At the *very least* don't name it MAX_FILE_SIZE (that will
maybe keep an honest man honest). Really, though, you should have the
MAX_FILE_SIZE determined directly in your code or from your database
(i.e., something the control of which you don't hand over to your
users).


-- 
Matt Warden
Miami University
Oxford, OH, USA
http://mattwarden.com


This email proudly and graciously contributes to entropy.
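As an added illustration of the point above (example code written for this archive page, not code from either poster): the limit is fixed in the application's own configuration and the customer's quota is read server-side, so the hidden MAX_FILE_SIZE field is never consulted. The helper customer_quota_remaining() is hypothetical and returns a constructed value standing in for the mysql_result() lookup in the quoted code; MAX_UPLOAD_BYTES is an assumed site-wide constant.

```php
<?php
// Added example, not part of the original thread.
// Assumptions: MAX_UPLOAD_BYTES is our own config constant, and
// customer_quota_remaining() is a hypothetical helper standing in for the
// database lookup; its value below is constructed so the code runs offline.
declare(strict_types=1);

const MAX_UPLOAD_BYTES = 4194304; // 4 MiB, fixed in code, never read from $_POST

function customer_quota_remaining(int $customerId): int
{
    // Constructed data: customer 42 has 1 MiB of quota left.
    $constructedQuotas = [42 => 1048576];
    return $constructedQuotas[$customerId] ?? 0;
}

/**
 * Decide whether an uploaded file may be kept.
 * $file is one entry of $_FILES. The client-supplied MAX_FILE_SIZE field is
 * deliberately never consulted, so editing the hidden field changes nothing.
 * Returns null if the upload is acceptable, otherwise a reason string.
 */
function upload_rejection_reason(array $file, int $customerId): ?string
{
    // PHP's own error code comes first: UPLOAD_ERR_INI_SIZE means the
    // upload_max_filesize directive in php.ini already stopped the file.
    $err = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($err !== UPLOAD_ERR_OK) {
        return "upload failed with PHP error code $err";
    }

    $size = (int) ($file['size'] ?? 0);
    if ($size > MAX_UPLOAD_BYTES) {
        return 'file exceeds the site-wide limit';
    }
    if ($size > customer_quota_remaining($customerId)) {
        return 'file exceeds the remaining disk quota';
    }

    // Only accept a file that PHP itself placed in temporary storage.
    if (!is_uploaded_file((string) ($file['tmp_name'] ?? ''))) {
        return 'not a genuine uploaded file';
    }
    return null;
}

// Usage on the parsing page, inside a real request:
// $reason = upload_rejection_reason($_FILES['ProductPicture'], $customerId);
// if ($reason !== null) {
//     // PHP discards the temp file at the end of the request; no unlink needed.
//     http_response_code(413);
//     exit($reason);
// }
// move_uploaded_file($_FILES['ProductPicture']['tmp_name'], $destination);
```

This still only rejects the file after it has arrived, which is the first objection in the reply; the size PHP is willing to receive at all is governed by the upload_max_filesize and post_max_size directives in php.ini, not by anything the browser sends.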

