Can you trust file size given by $_FILES array in PHP?
3

18

Sorry if it is trivial or obvious, but I could not find the answer by googling it.

From where does the size value in $_FILES['name'] array come from? Could you trust the value of it ($_FILES['name']['size']) or should you still check it using the filesize() function?

In other words, is it necessary to check actual file size by filesize function to notice if it is properly uploaded?

Rooks answered 3/5, 2015 at 13:23 Comment(1)
possible duplicate of Can $_FILES[...]['size'] be forged? (Apogee)
14

If the file is uploaded correctly and everything is fine, you can use the info provided by the PHP superglobal $_FILES. Using filesize() adds a small overhead since the OS needs to inspect the file for the size. It's up to you, but checking the PHP source on how it does all this indicates clearly that it correctly calculates the file size from the HTTP multipart request. Basically, you'd be doing the same job again if you were to filesize() the file.

The reason you can trust this directly from the superglobal variable is the fact that multipart requests supply a boundary between which the data resides. By definition, it's not possible to obtain corrupt data if the protocol for extracting the data isn't followed. In other words, it means that the browser sends a "delimiter" and PHP simply finds it and starts checking the text for data between that delimiter. To do this, it accurately allocates the required memory and it can immediately cache the number allocated - and that number is the file size. If anything is wrong along the way, you will get errors. Therefore, if the file uploaded correctly, the information about the size is trusted.

Saiga answered 3/5, 2015 at 14:36 Comment(0)
9

PHP does seem to recalculate the size of the file after it is uploaded. Although the client does send a header specifying the content-length of the file, based on tests (with PHP 5.5) this header is simply ignored and, instead, the length is measured. Personally, I would always use filesize() to get the file size since you can be more confident about which measurement is being used, but it is ultimately up to you. Either way, $_FILES['file_name']['size'] appears to be a safe value to use.

Machellemachete answered 3/5, 2015 at 13:32 Comment(3)
Are you sure? From my understanding reading the source code responsible for parsing multipart HTTP requests, the resulting size reflects the number of bytes read from the multipart part body. (Acquiescent)
@Acquiescent Interesting, from what I read, it is specified by the client while upload_max_filesize uses the measured count as it is being uploaded. I'll try to do some tests and get back to you. (Machellemachete)
@Acquiescent Yup, you're absolutely right. PHP seems to recalculate it after it is uploaded. (Machellemachete)
4

Rather, you should check whether the client-reported $_FILES['file_name']['size'] equals the value given by filesize(). A difference may indicate an error during transmission of the uploaded file.

Arraign answered 3/5, 2015 at 13:49 Comment(0)
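An upload handler that applies the checks discussed in the answers above (PHP's own error code, the origin of tmp_name, and the cross-check of $_FILES['size'] against filesize()), as an added example that is not code from any of the posts. The form field name upload and the MAX_UPLOAD_BYTES limit are assumptions.

```php
<?php
// Added example, not from this page. Assumed: form field "upload",
// MAX_UPLOAD_BYTES as a hypothetical application limit.
const MAX_UPLOAD_BYTES = 2 * 1024 * 1024; // 2 MiB

/**
 * Returns null when the upload is acceptable, otherwise a short reason.
 * $file is one entry of $_FILES, e.g. $_FILES['upload'].
 */
function validateUpload(array $file): ?string
{
    // 1. PHP's verdict first: a partial upload (UPLOAD_ERR_PARTIAL) or one
    //    over upload_max_filesize (UPLOAD_ERR_INI_SIZE) never carries a
    //    meaningful 'size', so bail out before looking at it.
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return 'upload error code ' . ($file['error'] ?? 'missing');
    }
    // 2. Only trust a temp path that PHP created for this request.
    if (!is_uploaded_file($file['tmp_name'])) {
        return 'tmp_name is not an uploaded file';
    }
    // 3. Cross-check the size PHP recorded with what is on disk, as the
    //    last answer recommends. Both values are produced locally, so a
    //    mismatch points at a truncated or altered temp file, not at a
    //    client header.
    $onDisk = filesize($file['tmp_name']);
    if ($onDisk === false || $onDisk !== (int) $file['size']) {
        return "size mismatch: \$_FILES says {$file['size']}, disk says "
            . var_export($onDisk, true);
    }
    // 4. Enforce the application limit on the measured value.
    if ($onDisk === 0) {
        return 'empty file';
    }
    if ($onDisk > MAX_UPLOAD_BYTES) {
        return "file too large ({$onDisk} bytes)";
    }
    return null;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && isset($_FILES['upload'])) {
    $problem = validateUpload($_FILES['upload']);
    echo $problem === null ? "OK\n" : "Rejected: {$problem}\n";
}
```

Note that when the whole POST body exceeds post_max_size, $_FILES is empty and the handler above never runs, so that case has to be detected separately (for example by a non-empty CONTENT_LENGTH with an empty $_POST and $_FILES).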
