Can you trust file size given by $_FILES array in PHP?

Question

Sorry if it is trivial or obvious, but I could not find the answer by googling it.

From where does the size value in $_FILES['name'] array come from? Could you trust the value of it ($_FILES['name']['size']) or should you still check it using the filesize() function?

In other words, is it necessary to check actual file size by filesize function to notice if it is properly uploaded?

Answer 1

If the file is uploaded correctly and everything is fine, you can use the info provided by PHP superglobal $_FILES. Using filesize() adds small overhead since OS needs to inspect the file for the size. It's up to you, but checking PHP source on how it does all this indicates clearly that it correctly calculates the file size in the HTTP multipart request. Basically, you'd be doing the same job again if you were to filesize() the file.

The reason you can trust this directly from superglobal variable is the fact that multipart requests supply a boundary between which the data resides. By definition, it's not possible to obtain corrupt data if the protocol for extracting the data isn't followed. In other words, it means that browser sends a "delimiter" and PHP simply finds it and starts checking the text for data between that delimiter. To do this, it accurately allocates required memory and it can immediately cache the number allocated - and that number is the file size. If anything is wrong along the way, you will get errors. Therefore, if the file uploaded correctly, the information about the size is trusted.