I was having an interesting discussion with a fellow co-worker about security in PHP.
Let's say a person has a PHP site running with a standard HTML form. An attacker decides to use Chrome Developer Tools and add in the DOM enctype="multipart/form-data" and a file input.
The attacker uploads a file; it probably won't execute if it were a virus, yet it's still using bandwidth/storage for that moment. Would the file go into the PHP /tmp directory just by doing this? Wouldn't this make every form somewhat insecure, as a user can upload a file in any form?
On a bigger scale, what if 100,000 people added that to the DOM and uploaded a random gigabyte file? Wouldn't that temporarily make them hit their bandwidth and/or storage mark?
The upload itself happens, no matter what. The file gets stored in the upload temp dir, and then the PHP script is started. If the script does not handle the uploaded file, the file is deleted from the temp dir automatically when the script has finished executing.
Whether the server will abort the request when a maximum size is exceeded is a matter of configuration.
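
The configuration the answer refers to, as an added example that is not part of the original answer: the php.ini directives that decide whether PHP accepts file parts at all and how much it will take. The chosen values and the temp directory path are assumptions for illustration.

```ini
; php.ini (added example; values below are illustrative assumptions)

; --- Site that never accepts uploads ---------------------------------
; PHP's default is On, which is why a file input injected into any form
; ends up as a temp file before the script even starts. With Off, PHP
; skips file parts in multipart/form-data requests and writes nothing
; to the upload temp dir.
; This directive is PHP_INI_SYSTEM: ini_set() and .htaccess cannot
; change it. To vary it per application under PHP-FPM, set
;   php_admin_flag[file_uploads] = off
; in that application's pool configuration.
file_uploads = Off

; --- Site that does accept uploads -----------------------------------
; Use "file_uploads = On" instead of the line above and bound the cost
; of each request with the directives below.

; Largest single file PHP will keep (PHP default: 2M). A bigger file is
; discarded and the script sees UPLOAD_ERR_INI_SIZE in
; $_FILES[...]['error'].
upload_max_filesize = 2M

; Largest request body PHP will parse (PHP default: 8M). Keep it at or
; above upload_max_filesize. When a request exceeds it, $_POST and
; $_FILES arrive empty in the script.
post_max_size = 8M

; Most files accepted in one request (PHP default: 20).
max_file_uploads = 2

; Where temp files land. Hypothetical path: a dedicated directory on its
; own volume or quota keeps an upload flood from filling the system
; temp directory.
upload_tmp_dir = /var/lib/php/upload-tmp
```

These limits apply once the request reaches PHP; the web server's own body limit (client_max_body_size in nginx, LimitRequestBody in Apache) decides whether an oversized request is refused before that.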