Limiting size of uploads

Andre_br has asked for the wisdom of the Perl Monks concerning the following question:

Replies are listed 'Best First'.
Re: Limiting size of uploads by jZed (Prior) on Jun 01, 2006 at 00:47 UTC
See $CGI::POST_MAX in theCGI docs.	[reply]
Re: Limiting size of uploads by monkfan (Curate) on Jun 01, 2006 at 05:38 UTC
Just another possible alternatives. If what you want to test is a filehandle size you can use Perl's -s function. `my $q = new CGI; my $filehandle = $q->upload("file"); my $fsize = -s $filehandle; my $fsize_limit = 1000; # Then you use conditional to check them: if ($fsize > $fsize_limit) { # do whatever you want }` [download] If it the file is tied to a variable you can simply use length function: `# let's say you have a data captured in textrea textarea( -name => 'sequence', -rows => 10, -columns => 50, -wrap => 'physical' ),br # then you would need to store it into a variable my $seq_var = param('sequence'); # Size of the variable is captured this way: my $fsize = length($seq_var); if ($fsize > $fsize_limit) { # Do whatever you want }` [download] Regards, Edward	[reply] [d/l] [select]
Re: Limiting size of uploads by TedPride (Priest) on Jun 01, 2006 at 05:03 UTC
As I understand it, you just want to do a quick file size check before having your script go to all the trouble of processing the input. If so, why does it have to be accurate? Give yourself a wide margin of error - like say 20K for all text fields - then do another, exact check after the file has been processed. This way you stop huge inputs immediately, but still don't cut off users who are making valid requests.	[reply]
Re: Limiting size of uploads by qbxk (Friar) on Jun 02, 2006 at 22:27 UTC
[id://Andre_br] let me just chime in with an observation, as I was deeply immersed in the internals of CGI.pm recently, and specifically the file upload portions of the code. Previous comment about using $CGI::POST_MAX is pretty correct, but the next reply about using $ENV{CONTENT_LENGTH} is far better in my opinion. What you need to know is that merely instanstiating a CGI object will cause the CGI module to read all of <STDIN> (which is what apache passes the post data to your script via) - what this means is: before you continue execution beyond that line you utter `new CGI`, the entire upload is written to a temp file on your disk. Therefore, preventing file uploads of a too-large-size is kind of useless after that happens, if you're trying to save on bandwidth. Saving on diskspace for storing that file, yes, but you'll still read and write the whole thing to disk before you even begin asking questions about it if the first thing you do is `my $q = new CGI;` [download] so to save processing time and bandwidth and temp disk space, don't instantiate that until you're sure you want to. Also note, setting $CGI::POST_MAX will force CGI to stop reading from STDIN when it reaches that max, so any post variables that are in the stream AFTER the file upload (and HTTP defines no contraints as to what order variables ought be POSTed in, though in my experience most browsers POST in html form order) will not be exposed to you. also note that `my $filehandle = $q->upload("file");` [download] is a trivial function call, it's just handing back a file handle to the already existant file. I think this goes against most peoples expectations my final words: use $ENV{CONTENT_LENGTH}, s'what it's there for. and CGI isn't as perfect as ~~you think~~ i thought it is was. It's not what you look like, when you're doin' what you’re doin'. It's what you’re doin' when you’re doin' what you look like you’re doin'! - Charles Wright & the Watts 103rd Street Rhythm Band	[reply] [d/l] [select]
Re^2: Limiting size of uploads by Andre_br (Pilgrim) on Jun 05, 2006 at 18:18 UTC
Hello dear jZed, TedPride, monkfan and qbxk! I entered the code world a couple years ago, and while the language keeps proving itself one of the most powerfull available, the Perl community just couldn´t be more supporting! Happy to have you guys with me! I went with the most simple one, the -s monkfan suggested. Monkfan, this was just what I was looking for! Thanks! You guys also mentioned the $CGI::POST_MAX variable, wich is an extra security I have added. I wan´t bothering with users landing huge files on my disk, as long as I could get rid of them after checking the handle size. But it sure is a good thing to do. Also thanks a lot for the important info you provided on the CGI.pm internals, qbxk! Very interessting this detail, that the ->upload function is not the one triggering the upload, as I expected too. I'll keep that in mind now. Well, all implemented. Thanks a lot folks! André	[reply]


Perl-Sensitive Sunglasses
	PerlMonks