2

I am providing a facility to my web users so that they can upload their profile image from a URL rather than uploading it from their computer. I see here that a mischievous user can provide the URL of a huge file, or maybe some URL which is tailed to /dev/random; very unlikely, but it can happen. Is there a way I can determine the size of the file before fetching it completely to my server?

3
  • Exact duplicate: stackoverflow.com/questions/2602612/… Commented Feb 29, 2012 at 9:26
  • @Topener: that topic wouldn't help OP to solve the original issue. Sometimes it's worth reading the whole question. Commented Feb 29, 2012 at 9:31
  • @Topener I could never have figured out what I should use to search. Commented Feb 29, 2012 at 9:33

2 Answers

1

Depending on what you are doing to grab that remote file, there are different things you can do.

  • While file_get_contents('http://foobar.com') is quite convenient, it gives you the least amount of control. I don't see how you could do a HEAD request to grab the Content-Length header up front.
  • fsockopen() will make you cry when dealing with HTTPS.
  • curl is, well, curl. It's just as ugly as powerful. There are other options, like the HTTP Pecl (basically wrapping curl) as well.

    1. check if the resource provides a Content-Length header. Do a HEAD request for this. Some servers/services don't handle HEAD requests. You'd then make a GET request and abort the transfer after you got the response headers.
    2. If (1) yielded a result, check if it's greater than your limit. If so, abort.
    3. Use curl to fetch the resource. Have a look at CURLOPT_READFUNCTION to be able to abort the download if the volume exceeds your limit. You should also check this, if (1) yielded a result, as this result might've been spoofed.

In the very worst case you'll have made 1 HEAD and 1 GET request to acquire the Content-Length, as well as another GET request to download $yourLimit bytes.

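A worked PHP version of the three steps in the answer above, added here as an illustration and not code from the answer: a HEAD request reads the declared Content-Length, then a GET counts the bytes itself through curl's write callback (CURLOPT_WRITEFUNCTION) and aborts once the limit is exceeded, since the declared length may be absent or spoofed. The URL and the 2 MiB limit at the bottom are placeholder values.

```php
<?php
// Fetch a user-supplied URL with a hard byte limit; returns the body or null.
function fetchWithLimit(string $url, int $limit): ?string
{
    $common = [
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 15,    // also bounds a slow or endless stream
        CURLOPT_FOLLOWLOCATION => false,
    ];

    // Step 1: HEAD request. Some servers don't answer it; then no length is known.
    $ch = curl_init($url);
    curl_setopt_array($ch, $common + [CURLOPT_NOBODY => true, CURLOPT_RETURNTRANSFER => true]);
    curl_exec($ch);
    $declared = curl_getinfo($ch, CURLINFO_CONTENT_LENGTH_DOWNLOAD); // -1 when unknown
    curl_close($ch);

    // Step 2: the declared size is already over the limit, so don't fetch at all.
    if ($declared > $limit) {
        return null;
    }

    // Step 3: GET and count bytes ourselves; the header value may be spoofed.
    $received = 0;
    $body = '';
    $ch = curl_init($url);
    curl_setopt_array($ch, $common + [
        CURLOPT_MAXFILESIZE   => $limit,  // honoured by curl only when a length is announced
        CURLOPT_WRITEFUNCTION => function ($ch, string $chunk) use (&$received, &$body, $limit) {
            $received += strlen($chunk);
            if ($received > $limit) {
                return -1;  // any value other than strlen($chunk) makes curl abort the transfer
            }
            $body .= $chunk;
            return strlen($chunk);
        },
    ]);
    curl_exec($ch);
    $errno = curl_errno($ch);   // CURLE_WRITE_ERROR (23) is the abort triggered above
    curl_close($ch);

    return $errno === 0 ? $body : null;
}

// Placeholder URL and limit (2 MiB), not values from the question.
$image = fetchWithLimit('https://example.com/avatar.png', 2 * 1024 * 1024);
```

In the worst case this still makes one HEAD and one GET, but the GET never receives more than $limit bytes plus one chunk before curl tears the connection down.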

0

Check for the Content-Length header in the response from the server.

2 Comments

What if there is no such header in the response?
What if they supplied Content-Length: 123 but actually sent (a whole lot) more than that?
