How to sneak past the php upload limits

More Articles

Test Drive PHP5

A web based PHP FTP Client..

Tiled background for swing components.

The php configuration file - php.ini has more than one setting that limits the size of the files that you can upload. Or rather it will limit the maximum amount of data that php handles. If you have access to the php.ini file on your server the article at http://www.radinks.com/upload/config.php will show you how to optimize these settings so that large amounts of data can be handled.

If you don't have access to the php.ini file read on, you will find out how to bypass these limits with out changing any of the configuration settings - with a little help from perl.

'Out of the box' installations of perl can usually handle up to 32 MB of post data, where as with php this figure defaults to 2Mb. So by simply switching to perl you can overcome this limit.

Unfortunately many developers would run a mile if you asked them to switch from perl to PHP. The solution would then be to use a simple perl script to handle the upload and then pass on this data to a PHP script to process. This is indeed the approach that has been adapted by megaupload which being used at the time of writing by well over 20,000 PHP programmers.

With this solution you would only need to change just three lines of code in your entire web applications. The first change would be to change HTML form tag. Just replace the url used in the action attribute of the form, to the url for your upload.cgi script. for example:

<FORM action="http://localhost/upload.php" enctype="multipart/form-data">

might become

<FORM action="http://localhost/cgi-bib/upload.cgi" enctype="multipart/form-data">

The second change is to edit the line that starts as my $url= ... and to replace it with your original file upload handler url. So that it now looks like:

my $url="http://localhost/upload.php";

Changing that perl code wasn't so difficult was it? The next step is to change the line in your original php code that grabs the uploaded file information. In my script it used to read as:

$file = $_FILES['file'];

Since file was the name that I had assigned the INPUT TYPE="file" elements in my HTML form. I had to change this to

$file = $_REQUEST['userfile'];

Notice how $_FILES has changed to $_REQUEST and file has changed to userfile (because the perl script has changed that variable name).

Ladies and gentlemen, you now have a PHP upload handler that by passes any arbitrary restrictions imposed by php.ini

NOTE: If you use this script in a shared hosting environment, and your system administrator shoots you that's your problem not mine.

Get the full source code for the perl script, the php script Megaupload versions after 1.40 uses this same procedure to transfer handling to the php script, please feel free to download it and try it out.


Mega Upload :: perl edition  :   JSP edition  :   PHP edition

Copyright © Raditha Dissanayake 2013