ini - Allowing large file uploads in PHP (security)
Are there any security and/or performance implications to consider when allowing large file uploads in PHP? For example, these are the PHP ini settings I currently have set.
memory_limit = 950M upload_max_filesize = 950M post_max_size = 950M max_execution_time = 0
What, if anything, could go wrong with these settings?
The security considerations do not change by changing these settings. However for performance the following is valid:
The art of serving users in a performing way is to offer enough ressources to what is requested by the sum of your users. Translating this into examples upon your settings would be something like:
10 users uploading 950 MB would require you to serve 9.5 GB of bandwidth and I/O throughput (which is eg. ipacted by disk speed) in a performing manner. I as user could probably live with uploading 950 MB in 1 minute, but would be dissatisfied with this taking me an hour.
100 users uploading 950 MB would require you to serve 95 GB...
1000 users uploading 950 MB would reuire you to serve 950 GB... ...
Of cause not all of your users go for max at all the time and even concurrent uploads might be limited. However these Max-settings add to your risk stack. So depending on your usage characteristics and your ressource stuffing these settings could be valid.
However I assume you gave extreme examples and want to learn about implications.
When I google "optimize php memory_limit" I get this: https://softwareengineering.stackexchange.com/questions/207935/benefits-of-setting-php-memory-limit-to-lower-value-for-specific-php-script
Obviously you can do the same with the other settings.
In forums you can find a lot of swear against setting those config-values such high. However having this in environments, where ressource utilization is managed carefully on other access layers (eg. restrict the number of upload-users via in-app permissions) did work out for me in past very well.