in reply to Limiting size of uploads

[id://Andre_br] let me just chime in with an observation, as I was deeply immersed in the internals of CGI.pm recently, and specifically the file upload portions of the code. The previous comment about using $CGI::POST_MAX is pretty correct, but the next reply about using $ENV{CONTENT_LENGTH} is far better in my opinion. What you need to know is that merely instantiating a CGI object will cause the CGI module to read all of <STDIN> (which is what apache passes the post data to your script via) - what this means is: before you continue execution beyond that line where you utter new CGI, the entire upload is written to a temp file on your disk. Therefore, preventing file uploads of a too-large size is kind of useless after that happens, if you're trying to save on bandwidth. Saving on disk space for storing that file, yes, but you'll still read and write the whole thing to disk before you even begin asking questions about it if the first thing you do is
my $q = new CGI;
so to save processing time and bandwidth and temp disk space, don't instantiate that until you're sure you want to. Also note, setting $CGI::POST_MAX will force CGI to stop reading from STDIN when it reaches that max, so any post variables that are in the stream AFTER the file upload (and HTTP defines no constraints as to what order variables ought to be POSTed in, though in my experience most browsers POST in html form order) will not be exposed to you.

also note that
my $filehandle = $q->upload("file");
is a trivial function call, it's just handing back a file handle to the already existent file. I think this goes against most people's expectations.

my final words: use $ENV{CONTENT_LENGTH}, s'what it's there for. and CGI isn't as perfect as you think I thought it is was.

It's not what you look like, when you're doin' what you're doin'.
It's what you're doin' when you're doin' what you look like you're doin'!
     - Charles Wright & the Watts 103rd Street Rhythm Band
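The ordering qbxk describes, as an added example that is not code from the thread: the Content-Length check happens while nothing has yet been read from STDIN, and $CGI::POST_MAX is set before CGI->new as a second line of defence. The 2 MB limit, the form field name "file" and the reject() helper are assumptions for the illustration.

```perl
#!/usr/bin/perl
# Added example (not from the thread): reject an oversized upload before
# CGI.pm spools the request body to a temp file.
use strict;
use warnings;

my $MAX_BYTES = 2 * 1024 * 1024;   # assumed policy limit: 2 MB

# Step 1: look at the Content-Length header. Apache sets it in %ENV before
# the script starts, so at this point nothing has been read from STDIN and
# no temp file exists yet.
my $len = $ENV{CONTENT_LENGTH};

if ( ( $ENV{REQUEST_METHOD} || '' ) eq 'POST' ) {
    if ( !defined $len || $len !~ /^\d+$/ ) {
        reject( 411, 'Length Required', 'A numeric Content-Length is required.' );
    }
    if ( $len > $MAX_BYTES ) {
        # Refuse without ever touching the body: no bandwidth spent reading
        # it into a temp file, no disk consumed.
        reject( 413, 'Request Entity Too Large',
                "Upload exceeds the $MAX_BYTES-byte limit." );
    }
}

# Step 2: only now bring in CGI.pm. POST_MAX must be set before the
# constructor runs, because the constructor is what reads <STDIN>; it
# catches a body that is larger than the Content-Length header claimed.
# As qbxk notes, form fields that follow the file part in the stream are
# lost once POST_MAX cuts the read short, so treat it as a backstop only.
require CGI;
$CGI::POST_MAX        = $MAX_BYTES;
$CGI::DISABLE_UPLOADS = 0;

my $q = CGI->new;   # the whole (bounded) body is read and spooled here

if ( my $err = $q->cgi_error ) {    # set when POST_MAX was exceeded
    reject( 413, 'Request Entity Too Large', $err );
}

# upload() just hands back a handle to the already-spooled temp file, so
# -s on it (the check monkfan suggested) is cheap: it is a stat, not a read.
my $fh = $q->upload('file');
if ( !defined $fh ) {
    reject( 400, 'Bad Request', 'No file was uploaded in field "file".' );
}
my $size = -s $fh;

print "Content-Type: text/plain\r\n\r\n";
print "Received $size bytes (Content-Length said $len).\n";

# Emit a CGI status header and stop; Apache turns "Status:" into the
# HTTP response code.
sub reject {
    my ( $code, $reason, $msg ) = @_;
    print "Status: $code $reason\r\nContent-Type: text/plain\r\n\r\n$msg\n";
    exit 0;
}
```

A client can still lie in Content-Length, which is why the POST_MAX guard stays in place; the Content-Length check is what saves the bandwidth and disk, the POST_MAX check is what keeps a dishonest header from defeating the limit.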

Re^2: Limiting size of uploads
by Andre_br (Pilgrim) on Jun 05, 2006 at 18:18 UTC
    Hello dear jZed, TedPride, monkfan and qbxk!

    I entered the code world a couple of years ago, and while the language keeps proving itself one of the most powerful available, the Perl community just couldn't be more supportive! Happy to have you guys with me!

    I went with the most simple one, the -s monkfan suggested. Monkfan, this was just what I was looking for! Thanks!

    You guys also mentioned the $CGI::POST_MAX variable, which is an extra security measure I have added. I wasn't bothering with users landing huge files on my disk, as long as I could get rid of them after checking the handle size. But it sure is a good thing to do.

    Also thanks a lot for the important info you provided on the CGI.pm internals, qbxk! Very interesting, this detail that the ->upload function is not the one triggering the upload, as I expected too. I'll keep that in mind now.

    Well, all implemented. Thanks a lot folks!

    André