[OWASP_PHPSEC] Couple of Questions on Code

Abbas Naderi abiusx at owasp.org
Thu Jun 27 17:52:28 UTC 2013


Hi Azzeddine,
Good to have you back on board.
Rahul, what Azzeddine said is true. set_time_limit(0) means unlimited time, though it needs to be allowed by php.ini, so it's better to check it somewhere and throw an exception if it is not supported.

BandwidthLimits are means of limiting the speed visitors can download files at. For example if you're providing videos or music archives, you don't want them to be leeched and you don't want your server to be overwhelmed, so you put a limit of 512kbps per person per file. That means that a minimum of 2000 users can download files from your server if you're serving on a 1gbps connection.

Since we don't want this limit to be enforced upon JavaScript and CSS files that actually form our web pages (yet are counted as static downloadable contents) we set a minimum size for enabling the limitation. For example for all files that are bigger than 1MB we set this limit and others are unlimited in bandwidth, so that our website doesn't look slow or problematic to the end user.

Thanks
-Abbas
On Tir 6, 1392, at 9:35 PM, Azeddine Islam Mennouchi <azeddine.mennouchi at owasp.org> wrote:

> I do not have any knowledge about jframework
> but for the 2nd question it is totally the contrary: it will make an error go away
> if any action you are doing can take more than the max_execution time you need to put set_time_limit(0) or you will get "Maximum execution time exceeded"
> I think that $BandwidthLimitInitialSize is a bandwidth limitation (the amount of data that you read in one time)
> The rest I can't tell
> 
> Regards Islam,
> 
> 
> On Thu, Jun 27, 2013 at 5:30 PM, rahul chaudhary <rahul300chaudhary400 at gmail.com> wrote:
> This is the code inside Feed in download.php inside jFramework. Comments are my questions:
> 
> //Q1-> What does $BandwidthLimitInitialSize represent ???
> if (self::$BandwidthLimitInitialSize>0 && $FileSize > self::$BandwidthLimitInitialSize)
>         {
>             $f = fopen($File, "rb");
>             fseek($f, $seek_start);
>             set_time_limit(0);   // Q2->   Why is time set to 0. Wouldn't it trigger an error ???
>             while (! feof($f))
>             {
>                 echo fread($f, self::$BandwidthLimitSpeed);
>                 flush();
>                 ob_flush(); //Q3->  You haven't done ob_Start() here but still you are using ob_flush() ???
>                 sleep(1);  //Q4->   Why sleep ???
>             }
>             fclose($f);
>             return true;
>         }
> 
> 
> -- 
> Regards,
> Rahul Chaudhary
> Ph - 412-519-9634
> 
> _______________________________________________
> OWASP_PHP_Security_Project mailing list
> OWASP_PHP_Security_Project at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp_php_security_project
> 
> 
> 
> 
> -- 
> Islam Azeddine Mennouchi
> Consultant at NovaSup
> http://www.novasup.com/
> OWASP ALGERIA Chapter Leader
> phone n°: +213796314102

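The throttled download loop discussed in this thread, with the check on set_time_limit(0) that the reply recommends and a guard around ob_flush(), as an added example that is not jFramework's code or part of the original messages. The function name sendThrottled and its parameters are hypothetical, and the sample file is constructed.

```php
<?php
// Added example; sendThrottled() and its parameters are hypothetical names,
// not jFramework's API.
function sendThrottled(string $file, $out, int $minSize, int $bytesPerSec, int $seekStart = 0): int
{
    if ($bytesPerSec < 1) {
        throw new InvalidArgumentException('bytesPerSec must be positive');
    }
    $size = filesize($file);
    $in = fopen($file, 'rb');
    if ($size === false || $in === false) {
        throw new RuntimeException("cannot read $file");
    }
    // Throttle only files above the minimum size, so page assets stay fast.
    $throttle = $minSize > 0 && $size > $minSize;
    // A throttled transfer outlives max_execution_time: fail early if it cannot be lifted.
    if ($throttle && (!function_exists('set_time_limit') || !set_time_limit(0))) {
        fclose($in);
        throw new RuntimeException('set_time_limit(0) is not permitted here');
    }
    fseek($in, $seekStart);
    $sent = 0;
    $chunk = $throttle ? $bytesPerSec : 65536;
    while (!feof($in) && !connection_aborted()) {
        $data = fread($in, $chunk);
        if ($data === false || $data === '') {
            break;
        }
        $sent += (int) fwrite($out, $data);
        if (ob_get_level() > 0) {
            ob_flush();          // only valid while an output buffer is active
        }
        flush();
        if ($throttle && !feof($in)) {
            sleep(1);            // one chunk per second = bytesPerSec
        }
    }
    fclose($in);
    return $sent;
}

// Constructed sample: 3000-byte temp file, 1000-byte minimum size, 1000 B/s.
$tmp = tempnam(sys_get_temp_dir(), 'dl');
file_put_contents($tmp, str_repeat('A', 3000));
$out = fopen('php://memory', 'w+b');
$start = microtime(true);
$sent = sendThrottled($tmp, $out, 1000, 1000);
printf("sent %d bytes in %.1f s\n", $sent, microtime(true) - $start);
unlink($tmp);
```

In a real download handler `$out` would be `php://output`; each throttled client holds a PHP worker for the whole transfer, so worker limits need sizing with that in mind.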