Question

I got a script that takes the query string provided to it and, exploding it, loads the matching files from a directory. Here is the script:

<?php
header("Content-type: text/css");

$safehash = sha1('binary-style_1afn34jdd2'); // the argument must be a quoted string; this value is not used below

$css = '';
$root = 'css/'; //directory where the css lives
$files = explode(',',$_SERVER['QUERY_STRING']);
if(sizeof($files))
{
  foreach($files as $file)
  {
    $css.= (is_file($root.$file.'.css') ? file_get_contents($root.$file.'.css') : '');
  }
}
function compress($css){
  // Remove comments
  $css = preg_replace('!/\*[^*]*\*+([^/][^*]*\*+)*/!', '', $css);
  // Remove spaces before and after symbols
  $css = preg_replace('/(\s(?=\W))|((?<=\W)\s)/', '', $css);
  // Remove remaining whitespace
  $css = str_replace(array("\r\n","\r","\n","\t",'  ','    '), '', $css);
  return $css;
}

echo compress($css);
?>

The problem is that someone could potentially crash the server by eating up reads just by adding more and more queries to the script, such as style.php?sheet,sheet,sheet,sheet.....etc. What would be the best way to secure this code?

Solution

You could simply have a limit on the size of the query string:

if(mb_strlen($_SERVER['QUERY_STRING'])>10) {
    header('HTTP/1.0 413 Request Entity Too Large');
    exit;
}
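A hardened variant of the bundler that applies the length limit from the answer and also caps the number of distinct sheets and restricts each name to an allow-list, so a repeated or path-like name can never reach the filesystem calls. This is an added example, not the asker's or answerer's code; the limits, the `selected_sheets()` helper and the PHP 7.4+ syntax are assumptions.

```php
<?php
// Added example, not the asker's or answerer's code: a hardened variant of the
// stylesheet bundler. The limits below are assumptions; tune them to the real site.
header("Content-type: text/css");

const MAX_QUERY_LENGTH = 64;   // assumed cap on the raw query string
const MAX_SHEETS       = 5;    // assumed cap on distinct sheets per request
const SHEET_NAME       = '/^[A-Za-z0-9_-]{1,32}$/'; // plain names only

/**
 * Parse the query string into a bounded list of safe sheet names.
 * Returns null when the request should be rejected outright.
 */
function selected_sheets(string $query): ?array
{
    // Reject oversized requests before doing any work (the answer's check).
    if (strlen($query) > MAX_QUERY_LENGTH) {
        return null;
    }
    // Split, trim, drop empties and de-duplicate: "a,a,a,a" is served once.
    $names = array_unique(array_filter(array_map('trim', explode(',', $query)), 'strlen'));
    // Keep only names matching the allow-list; no '/', '.' or NUL can pass,
    // so "../"-style paths never reach is_file()/file_get_contents().
    $names = array_values(array_filter($names, fn($n) => preg_match(SHEET_NAME, $n) === 1));
    // Cap the number of files read per request.
    return count($names) > MAX_SHEETS ? null : $names;
}

$sheets = selected_sheets($_SERVER['QUERY_STRING'] ?? '');
if ($sheets === null) {
    header('HTTP/1.1 400 Bad Request');
    exit;
}

$root = __DIR__ . '/css/';   // directory where the css lives
$css  = '';
foreach ($sheets as $sheet) {
    $path = $root . $sheet . '.css';
    if (is_file($path)) {
        $css .= file_get_contents($path);
    }
}

echo $css; // pass through the page's compress() here if minification is still wanted
```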
Licensed under: CC-BY-SA with attribution