Page 1 of 1
upload file MAX_FILE_SIZE
Posted: Fri Jun 08, 2007 1:58 am
by Rioku
I have read as much as I can find but I simply can not get the code to work the way I expect it to. I want the code to not upload a file if it is to large and to have it message the user that the file is too large. So far I can only make that message after the file is uploaded, which is annoying to have to wait to find out.
I am using PHP version: 4.4.2
Code: Select all
<?php
$flag = $_POST['flag'];
if ($flag != "")
{
$flag = "";
$target_path = "uploads/";
$target_path = $target_path . basename( $_FILES['uploadedfile']['name']);
if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path))
{
$Message = "The file ". basename( $_FILES['uploadedfile']['name']).
" has been uploaded";
}
else
{
switch ($_FILES['uploadedfile'] ['error'])
{
case 1:
$Message = '<p> The file is bigger than this PHP installation allows</p>';
break;
case 2:
$Message = '<p> The file is bigger than this form allows</p>';
break;
case 3:
$Message = '<p> Only part of the file was uploaded</p>';
break;
case 4:
$Message = '<p> No file was uploaded</p>';
break;
default:
$Message = 'Error: ' . $_FILES['uploadedfile'] ['error'];
};
}
}
if($flag == "")
{
echo $Message;
echo $Message2;
echo
"
<form enctype=\"multipart/form-data\" action=\"upload.php\" method=\"POST\">
<input type=hidden name=MAX_FILE_SIZE value=1 />
Choose a file to upload: <input name=\"uploadedfile\" type=\"file\" /><br />
<input type=\"submit\" value=\"Upload File\" />
<input type=hidden name=flag value = true>
</form>
";
}
?>
Can you see what is wrong with my use of MAX_FILE_SIZE that is allowing the files to be uploaded???
note: I have tried all sorts of uses of double quotes and single quotes and so on so that does not seem to be the issue.
I thank you in advance for your help.
Posted: Fri Jun 08, 2007 9:21 am
by Chris Corbyn
Look at PHP's ini setting for post_max_size since that may be overriding the setting sent by the client.
Posted: Fri Jun 08, 2007 10:41 am
by Rioku
This is where things get annoying... I am not sure I have permission to access php.ini on the server I have to use... is there anything else i can try?
Re: upload file MAX_FILE_SIZE
Posted: Fri Jun 08, 2007 10:50 am
by onion2k
Rioku wrote:Can you see what is wrong with my use of MAX_FILE_SIZE that is allowing the files to be uploaded?
If I understand your point correctly then I think you've misunderstood what MAX_FILE_SIZE does. It won't stop a file larger than that amount being uploaded, it'll stop PHP putting it into the $_FILES array after it's reached the server. It's a 'soft' limit that's applied after the post_max_size and max_upload_size limits from php.ini.
If you want to stop people uploading larger files then your only course of action is Java, or possibly Flash.
Posted: Fri Jun 08, 2007 11:15 am
by Rioku
Yes you understood my question correctly. And your answer is what I feared.

time to look into a java solution. It just seems odd that PHP would not be able to check if the file was too large before the upload was attempted.
Posted: Fri Jun 08, 2007 12:49 pm
by onion2k
PHP is a server side language. It has absolutely nothing to do with what goes on at the browser.
Posted: Fri Jun 08, 2007 3:01 pm
by inghamn
PHP does provide workaround for this waiting game. If, in your form, you include a special input named "MAX_FILE_SIZE"
before the file input, PHP will error out when the POST data it receives reaches this limit, instead of the post_max_size or upload_max_filesize limits set in php.ini
That is, of course, if you set MAX_FILE_SIZE to be smaller than the limits set in php.ini. Either way, though PHP's still a server side language, and as such none of your code runs until a browser GETs or POSTs a request to your webserver. How is PHP supposed to know how big said file is until the browser sends it?
http://www.php.net/manual/en/features.file-upload.php
Posted: Fri Jun 08, 2007 4:10 pm
by onion2k
inghamn wrote:PHP does provide workaround for this waiting game. If, in your form, you include a special input named "MAX_FILE_SIZE"
before the file input, PHP will error out when the POST data it receives reaches this limit, instead of the post_max_size or upload_max_filesize limits set in php.ini
That is, of course, if you set MAX_FILE_SIZE to be smaller than the limits set in php.ini. Either way, though PHP's still a server side language, and as such none of your code runs until a browser GETs or POSTs a request to your webserver. How is PHP supposed to know how big said file is until the browser sends it?
http://www.php.net/manual/en/features.file-upload.php
Did you bother to read the thread? No, you clearly didn't. In the future kindly
READ THE WHOLE THREAD before you post. You're just repeating what's been said and wasting everyone's time.
Posted: Fri Jun 08, 2007 5:22 pm
by Rioku
PHP does provide workaround for this waiting game. If, in your form, you include a special input named "MAX_FILE_SIZE" before the file input, PHP will error out when the POST data it receives reaches this limit, instead of the post_max_size or upload_max_filesize limits set in php.ini
If you look at my code in the first post you will see that I use the exact syntax you describe, and I set the MAX_FILE_SIZE to 1 which is obviously very small. Even when I do this my code still allows the file larger then 1 byte to be uploaded. The only thing I can think of is that MAX_FILE_SIZE is a PHP 5 feature or that I am doing something wrong. Do you know which is the case??
Posted: Sat Jun 09, 2007 1:52 am
by jmut
Rioku wrote:
PHP does provide workaround for this waiting game. If, in your form, you include a special input named "MAX_FILE_SIZE" before the file input, PHP will error out when the POST data it receives reaches this limit, instead of the post_max_size or upload_max_filesize limits set in php.ini
If you look at my code in the first post you will see that I use the exact syntax you describe, and I set the MAX_FILE_SIZE to 1 which is obviously very small. Even when I do this my code still allows the file larger then 1 byte to be uploaded. The only thing I can think of is that MAX_FILE_SIZE is a PHP 5 feature or that I am doing something wrong. Do you know which is the case??
I really don't understand why you are stuck to this MAX_FILE_SIZE thing. It is client side...it cannot prevent anything - restriction easy to bypass.
Write a simple massage to customer that max 2 MB is allowed, so that customer knows what he can do.... he can try any other size but will be no luck as you will check on server side.
As for the Java thing - I think it is worse solution, you will probably use applets (you don't know if java enabled or not on customers browser). Applet should be signed so that you can read on peoples drives etc etc.
Clear your goal - pros/cons and let us know how you ultimately solved this
Edit: forgot to add this link. should be interesting
http://shiflett.org/articles/file-uploads
Posted: Sat Jun 09, 2007 6:12 am
by onion2k
jmut wrote:I really don't understand why you are stuck to this MAX_FILE_SIZE thing. It is client side...it cannot prevent anything - restriction easy to bypass.
MAX_FILE_SIZE does
nothing on the client. Nothing at all. Zip. Nowt. Zero. Nothing. It is not client side.
It has no effect on the client. It is only used by PHP to validate the size of an upload when it arrives at the server. NOTHING ELSE AT ALL. It is not a client side restriction. PHP cannot tell browsers what to do. Ever. There is nothing in PHP that tells the browser what to do. All PHP can do is construct files and HTTP requests. That's it. No browser directives, no automatic Javascript, no magic validation, NOTHING.
Grr.
I'm going to lock this thread if people persist in trying to say that PHP can validate things on the client.
Posted: Sat Jun 09, 2007 7:52 am
by jmut
onion2k wrote:jmut wrote:I really don't understand why you are stuck to this MAX_FILE_SIZE thing. It is client side...it cannot prevent anything - restriction easy to bypass.
MAX_FILE_SIZE does
nothing on the client. Nothing at all. Zip. Nowt. Zero. Nothing. It is not client side.
It has no effect on the client. It is only used by PHP to validate the size of an upload when it arrives at the server. NOTHING ELSE AT ALL. It is not a client side restriction. PHP cannot tell browsers what to do. Ever. There is nothing in PHP that tells the browser what to do. All PHP can do is construct files and HTTP requests. That's it. No browser directives, no automatic Javascript, no magic validation, NOTHING.
Grr.
I'm going to lock this thread if people persist in trying to say that PHP can validate things on the client.
Dude, you are crazy...where the hell did I tell PHP can prevent things on client side.
I mean MAX_FILE_SIZE is client side..meaning if form is spoofed it could be bypassed...as if not there, hence not to be relied upon.
Gee...crazy..
Posted: Sat Jun 09, 2007 6:09 pm
by Rioku
I really don't understand why you are stuck to this MAX_FILE_SIZE thing. It is client side...it cannot prevent anything - restriction easy to bypass.
I am not trying to stop hacking I am trying to stop stupid users. MAX_FILE_SIZE seems to be the best solution on limiting the file size. What I read tells me php will stop uploading when that file size is reached, which is a lot better then having the user wait till the entire file is uploaded before they get an error. But my code does not seem to work the way it is described which is one of the questions I am asking, does anything know why it is not working the way it is supposed to?
As for the Java thing - I think it is worse solution, you will probably use applets (you don't know if java enabled or not on customers browser). Applet should be signed so that you can read on peoples drives etc etc.
You make good points that I have considered, and I agree with you on this point. It is a lot of work for minimal benefit.
Clear your goal - pros/cons and let us know how you ultimately solved this Smile
My goal is to limit the file upload size, which I can do after the file has gone through the upload process. Done!!
I am investigating what software engineers call a "Nice to have" feature which would be to stop the upload of a too large file before it happens. But as you pointed out it seems to be more trouble then it is worth at this point. So I will keep is as a "Nice to have" for a while.
Posted: Sat Jun 09, 2007 8:17 pm
by feyd
Have you considered setting the value(s) in an .htaccess file?