I was trying to make a file upload form and checked the PHP documentation to refresh my memory on the subject. Here is a link to the relevant article. All of a sudden I noticed this message:
The MAX_FILE_SIZE hidden field (measured in bytes) must precede the file input field, and its value is the maximum filesize accepted by PHP. This form element should always be used as it saves users the trouble of waiting for a big file being transferred only to find that it was too large and the transfer failed. Keep in mind: fooling this setting on the browser side is quite easy, so never rely on files with a greater size being blocked by this feature. It is merely a convenience feature for users on the client side of the application. The PHP settings (on the server side) for maximum-size, however, cannot be fooled.
OK... Say what? First it tells that it must precede the file upload field. Then it tells us that it is merely for convenience. And besides - it's on client side anyway so anyone can mess with it. After googling around I also found information that there are no known browsers that support it.
WTF? Why is it said that it must precede the file upload field if it seems to be (for all intents and purposes) absolutely pointless? Should I bother putting it in my HTML at all?
After failed attempt to find any authoritative information about MAX_FILE_INFO i've decided to resort to drastic measures - and peeked at PHP's holy source.
I scanned entire PHP source recursively using grep:
grep -ri MAX_FILE_SIZE .
The only place that mentioned this variable was (excluding tests folder) - rfc1867.c file.
Completely expectable since rfc1867 standard deals with file uploads.
Related C code:
......
if (!strcasecmp(param, "MAX_FILE_SIZE")) {
max_file_size = atol(value);
}
......
......
if (PG(upload_max_filesize) > 0 && (total_bytes+blen) > PG(upload_max_filesize)) {
cancel_upload = UPLOAD_ERROR_A;
} else if (max_file_size && ((total_bytes+blen) > max_file_size)) {
cancel_upload = UPLOAD_ERROR_B;
} else if
....
So - here's short explanation of above code:
1) first we get the value of MAX_FILE_SIZE into max_file_size variable.
2) Then we check if max_file_size value exists and if the sum of already accepted bytes (total_bytes) + the size of bytes in the buffer(blen) exceeds max_file_size.
3) If 2 is true - at this point we cancel upload with some error code that's been set by this constant: UPLOAD_ERROR_B
BUT - as you can see - right before checking max_file_size variable - PHP performs EXACTLY THE SAME CHECK for upload_max_filesize variable!!!
So - there we have it.
Conclusion:
IMHO - op is right - there is 0 point in including MAX_FILE_SIZE into your forms! Simply set upload_max_filesize in your php.ini file or dynamically via ini_set().
At the moment there are no browsers that actually care about the MAX_FILE_SIZE directive so it is pretty pointless. I suppose it does give you more granular control over max sizes on upload (as the poster above stated) rather than going with php.ini's, but personally I just ignore it, and you probably should too. It will certainly not stop a user uploading a larger than required file - the manual is fairly misleading in this regard.
Until we find browsers that support it, there's no point on the client side.
However, on the server side, MAX_FILE_SIZE does affect the values you get from $_FILES['your_file'].
Assuming the browser's request actually made it through post_max_size, usually this is what PHP gives:
array(5) {
["name"]=> string(11) "my_upload.dll"
["type"]=> string(24) "application/x-msdownload"
["tmp_name"]=> string(26) "C:\WINDOWS\Temp\php86A.tmp"
["error"]=> int(0) // UPLOAD_ERR_OK
["size"]=> int(238592)
}
But if uploaded file size exceeds MAX_FILE_SIZE, you'd see:
array(5) {
["name"]=> string(11) "my_upload.dll"
["type"]=> string(0) ""
["tmp_name"]=> string(0) ""
["error"]=> int(2) // UPLOAD_ERR_FORM_SIZE
["size"]=> int(0)
}
And the part on "MAX_FILE_SIZE must precede the file input field" is not a joke. It actually works because PHP will interpret the browser's POST request payload sequentially:
<input name=F1 type=file>
<input name=F2 type=file>
F1 and F2 will not be affected by MAX_FILE_SIZE
<input name=MAX_FILE_SIZE value=1024 type=hidden>
<input name=F3 type=file>
<input name=F4 type=file>
F3 and F4 will have MAX_FILE_SIZE = 1024 bytes
<input name=MAX_FILE_SIZE value=0 type=hidden>
<input name=F5 type=file>
<input name=F6 type=file>
F5 and F6 will have MAX_FILE_SIZE = 0 (infinite)
<input name=MAX_FILE_SIZE value=1 type=hidden>
<input name=F7 type=file>
<input name=F8 type=file>
F7 and F8 will have MAX_FILE_SIZE = 1 byte
Also note that PHP interprets MAX_FILE_SIZE case insensitively, so maX_fILe_sIZE and Max_File_SIZE would work too.
I believe the point is that conformant browsers would prevent form submission in the case where the user selected a file that was too large, which would save them having to perform at least a partial upload (which could take a while) of a file that was going to be rejected.
On the server side, PHP still checks and enforces the various limits set in PHP.ini, and will reference the fact that an upload was too large in the normal manner, i.e. an error code set in $_FILES. You might think of the field as an analogy to JavaScript validation - we might do a quick client-side check for the user's convenience, but we still do a proper server-side test and enforce it for all requests.
As others have stated, there don't appear to be any browsers that actually bother to perform this check, making it relatively useless.
What follows is me being wrong, please read the other answers which are better-informed, and accurate (AFAIK).
I think the point is exactly as it states:
This form element should always be
used as it saves users the trouble of
waiting for a big file being
transferred only to find that it was
too large and the transfer failed
Yes, it can be fooled, and so shouldn't be relied on to prevent larger files from being uploaded, but for non-malicious users if the uploaded file is bigger than the integer in this field, PHP disallows this upload and presents an error code in the $_FILES array (source - comments on php.net).
I use it to set file size limit when a particular application needs smaller files than the limit in php.ini. My php scripts check it, but it is set in the HTML form. Different forms have different file size limits. I am not sure if this has much to do with the intended use, but it makes it easier to reuse my scripts. It would be good if it could be checked at the browser level, but it's not the only reason it is useful.
Related
I have a php script where I store a file uploaded by the user in a tmp folder and then move it to s3. I also check if the emails they entered are valid in the database. I am using chunking so that large files can get uploaded to the server quickly. My post_max_size is 8M, however I am only able to upload files that are very small.
For example, If I upload a 7M file, I get an alert I set which says the file size is too large. This alert is only supposed to show if file size is >8M. If I upload a 1 KB file, it uploads the file successfully. Am I doing something incorrectly? I'm fairly new to php so I'd appreciate the help!
I'm not sure how relevant this may be, but I noticed that you haven't specified anywhere that the type of the data is "multipart/form-data". I've always been under the impression that a file upload won't work correctly unless this is specified.
Also not related per se but I see you're using jQuery. I recommend moving away from that and using the native fetch API. It's a cleaner and more modern solution.
ini_get('post_max_size') can (and will) return human-friendly values. So you will end up comparing integer file size values with string values (8M in your case). And 9000 > '8M'...
UPDATE:
There is no need to explicitly use the PHP configuration values post_max_size or upload_max_filesize, because:
in case of exceeding the post_max_size value, the $_FILES array will be empty, plus a warning will be generated, e.g.:
Warning: POST Content-Length of 3414 bytes exceeds the limit of 2048 bytes in Unknown on line 0
in case of exceeding the upload_max_filesize value, the corresponding 'error' field(s) within the $_FILES array will contain the UPLOAD_ERR_INI_SIZE value, e.g:
array(1) { ["name"]=> array(5) { ["name"]=> string(12) "filename.ext" ["type"]=> string(0) "" ["tmp_name"]=> string(0) "" ["error"]=> int(1) ["size"]=> int(0) } }
All the above mean that if there's a non-empty $_FILES array available and the value of the error field is UPLOAD_ERR_OK, you can be sure that the upload was successful and configuration values were also respected.
In your case this translates to the condition if ($_FILES['file']['size'] <= ini_get('post_max_size')) ... not only incorrect (comparing integer file sizes (e.g. 9000) with possibly non-integer strings (e.g. '8M')), but also not needed at all.
I trying to use file input to upload a 3.5MB file, but when I try to upload it, I get a $_FILES['error'] == 2, I believe that is telling me that the file is way too big.
what can I do to get this to upload?
here is some of my code:
<input type="hidden" name="MAX_FILE_SIZE" value="100000000000000000000000000000000000000000000000000000000000000">
<input type="file" id="home_pdf" name="home_pdf">
my php settings are the following:
post_max_size = 128M
memory_limit = 128M
max_file_uploads = 20
max_execution_time = 30
upload_max_filesize = 128M
100000000000000000000000000000000000000000000000000000000000000 is too big of a number, and overflows. Try 134217728 instead (128MB).
PHP has a maximum int value of 9,223,372,036,854,775,807 on 64 bit installations and 2,147,483,647 on 32-bit installations.
I've tested this and can reproduce your issue and it gets fixed by lowering the value.
See POST method uploads
The MAX_FILE_SIZE hidden field (measured in bytes) must precede the file input field, and its value is the maximum filesize accepted by PHP. This form element should always be used as it saves users the trouble of waiting for a big file being transferred only to find that it was too large and the transfer failed. Keep in mind: fooling this setting on the browser side is quite easy, so never rely on files with a greater size being blocked by this feature. It is merely a convenience feature for users on the client side of the application. The PHP settings (on the server side) for maximum-size, however, cannot be fooled.
Your MAX_FILE_SIZE field is too big.
from the PHP manual:
UPLOAD_ERR_FORM_SIZE
Value: 2; The uploaded file exceeds the MAX_FILE_SIZE directive that was specified in the HTML form
According to docs:
UPLOAD_ERR_FORM_SIZE
Value: 2; The uploaded file exceeds the MAX_FILE_SIZE directive that was specified in the HTML form.
You should check the MAX_FILE_SIZE directive that was specified in the HTML form.
Also, as noted from #BrandonWamboldt, you have specified an invalid attribute value for the MAX_FILE_SIZE directive.
It may sound silly, but sometimes it is necessary in upload script to add a setting for php_ini. Example:
ini_set("max_execution_time", 120);
ini_set("max_input_time", 120);
ini_set("memory_limit", "128M");
ini_set("upload_max_filesize", "10M");
ini_set("post_max_size", "10M");
For some reason this works. I had a similar problem and that was my solution.
My opinion for name MAX_FILE_SIZE and value 100000000000000000000000000000000000000000000000000000000000000 is realy bad move and not recommended to be visible. That part define in PHP upload function and reduce the number of zeros (the value is tooooooooo large).
I have multiple file uploads but the $_FILES seems to be chunked after 20 inputs
var_dump($_FILES); //gives array(20){ ... } although there are more file inputs
This is the public php_info
Which parameter is responsible for this limit ?
As a workaround, I used some javascript:
<input id="input_fileXX" type="file" class="input_file">
----
$('.input_file').on('change',function(){
$(this).prop('name',$(this).prop('id'));
});
This allows to only send the inputs that have change. This is useful when you can't change php.ini.
http://www.php.net/manual/en/features.file-upload.multiple.php
Since PHP 5.2.12, the max_file_uploads configuration setting acts as a limit on the number of files that can be uploaded in one request. You will need to ensure that your form does not try to upload more files in one request than this limit.
I was trying to upload a file which is 20MB in size. Now default form upload size is 8MB. When I upload such a file i get $_POST and $_FILE variables empty. Now I want to put a check on file size. If I get both these variables empty, how can I put such a check ?? Please give me suggestions
Barring any code errors, its most likely your 20MB exceeds your upload limit.
Change this permanently from your php.ini file.
Use
ini_set("upload_max_filesize", "30M");
to set your max upload size for that session only. And for POST
Use this
ini_set("post_max_size", "30M");
To check the sizes
echo ini_get("post_max_size") . "\n";
echo ini_get("upload_max_filesize");
No idea what you actually want. But you can probe the recieved content size using:
$_SERVER["CONTENT_LENGTH"]
This should tell how big the POST request body would have been. (The number might be higher than the actual received content, in case of an aborted upload.)
Checkout php://input, the allowed 8mb part of it should be there.
For example echo file_get_contents('php://input');
You can dynamically set your max file size for upload.
write down below statement in your upload function where you are trying to upload file.
this will enhance limit up to 50 MB
ini_set("upload_max_filesize", "50M");
If you want to check file variables, you can user alternative HTTP_POST_FILES
$theFileSize = $HTTP_POST_FILES['file']['size'];
Hope this may help you.
Thanks.
Use MAX_FILE_SIZE as a hidden input field, this will stop the user waiting if the file is larger than the limit and won't execute your code so the variables won't be empty...
The MAX_FILE_SIZE hidden field (measured in bytes) must precede the
file input field, and its value is the maximum filesize accepted by
PHP. This form element should always be used as it saves users the
trouble of waiting for a big file being transferred only to find that
it was too large and the transfer failed. Keep in mind: fooling this
setting on the browser side is quite easy, so never rely on files with
a greater size being blocked by this feature. It is merely a
convenience feature for users on the client side of the application.
The PHP settings (on the server side) for maximum-size, however,
cannot be fooled.
http://www.php.net/manual/en/features.file-upload.post-method.php
I'm using PHP for file uploads. In the PHP manual it shows an example using a MAX_FILE_SIZE hidden field, saying that it will detect on the client side (i.e. the browser) whether the file is too large or not.
I've just tried the example in Firefox, Chrome and IE and it doesn't work. The file is always uploaded, even if it is way larger than the specified hidden field.
Incidentally, if the file is larger than MAX_FILE_SIZE then calling move_uploaded_file doesn't work, so it seems the variable is having an effect server-side, but not client-side.
On MAX_FILE_SIZE
Read This:
...At http://pk.php.net/manual/en/features.file-upload.post-method.php and equivalent locations in other formats, it is stated
that browsers take the value of a MAX_FILE_SIZE form field into
account.
This information is repeated elsewhere on the web and in books, but
appears to originate from the PHP documentation (it does not appear in
terms of other server-side technologies).
There is nothing in any of the HTML, HTTP or related specs to indicate
that this is the case (in particular RFC 1867 which introduced file
uploads to HTML doesn't mention it, so it isn't even a case of a kludge
that was mentioned in the first RFC and then dropped) nor does it make
sense in the context of the HTML specs (there is nothing to indicate any
relationship between that particular hidden input and the file input).
The only statements about hidden fields I could find in any of them was
warnings in the security considerations sections against user-agents
basing any file-related operations on anything mentioned in a hidden
field.
No browsers appear to perform this as an "extension". Indeed given that
there are potentially other possible meanings for a hidden field with
that name in an application handling several file uploads, it would have
to be considered a design flaw any any did.
I submit that there is no such mechanism in mainstream browsers (if any
at all) and indeed shouldn't be. Reference to it should be dropped from
documentation.
I'd further suggest that since this idea has propagated from this
documentation elsewhere that a note about it not working should to be
added.
If a mechanism is required or desired for more rapidly handling this
sort of file handling issue then it requires functionality to allow PHP
to intercept streams being uploaded before request completion, which
would be completely different to how this documentation suggest it
should be dealt with, even if it was true...
http://www.juangiordana.com.ar/blog/2007/12/08/max_file_size-erroneo/
the code below come from swfUpload php implementation:
// Check post_max_size (http://us3.php.net/manual/en/features.file-upload.php#73762)
$POST_MAX_SIZE = ini_get('post_max_size');
$unit = strtoupper(substr($POST_MAX_SIZE, -1));
$multiplier = ($unit == 'M' ? 1048576 : ($unit == 'K' ? 1024 : ($unit == 'G' ? 1073741824 : 1)));
if ((int)$_SERVER['CONTENT_LENGTH'] > $multiplier*(int)$POST_MAX_SIZE && $POST_MAX_SIZE) {
header("HTTP/1.1 500 Internal Server Error");
echo "POST exceeded maximum allowed size.";
exit(0);
}
// Validate the file size (Warning the largest files supported by this code is 2GB)
$max_file_size_in_bytes = 2147483647;
$file_size = #filesize($_FILES[$upload_name]["tmp_name"]);
if (!$file_size || $file_size > $max_file_size_in_bytes) {
HandleError("File exceeds the maximum allowed size");
exit(0);
}
This probably only works on Firefox 3.6 for now:
<script type="text/javascript">
function checkSize()
{
var input = document.getElementById("upload");
// check for browser support (may need to be modified)
if(input.files && input.files.length == 1)
{
if (input.files[0].fileSize > 1024) /* or maybe .size */
{
alert("The file must be less than 1KB");
return false;
}
}
return true;
}
</script>
<form method="post" enctype="multipart/form-data" onsubmit="return checkSize()">
<input type="file" id="upload" />
<input type="submit" />
</form>
See http://www.w3.org/TR/FileAPI/.
As far as I know there is no simple, cross-browser solution to achieve this. The only working solutions are Flash or Java based since these technologies can access filesystem and get file info.
Example scripts: YUI2 Uploader, FancyUpload, SWFUpload
If you are using MAX_FILE_SIZE hidden field properly, the file uploading will just stop when the uploaded size reaches the specified value. And thus saves users the trouble of waiting for a big file being transferred.
You have to check whether the file upload is stopped, in the server side by using the error code generated.
if($_FILES['userfile']['error'] == 2)
{
die("Maximum file size Exceeded");
}