SitePoint Sponsor

User Tag List

Results 1 to 7 of 7
  1. #1
    SitePoint Zealot
    Join Date
    Jul 2004
    Location
    Brazil,Maringá-PR
    Posts
    128
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    MAX_FILE_SIZE bug?

    The follow code is a working upload script with MAX_FILE_SIZE
    Code:
    <html>
    	<body>
    		<form enctype="multipart/form-data" action="<?= $_SERVER['PHP_SELF'] ?>" method="POST">
    			<input type="hidden" name="MAX_FILE_SIZE" value="200000">
    			<input name="userfile" type="file">			
    			<input type="submit" value="SEND">
    		</form>
    		<?
    			print_r($_FILES);
    		?>
    		</pre>
    	</body>
    </html>
    The only problem is that if I send a file bigger than MAX_FILE_SIZE (200k), the upload doesn't stop instantly as should do. My php version is 4.3.9 and there's a working copy of this script at: http://www.flexbrasil.com.br/up.php
    I tried with php 4.3.8 and didn't work too. Does I need another conf? My .ini confs:
    memory_limit = 32M
    post_max_size = 8M
    upload_max_filesize = 10M
    I thing must exist a conf maybe in apache, or is it a bug? I'm pretty shure that it worked sometime in the past.

  2. #2
    Sell crazy someplace else markl999's Avatar
    Join Date
    Aug 2003
    Location
    Manchester, UK
    Posts
    4,007
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    It won't ever stop instantly unless you have some client side script checking the size of the file first. The only way for the server to know it's too big is to first upload it

  3. #3
    Resident Java Hater
    Join Date
    Jul 2004
    Location
    Gerodieville Central, UK
    Posts
    446
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Most browsers ignore this field. You just need to make server side validation (not to mention sneeky buggers will easily alter this if they wanted to upload a ultra large file)

    mmm, I wouldn't exactly say this is an advanced topic

  4. #4
    SitePoint Enthusiast
    Join Date
    Jun 2004
    Location
    New Jersey
    Posts
    69
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by markl999
    It won't ever stop instantly unless you have some client side script checking the size of the file first. The only way for the server to know it's too big is to first upload it
    Since client side scripts can be disabled, there is no real use in ever having a client side script check the file size, unless ofcourse your not concerned with the security.

    Basically you're forced to allow them to upload the file before checking to make sure its an acceptable size using the $_FILE array.

  5. #5
    SitePoint Zealot
    Join Date
    Jul 2004
    Location
    Brazil,Maringá-PR
    Posts
    128
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    This is a quote from the php extended manual. The bold text is the one that interest me

    Warning:
    The MAX_FILE_SIZE is advisory to the browser. It is easy to circumvent this maximum. So don't count on it that the browser obeys your wish! The PHP-settings for maximum-size, however, cannot be fooled. But you should add MAX_FILE_SIZE anyway as it saves users the trouble to wait for a big file being transfered only to find out that it was too big afterwards.
    http://br2.php.net/manual/en/features.file-upload.php
    Now is it clear what behavior I'm expecting?

  6. #6
    SitePoint Zealot
    Join Date
    Jul 2004
    Location
    Brazil,Maringá-PR
    Posts
    128
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Does any body knows about this behavior?

  7. #7
    SitePoint Zealot
    Join Date
    Jul 2004
    Location
    Brazil,Maringá-PR
    Posts
    128
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    The script below shows that the upload stop to be copied to the upload_tmp_dir when it overlap MAX_FILE_SIZE
    http://www.flexbrasil.com.br/upload.htm

    This is a piece of code from the PHP source. file rfc1867.c
    This while loop shows that PHP do check max_file_size and stop coping the uploaded file.

    code:
    while (!cancel_upload && (blen = multipart_buffer_read(mbuff, buff, sizeof(buff) TSRMLS_CC)))
    {
    if (PG(upload_max_filesize) > 0 && total_bytes > PG(upload_max_filesize)) {
    sapi_module.sapi_error(E_WARNING, "upload_max_filesize of %ld bytes exceeded - file [%s=%s] not saved", PG(upload_max_filesize), param, filename);
    cancel_upload = UPLOAD_ERROR_A;
    } else if (max_file_size && (total_bytes > max_file_size)) {
    sapi_module.sapi_error(E_WARNING, "MAX_FILE_SIZE of %ld bytes exceeded - file [%s=%s] not saved", max_file_size, param, filename);
    cancel_upload = UPLOAD_ERROR_B;
    } else if (blen > 0) {
    wlen = fwrite(buff, 1, blen, fp);

    if (wlen < blen) {
    sapi_module.sapi_error(E_WARNING, "Only %d bytes were written, expected to write %d", wlen, blen);
    cancel_upload = UPLOAD_ERROR_C;
    } else {
    total_bytes += wlen;
    }
    }
    }
    fclose(fp);


Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •