HTML Upload MAX FILE SIZE does not appear to work

Question

I am wondering how is the hidden field named MAX FILE SIZE supposed to work    lt form action    method  post  enctype  multipart form-data  gt       lt  -- in byes must preceed file field -- gt       lt input type  hidden  name  MAX FILE SIZE  value  2097152    gt        lt input type  file  name  upload    gt        lt input type  submit  name  submit  value  Submit    gt   lt  form gt    I uploaded a 4MB  file but I got no warning from client side  I am not talking about server side   What is it MAX FILE SIZE supposed to do   UPDATE  OK so its for PHP to impose a  soft  limit  But is there any difference between using it and checking something like   FILES  upload    size    lt  2000 in code

User · Answer

Before I start  please let me emphasize that the size of the file must be checked on  the server side  If not checked on server side  malicious users can override your client side limits  and upload huge files to your server  DO NOT TRUST THE USERS   I played a bit with PHP s MAX FILE SIZE  it seemed to work only after the file was uploaded  which makes it irrelevant  again  malicious user can override it quite easily     The javascript code below  tested in Firefox and Chrome   based on Matthew s post  will warn the user  the good  innocent one  a priori to uploading a large file  saving both traffic and the user s time    lt form method  post  enctype  multipart form-data   onsubmit  return checkSize 2097152   gt       lt input type  file  id  upload    gt   lt input type  submit    gt       lt script type  text javascript  gt  function checkSize max img size        var input   document getElementById  upload           check for browser support  may need to be modified      if input files  amp  amp  input files length    1                           if  input files 0  size  gt  max img size                         alert  The file must be less than      max img size 1024 1024     MB                return false                       return true     lt  script gt

User · Answer

PHP net explanation about MAX FILE SIZE hidden field      The MAX FILE SIZE hidden field  measured in bytes  must precede the file input field  and its value is the maximum filesize accepted by PHP  This form element should always be used as it saves users the trouble of waiting for a big file being transferred only to find that it was too large and the transfer failed  Keep in mind  fooling this setting on the browser side is quite easy  so never rely on files with a greater size being blocked by this feature  It is merely a convenience feature for users on the client side of the application  The PHP settings  on the server side  for maximum-size  however  cannot be fooled    http   php net manual en features file-upload post-method php

User · Answer

It s only supposed to send the information to the server  The reason that it must preceed the file field is that it has to come before the file payload in the request for the server to be able to use it to check the size of the upload   How the value is used on the server depends on what you use to take care of the upload  The code is supposedly intended for a specific upload component that specifically looks for that value   It seems that the built in upload support in PHP is one to use this field value

User · Answer

MAX FILE SIZE is in KB not bytes  You were right  it is in bytes  So  for a limit of 4MB convert 4MB in bytes  1024    1024   4   try   lt input type  quot hidden quot  name  quot MAX FILE SIZE quot  value  quot 4194304 quot    gt     Update 1 As explained by others  you will never get a warning for this  It s there just to impose a soft limit on server side  Update 2 To answer your sub-question  Yes  there is a difference  you NEVER trust the user input  If you want to always impose a limit  you always must check its size  Don t trust what MAX FILE SIZE does  because it can be changed by a user  So  yes  you should check to make sure it s always up to or above the size you want it to be  The difference is that if you have imposed a MAX FILE SIZE of 2MB and the user tries to upload a 4MB file  once they reach roughly the first 2MB of upload  the transfer will terminate and the PHP will stop accepting more data for that file  It will report the error on the files array

User · Answer

There IS A POINT in introducing MAX FILE SIZE client side hidden form field   php ini can limit uploaded file size  So  while your script honors the limit imposed by php ini  different HTML forms can further limit an uploaded file size  So  when uploading video  form may limit  maximum size to 10MB  and while uploading photos  forms may put a limit of just 1mb  And at the same time  the maximum limit can be set in php ini to suppose 10mb to allow all this   Although this is not a fool proof way of telling the server what to do  yet it can be helpful    HTML does nt limit anything  It just forwards the server all form variable including MAX FILE SIZE and its value    Hope it helped someone

User · Answer

To anyone who had been wonderstruck about some files being easily uploaded and some not  it could be a size issue  I m sharing this as I was stuck with my PHP code not uploading large files and I kept assuming it wasn t uploading any Excel files  So  if you are using PHP and you want to increase the file upload limit  go to the php ini file and make the following modifications    upload max filesize   2M   to be changed to    upload max filesize   10M post max size   10M   or the size required  Then restart the Apache server and the upload will start magically working  Hope this will be of help to someone

User · Answer

Actually  it doesn t really work  You can find an explanation in one of the comments in the manual page  http   www php net manual en features file-upload php 74692  Answer to updated question  the obvious difference is that server-side checks are reliable  client-side checks are not

[php] HTML Upload MAX_FILE_SIZE does not appear to work

Examples related to php

Examples related to html

Examples related to file-upload