| My head is spinning [message #169424] |
Sat, 11 September 2010 22:44  |
MikeB
Messages: 65
Registered: September 2010
Karma: 0
|
Member |
|
|
Please help me understand, my head is absolutely spinning and I can't
get my mind around this.
In the php.net site there is an example on uploading a file via a
form. http://www.php.net/manual/en/features.file-upload.post-method.php
This is the sample code for the form:
<form enctype="multipart/form-data" action="__URL__" method="POST">
<!-- MAX_FILE_SIZE must precede the file input field -->
<input type="hidden" name="MAX_FILE_SIZE" value="30000" />
<!-- Name of input element determines name in $_FILES array -->
Send this file: <input name="userfile" type="file" />
<input type="submit" value="Send File" />
</form>
Is MAX_FILE_SIZE passed to PHP as $MAX_FILE_SIZE?
Assuming I want to make it a variable in my PHP code, can I do this:
<?php
$MAX_FILE_SIZE = 30000;
echo <<<_END
<form enctype="multipart/form-data" action="__URL__" method="POST">
<!-- MAX_FILE_SIZE must precede the file input field -->
<input type="hidden" name="MAX_FILE_SIZE" />
<!-- Name of input element determines name in $_FILES array -->
Send this file: <input name="userfile" type="file" />
<input type="submit" value="Send File" />
</form>
<<<_END
<?
In other words, simply omitting the "value" clause in the form field?
And can I make that value a global constant somehow so that I can
later also test the actual size of the uploaded file in another
function?
Or do I have to do this:
<?php
$MAX_UPLOAD_SIZE = 30000;
echo <<<_END
<form enctype="multipart/form-data" action="__URL__" method="POST">
<!-- MAX_FILE_SIZE must precede the file input field -->
<input type="hidden" name="MAX_FILE_SIZE"
value="$MAX_UPLOAD_SIZE"/>
<!-- Name of input element determines name in $_FILES array -->
Send this file: <input name="userfile" type="file" />
<input type="submit" value="Send File" />
</form>
<<<_END
<?
I'm also concerned that in the first instance, a malicious user can
modify the value and I will be hosed. Am I correct?
Thanks.
|
|
|
|
| Re: My head is spinning [message #169425 is a reply to message #169424] |
Sun, 12 September 2010 00:52  |
The Natural Philosoph
Messages: 993
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
MikeB wrote:
> Please help me understand, my head is absolutely spinning and I can't
> get my mind around this.
>
> In the php.net site there is an example on uploading a file via a
> form. http://www.php.net/manual/en/features.file-upload.post-method.php
>
> This is the sample code for the form:
>
> <form enctype="multipart/form-data" action="__URL__" method="POST">
> <!-- MAX_FILE_SIZE must precede the file input field -->
> <input type="hidden" name="MAX_FILE_SIZE" value="30000" />
> <!-- Name of input element determines name in $_FILES array -->
> Send this file: <input name="userfile" type="file" />
> <input type="submit" value="Send File" />
> </form>
>
> Is MAX_FILE_SIZE passed to PHP as $MAX_FILE_SIZE?
>
No. Its either defined somewhere - php.ini, or is simpky a variable you
set yourself.
I know that the maximum size of file you can accept is defined in
php.ini though, but cant remember whether or not it sets a variable
with that name.
However if you set a form variable like that in a piece of HTML php will
receive that as $_POST['MAX_FILE_SIZE'] (or $_GET....)
> Assuming I want to make it a variable in my PHP code, can I do this:
>
> <?php
>
> $MAX_FILE_SIZE = 30000;
>
> echo <<<_END
> <form enctype="multipart/form-data" action="__URL__" method="POST">
> <!-- MAX_FILE_SIZE must precede the file input field -->
> <input type="hidden" name="MAX_FILE_SIZE" />
> <!-- Name of input element determines name in $_FILES array -->
> Send this file: <input name="userfile" type="file" />
> <input type="submit" value="Send File" />
> </form>
> <<<_END
> <?
>
> In other words, simply omitting the "value" clause in the form field?
>
> And can I make that value a global constant somehow so that I can
> later also test the actual size of the uploaded file in another
> function?
>
No. It doesn't work like that.
The size of the uploaded file is in the $_FILES[...array after uploading.
> Or do I have to do this:
>
> <?php
>
> $MAX_UPLOAD_SIZE = 30000;
>
> echo <<<_END
> <form enctype="multipart/form-data" action="__URL__" method="POST">
> <!-- MAX_FILE_SIZE must precede the file input field -->
> <input type="hidden" name="MAX_FILE_SIZE"
> value="$MAX_UPLOAD_SIZE"/>
> <!-- Name of input element determines name in $_FILES array -->
> Send this file: <input name="userfile" type="file" />
> <input type="submit" value="Send File" />
> </form>
> <<<_END
> <?
>
> I'm also concerned that in the first instance, a malicious user can
> modify the value and I will be hosed. Am I correct?
>
No.
I think you had better go read the documentation on file uploading.
The key elements of a file uplaod system are these..
<INPUT type="FILE" name="upload<?echo $file_id;?>"></div>
So here we define an HTML file upload box and give it the name ulopad0,
upload1 upload2 etc etc.
After the form is submitted, we can e.g. access the uploaded file this way
$index="upload".$file_id;
$filename=$_FILES[$index]["name"]; //orig filename
$tmpname=$_FILES[$index]["tmp_name"]; // the name of the temporary copy
of the file stored on the server
Its maximum size is set by the limits the PHP system has set in php.ini.
I am not sure its possible to stop someone sending a huge file, merely
to prevent php from accepting it.
I have to say I am not sure what you are trying to achieve here, so I
have stuck this lot up in the hope it at least gets you to ask the right
question.
> Thanks.
|
|
|
|
| Re: My head is spinning [message #169426 is a reply to message #169425] |
Sun, 12 September 2010 00:56 |
The Natural Philosoph
Messages: 993
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
The Natural Philosopher wrote:
> MikeB wrote:
>> Please help me understand, my head is absolutely spinning and I can't
>> get my mind around this.
>>
>> In the php.net site there is an example on uploading a file via a
>> form. http://www.php.net/manual/en/features.file-upload.post-method.php
>>
>> This is the sample code for the form:
>>
>> <form enctype="multipart/form-data" action="__URL__" method="POST">
>> <!-- MAX_FILE_SIZE must precede the file input field -->
>> <input type="hidden" name="MAX_FILE_SIZE" value="30000" />
>> <!-- Name of input element determines name in $_FILES array -->
>> Send this file: <input name="userfile" type="file" />
>> <input type="submit" value="Send File" />
>> </form>
>>
>> Is MAX_FILE_SIZE passed to PHP as $MAX_FILE_SIZE?
>>
>
> No. Its either defined somewhere - php.ini, or is simpky a variable you
> set yourself.
>
> I know that the maximum size of file you can accept is defined in
> php.ini though, but cant remember whether or not it sets a variable
> with that name.
>
> However if you set a form variable like that in a piece of HTML php will
> receive that as $_POST['MAX_FILE_SIZE'] (or $_GET....)
>
>
>> Assuming I want to make it a variable in my PHP code, can I do this:
>>
>> <?php
>>
>> $MAX_FILE_SIZE = 30000;
>>
>> echo <<<_END
>> <form enctype="multipart/form-data" action="__URL__" method="POST">
>> <!-- MAX_FILE_SIZE must precede the file input field -->
>> <input type="hidden" name="MAX_FILE_SIZE" />
>> <!-- Name of input element determines name in $_FILES array -->
>> Send this file: <input name="userfile" type="file" />
>> <input type="submit" value="Send File" />
>> </form>
>> <<<_END
>> <?
>>
>> In other words, simply omitting the "value" clause in the form field?
>>
>> And can I make that value a global constant somehow so that I can
>> later also test the actual size of the uploaded file in another
>> function?
>>
>
> No. It doesn't work like that.
>
> The size of the uploaded file is in the $_FILES[...array after uploading.
>
>> Or do I have to do this:
>>
>> <?php
>>
>> $MAX_UPLOAD_SIZE = 30000;
>>
>> echo <<<_END
>> <form enctype="multipart/form-data" action="__URL__" method="POST">
>> <!-- MAX_FILE_SIZE must precede the file input field -->
>> <input type="hidden" name="MAX_FILE_SIZE"
>> value="$MAX_UPLOAD_SIZE"/>
>> <!-- Name of input element determines name in $_FILES array -->
>> Send this file: <input name="userfile" type="file" />
>> <input type="submit" value="Send File" />
>> </form>
>> <<<_END
>> <?
>>
>> I'm also concerned that in the first instance, a malicious user can
>> modify the value and I will be hosed. Am I correct?
>>
> No.
> I think you had better go read the documentation on file uploading.
>
>
> The key elements of a file uplaod system are these..
>
> <INPUT type="FILE" name="upload<?echo $file_id;?>"></div>
>
> So here we define an HTML file upload box and give it the name ulopad0,
> upload1 upload2 etc etc.
>
> After the form is submitted, we can e.g. access the uploaded file this way
>
> $index="upload".$file_id;
> $filename=$_FILES[$index]["name"]; //orig filename
> $tmpname=$_FILES[$index]["tmp_name"]; // the name of the temporary copy
> of the file stored on the server
>
> Its maximum size is set by the limits the PHP system has set in php.ini.
> I am not sure its possible to stop someone sending a huge file, merely
> to prevent php from accepting it.
>
> I have to say I am not sure what you are trying to achieve here, so I
> have stuck this lot up in the hope it at least gets you to ask the right
> question.
>
>
apologies for typos in the above post. Too late, too much C2H50H.
>
>
>
>> Thanks.
|
|
|
|
| Re: My head is spinning [message #169427 is a reply to message #169424] |
Sun, 12 September 2010 02:11 |
Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
On 9/11/2010 6:44 PM, MikeB wrote:
> Please help me understand, my head is absolutely spinning and I can't
> get my mind around this.
>
> In the php.net site there is an example on uploading a file via a
> form. http://www.php.net/manual/en/features.file-upload.post-method.php
>
> This is the sample code for the form:
>
> <form enctype="multipart/form-data" action="__URL__" method="POST">
> <!-- MAX_FILE_SIZE must precede the file input field -->
> <input type="hidden" name="MAX_FILE_SIZE" value="30000" />
> <!-- Name of input element determines name in $_FILES array -->
> Send this file:<input name="userfile" type="file" />
> <input type="submit" value="Send File" />
> </form>
>
> Is MAX_FILE_SIZE passed to PHP as $MAX_FILE_SIZE?
>
> Assuming I want to make it a variable in my PHP code, can I do this:
>
> <?php
>
> $MAX_FILE_SIZE = 30000;
>
> echo<<<_END
> <form enctype="multipart/form-data" action="__URL__" method="POST">
> <!-- MAX_FILE_SIZE must precede the file input field -->
> <input type="hidden" name="MAX_FILE_SIZE" />
> <!-- Name of input element determines name in $_FILES array -->
> Send this file:<input name="userfile" type="file" />
> <input type="submit" value="Send File" />
> </form>
> <<<_END
> <?
>
> In other words, simply omitting the "value" clause in the form field?
>
> And can I make that value a global constant somehow so that I can
> later also test the actual size of the uploaded file in another
> function?
>
> Or do I have to do this:
>
> <?php
>
> $MAX_UPLOAD_SIZE = 30000;
>
> echo<<<_END
> <form enctype="multipart/form-data" action="__URL__" method="POST">
> <!-- MAX_FILE_SIZE must precede the file input field -->
> <input type="hidden" name="MAX_FILE_SIZE"
> value="$MAX_UPLOAD_SIZE"/>
> <!-- Name of input element determines name in $_FILES array -->
> Send this file:<input name="userfile" type="file" />
> <input type="submit" value="Send File" />
> </form>
> <<<_END
> <?
>
> I'm also concerned that in the first instance, a malicious user can
> modify the value and I will be hosed. Am I correct?
>
> Thanks.
You can define it in your code anywhere you want. It is sent to the
browser, and most browsers will honor it. However, like anything coming
from the client, you shouldn't trust it. As you mentioned, a user could
change it, and there is no real requirement that a browser honor it
(although the ones I am familiar with do).
Yes, it will be sent back to your script in the $_POST array, but if
it's changed, you'll get the changed value. Better is to remember what
you set server side - it's not that hard. Just save the value in your
own configuration file somewhere (you should have one anyway, with
things like the database information if you're using a database, etc.).
If you have different types of files which could be uploaded, just
have several constants, i.e.
define('MAX_AVATAR_SIZE', '20000');
define('MAX_OTHER_FILE_SIZE', '50000');
You should know when you're handling the upload which type of file it is.
It's also easier if the same script which creates the form is the one
which processes it. That way you can set the appropriate value in the
script, and if there's a problem with the upload, redisplay the form.
If everything goes OK, just process the input then redirect to a new
page with header('Location: .....');
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
|
|
|
|
| Re: My head is spinning [message #169428 is a reply to message #169424] |
Sun, 12 September 2010 02:21 |
Norman Peelman
Messages: 126
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
MikeB wrote:
> Please help me understand, my head is absolutely spinning and I can't
> get my mind around this.
>
> In the php.net site there is an example on uploading a file via a
> form. http://www.php.net/manual/en/features.file-upload.post-method.php
>
> This is the sample code for the form:
>
> <form enctype="multipart/form-data" action="__URL__" method="POST">
> <!-- MAX_FILE_SIZE must precede the file input field -->
> <input type="hidden" name="MAX_FILE_SIZE" value="30000" />
> <!-- Name of input element determines name in $_FILES array -->
> Send this file: <input name="userfile" type="file" />
> <input type="submit" value="Send File" />
> </form>
>
> Is MAX_FILE_SIZE passed to PHP as $MAX_FILE_SIZE?
>
> Assuming I want to make it a variable in my PHP code, can I do this:
>
> <?php
>
> $MAX_FILE_SIZE = 30000;
>
> echo <<<_END
> <form enctype="multipart/form-data" action="__URL__" method="POST">
> <!-- MAX_FILE_SIZE must precede the file input field -->
> <input type="hidden" name="MAX_FILE_SIZE" />
> <!-- Name of input element determines name in $_FILES array -->
> Send this file: <input name="userfile" type="file" />
> <input type="submit" value="Send File" />
> </form>
> <<<_END
> <?
>
> In other words, simply omitting the "value" clause in the form field?
>
> And can I make that value a global constant somehow so that I can
> later also test the actual size of the uploaded file in another
> function?
>
> Or do I have to do this:
>
> <?php
>
> $MAX_UPLOAD_SIZE = 30000;
>
> echo <<<_END
> <form enctype="multipart/form-data" action="__URL__" method="POST">
> <!-- MAX_FILE_SIZE must precede the file input field -->
> <input type="hidden" name="MAX_FILE_SIZE"
> value="$MAX_UPLOAD_SIZE"/>
> <!-- Name of input element determines name in $_FILES array -->
> Send this file: <input name="userfile" type="file" />
> <input type="submit" value="Send File" />
> </form>
> <<<_END
> <?
>
> I'm also concerned that in the first instance, a malicious user can
> modify the value and I will be hosed. Am I correct?
>
> Thanks.
<input type="hidden" name="MAX_FILE_SIZE" value="30000" />
has nothing to do with PHP... This is a directive for the browser to not
process a file over that limit. It's not 100% reliable but seems to be
needed for the browser to process the upload.
PHP, on the other hand has setting(s) (php.ini) that control the
server side of things (for PHP). Among them are PHP memory allowance and
upload size. Many can be set per instance (site, virtualhost).
Take a look at:
http://php.net/manual/en/ini.list.php
&
http://www.php.net/manual/en/ini.core.php#ini.file-uploads
&
http://www.php.net/manual/en/ini.core.php#ini.memory-limit
&
http://www.php.net/manual/en/ini.core.php#ini.post-max-size
--
Norman
Registered Linux user #461062
-Have you been to www.php.net yet?-
|
|
|
|
Calendar
Search
Help
Members
Register
Login
Home
]