[RESOLVED] How do you handle the MAX_FILE_SIZE, if the client cheat it?

blackhorse

in the html form, we have MAX_FILE_SIZE set up. In php.ini, we also have the upload_max_filesize set up too.

For example, if our upload_max_filesize set up is 4 MB. But for most of the application, we set up MAX_FILE_SIZE as 2 MB. How do you prevent user change the MAX_FILE_SIZE to 4 MB, and uploate the file 4 MB big?

So additional php script may be needed here to check at the server site, if the uploaded file is bigger than 2 MB here (we will know it is due to the client cheat the html form value), we will remove the uploaded file.

Any one run into the same situations before, could you share your apporaches or your scripts to handle this?

Thanks!

jmack159

you can use this to check if the file is larger than 2 Mb.

if($_FILES['file']['size'] > 2000000) die('your file is too large to upload');

from the php site:

Fooling this setting [MAX_FILE_SIZE] on the browser side is quite easy, so never rely on files with a greater size being blocked by this feature.

but you should still use the form element. also take a look at this: $_FILES['file']['error']
hope this helps!

cgraz

$filesize = 4194300;

if( $_FILES['fieldname']['size'] > $filesize )
{
	// File is larger than 4MB
}
else
{
	// Filesize is 4MB or less. Continue
}

NogDog

jmack159 wrote:
...
Fooling this setting [MAX_FILE_SIZE] on the browser side is quite easy, so never rely on files with a greater size being blocked by this feature.
...

Note this paragraph from the above-referenced source, with my emphasis added:

The MAX_FILE_SIZE hidden field (measured in bytes) must precede the file input field, and its value is the maximum filesize accepted by PHP. Fooling this setting on the browser side is quite easy, so never rely on files with a greater size being blocked by this feature. The PHP settings for maximum-size, however, cannot be fooled. This form element should always be used as it saves users the trouble of waiting for a big file being transferred only to find that it was too big and the transfer failed.

Therefore your PHP upload_max_filesize setting will prevent uploads of larger than that size to successfully complete; the person bypassing the limit in your form just won't know this until that number of allowed bytes has actually been uploaded.

Weedpacket

Frankly I'm not sure I've come across a browser that's even heard of MAX_FILE_SIZE, let alone respects it.