From the research I've done, I can find no REAL support for this at all.

I think it would be extremely useful if there was some real proof that MAX_FILE_SIZE affected the browser at all. I don't think it does. My IE7 and FF2 on WinXPSP2 completely ignore it.

RFC1867 has been superseded by RFC2388 via RFC2854. 5.7 Correlating form data with the original form says ...

"Alternatively, data about the form might be encoded in a "hidden field" (a field which is part of the form but which has a fixed value to be transmitted back to the form-data processor.)"

But this is still not anything to do with MAX_FILE_SIZE.

And whilst php-src/main/rfc1867.c does support this field, it is not being processed at the client end. Using Wireshark to watch the conversation between the browser and the server (IE7/FF2 and Sambar Server running PHP5.2.2-dev ISAPI), the file whose size exceeds the MAX_FILE_SIZE is fully transmitted and then a response is generated.

Unless there is some proof that this setting is handled by the client, it should be removed.

Richard.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: 23 March 2007 17:38
To: phpdoc@lists.php.net
Subject: [PHP-DOC] #40387 [Opn->Csd]: MAX_FILE_SIZE erroneous.

 ID: 40387
 Updated by: [EMAIL PROTECTED]
 Reported By: jon at hackcraft dot net
-Status: Open
+Status: Closed
 Bug Type: Documentation problem
 PHP Version: Irrelevant
 New Comment:

This bug has been fixed in the documentation's XML sources. Since the online and downloadable versions of the documentation need some time to get updated, we would like to ask you to be a bit patient.

Thank you for the report, and for helping us make our documentation better.

"This is an advisory to the browser" deleted.

Previous Comments:
------------------------------------------------------------------------

[2007-02-07 14:56:45] jon at hackcraft dot net

Description:
------------
At http://www.php.net/manual/en/features.file-upload.php#features.file-upload.post-method and equivalent locations in other formats, it is stated that browsers take the value of a MAX_FILE_SIZE form field into account.

This information is repeated elsewhere on the web and in books, but appears to originate from the PHP documentation (it does not appear in terms of other server-side technologies).

There is nothing in any of the HTML, HTTP or related specs to indicate that this is the case (in particular RFC 1867 which introduced file uploads to HTML doesn't mention it, so it isn't even a case of a kludge that was mentioned in the first RFC and then dropped) nor does it make sense in the context of the HTML specs (there is nothing to indicate any relationship between that particular hidden input and the file input). The only statements about hidden fields I could find in any of them were warnings in the security considerations sections against user-agents basing any file-related operations on anything mentioned in a hidden field.

No browsers appear to perform this as an "extension". Indeed given that there are potentially other possible meanings for a hidden field with that name in an application handling several file uploads, it would have to be considered a design flaw if any did.

I submit that there is no such mechanism in mainstream browsers (if any at all) and indeed shouldn't be. Reference to it should be dropped from documentation. I'd further suggest that since this idea has propagated from this documentation elsewhere that a note about it not working should be added.

If a mechanism is required or desired for more rapidly handling this sort of file handling issue then it requires functionality to allow PHP to intercept streams being uploaded before request completion, which would be completely different to how this documentation suggests it should be dealt with, even if it was true.

------------------------------------------------------------------------

-- 
Edit this bug report at http://bugs.php.net/?id=40387&edit=1
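
An added example, not part of the thread or of the PHP documentation: because the thread finds that the browser ignores the hidden MAX_FILE_SIZE field and sends the whole file, the size limit has to be enforced by the handler itself. The field name `userfile`, the constant `MAX_UPLOAD_BYTES` and the helper `check_upload()` are assumptions made for illustration, and the type hints assume PHP 7.1 or later.

```php
<?php
// Added example: server-side size enforcement for a PHP upload handler.
const MAX_UPLOAD_BYTES = 30000; // assumed application limit, held on the server

// Validate one $_FILES entry; returns null on success or an error string.
function check_upload(array $file, int $limit = MAX_UPLOAD_BYTES): ?string
{
    // An array here means the client sent userfile[] style input; reject it.
    if (!isset($file['error']) || is_array($file['error'])) {
        return 'malformed upload parameters';
    }
    switch ($file['error']) {
        case UPLOAD_ERR_OK:
            break;
        case UPLOAD_ERR_INI_SIZE:  // larger than upload_max_filesize in php.ini
            return 'file exceeds server limit';
        case UPLOAD_ERR_FORM_SIZE: // larger than the MAX_FILE_SIZE form field,
            return 'file exceeds form limit'; // as checked by PHP on the server
        case UPLOAD_ERR_NO_FILE:
            return 'no file sent';
        default:
            return 'upload failed';
    }
    // The hidden field arrives from the client and can be changed or omitted,
    // so measure the stored temporary file against the server-side limit.
    if (!is_uploaded_file($file['tmp_name'])) {
        return 'not an uploaded file';
    }
    $size = filesize($file['tmp_name']);
    if ($size === false || $size > $limit) {
        return 'file exceeds application limit';
    }
    return null;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && isset($_FILES['userfile'])) {
    $error = check_upload($_FILES['userfile']);
    if ($error !== null) {
        http_response_code($error === 'no file sent' ? 400 : 413);
        exit($error);
    }
    // Only now is it safe to call move_uploaded_file() on tmp_name.
    echo 'accepted';
}
```

The check reads the size from the temporary file rather than from `$file['size']` or the form field, so the decision does not depend on anything the client declared.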