Re: [PHP] MAX_FILE_SIZE not working with file uploads
Thank you, all who replied. This helps me understand. I might give a try to the workarounds some suggested. Great newsgroup. Jeff -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] MAX_FILE_SIZE not working with file uploads
Chris wrote: [error] = 2 And also gives you an error code. Yes, I know and knew that. That's why the upload ultimately fails (which is okay). My point is that when a file's size exceeds the MAX_FILE_SIZE value, I want the browser to (a) detect that it's too large BEFORE attempting to upload it and (b) report the file size back to the user. That's what's not happening. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] MAX_FILE_SIZE not working with file uploads
-Original Message- From: Jeff Cohan [mailto:[EMAIL PROTECTED] Sent: 23 September 2007 00:02 To: php-general@lists.php.net Subject: Re: [PHP] MAX_FILE_SIZE not working with file uploads Chris wrote: [error] = 2 And also gives you an error code. Yes, I know and knew that. That's why the upload ultimately fails (which is okay). My point is that when a file's size exceeds the MAX_FILE_SIZE value, I want the browser to (a) detect that it's too large BEFORE attempting to upload I might be wrong but this would be classed as 'exploitable'... Webservers should not be allowed to read from or write to clients... Of course there is ActiveX... Dan -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] MAX_FILE_SIZE not working with file uploads
Dan Parry wrote: I might be wrong but this would be classed as 'exploitable'... Webservers should not be allowed to read from or write to clients... Of course there is ActiveX... I think we're off the point. My script is simply interrogating the value of the $_FILES[userfile][size] array element. It's coming up as ZERO if it exceeds the MAX_FILE_SIZE. That seems odd to me. But maybe that's the way it's SUPPOSED to work. That's why I started this thread out with What am I missing?. Said another way: It seems that the server had to know the size of the file in order to know it exceeded MAX_FILE_SIZE. So how can my script find out the size? -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] MAX_FILE_SIZE not working with file uploads
-Original Message- From: Jeff Cohan [mailto:[EMAIL PROTECTED] Sent: 23 September 2007 02:45 To: php-general@lists.php.net Subject: Re: [PHP] MAX_FILE_SIZE not working with file uploads Dan Parry wrote: I might be wrong but this would be classed as 'exploitable'... Webservers should not be allowed to read from or write to clients... Of course there is ActiveX... I think we're off the point. My script is simply interrogating the value of the $_FILES[userfile][size] array element. It's coming up as ZERO if it exceeds the MAX_FILE_SIZE. That seems odd to me. But maybe that's the way it's SUPPOSED to work. That's why I started this thread out with What am I missing?. Said another way: It seems that the server had to know the size of the file in order to know it exceeded MAX_FILE_SIZE. So how can my script find out the size? I'm not sure it can... The server has to accept the file before it can process any details on it The MAX_FILE_SIZE input field is notoriously unreliable... I think if it returns zero (0) then the PHP limit is reached Dan -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] MAX_FILE_SIZE not working with file uploads
On Saturday 22 September 2007 7:44:55 pm Jeff Cohan wrote: Dan Parry wrote: I might be wrong but this would be classed as 'exploitable'... Webservers should not be allowed to read from or write to clients... Of course there is ActiveX... I think we're off the point. My script is simply interrogating the value of the $_FILES[userfile][size] array element. It's coming up as ZERO if it exceeds the MAX_FILE_SIZE. Exactly, no valid file was uploaded. The size of the valid file is therefore zero. That seems odd to me. But maybe that's the way it's SUPPOSED to work. That's why I started this thread out with What am I missing?. Said another way: It seems that the server had to know the size of the file in order to know it exceeded MAX_FILE_SIZE. So how can my script find out the size? Can you use Javascript to check file size client side, send data via AJAX then issue warnings? (Remember the php mantra: PHP is a server side language ) As noted in the php.net documentation you quoted, and as mentioned previously, MAX_FILE_SIZE is a _hint_ to the browser. some browsers just don't take hints. Ray -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] MAX_FILE_SIZE not working with file uploads
-Original Message- From: Ray [mailto:[EMAIL PROTECTED] Sent: 23 September 2007 02:25 To: php-general@lists.php.net Subject: Re: [PHP] MAX_FILE_SIZE not working with file uploads On Saturday 22 September 2007 7:44:55 pm Jeff Cohan wrote: Dan Parry wrote: I might be wrong but this would be classed as 'exploitable'... Webservers should not be allowed to read from or write to clients... Of course there is ActiveX... I think we're off the point. My script is simply interrogating the value of the $_FILES[userfile][size] array element. It's coming up as ZERO if it exceeds the MAX_FILE_SIZE. Exactly, no valid file was uploaded. The size of the valid file is therefore zero. That seems odd to me. But maybe that's the way it's SUPPOSED to work. That's why I started this thread out with What am I missing?. Said another way: It seems that the server had to know the size of the file in order to know it exceeded MAX_FILE_SIZE. So how can my script find out the size? Can you use Javascript to check file size client side, send data via AJAX then issue warnings This would be the exploitable 'feature' I mentioned... Client-side files should never be readable Dan -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] MAX_FILE_SIZE not working with file uploads
On Saturday 22 September 2007 7:39:01 pm Dan Parry wrote:
-Original Message-
From: Ray [mailto:[EMAIL PROTECTED]
Sent: 23 September 2007 02:25
To: php-general@lists.php.net
Subject: Re: [PHP] MAX_FILE_SIZE not working with file uploads
On Saturday 22 September 2007 7:44:55 pm Jeff Cohan wrote:
Dan Parry wrote:
I might be wrong but this would be classed as
'exploitable'... Webservers should not be allowed
to read from or write to clients... Of course there
is ActiveX...
I think we're off the point.
My script is simply interrogating the value of the
$_FILES[userfile][size] array element. It's coming up as ZERO if it
exceeds the MAX_FILE_SIZE.
Exactly, no valid file was uploaded. The size of the valid file is
therefore
zero.
That seems odd to me.
But maybe that's
the way it's SUPPOSED to work. That's why I started this thread out
with What am I missing?.
Said another way:
It seems that the server had to know the size of the file in order
to know it exceeded MAX_FILE_SIZE. So how can my script find out the
size?
Can you use Javascript to check file size client side, send data via
AJAX then
issue warnings
This would be the exploitable 'feature' I mentioned... Client-side files
should never be readable
Dan
If the contents of a file were readable, I would definitely agree with you.
I'm not convinced that the ability to detect the filesize of a file that the
user selected would be exploitable, but it's a moot point as it doesn't work
in javascript. (as someone else pointed out, maybe activeX?)
I'm not a javaScript expert, but I am learning, so I dug out the book, and put
together the following script. (Ugly, insecure, and doesn't really do
anything, but quick and It works, at least on my machine/browser combo)
Select a file, and the page will tell you everything It can about the file. My
machine reports size as zero.
Ray
(Script guaranteed to occupy 0 or more bites of diskspace.)
html
headTITLEtest/TITLE
script type=text/javascript
function uptest()
{
alert (document.test.fileTest.defaultValue);
alert (document.test.fileTest.form);
alert (document.test.fileTest.name);
alert (document.test.fileTest.readOnly);
alert ('size follows');
alert (document.test.fileTest.size);
alert (document.test.fileTest.type);
alert (document.test.fileTest.value);
}
/script
/head
body
form name=test method=post
File: input type=file onchange=uptest() name=fileTest/
/form
/body
/html
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] MAX_FILE_SIZE not working with file uploads
Jeff Cohan wrote: Dan Parry wrote: I might be wrong but this would be classed as 'exploitable'... Webservers should not be allowed to read from or write to clients... Of course there is ActiveX... I think we're off the point. My script is simply interrogating the value of the $_FILES[userfile][size] array element. It's coming up as ZERO if it exceeds the MAX_FILE_SIZE. That seems odd to me. But maybe that's the way it's SUPPOSED to work. That's why I started this thread out with What am I missing?. Said another way: It seems that the server had to know the size of the file in order to know it exceeded MAX_FILE_SIZE. So how can my script find out the size? OK, not sure why anybody has pointed this out, but... A signed Javascript session is allowed to access the local file system through the browser. But an un-signed JS process/session is not. Now, the reason that PHP can't do anything about the file upload while in process, is that PHP doesn't know anything about the file upload until Apache/IIS/... hands off the uploaded file to PHP. Apache is actually the part receiving the uploaded file. Once it is completely uploaded, the web server passes the temporary file name to php and then php gets what information about it it can. Try trapping the error. You will probably want to try with a setting in the php.ini or a .htaccess file that will change your error_handler function to some custom function that you can then use to allow the script to continue running, but capture and pass off information to the rest of your scripts. Then see if in the $_FILES array you find a temp file name. before your script ends, you might be able to look at the stats of that temp file and gleam some of the information that you are wanting to know from it. Remember, when uploading a file, your scripts are only parsed before the upload actually starts. Once your upload completes, successfully, will it then execute your php scripts. From what research and testing that I have done, this is the way PHP handles uploads. This was on a Redhat/Apache/PHP4 setup. back about 6 years ago. Hope it is still accurate. Jim -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] MAX_FILE_SIZE not working with file uploads
Ray wrote: On Saturday 22 September 2007 7:39:01 pm Dan Parry wrote: This would be the exploitable 'feature' I mentioned... Client-side files should never be readable Dan If the contents of a file were readable, I would definitely agree with you. I'm not convinced that the ability to detect the filesize of a file that the user selected would be exploitable, but it's a moot point as it doesn't work in javascript. (as someone else pointed out, maybe activeX?) If Javascript can read the *directory* (and, thus, the size of the file) i'd be a bit nervous about that. I'm not a javaScript expert, but I am learning, so I dug out the book, and put together the following script. (Ugly, insecure, and doesn't really do anything, but quick and It works, at least on my machine/browser combo) Select a file, and the page will tell you everything It can about the file. My machine reports size as zero. Wouldn't that suggest that it's not working, then? ;-) Anyway, your script is interrogating the file *input element*, not the file, itself. Where you're trying to get the file size (document.test.fileTest.size) you're actually grabbing the value of the input's size attribute, which has a default of 0. You'll see this if you edit the input to have, eg. size=100 brian -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] MAX_FILE_SIZE not working with file uploads
Jeff Cohan wrote: Dan Parry wrote: I might be wrong but this would be classed as 'exploitable'... Webservers should not be allowed to read from or write to clients... Of course there is ActiveX... I think we're off the point. My script is simply interrogating the value of the $_FILES[userfile][size] array element. It's coming up as ZERO if it exceeds the MAX_FILE_SIZE. That seems odd to me. But maybe that's the way it's SUPPOSED to work. That's why I started this thread out with What am I missing?. Said another way: It seems that the server had to know the size of the file in order to know it exceeded MAX_FILE_SIZE. So how can my script find out the size? Not at all. The user-agent is built to ignore files that exceed the MAX_FILE_SIZE value. The hooks into the OS that it utilises to send the file to the server also allow it to poll the file size (if it couldn't, things would get messy on the server, quick). But Javascript is a whole 'nother thing, and it is not (normally--see Jim Lucas' post) able to get this information (thankfully). So, your PHP script is not receiving a file at all. brian -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] MAX_FILE_SIZE not working with file uploads
brian wrote: Jeff Cohan wrote: It seems that the server had to know the size of the file in order to know it exceeded MAX_FILE_SIZE. So how can my script find out the size? Not at all. The user-agent is built to ignore files that exceed the MAX_FILE_SIZE value. Ack! I meant, The user-agent *should be* built to ignore ... ie. MAX_FILE_SIZE is generally a client-side tool (and thus not to be relied upon too much) but will be honoured by PHP as well (if it does not exceed post_max_size in php.ini). brian -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] MAX_FILE_SIZE not working with file uploads
The punchline question is: What am I missing? Now for the details. I have a form through which a user uploads image files. In the event the chosen file exceeds the MAX_FILE_SIZE (which I have included as a hidden form field immediately after the form tag), I want to abort the upload process and display an appropriate error message to the user, including the size of the file s/he attempted to upload. But that doesn't seem to be working. Instead, the computer chugs along and then properly refuses to perform the upload, but not immediately. And here is the dump of the $_FILES array (which, notably, reports zero as the size): [code] Array ( [userfile] = Array ( [name] = beach_iStock_00112348_L2.jpg [type] = [tmp_name] = [error] = 2 [size] = 0 ) ) [/code] The file (about 1.2MB) DOES upload when I increase the MAX_FILE_SIZE value to 200. This, from PHP.net: [quote] The MAX_FILE_SIZE hidden field (measured in bytes) must precede the file input field, and its value is the maximum filesize accepted by PHP. Fooling this setting on the browser side is quite easy, so never rely on files with a greater size being blocked by this feature. The PHP settings for maximum-size, however, cannot be fooled. This form element should always be used as it saves users the trouble of waiting for a big file being transferred only to find that it was too big and the transfer failed. [/quote] Here is the form code: [code] form action=__URL__?action=sent method=post enctype=multipart/form-data name=upload id=upload input type=hidden name=MAX_FILE_SIZE value=1024000 Filename on your PC: input name=userfile type=file size=45 Please click ONCE and be patient: input name=Submit type=submit id=Submit value=Upload File /form [/code] Pertinent php.ini settings: version = 4.3.10 file_uploads = on upload_max_filesize = 2M post_max_size = 8M Any guidance would be appreciated. Jeff -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] MAX_FILE_SIZE not working with file uploads
In the _ More photos; more messages; more whatever – Get MORE with Windows Live™ Hotmail®. NOW with 5GB storage. http://imagine-windowslive.com/hotmail/?locale=en-usocid=TXT_TAGHM_migration_HM_mini_5G_0907 -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] MAX_FILE_SIZE not working with file uploads
In the To: php-general@lists.php.net Date: Thu, 20 Sep 2007 14:45:36 -0500 From: [EMAIL PROTECTED] Subject: [PHP] MAX_FILE_SIZE not working with file uploads The punchline question is: What am I missing? Now for the details. I have a form through which a user uploads image files. In the event the chosen file exceeds the MAX_FILE_SIZE (which I have included as a hidden form field immediately after the form tag), I want to abort the upload process and display an appropriate error message to the user, including the size of the file s/he attempted to upload. But that doesn't seem to be working. Instead, the computer chugs along and then properly refuses to perform the upload, but not immediately. And here is the dump of the $_FILES array (which, notably, reports zero as the size): [code] Array ( [userfile] = Array ( [name] = beach_iStock_00112348_L2.jpg [type] = [tmp_name] = [error] = 2 [size] = 0 ) ) [/code] The file (about 1.2MB) DOES upload when I increase the MAX_FILE_SIZE value to 200. This, from PHP.net: [quote] The MAX_FILE_SIZE hidden field (measured in bytes) must precede the file input field, and its value is the maximum filesize accepted by PHP. Fooling this setting on the browser side is quite easy, so never rely on files with a greater size being blocked by this feature. The PHP settings for maximum-size, however, cannot be fooled. This form element should always be used as it saves users the trouble of waiting for a big file being transferred only to find that it was too big and the transfer failed. [/quote] Here is the form code: [code] enctype=multipart/form-data name=upload id=upload Filename on your PC: Please click ONCE and be patient: [/code] Pertinent php.ini settings: version = 4.3.10 file_uploads = on upload_max_filesize = 2M post_max_size = 8M Any guidance would be appreciated. Jeff -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php _ Can you find the hidden words? Take a break and play Seekadoo! http://club.live.com/seekadoo.aspx?icid=seek_wlmailtextlink -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] MAX_FILE_SIZE not working with file uploads
Max file size is a hint to the browser and not all support it...you can't count on it bastien To: php-general@lists.php.net Date: Thu, 20 Sep 2007 14:45:36 -0500 From: [EMAIL PROTECTED] Subject: [PHP] MAX_FILE_SIZE not working with file uploads The punchline question is: What am I missing? Now for the details. I have a form through which a user uploads image files. In the event the chosen file exceeds the MAX_FILE_SIZE (which I have included as a hidden form field immediately after the form tag), I want to abort the upload process and display an appropriate error message to the user, including the size of the file s/he attempted to upload. But that doesn't seem to be working. Instead, the computer chugs along and then properly refuses to perform the upload, but not immediately. And here is the dump of the $_FILES array (which, notably, reports zero as the size): [code] Array ( [userfile] = Array ( [name] = beach_iStock_00112348_L2.jpg [type] = [tmp_name] = [error] = 2 [size] = 0 ) ) [/code] The file (about 1.2MB) DOES upload when I increase the MAX_FILE_SIZE value to 200. This, from PHP.net: [quote] The MAX_FILE_SIZE hidden field (measured in bytes) must precede the file input field, and its value is the maximum filesize accepted by PHP. Fooling this setting on the browser side is quite easy, so never rely on files with a greater size being blocked by this feature. The PHP settings for maximum-size, however, cannot be fooled. This form element should always be used as it saves users the trouble of waiting for a big file being transferred only to find that it was too big and the transfer failed. [/quote] Here is the form code: [code] form action=__URL__?action=sent method=post enctype=multipart/form-data name=upload id=upload input type=hidden name=MAX_FILE_SIZE value=1024000 Filename on your PC: input name=userfile type=file size=45 Please click ONCE and be patient: input name=Submit type=submit id=Submit value=Upload File /form [/code]Pertinent php.ini settings: version = 4.3.10 file_uploads = on upload_max_filesize = 2M post_max_size = 8M Any guidance would be appreciated. Jeff -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php _ Explore the seven wonders of the world http://search.msn.com/results.aspx?q=7+wonders+worldmkt=en-USform=QBRE
Re: [PHP] MAX_FILE_SIZE not working with file uploads
And here is the dump of the $_FILES array (which, notably, reports zero as the size): snip [error] = 2 And also gives you an error code. http://www.php.net/manual/en/features.file-upload.errors.php -- Postgresql php tutorials http://www.designmagick.com/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
