Doc Bug #20570 description of MAX_FILE_SIZE should be clear
Submitted: 2002-11-22 08:38 UTC Modified: 2004-04-03 10:28 UTC
Votes:3
Avg. Score:3.3 ± 1.7
Reproduced:1 of 2 (50.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: Xuefer at 21cn dot com Assigned: nlopess (profile)
Status: Closed Package: Documentation problem
PHP Version: 4.3.0 OS: independency
Private report: No CVE-ID: None
 [2002-11-22 08:38 UTC] Xuefer at 21cn dot com
[quote from php manual
 main>>feature>>handling file uploads]

The MAX_FILE_SIZE hidden field must precede the file input field and its value is the maximum filesize accepted. The value is in bytes. 

[warning]
warning: The MAX_FILE_SIZE is advisory to the browser. It is easy to circumvent this maximum. So don't count on it that the browser obeys your wish! The PHP-settings for maximum-size, however, cannot be fooled.  
[/warning]
[/quote]
it doesn't tell how php checks the size
1 year ago I read it for the 1st time, and re-read it today, finally getting what it means

the document should tell more to programmers:
----------
1. the user's file size is checked at the beginning of the transfer, before the upload is done
2. hard limit: the file size is checked against "PHP-settings for maximum-size"; files which are larger will be refused
3. then, soft limit: it is checked against "MAX_FILE_SIZE" if there is one hidden value before the file input field
4. when the transfer is done, the php-script is active and manages to store the uploaded file; however, the value of MAX_FILE_SIZE is easy to circumvent and cannot be trusted, so your php-script should re-check the uploaded file size as you wish.
FAQ: you said MAX_FILE_SIZE is untrustworthy, so why should we make use of it? why not use only the php-script to check the filesize?
answer: in current php, during the handling of an uploaded file, the script is not active and thus cannot check the filesize until the transfer of the uploaded file is done. MAX_FILE_SIZE gives the ability to soft limit the filesize before the user has to wait too long.
----------

this is what i comprehend :)
yes, it's too long, hope you guys can refine it and put it into the new version of the php manual

 [2003-01-25 13:18 UTC] hholzgra@php.net
there is no step 3, php itself does not check MAX_FILE_SIZE
(unless your script does)

will add the "user won't have to wait too long" part
 [2003-01-25 20:04 UTC] Xuefer at 21cn dot com
sorry, there is step 3, php itself does check MAX_FILE_SIZE

if MAX_FILE_SIZE is for the script and not for php itself, it shouldn't be mentioned by the document

look at this code:
  safe_php_register_variable(param, value, array_ptr, 0 TSRMLS_CC);
  if (!strcmp(param, "MAX_FILE_SIZE")) {
    max_file_size = atol(value);
  }
==========
  else if (max_file_size && (total_bytes > max_file_size)) {
    sapi_module.sapi_error(E_WARNING, "MAX_FILE_SIZE of %ld bytes exceeded - file [%s=%s] not saved", max_file_size, param, filename);
    cancel_upload = UPLOAD_ERROR_B;
  } else if
...........
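
Added example (not part of the original report and not PHP's own code): how a script can tell apart the limits discussed in this thread and still apply its own check. When the MAX_FILE_SIZE check quoted above cancels an upload, the script sees UPLOAD_ERR_FORM_SIZE in the `error` key of the $_FILES entry; `classify_upload()`, the byte limits and the sample entries are constructed for illustration.

```php
<?php
// Added example: classify_upload() is a hypothetical helper, not PHP's own code.
// $f is one $_FILES entry; $appLimit is the script's own limit in bytes.
function classify_upload(array $f, int $appLimit): string
{
    switch ($f['error']) {
        case UPLOAD_ERR_OK:
            break;
        case UPLOAD_ERR_INI_SIZE:  // hard limit: upload_max_filesize in php.ini
            return 'rejected by PHP: over upload_max_filesize';
        case UPLOAD_ERR_FORM_SIZE: // soft limit: MAX_FILE_SIZE sent with the form
            return 'rejected by PHP: over MAX_FILE_SIZE';
        default:
            return 'rejected by PHP: upload error ' . $f['error'];
    }
    // The client controls MAX_FILE_SIZE (and can omit it), so measure the
    // stored file instead of trusting the field or the reported 'size'.
    // A real handler also calls is_uploaded_file($f['tmp_name']) first; it is
    // left out here so the constructed samples run from the CLI.
    $actual = @filesize($f['tmp_name']);
    if ($actual === false || $actual > $appLimit) {
        return 'rejected by script: over ' . $appLimit . ' bytes';
    }
    return 'accepted';
}

// Constructed samples (not real uploads): a 2048-byte file standing in for tmp_name.
$tmp = tempnam(sys_get_temp_dir(), 'upl');
file_put_contents($tmp, str_repeat('A', 2048));
$samples = [
    'within script limit'          => [['error' => UPLOAD_ERR_OK, 'tmp_name' => $tmp, 'size' => 2048], 4096],
    'client ignored MAX_FILE_SIZE' => [['error' => UPLOAD_ERR_OK, 'tmp_name' => $tmp, 'size' => 2048], 1024],
    'PHP enforced MAX_FILE_SIZE'   => [['error' => UPLOAD_ERR_FORM_SIZE, 'tmp_name' => '', 'size' => 0], 1024],
];
foreach ($samples as $label => [$entry, $limit]) {
    printf("%-30s %s\n", $label . ':', classify_upload($entry, $limit));
}
unlink($tmp);
```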
 [2003-01-25 21:51 UTC] philip@php.net
Still open, more information is needed in these docs regarding all of this.
 [2004-02-29 06:13 UTC] nlopess@php.net
I'll take care of this
 [2004-04-03 10:28 UTC] nlopess@php.net
This bug has been fixed in the documentation's XML sources. Since the
online and downloadable versions of the documentation need some time
to get updated, we would like to ask you to be a bit patient.

Thank you for the report, and for helping us make our documentation better.

I've read all the docs and sources and updated the docs.
I think now everything is clear enough.
 