Doc Bug #50684 max_file_uploads can't be changed from .htaccess (or ini_set)
Submitted: 2010-01-07 08:33 UTC
Modified: 2012-02-17 17:49 UTC
From: john dot peterson10 at gmail dot com
Assigned: aharvey
Status: Closed
Package: Documentation problem
PHP Version: 5.2.12
OS: Windows
Private report: No
CVE-ID:
 [2010-01-07 08:33 UTC] john dot peterson10 at gmail dot com
Description:
------------
The setting max_file_uploads can't be changed from .htaccess.

I think it should be possible to change max_file_uploads, like it's possible to change upload_max_filesize, post_max_size and max_input_time from .htaccess.

Reproduce code:
---------------
@.htaccess

php_value max_file_uploads 50

@settings.php

<?PHP
ini_set('max_file_uploads', "50");
echo "max_file_uploads: " . ini_get('max_file_uploads');
?>

Expected result:
----------------
max_file_uploads is changed to 50

Actual result:
--------------
max_file_uploads is not changed from its default (or php.ini) value

 [2010-01-07 10:15 UTC] jani@php.net
Allowing that to be changed would open a can of worms.
 [2010-03-04 20:04 UTC] steven at realestatewebmasters dot com
Can we at least get the documentation changed? Currently it says PHP_INI_ALL which would include htaccess and ini_set.
 [2010-03-05 04:17 UTC] aharvey@php.net
-Status: Bogus
+Status: Assigned
-Type: Bug
+Type: Documentation Problem
-Package: PHP options/info functions
+Package: Documentation problem
 [2010-03-05 04:36 UTC] aharvey@php.net
Automatic comment from SVN on behalf of aharvey
Revision: http://svn.php.net/viewvc/?view=revision&revision=295841
Log: Fix bug #50684 (max_file_uploads can't be changed from .htaccess (or ini_set))
by changing the documentation to reflect max_file_uploads being PHP_INI_SYSTEM,
not PHP_INI_ALL as previously documented.
 [2010-03-05 04:37 UTC] aharvey@php.net
-Status: Assigned
+Status: Closed
 [2010-03-05 04:37 UTC] aharvey@php.net
This bug has been fixed in the documentation's XML sources. Since the
online and downloadable versions of the documentation need some time
to get updated, we would like to ask you to be a bit patient.

Thank you for the report, and for helping us make our documentation better.


 [2010-09-28 21:39 UTC] guy dot paddock at redbottledesign dot com
Define "can of worms" with regard to this setting.

I'm sorry, but... umm... doesn't allowing sites to override *any* setting 
(including memory_limit) have the possibility of bad things happening? And, yet, 
we allow that.

It is strange to me how for some reason this one setting that so many people are 
now having trouble with is not allowed to be overridden at the reasonable level 
of per-site, or per-folder. If people are really concerned about locking-down 
the setting on their server, they can use php_admin_value in the INI.

As for me, like the rest of the developers who've encountered this botched 
feature, it's getting disabled until it's fixed. I have a rash of users upset 
that they can't upload more than 20 pictures per post, and I don't see how 
raising that limit to 300 server-wide would be any better.
 [2012-02-17 15:52 UTC] gonssal at gmail dot com
How do you close this bug without adding the possibility of changing the
parameter value through ini_set and .htaccess? This has to be the most retarded
idea a PHP dev has had since the "magic quotes" epic fiasco, breaking lots of
flawlessly and security-proof code working after a PHP version update, without
any warning (not even a Notice).

Also jani@php.net I've seen you answer in 3 different bugs in a way that makes
it seem like this won't be ever addressed. I can understand it was your
"brilliant" idea to implement this, but a bit of humility and acceptance of
errors would be really appreciated.

And sorry if someone is offended by the 'tone' of this message but when you have
to spend 3 days reviewing _ALL_ the projects using the CMS you developed, in a
lot of different servers because, you know they'll stop working when PHP version
is updated, due to a "great idea" (not really), well your mood goes down real
quick.
 [2012-02-17 17:49 UTC] rasmus@php.net
ini_set would never work because file uploads happen before the PHP script is 
executed, so by the time you call ini_set() it would be too late.

But you are right about .htaccess, I think. We probably should allow this setting 
to be changed there. It is always a tricky balance when it comes to security-
related settings. In some environments you want to lock down the security-related 
settings in a single place and not allow individual users/apps to override these, 
and in other environments you want to let users/apps have more rope.
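
Added example, not part of the original thread and not PHP project code: a script that reads each upload-related directive's access level from the running build with ini_get_all() and probes whether ini_set() is accepted, so an administrator can see which limits a per-directory .htaccess or application code is able to override. The function names access_scopes and audit_directives are assumptions made for this illustration.

```php
<?php
// Added example: report where each upload-related directive may be changed
// in the PHP build that runs this script. Nothing here is hard-coded from the
// manual; the access mask is read from the running interpreter.

// Directives named in the report above.
$directives = ['max_file_uploads', 'upload_max_filesize', 'post_max_size', 'max_input_time'];

// Decode the access bitmask returned by ini_get_all() into scope names.
function access_scopes(int $mask): array
{
    $scopes = [];
    if ($mask & INI_SYSTEM) { $scopes[] = 'php.ini/httpd.conf'; }
    if ($mask & INI_PERDIR) { $scopes[] = '.htaccess/.user.ini'; }
    if ($mask & INI_USER)   { $scopes[] = 'ini_set()'; }
    return $scopes;
}

// One row per directive: current value, allowed scopes, and whether a
// runtime ini_set() call is accepted (hypothetical helper).
function audit_directives(array $names): array
{
    $all  = ini_get_all(null, true); // details: global_value, local_value, access
    $rows = [];
    foreach ($names as $name) {
        if (!isset($all[$name])) {   // directive unknown to this build
            $rows[$name] = ['value' => null, 'scopes' => [], 'runtime' => false];
            continue;
        }
        $current = (string) $all[$name]['local_value'];
        // Re-setting the current value is a harmless probe: ini_set() returns
        // false when the directive cannot be changed from a script.
        $accepted = ini_set($name, $current) !== false;
        $rows[$name] = [
            'value'   => $current,
            'scopes'  => access_scopes((int) $all[$name]['access']),
            'runtime' => $accepted,
        ];
    }
    return $rows;
}

foreach (audit_directives($directives) as $name => $row) {
    printf("%-20s value=%-8s ini_set=%-3s scopes=%s\n",
        $name, var_export($row['value'], true),
        $row['runtime'] ? 'yes' : 'no', implode(', ', $row['scopes']));
}
```

Run it once from the CLI and once through the web server, since the two can load different php.ini files and per-directory overrides only apply under the web SAPI.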
 
Last updated: Thu Apr 17 18:02:13 2014 UTC