Prev: How to handle a submitted form with no changes -- best practices sought
Next: How to handle a submitted form with no changes -- bestpractices sought
From: kranthi on 13 Sep 2010 05:31 > Is MAX_FILE_SIZE passed to PHP as $MAX_FILE_SIZE? only if register_golbals is set to ON in php.ini. This is a very bad practice and should be avoided. Use $_POST['MAX_FILE_SIZE'] instead. But in this case dont use the post variable also. define a constant in your configuration file and use that constant. The only use of MAX_FILE_SIZE is to inform the browser that "dont allow the user to upload files which are > MAX_FILE_SIZE". > <?php > > $MAX_FILE_SIZE = 30000; > > echo <<<_END > <form enctype="multipart/form-data" action="__URL__" method="POST"> > <!-- MAX_FILE_SIZE must precede the file input field --> > <input type="hidden" name="MAX_FILE_SIZE" /> > <!-- Name of input element determines name in $_FILES array --> > Send this file: <input name="userfile" type="file" /> > <input type="submit" value="Send File" /> > </form> > <<<_END Nope, you cant. You have to mention the value attribute of a hidden field > I'm also concerned that in the first instance, a malicious user can > modify the value and I will be hosed. Am I correct? A malicious user can ALWAYS modify the data. You will have to always validate every input field. > echo <<<_END > <form enctype="multipart/form-data" action="__URL__" method="POST"> > <!-- MAX_FILE_SIZE must precede the file input field --> > <input type="hidden" name="<?php echo $max_file_size; ?>" /> > <!-- Name of input element determines name in $_FILES array --> > Send this file: <input name="userfile" type="file" /> > <input type="submit" value="Send File" /> > </form> > <<<_END i did not understand this echo <<<_END means that you are in php so why do you need a <?php echo $max_file_size; ?> ? |