From: MikeB on
Hello, I'm new to PHP and also new to using newsgroups/mailing lists
directly. So if I make a mistake, please forgive me this once and I'll
try to do better in the future.

Please help me understand, my head is absolutely spinning and I can't
get my mind around this.

In the php.net site there is an example on uploading a file via a
form. http://www.php.net/manual/en/features.file-upload.post-method.php

This is the sample code for the form:

<form enctype="multipart/form-data" action="__URL__" method="POST">
<!-- MAX_FILE_SIZE must precede the file input field -->
<input type="hidden" name="MAX_FILE_SIZE" value="30000" />
<!-- Name of input element determines name in $_FILES array -->
Send this file: <input name="userfile" type="file" />
<input type="submit" value="Send File" />
</form>

Is MAX_FILE_SIZE passed to PHP as $MAX_FILE_SIZE?

Assuming I want to make it a variable in my PHP code, can I do this:

<?php

$MAX_FILE_SIZE = 30000;

echo <<<_END
<form enctype="multipart/form-data" action="__URL__" method="POST">
<!-- MAX_FILE_SIZE must precede the file input field -->
<input type="hidden" name="MAX_FILE_SIZE" />
<!-- Name of input element determines name in \$_FILES array -->
Send this file: <input name="userfile" type="file" />
<input type="submit" value="Send File" />
</form>
_END;
?>

In other words, simply omitting the "value" clause in the form field?

And can I make that value a global constant somehow so that I can
later also test the actual size of the uploaded file in another
function?

Or do I have to do this:

<?php

$MAX_UPLOAD_SIZE = 30000;

echo <<<_END
<form enctype="multipart/form-data" action="__URL__" method="POST">
<!-- MAX_FILE_SIZE must precede the file input field -->
<input type="hidden" name="MAX_FILE_SIZE"
value="$MAX_UPLOAD_SIZE"/>
<!-- Name of input element determines name in \$_FILES array -->
Send this file: <input name="userfile" type="file" />
<input type="submit" value="Send File" />
</form>
_END;
?>

I'm also concerned that in the first instance, a malicious user can
modify the value and I will be hosed. Am I correct?

Thanks.
From: Tom Sparks on
--- On Sun, 12/9/10, MikeB <mpbrede(a)gmail.com> wrote:

> From: MikeB <mpbrede(a)gmail.com>
> Subject: [PHP] New to PHP and the list
> To: php-general(a)lists.php.net
> Received: Sunday, 12 September, 2010, 9:37 AM
> Hello, I'm new to PHP and also new to
> using newsgroups/mailing lists directly. So if I make a
> mistake, please forgive me this once and I'll try to do
> better in the future.
>
> Please help me understand, my head is absolutely spinning
> and I can't
> get my mind around this.
>
> In the php.net site there is an example on uploading a file
> via a
> form. http://www.php.net/manual/en/features.file-upload.post-method.php
>
start off simpler with this version http://www.w3schools.com/php/php_file_upload.asp

tom




From: MikeB on
On 9/11/2010 6:51 PM, Tom Sparks wrote:
> --- On Sun, 12/9/10, MikeB<mpbrede(a)gmail.com> wrote:
>
>> From: MikeB<mpbrede(a)gmail.com>
>> Subject: [PHP] New to PHP and the list
>> To: php-general(a)lists.php.net
>> Received: Sunday, 12 September, 2010, 9:37 AM
>> Hello, I'm new to PHP and also new to
>> using newsgroups/mailing lists directly. So if I make a
>> mistake, please forgive me this once and I'll try to do
>> better in the future.
>>
>> Please help me understand, my head is absolutely spinning
>> and I can't
>> get my mind around this.
>>
>> In the php.net site there is an example on uploading a file
>> via a
>> form. http://www.php.net/manual/en/features.file-upload.post-method.php
>>
> start off simpler with this version http://www.w3schools.com/php/php_file_upload.asp
>

I think I have that much under my belt, I'm more or less trying to dig a
little deeper.
From: viraj on
On Sun, Sep 12, 2010 at 5:07 AM, MikeB <mpbrede(a)gmail.com> wrote:
> Hello, I'm new to PHP and also new to using newsgroups/mailing lists
> directly. So if I make a mistake, please forgive me this once and I'll try
> to do better in the future.
>
> Please help me understand, my head is absolutely spinning and I can't
> get my mind around this.
>
> In the php.net site there is an example on uploading a file via a
> form. http://www.php.net/manual/en/features.file-upload.post-method.php
>
> This is the sample code for the form:
>
> <form enctype="multipart/form-data" action="__URL__" method="POST">
>    <!-- MAX_FILE_SIZE must precede the file input field -->
>    <input type="hidden" name="MAX_FILE_SIZE" value="30000" />
>    <!-- Name of input element determines name in $_FILES array -->
>    Send this file: <input name="userfile" type="file" />
>    <input type="submit" value="Send File" />
> </form>
>
> Is MAX_FILE_SIZE passed to PHP as $MAX_FILE_SIZE?

err! print_r and var_dump is your friend!

>
> Assuming I want to make it a variable in my PHP code, can I do this:
>
> <?php
>
> $MAX_FILE_SIZE = 30000;
>
> echo <<<_END
> <form enctype="multipart/form-data" action="__URL__" method="POST">
>    <!-- MAX_FILE_SIZE must precede the file input field -->
>    <input type="hidden" name="MAX_FILE_SIZE"  />
>    <!-- Name of input element determines name in \$_FILES array -->
>    Send this file: <input name="userfile" type="file" />
>    <input type="submit" value="Send File" />
> </form>
> _END;
> ?>
>
> In other words, simply omitting the "value" clause in the form field?
>
> And can I make that value a global constant somehow so that I can
> later also test the actual size of the uploaded file in another
> function?

if this is about getting the size of the uploaded file, you better try
print_r($_FILES) after the form submit. there you have size in bytes.

MAX_FILE_SIZE in html form will be used to early notify the up-loader,
in case of a bigger file which exceeds the server side limit imposed
through php.ini. (see http://www.php.net/manual/en/ini.core.php file
uploads section)

>
> Or do I have to do this:
>
> <?php
>
> $MAX_UPLOAD_SIZE = 30000;
> <<<_END
> <?
>
> I'm also concerned that in the first instance, a malicious user can
> modify the value and I will be hosed. Am I correct?

and yes, never trust client side.


~viraj

>
> Thanks.
From: Paul M Foster on
On Sat, Sep 11, 2010 at 06:37:41PM -0500, MikeB wrote:

> Hello, I'm new to PHP and also new to using newsgroups/mailing lists
> directly. So if I make a mistake, please forgive me this once and I'll
> try to do better in the future.
>
> Please help me understand, my head is absolutely spinning and I can't
> get my mind around this.
>
> In the php.net site there is an example on uploading a file via a
> form. http://www.php.net/manual/en/features.file-upload.post-method.php
>
> This is the sample code for the form:
>
> <form enctype="multipart/form-data" action="__URL__" method="POST">
> <!-- MAX_FILE_SIZE must precede the file input field -->
> <input type="hidden" name="MAX_FILE_SIZE" value="30000" />
> <!-- Name of input element determines name in $_FILES array -->
> Send this file: <input name="userfile" type="file" />
> <input type="submit" value="Send File" />
> </form>
>
> Is MAX_FILE_SIZE passed to PHP as $MAX_FILE_SIZE?

No. It's passed as: $_POST['MAX_FILE_SIZE'], as are all variables in a
form which uses "post" as its method attribute.

>
> Assuming I want to make it a variable in my PHP code, can I do this:
>
> <?php
>
> $MAX_FILE_SIZE = 30000;
>
> echo <<<_END
> <form enctype="multipart/form-data" action="__URL__" method="POST">
> <!-- MAX_FILE_SIZE must precede the file input field -->
> <input type="hidden" name="MAX_FILE_SIZE" />
> <!-- Name of input element determines name in \$_FILES array -->
> Send this file: <input name="userfile" type="file" />
> <input type="submit" value="Send File" />
> </form>
> _END;
> ?>
>
> In other words, simply omitting the "value" clause in the form field?

No. Better is this:

<?php

// Server-side copy of the limit; interpolated into the hidden field below.
$max_file_size = 30000;

echo <<<_END
<form enctype="multipart/form-data" action="__URL__" method="POST">
<!-- MAX_FILE_SIZE must precede the file input field -->
<input type="hidden" name="MAX_FILE_SIZE" value="$max_file_size" />
<!-- Name of input element determines name in \$_FILES array -->
Send this file: <input name="userfile" type="file" />
<input type="submit" value="Send File" />
</form>
_END;

Remember that the data HTML/values you're sending are being sent back
when the form returns to the server for processing. So the
information must be contained in POST/GET variables, just the way I did
it above. (There are other ways to do the syntax, but the meaning is the
same.)


>
> And can I make that value a global constant somehow so that I can
> later also test the actual size of the uploaded file in another
> function?
>
> Or do I have to do this:
>
> <?php
>
> $MAX_UPLOAD_SIZE = 30000;
>
> echo <<<_END
> <form enctype="multipart/form-data" action="__URL__" method="POST">
> <!-- MAX_FILE_SIZE must precede the file input field -->
> <input type="hidden" name="MAX_FILE_SIZE"
> value="$MAX_UPLOAD_SIZE"/>
> <!-- Name of input element determines name in \$_FILES array -->
> Send this file: <input name="userfile" type="file" />
> <input type="submit" value="Send File" />
> </form>
> _END;
> ?>

You can make it a global constant if you want, but remember that,
because of the HTTP protocol, the server doesn't know anything about
what you've declared "global" until it processes the form on its return.
And then the only thing it knows is what you've put in the values of
your HTML fields. The exception is $_SESSION variables, which can store
values *across* calls to a page.

>
> I'm also concerned that in the first instance, a malicious user can
> modify the value and I will be hosed. Am I correct?

Yes, a malicious user can do this. They can stand off somewhere and
submit a copy of your form with different values. Then they can upload a
file of larger size. However, if you keep that 30000 value somewhere,
you can refuse to "process" files which exceed that size. When I say
"process", I mean store the file in a more permanent place and actually
*do* something with it. Uploading files puts them in a temporary
location controlled by the server and inaccessible to you using "normal"
methods. You probably know you have to go through a couple of extra
steps to get to that file someone uploaded. You can't just say, "Give me
the file at /tmp/phpuploads/uploadedfile.txt."

Paul

--
Paul M. Foster
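
The server-side check discussed in this thread, as an added example that is not code from any of the posters: one constant feeds both the hidden form field and the size test, and the posted MAX_FILE_SIZE value is never read back. The names MAX_UPLOAD_BYTES, render_form and reject_reason, the script name upload.php and the uploads/ directory are assumptions made for illustration.

```php
<?php
// Added example (not from the thread). One server-side constant drives both
// the form hint and the real check; the posted MAX_FILE_SIZE is never trusted.
const MAX_UPLOAD_BYTES = 30000;

function render_form(string $action): string
{
    $limit  = MAX_UPLOAD_BYTES;
    $action = htmlspecialchars($action, ENT_QUOTES);
    return <<<_END
<form enctype="multipart/form-data" action="$action" method="POST">
<input type="hidden" name="MAX_FILE_SIZE" value="$limit" />
Send this file: <input name="userfile" type="file" />
<input type="submit" value="Send File" />
</form>
_END;
}

// $file is one entry of $_FILES. Returns null if acceptable, else a reason.
function reject_reason(array $file): ?string
{
    $error = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($error !== UPLOAD_ERR_OK) {
        return 'upload failed';   // covers the size errors PHP reports itself
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return 'not an HTTP upload';
    }
    // Measure the temporary file on disk against the server-side constant.
    if (filesize($file['tmp_name']) > MAX_UPLOAD_BYTES) {
        return 'file larger than ' . MAX_UPLOAD_BYTES . ' bytes';
    }
    return null;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $reason = reject_reason($_FILES['userfile'] ?? []);
    // Assumed destination: uploads/ must already exist and be writable.
    $dest = __DIR__ . '/uploads/' . bin2hex(random_bytes(8));
    if ($reason === null && !move_uploaded_file($_FILES['userfile']['tmp_name'], $dest)) {
        $reason = 'could not store file';
    }
    if ($reason !== null) {
        http_response_code(400);
    }
    echo $reason === null ? 'Stored.' : htmlspecialchars($reason);
} else {
    echo render_form('upload.php');
}
```

Run from the command line it prints the form; served over HTTP it rejects any POST whose temporary file exceeds the constant, whatever the submitted form said.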