From: MikeB on 11 Sep 2010 19:37

Hello, I'm new to PHP and also new to using newsgroups/mailing lists directly. So if I make a mistake, please forgive me this once and I'll try to do better in the future.

Please help me understand, my head is absolutely spinning and I can't get my mind around this.

In the php.net site there is an example on uploading a file via a form. http://www.php.net/manual/en/features.file-upload.post-method.php

This is the sample code for the form:

<form enctype="multipart/form-data" action="__URL__" method="POST">
    <!-- MAX_FILE_SIZE must precede the file input field -->
    <input type="hidden" name="MAX_FILE_SIZE" value="30000" />
    <!-- Name of input element determines name in $_FILES array -->
    Send this file: <input name="userfile" type="file" />
    <input type="submit" value="Send File" />
</form>

Is MAX_FILE_SIZE passed to PHP as $MAX_FILE_SIZE?

Assuming I want to make it a variable in my PHP code, can I do this:

<?php

$MAX_FILE_SIZE = 30000;

echo <<<_END
<form enctype="multipart/form-data" action="__URL__" method="POST">
    <!-- MAX_FILE_SIZE must precede the file input field -->
    <input type="hidden" name="MAX_FILE_SIZE" />
    <!-- Name of input element determines name in $_FILES array -->
    Send this file: <input name="userfile" type="file" />
    <input type="submit" value="Send File" />
</form>
_END;
?>

In other words, simply omitting the "value" clause in the form field?

And can I make that value a global constant somehow so that I can later also test the actual size of the uploaded file in another function?

Or do I have to do this:

<?php

$MAX_UPLOAD_SIZE = 30000;

echo <<<_END
<form enctype="multipart/form-data" action="__URL__" method="POST">
    <!-- MAX_FILE_SIZE must precede the file input field -->
    <input type="hidden" name="MAX_FILE_SIZE" value="$MAX_UPLOAD_SIZE" />
    <!-- Name of input element determines name in $_FILES array -->
    Send this file: <input name="userfile" type="file" />
    <input type="submit" value="Send File" />
</form>
_END;
?>

I'm also concerned that in the first instance, a malicious user can modify the value and I will be hosed. Am I correct?

Thanks.
From: Tom Sparks on 11 Sep 2010 19:51

--- On Sun, 12/9/10, MikeB <mpbrede(a)gmail.com> wrote:

> From: MikeB <mpbrede(a)gmail.com>
> Subject: [PHP] New to PHP and the list
> To: php-general(a)lists.php.net
> Received: Sunday, 12 September, 2010, 9:37 AM
> Hello, I'm new to PHP and also new to
> using newsgroups/mailing lists directly. So if I make a
> mistake, please forgive me this once and I'll try to do
> better in the future.
>
> Please help me understand, my head is absolutely spinning
> and I can't
> get my mind around this.
>
> In the php.net site there is an example on uploading a file
> via a
> form. http://www.php.net/manual/en/features.file-upload.post-method.php
>

start off simpler with this version http://www.w3schools.com/php/php_file_upload.asp

tom
From: MikeB on 11 Sep 2010 21:34

On 9/11/2010 6:51 PM, Tom Sparks wrote:
> --- On Sun, 12/9/10, MikeB<mpbrede(a)gmail.com> wrote:
>
>> From: MikeB<mpbrede(a)gmail.com>
>> Subject: [PHP] New to PHP and the list
>> To: php-general(a)lists.php.net
>> Received: Sunday, 12 September, 2010, 9:37 AM
>> Hello, I'm new to PHP and also new to
>> using newsgroups/mailing lists directly. So if I make a
>> mistake, please forgive me this once and I'll try to do
>> better in the future.
>>
>> Please help me understand, my head is absolutely spinning
>> and I can't
>> get my mind around this.
>>
>> In the php.net site there is an example on uploading a file
>> via a
>> form. http://www.php.net/manual/en/features.file-upload.post-method.php
>>
> start off simpler with this version http://www.w3schools.com/php/php_file_upload.asp
>

I think I have that much under my belt, I'm more or less trying to dig a little deeper.
From: viraj on 11 Sep 2010 23:03

On Sun, Sep 12, 2010 at 5:07 AM, MikeB <mpbrede(a)gmail.com> wrote:
> Hello, I'm new to PHP and also new to using newsgroups/mailing lists
> directly. So if I make a mistake, please forgive me this once and I'll try
> to do better in the future.
>
> Please help me understand, my head is absolutely spinning and I can't
> get my mind around this.
>
> In the php.net site there is an example on uploading a file via a
> form. http://www.php.net/manual/en/features.file-upload.post-method.php
>
> This is the sample code for the form:
>
> <form enctype="multipart/form-data" action="__URL__" method="POST">
>     <!-- MAX_FILE_SIZE must precede the file input field -->
>     <input type="hidden" name="MAX_FILE_SIZE" value="30000" />
>     <!-- Name of input element determines name in $_FILES array -->
>     Send this file: <input name="userfile" type="file" />
>     <input type="submit" value="Send File" />
> </form>
>
> Is MAX_FILE_SIZE passed to PHP as $MAX_FILE_SIZE?

err! print_r and var_dump are your friends!

>
> Assuming I want to make it a variable in my PHP code, can I do this:
>
> <?php
>
> $MAX_FILE_SIZE = 30000;
>
> echo <<<_END
> <form enctype="multipart/form-data" action="__URL__" method="POST">
>     <!-- MAX_FILE_SIZE must precede the file input field -->
>     <input type="hidden" name="MAX_FILE_SIZE" />
>     <!-- Name of input element determines name in $_FILES array -->
>     Send this file: <input name="userfile" type="file" />
>     <input type="submit" value="Send File" />
> </form>
> _END;
> ?>
>
> In other words, simply omitting the "value" clause in the form field?
>
> And can I make that value a global constant somehow so that I can
> later also test the actual size of the uploaded file in another
> function?

if this is about getting the size of the uploaded file, you better try print_r($_FILES) after the form submit. there you have size in bytes.

MAX_FILE_SIZE in html form will be used to early notify the up-loader, in case of a bigger file which exceeds the server side limit imposed through php.ini. (see http://www.php.net/manual/en/ini.core.php file uploads section)

>
> Or do I have to do this:
>
> <?php
>
> $MAX_UPLOAD_SIZE = 30000;
> _END;
> ?>
>
> I'm also concerned that in the first instance, a malicious user can
> modify the value and I will be hosed. Am I correct?

and yes, never trust client side.

~viraj

>
> Thanks.
From: Paul M Foster on 12 Sep 2010 23:27

On Sat, Sep 11, 2010 at 06:37:41PM -0500, MikeB wrote:
> Hello, I'm new to PHP and also new to using newsgroups/mailing lists
> directly. So if I make a mistake, please forgive me this once and I'll
> try to do better in the future.
>
> Please help me understand, my head is absolutely spinning and I can't
> get my mind around this.
>
> In the php.net site there is an example on uploading a file via a
> form. http://www.php.net/manual/en/features.file-upload.post-method.php
>
> This is the sample code for the form:
>
> <form enctype="multipart/form-data" action="__URL__" method="POST">
>     <!-- MAX_FILE_SIZE must precede the file input field -->
>     <input type="hidden" name="MAX_FILE_SIZE" value="30000" />
>     <!-- Name of input element determines name in $_FILES array -->
>     Send this file: <input name="userfile" type="file" />
>     <input type="submit" value="Send File" />
> </form>
>
> Is MAX_FILE_SIZE passed to PHP as $MAX_FILE_SIZE?

No. It's passed as: $_POST['MAX_FILE_SIZE'], as are all variables in a form which uses "post" as its method attribute.

>
> Assuming I want to make it a variable in my PHP code, can I do this:
>
> <?php
>
> $MAX_FILE_SIZE = 30000;
>
> echo <<<_END
> <form enctype="multipart/form-data" action="__URL__" method="POST">
>     <!-- MAX_FILE_SIZE must precede the file input field -->
>     <input type="hidden" name="MAX_FILE_SIZE" />
>     <!-- Name of input element determines name in $_FILES array -->
>     Send this file: <input name="userfile" type="file" />
>     <input type="submit" value="Send File" />
> </form>
> _END;
> ?>
>
> In other words, simply omitting the "value" clause in the form field?

No. Better is this:

<?php

$max_file_size = 30000;

echo <<<_END
<form enctype="multipart/form-data" action="__URL__" method="POST">
    <!-- MAX_FILE_SIZE must precede the file input field -->
    <input type="hidden" name="MAX_FILE_SIZE" value="$max_file_size" />
    <!-- Name of input element determines name in $_FILES array -->
    Send this file: <input name="userfile" type="file" />
    <input type="submit" value="Send File" />
</form>
_END;

Remember that the data HTML/values you're sending are being sent back when the form returns to the server for processing. So the information must be contained in POST/GET variables, just the way I did it above. (There are other ways to do the syntax, but the meaning is the same.)

>
> And can I make that value a global constant somehow so that I can
> later also test the actual size of the uploaded file in another
> function?
>
> Or do I have to do this:
>
> <?php
>
> $MAX_UPLOAD_SIZE = 30000;
>
> echo <<<_END
> <form enctype="multipart/form-data" action="__URL__" method="POST">
>     <!-- MAX_FILE_SIZE must precede the file input field -->
>     <input type="hidden" name="MAX_FILE_SIZE"
>     value="$MAX_UPLOAD_SIZE" />
>     <!-- Name of input element determines name in $_FILES array -->
>     Send this file: <input name="userfile" type="file" />
>     <input type="submit" value="Send File" />
> </form>
> _END;
> ?>

You can make it a global constant if you want, but remember that, because of the HTTP protocol, the server doesn't know anything about what you've declared "global" until it processes the form on its return. And then the only thing it knows is what you've put in the values of your HTML fields. The exception is $_SESSION variables, which can store values *across* calls to a page.

>
> I'm also concerned that in the first instance, a malicious user can
> modify the value and I will be hosed. Am I correct?

Yes, a malicious user can do this. They can stand off somewhere and submit a copy of your form with different values. Then they can upload a file of larger size.

However, if you keep that 30000 value somewhere, you can refuse to "process" files which exceed that size. When I say "process", I mean store the file in a more permanent place and actually *do* something with it. Uploading files puts them in a temporary location controlled by the server and inaccessible to you using "normal" methods. You probably know you have to go through a couple of extra steps to get to that file someone uploaded. You can't just say, "Give me the file at /tmp/phpuploads/uploadedfile.txt."

Paul

--
Paul M. Foster |
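Pulling the thread's advice together (viraj's "never trust client side" and $_FILES size check, Paul's point that the 30000 limit must be kept server-side and the upload moved out of the temporary location), here is an added example of a single-page upload handler. It is not code from the thread or from php.net; the constant names, the hypothetical `uploads_private` directory (assumed to exist, be writable by PHP, and sit outside the web root) and the random file naming are my assumptions.

```php
<?php
// Added example, not from the thread. The size limit lives in one PHP
// constant: it is interpolated into the form as MAX_FILE_SIZE (a hint
// the browser may honour) and enforced again on the server, because the
// hidden field travels back as $_POST['MAX_FILE_SIZE'] and anyone can
// edit it before submitting.
declare(strict_types=1);

const MAX_UPLOAD_BYTES = 30000;                           // the thread's value
const UPLOAD_DIR       = __DIR__ . '/uploads_private';    // assumed; outside web root

/**
 * Validate one $_FILES entry and return [ok, message, tmp_path].
 * $_POST['MAX_FILE_SIZE'] is deliberately never consulted here.
 */
function validate_upload(array $file, int $limit): array
{
    // PHP reports a form-limit violation as UPLOAD_ERR_FORM_SIZE and a
    // php.ini (upload_max_filesize) violation as UPLOAD_ERR_INI_SIZE.
    $messages = [
        UPLOAD_ERR_INI_SIZE   => 'File exceeds upload_max_filesize in php.ini',
        UPLOAD_ERR_FORM_SIZE  => 'File exceeds the MAX_FILE_SIZE sent by the form',
        UPLOAD_ERR_PARTIAL    => 'File was only partially uploaded',
        UPLOAD_ERR_NO_FILE    => 'No file was uploaded',
        UPLOAD_ERR_NO_TMP_DIR => 'Server has no temporary directory',
        UPLOAD_ERR_CANT_WRITE => 'Server could not write the file to disk',
        UPLOAD_ERR_EXTENSION  => 'Upload stopped by a PHP extension',
    ];
    $code = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($code !== UPLOAD_ERR_OK) {
        return [false, $messages[$code] ?? "Unknown upload error $code", null];
    }
    // Enforce our own limit regardless of what the client claimed.
    if ($file['size'] > $limit) {
        return [false, "File is {$file['size']} bytes, limit is $limit", null];
    }
    // Only accept a path that PHP itself placed in the temp directory.
    if (!is_uploaded_file($file['tmp_name'])) {
        return [false, 'Not a genuine uploaded file', null];
    }
    return [true, 'OK', $file['tmp_name']];
}

/** Move a validated upload out of the temp area under a server-chosen name. */
function store_upload(string $tmpPath, string $dir): string
{
    // The client-supplied filename is never used as a path component.
    $dest = $dir . '/' . bin2hex(random_bytes(16)) . '.bin';
    if (!move_uploaded_file($tmpPath, $dest)) {
        throw new RuntimeException('Could not move uploaded file');
    }
    return $dest;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    [$ok, $msg, $tmp] = validate_upload($_FILES['userfile'] ?? [], MAX_UPLOAD_BYTES);
    if ($ok) {
        $msg = 'Stored as ' . basename(store_upload($tmp, UPLOAD_DIR));
    }
    echo '<p>' . htmlspecialchars($msg, ENT_QUOTES, 'UTF-8') . '</p>';
}

// Render the form. A constant cannot be interpolated inside a heredoc,
// so it is copied into a local variable first; the browser-side hint and
// the server-side check therefore come from the same definition.
$limit = MAX_UPLOAD_BYTES;
echo <<<_END
<form enctype="multipart/form-data" action="" method="POST">
    <!-- MAX_FILE_SIZE must precede the file input field -->
    <input type="hidden" name="MAX_FILE_SIZE" value="$limit" />
    Send this file: <input name="userfile" type="file" />
    <input type="submit" value="Send File" />
</form>
_END;
```

Two details worth noting: the heredoc is closed with `_END;` at the start of its own line (the `<<<_END` at the end of the snippets in this thread would not terminate it), and a `const` cannot appear as `$MAX_UPLOAD_BYTES` inside the heredoc, which is why the value is copied into `$limit` before the form is echoed.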