Max_File_Size in PHP - What's the Point

MAX_FILE_SIZE in PHP - what's the point?

At the moment there are no browsers that actually care about the MAX_FILE_SIZE directive so it is pretty pointless. I suppose it does give you more granular control over max sizes on upload (as the poster above stated) rather than going with php.ini's, but personally I just ignore it, and you probably should too. It will certainly not stop a user uploading a larger than required file - the manual is fairly misleading in this regard.

PHP post_max_size vs upload_max_filesize, what is the difference?

You are correct. post_max_size is the maximum size for all POST body data. It doesn't matter if you're POSTing JSON or your DVD collection, this is all POST body data. Your file upload counts towards this limit. You should also be aware that if you are uploading multiple files, the total file size has to fit within this limit.

upload_max_filesize is a maximum size only for files that are POSTed. Other types of POST body data are not subject to this limit.

In short, if you want to upload large files, you must increase both limits.

MAX_FILE_SIZE not giving error?

Forgot about case 2!

switch ($_FILES['uploadphoto']['error']) {
    case 2: // UPLOAD_ERR_FORM_SIZE: file exceeds the form's MAX_FILE_SIZE
        echo 'Photo exceeds 10MB limit.';
        break;
}

Thank you @Passerby!

problem when uploading file

File Uploads - Common Pitfalls

The MAX_FILE_SIZE item cannot specify
a file size greater than the file size
that has been set in the
upload_max_filesize in the php.ini
file. The default is 2 megabytes.

If a memory limit is enabled, a larger
memory_limit may be needed. Make sure
you set memory_limit large enough.

...

If post_max_size is set too small,
large files cannot be uploaded. Make
sure you set post_max_size large
enough.

You can increase the value for MAX_FILE_SIZE in four ways:

1) php.ini

upload_max_filesize = 20M
post_max_size = 20M

2) ini_set()

ini_set('upload_max_filesize', '20M');
ini_set('post_max_size', '20M');

3) .htaccess

php_value upload_max_filesize 20M
php_value post_max_size 20M

4) hidden form fields

<input name="MAX_FILE_SIZE" value="20971520" type="hidden">

HTML Upload MAX_FILE_SIZE does not appear to work

MAX_FILE_SIZE is in KB not bytes. You were right, it is in bytes. So, for a limit of 4MB, convert 4MB to bytes {1024 * (1024 * 4)} and try:

<input type="hidden" name="MAX_FILE_SIZE" value="4194304" /> 


Update 1

As explained by others, you will never get a warning for this. It's there just to impose a soft limit on server side.

Update 2

To answer your sub-question. Yes, there is a difference, you NEVER trust the user input. If you want to always impose a limit, you always must check its size. Don't trust what MAX_FILE_SIZE does, because it can be changed by a user. So, yes, you should check to make sure it's always up to or above the size you want it to be.

The difference is that if you have imposed a MAX_FILE_SIZE of 2MB and the user tries to upload a 4MB file, once they reach roughly the first 2MB of upload, the transfer will terminate and the PHP will stop accepting more data for that file. It will report the error on the files array.
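The server-side check these answers call for, as an added example that is not part of the original posts: it never reads the client-supplied MAX_FILE_SIZE field, maps the $_FILES error codes, and measures the stored temp file against a limit the application defines. APP_MAX_UPLOAD_BYTES, iniBytes(), postBodyTooLarge() and checkUpload() are hypothetical names, and the temp file is constructed so the script runs from the CLI.

```php
<?php
// Added example; all names below are hypothetical, not from the original posts.
const APP_MAX_UPLOAD_BYTES = 4 * 1024 * 1024; // assumed application limit (4MB)

// Convert php.ini shorthand such as "20M" to bytes.
function iniBytes(string $value): int
{
    $number = (int) trim($value);
    switch (strtoupper(substr(trim($value), -1))) {
        case 'G': $number *= 1024; // fall through
        case 'M': $number *= 1024; // fall through
        case 'K': $number *= 1024;
    }
    return $number;
}

// True when the body exceeded post_max_size; PHP then leaves $_POST and $_FILES empty.
function postBodyTooLarge(int $contentLength): bool
{
    $max = iniBytes((string) ini_get('post_max_size'));
    return $max > 0 && $contentLength > $max; // 0 disables the limit
}

// Returns null when the $_FILES entry is acceptable, otherwise a reason string.
function checkUpload(array $file, int $limit = APP_MAX_UPLOAD_BYTES): ?string
{
    switch ($file['error'] ?? UPLOAD_ERR_NO_FILE) {
        case UPLOAD_ERR_OK:        break;
        case UPLOAD_ERR_INI_SIZE:  return 'exceeds upload_max_filesize';      // code 1
        case UPLOAD_ERR_FORM_SIZE: return 'exceeds MAX_FILE_SIZE form field'; // code 2
        case UPLOAD_ERR_NO_FILE:   return 'no file sent';
        default:                   return 'upload failed';
    }
    // Measure the stored temp file; $_POST['MAX_FILE_SIZE'] is client-controlled.
    // In a real request handler also require is_uploaded_file($file['tmp_name']).
    $path = $file['tmp_name'] ?? '';
    $actual = is_file($path) ? filesize($path) : false;
    if ($actual === false) return 'temp file missing';
    return $actual > $limit ? "file is $actual bytes, limit is $limit" : null;
}

// Constructed demo: the form's MAX_FILE_SIZE was raised or removed, so PHP reports
// error 0, but the file is still larger than the application's own limit.
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, str_repeat('A', 2048));
$entry = ['name' => 'photo.jpg', 'tmp_name' => $tmp, 'error' => UPLOAD_ERR_OK, 'size' => 2048];
var_dump(checkUpload($entry, 1024), checkUpload(['error' => UPLOAD_ERR_FORM_SIZE]));
var_dump(postBodyTooLarge(PHP_INT_MAX)); // handler: (int) ($_SERVER['CONTENT_LENGTH'] ?? 0)
unlink($tmp);
```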

Is MAX_FILE_SIZE always written in upper-case? Does it have to be?

This is not an HTML feature, but a PHP feature.

The documentation explains how PHP looks for a field named MAX_FILE_SIZE in form data, and uses its value for handling file uploads if applicable.

It's a matter of historical convention that constants are capitalised and, traditionally, a field like MAX_FILE_SIZE would be a constant in an application. Matters are complicated slightly because, as far as PHP is concerned, it's actually a variable (named $_POST['MAX_FILE_SIZE']) and isn't constant at all; still, if you take the web application as a whole, you could see how this convention might still apply.

It also sets the field name apart from any other fields that the user has in his/her form.

Note that, since access to arrays by string key is case-sensitive, it makes sense to assume that PHP's search for this form field is also case-sensitive. So, if you were considering otherwise, stick with the capitalisation.


