#1 (permalink) |
> And here is the dump of the $_FILES array (which, notably, reports
> zero as the size):
<snip>
> [error] => 2

And also gives you an error code.

http://www.php.net/manual/en/feature...oad.errors.php

--
Postgresql & php tutorials
http://www.designmagick.com/
#2 (permalink) |
Chris wrote:
> [error] => 2
> And also gives you an error code.

Yes, I know and knew that. That's why the upload ultimately fails (which is okay).

My point is that when a file's size exceeds the MAX_FILE_SIZE value, I want the browser to (a) detect that it's too large BEFORE attempting to upload it and (b) report the file size back to the user. That's what's not happening.
#3 (permalink) |
> -----Original Message-----
> From: Jeff Cohan [mailto:jeff@nsiteful.com]
> Sent: 23 September 2007 00:02
> To: php-general@lists.php.net
> Subject: Re: [php] MAX_FILE_SIZE not working with file uploads
>
> Chris wrote:
> > [error] => 2
> > And also gives you an error code.
>
> Yes, I know and knew that. That's why the upload ultimately fails
> (which is okay).
>
> My point is that when a file's size exceeds the MAX_FILE_SIZE value,
> I want the browser to (a) detect that it's too large BEFORE
> attempting to upload

I might be wrong but this would be classed as 'exploitable'... Webservers should not be allowed to read from or write to clients... Of course there is ActiveX...

Dan
#4 (permalink) |
> -----Original Message-----
> From: Jeff Cohan [mailto:jeff@nsiteful.com]
> Sent: 23 September 2007 02:45
> To: php-general@lists.php.net
> Subject: Re: [php] MAX_FILE_SIZE not working with file uploads
>
> Dan Parry wrote:
> > I might be wrong but this would be classed as
> > 'exploitable'... Webservers should not be allowed
> > to read from or write to clients... Of course there
> > is ActiveX...
>
> I think we're off the point.
>
> My script is simply interrogating the value of the
> $_FILES[userfile][size] array element. It's coming up as ZERO if it
> exceeds the MAX_FILE_SIZE. That seems odd to me. But maybe that's
> the way it's SUPPOSED to work. That's why I started this thread out
> with "What am I missing?".
>
> Said another way:
>
> It seems that the server had to know the size of the file in order
> to know it exceeded MAX_FILE_SIZE. So how can my script find out the
> size?

I'm not sure it can... The server has to accept the file before it can process any details on it

The MAX_FILE_SIZE input field is notoriously unreliable... I think if it returns zero (0) then the PHP limit is reached

Dan
#5 (permalink) |
On Saturday 22 September 2007 7:44:55 pm Jeff Cohan wrote:
> Dan Parry wrote:
> > I might be wrong but this would be classed as
> > 'exploitable'... Webservers should not be allowed
> > to read from or write to clients... Of course there
> > is ActiveX...
>
> I think we're off the point.
>
> My script is simply interrogating the value of the
> $_FILES[userfile][size] array element. It's coming up as ZERO if it
> exceeds the MAX_FILE_SIZE.

Exactly, no valid file was uploaded. The size of the valid file is therefore zero.

> That seems odd to me.
> But maybe that's
> the way it's SUPPOSED to work. That's why I started this thread out
> with "What am I missing?".
>
> Said another way:
>
> It seems that the server had to know the size of the file in order
> to know it exceeded MAX_FILE_SIZE. So how can my script find out the
> size?

Can you use Javascript to check file size client side, send data via AJAX then issue warnings? (Remember the php mantra: "PHP is a server side language")

As noted in the php.net documentation you quoted, and as mentioned previously, MAX_FILE_SIZE is a _hint_ to the browser. Some browsers just don't take hints.

Ray
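Added example, not part of the original thread or of any poster's code: one way a PHP script can treat MAX_FILE_SIZE as the client-supplied hint it is and enforce its own limit server-side, including the error 2 / size 0 case from the dump above. The names `check_upload` and `APP_MAX_BYTES`, the 2 MB limit and the sample array are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// The limit that counts lives on the server. The MAX_FILE_SIZE form field is
// sent by the client, so it can be changed or left out. (Assumed value: 2 MB.)
const APP_MAX_BYTES = 2 * 1024 * 1024;

/**
 * Classify one $_FILES entry and return [accepted, message].
 * $contentLength is the Content-Length of the whole request body: an upper
 * bound on the file size, not the exact size.
 */
function check_upload(?array $file, int $contentLength, int $maxBytes = APP_MAX_BYTES): array
{
    if ($file === null) {
        // When post_max_size is exceeded PHP leaves $_POST and $_FILES empty.
        return [false, $contentLength > 0
            ? "Request of $contentLength bytes was rejected before parsing"
            : 'No file field in the request'];
    }
    switch ($file['error']) {
        case UPLOAD_ERR_OK:
            break;
        case UPLOAD_ERR_INI_SIZE:  // 1: larger than upload_max_filesize
        case UPLOAD_ERR_FORM_SIZE: // 2: larger than the form's MAX_FILE_SIZE
            // 'size' is 0 and 'tmp_name' is empty here, as in the dump above,
            // so the request length is the only size information left.
            return [false, "File too large; the request was about $contentLength bytes"];
        default:
            return [false, 'Upload failed with error code ' . $file['error']];
    }
    // Error 0: measure the stored file instead of trusting the reported size.
    if (!is_uploaded_file($file['tmp_name'])) {
        return [false, 'Not a file uploaded in this request'];
    }
    $actual = filesize($file['tmp_name']);
    if ($actual === false || $actual > $maxBytes) {
        return [false, "File is $actual bytes; the limit is $maxBytes"];
    }
    return [true, "Accepted $actual bytes"];
}

// Constructed sample shaped like the entry in the thread (error 2, size 0).
// In a web request: check_upload($_FILES['userfile'] ?? null,
//                                (int) ($_SERVER['CONTENT_LENGTH'] ?? 0));
$sample = ['name' => 'big.zip', 'type' => '', 'tmp_name' => '', 'error' => 2, 'size' => 0];
[$ok, $message] = check_upload($sample, 5242880);
echo $message, PHP_EOL;
```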
#6 (permalink) |
> -----Original Message-----
> From: Ray [mailto:ray@stilltech.net]
> Sent: 23 September 2007 02:25
> To: php-general@lists.php.net
> Subject: Re: [php] MAX_FILE_SIZE not working with file uploads
>
> On Saturday 22 September 2007 7:44:55 pm Jeff Cohan wrote:
> > Dan Parry wrote:
> > > I might be wrong but this would be classed as
> > > 'exploitable'... Webservers should not be allowed
> > > to read from or write to clients... Of course there
> > > is ActiveX...
> >
> > I think we're off the point.
> >
> > My script is simply interrogating the value of the
> > $_FILES[userfile][size] array element. It's coming up as ZERO if it
> > exceeds the MAX_FILE_SIZE.
>
> Exactly, no valid file was uploaded. The size of the valid file is
> therefore zero.
>
> > That seems odd to me.
> > But maybe that's
> > the way it's SUPPOSED to work. That's why I started this thread out
> > with "What am I missing?".
> >
> > Said another way:
> >
> > It seems that the server had to know the size of the file in order
> > to know it exceeded MAX_FILE_SIZE. So how can my script find out the
> > size?
>
> Can you use Javascript to check file size client side, send data via
> AJAX then issue warnings

This would be the exploitable 'feature' I mentioned... Client-side files should never be readable

Dan
#7 (permalink) |
Dan Parry wrote:
> I might be wrong but this would be classed as
> 'exploitable'... Webservers should not be allowed
> to read from or write to clients... Of course there
> is ActiveX...

I think we're off the point.

My script is simply interrogating the value of the $_FILES[userfile][size] array element. It's coming up as ZERO if it exceeds the MAX_FILE_SIZE. That seems odd to me. But maybe that's the way it's SUPPOSED to work. That's why I started this thread out with "What am I missing?".

Said another way:

It seems that the server had to know the size of the file in order to know it exceeded MAX_FILE_SIZE. So how can my script find out the size?
#8 (permalink) |
On Saturday 22 September 2007 7:39:01 pm Dan Parry wrote:
> > -----Original Message-----
> > From: Ray [mailto:ray@stilltech.net]
> > Sent: 23 September 2007 02:25
> > To: php-general@lists.php.net
> > Subject: Re: [php] MAX_FILE_SIZE not working with file uploads
> >
> > On Saturday 22 September 2007 7:44:55 pm Jeff Cohan wrote:
> > > Dan Parry wrote:
> > > > I might be wrong but this would be classed as
> > > > 'exploitable'... Webservers should not be allowed
> > > > to read from or write to clients... Of course there
> > > > is ActiveX...
> > >
> > > I think we're off the point.
> > >
> > > My script is simply interrogating the value of the
> > > $_FILES[userfile][size] array element. It's coming up as ZERO if it
> > > exceeds the MAX_FILE_SIZE.
> >
> > Exactly, no valid file was uploaded. The size of the valid file is
> > therefore zero.
> >
> > > That seems odd to me.
> > > But maybe that's
> > > the way it's SUPPOSED to work. That's why I started this thread out
> > > with "What am I missing?".
> > >
> > > Said another way:
> > >
> > > It seems that the server had to know the size of the file in order
> > > to know it exceeded MAX_FILE_SIZE. So how can my script find out the
> > > size?
> >
> > Can you use Javascript to check file size client side, send data via
> > AJAX then issue warnings
>
> This would be the exploitable 'feature' I mentioned... Client-side files
> should never be readable
>
> Dan

If the contents of a file were readable, I would definitely agree with you. I'm not convinced that the ability to detect the filesize of a file that the user selected would be exploitable, but it's a moot point as it doesn't work in javascript. (as someone else pointed out, maybe activeX?)

I'm not a javaScript expert, but I am learning, so I dug out the book, and put together the following script. (Ugly, insecure, and doesn't really do anything, but quick and it works, at least on my machine/browser combo)

Select a file, and the page will tell you everything it can about the file. My machine reports size as zero.

Ray

(Script guaranteed to occupy 0 or more bites of diskspace.)

<html>
<head><TITLE>test</TITLE>
<script type="text/javascript">
function uptest()
{
  alert (document.test.fileTest.defaultValue);
  alert (document.test.fileTest.form);
  alert (document.test.fileTest.name);
  alert (document.test.fileTest.readOnly);
  alert ('size follows');
  alert (document.test.fileTest.size);
  alert (document.test.fileTest.type);
  alert (document.test.fileTest.value);
}
</script>
</head>
<body>
<form name="test" method="post">
File: <input type="file" onchange="uptest()" name="fileTest"/>
</form>
</body>
</html>