#1 |
> And here is the dump of the $_FILES array (which, notably, reports
> zero as the size):

<snip>

> [error] => 2

And also gives you an error code.

http://www.php.net/manual/en/feature...oad.errors.php

--
Postgresql & php tutorials
http://www.designmagick.com/
#2 |
Chris wrote:
> [error] => 2
> And also gives you an error code.

Yes, I know and knew that. That's why the upload ultimately fails (which is okay).

My point is that when a file's size exceeds the MAX_FILE_SIZE value, I want the browser to (a) detect that it's too large BEFORE attempting to upload it and (b) report the file size back to the user. That's what's not happening.
#3 |
> -----Original Message-----
> From: Jeff Cohan [mailto:jeff@nsiteful.com]
> Sent: 23 September 2007 00:02
> To: php-general@lists.php.net
> Subject: Re: [php] MAX_FILE_SIZE not working with file uploads
>
> Chris wrote:
> > [error] => 2
> > And also gives you an error code.
>
> Yes, I know and knew that. That's why the upload ultimately fails
> (which is okay).
>
> My point is that when a file's size exceeds the MAX_FILE_SIZE value,
> I want the browser to (a) detect that it's too large BEFORE
> attempting to upload

I might be wrong but this would be classed as 'exploitable'... Webservers should not be allowed to read from or write to clients... Of course there is ActiveX...

Dan
#4 |
> -----Original Message-----
> From: Jeff Cohan [mailto:jeff@nsiteful.com]
> Sent: 23 September 2007 02:45
> To: php-general@lists.php.net
> Subject: Re: [php] MAX_FILE_SIZE not working with file uploads
>
> Dan Parry wrote:
> > I might be wrong but this would be classed as
> > 'exploitable'... Webservers should not be allowed
> > to read from or write to clients... Of course there
> > is ActiveX...
>
> I think we're off the point.
>
> My script is simply interrogating the value of the
> $_FILES[userfile][size] array element. It's coming up as ZERO if it
> exceeds the MAX_FILE_SIZE. That seems odd to me. But maybe that's
> the way it's SUPPOSED to work. That's why I started this thread out
> with "What am I missing?".
>
> Said another way:
>
> It seems that the server had to know the size of the file in order
> to know it exceeded MAX_FILE_SIZE. So how can my script find out the
> size?

I'm not sure it can... The server has to accept the file before it can process any details on it.

The MAX_FILE_SIZE input field is notoriously unreliable... I think if it returns zero (0) then the PHP limit is reached.

Dan
#5 |
On Saturday 22 September 2007 7:44:55 pm Jeff Cohan wrote:
> Dan Parry wrote:
> > I might be wrong but this would be classed as
> > 'exploitable'... Webservers should not be allowed
> > to read from or write to clients... Of course there
> > is ActiveX...
>
> I think we're off the point.
>
> My script is simply interrogating the value of the
> $_FILES[userfile][size] array element. It's coming up as ZERO if it
> exceeds the MAX_FILE_SIZE.

Exactly, no valid file was uploaded. The size of the valid file is therefore zero.

> That seems odd to me.
> But maybe that's
> the way it's SUPPOSED to work. That's why I started this thread out
> with "What am I missing?".
>
> Said another way:
>
> It seems that the server had to know the size of the file in order
> to know it exceeded MAX_FILE_SIZE. So how can my script find out the
> size?

Can you use Javascript to check file size client side, send data via AJAX then issue warnings? (Remember the php mantra: "PHP is a server side language")

As noted in the php.net documentation you quoted, and as mentioned previously, MAX_FILE_SIZE is a _hint_ to the browser. Some browsers just don't take hints.

Ray
#6 |
> -----Original Message-----
> From: Ray [mailto:ray@stilltech.net]
> Sent: 23 September 2007 02:25
> To: php-general@lists.php.net
> Subject: Re: [php] MAX_FILE_SIZE not working with file uploads
>
> On Saturday 22 September 2007 7:44:55 pm Jeff Cohan wrote:
> > Dan Parry wrote:
> > > I might be wrong but this would be classed as
> > > 'exploitable'... Webservers should not be allowed
> > > to read from or write to clients... Of course there
> > > is ActiveX...
> >
> > I think we're off the point.
> >
> > My script is simply interrogating the value of the
> > $_FILES[userfile][size] array element. It's coming up as ZERO if it
> > exceeds the MAX_FILE_SIZE.
>
> Exactly, no valid file was uploaded. The size of the valid file is
> therefore
> zero.
>
> > That seems odd to me.
> > But maybe that's
> > the way it's SUPPOSED to work. That's why I started this thread out
> > with "What am I missing?".
> >
> > Said another way:
> >
> > It seems that the server had to know the size of the file in order
> > to know it exceeded MAX_FILE_SIZE. So how can my script find out the
> > size?
>
> Can you use Javascript to check file size client side, send data via
> AJAX then
> issue warnings

This would be the exploitable 'feature' I mentioned... Client-side files should never be readable.

Dan
#7 |
Dan Parry wrote:
> I might be wrong but this would be classed as
> 'exploitable'... Webservers should not be allowed
> to read from or write to clients... Of course there
> is ActiveX...

I think we're off the point.

My script is simply interrogating the value of the $_FILES[userfile][size] array element. It's coming up as ZERO if it exceeds the MAX_FILE_SIZE. That seems odd to me. But maybe that's the way it's SUPPOSED to work. That's why I started this thread out with "What am I missing?".

Said another way:

It seems that the server had to know the size of the file in order to know it exceeded MAX_FILE_SIZE. So how can my script find out the size?
#8 |
On Saturday 22 September 2007 7:39:01 pm Dan Parry wrote:
> > -----Original Message-----
> > From: Ray [mailto:ray@stilltech.net]
> > Sent: 23 September 2007 02:25
> > To: php-general@lists.php.net
> > Subject: Re: [php] MAX_FILE_SIZE not working with file uploads
> >
> > On Saturday 22 September 2007 7:44:55 pm Jeff Cohan wrote:
> > > Dan Parry wrote:
> > > > I might be wrong but this would be classed as
> > > > 'exploitable'... Webservers should not be allowed
> > > > to read from or write to clients... Of course there
> > > > is ActiveX...
> > >
> > > I think we're off the point.
> > >
> > > My script is simply interrogating the value of the
> > > $_FILES[userfile][size] array element. It's coming up as ZERO if it
> > > exceeds the MAX_FILE_SIZE.
> >
> > Exactly, no valid file was uploaded. The size of the valid file is
> > therefore
> > zero.
> >
> > > That seems odd to me.
> > > But maybe that's
> > > the way it's SUPPOSED to work. That's why I started this thread out
> > > with "What am I missing?".
> > >
> > > Said another way:
> > >
> > > It seems that the server had to know the size of the file in order
> > > to know it exceeded MAX_FILE_SIZE. So how can my script find out the
> > > size?
> >
> > Can you use Javascript to check file size client side, send data via
> > AJAX then
> > issue warnings
>
> This would be the exploitable 'feature' I mentioned... Client-side files
> should never be readable
>
> Dan

If the contents of a file were readable, I would definitely agree with you. I'm not convinced that the ability to detect the filesize of a file that the user selected would be exploitable, but it's a moot point as it doesn't work in javascript. (as someone else pointed out, maybe activeX?)

I'm not a javaScript expert, but I am learning, so I dug out the book, and put together the following script. (Ugly, insecure, and doesn't really do anything, but quick and it works, at least on my machine/browser combo) Select a file, and the page will tell you everything it can about the file. My machine reports size as zero.

Ray

(Script guaranteed to occupy 0 or more bites of diskspace.)

<html>
<head><title>test</title>
<script type="text/javascript">
// Fires on the file input's onchange event and alerts, one by one,
// the properties of the <input name="fileTest"> element itself.
function uptest() {
    alert(document.test.fileTest.defaultValue);
    alert(document.test.fileTest.form);
    alert(document.test.fileTest.name);
    alert(document.test.fileTest.readOnly);
    alert('size follows');
    alert(document.test.fileTest.size);   // the input element's "size" property
    alert(document.test.fileTest.type);
    alert(document.test.fileTest.value);
}
</script>
</head>
<body>
<form name="test" method="post">
File: <input type="file" onchange="uptest()" name="fileTest"/>
</form>
</body>
</html>
#9 |
Jeff Cohan wrote:
>
> Dan Parry wrote:
>> I might be wrong but this would be classed as
>> 'exploitable'... Webservers should not be allowed
>> to read from or write to clients... Of course there
>> is ActiveX...
>
> I think we're off the point.
>
> My script is simply interrogating the value of the
> $_FILES[userfile][size] array element. It's coming up as ZERO if it
> exceeds the MAX_FILE_SIZE. That seems odd to me. But maybe that's
> the way it's SUPPOSED to work. That's why I started this thread out
> with "What am I missing?".
>
> Said another way:
>
> It seems that the server had to know the size of the file in order
> to know it exceeded MAX_FILE_SIZE. So how can my script find out the
> size?
>

OK, not sure why nobody has pointed this out, but...

A signed Javascript session is allowed to access the local file system through the browser. But an un-signed JS process/session is not.

Now, the reason that PHP can't do anything about the file upload while in process, is that PHP doesn't know anything about the file upload until Apache/IIS/... hands off the uploaded file to PHP. Apache is actually the part receiving the uploaded file. Once it is completely uploaded, the web server passes the temporary file name to php and then php gets what information about it it can.

Try trapping the error. You will probably want to try with a setting in the php.ini or a .htaccess file that will change your error_handler function to some custom function that you can then use to allow the script to continue running, but capture and pass off information to the rest of your scripts. Then see if in the $_FILES array you find a temp file name. Before your script ends, you might be able to look at the stats of that temp file and glean some of the information that you are wanting to know from it.

Remember, when uploading a file, your scripts are only parsed before the upload actually starts. Only once your upload completes successfully will it then execute your php scripts.

From what research and testing that I have done, this is the way PHP handles uploads. This was on a Redhat/Apache/PHP4 setup, back about 6 years ago. Hope it is still accurate.

Jim
#10 |
Ray wrote:
> On Saturday 22 September 2007 7:39:01 pm Dan Parry wrote:
>
>> This would be the exploitable 'feature' I mentioned... Client-side files
>> should never be readable
>>
>> Dan
>
> If the contents of a file were readable, I would definitely agree with you.
> I'm not convinced that the ability to detect the filesize of a file that the
> user selected would be exploitable, but it's a moot point as it doesn't work
> in javascript. (as someone else pointed out, maybe activeX?)

If Javascript can read the *directory* (and, thus, the size of the file) I'd be a bit nervous about that.

> I'm not a javaScript expert, but I am learning, so I dug out the book, and put
> together the following script. (Ugly, insecure, and doesn't really do
> anything, but quick and It works, at least on my machine/browser combo)
> Select a file, and the page will tell you everything It can about the file. My
> machine reports size as zero.

Wouldn't that suggest that it's not working, then? ;-)

Anyway, your script is interrogating the file *input element*, not the file itself. Where you're trying to get the file size (document.test.fileTest.size) you're actually grabbing the value of the input's "size" attribute, which has a default of 0. You'll see this if you edit the input to have, e.g., size="100".

brian
#11 |
Jeff Cohan wrote:
>
> Dan Parry wrote:
>
>> I might be wrong but this would be classed as
>> 'exploitable'... Webservers should not be allowed
>> to read from or write to clients... Of course there
>> is ActiveX...
>
>
> I think we're off the point.
>
> My script is simply interrogating the value of the
> $_FILES[userfile][size] array element. It's coming up as ZERO if it
> exceeds the MAX_FILE_SIZE. That seems odd to me. But maybe that's
> the way it's SUPPOSED to work. That's why I started this thread out
> with "What am I missing?".
>
> Said another way:
>
> It seems that the server had to know the size of the file in order
> to know it exceeded MAX_FILE_SIZE. So how can my script find out the
> size?
>

Not at all. The user-agent is built to ignore files that exceed the MAX_FILE_SIZE value. The hooks into the OS that it utilises to send the file to the server also allow it to poll the file size (if it couldn't, things would get messy on the server, quick). But Javascript is a whole 'nother thing, and it is not (normally--see Jim Lucas' post) able to get this information (thankfully).

So, your PHP script is not receiving a file at all.

brian
#12 |
brian wrote:
> Jeff Cohan wrote:
>>
>> It seems that the server had to know the size of the file in order
>> to know it exceeded MAX_FILE_SIZE. So how can my script find out the
>> size?
>>
>
> Not at all. The user-agent is built to ignore files that exceed the
> MAX_FILE_SIZE value.

Ack! I meant, "The user-agent *should be* built to ignore ..." i.e. MAX_FILE_SIZE is generally a client-side tool (and thus not to be relied upon too much) but will be honoured by PHP as well (if it does not exceed post_max_size in php.ini).

brian
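The thread's conclusion is that MAX_FILE_SIZE is a browser hint, that PHP reports error code 2 (UPLOAD_ERR_FORM_SIZE) with a size of 0 when the hint is exceeded, and that a request larger than post_max_size never reaches $_FILES at all. The following upload handler is an added example written for this page; it is not code from any poster. It assumes PHP 8, the field name 'userfile' from the thread, a constructed 1,000,000-byte limit and an 'uploads' directory next to the script, and it enforces its own limit on the server rather than trusting the form.

```php
<?php
// Added example (not from the thread): handle one file upload, report every
// UPLOAD_ERR_* code PHP can set, and enforce a server-side size limit.
// Field name 'userfile' is from the thread; the limit and directory are assumed.

const UPLOAD_LIMIT_BYTES = 1_000_000;             // the limit we actually enforce
const UPLOAD_DEST_DIR    = __DIR__ . '/uploads';  // assumed destination directory

// Human-readable text for each UPLOAD_ERR_* constant defined by PHP.
const UPLOAD_ERR_TEXT = [
    UPLOAD_ERR_OK         => 'upload succeeded',
    UPLOAD_ERR_INI_SIZE   => 'file exceeds upload_max_filesize in php.ini',
    UPLOAD_ERR_FORM_SIZE  => 'file exceeds MAX_FILE_SIZE from the HTML form',
    UPLOAD_ERR_PARTIAL    => 'file was only partially uploaded',
    UPLOAD_ERR_NO_FILE    => 'no file was uploaded',
    UPLOAD_ERR_NO_TMP_DIR => 'missing a temporary folder',
    UPLOAD_ERR_CANT_WRITE => 'failed to write file to disk',
    UPLOAD_ERR_EXTENSION  => 'a PHP extension stopped the upload',
];

// Convert a php.ini shorthand value such as "8M" or "512K" to bytes.
function ini_bytes(string $value): int
{
    $value = trim($value);
    $num   = (int) $value;
    return match (strtolower(substr($value, -1))) {
        'g'     => $num * 1024 ** 3,
        'm'     => $num * 1024 ** 2,
        'k'     => $num * 1024,
        default => $num,
    };
}

// When the whole POST body exceeds post_max_size, PHP leaves $_POST and
// $_FILES empty, so no error code is ever set. The request's Content-Length
// header is the only trace left to inspect.
function post_body_too_large(): bool
{
    $length = (int) ($_SERVER['CONTENT_LENGTH'] ?? 0);
    return $length > ini_bytes((string) ini_get('post_max_size'));
}

function handle_upload(string $field): string
{
    if (post_body_too_large()) {
        return 'rejected: request body larger than post_max_size ('
            . ini_get('post_max_size') . ')';
    }
    if (!isset($_FILES[$field]) || !is_array($_FILES[$field])) {
        return "rejected: no upload field named $field";
    }
    $file = $_FILES[$field];
    $code = (int) $file['error'];

    // Code 2 is the case from the thread: the file was dropped because of
    // MAX_FILE_SIZE, 'size' is 0, and the real size is not known server-side.
    if ($code !== UPLOAD_ERR_OK) {
        return 'rejected: ' . (UPLOAD_ERR_TEXT[$code] ?? "unknown error code $code");
    }

    // The form hint is advisory only; enforce our own limit on the bytes received.
    if ($file['size'] > UPLOAD_LIMIT_BYTES) {
        return sprintf('rejected: %d bytes exceeds limit of %d bytes',
            $file['size'], UPLOAD_LIMIT_BYTES);
    }

    // is_uploaded_file() guards against a tmp_name that was not set by PHP.
    if (!is_uploaded_file($file['tmp_name'])) {
        return 'rejected: tmp_name is not a file uploaded via HTTP POST';
    }

    // Ignore the client-supplied file name entirely and pick a random one.
    if (!is_dir(UPLOAD_DEST_DIR) && !mkdir(UPLOAD_DEST_DIR, 0700, true)) {
        return 'rejected: cannot create destination directory';
    }
    $dest = UPLOAD_DEST_DIR . '/' . bin2hex(random_bytes(16)) . '.bin';
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return 'rejected: could not move uploaded file';
    }
    return sprintf('stored %d bytes as %s', $file['size'], basename($dest));
}

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    header('Content-Type: text/plain');
    echo handle_upload('userfile'), "\n";
} else {
    // Minimal form: the MAX_FILE_SIZE hint must precede the file input.
    echo '<form method="post" enctype="multipart/form-data">'
       . '<input type="hidden" name="MAX_FILE_SIZE" value="' . UPLOAD_LIMIT_BYTES . '">'
       . '<input type="file" name="userfile"> <button type="submit">Upload</button>'
       . '</form>';
}
```

Run it with the built-in server (php -S localhost:8080 upload.php) and submit a file larger than the limit from a browser that honours the hint: the response reports the error-code-2 text and no size, which is exactly what Jeff observed. The three checks are ordered by where the data is lost: post_max_size (nothing in $_FILES), the error code (file dropped before PHP saw it), then the server's own byte limit on what actually arrived.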
#13 |
Thank you, all who replied. This helps me understand. I might give a try to the workarounds some suggested. Great newsgroup.

Jeff