11

Possible Duplicate:
How to detect if a user uploaded a file larger than post_max_size?

I'm writing a script that handles file uploads from a web application. I've got a set limit on the size of files that may be uploaded to my application (storage space limitations). I'm currently trying to put some validation code in that will check to make sure the user actually uploaded a file, so that I can display a nice error message to them. But I'd also like to be able to display an error message to the user if they've uploaded a file that's too big. I can use Javascript for this, but I'd like a PHP check as well in case they don't have Javascript enabled.

I've set my POST_MAX_SIZE var in PHP.ini to be the maximum file upload size, but this has produced an unexpected issue. If someone tries to upload a file larger than the POST_MAX_SIZE, the binary data just gets truncated at the max size, and the $_FILES array doesn't contain an entry for that file. This is the same behavior that would occur if the user didn't submit a file at all.

This makes it difficult to tell why the $_FILES array doesn't contain a file, i.e. whether it wasn't ever uploaded, or whether it was too big to send completely.

Is there a way to distinguish between these two cases? In other words, is there a way to tell whether POST data was sent for a file, but was truncated prematurely before the entire file was sent?

Community
  • 1
  • 1
dsw88
  • 4,400
  • 8
  • 37
  • 50
  • 4
    [did you try something silly like the manual?](http://www.php.net/manual/en/features.file-upload.errors.php) – Wrikken Jul 13 '12 at 18:24
  • 1
    You should see something in `$_FILES['field_name']['error']. See [the documentation](http://www.php.net/manual/en/features.file-upload.errors.php). – Michael Mior Jul 13 '12 at 18:24
  • 1
    When a file is uploaded that's bigger than the MAX_POST_DATA limit in php.ini, there's nothing at all in the $_FILES array, including PHP error messages – dsw88 Jul 13 '12 at 19:15
  • 1
    @MichaelMior @Wrikken this is a sneakier issue than it appears at first glance. The correct answer is that POST_MAX_SIZE isn't the right field for OP to be changing, and when POST data exceeds this value, the `$_FILES` and `$_POST` arrays are indeed not populated at all, something not mentioned on the page you link to (except in the comments). – dimo414 Jul 14 '12 at 17:43

2 Answers2

8

Odd as it may seem, this is intentional behavior, as POST_MAX_SIZE is a low level ultimate failsafe, and to protect you and prevent DOS attacks, there's no way the server can do anything but discard all POST data when it realizes, mid-stream, that it's receiving more data than it can safely handle. You can raise this value if you know you need to receive more data than this at once (but be sure your server can handle the increased load this will put on it) but I'd suggest looking into other ways of handling your use case, hitting up against POST_MAX_SIZE suggests to me that there might be more robust solutions than one massive HTTP POST, such as splitting it up into multiple AJAX calls, for instance.

Separate from POST_MAX_SIZE there is UPLOAD_MAX_SIZE which is the php.ini setting for a single file limit, which is what I assumed you were talking about initially. It limits the size of any one uploaded file, and if a file exceeds this value, it will set $_FILES['file']['error'] to 1. Generally speaking, you want to have your site set up like this:

  • The <form> MAX_FILE_SIZE should be set to the maximum you actually want to accept for this form. While any user attempting to exploit your site can get around this, it's nice for users actually using your site, as the browser will (actually, could) prevent them from wasting the bandwidth attempting to upload it. This should always be smaller than your server-side settings.
  • UPLOAD_MAX_FILESIZE is the maximum size the server will accept, discarding anything larger and reporting the error to the $_FILES array. This should be larger than the largest file you want to actually accept throughout your site.
  • POST_MAX_SIZE is the maximum amount of data your server is willing to accept in a single POST request. This must be bigger than UPLOAD_MAX_SIZE in order for large uploads to succeed, and must be much bigger to allow more than one file upload at a time. I might suggest a value of UPLOAD_MAX_FILESIZE * 4.1 - this will allow four large files at a time, along with a little extra data. YMMV of course, and you should ensure your server can properly handle whatever values you decide to set.

To your specific question of How to tell, PHP documentation on POST_MAX_SIZE I linked to suggested setting a get variable in the form, i.e.

<form action="edit.php?processed=1">

However like I said above, if you're running into this issue, you may want to explore alternative upload methods.

dimo414
  • 47,227
  • 18
  • 148
  • 244
  • This isn't helpful when the `$_FILES` array is missing the field. – Matthew Jul 13 '12 at 19:00
  • Yes, when a file upload exceeds the size of the post data limit in php.ini, there's nothing at all in the $_FILES array, so no error messages are accessible. – dsw88 Jul 13 '12 at 19:12
6

Something like this:

if ($_SERVER['CONTENT_LENGTH'] && !$_FILES && !$_POST) {
  // upload failed
}

Untested, so play around with the various scenarios to see what combination works. Not sure if it works with multiple file uploads at the same time.

You may need to inspect $_SERVER['CONTENT_LENGTH'] and compare it to the sum of files received if dealing with multiple uploads.

Matthew
  • 47,584
  • 11
  • 86
  • 98
  • Hmm, didn't think about doing something like this. It looks good to me. I'll test it out and see if it works. – dsw88 Jul 13 '12 at 19:15