
My PHP is configured with a limit of 2MB for file uploads.

If I try to upload (through a PHP script) a file which is more than 2MB, the browser doesn't stop when it gets to 2MB; it uploads the entire thing, and then my PHP script says it's too large.

My question is, why does the browser not stop at 2MB and reject the file? Since the file won't be stored if it's over the limit, where does this data being uploaded actually go?

My VPS is configured with 512MB RAM and 7GB storage. Does this mean someone can upload a file bigger than 512MB or 7GB and it will kill the server because it runs out of memory/space?

cantsay
  • Because PHP doesn't even see the file to check its size until it has been uploaded: it won't affect memory (the file isn't in memory) and it will be deleted from the temp folder on disk as soon as PHP determines that it is too big – Mark Baker Sep 25 '14 at 18:55
  • so if someone uploads a file larger than 7GB, what will happen? – cantsay Sep 25 '14 at 19:22
  • Assuming that the webserver allows file uploads that size, then the browser will upload it to the server, and save it to the temporary folder.... then the webserver will pass control to PHP, which will reject the file, and the file will then be deleted – Mark Baker Sep 25 '14 at 19:25

1 Answer


PHP only gets the request after it's completed. If you want to abort earlier, there are methods in your webserver, like Apache's LimitRequestBody or nginx's client_max_body_size. Those fail quite ugly though; to make it more user-friendly, another option is to use chunked uploads. There are several options mentioned in this question.

Wrikken
  • but what if someone uploaded an 8GB file, wouldn't it kill the server by using up all of the disk space? – cantsay Sep 29 '14 at 23:16
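
The idea behind a front-end limit such as LimitRequestBody or client_max_body_size, modelled as an added Python example (not code from the answer, and not Apache or nginx source): an oversized Content-Length is refused from the headers alone, and a body of undeclared length is counted while it streams so the temp data never grows past the cap. The names receive_upload, MAX_BODY and spool are hypothetical, and the inputs in demo() are constructed.

```python
import io

MAX_BODY = 2 * 1024 * 1024   # assumed cap: the 2MB PHP limit from the question
CHUNK = 64 * 1024

def receive_upload(headers, body, spool, max_body=MAX_BODY):
    """Model of a front-end body limit. Returns (status, bytes_read)."""
    declared = headers.get("Content-Length")
    remaining = None                      # None = length unknown (chunked)
    if declared is not None:
        if not (declared.isascii() and declared.isdigit()):
            return 400, 0
        remaining = int(declared)
        if remaining > max_body:
            return 413, 0                 # rejected from the headers alone
    total = 0
    while remaining is None or remaining > 0:
        want = CHUNK if remaining is None else min(CHUNK, remaining)
        chunk = body.read(want)
        if not chunk:
            break
        total += len(chunk)
        if total > max_body:              # undeclared body grew past the cap
            spool.seek(0)
            spool.truncate()              # discard the partial temp data
            return 413, total
        spool.write(chunk)
        if remaining is not None:
            remaining -= len(chunk)
    if remaining:                         # fewer bytes arrived than declared
        return 400, total
    return 200, total

def demo(cap=1024 * 1024):
    """Constructed inputs: declared too big, undeclared too big, and OK."""
    big = b"A" * (3 * cap)
    out = []
    for headers, data in [({"Content-Length": str(len(big))}, big),
                          ({"Transfer-Encoding": "chunked"}, big),
                          ({"Content-Length": "1000"}, b"B" * 1000)]:
        spool = io.BytesIO()
        status, read = receive_upload(headers, io.BytesIO(data), spool, cap)
        out.append((status, read, len(spool.getvalue())))
    return out

if __name__ == "__main__":
    for row in demo():
        print(row)
```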