Re: My head is spinning [message #169427 is a reply to message #169424]
Sun, 12 September 2010 02:11
Jerry Stuckle
Messages: 2598 Registered: September 2010
On 9/11/2010 6:44 PM, MikeB wrote:
> Please help me understand, my head is absolutely spinning and I can't
> get my mind around this.
>
> In the php.net site there is an example on uploading a file via a
> form. http://www.php.net/manual/en/features.file-upload.post-method.php
>
> This is the sample code for the form:
>
> <form enctype="multipart/form-data" action="__URL__" method="POST">
> <!-- MAX_FILE_SIZE must precede the file input field -->
> <input type="hidden" name="MAX_FILE_SIZE" value="30000" />
> <!-- Name of input element determines name in $_FILES array -->
> Send this file:<input name="userfile" type="file" />
> <input type="submit" value="Send File" />
> </form>
>
> Is MAX_FILE_SIZE passed to PHP as $MAX_FILE_SIZE?
>
> Assuming I want to make it a variable in my PHP code, can I do this:
>
> <?php
>
> $MAX_FILE_SIZE = 30000;
>
> echo<<<_END
> <form enctype="multipart/form-data" action="__URL__" method="POST">
> <!-- MAX_FILE_SIZE must precede the file input field -->
> <input type="hidden" name="MAX_FILE_SIZE" />
> <!-- Name of input element determines name in $_FILES array -->
> Send this file:<input name="userfile" type="file" />
> <input type="submit" value="Send File" />
> </form>
> _END;
> ?>
>
> In other words, simply omitting the "value" clause in the form field?
>
> And can I make that value a global constant somehow so that I can
> later also test the actual size of the uploaded file in another
> function?
>
> Or do I have to do this:
>
> <?php
>
> $MAX_UPLOAD_SIZE = 30000;
>
> echo<<<_END
> <form enctype="multipart/form-data" action="__URL__" method="POST">
> <!-- MAX_FILE_SIZE must precede the file input field -->
> <input type="hidden" name="MAX_FILE_SIZE"
> value="$MAX_UPLOAD_SIZE"/>
> <!-- Name of input element determines name in $_FILES array -->
> Send this file:<input name="userfile" type="file" />
> <input type="submit" value="Send File" />
> </form>
> _END;
> ?>
>
> I'm also concerned that in the first instance, a malicious user can
> modify the value and I will be hosed. Am I correct?
>
> Thanks.

You can define it in your code anywhere you want. It is sent to the
browser, and most browsers will honor it. However, like anything coming
from the client, you shouldn't trust it. As you mentioned, a user could
change it, and there is no real requirement that a browser honor it
(although the ones I am familiar with do).

Yes, it will be sent back to your script in the $_POST array, but if
it's changed, you'll get the changed value. Better is to remember what
you set server side - it's not that hard. Just save the value in your
own configuration file somewhere (you should have one anyway, with
things like the database information if you're using a database, etc.).

If you have different types of files which could be uploaded, just
have several constants, i.e.

    define('MAX_AVATAR_SIZE', '20000');
    define('MAX_OTHER_FILE_SIZE', '50000');

You should know when you're handling the upload which type of file it is.

It's also easier if the same script which creates the form is the one
which processes it. That way you can set the appropriate value in the
script, and if there's a problem with the upload, redisplay the form.
If everything goes OK, just process the input then redirect to a new
page with header('Location: .....');

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
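
The server-side size check described in the reply above, as an added example that is not part of the original post. The helper name `upload_size_error()` is hypothetical, the limits are written as integers, and the `$_POST`/`$_FILES` values are constructed sample data standing in for a submission whose MAX_FILE_SIZE field was edited.

```php
<?php
// Added example, not from the original thread. Limits live server-side,
// as the reply suggests; constant names follow the reply, as integers here.
define('MAX_AVATAR_SIZE', 20000);
define('MAX_OTHER_FILE_SIZE', 50000);

/**
 * Hypothetical helper: returns null when the upload passes the size policy,
 * otherwise a reason string. $file is one entry of $_FILES.
 * The MAX_FILE_SIZE form field in $_POST is never consulted.
 */
function upload_size_error(array $file, int $limit): ?string
{
    switch ($file['error'] ?? UPLOAD_ERR_NO_FILE) {
        case UPLOAD_ERR_OK:
            break;
        case UPLOAD_ERR_INI_SIZE:   // exceeded upload_max_filesize in php.ini
        case UPLOAD_ERR_FORM_SIZE:  // exceeded the form's MAX_FILE_SIZE hint
            return 'too large';
        case UPLOAD_ERR_NO_FILE:
            return 'no file sent';
        default:
            return 'upload failed (code ' . $file['error'] . ')';
    }
    // 'size' is measured by PHP from the bytes it received; the client
    // does not supply it, so it is the value to compare against the limit.
    if ($file['size'] > $limit) {
        return "too large ({$file['size']} > $limit bytes)";
    }
    return null;
}

// Constructed sample: the hidden field was changed to 99999999 before the
// submit, so PHP raised no UPLOAD_ERR_FORM_SIZE for a 45000-byte file.
$_POST  = ['MAX_FILE_SIZE' => '99999999'];
$_FILES = ['userfile' => ['name' => 'a.png', 'type' => 'image/png',
    'tmp_name' => '/tmp/phpXXXXXX', 'error' => UPLOAD_ERR_OK, 'size' => 45000]];

// Same upload checked against each server-side limit.
var_dump(upload_size_error($_FILES['userfile'], MAX_AVATAR_SIZE));
var_dump(upload_size_error($_FILES['userfile'], MAX_OTHER_FILE_SIZE));
```

In a real handler the file would then be passed to `move_uploaded_file()`, which also confirms that `tmp_name` refers to a genuine HTTP upload.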