Re: New to PHP and the list

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Sat, Sep 11, 2010 at 06:37:41PM -0500, MikeB wrote:

> Hello, I'm new to PHP and also new to using newsgroups/mailing lists
> directly. So if I make a mistake, please forgive me this once and I'll
> try to do better in the future.
> 
> Please help me understand, my head is absolutely spinning and I can't
> get my mind around this.
> 
> In the php.net site there is an example on uploading a file via a
> form. http://www.php.net/manual/en/features.file-upload.post-method.php
> 
> This is the sample code for the form:
> 
> <form enctype="multipart/form-data" action="__URL__" method="POST">
>     <!-- MAX_FILE_SIZE must precede the file input field -->
>     <input type="hidden" name="MAX_FILE_SIZE" value="30000" />
>     <!-- Name of input element determines name in $_FILES array -->
>     Send this file: <input name="userfile" type="file" />
>     <input type="submit" value="Send File" />
> </form>
> 
> Is MAX_FILE_SIZE passed to PHP as $MAX_FILE_SIZE?

No. It's passed as: $_POST['MAX_FILE_SIZE'], as are all variables in a
form which uses "post" as its method attribute.

> 
> Assuming I want to make it a variable in my PHP code, can I do this:
> 
> <?php
> 
> $MAX_FILE_SIZE = 30000;
> 
> echo <<<_END
> <form enctype="multipart/form-data" action="__URL__" method="POST">
>     <!-- MAX_FILE_SIZE must precede the file input field -->
>     <input type="hidden" name="MAX_FILE_SIZE"  />
>     <!-- Name of input element determines name in $_FILES array -->
>     Send this file: <input name="userfile" type="file" />
>     <input type="submit" value="Send File" />
> </form>
> <<<_END
> <?
> 
> In other words, simply omitting the "value" clause in the form field?

No. Better is this:

<?php

$max_file_size = 30000;

echo <<<_END
<form enctype="multipart/form-data" action="__URL__" method="POST">
    <!-- MAX_FILE_SIZE must precede the file input field -->
    <input type="hidden" name="<?php echo $max_file_size; ?>"  />
    <!-- Name of input element determines name in $_FILES array -->
    Send this file: <input name="userfile" type="file" />
    <input type="submit" value="Send File" />
</form>
<<<_END

Remember that the data HTML/values you're sending are being sent back
when the form returns to the server for processing. So the
information must be contained in POST/GET variables, just the way I did
it above. (There are other ways to do the syntax, but the meaning is the
same.)


> 
> And can I make that value a global constant somehow so that I can
> later also test the actual size of the uploaded file in another
> function?
> 
> Or do I have to do this:
> 
> <?php
> 
> $MAX_UPLOAD_SIZE = 30000;
> 
> echo <<<_END
> <form enctype="multipart/form-data" action="__URL__" method="POST">
>     <!-- MAX_FILE_SIZE must precede the file input field -->
>     <input type="hidden" name="MAX_FILE_SIZE"
> value="$MAX_UPLOAD_SIZE"/>
>     <!-- Name of input element determines name in $_FILES array -->
>     Send this file: <input name="userfile" type="file" />
>     <input type="submit" value="Send File" />
> </form>
> <<<_END
> <?

You can make it a global constant if you want, but remember that,
because of the HTTP protocol, the server doesn't know anything about
what you've declared "global" until it processes the form on its return.
And then the only thing it knows is what you've put in the values of
your HTML fields. The exception is $_SESSION variables, which can store
values *across* calls to a page.

> 
> I'm also concerned that in the first instance, a malicious user can
> modify the value and I will be hosed. Am I correct?

Yes, a malicious user can do this. They can stand off somewhere and
submit a copy of your form with different values. Then they can upload a
file of larger size. However, if you keep that 30000 value somewhere,
you can refuse to "process" files which exceed that size. When I say
"process", I mean store the file in a more permanent place and actually
*do* something with it. Uploading files puts them in a temporary
location controlled by the server and inaccessible to you using "normal"
methods. You probably know you have to go through a couple of extra
steps to get to that file someone uploaded. You can't just say, "Give me
the file at /tmp/phpuploads/uploadedfile.txt."

Paul

-- 
Paul M. Foster

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux