Page 297 - Beginning PHP 5.3
Chapter 9: Handling HTML Forms with PHP
PHP allows you to limit the size of uploaded files in a few ways. First, if you have access to your php.ini file, you can add or edit a directive called upload_max_filesize in the file:
; Maximum allowed size for uploaded files.
upload_max_filesize = 32M
Then, if a user tries to upload a file larger than this value (32 megabytes in this example), the file upload is cancelled and the corresponding error array element is set to UPLOAD_ERR_INI_SIZE.
You can find out more on editing your php.ini file in Appendix B.
If you don't have access to your server's php.ini file, you can add a hidden form field called MAX_FILE_SIZE that specifies the maximum allowed size (in bytes) of an uploaded file. This should be placed before the file upload field:
<input type="hidden" name="MAX_FILE_SIZE" value="10000" />
<input type="file" name="fileSelectField" id="fileSelectField" value="" />
If the uploaded file is larger than this figure, the upload is cancelled and the corresponding error array
element is set to UPLOAD_ERR_FORM_SIZE. In theory, a browser can also look at the MAX_FILE_SIZE
field in the form and prevent the user from uploading a file bigger than that value in the first place. In
practice, though, hardly any browsers support this technique.
It's also relatively easy for an attacker to modify your Web form and alter the value of the MAX_FILE_SIZE hidden field (or even remove the field altogether). For this reason, it's best to use upload_max_filesize to limit your file uploads, if possible.
Of course, you can also check the size of an uploaded file manually and reject it if it's too large:
if ( $_FILES["photo"]["size"] > 10000 ) die( "File too big!" );
Storing and Using an Uploaded File
Once a file has been successfully uploaded, it is automatically stored in a temporary folder on the server.
To use the file, or store it on a more permanent basis, you need to move it out of the temporary folder.
You do this using PHP's move_uploaded_file() function, which takes two arguments: the path of the file to move, and the path to move it to. You can determine the existing path of the file using the tmp_name array element of the nested array inside the $_FILES array. move_uploaded_file() returns true if the file was moved successfully, or false if there was an error (such as the path to the file being incorrect). Here's an example:
if ( move_uploaded_file( $_FILES["photo"]["tmp_name"], "/home/matt/photos/photo.jpg" ) ) {
    echo "Your file was successfully uploaded.";
} else {
    echo "There was a problem uploading your file - please try again.";
}
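The following is an added example, not code from the book, that puts the two halves of this section together: it checks the error code PHP sets for over-limit uploads (UPLOAD_ERR_INI_SIZE and UPLOAD_ERR_FORM_SIZE), repeats the size check on the server because the MAX_FILE_SIZE hidden field is under the user's control, and then moves the file out of the temporary folder with move_uploaded_file(). The field name "photo", the 10000-byte limit and the /home/matt/photos directory are taken from the book's snippets; the helper names, the fixed .jpg extension, and the use of is_uploaded_file() and random_bytes() (PHP 7 or later) are this example's own choices.

```php
<?php
// Added example (not from the book): a complete server-side upload handler for a
// form field named "photo". Assumes PHP 7 or later and a storage directory that
// the web server can write to but that is not served directly to browsers.

const MAX_UPLOAD_BYTES = 10000;          // same limit as the book's size check
$uploadDir = '/home/matt/photos';        // destination directory from the book's example

/**
 * Turn the $_FILES error code into a message for the user.
 */
function uploadErrorMessage($code)
{
    switch ($code) {
        case UPLOAD_ERR_OK:        return '';
        case UPLOAD_ERR_INI_SIZE:  return 'The file exceeds upload_max_filesize in php.ini.';
        case UPLOAD_ERR_FORM_SIZE: return 'The file exceeds the MAX_FILE_SIZE field in the form.';
        case UPLOAD_ERR_PARTIAL:   return 'The file was only partially uploaded.';
        case UPLOAD_ERR_NO_FILE:   return 'No file was uploaded.';
        default:                   return 'The upload failed (error code ' . (int) $code . ').';
    }
}

/**
 * Validate one entry of $_FILES and move it into $uploadDir under a name the
 * server generates. Returns array(true, newPath) or array(false, errorMessage).
 */
function storeUploadedPhoto(array $file, $uploadDir, $maxBytes)
{
    // 1. Check the error code PHP set; this is where UPLOAD_ERR_INI_SIZE and
    //    UPLOAD_ERR_FORM_SIZE from the text show up.
    $code = isset($file['error']) ? $file['error'] : UPLOAD_ERR_NO_FILE;
    if ($code !== UPLOAD_ERR_OK) {
        return array(false, uploadErrorMessage($code));
    }

    // 2. Repeat the size check on the server. MAX_FILE_SIZE is a hidden field the
    //    client can edit or remove, so only upload_max_filesize and this check count.
    if (!isset($file['size']) || $file['size'] > $maxBytes) {
        return array(false, 'File too big!');
    }

    // 3. Accept only a temporary path that PHP itself created for this request,
    //    not an arbitrary path smuggled into the array.
    if (!isset($file['tmp_name']) || !is_uploaded_file($file['tmp_name'])) {
        return array(false, 'Invalid upload.');
    }

    // 4. Never build the destination from the client-supplied name ($file['name']).
    //    A random server-side name with a fixed extension avoids path tricks entirely.
    $destination = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.jpg';

    // 5. move_uploaded_file() returns false if the source or destination path is bad,
    //    so the error branch of the book's example is preserved here.
    if (!move_uploaded_file($file['tmp_name'], $destination)) {
        return array(false, 'There was a problem uploading your file - please try again.');
    }

    return array(true, $destination);
}

if (isset($_FILES['photo'])) {
    list($ok, $result) = storeUploadedPhoto($_FILES['photo'], $uploadDir, MAX_UPLOAD_BYTES);
    echo $ok ? 'Your file was successfully uploaded.' : htmlspecialchars($result);
}
```

The order of the checks matters: the error code is inspected first because when PHP cancels an upload the size and tmp_name elements cannot be trusted to describe a real file, and the manual size comparison runs even when a MAX_FILE_SIZE field is present, since that field only helps against honest browsers.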
259
c09.indd 259 9/21/09 7:23:48 PM