Limit Uploaded Image Size

[roadcone20]

Hello -

I'm running into a problem where images that are being uploaded through my form are causing the page to timeout and not finish executing. I am assuming it is being caused by the image file size being too large. To resolve this, I'd like to limit the size of the image that can be uploaded. I know this cannot be done with Javascript. Is there a way to do this in PHP?

I'm also open to other suggestions if anyone has any.

Thanks a lot in advance to anyone who can help.

 

[vacunita]

You can use the configuration option: upload_max_filesize
in the php.ini file to set the maximum upload file size.

If you don't have access to the php.ini file you can set it at the beginning of your php file using the ini_set function

<?PHP
ini_set('upload_max_filesize','3000000');

You can also use a hidden field to limit the file size.

The php.net online manual has an example of that:

http://php.net/features.file-upload

----------------------------------
Ignorance is not necessarily Bliss, case in point:
Unknown has caused an Unknown Error on Unknown and must be shutdown to prevent damage to Unknown.

 

[d0nny]

I set this up in my script in this fashion:

Setup the variables (my form object is called 'url')

$upload_Name = $_FILES['url']['name'];
$upload_Size = $_FILES['url']['size'];
$upload_Temp = $_FILES['url']['tmp_name'];
$upload_Mime_Type = $_FILES['url']['type'];

I then put some code in my PHP like this:

if( $upload_Size == 0) { //Test to see if file exists
die("<p align='center'>Please enter a valid CV file</p>");
}
if( $upload_Size >250000) { //Ensure file is no larger than 250kb
unlink($upload_Temp);
die("<p align='center'>Your upload was too big!<br />Maximum file size is 250kb</p>");
}
if( $upload_Mime_Type != "application/msword" AND $upload_Mime_Type != "application/pdf" ) { //Test file type
unlink($upload_Temp);
die("<p align='center'>Sorry, only Word Doc's and PDF's allowed.</p>");
}

So I hope that helps out.
One of the other issues I have is that I want to add another file upload field to my form (for a photo upload) which will not be mandatory, but I still want to check the size and the file type (only GIF and JPEG) but I don't know how I can add this into my current checks as above.
Can I double up with my checks in the IF condition above?

 

[vacunita]

You can check them independently. Check one first and then the other one.

Also I would like to point out that your method relies on actually uploading the file which can be bothersome for the user.

I would find it annoying if I just uploaded a huge file and waited 20 minutes for it to upload only to have your script tell me its too big.

Using the hidden form field method prevents this as PHP automatically checks the size of the file against it, and won't upload it if it exceeds the file size.


----------------------------------
Ignorance is not necessarily Bliss, case in point:
Unknown has caused an Unknown Error on Unknown and must be shutdown to prevent damage to Unknown.

 

[d0nny]

I was thinking that the hidden form field was a better idea after I made my post.
I think I'll change it to this method.

 

[jpadie]

@vacunita

Using the hidden form field method prevents this as PHP automatically checks the size of the file against it, and won't upload it if it exceeds the file size.

are you sure? how would php do this?

 

[vacunita]

Quoting from the PHP online manual:

The MAX_FILE_SIZE hidden field (measured in bytes) must precede the file input field, and its value is the maximum filesize accepted by PHP. Fooling this setting on the browser side is quite easy, so never rely on files with a greater size being blocked by this feature. The PHP settings for maximum-size, however, cannot be fooled. This form element should always be used as it saves users the trouble of waiting for a big file being transferred only to find that it was too big and the transfer failed.

If you want the exact procedure, I don't know. But I would assume it looks at the hidden field, and then decides whether to proceed with the upload or not.

If you try this, you'll see that nothing gets populated in the $_FILES array, except for the name of the file and the error. The file is never actually uploaded, no temp file name is created and therefore the size appears as 0 bytes.

The output woull something like:

Array
(
    [userfile] => Array
        (
            [name] => file.ext
            [type] => 
            [tmp_name] => 
            [error] => 2
            [size] => 0
        )

)

----------------------------------
Ignorance is not necessarily Bliss, case in point:
Unknown has caused an Unknown Error on Unknown and must be shutdown to prevent damage to Unknown.

 

[jpadie]

but php must have the data from the webserver before it can make this decision, no? weird. has anyone looked at the source code to see how this might work? and would the behaviour be different between cgi and sapi?

 

[vacunita]

That's a good point.

Everything I have been able to find on the use of the field it says its not possible.

I wonder how its implemented.





----------------------------------
Ignorance is not necessarily Bliss, case in point:
Unknown has caused an Unknown Error on Unknown and must be shutdown to prevent damage to Unknown.

 

[jpadie]

i think it's browser advisory only. i have not done any testing on it but a brief google suggests that none of the browsers consider themselves particularly well advised by the hidden field!

 

[d0nny]

Also, using the hidden field method, how could/would you limit the size of two file upload fields within the same form?

I'm assuming this is a generic value applicable to the entire form, and therefore the limit set within the hidden field would apply to all file type fields within the same form??

 

[jpadie]

that is correct. however, as i say above, i suspect that you will find it ineffective.

browser timeouts are nearly always caused by some other issue, anyway.

 

[d0nny]

So is it best to use my initial method?

I know I'm relying on the file being uploaded and maybe the user has to wait for the upload, but I'm only uploading CV's (resume's), so I can imagine someone would start uploading a 10M file say??

 

[jpadie]

there is no method that i know of that validates the filesize before data is sent to the server (using standard browser technologies such as html or javascript). so nothing you do can avoid the problem.

you might be able to use some browser helper like a flash based upload or a java applet (there are loads of each type). personally i'd just tell the user clearly what your maxima are, use the browser advisory and then if the user still ignores everything, then he's just wasted his bandwidth.