"Leif K-Brooks" wrote
Ivo wrote:
<form method="post" action="somescript" enctype="multipart/form-data">
<input type="hidden" name="MAX_FILE_SIZE" value="7340032">
<input type="file" name="uploadme">
<input type="submit">
</form>
What's with the hidden MAX_FILE_SIZE field? If your script is supposed
to check the file size to make sure it's under that, you need to rethink
your security: anyone who knows what they're doing can easily change
that. Your script needs to have the maximum file size hard-coded.
<quote cite="http://www.php.net/manual/en/features.file-upload.php">
The MAX_FILE_SIZE hidden field (measured in bytes) must precede the file
input field, and its value is the maximum filesize accepted. (...) The
MAX_FILE_SIZE is advisory to the browser, although PHP also checks it.
Changing this on the browser side is quite easy, so you can never rely on
files with a greater size being blocked by this feature. The PHP-settings
for maximum-size, however, cannot be fooled. You should add the
MAX_FILE_SIZE form variable anyway as it saves users the trouble of waiting
for a big file being transferred only to find that it was too big and the
transfer actually failed.
</quote>
:-]
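
An added example, not part of the original posts: a server-side check for the form above that never reads the submitted MAX_FILE_SIZE value and enforces its own hard-coded limit. The field name "uploadme" and the 7340032-byte figure come from the posted form; check_upload() and MAX_UPLOAD_BYTES are hypothetical names.

```php
<?php
declare(strict_types=1);

// Hard-coded on the server; the form's MAX_FILE_SIZE value is never read here.
const MAX_UPLOAD_BYTES = 7340032;

/**
 * Returns null if the upload is acceptable, otherwise a rejection reason.
 * $file is one entry of $_FILES (null if the field is absent).
 */
function check_upload(?array $file, int $maxBytes = MAX_UPLOAD_BYTES): ?string
{
    if ($file === null || !isset($file['error']) || is_array($file['error'])) {
        // Also the case when the request body exceeded post_max_size:
        // PHP then leaves $_POST and $_FILES empty.
        return 'no upload received';
    }
    switch ($file['error']) {
        case UPLOAD_ERR_OK:
            break;
        case UPLOAD_ERR_INI_SIZE:   // over upload_max_filesize in php.ini
            return 'file exceeds server limit';
        case UPLOAD_ERR_FORM_SIZE:  // over the client-supplied MAX_FILE_SIZE
            return 'file exceeds form limit';
        default:
            return 'upload failed (code ' . $file['error'] . ')';
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return 'not an uploaded file';
    }
    // Measure the temp file PHP actually stored and compare it with our limit.
    $size = filesize($file['tmp_name']);
    if ($size === false || $size > $maxBytes) {
        return 'file exceeds ' . $maxBytes . ' bytes';
    }
    return null;
}

$reason = check_upload($_FILES['uploadme'] ?? null);
if ($reason !== null) {
    http_response_code(400);
    exit($reason);
}
// The file passed the server-side checks; move_uploaded_file() can follow.
```

The php.ini settings upload_max_filesize and post_max_size remain the outer bound; the constant only tightens the limit within them.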