By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
424,987 Members | 997 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 424,987 IT Pros & Developers. It's quick & easy.

MAX_FILE_SIZE for HTML forms

P: 18
hi,
I tried to lookup on w3c website for information on the MAX_FILE_SIZE hidden field to restrict the size of file uploads, but couldn't find much. Looked up elsewhere, but generally, couldn't find more than a single line about this. I know that this fails in many browsers, but I'd still like to learn about it. Here are some of my doubts regarding this

* Is it necessary to include it at the beginning of the form?
* Does it work for single form containing multiple file upload fields?
* If I specify a different MAX_FILE_SIZE field before each of the file inputs (for the same form), would it work? If not then what would the final MAX_FILE_SIZE value be? or does that give an error?

thanks
May 16 '07 #1
Share this Question
Share on Google+
23 Replies


drhowarddrfine
Expert 5K+
P: 7,435
Never heard of it and there is no such thing in html.
May 16 '07 #2

P: 18
Never heard of it and there is no such thing in html.
It is recommended that we include this inside forms containing file uploads.

<input type="hidden" name="MAX_FILE_SIZE" value="512000" />

This limits the size of file that can be uploaded. I mostly use php, and it gives an error if the uploaded file exceeds this value. It must be similar in other scripting languages.
May 17 '07 #3

drhowarddrfine
Expert 5K+
P: 7,435
This limits the size of file that can be uploaded.
It does not. "name" is a name you assign to the input element and nothing else. I googled around and it seems it might be a common name used in PHP for such things but the form's "action" calls a PHP script where, I assume, that name is used to monitor the file size. In any case, HTML and the browser does absolutely nothing with the name except transmit it to the server inside the form.
May 17 '07 #4

epots9
Expert 100+
P: 1,351
i think this is what he wants
Expand|Select|Wrap|Line Numbers
  1. ;;;;;;;;;;;;;;;;
  2. ; File Uploads ;
  3. ;;;;;;;;;;;;;;;;
  4.  
  5. ; Whether to allow HTTP file uploads.
  6. file_uploads = On
  7.  
  8. ; Temporary directory for HTTP uploaded files (will use system default if not
  9. ; specified).
  10. ;upload_tmp_dir =
  11.  
  12. ; Maximum allowed size for uploaded files.
  13. upload_max_filesize = 2M
  14.  
edit that in the php.ini file

i think this is php question more than an HTML...
Jun 19 '07 #5

P: 1
Hi. I do not know how but MAX_FILE_SIZE really works. I've just tried it in my form in which PHP handles file uploads. After submitting a form which contains file, which size exceeds MAX_FILE_SIZE value, PHP $_FILES array doesn't comprise any file.

Could anyone tell me how it works?
Feb 11 '09 #6

drhowarddrfine
Expert 5K+
P: 7,435
This has nothing to do with HTML. Go ask on the PHP board. There is no such thing in HTML.
Feb 11 '09 #7

Dormilich
Expert Mod 5K+
P: 8,639
@drhowarddrfine
I agree with that.

MAX_FILE_SIZE is submitted via HTML but is used by PHP.
Feb 13 '09 #8

P: 1
Its not a html tag, its an form input tag with the name of "MAX_FILE_SIZE".

PHP uses that variable to limit the file upload if its bigger than said amount.

Sources:
http://us3.php.net/manual/en/feature...oad.errors.php
http://www.developershome.com/wap/wa....asp?page=php3

** Edit **
Offensive comments removed.
Jun 10 '09 #9

gits
Expert Mod 5K+
P: 5,270
as it was already stated it is not a HTML-question that belongs to this HTML-forum and therefor it was already suggested to post in the PHP-forum ... and i even wouldn't use that at all since it is just very simple to hack ... and the server has to double-check the uploaded file again to ensure the allowed filesize anyway. so i cannot imagine where this usage would be 'suggested'? ...
Jun 10 '09 #10

drhowarddrfine
Expert 5K+
P: 7,435
I stand by everything I said before, including the information posted. I may be a 'jackass' and a 'douche' but at least I'm not stupid and uninformed.
Jun 10 '09 #11

NeoPa
Expert Mod 15k+
P: 31,347
@ma7erick
As I welcome you to Bytes, I would like to point you in the general direction of posting in forums (here specifically but generally too).

When you have a question it is not appreciated (It is specifically against our rules) that you post it within an existing thread. This is called Thread Hijacking and will tend to upset the current participants.

Furthermore, it is good policy if you can, to post your new thread in the relevant forum.

I can see you're new at this so I'm not about to throw any infractions at you, but please try to remember this for future usage of the forums.

I think it's probably clear by now that you need the PHP forum for this particular question. Good luck.

Administrator.
Jun 10 '09 #12

P: 2
I know this is late after the thread has basically died but after finding this listing from a google search i thought i better mention it.

It does look as though this is some sort of HTML tag.

I have done a simple test using the following code, this code has the MAX_FILE_SIZE within it as a HTML tag, there is no php code on this page.

-----FILE UPLOAD CODE-----
Expand|Select|Wrap|Line Numbers
  1. <form enctype="multipart/form-data" action="moveimage.php" method="POST">
  2. <input type="hidden" name="MAX_FILE_SIZE" value="100000" />
  3. Choose a file to upload: <input name="uploadedfile" type="file" /><br />
  4. <input type="submit" value="Upload File" />
  5. </form>
--------------------------

Here is my PHP code, note how there is NO reference to MAX_FILE_SIZE at all.

-----PHP FILE ACCEPT CODE-----
Expand|Select|Wrap|Line Numbers
  1. <?php
  2. $target_path = $target_path . "/" . basename( $_FILES['uploadedfile']['name']);
  3.  
  4. if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
  5.     echo "The file ". $target_path . " has been uploaded";
  6. } else{
  7.     echo "There was an error uploading the file, please try again!";
  8. }
  9.  
  10. ?>
The argument MAX_FILE_SIZE is never referenced by any of my PHP code and i do no checks on the file size, yet if i upload a file over 100K it fails........

It is as though the form from HTML is not passing the file names / form arguments through to the php file.

I just had to post this in case anyone else finds this thread in google and wants some more information like i did.
Jun 19 '10 #13

drhowarddrfine
Expert 5K+
P: 7,435
Because THERE IS NO SUCH THING AS MAX_FILE_SIZE IN HTML. Here is the list of ALL html elements and a link at the top for ALL HTML attributes as published by the W3C.

Any further comments remotely implying that there is such a thing in the HTML spec is pure poppycock.
Jun 19 '10 #14

P: 2
Ah, so it's a magical item that doesn't exist but works exactly as expected?

could it be built into the browser?
Jun 19 '10 #15

Dormilich
Expert Mod 5K+
P: 8,639
see this comment in the PHP manual.
Jun 20 '10 #16

NeoPa
Expert Mod 15k+
P: 31,347
I'm just reviewing this thread, and I'm a bit inexperienced in both of these areas. Can I ask, does what is being said indicate that essentially the MAX_FILE_SIZE is a PHP setting and not related to HTML at all?
Jun 20 '10 #17

Dormilich
Expert Mod 5K+
P: 8,639
It’s a bit of a two-edged sword, on the one hand side, there is no relation to a HTML spec (the "max_file_size" is only the name of a form field). on the other hand side, there is no note in the PHP manual (not in the official part that I know of), that a php.ini setting (runtime configuration) can be applied by sending an appropriate $_REQUEST entry (esp. since "max_file_size" is not even a PHP directive, that would be "post_max_size" or "upload_max_size").
Jun 21 '10 #18

HaLo2FrEeEk
100+
P: 404
<input type="hidden" name="MAX_FILE_SIZE" value="100000" />

This does client-side checks to make sure the file was within acceptable limits, but it does NOT actually prevent the user from uploading a file of that size, they can simply remove that line using a real-time HTML editor or something like "Developer Tools" in IE8.

It's always recommended that you have both client-side AND server-side confirmation of files when uploading. I wish I still had an example that I'd written years ago, but sadly I think I either deleted it or moved it somewhere I don't remember.

Still, you're definately going to want server-side confirmation of the uploaded files. Check to make sure they're the right type (sometimes the mimetype can be spoofed by simply changing the file extension, so you'll need to be 100% positive you can confirm this particular file,) the right size, etc. Client-side scripting is just too prone to modifications by...well, the client. Use them, don't ever rely on them.
Jun 21 '10 #19

P: 4
I came to this forum looking for answers on MAX_FILE_SIZE.

Let me express, first, my impressions on the subject.

Agreed, it is not an HTML misterious tag; it is a PHP feature. It can be editted, as all client side info, agreed too, but that's irrelevant because it is not meant as a security meassure at all. By adding an element named MAX_FILE_SIZE to an HTML form, PHP knows in advance which is the maximum size of an uploaded file, thus catching the error BEFORE attempting to upload the file, saving the user a long wasted time. The value is expressed in bytes (an integer) and should be equal or a little lower than PHP's directive upload_max_filesize.

** Edit **
Removed argumentative content. Please read the rules before posting again.
Sep 7 '10 #20

NeoPa
Expert Mod 15k+
P: 31,347
Let me first congratulate you on putting your points forward clearly and concisely. I understood your purport with almost no previous understanding of the main concepts.

That said, please don't use these forums as somewhere to criticise other members. That is against our rules for reasons I would have expected were pretty obvious.
Sep 7 '10 #21

P: 4
My bad, missplaced.
Sep 7 '10 #22

NeoPa
Expert Mod 15k+
P: 31,347
No harm. No foul.

Welcome to Bytes Diego.
Sep 7 '10 #23

Canabeez
100+
P: 126
Here's a quote from php.net.

"The MAX_FILE_SIZE hidden field (measured in bytes) must precede the file input field, and its value is the maximum filesize accepted by PHP. This form element should always be used as it saves users the trouble of waiting for a big file being transferred only to find that it was too large and the transfer failed. Keep in mind: fooling this setting on the browser side is quite easy, so never rely on files with a greater size being blocked by this feature. It is merely a convenience feature for users on the client side of the application. The PHP settings (on the server side) for maximum-size, however, cannot be fooled."

The quote can be found here. Hope this will bring to understanding.
Sep 11 '10 #24

Post your reply

Sign in to post your reply or Sign up for a free account.