File Size problem

Hi, I have hit a bit of a hiccup!
Doing some testing before completing a file upload, and my problem is the opposite to most file size troubles! I want to put a limit on the size a user can upload, and to do this I have put a size limit of 3KB (as suggested in David Powers’ excellent guide PHP Solutions)
However, when I do upload a bigger file than this, it still gets uploaded, even though it shouldn’t! As he suggests, I have the size-checking code at the top of the doc and a hidden field before the file input box. Hidden field goes:

<input type="hidden" name="maxfilesize" value="<?php echo maxfilesize; ?>" />

and the size checking routine goes:

define('maxfilesize', 3000);

But I don’t see anywhere the file size actually gets checked in order to prevent a file larger than the 3KB from being uploaded. I can’t see how making a string with a name equal to the defined constant can actually do anything. I have used David Powers’ code throughout (apart from putting the constant name in lowercase and leaving out his underscores).
Also, for the value attribute, why can this not simply be value="maxfilesize"? Why the echo statement?

Firstly, nothing you do in the client is secure. Once you get the syntax correct for this hidden field, anyone can alter or delete the field from your form using the browser’s developer tools, and anyone (or a bot) doesn’t even need your form to submit data to your site and can simply leave out that field when they submit the data for a file upload.

The name attribute must be exactly MAX_FILE_SIZE for php to use this field value when processing the uploaded file data, before passing control to your php script.

The form field is html markup. You are not in php ‘mode’ at this point. To include a php value (defined constant in this case), you must echo it to cause it to be output to the browser. If you just use value="maxfilesize" and look at the ‘view source’ of the page in the browser, you will see the literal string maxfilesize, not the defined constant’s value.

Note: if you use php’s short-open-echo tag <?= and leave out the closing ; right before a closing ?> tag, you can use this simple syntax <?=maxfilesize?> to echo a defined constant, or in the case of a variable <?=$var?>, to echo a php variable in html markup.
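To show what the server-side check should look like regardless of the hidden field, here is an added example (not from the thread or from David Powers’ book) of an upload handler that inspects the error code PHP sets and then re-checks the size on the server. It assumes the file input is named "image", an uploads/ directory next to the script, and the 3000-byte limit from the question.

```php
<?php
// Added example: server-side enforcement of the upload size limit.
// The MAX_FILE_SIZE hidden field is only a convenience for the browser/PHP;
// a client can edit or omit it, so the server must check again.
define('MAX_FILE_SIZE', 3000); // limit in bytes, as in the question

function validateUpload(array $file, int $limit): array
{
    // PHP fills $_FILES[...]['error'] before the script runs.
    // UPLOAD_ERR_FORM_SIZE: rejected by the MAX_FILE_SIZE hidden field.
    // UPLOAD_ERR_INI_SIZE:  rejected by upload_max_filesize in php.ini.
    if (!isset($file['error']) || is_array($file['error'])) {
        return [false, 'Invalid upload parameters'];
    }
    switch ($file['error']) {
        case UPLOAD_ERR_OK:
            break;
        case UPLOAD_ERR_NO_FILE:
            return [false, 'No file was uploaded'];
        case UPLOAD_ERR_INI_SIZE:
        case UPLOAD_ERR_FORM_SIZE:
            return [false, 'File exceeds the size limit'];
        default:
            return [false, 'Upload failed'];
    }
    // Only trust a file that PHP itself received via HTTP POST.
    if (!is_uploaded_file($file['tmp_name'])) {
        return [false, 'Not a valid uploaded file'];
    }
    // Enforce the limit on the server using the size PHP measured on disk,
    // independent of anything the client sent.
    if (filesize($file['tmp_name']) > $limit) {
        return [false, 'File exceeds the size limit'];
    }
    return [true, 'OK'];
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['image'])) {
    [$ok, $message] = validateUpload($_FILES['image'], MAX_FILE_SIZE);
    if ($ok) {
        // Store under a server-generated name rather than the client's filename.
        $dest = __DIR__ . '/uploads/' . bin2hex(random_bytes(8));
        move_uploaded_file($_FILES['image']['tmp_name'], $dest);
    }
    echo htmlspecialchars($message, ENT_QUOTES, 'UTF-8');
}
```

The hidden field in the form must still be named exactly MAX_FILE_SIZE and appear before the file input for PHP to set UPLOAD_ERR_FORM_SIZE; the filesize() check is what actually protects the server when that field is missing.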

Ah, OK. I thought that his MAX_FILE_SIZE was just what he called that variable. I didn’t realise it was an ‘official’ PHP constant. Thanks for clearing that up. I have only got to this stage at the moment and there are other steps that need to be taken, so hopefully the security issues you raise will be obviated.
Cheers!