File upload should exit if the file is too big, but carries on without the file

I made an upload form. Students should send me their little essays. No essay will be bigger than say 0.5MB

I hope I have set the byte number correctly to 0.5MB (I think this number is bytes: 512000)

Then I fill out the form and try and send a 6MB music video. I get the student name and number, week number and email. The music video does not get through, but the student data still gets through.

I was hoping PHP would exit, but I still get my “Success” page.

What am I doing wrong??

//set a limit to the file upload size
  	if ($_FILES['my_upload']['size'] > 512000) 
  	{
	echo " The file you are sending is too big. <br> ";
	echo " The maximum size should be less than 0.5MB <br>";
	echo " Please send a smaller file or send the file in an email. <br>";
	echo " Your file could not be sent. <br>";
  	exit;        
    }

Do you have code to test if the upload was successful, before trying to use any of the uploaded file information? If the upload failed, with an error, the size will be zero, and it will pass that size test.

Yes, I have had this same upload1file2.php for a long time, but I don’t use it much, because I try to avoid any marking by hand!

I uploaded a couple of files today, then I fetched them with rsync to a folder on my laptop, no problems!

Here is the whole thing, sorry it is messy, I don’t write this stuff for a living!

Perhaps you can suggest a way to change it to reject files that are too large or too small.

<?php 
$_SESSION['error'] = 'So far everything is OK.';
$studentnr = $_POST['sn'];

  	//First, check if the student number is present
       if($studentnr == ''){
       echo " 错误:没有学号! No student number! <br> ";
       echo " Please enter your student number and name. <br>";
       echo " Your homework could not be sent. <br>";
       echo " 返回再次试一试! Try again!";
	exit;
}

		include '../../includes/studentdbWriteto.inc.php';
		//check if the studentnr exists in this course names and numbers list
		$stmt = $pdo->prepare('SELECT 1 FROM allstudents20BE WHERE student_nr = ?');
		try{
			$stmt->execute([$studentnr]);
			//echo 'row count is ' . $stmt->rowCount();
				if($stmt->rowCount() == 0){
					//echo 'this student is not in the database';
				$_SESSION['error'] = 'This student number is not in this class students\' database: <b>' . $studentnr . '</b>. Please try again!';
				//echo $_SESSION['error'];
				//header('Location: /20PYhw/uploadessaysV1.html.php');
				header('Location: /20BEhw/uploadessaysV1.html.php');
				//include '../20BEwW9.html.php';
				exit();
				// if the student number exists, save the answers			
			}
		}
			catch(PDOException $e){
			$_SESSION['error'] = $e->getMessage();
			//echo $_SESSION['error'];
			//header("Location: ../19BEwW1.html");
			header('Location: /20BEhw/uploadessaysV1.html.php');
			exit();
		}

$upload_file_name = $_FILES['my_upload']['name'];
//echo 'The file name is ' . $upload_file_name;
//$time = microtime($get_as_float = false);
//$newname = $upload_file_name . '.data_' . $time;
//echo 'newname is ' . $newname;
$path = $_SERVER['DOCUMENT_ROOT'] . '/20BEhw/php/files/';
$q1 = $_POST['cn'];
$q2 = $_POST['sn'];
$q3 = $_POST['email'];
$q4 = $_POST['message'];
$q5 = $_POST['week'];
$newname = $upload_file_name . '_' . $q1 . '_' . $q2 . '_data';
$fp = fopen($path . $newname, 'w');
$savestring = 'Week nr. ' . $q5 . "\n" . 'Chinese name:  ' . $q1 . "\n". 'Student number:  ' . $q2 . "\n". 'Email address:  ' . $q3 . "\n" . 'Message text:  ' . $q4 . "\n";
fwrite($fp, $savestring);
fclose($fp);
//echo ' Your data has been saved in a text file!  <br> ';

if ($_SERVER['REQUEST_METHOD'] == 'POST') 
{
  if (is_uploaded_file($_FILES['my_upload']['tmp_name'])) 
  { 
  	//First, Validate the file name
  	if(empty($_FILES['my_upload']['name']))
  	{
  		echo " The file name is empty! <br> ";
  		echo " Please select a file. <br>";
		echo " Your file could not be sent. <br>";
  		exit;
  	}
 
  	$upload_file_name = $_FILES['my_upload']['name'];
  	//Too long file name?
  	if (strlen($upload_file_name)>100)
  	{
  		echo " The file name is too long! <br> ";
  		echo " Please make the file name shorter. <br>";
		echo " Your file could not be sent. <br>";
  		exit;
  	}
 
  	//replace any non-alpha-numeric characters in th file name
  	$upload_file_name = preg_replace("/[^A-Za-z0-9 \.\-_]/", '', $upload_file_name);

 //set a limit to the file minimum size
  	if ($_FILES['my_upload']['size'] < 5000) 
  	{
		echo " 错误!! <br> ";		
		echo " The file you are sending is too small. <br> ";
		echo " Your essay should be about 15kB or more. <br> ";
		echo " This is cannot be an essay <br>";
		echo " Please check the file you are sending and send again. <br>";
		echo " Your file could not be sent. <br>";
  		exit;        
    }
    
  	//set a limit to the file upload size
  	if ($_FILES['my_upload']['size'] > 512000) 
  	{
		echo " The file you are sending is too big. <br> ";
		echo " The maximum size should be less than 5MB <br>";
		echo " Please send a smaller file or send the file in an email. <br>";
		echo " Your file could not be sent. <br>";
  		exit;        
    }
 
    //Save the file
    $dest=__DIR__.'/files/'.$q5.$q2.$upload_file_name;
    if (move_uploaded_file($_FILES['my_upload']['tmp_name'], $dest)) 
    {
    	//echo " Your contact details have been saved. <br>";
		//echo 'Your file has been uploaded to our cloud! <br> ';
    	//echo 'We will contact you very soon! <br> ';
    }
  }
}
?>

<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8"/>
<meta name="viewport" content="width=device-width, initial-scale=1.0">

<title>Success</title>

<link rel="stylesheet" type="text/css" href="css/mystyle5.css" />
</head>
<body>
<div id="div-success"> 
成功!Your data has been saved.</div><br>
<div> <h1>The date and time now is:</h1>  </div><br>
<div id="div-date"<div> <h1>The date and time now is:</h1>  </div><br>>  </div><br>
<div id="div-namenumber"> Name: <?=$q1;?> --|-- Student number: <?=$q2;?> </div><br>
<div id="div-list">
<ul>
<li> <a href="http://www.mywebpage.com">反回.<p> Go back to the homepage. </p> </a> </li>
<li> <a href="http://www.ted.com">更多有趣的<p>  Go somewhere interesting.</p></a> </li>
<li> <a href="https://breakingnewsenglish.com/">更多有趣的<p>  Go somewhere interesting.</p></a> </li>
<li> <a href="https://learnenglish.britishcouncil.org/">更多有趣的<p>  Go somewhere interesting.</p></a> </li>
</ul>
<script>
    document.getElementById("div-date").innerHTML = formatAMPM();

function formatAMPM() {
var d = new Date(),
    minutes = d.getMinutes().toString().length == 1 ? '0'+d.getMinutes() : d.getMinutes(),
    hours = d.getHours().toString().length == 1 ? '0'+d.getHours() : d.getHours(),
    ampm = d.getHours() >= 12 ? 'pm' : 'am',
    months = ['Jan','Feb','Mar','Apr','May','Jun','Jul','Aug','Sep','Oct','Nov','Dec'],
    days = ['Sun','Mon','Tue','Wed','Thu','Fri','Sat'];
return days[d.getDay()]+' '+months[d.getMonth()]+' '+d.getDate()+' '+d.getFullYear()+' '+hours+':'+minutes+ampm;
}
</script>
</div>
</body>
</html>

unset the form post data instead and remove the exit and go to a failed page, also validate what file and ext they are uploading you might get exploited with anything being uploaded

Thanks for your reply!

I was thinking about this: until php has collected the file to the server, php won’t really be able to know the size of the file anyway. As I understand it, php is not active on the user’s computer.

Know some other way of checking for a big file? A javascript?

Sponsor our Newsletter | Privacy Policy | Terms of Service