Uploading large files

Hello Alex,
Could you please help me with file upload?
I can upload small files (e.g. 5 MB) without any problems.
But when I try to add a large file (e.g. 100 MB), I get:
"Please specify category name"
error message.

My code is shown below. Thank you in advance!
<?php
require_once("../config.php");

if (empty($_POST['catname'])) showmessage("Please specify category name ");
if (empty($_POST['catdescr'])) showmessage("Please specify category name");

if (!isset($_POST['hide'])) $hide = 'show';

$catlogo = '';

$catname = trim(str_replace("'", "`", $_POST['catname']));
$catdescr = trim(str_replace("'", "`", $_POST['catdescr']));

if (!isset($_POST['catpos']))
{
    $query = "SELECT MAX(category_order) AS pos FROM category";
    $cnt = mysql_query($query);
    if ($cnt)
    {
        $count = mysql_fetch_array($cnt);
        $catpos = $count ['pos'] + 1;
    }
    else error_report("Error: ".mysql_error(),"Error accessing category");
}

if ($_FILES['catlogo']['tmp_name'] != '-' && $_FILES['catlogo']['tmp_name'] != '')
{
    $path = "../files/".$_FILES['catlogo']['name']; //strrchr($_FILES['catlogo']['name'],'.');
    if (copy($_FILES['catlogo']['tmp_name'], $path)) $catlogo = $path;
    else error_report("Error loading logo".$_FILES['catlogo']['name'], "Error loading logo");
}

$queryAdd = "INSERT INTO category VALUES (NULL, '$catname', '$catdescr', $catpos, '$catlogo', '$hide')";
$qAdd = mysql_query($queryAdd);
if($qAdd)
{
    echo "<HTML><HEAD>
<META HTTP-EQUIV='Refresh' CONTENT='0; URL=addcatform.php'>
</HEAD>";
}
else error_report("Error: ".mysql_error(),"Error accessing category");

function showmessage($msg)
{
    echo "<p>".$msg."</p>";
    echo "<p> <a href=# onClick='history.back()'>Back to edit categories</a> </p>";
    exit();
}
?>

Correction

The file is not copied when the size of the file is 5 MB (the record is inserted). The message described below appears only when the file size is 100 MB (the file is not copied).
What do you think can be implemented to make the script more secure?

Answer

I successfully uploaded a 100 MB file using my script (running on an Apache server) with the following options in php.ini:
upload_max_filesize = 200M
post_max_size = 200M

When these options are less than 100 MB, uploading fails with empty $_FILES and $_POST arrays.

As for secure file uploading, please consider the following article in the PHP manual:
http://www.php.net/features.file-upload (available in different languages)

Pay special attention to "See also the function entries for is_uploaded_file() and move_uploaded_file() for further information".

Generally, it is better to use PDO and parameterized queries when you work with a database.

Sincerely,
Alex

Q.

As far as I know, the default value in PHP.ini is 2 MB (upload_max_filesize) ??, the record is inserted. And post_max_size = 8 MB. My file size is more than 8 MB. But I don't understand: why don't I get the message "Error loading logo".$_FILES['catlogo']['name'], "Error loading logo"?

How can I change this value without using PHP.ini?

if ($_FILES['catlogo']['tmp_name'] != '-' && $_FILES['catlogo']['tmp_name'] != '')
{
    $path = "../files/".$_FILES['catlogo']['name']; //strrchr($_FILES['catlogo']['name'],'.');
    if (copy($_FILES['catlogo']['tmp_name'], $path)) $catlogo = $path;
    else error_report("Error loading logo".$_FILES['catlogo']['name'], "Error loading logo");
}

Because the following

Because the following condition is false when the $_FILES array is empty:
if ($_FILES['catlogo']['tmp_name'] != '-' && $_FILES['catlogo']['tmp_name'] != '')

Consider:
$_FILES = array();
$_FILES['catlogo']['tmp_name'] returns null, which is converted to '' when being compared with a string, so $_FILES['catlogo']['tmp_name'] != '' is false and the whole expression is false.

The PHP settings can be changed in php.ini, in an .htaccess file or in the script. The file upload related settings cannot be changed in the script because uploading happens before PHP executes the script. Please check the manual article "Running PHP as an Apache module" on how to set PHP values in .htaccess files.
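
The points from both answers in this thread (empty $_POST and $_FILES when post_max_size is exceeded, move_uploaded_file(), PDO with bound parameters), put together as an added example; it is not code from the original posts. It assumes PHP 7.1 or later, and the DSN, credentials, the 'hide' value and the image allow-list are placeholders chosen for illustration.

```php
<?php
// Added example. DSN, credentials, the 'hide' value and the image allow-list are assumptions.
function fail(string $msg): void
{
    echo '<p>' . htmlspecialchars($msg) . '</p>';
    exit;
}

// A body larger than post_max_size is discarded by PHP before the script runs:
// $_POST and $_FILES are both empty although the client sent data.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && empty($_POST) && empty($_FILES)
    && (int) ($_SERVER['CONTENT_LENGTH'] ?? 0) > 0) {
    fail('Upload exceeds post_max_size (' . ini_get('post_max_size') . ')');
}

$catname  = trim($_POST['catname'] ?? '');
$catdescr = trim($_POST['catdescr'] ?? '');
if ($catname === '')  fail('Please specify category name');
if ($catdescr === '') fail('Please specify category description');
$hide = isset($_POST['hide']) ? 'hide' : 'show';   // 'hide' is an assumed value

$catlogo = '';
$file = $_FILES['catlogo'] ?? null;
if ($file !== null && $file['error'] !== UPLOAD_ERR_NO_FILE) {
    // A file over upload_max_filesize arrives here with UPLOAD_ERR_INI_SIZE set.
    if ($file['error'] !== UPLOAD_ERR_OK) fail('Error loading logo');
    // Decide the type from the content, not from the client-supplied name or MIME type.
    $types = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];
    $mime  = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset($types[$mime])) fail('Logo must be a PNG, JPEG or GIF image');
    // Server-generated name: nothing from $_FILES[...]['name'] reaches the filesystem.
    $path = '../files/' . bin2hex(random_bytes(16)) . '.' . $types[$mime];
    // move_uploaded_file() refuses any path that is not a genuine HTTP upload.
    if (!move_uploaded_file($file['tmp_name'], $path)) fail('Error loading logo');
    $catlogo = $path;
}

$pdo = new PDO('mysql:host=localhost;dbname=example;charset=utf8mb4', 'user', 'password',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
if (isset($_POST['catpos'])) {
    $catpos = (int) $_POST['catpos'];
} else {
    $catpos = (int) $pdo->query('SELECT MAX(category_order) FROM category')->fetchColumn() + 1;
}
// Values are bound, never concatenated, so quotes in the input need no rewriting.
$stmt = $pdo->prepare('INSERT INTO category VALUES (NULL, ?, ?, ?, ?, ?)');
$stmt->execute([$catname, $catdescr, $catpos, $catlogo, $hide]);
header('Location: addcatform.php');
```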