Re: able to upload 28 meg file, yet php.ini limits posts to 10 megs. What is up with that?



On May 31, 3:01 am, Lawrence Krubner <lawre...@xxxxxxxxxxx> wrote:
> To guard against our users possibly uploading huge files, I've got this
> in my php.ini file:
>
> ; Maximum size of POST data that PHP will accept.
> post_max_size = 10M
>
> On a server running Ubuntu Linux. The PHP version:
>
> root@ldc310:/etc/php5/cli# php -v
> PHP 5.1.6 (cli) (built: Nov 28 2007 22:52:49)
>
> I just uploaded a 28 meg file to the server. I have a PHP script that
> automatically resizes the images to less than a meg. However, I was
> assuming that the upload should have failed, before the PHP script ever
> had the chance to resize the file. How do I limit how much our users can
> upload? I really don't want the users to have the power to upload 30 or
> 40 or 50 meg files.
>
> The server does have Plesk installed, which I know, in times past, has
> found ways to undermine the settings in php.ini.

No - override - exactly as it's supposed to do. But it's worth noting
that the only time I've seen Plesk is on hosted servers - which rather
implies that you're already paying somebody to answer these questions.

> For instance, for
> open_basedir, the value that gets written in the httpd.conf file, in
> each vhost directory, takes precedence over whatever I put in php.ini.
> But I've never seen Plesk undermine the importance of the post_max_size
> setting, nor can I imagine where Plesk might store such a conf setting
> if it did.
>
> Any thoughts on what might be wrong? Are there other places some
> configuration data might be taking precedence?

The post_max_size is a PHP-specific thing - assuming it did work as you
expect, it wouldn't stop anyone from posting more data to the
webserver - indeed, according to the manual, it only says that when
more than this limit is posted, the $_POST and $_GET vars are empty -
no mention of $_FILES. A better setting would be to set the limit
using upload_max_filesize, but again this does not stop people from
abusing your bandwidth.

If you set the limit in the webserver config then it will terminate
the connection.

C.
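
An added example, not part of the thread and not either poster's code: an application-level size check for the upload handler that also logs the limits PHP is actually applying under the web server. The field name `image`, the 10 MB cap and the function names are assumptions.

```php
<?php
// Added example, not from the thread. The field name "image" and the
// 10 MB application cap are assumptions.
define('MAX_UPLOAD_BYTES', 10 * 1024 * 1024);

// Convert php.ini shorthand such as "10M" or "1G" to bytes.
function ini_bytes($value)
{
    $value = trim($value);
    $bytes = (float) $value;
    switch (strtoupper(substr($value, -1))) {
        case 'G': $bytes *= 1024; // fall through
        case 'M': $bytes *= 1024; // fall through
        case 'K': $bytes *= 1024;
    }
    return (int) $bytes;
}

// Returns array(http_status, reason); status 200 means the file is acceptable.
function check_upload($files, $server, $field = 'image')
{
    $post_max = ini_bytes(ini_get('post_max_size'));
    $length = isset($server['CONTENT_LENGTH']) ? (int) $server['CONTENT_LENGTH'] : 0;
    // PHP discards a body larger than post_max_size, so the script sees no
    // upload at all; CONTENT_LENGTH is the only sign of what happened.
    if ($post_max > 0 && $length > $post_max) {
        return array(413, 'request body exceeds post_max_size');
    }
    if (!isset($files[$field]) || !is_int($files[$field]['error'])) {
        return array(400, 'expected exactly one file');
    }
    $file = $files[$field];
    if ($file['error'] === UPLOAD_ERR_INI_SIZE) {
        return array(413, 'file exceeds upload_max_filesize');
    }
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return array(400, 'upload failed, error code ' . $file['error']);
    }
    // Measure the stored temporary file rather than trusting a declared size.
    if (filesize($file['tmp_name']) > MAX_UPLOAD_BYTES) {
        return array(413, 'file exceeds application limit');
    }
    return array(200, 'ok');
}

if (php_sapi_name() !== 'cli') {
    list($status, $reason) = check_upload($_FILES, $_SERVER);
    // Log the limits in effect for this SAPI; they may not match the CLI's php.ini.
    error_log(sprintf('upload check: %s (sapi=%s post_max_size=%s upload_max_filesize=%s)',
        $reason, php_sapi_name(), ini_get('post_max_size'), ini_get('upload_max_filesize')));
    if ($status !== 200) { header('Content-Type: text/plain', true, $status); exit($reason); }
    // $_FILES['image']['tmp_name'] can now be handed to the resize step.
}
```

These checks run only after the body has been received, so they do not save bandwidth; in Apache the web-server limit the reply refers to is the `LimitRequestBody` directive.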