Notice: this page is a parallel Chinese-English translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use and share it, but you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me). StackOverflow original: http://stackoverflow.com/questions/1381364/

Time: 2020-08-25 02:17:45  Source: igfitidea

MAX_FILE_SIZE in PHP - what's the point?

php

Asked by Vilx-

I was trying to make a file upload form and checked the PHP documentation to refresh my memory on the subject. Here is a link to the relevant article. All of a sudden I noticed this message:

The MAX_FILE_SIZE hidden field (measured in bytes) must precede the file input field, and its value is the maximum filesize accepted by PHP. This form element should always be used as it saves users the trouble of waiting for a big file being transferred only to find that it was too large and the transfer failed. Keep in mind: fooling this setting on the browser side is quite easy, so never rely on files with a greater size being blocked by this feature. It is merely a convenience feature for users on the client side of the application. The PHP settings (on the server side) for maximum-size, however, cannot be fooled.

OK... Say what? First it tells that it must precede the file upload field. Then it tells us that it is merely for convenience. And besides - it's on client side anyway so anyone can mess with it. After googling around I also found information that there are no known browsers that support it.

WTF? Why is it said that it must precede the file upload field if it seems to be (for all intents and purposes) absolutely pointless? Should I bother putting it in my HTML at all?

Accepted answer by Meep3D

At the moment there are no browsers that actually care about the MAX_FILE_SIZE directive so it is pretty pointless. I suppose it does give you more granular control over max sizes on upload (as the poster above stated) rather than going with php.ini's, but personally I just ignore it, and you probably should too. It will certainly not stop a user uploading a larger than required file - the manual is fairly misleading in this regard.

Answer by Stann

After a failed attempt to find any authoritative information about MAX_FILE_INFO I've decided to resort to drastic measures - and peeked at PHP's holy source.

I scanned entire PHP source recursively using grep:

grep -ri MAX_FILE_SIZE .

The only place that mentioned this variable was (excluding tests folder) - rfc1867.c file. Completely expectable since rfc1867 standard deals with file uploads.

Related C code:

......
if (!strcasecmp(param, "MAX_FILE_SIZE")) {
    max_file_size = atol(value);
}
......
......
if (PG(upload_max_filesize) > 0 && (total_bytes+blen) > PG(upload_max_filesize)) {
    cancel_upload = UPLOAD_ERROR_A;
} else if (max_file_size && ((total_bytes+blen) > max_file_size)) {
    cancel_upload = UPLOAD_ERROR_B;
} else if
....

So - here's a short explanation of the above code:

1) first we get the value of MAX_FILE_SIZE into max_file_size variable.

2) Then we check if max_file_size value exists and if the sum of already accepted bytes (total_bytes) + the size of bytes in the buffer(blen) exceeds max_file_size.

3) If 2 is true - at this point we cancel upload with some error code that's been set by this constant: UPLOAD_ERROR_B

BUT - as you can see - right before checking max_file_size variable - PHP performs EXACTLY THE SAME CHECK for upload_max_filesize variable!!! So - there we have it.

Conclusion: IMHO - op is right - there is 0 point in including MAX_FILE_SIZE into your forms! Simply set upload_max_filesize in your php.ini file or dynamically via ini_set().

Answer by Pacerier

Until we find browsers that support it, there's no point on the clientside.

However, on the serverside, MAX_FILE_SIZE does affect the values you get from $_FILES['your_file'].

Assuming the browser's request actually made it through post_max_size, usually this is what PHP gives:

array(5) {
    ["name"]=> string(11) "my_upload.dll"
    ["type"]=> string(24) "application/x-msdownload"
    ["tmp_name"]=> string(26) "C:\WINDOWS\Temp\php86A.tmp"
    ["error"]=> int(0) // UPLOAD_ERR_OK
    ["size"]=> int(238592)
}

But if uploaded file size exceeds MAX_FILE_SIZE, you'd see:

array(5) {
    ["name"]=> string(11) "my_upload.dll"
    ["type"]=> string(0) ""
    ["tmp_name"]=> string(0) ""
    ["error"]=> int(2) // UPLOAD_ERR_FORM_SIZE
    ["size"]=> int(0)
} 

And the part on "MAX_FILE_SIZE must precede the file input field" is not a joke. It actually works because PHP will interpret the browser's POST request payload sequentially:

<input name=F1 type=file> 
<input name=F2 type=file>
F1 and F2 will not be affected by MAX_FILE_SIZE

<input name=MAX_FILE_SIZE value=1024 type=hidden>
<input name=F3 type=file>
<input name=F4 type=file>
F3 and F4 will have MAX_FILE_SIZE = 1024 bytes

<input name=MAX_FILE_SIZE value=0 type=hidden>
<input name=F5 type=file>
<input name=F6 type=file>
F5 and F6 will have MAX_FILE_SIZE = 0 (infinite)

<input name=MAX_FILE_SIZE value=1 type=hidden>
<input name=F7 type=file> 
<input name=F8 type=file>
F7 and F8 will have MAX_FILE_SIZE = 1 byte

Also note that PHP interprets MAX_FILE_SIZE case insensitively, so maX_fILe_sIZE and Max_File_SIZE would work too.

Answer by Rob

I believe the point is that conformant browsers would prevent form submission in the case where the user selected a file that was too large, which would save them having to perform at least a partial upload (which could take a while) of a file that was going to be rejected.

On the server side, PHP still checks and enforces the various limits set in PHP.ini, and will reference the fact that an upload was too large in the normal manner, i.e. an error code set in $_FILES. You might think of the field as an analogy to JavaScript validation - we might do a quick client-side check for the user's convenience, but we still do a proper server-side test and enforce it for all requests.

As others have stated, there don't appear to be any browsers that actually bother to perform this check, making it relatively useless.

Answer by Dominic Rodger

What follows is me being wrong, please read the other answers which are better-informed, and accurate (AFAIK).

I think the point is exactly as it states:

This form element should always be used as it saves users the trouble of waiting for a big file being transferred only to find that it was too large and the transfer failed

Yes, it can be fooled, and so shouldn't be relied on to prevent larger files from being uploaded, but for non-malicious users if the uploaded file is bigger than the integer in this field, PHP disallows this upload and presents an error code in the $_FILES array (source - comments on php.net).

Answer by cls

I use it to set file size limit when a particular application needs smaller files than the limit in php.ini. My php scripts check it, but it is set in the HTML form. Different forms have different file size limits. I am not sure if this has much to do with the intended use, but it makes it easier to reuse my scripts. It would be good if it could be checked at the browser level, but it's not the only reason it is useful.
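
Added example (not part of any answer above, and not PHP's own code): a server-side check that handles the $_FILES error codes shown in Pacerier's answer and applies a per-form limit of the kind cls describes, without ever reading the client-supplied MAX_FILE_SIZE value. The form names, the limits and the check_upload helper are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical per-form limits, defined on the server. The form's
// MAX_FILE_SIZE field is never read, because the client controls it.
const FORM_LIMITS = ['avatar' => 512 * 1024, 'report' => 5 * 1024 * 1024];

/**
 * Validate one single-file $_FILES entry against a server-side limit.
 * Returns [bool $ok, string $message].
 */
function check_upload(array $file, int $limit): array
{
    $error = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    if (!is_int($error)) {              // an array here means a multi-file field
        return [false, 'unexpected upload structure'];
    }
    switch ($error) {
        case UPLOAD_ERR_OK:
            break;
        case UPLOAD_ERR_INI_SIZE:       // 1: exceeded upload_max_filesize
        case UPLOAD_ERR_FORM_SIZE:      // 2: exceeded the form's MAX_FILE_SIZE
            return [false, 'file too large'];
        case UPLOAD_ERR_NO_FILE:
            return [false, 'no file sent'];
        default:
            return [false, 'upload failed (code ' . $error . ')'];
    }
    // Only accept a temp file that PHP itself created for this request.
    $tmp = (string) ($file['tmp_name'] ?? '');
    if (!is_uploaded_file($tmp)) {
        return [false, 'not an uploaded file'];
    }
    // Enforce the server-side limit on the bytes actually stored.
    $size = filesize($tmp);
    if ($size === false || $size > $limit) {
        return [false, 'file too large'];
    }
    return [true, 'ok'];
}

// Usage in the (hypothetical) handler for the "avatar" form.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    [$ok, $msg] = check_upload($_FILES['avatar'] ?? [], FORM_LIMITS['avatar']);
    http_response_code($ok ? 200 : 400);
    echo $msg;
}
```

If the request body exceeds post_max_size, PHP leaves $_FILES empty, which this handler reports as "no file sent".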
