> -----Original Message-----
> From: Ray [mailto:[EMAIL PROTECTED]
> Sent: 23 September 2007 02:25
> To: php-general@lists.php.net
> Subject: Re: [PHP] MAX_FILE_SIZE not working with file uploads
> 
> On Saturday 22 September 2007 7:44:55 pm Jeff Cohan wrote:
> > Dan Parry wrote:
> > > I might be wrong but this would be classed as
> > > 'exploitable'... Webservers should not be allowed
> > > to read from or write to clients... Of course there
> > > is ActiveX...
> >
> > I think we're off the point.
> >
> > My script is simply interrogating the value of the
> > $_FILES[userfile][size] array element. It's coming up as ZERO if it
> > exceeds the MAX_FILE_SIZE.
> 
> Exactly, no valid file was uploaded. The size of the valid file is
> therefore zero.
> 
> > That seems odd to me. But maybe that's
> > the way it's SUPPOSED to work. That's why I started this thread out
> > with "What am I missing?".
> >
> > Said another way:
> >
> > It seems that the server had to know the size of the file in order
> > to know it exceeded MAX_FILE_SIZE. So how can my script find out the
> > size?
> 
> Can you use Javascript to check file size client side, send data via
> AJAX then issue warnings

This would be the exploitable 'feature' I mentioned... Client-side files
should never be readable

Dan

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
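
The question raised in this thread, how a script can tell that an upload exceeded MAX_FILE_SIZE when the reported size is zero, is answered by the `error` element of the `$_FILES` entry rather than by `size`. The following is an added example, not part of the original messages: `userfile` is the field name used in the thread, while `APP_MAX_BYTES`, its 2 MB value and `describe_upload()` are assumptions made for illustration.

```php
<?php
// Added example. 'userfile' is the field name used in the thread;
// APP_MAX_BYTES and describe_upload() are hypothetical names.
const APP_MAX_BYTES = 2 * 1024 * 1024; // assumed server-side limit

function describe_upload(array $f): array
{
    // PHP sets size to 0 and tmp_name to '' when it rejects a file, so
    // the reason has to be read from 'error', not from 'size'.
    switch ($f['error'] ?? UPLOAD_ERR_NO_FILE) {
        case UPLOAD_ERR_OK:
            break;
        case UPLOAD_ERR_FORM_SIZE:
            return [false, 'larger than the MAX_FILE_SIZE given in the form'];
        case UPLOAD_ERR_INI_SIZE:
            return [false, 'larger than upload_max_filesize in php.ini'];
        case UPLOAD_ERR_PARTIAL:
            return [false, 'only partially uploaded'];
        case UPLOAD_ERR_NO_FILE:
            return [false, 'no file sent'];
        default:
            return [false, 'server-side upload failure'];
    }
    // MAX_FILE_SIZE is a hidden form field that the client can change or
    // omit, so the limit is enforced again on the bytes actually received.
    if (!is_uploaded_file($f['tmp_name'])) {
        return [false, 'not an HTTP upload'];
    }
    $bytes = filesize($f['tmp_name']);
    if ($bytes === false || $bytes > APP_MAX_BYTES) {
        return [false, 'larger than the application limit'];
    }
    return [true, "accepted, $bytes bytes"];
}

if (isset($_FILES['userfile'])) {
    [$ok, $why] = describe_upload($_FILES['userfile']);
    http_response_code($ok ? 200 : 400);
    echo htmlspecialchars($why, ENT_QUOTES);
}
```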
