[thelist] Web-Based Hidden Image Optimization

Matt Warden mwarden at gmail.com
Mon Jan 24 14:10:50 CST 2005


On Mon, 24 Jan 2005 09:23:48 -0600, Rob Smith <rob.smith at thermon.com> wrote:
> > but you can't stop them uploading a large file in the first place.
> On the contrary...
> from the form:
> <form method="post" name="whatever" action="page.php"
> enctype="multipart/form-data">
> <input type="file" name="ProductPicture" size="12">
> <input type="hidden" name="MAX_FILE_SIZE" value="4194304" />
> </form>
> from the parsing page:
> $disk_quota = mysql_result($results_file,0,"CustDiskQuota");
> if (($_FILES['ProductPicture']['size'] + $disk_quota) >
>   unlink($uploaddir . $ProductPicture);
>   // where $ProductPicture = absolute path to image itself
>   // stop right here; quota exceeded. delete if uploaded.
> exit;
> :-) cool stuff

Firstly, as someone has already pointed out, this doesn't keep them
from uploading the file -- it allows you to delete it from temporary
storage after it has been uploaded (meaning your bandwidth is still

But, more importantly, what happens if I edit the value of the hidden
form field (this is very easy to do with Firefox and a plugin)? I
could make it a couple gigabytes and your script would never know the
difference. At the *very least* don't name it MAX_FILE_SIZE (that will
maybe keep an honest man honest). Really, though, you should have the
MAX_FILE_SIZE determined directly in your code or from your database
(i.e., something the control of which you don't hand over to your

Matt Warden
Miami University
Oxford, OH, USA

This email proudly and graciously contributes to entropy.
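A server-side form of the check discussed above, added here as an example that is not from the original thread: the limit lives in code (or would come from the database), the client-supplied MAX_FILE_SIZE field is never consulted, and the temporary file is deleted on rejection. The function name validateUpload, the constant MAX_UPLOAD_BYTES and the $customerQuotaLeft value are assumptions for illustration.

```php
<?php
// Added example, not code from the original thread.
// Limit controlled by the server: defined in code here, or loaded from
// the customer's row in the database. The hidden form field is ignored.
const MAX_UPLOAD_BYTES = 4194304; // 4 MiB

/**
 * Validate one entry of $_FILES against a server-controlled limit and the
 * customer's remaining quota. Returns null on success or an error string;
 * on rejection the temporary file is unlinked so nothing is left behind.
 */
function validateUpload(array $file, int $limit, int $remainingQuota): ?string
{
    // PHP records a too-large upload (vs upload_max_filesize or the client's
    // MAX_FILE_SIZE field) as an error code; do not trust the field itself.
    if ($file['error'] !== UPLOAD_ERR_OK) {
        return 'upload rejected by PHP (error code ' . $file['error'] . ')';
    }
    // Only accept a path that PHP itself created for this request.
    if (!is_uploaded_file($file['tmp_name'])) {
        return 'not an uploaded file';
    }
    // Measure the bytes actually written to disk.
    $size = filesize($file['tmp_name']);
    if ($size === false || $size > $limit || $size > $remainingQuota) {
        unlink($file['tmp_name']);
        return 'file too large or customer quota exceeded';
    }
    return null;
}

// Handling page. $customerQuotaLeft is a placeholder for a value
// looked up from the database (e.g. CustDiskQuota minus bytes in use).
$customerQuotaLeft = 10 * 1024 * 1024;
if (isset($_FILES['ProductPicture'])) {
    $err = validateUpload($_FILES['ProductPicture'], MAX_UPLOAD_BYTES, $customerQuotaLeft);
    if ($err !== null) {
        http_response_code(413);
        exit($err);
    }
    // ... move_uploaded_file() to its final location here.
}
```

This still runs after the bytes have arrived; the request-level caps (upload_max_filesize and post_max_size in php.ini, or the web server's body-size limit) are what stop an oversized request from consuming bandwidth in the first place.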
