Limit Photo Size on Upload

>
> I'm worried about abuse... maybe too paranoid... I don't know, but I  
> would like to limit file size of uploads to 2.5 MB photos.
>
> When do we do that?  I don't think a file browser
> (  <input name="image" type="file" size="25" />) knows how big the  
> file is to actually stop the upload...
>
> so you have to handle it *after* receiving the post, right?
>
> if $_POST_RAW is not empty then
> # includes headers and filename and caption of course but no need be  
> too precise
> if len($_POST_RAW) > 2636822 then
> # exit out of processing the post
> # and return some response to the user "File Too Big."
>
> have I got this right?

> Jim Ault wrote:
>
>> One solution is use form validation in the browser before sending.
>> Here is a link to the Apple developer site showing a javascript  
>> example.
>>      http://developer.apple.com/internet/webcontent/validation.html
>> Also, try Googling "html form validation" for hundreds of sites  
>> with info.
>> If a Rev plugin is present, you could use Rev to check the size
>
> Though I try to stay away from JS as much as i can, looks very  
> useful. Only thing is: I don't see a function there to check file  
> size, and further research indicates that JS security constraints  
> bar JS from reading the file size and one can only do this with an  
> ActiveX thing in  I.E.
>
> So, it's back to a server side input data check...or
>
> I'll be patient and wait until next week and implement as a revlet  
> and then it will be easy. This will also constrain input from only  
> those who trust us, which is an excellent "screening" that the  
> revlet security provides.

> You should be able to specify the max file size in the <form> before
> the image is posted.
>
> And this link is a PHP solution that handles several errors and user
> feedback
> -- lots of notes on each line so that you know what is going on
> --    remember the PHP engine is running on the web host
> --    there is a multi-image file upload version at the bottom of this
> page
>
>     http://webdeveloper.com/forum/showthread.php?t=101466
>
> Note the line in the html body
>
>             <input type="hidden" name="MAX_FILE_SIZE" value="<?php
> echo $max_file_size ?>">
>
> thus a hidden value is sent to the server to limit the number of
> characters it will accept when the server creates the variable and
> loads the image data.  The result of trying to upload a very large
> image is that only part of it will be stored in a 'tmp_name' array
> variable in web server RAM,
>
> // now let's move the file to its final location and allocate the new
> filename to it
> @move_uploaded_file($_FILES[$fieldname]['tmp_name'], $uploadFilename)
>     or error('receiving directory insuffiecient permission',
> $uploadForm);
>
> and the user notified -- the PHP code directs the user to the page
> that outputs the error messages.
>
> // The following function is an error handler which is used
> // to output an HTML error page if the file upload fails
> function error($error, $location, $seconds = 5)
>
> At the top of the web page source is where the value of the PHP
> variable is set by:
>
> // set a max file size for the html upload form
> $max_file_size = 30000; // size in bytes
>
> When you are ready, you can use the download link to get the
>      upload.zip or the multifileupload.zip from the author.
>
> I would prefer a PHP solution to a javascript one, but that is my
> preference
>
> Jim Ault
> Las Vegas
>
> On Nov 6, 2009, at 11:46 AM, Sivakatirswami wrote:
>
>> Jim Ault wrote:
>>
>>> One solution is use form validation in the browser before sending.
>>> Here is a link to the Apple developer site showing a javascript
>>> example.
>>>      http://developer.apple.com/internet/webcontent/validation.html
>>> Also, try Googling "html form validation" for hundreds of sites with
>>> info.
>>> If a Rev plugin is present, you could use Rev to check the size
>>
>> Though I try to stay away from JS as much as i can, looks very
>> useful. Only thing is: I don't see a function there to check file
>> size, and further research indicates that JS security constraints bar
>> JS from reading the file size and one can only do this with an
>> ActiveX thing in  I.E.
>>
>> So, it's back to a server side input data check...or
>>
>> I'll be patient and wait until next week and implement as a revlet
>> and then it will be easy. This will also constrain input from only
>> those who trust us, which is an excellent "screening" that the revlet
>> security provides.
>
> _______________________________________________
> use-revolution mailing list
> [hidden email]
> Please visit this url to subscribe, unsubscribe and manage your
> subscription preferences:
> http://lists.runrev.com/mailman/listinfo/use-revolution
>

> I don't think we can include
>
> <?php
>
> #whatever code
>
> ?>
>
> on a *.irev page....
>
> at least not yet.
>
> But bottom line is: you are measuring input data *after* the user hits
> "submit"
>
> I may as well just measure the $_POST_RAW  value before processing it.
>
> If some deranged person tries to upload a 100MB file, he will just be
> waiting forever. I don't think our server will care a whit about it. Once
> it's uploaded, the irev page will simply drop I could be sure by doing a
> "put empty" into the $_POST_RAW... I suppose there could be a RAM issue on
> the web server, but a linux machine, I believe will start using Virtual
> memory and nothing bad will happen (I hope)
>
> Perhaps the iRev engine has some hidden "agent" that can return a value for
> the amt of data that's been read "so far" before the complete post is
> received? If so, we could poll that and terminate, like the PHP thing does.
>
> skts
>
>
>
>
>
> Jim Ault wrote:
>
>> You should be able to specify the max file size in the <form> before the
>> image is posted.
>>
>> And this link is a PHP solution that handles several errors and user
>> feedback
>> -- lots of notes on each line so that you know what is going on
>> --    remember the PHP engine is running on the web host
>> --    there is a multi-image file upload version at the bottom of this
>> page
>>
>>    http://webdeveloper.com/forum/showthread.php?t=101466
>>
>> Note the line in the html body
>>
>>            <input type="hidden" name="MAX_FILE_SIZE" value="<?php echo
>> $max_file_size ?>">
>>
>> thus a hidden value is sent to the server to limit the number of
>> characters it will accept when the server creates the variable and loads the
>> image data.  The result of trying to upload a very large image is that only
>> part of it will be stored in a 'tmp_name' array variable in web server RAM,
>>
>> // now let's move the file to its final location and allocate the new
>> filename to it
>> @move_uploaded_file($_FILES[$fieldname]['tmp_name'], $uploadFilename)
>>    or error('receiving directory insuffiecient permission', $uploadForm);
>>
>> and the user notified -- the PHP code directs the user to the page that
>> outputs the error messages.
>>
>> // The following function is an error handler which is used
>> // to output an HTML error page if the file upload fails
>> function error($error, $location, $seconds = 5)
>>
>> At the top of the web page source is where the value of the PHP variable
>> is set by:
>>
>> // set a max file size for the html upload form
>> $max_file_size = 30000; // size in bytes
>>
>> When you are ready, you can use the download link to get the
>>     upload.zip or the multifileupload.zip from the author.
>>
>> I would prefer a PHP solution to a javascript one, but that is my
>> preference
>>
>> Jim Ault
>> Las Vegas
>>
>> On Nov 6, 2009, at 11:46 AM, Sivakatirswami wrote:
>>
>>  Jim Ault wrote:
>>>
>>>  One solution is use form validation in the browser before sending.
>>>> Here is a link to the Apple developer site showing a javascript example.
>>>>     http://developer.apple.com/internet/webcontent/validation.html
>>>> Also, try Googling "html form validation" for hundreds of sites with
>>>> info.
>>>> If a Rev plugin is present, you could use Rev to check the size
>>>>
>>>
>>> Though I try to stay away from JS as much as i can, looks very useful.
>>> Only thing is: I don't see a function there to check file size, and further
>>> research indicates that JS security constraints bar JS from reading the file
>>> size and one can only do this with an ActiveX thing in  I.E.
>>>
>>> So, it's back to a server side input data check...or
>>>
>>> I'll be patient and wait until next week and implement as a revlet and
>>> then it will be easy. This will also constrain input from only those who
>>> trust us, which is an excellent "screening" that the revlet security
>>> provides.
>>>
>>
>> _______________________________________________
>> use-revolution mailing list
>> [hidden email]
>> Please visit this url to subscribe, unsubscribe and manage your
>> subscription preferences:
>> http://lists.runrev.com/mailman/listinfo/use-revolution
>>
>>  _______________________________________________
> use-revolution mailing list
> [hidden email]
> Please visit this url to subscribe, unsubscribe and manage your
> subscription preferences:
> http://lists.runrev.com/mailman/listinfo/use-revolution
>