How to detect if a user uploaded a file larger than post_max_size?

Question

How should I go about handling http uploads that exceeds the post_max_size in a sane manner?

In my configuration post_max_size is a few MB larger than upload_max_filesize The problems I'm having are:
If a user uploads a file exceeding post_max_size

• The _POST array is empty
• The _FILES array is empty, and of course any error codes therein are not present.
• No other info what kind of form post it is is accessible through theses means.

Part of the problem is that the receiving script takes different actions depending on the contents of the POST.

I do have access to the _SERVER variables and can get clues as to what happened, i.e. CONTENT_TYPE, CONTENT_LENGTH and REQUEST_METHOD. It does however seem very problematic to make guesses based on those contents.

MEMORY_LIMIT (set to 10 times the relevant sizes) and Apaches LimitRequestBody (set to unlimited) are found to not be at fault.

As it stands now I have a hard time even providing any meaningful messages to the user.

Is there any way to retain some form data to get better clues as to what has gone wrong? I'm very reluctant to move away from php.

Answer 1

For a simple fix that would require no server side changes, I would use the HTML5 File API to check the size of the file before uploading. If it exceeds the known limit, then cancel the upload. I believe something like this would work:

function on_submit()
{
  if (document.getElementById("upload").files[0].size > 666)
  {
    alert("File is too big.");
    return false;
  }

  return true;
}

<form onsubmit="return on_submit()">
<input id="upload" type="file" />
</form>

Obviously it's just a skeleton of an example, and not every browser supports this. But it wouldn't hurt to use this, as it could be implemented in such a way that it gracefully degrades into nothing for older browsers.

Of course this doesn't solve the issue, but it will at least keep a number of your users happy with minimal effort required. (And they won't even have to wait for the upload to fail.)

--

As an aside, checking $_SERVER['CONTENT_LENGTH'] vs the size of the post and file data might help detect if something failed. I think it when there is an error it will be non zero, while the $_POST and $_FILES would both be empty.

Answer 2

Per the PHP documentation:

If the size of post data is greater than post_max_size, the $_POST and $_FILES superglobals are empty. This can be tracked in various ways, e.g. by passing the $_GET variable to the script processing the data, i.e. <form action="edit.php?processed=1">, and then checking if $_GET['processed'] is set.

If you need the limit increased for a specific script, you can try ini_set('post-max-size', $size_needed);. I'm not sure if it can be overridden within a script, though; that limit is probably there to specifically keep you from doing what you're trying to do.