El elemento MAX_FILE_SIZE no puede especificar un tamaño de fichero
mayor que el establecido en la directiva upload_max_filesize
del fichero php.ini. Por defecto es 2 megabytes.
Si hay un límite de memoria habilitado, podría ser necesario un valor de memory_limit más grande. Asegúrese de establecer un valor de memory_limit lo suficientemente grande.
Si el valor de max_execution_time
es demasiado pequeño, la ejecución del script podría exceder este valor. Asegúrese
de establecer un valor de max_execution_time lo suficientemente grande.
Nota: max_execution_time solo afecta al tiempo de ejecución del propio script. Todo tiempo empleado en actividades externas a la ejecución del script, tales como las llamadas al sistema con system(), la función sleep(), las consultas a base de datos, el tiempo que tarda el proceso de subida de ficheros, etc., no se incluye para determinar el tiempo máximo que el script ha estado en ejecución.
max_input_time establece el tiempo
máximo, en segundos, que al script se le permite recibir información; esto incluye
la subida de ficheros. Para ficheros grandes o varios ficheros, o usuarios con conexiones más lentas,
podría excederse el valor predeterminado de 60 segundos.
Si el valor de post_max_size se establece demasiado
pequeño, los ficheros grandes no podrán ser subidos. Asegúrese de establecer
post_max_size lo suficientemente grande.
El ajuste de configuración max_file_uploads
controla el número máximo de ficheros que se pueden subir en una
petición. Si se suben más ficheros que el límite establecido,
$_FILES parará de procesar ficheros una vez se alcance
este límite. Por ejemplo, si
max_file_uploads se establece a
10, $_FILES nunca contendrá
más de 10 elementos.
No validar sobre qué fichero se opera podría significar que los usuarios pueden acceder a información delicada de otros directorios.
Por favor, observe que el CERN httpd parece quitar todo lo que empieza con primer espacio en blanco en la cabecera de tipo de contenido MIME que recibe desde el cliente. Mientras este sea el caso, el CERN httpd no tendrá soporte para la funcionalidad de subida de ficheros.
Debido a la gran cantidad de estilos de listados de directorios, no podemos garantizar que los ficheros con nombres exóticos (como el que contiene espacios en blanco) se manejen adecuadamente.
Los desarrolladores no deben mezclar los campos input normales con los de subida de ficheros en la misma
variable de formulario (mediante un nombre de input como foo[]).
Note that, when you want to upload VERY large files (or you want to set the limiters VERY high for test purposes), all of the upload file size limiters are stored in signed 32-bit ints. This means that setting a limit higher than about 2.1 GB will result in PHP seeing a large negative number. I have not found any way around this.If using IIS 7.0 or above, the Request Filtering is enabled by default and the max allowed content length is set to 30 MB.
One must change this value if they want to allow file uploads of more than 30 MB.
Sample web.config entry:
<configuration>
</system.webServer>
<security>
<requestFiltering>
<requestLimits maxAllowedContentLength="314572800"/>
</requestFiltering>
</security>
</system.webServer>
</configuration>
The above setting will allow 300 MB of data to be sent as a request. Hope this helps someone.[Editor's note: to be more precise, MAX_FILE_SIZE can't exceed PHP_INT_MAX before PHP 7.1.]
Please note that the field MAX_FILE_SIZE cannot exceed 2147483647. Any greater value will lead to an upload error that will be displayed at the end of the upload
This is explained by the related C code :
if (!strcasecmp(param, "MAX_FILE_SIZE")) {
max_file_size = atol(value);
}
The string is converted into a long int, which max value is... 2147483647
Seems to be corrected since php-7.1.0beta3 (https://github.com/php/php-src/commit/cb4c195f0b85ca5d91fee1ebe90105b8bb68356c)The macintosh OS (not sure about OSx) uses a dual forked file system, unlike the rest of the world ;-). Every macintosh file has a data fork and a resource fork. When a dual forked file hits a single forked file system, something has to go, and it is the resource fork. This was recognized as a problem (bad idea to begin with) and apple started recomending that developers avoid sticking vital file info in the resource fork portion of a file, but some files are still very sensitive to this. The main ones to watch out for are macintosh font files and executables, once the resource fork is gone from a mac font or an executable it is useless. To protect the files they should be stuffed or zipped prior to upload to protect the resource fork.
Most mac ftp clients (like fetch) allow files to be uploaded in Macbinhex, which will also protect the resource fork when transfering files via ftp. I have not seen this equivilent in any mac browser (but I haven't done too much digging either).
FYI, apple does have an old utility called ResEdit that lets you manipulate the resource fork portion of a file.In case of non-deterministic occurence of the UPLOAD_ERR_PARTIAL error: The HTTPD (e.g. Apache) should respond with a 'Accept-Ranges: none' header field.Here is another that may make your upload fall over. If you are using Squid or similar proxy server make sure that this is not limiting the size of the HTTP headers. This took me weeks to figure out!For apache, also check the LimitRequestBody directive.
If you're running a Red Hat install, this might be set in /etc/httpd/conf.d/php.conf.
By default, mine was set to 512 KB.A responce to admin at creationfarm dot com, Mac OS X and Windows running on a NTFS disk also uses a multi stream file system. Still only the data stream in transfared on http upload. It is preferable to pack Mac OS X files in .dmg files rathere then zip but the avarage user will find zip much easir and they are supported on more platforms.Please be advised that setting a large post_max_size or upload_max_filesize for a complete server or a complete virtual host is not a good idea as it may lead to increased security risks.
The risk is that an attacker may send very large POST requests and overloading your server memory and CPU as it has to parse and process those requests before handling them to your PHP script.
So it's best to limit changing this setting to some files or directories. For example if I want to /admin/files/ and /admin/images/ I can use:
<If "%{REQUEST_URI} =~ m!^/admin/(files|images)/! && -n %{HTTP_COOKIE}">
php_value post_max_size 256M
php_value upload_max_filesize 256M
</If>
I also require the request to have a cookie to avoid basic attacks. This will not protect you against attacks coming from non-authenticated users, but may delay any attack.
This setting can be used in Apache server configuration files, and .htaccess files as well.Took me a while to figure this one out...
I think this is actually a header problem, but it only
happens when doing a file upload.
If you attept a header("location:http://...) redirect after
processing a $_POST[''] from a form doing a file upload
(i.e. having enctype="multipart/form-data"), the redirect
doesn't work in IE if you don't have a space between
location: & http, i.e.
header("location:http://...) vs
header("location: http://...)
===================================
<?php
if ($_POST['submit']=='Upload') {
// Process File and the redirect...
header("location: http://"..."/somewhere.php");
exit;
}
?>
<html><head></head><body>
<form enctype="multipart/form-data" action="upload.php" method="POST">
<input type="hidden" name="MAX_FILE_SIZE" value="20000">
Your file: <input name="filename" type="file">
<input name="submit" type="submit" value="Upload">
</form>
</body></html>
===================================
This only happens if all of the following are true:
header("location:http://...) with no space
Form being processed has enctype="multipart/form-data"
Browser=IE
To fix the problem, simply add the space.
Hope this helps someone else.If you want to use open_basedir for securing your server (which is highly recommended!!!) remember to add your tmp dir to the open_basedir value in php.ini.
Example: open_basedir = <your htdocs root, etc...>:/tmp
(Tested on gentoo Linux, Apache 2.2, PHP 5.1.6)