Anthony Rutledge Anthony Rutledge - 3 months ago 9
PHP Question

PHP: In the $_FILES superglobal, is the 'size' element supplied by the client?

I have created a nifty class for sanitizing inputs based on their source using PHP filter functions, but there is no

INPUT_FILES
for
filter_input_array()
.

Obviously, the routine for checking out a file is very involved and that is not the focus of this question (so, you can skip the php.ini, examine the file, copy the file, don't use the user supplied file name, tricks of the trade stuff, references to the manual, etc).

I simply want to know, what is the source of the value for the
size
element in the
$_FILES
superglobal array. Yes, I still perform tests on it (and the actual file), but I would like to know the origin of the value. The origin of the 'key' is obviously PHP.

A YouTube video on file upload progress bars (8:50 - 9:10) shows a JavaScript method of determining the file size on the client. If that is true, the file size can definitely come from the user agent and then passed on to the web server / PHP via headers.

Answer

No, the size is provided by the server, but the mime-type (type) is provided by the client, so don't trust this value and check for yourself.