Edit report at http://bugs.php.net/bug.php?id=50749&edit=1

 ID:                 50749
 Updated by:         cataphr...@php.net
 Reported by:        anzenews at volja dot net
 Summary:            max_file_uploads counts empty uploads as well
 Status:             Bogus
 Type:               Bug
 Package:            PHP options/info functions
 Operating System:   Linux
 PHP Version:        5.2.12
 Block user comment: N

 New Comment:

Fixed in revision 303970, see request #50692.


Previous Comments:
------------------------------------------------------------------------
[2010-08-03 20:32:27] phazei at gmail dot com

This is actually very similar to this bug:
http://bugs.php.net/bug.php?id=50692

That was filed a few days earlier.

Does it take significantly more resources than if someone simply tried
to flood the server with a load of input type=text?

Not being able to set this with ini_set
(http://bugs.php.net/bug.php?id=50684) is a big issue as well that makes
this an all or none problem rather than setting an exception for an
admin page or something similar.

------------------------------------------------------------------------
[2010-01-15 16:03:27] ras...@php.net

The server does actually need resources even for an empty upload
because we don't necessarily know it is empty until late in the
request.  We have to create the filename and sit and wait for the data,
even if none ever comes.  So, from a server resource perspective there
is very little difference between an empty upload and a non-empty one.

------------------------------------------------------------------------
[2010-01-15 10:15:59] anzenews at volja dot net

Then this function is no better than the safe mode, magic quotes and
similar fiascos of PHP - useless and will be avoided, at least by me.

The purpose of this function is to protect the server from DOS attacks.
Does the server need many resources to process the empty files? I would
guess not.

On the other hand this is very limiting for forms that wish to have many
_optional_ file upload input fields (which was how I stumbled across
this bug).

Anyway, I'll just be careful to choose a host with this "feature" turned
off in the future, the same as I did with safe mode. :(

Oh, and by the way, turning it on by default in the very first
incarnation of this option is not very nice IMHO. It took me quite some
time to figure out what is going on since there are almost no pages with
this setting described yet. :(

------------------------------------------------------------------------
[2010-01-15 08:55:11] j...@php.net

Of course it does, that's exactly its purpose: to limit the maximum number
of uploads. And yes, even an "empty" upload is an upload.

------------------------------------------------------------------------
[2010-01-14 13:46:53] anzenews at volja dot net

Description:
------------
Setting max_file_uploads limits the number of file input fields on HTML
page instead of limiting the number of actually uploaded files.

Reproduce code:
---------------
<form name="formData" action="" enctype="multipart/form-data"
method="post">
<?php
 for ($i=0;$i<30;$i++)
 {
   echo "File ".($i+1).":<br />\n".
        '<input name="file_'.$i.'" type="file" /><br />'."\n";
 };
?>
 <input value="OK!" type="submit" />
</form>

<pre>
<?php var_dump($_FILES) ;?>
</pre>

Expected result:
----------------
When you upload a single file (in the LAST!!! input box) and hit "OK!",
you should see the uploaded file. 

Actual result:
--------------
Instead you see just 20 empty file uploads. (if max_file_uploads is set
to 20, as per default)

The max_file_uploads setting should never count empty files.

------------------------------------------------------------------------
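
The situation described in this report (empty file fields filling the
max_file_uploads quota so that a later, real upload is dropped) can be
detected on the server side. The following is an added example, not code
from any participant in this thread or from PHP itself; the function names
upload_error_codes() and summarize_uploads() are hypothetical and the sample
array is constructed to mirror the report's 30-field form with a limit of 20.

```php
<?php
// Added example, not code from the bug report. Function names are hypothetical.

// Collect every error code in one $_FILES entry; 'error' is an int for
// name="file_0" and a (possibly nested) array for name="files[]".
function upload_error_codes($error)
{
    if (!is_array($error)) {
        return array((int) $error);
    }
    $codes = array();
    foreach ($error as $item) {
        $codes = array_merge($codes, upload_error_codes($item));
    }
    return $codes;
}

// Count upload slots by outcome and flag a request that filled the limit,
// in which case later file fields may have been dropped.
function summarize_uploads($files, $limit)
{
    $s = array('slots' => 0, 'empty' => 0, 'ok' => 0, 'failed' => 0);
    foreach ($files as $entry) {
        if (!is_array($entry) || !isset($entry['error'])) {
            continue; // not a well-formed $_FILES entry
        }
        foreach (upload_error_codes($entry['error']) as $code) {
            $s['slots']++;
            if ($code === UPLOAD_ERR_NO_FILE) {
                $s['empty']++;
            } elseif ($code === UPLOAD_ERR_OK) {
                $s['ok']++;
            } else {
                $s['failed']++;
            }
        }
    }
    $s['limit_reached'] = $limit > 0 && $s['slots'] >= $limit;
    return $s;
}

// Constructed sample: 20 empty slots, as in the report's "Actual result".
$sample = array();
for ($i = 0; $i < 20; $i++) {
    $sample['file_' . $i] = array('name' => '', 'type' => '', 'tmp_name' => '',
                                  'error' => UPLOAD_ERR_NO_FILE, 'size' => 0);
}
// In a request handler: summarize_uploads($_FILES, (int) ini_get('max_file_uploads'))
print_r(summarize_uploads($sample, 20));
```

When limit_reached is true and empty is non-zero, the form has more file
fields than the configured limit allows, and the handler can report that
instead of silently treating the request as containing no upload.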