Restrict Upload File Size In PHP (Very Simple Example)

Welcome to a tutorial on how to restrict the upload file size in PHP. So you want to set a limit, or change the maximum upload file size in PHP?

To enforce or change the upload file size limit in PHP:

  1. We can set the upload_max_filesize and post_max_size directives in php.ini.
    • upload_max_filesize = 10M
    • post_max_size = 10M
  2. Do a programmatic check upon file upload.
    • $max = 1000000;
    • if ($_FILES["upload"]["size"] < $max) { move_uploaded_file($_FILES["upfile"]["tmp_name"], DESTINATION); }

That covers the quick basics, but read on for more detailed examples!

ⓘ I have included a zip file with all the source code at the start of this tutorial, so you don’t have to copy-paste everything… Or if you just want to dive straight in.

 

 

TLDR – QUICK SLIDES

Fullscreen Mode – Click Here

 

TABLE OF CONTENTS

 

DOWNLOAD & NOTES

Firstly, here is the download link to the example code as promised.

 

QUICK NOTES

If you spot a bug, feel free to comment below. I try to answer short questions too, but it is one person versus the entire world… If you need answers urgently, please check out my list of websites to get help with programming.

 

EXAMPLE CODE DOWNLOAD

Click here to download all the example source code, I have released it under the MIT license, so feel free to build on top of it or use it in your own project.

 

 

PHP UPLOAD FILE SIZE RESTRICTION

All right, let us now get into examples of how to restrict the upload file size in PHP.

 

PART 1) PHP.INI FILE SIZE RESTRICTION

php.ini
file_uploads=On
post_max_size=10M
upload_max_filesize=10M
max_file_uploads=20

If you are new to PHP, this is something to take extra note of. There are “hardcoded limits” set in php.ini itself.

  • file_uploads Allows file uploads.
  • post_max_size Maximum allowed POST size. Technically, this should be set equal to or greater than the allowed upload file size.
  • upload_max_filesize Self-explanatory, the maximum allowed upload file size.
  • max_file_uploads Maximum simultaneous file uploads.

Captain Obvious to the rescue, these will take precedence over PHP scripts. For example, the PHP script will throw an error instantly on a file upload if file_uploads=Off.

 

PART 2) HTML UPLOAD FORM

2-upload.html
<form action="4-upload.php" method="post" enctype="multipart/form-data" onsubmit="return check()">
  <input type="file" id="up" name="up" required>
  <input type="submit" value="Upload">
</form>

Look no further, this is just a “regular file upload form”. But take note that we are using Javascript onsubmit="return check()" to do a check before submitting it to the PHP.

 

 

PART 3) JAVASCRIPT FILE SIZE CHECK

3-upload.js
function check () {
  // (A1) MAX FILE SIZE
  const max = 10000000;
 
  // (A2) CHECK FILE SIZE
  let f = document.getElementById("up").files[0];
  if (f.size <= max) {
    return true;
  } else {
    alert(`Max allowed file size is ${max} bytes.`);
    return false;
  }
}

Sadly, there is no such thing as <input type="file" maxsize="XYZ"> at the time of writing. But we can still get the file size in Javascript and do a check – Don’t allow the upload if it is over the allowed limit.

 

PART 4) PHP UPLOAD HANDLER

4-upload.php
<?php
// (A) ERROR - NO FILE UPLOADED
if (!isset($_FILES["up"])) { exit("No file uploaded"); }
 
// (B) FILE SIZE
$max = 10000000; // 10 MB
 
// (C) SAVE FILE ONLY IF LESSER THAN MAX ALLOWED
if ($_FILES["up"]["size"] <= $max) {
  echo move_uploaded_file($_FILES["up"]["tmp_name"], $_FILES["up"]["name"])
    ? "OK" : "ERROR" ;
} else { echo "Max allowed file size is $max bytes"; }

Lastly, we do a file size check in PHP before saving the uploaded file. Some sharp code ninjas should have realized – Why are we doing checks in both Javascript and PHP?

  • Remember that Javascript is client-side and PHP is server-side.
    • Javascript does the file size check before the form is submitted.
    • PHP does the file size check after the form is submitted.
  • Why do we need both?
    • Javascript is “cosmetics” to show a “nice message” before submission. But it is unsafe – max can be easily changed by opening the developer’s console.
    • PHP is “security”. The hard coded PHP limits cannot be changed in the developer’s console.

 

 

EXTRA BITS & LINKS

That’s all for the tutorial, and here is a small section on some extras and links that may be useful to you.

 

UPLOADING LARGE FILES?

If you are dealing with large uploads, raising the file size limit in php.ini is one lazy and easy way to do it. But that is not the best solution, you cannot keep raising the limits forever. There are better and more reliable ways to handle large uploads, check out my other tutorial on large uploads. Links are right below.

 

LINKS & REFERENCES

 

INFOGRAPHIC CHEAT SHEET

Restrict Upload File Size In PHP (Click To Enlarge)

 

THE END

Thank you for reading, and we have come to the end. I hope that it has helped you to better understand, and if you want to share anything with this guide, please feel free to comment below. Good luck and happy coding!

Leave a Comment

Your email address will not be published. Required fields are marked *