
Purpose of MAX_FILE_SIZE & How to Use It for PHP Form Validation

by Radu

I’ve seen several people asking what the purpose of MAX_FILE_SIZE is and how to integrate it into their PHP form validation.

Some believe it’s useless and will tell you not to add it, but I believe it’s useful, as you’ll see below.

So, let’s see what’s the deal with it.

What’s the Purpose of MAX_FILE_SIZE?

MAX_FILE_SIZE is used in a hidden input field, in an HTML form, to handle the file size validation on the client-side.

<!-- MAX_FILE_SIZE must precede the file input field -->
<input type="hidden" name="MAX_FILE_SIZE" value="30000" />
<input name="file" type="file" />

Its purpose is to stop the file transfer if the file is larger than the value (in bytes) specified in value="".

But isn’t the file size handled with $_FILES['file']['size']?

Yes, but there’s a difference.

Example

Let’s say that you only allow files up to 2 MB.

Now, if a user uploads a 20 GB file and you only rely on $_FILES['file']['size'], the user has to wait until those 20 GB are transferred, just to find out that the file was too large and the transfer failed.

On the other hand, if you use MAX_FILE_SIZE, the file transfer will fail right after PHP notices that the specified value for MAX_FILE_SIZE was exceeded.

So, the user won’t have to wait until the whole 20 GB file has been transferred to get an error.

Since MAX_FILE_SIZE is set on the client-side, it can be tampered with quite easily. So, don’t rely on it alone! Use $_FILES['file']['size'] for the file size in your validation as well.

How to Use MAX_FILE_SIZE in Your PHP Form Validation

If you set a MAX_FILE_SIZE field, the form won’t be sent if the file size is larger than the specified value.

But, of course, it won’t display any errors or perform any action. You’ll have to take care of that.

And some of you might be wondering how to integrate it with your current PHP form validation.

Well, you’ll be happy to know that it’s not hard.

If you look at the list of upload error codes in the PHP manual, you’ll notice that MAX_FILE_SIZE has its own error code, which is reported in the error segment of the file array.

That error code is UPLOAD_ERR_FORM_SIZE and it has a value of 2.

So, you can use something like this in your validation code to display an error or do something else if MAX_FILE_SIZE is triggered:

if ($_FILES['file']['error'] == 2) {
    // do something
}

$_FILES['file']['error'] is the error segment of the file array. It contains the error codes.

2 is the value for UPLOAD_ERR_FORM_SIZE, which handles MAX_FILE_SIZE.

Alternatively, you can use the constant name itself instead of its numeric value.

if ($_FILES['file']['error'] == UPLOAD_ERR_FORM_SIZE) {
    // do something
}
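The two checks combined, as an added example that is not part of the original post: it handles UPLOAD_ERR_FORM_SIZE and then checks $_FILES['file']['size'] against a server-side limit, so a tampered MAX_FILE_SIZE field changes nothing. The names upload_size_error and MAX_UPLOAD_BYTES are hypothetical, the sample entries are constructed, and the example goes slightly beyond the post by also handling the php.ini limit (UPLOAD_ERR_INI_SIZE).

```php
<?php
declare(strict_types=1);

// Server-side limit in bytes. Keep it equal to the hidden MAX_FILE_SIZE value;
// this copy is the one that counts, because the form field can be edited.
const MAX_UPLOAD_BYTES = 30000;

// Hypothetical helper (added example): error message for one $_FILES entry, or null.
function upload_size_error(array $file, int $maxBytes): ?string
{
    $error = $file['error'] ?? UPLOAD_ERR_NO_FILE;

    // Multiple-file fields produce arrays here; this helper expects a single file.
    if (!is_int($error)) {
        return 'Invalid upload.';
    }

    switch ($error) {
        case UPLOAD_ERR_OK:
            break;
        case UPLOAD_ERR_FORM_SIZE: // 2: MAX_FILE_SIZE from the form was exceeded
        case UPLOAD_ERR_INI_SIZE:  // 1: upload_max_filesize from php.ini was exceeded
            return 'The file is too large.';
        case UPLOAD_ERR_NO_FILE:
            return 'No file was uploaded.';
        default:
            return 'The upload failed.';
    }

    // Independent check: still enforced when MAX_FILE_SIZE was removed or raised
    // in the submitted form.
    if (($file['size'] ?? 0) > $maxBytes) {
        return 'The file is too large.';
    }

    return null;
}

// Constructed sample entries shaped like $_FILES['file'] (not real uploads).
$samples = [
    'hidden field triggered' => ['error' => UPLOAD_ERR_FORM_SIZE, 'size' => 0],
    'hidden field tampered'  => ['error' => UPLOAD_ERR_OK, 'size' => 5000000],
    'within the limit'       => ['error' => UPLOAD_ERR_OK, 'size' => 12000],
];

foreach ($samples as $label => $file) {
    echo $label, ': ', upload_size_error($file, MAX_UPLOAD_BYTES) ?? 'OK', PHP_EOL;
}
```

In a real handler, pass $_FILES['file'] to the helper and confirm the temporary file with is_uploaded_file() before moving it.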

That’s a Wrap

I hope you found this guide comprehensive enough and you understood what the deal is with MAX_FILE_SIZE and how to use it.

If some info is outdated or incorrect, or you have anything to add, say or ask, please contact me via Twitter or email.
