
Hi, I am trying to upload a file and set the limit to 1 MB. When the file size is greater than 1 MB the file doesn't move into the folder, but it still updates in the MySQL database.

<?php
$fileName       = $_FILES['myfile']['name'];
$fileNameTmp    = $_FILES['myfile']['tmp_name'];
$fileSize       = $_FILES["myfile"]["size"];
$fileExtension  = explode('.', $fileName);
$fileExtension  = strtolower(end($fileExtension));
$maxsize        = 1000000;
$fileUniqueName = uniqid() . '.' . $fileExtension;
$store          = 'uploads/' . $fileUniqueName;

if ($fileSize > $maxsize) {
    echo 'size exceed';
} else {
    // The return value of move_uploaded_file() is not checked, so the
    // database update below runs even if the file was never moved.
    move_uploaded_file($fileNameTmp, $store);
    $query = mysql_query("update users set image = '$fileUniqueName' where id = '$_SESSION[id]'");
}
?>

Expected result: the file name should not be updated in the database if the size exceeds 1 MB.

Hani Mehdi

  • Stop using the `mysql_*` functions. They have been deprecated since v5.5 (Jun 2013) and removed since v7.0 (Dec 2015). Instead use the [**mysqli_***](https://secure.php.net/manual/en/book.mysqli.php) or [**PDO**](https://secure.php.net/manual/en/book.pdo.php) functions with [**prepared statements**](https://secure.php.net/manual/en/pdo.prepare.php) and [**bound parameters**](https://secure.php.net/manual/en/pdostatement.bindparam.php). – Alex Howansky Apr 17 '17 at 13:36
  • Your code is likely vulnerable to [**SQL injection attacks**](https://en.wikipedia.org/wiki/SQL_injection). You should use [**mysqli**](https://secure.php.net/manual/en/mysqli.prepare.php) or [**PDO**](https://secure.php.net/manual/en/pdo.prepared-statements.php) prepared statements with bound parameters as described in [**this post**](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). – Alex Howansky Apr 17 '17 at 13:36
  • `var_dump($maxsize, $fileSize);` and check if the values are what you expect. – Qirel Apr 17 '17 at 13:36

1 Answer

I'm guessing the file didn't upload and you're getting `$fileSize` equal to 0, bypassing your if condition.
Change it to `if($fileSize > $maxsize || $fileSize == 0)` to capture the error.

gaganshera
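The same upload flow with the checks raised in this thread pulled together, as an added example that is not the asker's or answerer's code: it tests the `$_FILES` error code first (a rejected upload reports size 0, which is what the answer suspects), only writes to the database when `move_uploaded_file()` actually succeeds, and uses a PDO prepared statement instead of interpolating values into the query. It assumes `session_start()` has run, `$_SESSION['id']` holds the user id, and `$pdo` is an existing PDO connection; the function name `storeUpload` and the extension allowlist are choices made here, not from the page.

```php
<?php
declare(strict_types=1);

// Added example, not from the original post. Assumes $pdo is an open PDO
// connection and $_SESSION['id'] is set (hypothetical names).
function storeUpload(array $file, PDO $pdo, int $userId, string $dir, int $maxSize = 1000000): ?string
{
    // A failed upload (including one over upload_max_filesize) carries an error
    // code and a size of 0, so check the error code before the size: a 0 would
    // otherwise pass a plain "> $maxSize" test.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    if ($file['size'] > $maxSize || $file['size'] === 0) {
        return null;
    }

    // Derive the extension from the client name but accept only a fixed set,
    // rather than storing whatever extension the client sent.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ['jpg', 'jpeg', 'png', 'gif'], true)) {
        return null;
    }

    $uniqueName = uniqid('', true) . '.' . $ext;
    $target     = rtrim($dir, '/') . '/' . $uniqueName;

    // Record the name only if the file really landed in the folder.
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        return null;
    }

    // Prepared statement with bound parameters instead of string interpolation.
    $stmt = $pdo->prepare('UPDATE users SET image = :image WHERE id = :id');
    $stmt->execute([':image' => $uniqueName, ':id' => $userId]);

    return $uniqueName;
}

$saved = storeUpload($_FILES['myfile'] ?? [], $pdo, (int) $_SESSION['id'], 'uploads');
echo $saved === null ? 'upload rejected' : 'stored as ' . $saved;
```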