PHP Uploading Files

File uploads are a useful feature, but they are also one of the easiest places to open a security hole in a PHP application. You absolutely have to get this right. If you don't, someone will eventually upload a script to your site that makes you wish you had, so build the handler as if they are going to try. When uploading a file, we generally use a form to let the user pick the file they want to upload from their computer.

HTML File Upload Form

Example

<form enctype="multipart/form-data" action="#" method="POST">
    <input type="hidden" name="MAX_FILE_SIZE" value="10000" />
    Choose a GIF file to upload: <input name="uploadedFile" type="file" /><br />
    <input type="submit" value="Upload File" />
</form>

Now, that is a nice form, but it has no supporting server-side code to tell it what to do. We need a PHP script that processes the upload and checks that it is the type of file we want. Keep in mind that nothing in the form itself is a security control: the MAX_FILE_SIZE hidden field is only a hint that lets PHP abort an oversized upload early, and an attacker does not need the form at all. Any HTTP client can send a multipart/form-data request with whatever fields, filename and Content-Type it likes, so every check that matters has to happen on the server.

PHP Upload Files

Example

<?php
// Original example handler. The comments mark which checks are real
// server-side controls and which only trust what the client sent.
if ($_FILES["uploadedFile"]["size"] < 10000)   // measured by PHP on the received data
{
    // WARNING: "type" is the Content-Type the client sent for this form part.
    // It is not derived from the file's bytes and can be set to anything.
    if ($_FILES["uploadedFile"]["type"] == "image/gif")
    {
        if ($_FILES["uploadedFile"]["error"] == 0)   // 0 is UPLOAD_ERR_OK
        {
            $filePath = "testFolder/";
            // basename() strips directory parts (no ../ traversal), but the
            // name and its extension are still chosen by the client.
            $filePath = $filePath . basename( $_FILES['uploadedFile']['name']);
            if(move_uploaded_file($_FILES['uploadedFile']['tmp_name'], $filePath))
            {
                // escape the client-supplied name before echoing it into HTML
                echo "The file " . htmlspecialchars(basename( $_FILES['uploadedFile']['name']), ENT_QUOTES, 'UTF-8') . " was uploaded successfully.";
            }
            else
            {
                echo "A problem occurred while uploading your file, please try again.";
            }
        } 
        else
        {
            echo "Something went wrong...";
        }
    }
    else
    {
        echo "Your file is not a gif filetype..";
    }
}
else
{
    echo "Your file exceeds the maximum size of 10KB.";
}
?>

In our massively nested if statement, you can see the server-side checks. You must verify that the file's attributes are what you want before you keep it. Here we only check file size and file type, and the type check in particular is weaker than it looks.

We first check the file size with $_FILES["uploadedFile"]["size"], where "uploadedFile" is the name of the file input in the HTML form. The 10000 is the size in bytes, which is roughly 10 KB. Next, we only want GIF files.

So we check $_FILES["uploadedFile"]["type"] to see whether it is image/gif. Be aware that PHP copies this value straight from the Content-Type header the client sent with the file part; it is not derived from the file's contents, so anyone can upload a PHP script labelled image/gif and pass this check. Treat it as a convenience for honest users, not a security control. A real check inspects the bytes on the server, for example with finfo_file() or getimagesize(). Finally, we make sure no error occurred by checking that $_FILES["uploadedFile"]["error"] equals 0, which is UPLOAD_ERR_OK.

Now we come to the heart of the upload. We set our folder path in the $filePath variable, then append the original file name with basename($_FILES['uploadedFile']['name']). basename() strips any directory components, which blocks ../ path traversal, but what remains is still a name the client chose: its extension decides how the web server treats the file, and it can collide with or overwrite another user's upload.

Finally, we move the file inside an if statement that checks for a final error, using move_uploaded_file($_FILES['uploadedFile']['tmp_name'], $filePath). move_uploaded_file() takes two parameters: the temporary path PHP gave the upload, $_FILES['uploadedFile']['tmp_name'], and the destination path. It also verifies that the source really is a file uploaded in the current request, which is why you should use it instead of rename() or copy(). The file is now stored where we can use it later. If that folder sits under the web root, make sure the web server will not execute files in it. Uploading is easy; uploading safely takes a few more checks.
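Here is a hardened version of the handler, added as an example and not part of the original post. It keeps the form field name uploadedFile and the 10000-byte limit from the example above, but replaces the client-supplied type check with server-side content sniffing, drops the client's filename, and writes into a hypothetical directory /var/uploads that is assumed to sit outside the web root. It requires the fileinfo and GD-independent getimagesize() functions, which ship with stock PHP 7 and later.

```php
<?php
// Added example, not the original post's code. Assumes: form field "uploadedFile",
// a storage directory /var/uploads outside the web root (hypothetical), and PHP 7+.
declare(strict_types=1);

const MAX_UPLOAD_BYTES = 10000;            // same limit as the original example
const UPLOAD_DIR       = '/var/uploads';   // assumption: not served by the web server
const ALLOWED_TYPES    = ['image/gif' => 'gif']; // sniffed MIME type => stored extension

function handle_upload(array $files, string $field): string
{
    if (!isset($files[$field]) || !is_array($files[$field])) {
        throw new RuntimeException('No file was submitted.');
    }
    $f = $files[$field];

    // 1. Check PHP's own error code before touching anything else.
    if ($f['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with error code ' . (int) $f['error']);
    }

    // 2. Confirm the temp path really is this request's upload and not a
    //    value smuggled into $_FILES some other way.
    if (!is_uploaded_file($f['tmp_name'])) {
        throw new RuntimeException('Temporary file is not a genuine upload.');
    }

    // 3. Size: measure the file on disk rather than trusting $f['size'].
    $size = filesize($f['tmp_name']);
    if ($size === false || $size === 0 || $size > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('File is empty or exceeds ' . MAX_UPLOAD_BYTES . ' bytes.');
    }

    // 4. Content type: $f['type'] is copied from the client's Content-Type header,
    //    so ignore it. Sniff the bytes with fileinfo, then make the image parser agree.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($f['tmp_name']);
    if ($mime === false || !array_key_exists($mime, ALLOWED_TYPES)) {
        throw new RuntimeException('Rejected content type: ' . var_export($mime, true));
    }
    $info = @getimagesize($f['tmp_name']);
    if ($info === false || $info['mime'] !== $mime) {
        throw new RuntimeException('File does not parse as a ' . $mime . ' image.');
    }

    // 5. Never reuse the client's filename. A random name with an extension we
    //    chose means "shell.php" can never land on disk under that name.
    $stored = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    $dest   = UPLOAD_DIR . DIRECTORY_SEPARATOR . $stored;

    if (!move_uploaded_file($f['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store the uploaded file.');
    }
    chmod($dest, 0640); // readable by the application user, never executable
    return $stored;
}

try {
    $name = handle_upload($_FILES, 'uploadedFile');
    echo 'Stored as ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
} catch (RuntimeException $e) {
    http_response_code(400);
    echo 'Upload rejected: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
}
```

Two design points are worth calling out. The MIME sniff and getimagesize() are both run, because a GIF header followed by PHP code will satisfy fileinfo on its own; requiring the image parser to agree raises the bar, though it is still not proof that the payload is harmless, which is why the stored file gets a fixed extension, a random name and a location the web server does not serve or execute. Serving the images back through a small read-only script (or a static directory with script execution disabled) keeps the upload directory from ever becoming a code-execution path.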
