Kyle Florence Web Designer


File uploading

  • Category: PHP
  • Date Published: January 3, 2004

This will be a tutorial on file uploading. Even if you don't know much about uploading files, this should help you get a better understanding. It should be made known before we start that having a file like this on your server could be very dangerous. Unless you want anyone to have uploading capabilities, I would suggest password protecting the folder this file is in, or creating some way for only you to access it (authentication, password protection, login, whatever).

First off, create a new file called 'upload.html' and put this in it:

<html>
<title>file uploading</title>
<body>
<table>
<form action="post.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="do" value="upload">
Title: <input type="text" name="name" size="20" maxlength="40"><br>
File: <input type="file" name="file"><br>
<input type="submit" value="Upload">
</form>
</table>
</body>
</html>

This is very basic (and non-W3C-compliant) code. You should have enough knowledge of HTML to know what most of this does, but I'll explain a few things. First, we set the form to go to post.php after a user clicks on the 'Upload' button. IMPORTANT - a common mistake that often causes file uploading not to work is forgetting to set the encoding type (enctype) to multipart/form-data. Another common error is forgetting to set the access rights of the folder you want to upload to: the web server must be able to write to it. CHMOD 777 will give read, write and execute access to everyone, so use it only when a narrower setting that still lets the web server user write is not available to you. Write access is required for your file to upload to the server!

Anyways, next we have a hidden field containing a variable "do" with value "upload" (because the form uses method="post", PHP will get this variable as $_POST['do']). This isn't really required in this instance because we are only doing one thing, but if you have multiple forms on one page it's a good way to distinguish between what's being submitted. The next two lines are input boxes, one for text and one for the file.

Okay, now we need the PHP. First, you need to find the absolute path to your file upload folder. If you don't know the absolute path, create a blank PHP file and put this in it:

<?php echo getcwd(); ?>

Name the file whatever you like (cwd.php works fine) and upload it into the same folder you want your files to be stored in. Load the page in your browser and it will print your absolute path. Now that you have your file storage location, create a blank PHP document called 'post.php' and insert this:

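<?php
// Absolute path to your upload folder.
$dir = '/home/usr/files/';

// The form uses method="post", so "do" arrives in $_POST, not $_GET.
if (isset($_POST['do']) && $_POST['do'] == 'upload') {
    // $_FILES replaces the deprecated (and since removed) $HTTP_POST_FILES array.
    $tmp = isset($_FILES['file']['tmp_name']) ? $_FILES['file']['tmp_name'] : '';
    if (is_uploaded_file($tmp)) {
        // basename() drops any directory part from the client-supplied name.
        $name = basename($_FILES['file']['name']);
        if (move_uploaded_file($tmp, $dir . $name)) {
            print 'File was successfully uploaded';
        } else {
            print 'File was not uploaded!';
        }
    } else {
        print 'File was not uploaded!';
        // Delete whatever was left in the temporary location, if anything.
        if ($tmp != '' && file_exists($tmp)) {
            unlink($tmp);
        }
    }
}
?>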

This is very basic, as there are several more options you could use (see: file uploading). The variable $dir is to be changed to whatever your absolute path is. OK, so this is how it works. First, we check to see if the "do" field is "upload" so we know that it's been triggered from the upload form. The next line makes sure that the file has been uploaded to the temporary directory, and if it has been, it will move it to the directory you specify. If it was not successful, it will tell you and unlink the file (delete what WAS uploaded, if anything). Otherwise, it will tell you the file has uploaded successfully and your new file should be stored in the specified upload folder.

There you have the basics of file uploading with PHP. A few things to keep in mind:

  1. Leaving a file upload form on your server in a non-secure location is a major security risk, as basically anyone can upload anything they want to your server and potentially cause damage. Keep the file in a private, secure location or take the necessary precautions against public file uploads.
  2. Most PHP configurations have a limit to the size of file uploads (generally around 2-4MB). This can be changed only if you have permission to access your PHP configuration file (php.ini) -- contact your host if you're on a public server.
  3. You should NEVER rely on client side verification for file types, file sizes, or anything else as this data is subject to modification by the user and is a major security concern. You can do client side verification first, but before any action is taken it should be re-verified server-side.
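
Point 3 in code form, as an added example that is not part of the original tutorial: the handler ignores the client-sent name, type and size and re-checks everything on the server. The function name safe_upload_name, the 2 MB limit and the MIME allow-list are assumptions made for illustration; $dir is the tutorial's placeholder path.

```php
<?php
// Added example, not the tutorial's code. Limit and allow-list are assumed values.
const MAX_BYTES = 2097152; // 2 MB
const ALLOWED = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'application/pdf' => 'pdf'];

// Validate one $_FILES entry from server-side facts only; returns a server-chosen name.
function safe_upload_name(array $f): string
{
    // The client-sent 'name', 'type' and 'size' fields are never consulted.
    if (!isset($f['error'], $f['tmp_name']) || is_array($f['error'])) {
        throw new RuntimeException('Malformed upload');
    }
    if ($f['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload error code ' . $f['error']);
    }
    $size = filesize($f['tmp_name']); // measured on disk, not taken from the request
    if ($size === false || $size === 0 || $size > MAX_BYTES) {
        throw new RuntimeException('Size not allowed');
    }
    // Detect the type from the file's content, not from its extension.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($f['tmp_name']);
    if ($mime === false || !isset(ALLOWED[$mime])) {
        throw new RuntimeException('Type not allowed: ' . $mime);
    }
    // Random name plus an extension picked by the server from the detected type.
    return bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && ($_POST['do'] ?? '') === 'upload') {
    $dir = '/home/usr/files/'; // same placeholder path as the tutorial
    try {
        $f = $_FILES['file'] ?? [];
        $name = safe_upload_name($f);
        // move_uploaded_file() refuses anything that is not a real HTTP upload.
        if (!move_uploaded_file($f['tmp_name'], $dir . $name)) {
            throw new RuntimeException('Could not store file');
        }
        print 'File was successfully uploaded';
    } catch (RuntimeException $e) {
        print 'File was not uploaded!';
        error_log('upload rejected: ' . $e->getMessage());
    }
} elseif (PHP_SAPI === 'cli') { // constructed sample: text file claiming to be a PNG
    $tmp = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($tmp, "plain text, not a PNG\n");
    $claim = ['error' => UPLOAD_ERR_OK, 'tmp_name' => $tmp, 'name' => 'cat.png', 'type' => 'image/png'];
    try { safe_upload_name($claim); echo "accepted\n"; }
    catch (RuntimeException $e) { echo 'rejected: ', $e->getMessage(), "\n"; }
    unlink($tmp);
}
```

Content-based type detection is not a guarantee on its own, so also keep the upload folder outside the web root or configure the server not to execute scripts from it.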
