PHP File Upload
File upload is one of the most important pieces of functionality provided by PHP. Giving users the option to upload files to your web server can invite trouble if you do not handle the uploads securely in PHP. The aim of this tutorial is to teach you how to handle PHP file uploads.
We will start with a very basic HTML form -
<form action="upload.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="MAX_FILE_SIZE" value="300000"/>
<input type="file" name="file" id="file" />
<input type="submit" name="submit" value="Upload a File" />
</form>
In the code given above -
- The enctype attribute of the <form> tag has been used and its value is multipart/form-data. This tells the browser that the data submitted is in binary form, which is required for the file contents to be sent.
- MAX_FILE_SIZE is a hidden input and its value, given in bytes, is used to decide the maximum allowable size of the uploaded file. Here it is 300kb. It has to be placed before the file input for PHP to apply it, and because it is sent by the browser the user can change it, so the size still has to be checked on the server.
- The form action is defined as upload.php. This is the URL to which the browser will be directed once the user clicks on the Upload a File button after choosing a file.
- The form method here is POST.
- The input of type file lets the user choose a file in the browser. Later on, the value of its name attribute will be used to access the various properties of the uploaded file and the file itself.
Save the code given above in a file named upload.html. Your form will look something like this -
Once the user clicks on the Upload a File button, all the form data will be submitted to upload.php and we can process the uploaded file data accordingly.
There are a number of reasons why you might want to validate and process the uploaded file data before actually saving the file on the server.
- Users can upload files containing malicious code, especially when the file has .exe as its extension. So we need to check the extension of the file after the user uploads it.
- Similarly, you might also want to put a restriction on the maximum allowed file size.
When the form is submitted, the uploaded file is first kept in a temporary folder on the server. It stays there while upload.php processes the data, and the code we write in upload.php then instructs the server to transfer the uploaded file to a permanent location.
To access the uploaded file's details we will be using $_FILES (a predefined PHP array). This is a two-dimensional array, i.e. each value is reached through two keys. The first key is the name of the file input, which in our case is simply file (see the HTML code above). The second key can be "name", "type", "size", "tmp_name" or "error". So we have -
- $_FILES["file"]["name"] - the name of the uploaded file, as sent by the browser
- $_FILES["file"]["type"] - the type of the uploaded file, as reported by the browser (PHP does not verify it)
- $_FILES["file"]["size"] - the size in bytes of the uploaded file
- $_FILES["file"]["tmp_name"] - the name of the temporary copy of the file stored on the server
- $_FILES["file"]["error"] - the error code resulting from the file upload
Now we can easily write the PHP code for upload.php. Check out the code given below -
<?php
/* Checking the reported type of the file and its size */
if ((($_FILES["file"]["type"] == "image/gif")
    || ($_FILES["file"]["type"] == "image/jpeg")
    || ($_FILES["file"]["type"] == "image/pjpeg"))
    && ($_FILES["file"]["size"] < 300000)) {
    /* Checking if some error took place while uploading the file; if not, we are good to go :-) */
    if (!$_FILES["file"]["error"]) {
        /* basename() drops any directory part of the name; htmlspecialchars() makes it safe to print */
        $name = basename($_FILES["file"]["name"]);
        $shown = htmlspecialchars($name);
        echo "File Name: " . $shown . "<br />";
        echo "File Type: " . htmlspecialchars($_FILES["file"]["type"]) . "<br />";
        echo "File Size: " . ($_FILES["file"]["size"] / 1024) . " Kb<br />";
        echo "Temp File Name: " . $_FILES["file"]["tmp_name"] . "<br />";
        if (file_exists("uploads/" . $name)) {
            echo $shown . " already exists. ";
        } else {
            /* Moving the file to another location which is permanent */
            move_uploaded_file($_FILES["file"]["tmp_name"], "uploads/" . $name);
            echo "Stored in: " . "uploads/" . $shown;
        }
    } else {
        echo "Some error took place while uploading the file. <br /> File Error Code: " . $_FILES["file"]["error"] . "<br />";
    }
} else {
    echo "Invalid file";
}
?>
Save this PHP code in a file named upload.php. First we check the type and size of the file being uploaded: it must be a gif or jpeg file and its size must be less than 300kb. If this whole set of conditions is true, we move on to check whether the file has been uploaded properly or not. Once this is done we use the move_uploaded_file() function to move the file to a permanent location. Here we are moving the file into the uploads folder. This folder must be present in the same folder in which upload.html and upload.php are present. If you are using a Linux system, make sure that the permission of this uploads folder is 777, otherwise the server will fail to move the file. Note that 777 makes the folder writable by every account on the machine; what the move itself needs is write access for the account the web server runs as.
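A stricter version of the same checks, added here as an example and not part of the original tutorial: it identifies the file from its contents and picks the stored name itself, because $_FILES["file"]["type"] and $_FILES["file"]["name"] are both supplied by the browser. The helper name store_uploaded_image() is hypothetical, the uploads/ folder and 300000-byte limit are carried over from the tutorial, and PHP's fileinfo extension is assumed to be enabled.

```php
<?php
// Added example, not the tutorial's own code. store_uploaded_image() is a hypothetical helper;
// "uploads/" and the 300000-byte limit follow the tutorial. Assumes the fileinfo extension.

function store_uploaded_image(array $file, string $destDir = "uploads/", int $maxBytes = 300000): string
{
    // Reject array-shaped (multi-file) submissions and anything PHP flagged as failed.
    if (!isset($file["error"]) || is_array($file["error"])) {
        throw new RuntimeException("Malformed upload");
    }
    if ($file["error"] !== UPLOAD_ERR_OK) {
        throw new RuntimeException("Upload failed with error code " . $file["error"]);
    }
    // Confirm the temporary file really arrived through an HTTP POST upload.
    if (!is_uploaded_file($file["tmp_name"])) {
        throw new RuntimeException("Not an uploaded file");
    }
    // Enforce the limit on the server; MAX_FILE_SIZE in the form can be changed by the client.
    $size = filesize($file["tmp_name"]);
    if ($size === false || $size === 0 || $size >= $maxBytes) {
        throw new RuntimeException("File is empty or too large");
    }
    // Detect the type from the file's bytes and map it to an extension chosen here.
    $allowed = ["image/gif" => "gif", "image/jpeg" => "jpg"];
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file["tmp_name"]);
    if ($mime === false || !isset($allowed[$mime])) {
        throw new RuntimeException("Only GIF and JPEG images are accepted");
    }
    // Server-generated name: the client's file name never reaches the filesystem.
    $target = rtrim($destDir, "/") . "/" . bin2hex(random_bytes(16)) . "." . $allowed[$mime];
    if (!move_uploaded_file($file["tmp_name"], $target)) {
        throw new RuntimeException("Could not move the uploaded file");
    }
    return $target;
}

if (isset($_FILES["file"])) {
    try {
        $stored = store_uploaded_image($_FILES["file"]);
        echo "Stored in: " . htmlspecialchars($stored);
    } catch (RuntimeException $e) {
        echo "Invalid file: " . htmlspecialchars($e->getMessage());
    }
}
```

Because the stored name is random, the file_exists() check from the tutorial is no longer needed, and an upload can never overwrite an earlier one.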