Wednesday, June 29, 2016

PHP File Upload

A very useful aspect of PHP is its ability to manage file uploads to your server. Allowing users to upload a file to your server opens a whole can of worms, so please be careful when enabling file uploads.

PHP - File Upload: HTML Form

Before you can use PHP to manage your uploads, you must first build an HTML form that lets users select a file to upload. See our HTML Form lesson for a more in-depth look at forms.

HTML Code:

<form enctype="multipart/form-data" action="uploader.php" method="POST">
<input type="hidden" name="MAX_FILE_SIZE" value="100000" />
Choose a file to upload: <input name="uploadedfile" type="file" /><br />
<input type="submit" value="Upload File" />
</form>

Here is a brief description of the important parts of the above code:

  • enctype="multipart/form-data" - Necessary for our to-be-created PHP file to function properly.
  • action="uploader.php" - The name of our PHP page that will be created, shortly.
  • method="POST" - Informs the browser that we want to send information to the server using POST.
  • input type="hidden" name="MA... - Sets the maximum allowable file size, in bytes, that can be uploaded. This safety mechanism is easily bypassed and we will show a solid backup solution in PHP. We have set the max file size to 100KB in this example.
  • input name="uploadedfile" - uploadedfile is how we will access the file in our PHP script.

Save that form code into a file and call it upload.html. If you view it in a browser it should look like this:

Display:

Choose a file to upload: [file selection field] [Upload File button]

After the user clicks submit, the data will be posted to the server and the user will be redirected to uploader.php. This PHP file is going to process the form data and do all the work.

PHP - File Upload: What's the PHP Going to Do?

Now that we have the right HTML form we can begin to code the PHP script that is going to handle our uploads. Typically, the PHP file should make a key decision with all uploads: keep the file or throw it away. A file might be thrown away for many reasons, including:

  • The file is too large and you do not want to have it on your server.
  • You wanted the person to upload a picture and they uploaded something else, like an executable file (.exe).
  • There were problems uploading the file and so you can't keep it.

This example is very simple and omits the code that would add such functionality.

PHP - File Upload: uploader.php

When the uploader.php file is executed, the uploaded file exists in a temporary storage area on the server. If the file is not moved to a different location it will be destroyed! To save our precious file we are going to need to make use of the $_FILES associative array.

The $_FILES array is where PHP stores all the information about files. There are two elements of this array that we will need to understand for this example.

  • uploadedfile - uploadedfile is the reference we assigned in our HTML form. We will need this to tell the $_FILES array which file we want to play around with.
  • $_FILES['uploadedfile']['name'] - name contains the original path of the user-uploaded file.
  • $_FILES['uploadedfile']['tmp_name'] - tmp_name contains the path to the temporary file that resides on the server. The file should exist on the server in a temporary directory with a temporary name.

Now we can finally start to write a basic PHP upload manager script! Here is how we would get the temporary file name, choose a permanent name, and choose a place to store the file.

PHP Code:

<?php
// Where the file is going to be placed
$target_path = "uploads/";
/* Add the original filename to our target path.
Result is "uploads/filename.extension" */
$target_path = $target_path . basename($_FILES['uploadedfile']['name']);
// Path of the temporary file that PHP created for this upload
$tmp_path = $_FILES['uploadedfile']['tmp_name'];

NOTE: You will need to create a new directory in the directory where uploader.php resides, called "uploads", as we are going to be saving files there.

We now have all we need to successfully save our file to the server. $target_path contains the path where we want to save our file to.

PHP - File Upload: move_uploaded_file Function

Now all we have to do is call the move_uploaded_file function and let PHP do its magic. The move_uploaded_file function needs to know 1) The path of the temporary file (check!) 2) The path where it is to be moved to (check!).

PHP Code:

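<?php
$target_path = "uploads/";
$target_path = $target_path . basename($_FILES['uploadedfile']['name']);
// move_uploaded_file() returns true only if the temporary file was moved
if (move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
    // Escape the client-supplied name before echoing it into the page
    echo "The file " . htmlspecialchars(basename($_FILES['uploadedfile']['name'])) .
        " has been uploaded";
} else {
    echo "There was an error uploading the file, please try again!";
}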

If the upload is successful, then you will see the text "The file filename has been uploaded". This is because move_uploaded_file returns true if the file was moved, and false if it had a problem. If there was a problem, then the error message "There was an error uploading the file, please try again!" would be displayed.

PHP - File Upload: Safe Practices!

Note: This script is for educational purposes only. We do not recommend placing this on a web page viewable to the public.

These few lines of code we have given you will allow anyone to upload data to your server. Because of this, we recommend that you do not have such a simple file uploader available to the general public. Otherwise, you might find that your server is filled with junk or that your server's security has been compromised.
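The keep-or-discard decision described earlier (file too large, wrong kind of file, upload problems), as an added example that is not part of the original tutorial. The names check_upload, MAX_BYTES and ALLOWED_TYPES and the image-only allow-list are assumptions made for illustration.

```php
<?php
// Added example, not the tutorial's code. MAX_BYTES, ALLOWED_TYPES and
// check_upload() are assumed names; needs PHP 7.1+ with the fileinfo extension.
const MAX_BYTES = 100000; // same 100KB limit as the form's MAX_FILE_SIZE
const ALLOWED_TYPES = [   // detected MIME type => extension the server assigns
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

// Returns [true, target path] to keep the file, or [false, reason] to discard it.
function check_upload(array $file): array
{
    // A field sent as uploadedfile[] yields arrays here; treat that as malformed.
    if (!isset($file['error'], $file['tmp_name']) || is_array($file['error'])) {
        return [false, 'malformed upload field'];
    }
    // "There were problems uploading the file".
    if ($file['error'] !== UPLOAD_ERR_OK) {
        return [false, 'upload error code ' . $file['error']];
    }
    // Accept only a temporary file PHP created for this request.
    if (!is_uploaded_file($file['tmp_name'])) {
        return [false, 'not an uploaded file'];
    }
    // Measure the file on the server; the hidden MAX_FILE_SIZE field is only a hint.
    $size = filesize($file['tmp_name']);
    if ($size === false || $size === 0 || $size > MAX_BYTES) {
        return [false, 'file is empty or too large'];
    }
    // Detect the type from the content, not from the client-sent name or type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $ext = is_string($mime) ? (ALLOWED_TYPES[$mime] ?? null) : null;
    if ($ext === null) {
        return [false, 'file type not allowed'];
    }
    // Server-generated name: the client's file name never reaches the file system.
    return [true, __DIR__ . '/uploads/' . bin2hex(random_bytes(16)) . '.' . $ext];
}

if (isset($_FILES['uploadedfile'])) {
    [$keep, $info] = check_upload($_FILES['uploadedfile']);
    if ($keep && move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $info)) {
        echo 'The file has been uploaded as ' . htmlspecialchars(basename($info));
    } else {
        echo 'There was an error uploading the file, please try again!';
    }
}
```

The reason string returned on rejection is meant for the server log; the user sees only the generic error message.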

We hope you enjoyed learning about how to work with uploading files with PHP. In the near future we will be adding an advanced lesson that will include more security and additional features!