Uploading files using PHP
1. The HTML Form
This script will allow you to upload files from
your browser to your hosting, using PHP. The first
thing we need to do is create an HTML form that
allows people to choose the file they want to
upload.

<form enctype="multipart/form-data" action="upload.php" method="POST">
    Please choose a file: <input name="uploaded" type="file" /><br />
    <input type="submit" value="Upload" />
</form>

This form sends data to the file "upload.php",
which is what we will be creating next to actually
upload the file.
2. Uploading the File
The actual file upload is very simple:

<?php
$target = "upload/";
$target = $target . basename($_FILES['uploaded']['name']);
$ok = 1;
// Move the file from PHP's temporary location into our upload folder
if (move_uploaded_file($_FILES['uploaded']['tmp_name'], $target)) {
    echo "The file " . basename($_FILES['uploaded']['name']) . " has been uploaded";
} else {
    echo "Sorry, there was a problem uploading your file.";
}
?>

This very small piece of code will
upload files sent to it by your HTML form.
The first line $target = "upload/";
is where we assign the folder that files will
be uploaded to. As you can see in the second line,
this folder is relative to the upload.php file.
So for example, if your file was at
www.yours.com/files/upload.php then it would upload
files to www.yours.com/files/upload/yourfile.gif.
Be sure you remember to create this folder!
We are not using $ok=1; at the moment
but we will later in the tutorial.
We then move the uploaded file to
where it belongs using move_uploaded_file().
This places it in the directory we specified at
the beginning of our script. If this fails the
user is given an error message, otherwise they
are told that the file has been uploaded.
3. Limit the File Size

// Size in bytes as reported by PHP for the uploaded temporary file
if ($_FILES['uploaded']['size'] > 350000) {
    echo "Your file is too large.<br>";
    $ok = 0;
}

Assuming that you didn't change the
form field in our HTML form (so it is still named
uploaded), this will check to see the size of
the file. If the file is larger than 350k, they
are given a file too large error, and we set $ok
to equal 0.
You can change this line to be a larger or smaller
size if you wish by changing 350000 to a different
number. Or if you don't care about file size,
just leave these lines out.
4. Limit Files by Type

// Note: this type is reported by the browser, not detected by the server
if ($_FILES['uploaded']['type'] == "text/php") {
    echo "No PHP files<br>";
    $ok = 0;
}

The code above checks to be sure the
user is not uploading a PHP file to your site.
If they do upload a PHP file, they are given an
error, and $ok is set to 0.

if (!($_FILES['uploaded']['type'] == "image/gif")) {
    echo "You may only upload GIF files.<br>";
    $ok = 0;
}

In our second example we only allow
users to upload .gif files, and all other types
are given an error before setting $ok to 0. You
can use these basic examples to allow or deny
any specific file types.
5. Putting It Together

<?php
$target = "upload/";
$target = $target . basename($_FILES['uploaded']['name']);
$ok = 1;

// This is our size condition
if ($_FILES['uploaded']['size'] > 350000) {
    echo "Your file is too large.<br>";
    $ok = 0;
}

// This is our limit file type condition (the type is supplied by the browser)
if ($_FILES['uploaded']['type'] == "text/php") {
    echo "No PHP files<br>";
    $ok = 0;
}

// Here we check that $ok was not set to 0 by an error
if ($ok == 0) {
    echo "Sorry your file was not uploaded";
}
// If everything is ok we try to upload it
else {
    if (move_uploaded_file($_FILES['uploaded']['tmp_name'], $target)) {
        echo "The file " . basename($_FILES['uploaded']['name']) . " has been uploaded";
    } else {
        echo "Sorry, there was a problem uploading your file.";
    }
}
?>

6. Final Thoughts
Obviously if you are allowing file uploads you
are leaving yourself open to people uploading
lots of undesirable things. One precaution is
not allowing them to upload any php, html, cgi,
etc. files that could contain malicious code.
This provides more safety but is not surefire
protection.
Another idea is to make the upload folder private,
so that only you can see it. Then once you have
seen what has been uploaded, you can approve (move)
it or remove it. Depending on how many files you
plan on receiving this could be time consuming
and impractical.
In short, this script is probably
best kept in a private folder. We don't recommend
putting it somewhere where the public can use
it, or you may end up with a server full of useless
or potentially dangerous files. If you really
want the general public to be able to utilize
your server space, we suggest writing in as much
security as possible.
7. Some Precautions To Make File Uploads With PHP Safer
When you allow users to upload files to your website,
you are putting yourself at a security risk. While
nobody is ever completely safe, here are some
precautions you can incorporate to make your site
safer.
Check the referrer:
Check to make sure that the information being
sent to your script is from your website and not
an outside source. While this information can
be faked, it's still a good idea to check.
Restrict file types:
You can check the mime-type and file extension
and only allow certain types to be uploaded.
Rename files:
You can rename the files that are uploaded. In
doing so, check for double-barrelled extensions
like yourfile.php.gif and eliminate extensions
you don't allow, or remove the file completely.
Change permissions:
Change the permissions on the upload folder so
that files within it are not executable.
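As an added example (not the tutorial's own code), here is an upload.php that applies the precautions above: it honours PHP's own upload error code, enforces the tutorial's 350000-byte limit, judges the file by its last extension against a short allow list, sniffs the real content with finfo instead of trusting the browser-supplied type, stores the file under a random name, and clears the execute bit. It assumes the form field is still named "uploaded" and that a directory called uploads_private (a hypothetical path) exists outside the web root; the referrer check is left out because, as the list notes, that header can be faked.

```php
<?php
// Added example, not the tutorial's code: upload.php with the precautions applied.
// Assumed: the form field is still "uploaded" and $storeDir exists outside the web root.
declare(strict_types=1);

const MAX_BYTES = 350000;   // same limit as the tutorial
// Allow list keyed by extension; the value is the MIME type the content must sniff as.
const ALLOWED = ['gif' => 'image/gif', 'png' => 'image/png', 'jpg' => 'image/jpeg'];

function store_upload(array $file, string $storeDir): string
{
    // Reject anything PHP itself flagged (partial upload, post_max_size exceeded, no file).
    $err = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($err !== UPLOAD_ERR_OK) {
        throw new RuntimeException("Upload failed with error code $err");
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('Your file is too large.');
    }
    // Judge by the last extension only, so "shell.gif.php" is seen as php (rejected)
    // and "shell.php.gif" as gif; the rename below discards the original name anyway.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        throw new RuntimeException('File type not allowed.');
    }
    // $file['type'] is whatever the browser claimed; sniff the temporary file instead.
    $sniffed = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($sniffed !== ALLOWED[$ext]) {
        throw new RuntimeException("Content type $sniffed does not match .$ext");
    }
    // Rename: a random name means nothing the user typed reaches the filesystem.
    $newName = bin2hex(random_bytes(16)) . '.' . $ext;
    $target = rtrim($storeDir, '/') . '/' . $newName;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Sorry, there was a problem uploading your file.');
    }
    chmod($target, 0644);   // readable, never executable
    return $newName;
}

try {
    // uploads_private is a hypothetical directory beside, not inside, the web root
    $stored = store_upload($_FILES['uploaded'] ?? [], __DIR__ . '/../uploads_private');
    echo 'Stored as ' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
} catch (RuntimeException $e) {
    http_response_code(400);
    echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
}
```

Because the stored file sits outside the web root, serving it back to users needs a separate read-only script rather than a direct URL, which is also where an approval step like the one in section 6 fits.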