Basic File Uploading Using PHP
I create a lot of websites that allow administrators to upload files to their own website. Since allowing user customization has become more and more important on websites these days, I thought I'd share how easy it is to handle file uploads in PHP.
The XHTML Form
<form action="accept-file.php" method="post" enctype="multipart/form-data">
	Your Photo: <input type="file" name="photo" size="25" />
	<input type="submit" name="submit" value="Submit" />
</form>
You'll need to use the multipart/form-data value for the form's enctype attribute. You'll also need at least one input element of the file type. The form's action attribute must provide a URL which points to a file containing the piece of PHP below.
The PHP
<?php
//if they DID upload a file...
if(!empty($_FILES['photo']['name']))
{
	//if no errors...
	if(!$_FILES['photo']['error'])
	{
		//assume the file is valid until one of the checks below fails
		$valid_file = true;
		//now is the time to modify the future file name and validate the file
		//'name' is the file name sent by the client; basename() strips any directory parts
		//the extension is still whatever the client sent, so validate the file before trusting it
		$new_file_name = strtolower(basename($_FILES['photo']['name'])); //rename file
		if($_FILES['photo']['size'] > (1024000)) //can't be larger than 1 MB
		{
			$valid_file = false;
			$message = 'Oops! Your file\'s size is too large.';
		}
		//if the file has passed the test
		if($valid_file)
		{
			//move it to where we want it to be
			move_uploaded_file($_FILES['photo']['tmp_name'], 'uploads/'.$new_file_name);
			$message = 'Congratulations! Your file was accepted.';
		}
	}
	//if there is an error...
	else
	{
		//set that to be the returned message
		$message = 'Ooops! Your upload triggered the following error: '.$_FILES['photo']['error'];
	}
}

//you get the following information for each file:
//$_FILES['field_name']['name']
//$_FILES['field_name']['size']
//$_FILES['field_name']['type']
//$_FILES['field_name']['tmp_name']
My commenting in the PHP above outlines the way the process works, so I'll just mention a few notes about file uploads in PHP:
- Many shared hosting servers allow a very low maximum file upload size. If you plan on accepting larger files, you should consider a dedicated or virtual dedicated server.
- To adjust the file upload size in PHP, modify the php.ini file's "upload_max_filesize" value. You can also adjust this value using PHP's ini_set() function.
- The file upload counts towards the hosting environment's $_POST size, so you may need to increase the php.ini file's post_max_size value.
- Be sure to do a lot of file validation when allowing users to upload files. How horrible would it be to allow a user to upload a .exe file to your server? They could do horrible things on the server.
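The last note asks for a lot of file validation. As an added example (not code from the original article), here is one way to validate the photo field by its content and store it under a server-chosen name. The allowlist of image types, the uploads directory and the helper name store_photo_upload are assumptions.

```php
<?php
// Added example, not the article's code. Assumed policy: JPEG, PNG and GIF only.
const MAX_BYTES = 1024000; // same 1 MB limit the article uses
const ALLOWED_TYPES = [    // detected MIME type => extension stored on disk
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

// Hypothetical helper: validates one $_FILES entry and returns the stored path.
function store_photo_upload(array $file, string $destDir): string
{
    // A crafted request can turn 'error' into an array; accept only a plain UPLOAD_ERR_OK.
    if (!isset($file['error']) || is_array($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('The upload failed or was malformed.');
    }
    // 'size' is measured by PHP itself, unlike 'name' and 'type', which the client sends.
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('Your file is too large.');
    }
    // Identify the type from the file's bytes instead of trusting $file['type'].
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!is_string($mime) || !isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException('Only JPEG, PNG and GIF images are accepted.');
    }
    // getimagesize() returns false when the content does not parse as an image.
    if (getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('The file is not a readable image.');
    }
    // Server-generated name: nothing from the client reaches the path, and the
    // extension comes from the allowlist, so a script extension is never written.
    $target = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    // move_uploaded_file() refuses any path that did not arrive as an HTTP upload.
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('The file could not be stored.');
    }
    return $target;
}

if (isset($_FILES['photo'])) {
    try {
        $path = store_photo_upload($_FILES['photo'], __DIR__ . '/uploads');
        $message = 'Congratulations! Your file was accepted.';
    } catch (RuntimeException $e) {
        $message = 'Oops! ' . $e->getMessage();
    }
}
```

It needs PHP 7 or later with the fileinfo extension, and it assumes the uploads directory already exists and is writable by the web server.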
@Binny: Great work!
Greetings!
I’m a big admirer of your site David, you always get the important code or meaning across without distracting filler. It’s great :)
A couple of points regarding the above PHP upload script:
i) $valid_file is never declared true, so I added the following just before the 'if($valid_file)'.
ii) I was unable to get it working with strtolower and the uploads/ directory but this worked for me:
Thanks again, have fun :D
Dave,
Thanks for your points man! 2nd point helped me big time!
This comment particularly was really helpful. Great blog article and great tips from the audience. Got the file upload working. Super cool!
Anyone have any best practices for testing against malicious uploads or “fake” images?
//if they DID upload a file...
if($_FILES['photo']['name'])
{
	//if no errors...
	if(!$_FILES['photo']['error'])
	{
		//now is the time to modify the future file name and validate the file
		$new_file_name = strtolower($_FILES['photo']['tmp_name']); //rename file
		if($_FILES['photo']['size'] > (1024000)) //can't be larger than 1 MB
		{
			$valid_file = false;
			$message = 'Oops! Your file\'s size is too large.';
		}
		//if the file has passed the test
		if($valid_file)
		{
			//move it to where we want it to be
			move_uploaded_file($_FILES['photo']['tmp_name'], 'uploads/'.$new_file_name);
			$message = 'Congratulations! Your file was accepted.';
		}
	}
	//if there is an error...
	else
	{
		//set that to be the returned message
		$message = 'Ooops! Your upload triggered the following error: '.$_FILES['photo']['error'];
	}
}
//you get the following information for each file:
$_FILES['field_name']['name']
$_FILES['field_name']['size']
$_FILES['field_name']['type']
$_FILES['field_name']['tmp_name']
$allowedExts = array("jpg", "jpeg", "gif", "png");
$extension = end(explode(".", $_FILES["file"]["name"]));
if ((($_FILES["file"]["type"] == "image/gif")
|| ($_FILES["file"]["type"] == "image/jpeg")
|| ($_FILES["file"]["type"] == "image/png")
|| ($_FILES["file"]["type"] == "image/pjpeg"))
&& ($_FILES["file"]["size"] 0)
{
$msg = "Error while upload!!! Return Code: " . $_FILES["file"]["error"];
}
else
{
$downloadspath = MAIN_PATH . "downloads/";
$filename = $_FILES["file"]["name"];
$filetype = $_FILES["file"]["type"];
$filesize = ($_FILES["file"]["size"] / 1024) . " kB";
if (file_exists("downloads/" . $_FILES["file"]["name"]))
{
echo $_FILES["file"]["name"] . " already exists. ";
}
else
{
move_uploaded_file($_FILES["file"]["tmp_name"], $downloadspath . $_FILES["file"]["name"]);
echo "Stored in: ". MAIN_PATH . "downloads/" . $_FILES["file"]["name"];
}
$q = "INSERT INTO downloads (title ,filename ,filesize, filetype )VALUES ('$filetitle', '$filename', '$filesize', '$filetype')";
mysql_query($q);
}
}
else
{
$msg = "Invalid file!!!";
}
Great tutorial; however, after I upload my files I can't access my images.
Why is this?
Help please.
Great tutorial. Thanks for your work. It helped me a lot to learn about the PHP file uploading process very easily. Especially the commenting inside the code is so cool.
Tried using the code above. It works on my localhost but it's not working on the online server, especially the move_uploaded_file statement. The file is not saving to the folder I specified.
this is the code
<?php
echo "";
echo "Client Filename: " . $_FILES["fileToUpload"]["name"] . "";
echo "File Type: " . $_FILES["fileToUpload"]["type"] . "";
echo "File Size: " . ($_FILES["fileToUpload"]["size"] / 1024) . " Kb";
echo "Name of Temp File: " . $_FILES["fileToUpload"]["tmp_name"] . "";
echo "";
move_uploaded_file($_FILES["fileToUpload"]["tmp_name"], "user/" . $_FILES["fileToUpload"]["name"]);
?>
I think you should correct this code
move_uploaded_file($_FILES['photo']['tmp_name'], 'uploads/'.$new_file_name);
and make it
move_uploaded_file($_FILES['photo']['name'], 'uploads/'.$new_file_name);
Hello
I am getting an error here
if($_FILES['photo']['size'] > (1024000))
From this line the entire code is displaying
Can anyone help me?
Hello
Help me to sort out my problem.
I can upload an image on localhost but am not able to upload on the hosted server.
Output of print_r($_FILES) is
Should be
Easy explanation. There is also a short and easy tutorial on how to upload images to a database and server on TalkersCode.com http://talkerscode.com/webtricks/upload%20image%20to%20database%20and%20server%20using%20HTML,PHP%20and%20MySQL.php
Well written, but when I read your code and tried to execute it, I found a mistake in one place: you should use $_FILES['photo']['name'] instead of tmp_name when you set $new_file_name the first time. Thanks for posting.
Also, to prevent diacritics that can cause some trouble, you can use the function below:
Awesome, well written tutorial man, thanks a lot
Hi David, thanks for the tutorial, it's really good. It was working for me for a while, but suddenly
does not detect the file, no matter what I try. In my error.log I get the error 'Undefined index'. Any ideas?
Did you try using isset($_FILES['photo']['name'])? The problem happens because the name field is not set before the form is submitted.
The variable photo is the name="" attribute on your input[type="file"] HTML element. So it is likely that you changed the name of your element, thus $_FILES cannot find your item. Change photo to the name="something" name of your element, or add photo as in,
$_FILES['photo']['tmp_name'] gives a path which can't be used properly to create the final file name in move_uploaded_to.
This example helped me a lot thanks man!
I found this file upload functionality a nightmare when I started my web development career. I wish this article had been written earlier.
Thanks David :)