Uploading Files with PHP

A handy trick with PHP is letting users upload files to your server from a web browser. The form itself is plain HTML; PHP is what receives the file on the server, and that is where you can put limits and security on the upload. Warning: if you put this code on your page without also putting some security around it, anyone who finds the page can upload any file they want to your web server, and if the upload directory is under the web root, a file ending in .php can then be run just by requesting its URL. Your easiest way out is to put this script on a page that is behind some password protection.

Like all other PHP scripts, the uploading script is embedded in standard HTML.

<form enctype="multipart/form-data" action="upload.php" method="POST">
<input type="hidden" name="MAX_FILE_SIZE" value="100000" />
What's the name of the file you want to upload? <input name="newfile" type="file" />
<input type="submit" value="Upload File" />
</form>

This is all standard HTML form code. In case you don't use forms, this is what the different parts mean:

enctype="multipart/form-data" tells the browser to encode the submission so that a binary file can travel along with it; without it PHP receives the filename but no file contents.

action="upload.php" names the script that will receive the submission, and method="POST" sends the data in the request body rather than in the URL.

The hidden MAX_FILE_SIZE field (it must come before the file input) asks PHP to reject files larger than 100000 bytes. It is only a hint: anyone can save the page, delete that line and submit the form anyway, so the real size check has to live in upload.php.

<input name="newfile" type="file" /> is the file picker; "newfile" is the key your script will use to find the file in $_FILES.

The submit button sends the form.

Once this form code is finished and placed in a regular web page, save it. Ours is saved as upload.html.

When a user opens this page, they will see your question, a blank with a Browse button next to it for picking a file from their own hard drive, and an Upload File button - about as simple as it gets. The user selects the file they want and clicks the button.

At this point, your server takes over. The browser posts the form data, file included, to upload.php, the script you're going to create now. In this file, your form data is processed and the uploaded file is moved to its proper location on your server.

Creating upload.php

Your PHP script would normally perform two basic tasks: decide whether to keep or discard the file, depending on how big it is and what type it is, and decide where to store it. The version built here only does the second part: it stores the file.

When the form is submitted, PHP writes the uploaded file to a temporary file on the server (in the directory set by upload_tmp_dir in php.ini). It is not moved to permanent storage unless your PHP script takes action; PHP deletes the temporary file as soon as the request finishes, so if your script doesn't move it, it vanishes.

Your PHP script is going to use the $_FILES associative array to find out where that temporary file is and what it was called.

$_FILES Array

This array is where PHP stores all information about files received with the current request. It is indexed by the form field name, so everything about our file lives under $_FILES['newfile']. The two elements and one variable you need to understand are:

$_FILES['newfile']['name'] - the original filename as the browser reported it. This value comes from the client, so treat it as untrusted: it can be anything, including names like ../../x or shell.php.

$_FILES['newfile']['tmp_name'] - the path of the temporary file PHP created on the server. This is the file you will move.

newfile - the value of the name attribute on the file input in upload.html. If you rename the field in the form, you must rename it in the script as well.

(The same sub-array also carries 'size', the byte count PHP received, 'type', the content type the browser claimed, and 'error', which is UPLOAD_ERR_OK when the upload succeeded. A more careful script checks 'error' and 'size' before doing anything else.)

Now that you know what your variables are, you can write your PHP upload manager script.

// This tells the server where you're going to put the new file
$target_path = "uploads/";

/* This part gives your new file a name on the server,
 with the structure "uploads/filename.extension" */
$target_path = $target_path . basename($_FILES['newfile']['name']);

// And this is where PHP has parked the uploaded file for the moment
$temp_path = $_FILES['newfile']['tmp_name'];

Before you can successfully run this script, you need to create a new directory where you want your uploaded files to go. Because "uploads/" is a relative path, it will need to be in the same directory that your upload script is saved in, and because of the way the script above is written, its name will need to be "uploads". The web server's user also needs write permission on it, or the move will fail. Keep in mind that a directory under the web root is also a directory the web server will serve, and execute if it holds PHP files; that is the root of the problem discussed at the end of this article.

The function you are going to call is PHP's built-in move_uploaded_file. It needs to know the path of the temporary file (you just told it) and the path it should be moved to (and you told it this as well). Unlike a plain rename or copy, it refuses to touch anything that was not actually uploaded in the current request, so it can't be tricked into moving some other file on your server.

Your new code will be:

$target_path = "uploads/";

$target_path = $target_path . basename($_FILES['newfile']['name']);

if (move_uploaded_file($_FILES['newfile']['tmp_name'], $target_path)) {
    echo "File " . htmlspecialchars(basename($_FILES['newfile']['name'])) . " has been uploaded";
} else {
    echo "There was an error uploading this file; please try again!";
}

This is very straightforward code. You've named your variables already. The first line sets the directory the file will go into. The second line builds the full target path by appending the original filename; basename() strips any directory part from that name, so a name like "../../evil.txt" cannot climb out of the uploads directory.

The "if" statement calls move_uploaded_file and returns a message to you to tell you whether the file has been successfully moved or not. The filename is passed through htmlspecialchars() before it is echoed, because it came from the client and could otherwise contain HTML or script that the browser would render.

The Problem With This Code

As was mentioned earlier in this document, this code, if you just put it on a public page, will let anyone upload files to your server, including malicious executables. Because the file keeps the name the client chose and lands inside the web root, an attacker can upload shell.php and then simply request /uploads/shell.php to run it. Never put this on a public area. Instead, place it in a private part of your website that is only available to those with a password, or put it on a secure intranet.

There are things you can add to this code to make it both more secure and more robust: checking the 'error' and 'size' elements of $_FILES before doing anything, allowing only certain file types (and verifying the file's actual contents rather than trusting its extension), giving the stored file a name you generate rather than the one the client sent, and keeping the upload directory outside the web root so nothing in it can be executed. Those checks are beyond what this article walks through in detail.
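Below is a hardened version of upload.php that adds the checks the sections "Creating upload.php" and "The Problem With This Code" leave out. It is an added example, not the article's own script. It assumes the form field is still called "newfile", that a directory named private_uploads exists one level above the script and is writable by the web server but outside the document root (the path and directory name are assumptions; adjust them for your server), and that only PNG, JPEG and PDF files should be accepted.

```php
<?php
// Hardened upload handler: added example, not the article's original script.
// Assumptions: form field "newfile" (as in upload.html), and a storage
// directory that exists, is writable by the web server, and is NOT under the
// document root, so nothing stored there can be served or executed directly.
declare(strict_types=1);

$store_dir = __DIR__ . '/../private_uploads';   // assumed location, outside web root
$max_bytes = 100000;                            // same limit the form advertises
$allowed   = [                                  // extension => expected real MIME type
    'png' => 'image/png',
    'jpg' => 'image/jpeg',
    'pdf' => 'application/pdf',
];

function reject(string $why): void {
    http_response_code(400);
    echo 'Upload rejected: ' . htmlspecialchars($why, ENT_QUOTES, 'UTF-8');
    exit;
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !isset($_FILES['newfile'])) {
    reject('no file submitted');
}
if (!is_dir($store_dir)) {
    reject('storage directory is missing');
}
$f = $_FILES['newfile'];

// 1. PHP reports upload problems in 'error'; never act on a partial or failed upload.
if ($f['error'] !== UPLOAD_ERR_OK) {
    reject('upload error code ' . (int) $f['error']);
}

// 2. Only handle a file PHP itself received over HTTP, not an arbitrary server path.
if (!is_uploaded_file($f['tmp_name'])) {
    reject('not an uploaded file');
}

// 3. Enforce the size limit server-side; the hidden MAX_FILE_SIZE field is only a hint.
if ($f['size'] > $max_bytes || filesize($f['tmp_name']) > $max_bytes) {
    reject('file too large');
}

// 4. Allowlist the extension taken from the client-supplied name...
$ext = strtolower(pathinfo($f['name'], PATHINFO_EXTENSION));
if (!isset($allowed[$ext])) {
    reject('file type not permitted');
}

// 5. ...and check the actual bytes, since the name (and $f['type']) are attacker-controlled.
$finfo = new finfo(FILEINFO_MIME_TYPE);
if ($finfo->file($f['tmp_name']) !== $allowed[$ext]) {
    reject('content does not match extension');
}

// 6. Never reuse the client's filename: it can carry path separators, odd characters
//    or a double extension such as "shell.php.png". Generate our own name instead.
$stored_name = bin2hex(random_bytes(16)) . '.' . $ext;
$target = $store_dir . '/' . $stored_name;

if (!move_uploaded_file($f['tmp_name'], $target)) {
    reject('could not store file');
}
chmod($target, 0640);   // readable by the server, never executable

echo 'Stored as ' . htmlspecialchars($stored_name, ENT_QUOTES, 'UTF-8');
```

The order of the checks matters: the cheap ones (error code, size) run before the file is opened for content sniffing, and the client-supplied name is used only to pick an extension from the allowlist, never as part of the stored path. Because the file is renamed and lives outside the web root, even a file that passes the MIME check but also contains PHP code is just inert bytes on disk; if you need to serve uploads back to users, do it through a PHP script that reads the file and sets the Content-Type header, rather than by exposing the directory.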