Upload Files in PHP
The various HTML form fields that we've studied so far have dealt only
with text-based data. HTML supports another variation of the INPUT tag to
support uploading file-based data to the server. This includes both text
files and binary files.
enctype="multipart/form-data" is required in order for the browser to properly send binary-based files, such as graphics.
The MAX_FILE_SIZE hidden field (measured in bytes) must precede the file input field, and its value is the maximum file size accepted. This is an advisory to the browser; PHP also checks it. Fooling this setting on the browser side is quite easy, so never rely on this feature to block files of a greater size. The PHP settings for maximum size, however, cannot be fooled. This form element should always be used, as it saves users the trouble of waiting for a big file to be transferred only to find that it was too big and the transfer failed.
Any number of type=file form fields can be included in a single form. There is no mechanism, however, to simplify the process of uploading multiple files via the local filelist dialog.
Accessing Uploaded Files in PHP:
Starting with PHP version 4.1, a superglobal array $_FILES is provided that stores information about files that are uploaded via the type=file field.
Dealing with File Uploads
The function is_uploaded_file(string filename) can be used to determine if the file named was uploaded via HTTP POST. The function returns TRUE if it was; FALSE otherwise. This is useful to help ensure that a malicious user hasn't tried to trick the script into working on files upon which it should not be working -- for instance, /etc/passwd. This sort of check is especially important if there is any chance that anything done with uploaded files could reveal their contents to the user, or even to other users on the same system.
After it is determined that the value was actually uploaded, you can use the function:
move_uploaded_file (string filename, string destination)
This function checks to ensure that the file designated by filename is a valid upload file (meaning that it was uploaded via PHP's HTTP POST upload mechanism). If the file is valid, it will be moved to the filename given by destination.
If filename is not a valid upload file, then no action will occur, and it will return FALSE.
If filename is a valid upload file, but cannot be moved for some reason, no action will occur, and move_uploaded_file() will return FALSE. Additionally, a warning will be issued.
Files will be stored in the server's default temporary directory by default, unless another location has been given with the upload_tmp_dir directive in php.ini. The server's default directory can be changed by setting the environment variable TMPDIR in the environment in which PHP runs. Setting it using putenv() from within a PHP script will not work. This environment variable can also be used to make sure that other operations are working on uploaded files, as well.
// Move the uploaded file from the temporary directory
// to the user's location
$uploaddir = '/var/www/uploads/';
// basename() strips any directory components from the client-supplied name
$uploadfile = $uploaddir . basename($_FILES['userfile']['name']);
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
    echo "File is valid, and was successfully uploaded.\n";
} else {
    echo "Move of uploaded file failed.\n";
}
You could use the $_FILES['fieldname']['size'] variable to throw away any files that are either too small or too big. You could use the $_FILES['fieldname']['type'] variable to throw away any files that didn't match a certain type criteria. As of PHP 4.2.0, you could use $_FILES['fieldname']['error'] and plan your logic according to the error codes. Whatever the logic, you should either delete the file from the temporary directory or move it elsewhere.
If no file is selected for upload in your form, PHP will return $_FILES['fieldname']['size'] as 0, and $_FILES['fieldname']['tmp_name'] as none. The file will be deleted from the temporary directory at the end of the request if it has not been moved away or renamed.
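The error, size and type checks described above, combined into one handler as an added example (not code from the original page). The 1 MiB limit, the image allow-list, the store_upload() name and the use of the fileinfo extension are assumptions; the userfile field and /var/www/uploads directory follow the snippet above. The type is detected from the file content because $_FILES['fieldname']['type'] is supplied by the browser.

```php
<?php
// Added example; the limit and allow-list below are assumptions, not from the page.
const MAX_BYTES = 1048576; // assumed 1 MiB limit
const ALLOWED = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];

// Validate one $_FILES entry and move it into $uploadDir; returns the stored path.
function store_upload(array $file, string $uploadDir): string
{
    // A non-integer 'error' means the field arrived in an unexpected shape (e.g. userfile[]).
    if (!isset($file['error']) || !is_int($file['error'])) {
        throw new RuntimeException('Malformed upload parameters.');
    }
    switch ($file['error']) {
        case UPLOAD_ERR_OK: break;
        case UPLOAD_ERR_NO_FILE: throw new RuntimeException('No file was selected.');
        case UPLOAD_ERR_INI_SIZE:
        case UPLOAD_ERR_FORM_SIZE: throw new RuntimeException('File exceeds the size limit.');
        default: throw new RuntimeException('Upload failed, error code ' . $file['error']);
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an HTTP POST upload.');
    }
    // MAX_FILE_SIZE in the form is only advisory, so enforce the limit on the file itself.
    $size = filesize($file['tmp_name']);
    if ($size === false || $size === 0 || $size > MAX_BYTES) {
        throw new RuntimeException('File size out of range.');
    }
    // $file['type'] is sent by the browser; detect the type from the content instead.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime === false || !isset(ALLOWED[$mime])) {
        throw new RuntimeException('File type not allowed.');
    }
    // Store under a server-generated name so $file['name'] never reaches the filesystem.
    $dest = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Move of uploaded file failed.');
    }
    return $dest;
}

try {
    $path = store_upload($_FILES['userfile'] ?? [], '/var/www/uploads');
    echo "File is valid, and was stored as " . basename($path) . "\n";
} catch (RuntimeException $e) {
    http_response_code(400);
    echo $e->getMessage() . "\n";
}
```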
A File Upload Extension
One concern people have for using file uploads in this manner is the lack of interaction while the upload is occurring. If you're uploading a relatively large file, the lack of interaction can be confusing to the user. A free package is available, however, that provides a progress bar while a file is uploaded. This code can be found here: