Renaming Visitor Uploads in PHP

Woman working outside on a laptop — Electra K. Vasileiadou/Getty Images

By

Updated on January 09, 2019

When you allow visitors to your website to upload files, you may want to rename the files to something random, which you can do with PHP. This prevents people from uploading files with the same name and overwriting each other's files.

Uploading the File

The first thing to do is allow a visitor to your website to upload a file. You can do that by placing this HTML on any of your web pages that you want the visitor to be able to upload from.

<form enctype="multipart/form-data" action="upload.php" method="POST">
Please choose a file: <input name="uploaded" type="file" /><br />
<input type="submit" value="Upload" />
</form>

This code is separate from the PHP in the rest of this article. It points to a file called upload.php. However, if you save your PHP by a different name, you should change it to match.

Finding the Extension

Next, you need to look at the file name and extract the file extension. You'll need it later when you assign it a new name.

<?php
//This function separates the extension from the rest of the file name and returns it
function findexts ($filename)
{
$filename = strtolower($filename) ;
$exts = split("[/\\.]", $filename) ;
$n = count($exts)-1;
$exts = $exts[$n];
return $exts;
}
//This applies the function to our file
$ext = findexts ($_FILES['uploaded']['name']) ;

A Random File Name

This code uses the rand () function to generate a random number as the file name. Another idea is to use the time () function so that each file is named after its timestamp. The PHP then combines this name with the extension from the original file and assigns the subdirectory ... make sure this exists!

//This line assigns a random number to a variable. You could also use a timestamp here if you prefer.
$ran = rand () ;

//This takes the random number (or timestamp) you generated and adds a . on the end, so it is ready for the file extension to be appended.
$ran2 = $ran.".";

//This assigns the subdirectory you want to save into... make sure it exists!
$target = "images/";

//This combines the directory, the random file name and the extension $target = $target . $ran2.$ext;

Saving the File With the New Name

Finally, this code saves the file with its new name onto the server. It also tells the user what it is saved as. If there is a problem doing this, an error is returned to the user.

if(move_uploaded_file($_FILES['uploaded']['tmp_name'], $target))
{
echo "The file has been uploaded as ".$ran2.$ext;
}
else
{
echo "Sorry, there was a problem uploading your file.";
}
?>

Other features such as limiting files by size or restricting certain file types can also be added to this script if you choose.

Limiting File Size

Assuming that you didn't change the form field in the HTML form—so it is still named "uploaded"—this code checks to see the size of the file. If the file is larger than 250k, the visitor sees a "file too large" error, and the code sets $ok to equal 0.

if ($uploaded_size > 250000)
{
echo "Your file is too large.<br>";
$ok=0;
}

You can change the size limitation to be larger or smaller by changing 250000 to a different number.

Limiting File Type

Setting restrictions on the types of files that can be uploaded is a good idea for security reasons. For example, this code checks to be sure the visitor is not uploading a PHP file to your site. If it is a PHP file, the visitor is given an error message, and $ok is set to 0.

if ($uploaded_type =="text/php")
{
echo "No PHP files<br>";
$ok=0;
}

In this second example, only GIF files can be uploaded to the site, and all other types receive an error before setting $ok to 0.

if (!($uploaded_type=="image/gif")) {
echo "You may only upload GIF files.<br>";
$ok=0;
}

You can use these two examples to allow or deny any specific file types.