Allow File Uploads With PHP

The HTML Form

If you want to allow visitors to your website to upload files to your web server, you first need an HTML form that lets people choose the file they want to upload; the PHP script that receives the file comes afterwards. Although the complete code is assembled later in this article (along with some warnings about security), this portion should look like this:

<form enctype="multipart/form-data" action="upload.php" method="POST">
    Please choose a file: <input name="uploaded" type="file" /><br />
    <input type="submit" value="Upload" />
</form>

This form sends data to your web server to the file named "upload.php," which is created in the next step.

Uploading the File

The actual file upload is simple. This small piece of code uploads files sent to it by your HTML form.

<?php
// Folder where uploaded files are stored, relative to this script.
$target = "upload/";
// Append the file name the browser sent (basename() strips any path part).
$target = $target . basename($_FILES['uploaded']['name']);
$ok = 1;
// Move the file from PHP's temporary location into the target folder.
if (move_uploaded_file($_FILES['uploaded']['tmp_name'], $target)) {
    echo "The file " . basename($_FILES['uploaded']['name']) . " has been uploaded";
} else {
    echo "Sorry, there was a problem uploading your file.";
}
?>

The first line $target = "upload/"; is where you assign the folder where files are uploaded. As you can see in the second line, this folder is relative to the upload.php file. If your file is at www.yours.com/files/upload.php, then it would upload files to www.yours.com/files/upload/yourfile.gif. Be sure you remember to create this folder.

Then, you move the uploaded file to where it belongs using move_uploaded_file(). This places it in the directory specified at the beginning of the script. If this fails, the user is given an error message; otherwise, the user is told that the file has been uploaded.

Limit the File Size

You may want to limit the size of files being uploaded to your website. Assuming that you didn't change the form field in the HTML form—so it is still named "uploaded"—this code checks the size of the file. If the file is larger than 350k, the visitor is given a "file too large" error, and the code sets $ok to 0.

// Size in bytes of the file PHP received, taken from the $_FILES array.
if ($_FILES['uploaded']['size'] > 350000) {
    echo "Your file is too large.<br>";
    $ok = 0;
}

You can change the size limitation to be larger or smaller by changing 350000 to a different number. If you don't care about file size, leave these lines out.

Limit Files by Type

Setting restrictions on the types of files that can be uploaded to your site and blocking certain file types from being uploaded are both wise.

For example, this code checks to be sure the visitor is not uploading a PHP file to your site. If it is a PHP file, the visitor is given an error message, and $ok is set to 0.

// The MIME type in $_FILES is whatever the browser reported; PHP does not verify it.
if ($_FILES['uploaded']['type'] == "text/php") {
    echo "No PHP files<br>";
    $ok = 0;
}

In this second example, only GIF files are allowed to be uploaded to the site; all other types are given an error before $ok is set to 0.

// Again, the type is the browser-reported value from $_FILES.
if (!($_FILES['uploaded']['type'] == "image/gif")) {
    echo "You may only upload GIF files.<br>";
    $ok = 0;
}

You can use these two examples to allow or deny any specific file types.

Putting It All Together

Putting it all together, you get this:

<?php
$target = "upload/";
$target = $target . basename($_FILES['uploaded']['name']);
$ok = 1;

// This is our size condition
if ($_FILES['uploaded']['size'] > 350000) {
    echo "Your file is too large.<br>";
    $ok = 0;
}

// This is our limit file type condition (the type is the value the browser reported)
if ($_FILES['uploaded']['type'] == "text/php") {
    echo "No PHP files<br>";
    $ok = 0;
}

// Here we check that $ok was not set to 0 by an error
if ($ok == 0) {
    echo "Sorry, your file was not uploaded";
}
// If everything is ok we try to upload it
else {
    if (move_uploaded_file($_FILES['uploaded']['tmp_name'], $target)) {
        echo "The file " . basename($_FILES['uploaded']['name']) . " has been uploaded";
    } else {
        echo "Sorry, there was a problem uploading your file.";
    }
}
?>

Before you add this code to your website, you need to understand the security implications outlined in the final section.

Final Thoughts About Security

If you allow file uploads, you leave yourself open to people willing to upload undesirable things. One wise precaution is not to allow the upload of any PHP, HTML or CGI files, which could contain malicious code. This provides some safety, but it is not sure-fire protection.

Another precaution is to make the upload folder private so that only you can see it. Then when you see the upload, you can approve—and move it—or remove it. Depending on how many files you expect to receive, this could be time-consuming and impractical.

This script is probably best kept in a private folder. Don't put it somewhere where the public can use it, or you may end up with a server full of useless or potentially dangerous files. If you really want the general public to be able to upload to your server space, write in as much security as possible.
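As an added example that is not part of the original article, here is a version of upload.php that applies the size and type precautions from steps 03, 04 and 06 on the server side rather than trusting the file name and MIME type the browser sends. It assumes the form from step 01 (field "uploaded"), PHP's fileinfo extension, and an already existing directory private_uploads (a placeholder path) outside the web root.

```php
<?php
// Added example (not the article's own code): a hardened upload.php that
// validates server-side instead of trusting the browser-supplied file name
// and MIME type. Assumes the form from step 01 (field "uploaded"), the
// fileinfo extension, and an existing directory $store outside the web root.
declare(strict_types=1);
const MAX_BYTES = 350000;   // same limit as the article's size check
// Detected MIME type => extension the stored file will get.
const ALLOWED = ['image/gif' => 'gif', 'image/png' => 'png', 'image/jpeg' => 'jpg'];
function fail(string $msg): void
{
    http_response_code(400);
    exit(htmlspecialchars($msg));
}
$store = __DIR__ . '/../private_uploads';   // assumed path, not reachable by URL

if (!isset($_FILES['uploaded']) || !is_array($_FILES['uploaded'])) {
    fail('No file field in request.');
}
$f = $_FILES['uploaded'];

// 1. PHP's own upload status, and proof the temp file came from this request.
if ($f['error'] !== UPLOAD_ERR_OK) {
    fail('Upload failed (code ' . (int) $f['error'] . ').');
}
if (!is_uploaded_file($f['tmp_name'])) {
    fail('Not an uploaded file.');
}

// 2. Size limit on the bytes actually received.
if (filesize($f['tmp_name']) > MAX_BYTES) {
    fail('Your file is too large.');
}

// 3. Type by content sniffing; $f['type'] is set by the client and ignored here.
$mime = (new finfo(FILEINFO_MIME_TYPE))->file($f['tmp_name']);
if ($mime === false || !array_key_exists($mime, ALLOWED)) {
    fail('You may only upload GIF, PNG or JPEG images.');
}

// 4. Random server-chosen name with the extension matching the detected type,
//    so the client's file name (and its extension) never reaches the disk.
$name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
if (!move_uploaded_file($f['tmp_name'], $store . '/' . $name)) {
    fail('Sorry, there was a problem uploading your file.');
}
chmod($store . '/' . $name, 0600);   // stored as plain data, never executable
echo 'Upload stored as ' . htmlspecialchars($name);
```

Because the stored file sits outside the web root under a name the server chose, a separate download script is the only way it can ever be served, and it is never interpreted as code.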