With PHP, it is possible to upload files to the server. You might want users to be able to submit files for review, such as text documents, articles, and essays, but this data needs to be validated and checked before it is stored on your Web server.

Create the Upload-File Form

Allowing users to upload files from a form can be very useful.

Look at the following HTML form for uploading files:

<html>
<body>
  <form action="upload_file.php" method="post" enctype="multipart/form-data">
    <label for="file">Filename:</label>
    <input type="file" name="file" id="file" />
    <br />
    <input type="submit" name="submit" value="Submit" />
  </form>
</body>
</html>

The following points can be taken from the HTML form above:

  • The enctype attribute of the <form> tag specifies which content-type to use when submitting the form. “multipart/form-data” is used when a form requires binary data (like the contents of a file) to be uploaded.
  • The type="file" attribute of the <input> tag specifies that the input should be processed as a file. For example, when viewed in a browser, there will be a browse-button next to the input field.

Create the “upload_file.php” Page

The “upload_file.php” file contains the PHP code that handles the upload:

<?php
// "name" and "type" are supplied by the client, so escape them before output.
if ($_FILES["file"]["error"] > 0)
  {
  echo "Error: " . $_FILES["file"]["error"] . "<br />";
  }
else
  {
  echo "Upload: " . htmlspecialchars($_FILES["file"]["name"], ENT_QUOTES, "UTF-8") . "<br />";
  echo "Type: " . htmlspecialchars($_FILES["file"]["type"], ENT_QUOTES, "UTF-8") . "<br />";
  echo "Size: " . ($_FILES["file"]["size"] / 1024) . " Kb<br />";
  echo "Stored in: " . $_FILES["file"]["tmp_name"];
  }
?>

By using the global PHP $_FILES array you can upload files from a client computer to the remote server.

The first index (“file” in this case) is the form’s input name and the second index can be “name”, “type”, “size”, “tmp_name” or “error”:

  • $_FILES["file"]["name"] – the name of the uploaded file
  • $_FILES["file"]["type"] – the type of the uploaded file
  • $_FILES["file"]["size"] – the size (in bytes) of the uploaded file
  • $_FILES["file"]["tmp_name"] – the name of the temporary copy of the file stored on the server
  • $_FILES["file"]["error"] – the error code resulting from the file upload (if necessary)

This is a very simple way of uploading files, but is not very secure. And when it comes to Website security, you can never be careful enough. So, for security reasons, you should add restrictions on what the user is allowed to upload.

Restrictions on Uploading

In this next script we add some restrictions to the file upload process. The user may only upload GIF or JPEG image files and the file size must be under 20 kb:

<?php
// The "type" compared here is the value the browser sent with the request.
if ((($_FILES["file"]["type"] == "image/gif")
|| ($_FILES["file"]["type"] == "image/jpeg")
|| ($_FILES["file"]["type"] == "image/pjpeg"))
&& ($_FILES["file"]["size"] < 20000))
  {
  if ($_FILES["file"]["error"] > 0)
    {
    echo "Error: " . $_FILES["file"]["error"] . "<br />";
    }
  else
    {
    // Escape client-supplied values before writing them into the page.
    echo "Upload: " . htmlspecialchars($_FILES["file"]["name"], ENT_QUOTES, "UTF-8") . "<br />";
    echo "Type: " . htmlspecialchars($_FILES["file"]["type"], ENT_QUOTES, "UTF-8") . "<br />";
    echo "Size: " . ($_FILES["file"]["size"] / 1024) . " Kb<br />";
    echo "Stored in: " . $_FILES["file"]["tmp_name"];
    }
  }
else
  {
  echo "Invalid file";
  }
?>

Note: For IE to recognize JPEG files the “type” must be “pjpeg”, and for Firefox it must be “jpeg”.

Saving the Uploaded File

The examples above only create a temporary copy of the uploaded files in the PHP temporary folder on the server.

The temporary copy disappears when the script ends. To store the uploaded file we need to copy it to a different location. The following code includes all the previous code to execute the upload process and will also store the file in a directory called “upload”. It also checks if the file already exists, and if it does not, it copies the file to the specified folder.

<?php
// The "type" compared here is the value the browser sent with the request.
if ((($_FILES["file"]["type"] == "image/gif")
|| ($_FILES["file"]["type"] == "image/jpeg")
|| ($_FILES["file"]["type"] == "image/pjpeg"))
&& ($_FILES["file"]["size"] < 20000))
  {
  if ($_FILES["file"]["error"] > 0)
    {
    echo "Return Code: " . $_FILES["file"]["error"] . "<br />";
    }
  else
    {
    // Drop any directory part from the client-supplied name and
    // escape it before writing it into the page.
    $name = basename($_FILES["file"]["name"]);
    $safe = htmlspecialchars($name, ENT_QUOTES, "UTF-8");
    echo "Upload: " . $safe . "<br />";
    echo "Type: " . htmlspecialchars($_FILES["file"]["type"], ENT_QUOTES, "UTF-8") . "<br />";
    echo "Size: " . ($_FILES["file"]["size"] / 1024) . " Kb<br />";
    echo "Temp file: " . $_FILES["file"]["tmp_name"] . "<br />";
    if (file_exists("upload/" . $name))
      {
      echo $safe . " already exists. ";
      }
    // Report success only if the move actually worked.
    else if (move_uploaded_file($_FILES["file"]["tmp_name"],
      "upload/" . $name))
      {
      echo "Stored in: " . "upload/" . $safe;
      }
    else
      {
      echo "Could not store the file.";
      }
    }
  }
else
  {
  echo "Invalid file";
  }
?>
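
The scripts above compare $_FILES["file"]["type"] and reuse $_FILES["file"]["name"], both of which are sent by the browser and can be set to anything. The following is an added example, not part of the original tutorial, that derives the type from the file contents and stores the file under a server-generated name; the helper name store_image_upload() is hypothetical, and PHP 7 or later with the fileinfo extension is assumed.

```php
<?php
// Added example, not from the original tutorial. store_image_upload() is a
// hypothetical helper name; requires PHP 7+ with the fileinfo extension.
const ALLOWED_TYPES = ["image/gif" => "gif", "image/jpeg" => "jpg"];
const MAX_BYTES = 20000; // same limit as the tutorial's scripts

function store_image_upload(array $file, string $dir): string
{
    // Reject failed or malformed uploads first ("error" is an array,
    // not UPLOAD_ERR_OK, if the field was submitted as file[]).
    if (!isset($file["error"], $file["tmp_name"])
        || $file["error"] !== UPLOAD_ERR_OK) {
        throw new RuntimeException("Upload failed");
    }
    // Only accept a temporary file that PHP created for this request.
    if (!is_uploaded_file($file["tmp_name"])) {
        throw new RuntimeException("Not an uploaded file");
    }
    // Measure the size on disk instead of trusting $file["size"].
    $size = filesize($file["tmp_name"]);
    if ($size === false || $size === 0 || $size >= MAX_BYTES) {
        throw new RuntimeException("Invalid size");
    }
    // Detect the type from the content; $file["type"] is client-supplied.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file["tmp_name"]);
    $ext = is_string($mime) ? (ALLOWED_TYPES[$mime] ?? null) : null;
    if ($ext === null) {
        throw new RuntimeException("Invalid file type");
    }
    // Server-generated name: no client-chosen extension or path component.
    $target = rtrim($dir, "/") . "/" . bin2hex(random_bytes(16))
        . "." . $ext;
    if (!move_uploaded_file($file["tmp_name"], $target)) {
        throw new RuntimeException("Could not store file");
    }
    return $target;
}

if (isset($_FILES["file"])) {
    try {
        $path = store_image_upload($_FILES["file"], "upload");
        echo "Stored in: " . htmlspecialchars($path, ENT_QUOTES, "UTF-8");
    } catch (RuntimeException $e) {
        echo "Invalid file";
    }
}
```

Keeping the upload directory outside the web root, or configuring the server not to execute scripts from it, limits the impact of any file that still passes these checks.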