In this tutorial i will teach you how you can upload files to your website using PHP. I will teach you the basics and show you how to manage witch files may be uploaded.
A very useful aspect of PHP is its ability to manage file uploads to your server. Allowing users to upload a file to your server can be a security risk, so please be careful when uploading files.
Before you can use PHP to manage your uploads, you must build an form that lets users select a file to upload.
Let’s start by creating the file upload form:
Files are uploaded from the browser using an input tag, with the type parameter set to “file”. This is supported by all browsers currently available on the market.
The important thing is to set the ENCTYPE attribute of the form to “multipart/form-data” and set the form’s action to the file upload page. The file upload page will handle the actual file uploading.
We can set a filesize limit by adding a hidden input element with the NAME attribute set to “MAX_FILE_SIZE” and the VALUE parameter to the max allowed filesize (in bytes).
file: uploadform.php
<input type="hidden" name="MAX_FILE_SIZE" value="30000">
<fieldset>
<legend>File upload:</legend>
<dl>
<dt>
<label for="file">File:</label>
</dt>
<dd>
<input tabindex="1" accesskey="b" name="file" type="file" id="file" />
</dd>
</dl>
<input tabindex="2" accesskey="l" type="submit" name="cmdupload" value="Upload" />
</fieldset>
</form>
After the user clicks the Upload button, the data will be posted to the server and the user will be redirected to upload.php. This PHP file is going to process the form data and validate the uploaded file.
NOTE: You will need to create a new directory in the directory where upload.php resides, called “upload”, as we are going to be saving files there.
Now let’s begin creating the upload script:
In PHP, uploaded files are accessed via the $_FILES array:
- $_FILES[”file”][”name”]: The original filename on the client’s machine.
- $_FILES[’file’][’type’]: The mime type of the file.
- $_FILES[’file’][’size’]: The size, in bytes, of the uploaded file.
- $_FILES[’file’][’tmp_name’]: The temporary filename of the file in which the uploaded file was stored on the server.
We start our script by setting the upload directory and the name of the log file.
Now we declare a filetype blacklist, this is an array that contains all filetypes that are NOT allowed in the filename.
Now we declare a list of filetypes that are allowed, again this is an array that contains all types that are allowed.
Then we check to see if the upload directory exits and if it’s writable.
Now we check to see if the user has pressed the upload button on the upload form. If he has not pressed the button the user will be redirected back to the upload form.
Then we check to see if $_FILES[’file’][’error’] reports an error.
Now it’s time to check if a item from the blacklist has been found in the filename. if not the script continues, if so the script will display an error and log the attempt to the log file.
Next we check if the filetype is allowed, if not the script exits and informs the user, again the attempt will be logged to the log file.
Now we check to see if there already is a file with the same name, if so the script exits and display’s an error.
Next is checking to see if a file has been uploaded with the name $_FILES[’file’][’tmp_name’].
The temporary copied files disappears when the script ends. To store the uploaded file we need to copy it to a different location:
The move_uploaded_file() function will move the temporary file to the desired location.
The file is now uploaded, now we log the uploader’s IP, the date and the time in an upload log.
The script is finished and displays a message saying that the file has been uploaded.
file: upload.php
$uploaddir = "upload/"; //Upload directory: needs write premissions
$log = "uploadlog.txt"; // Upload LOG file
// what file types do you want to disallow?
$blacklist = array(".php", ".phtml", ".php3", ".php4", ".php5", ".exe", ".js",".html", ".htm", ".inc");
// allowed filetypes
$allowed_filetypes = array('.jpg','.gif','.bmp','.png');
if (!is_dir($uploaddir)) {
die ("Upload directory does not exists.");
}
if (!is_writable($uploaddir)) {
die ("Upload directory is not writable.");
}
if ($_POST['cmdupload'])
{
$ip = trim($_SERVER['REMOTE_ADDR']);
if (isset($_FILES['file']))
{
if ($_FILES['file']['error'] != 0)
{
switch ($_FILES['file']['error'])
{
case 1:
print 'The file is to big.'; // php installation max file size error
exit;
break;
case 2:
print 'The file is to big.'; // form max file size error
exit;
break;
case 3:
print 'Only part of the file was uploaded';
exit;
break;
case 4:
print 'No file was uploaded</p>';
exit;
break;
case 6:
print "Missing a temporary folder.";
exit;
break;
case 7:
print "Failed to write file to disk";
exit;
break;
case 8:
print "File upload stopped by extension";
exit;
break;
}
} else {
foreach ($blacklist as $item)
{
if (preg_match("/$item\$/i", $_FILES['file']['name']))
{
echo "Invalid filetype !";
$date = date("m/d/Y");
$time = date("h:i:s A");
$fp = fopen($log,"ab");
fwrite($fp,"$ip | ".$_FILES['file']['name']." | $date | $time | INVALID TYPE"."\r\n");
fclose($fp);
unset($_FILES['file']['tmp_name']);
exit;
}
}
// Get the extension from the filename.
$ext = substr($_FILES['file']['name'], strpos($_FILES['file']['name'],'.'), strlen($_FILES['file']['name'])-1);
// Check if the filetype is allowed, if not DIE and inform the user.
if(!in_array($ext,$allowed_filetypes)){
$date = date("m/d/Y");
$time = date("h:i:s A");
$fp = fopen($log,"ab");
fwrite($fp,"$ip | ".$_FILES['file']['name']." | $date | $time | INVALID TYPE"."\r\n");
fclose($fp);
die('The file you attempted to upload is not allowed.');
}
if (!file_exists($uploaddir . $_FILES["file"]["name"]))
{
// Proceed with file upload
if (is_uploaded_file($_FILES['file']['tmp_name']))
{
//File was uploaded to the temp dir, continue upload process
if (move_uploaded_file($_FILES['file']['tmp_name'], $uploaddir . $_FILES['file']['name']))
{
// uploaded file was moved and renamed succesfuly. Display a message.
echo "Upload successful !";
// Now log the uploaders IP adress date and time
$date = date("m/d/Y");
$time = date("h:i:s A");
$fp = fopen($log,"ab");
fwrite($fp,"$ip | ".$_FILES['file']['name']." | $date | $time | OK"."\r\n");
fclose($fp);
} else {
echo "Error while uploading the file, Please contact the webmaster.";
unset($_FILES['file']['tmp_name']);
}
} else {
//File was NOT uploaded to the temp dir
switch ($_FILES['file']['error'])
{
case 1:
print 'The file is to big.'; // php installation max file size error
break;
case 2:
print 'The file is to big.'; // form max file size error
break;
case 3:
print 'Only part of the file was uploaded';
break;
case 4:
print 'No file was uploaded</p>';
break;
case 6:
print "Missing a temporary folder.";
break;
case 7:
print "Failed to write file to disk";
break;
case 8:
print "File upload stopped by extension";
break;
}
}
} else {
echo "Filename already exists, Please rename the file and retry.";
unset($_FILES['file']['tmp_name']);
}
}
} else {
// user did not select a file to upload
echo "Please select a file to upload.";
}
} else {
// upload button was not pressed
header("Location: uploadform.php");
}
?>
This is great, easy to understand code and good instructions. However, I have been at it for hours and can not get it to work. I read the instructions to a tee and no joy.
After several attempts to get the directory folder correct, which I’m still not sure it is, it would just gives me a browser error. I caught that my file upload page was mispelled and corrected that, so now it does not appear to redirect to update.php. If it does, its so fast you can not see it run the upload page at all. So now it just “submits” and lands back on the upload page.
I’m using WAMP server on my local machine with all the latest updates for PHP and MYSQL.
Please tell me I’ve overlooked something simple…anyone?
I don’t know why it does not work for you but it does seem to work for me.
I’m using XAMPP by the way, but I don’t think that has any bearing on the subject. try printing every variable both global or local just to check what values are going in the conditions of the different statements. Thank you, I hope I contributed something. Although I can’t seem to make it work if an array is used rather than the switch case statement.
Awesome Script…It works like a charm…Thank you for doing such a great job. I was looking for something like this for few days and am new to PHP…
Great job…
oh tats working great really a great job and thanx
Hey
That script worked right out of the box!!!
Cool…Now if only somebody would write how to get over the 2MB limit for
uploads….(in php.ini)…my server does not permit editing php.ini
Iqbal
What should I do if there is an error: Upload directory is not writable.
good
This is great! I’m rather new to PHP and have been messing around as of late, teaching myself new things. Your script was straight forward and very easy to read, and made the uploading extremely easy. Thank you!
Great script, any idea how I can tweak this script to define the files to be uploaded (specific path on local machines), so basically I would like to save the users the time to browse to the log files as I know where my application is storing these.
How can I specify the path and file names instead of a browse button functionality?
Any help is much appreciated!
Thanks
Dan
i have a form ….name … ADDNEWMULTIMEDIA.php
Add New Multimedia
<<Back
Title: -
<input name=”tbtitle” type=”text” class=”inputtext” id=”tbtitle” value=”" />
File: -
Description: -
this form is posted to….. ADDNEWMULTIMEDIAACTION.php…
<?php
require_once(”../includes/allclasses.php”);
if ((($_FILES[”file”][”type”] == “image/gif”)
|| ($_FILES[”file”][”type”] == “image/jpeg”)
|| ($_FILES[”file”][”type”] == “image/pjpeg”))
&& ($_FILES[”file”][”size”] 0)
{
echo “Return Code: ” . $_FILES[”file”][”error”] . “”;
}
else
{
echo “Upload: ” . $_FILES[”file”][”name”] . “”;
echo “Type: ” . $_FILES[”file”][”type”] . “”;
echo “Size: ” . ($_FILES[”file”][”size”] / 1024) . ” Kb”;
echo “Temp file: ” . $_FILES[”file”][”tmp_name”] . “”;
if (file_exists(”upload/” . $_FILES[”file”][”name”]))
{
echo $_FILES[”file”][”name”] . ” already exists. “;
}
else
{
move_uploaded_file($_FILES[”file”][”tmp_name”],
“upload/” . $_FILES[”file”][”name”]);
echo “Stored in: ” . “upload/” . $_FILES[”file”][”name”];
}
}
}
else
{
echo “Invalid file”;
}
$title = “”;
$description = “”;
$file = “”;
$querystring = array();
if(isset($_REQUEST[’tbtitle’]) && !empty($_REQUEST[’tbtitle’]))
{
$title = trim($_REQUEST[’tbtitle’]);
$querystring[] = “tbtitle=”.urlencode($_REQUEST[’tbtitle’]);
}
if(isset($_REQUEST[’tbdescription’]) && !empty($_REQUEST[’tbdescription’]))
{
$description = trim($_REQUEST[’tbdescription’]);
$querystring[] = “tbdescription=”.urlencode($_REQUEST[’tbdescription’]);
}
if(isset($_REQUEST[’tbfile’]) && !empty($_REQUEST[’tbfile’]))
{
$file = trim($_REQUEST[’tbfile’]);
$querystring[] = “tbfile=”.urlencode($_REQUEST[’tbfile’]);
}
$qs = implode(”&”,$querystring);
$nid = $objmultimedia->addnewmultimedia($title, $description, $file);
if($nid>0)
{
header(”location:multimedia.php?msg=3″);
exit;
}
else
{
header(”location:addnewmultimedia.php?msg=4&”.$qs);
exit;
}
?>
but i can not save the selected(uploaded ) file to another location by move_uploaded_file()… i receive a warning message i.e
1- Warning: Undefined index: error in C:\Inetpub\wwwroot\icna\admin\addnewmultimediaaction.php on line 8
2-Warning: Unable to create ‘upload/navsep.jpg’: Permission denied in C:\Inetpub\wwwroot\icna\admin\addnewmultimediaaction.php on line 26
Warning: Unable to move ‘C:\PHP\uploadtemp\php23.tmp’ to ‘upload/navsep.jpg’ in C:\Inetpub\wwwroot\icna\admin\addnewmultimediaaction.php on line 26
Stored in: upload/navsep.jpg
Warning: Cannot add header information - headers already sent by (output started at C:\Inetpub\wwwroot\icna\admin\addnewmultimediaaction.php:8) in C:\Inetpub\wwwroot\icna\admin\addnewmultimediaaction.php on line 64
can antbody help me.????
fawadali123@gmail.com
kindly reply..
Very good
hi this is chetan, awesome script, it has helped me a lot…
i want to ask you guys a question that, if a file is present already at the server then it file already exists rename and retry error, but i want that the script shold check if the filee exists then it should rename the new file being uploaded and then upload it over the server…
so could you help me with that…
any help will be greatly appreciated…
thanks in the advance…
[…] PHP File Upload 16Apr08 1. PHP File Upload […]
Its an awesome article.I was struggling with file upload on server it works like a charm.Although its not exactly what I am looking for yet it is really good article.Thankyou for helping newbies like me!!
Great tutorial! I’m just a newbie and just learning the rudiments of php and mysql.
Add A Comment