If you want to give website visitors a way to upload files, PHP lets you accept them through a simple HTML form. This guide shows the process, but it doesn’t consider the many security threats that file uploads can cause. These security risks should always be considered when giving anyone the ability to upload files to your server.
Here are the steps:
1. Turn Uploads On
On your server, locate the php.ini file and open it in a text editor. Search for "file_uploads" and change the parameter to "On".
file_uploads = On
2. Create the HTML Form
Here is an example of a basic HTML form:
<!DOCTYPE html>
<html>
<head>
<title>Basic File Upload Using PHP</title>
</head>
<body>
<p>Upload a file using the form below:</p>
<form enctype="multipart/form-data" action="upload.php" method="post" >
<label for="file">Select file to upload :</label><br />
<input name="file" type="file" id="file"><br /><br />Click to upload<br />
<input type="submit" value="Upload Image" name="submit" />
</form>
</body>
</html>
The important parts of the code above are:
· enctype="multipart/form-data" - this specifies the content-type the browser uses to send the form; file uploads require it
· action="upload.php" - this is where the data from the form is sent. We'll create this script below.
· method="post" - you must use the HTTP POST method
3. Create a Directory for Uploaded Files
Create a directory called "uploaded_files" in the same directory as the PHP script you will be creating below.
4. Create the PHP Script
You need to create a PHP script using the code below and save it as "upload.php".
<?php
$target_dir = "uploaded_files/";
$uploadOk = 1;

// Stop early if no file arrived or PHP reported an upload error
if (!isset($_FILES["file"]) || $_FILES["file"]["error"] !== UPLOAD_ERR_OK) {
    exit("There was an error uploading your file.");
}

// basename() strips any directory components from the client-supplied name
$target_file = $target_dir . basename($_FILES["file"]["name"]);
// Lower-case the extension so "JPG" and "jpg" are treated the same
$imageFileType = strtolower(pathinfo($target_file, PATHINFO_EXTENSION));

// Check if image is real or fake
if (isset($_POST["submit"])) {
    $check = getimagesize($_FILES["file"]["tmp_name"]);
    if ($check !== false) {
        echo "File is an image - " . $check["mime"] . ".";
        $uploadOk = 1;
    } else {
        echo "This is not an image file. Please upload another.";
        $uploadOk = 0;
    }
}

// Check if file already exists
if (file_exists($target_file)) {
    echo "This file already exists – please upload another.";
    $uploadOk = 0;
}

// Check file size
if ($_FILES["file"]["size"] > 1000000) {
    echo "Your file is too big. Please try again";
    $uploadOk = 0;
}

// Allow certain file formats
if ($imageFileType != "jpg" && $imageFileType != "png" && $imageFileType != "jpeg"
    && $imageFileType != "gif") {
    echo "Only JPG, JPEG, PNG and GIF files are allowed. Please try again";
    $uploadOk = 0;
}

// Check if $uploadOk is set to 0 by an error
if ($uploadOk == 0) {
    echo "Your file was not uploaded.";
} else {
    if (move_uploaded_file($_FILES["file"]["tmp_name"], $target_file)) {
        // Escape the client-supplied file name before echoing it into the page
        echo "The file " . htmlspecialchars(basename($_FILES["file"]["name"]), ENT_QUOTES, "UTF-8") . " has been uploaded.";
    } else {
        echo "There was an error uploading your file.";
    }
}
?>
This example script is for uploading images, and it does a number of things:
1. Checks if the image is real
2. Checks if a file with the same name has already been uploaded
3. Restricts the file size to 1MB
4. Limits the file types to commonly used image files - jpg, jpeg, png and gif
When this script completes, the uploaded file will be in the directory uploaded_files.
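The script above stores files under the name the visitor supplied, inside a directory the web server can serve. The following stricter variant is an added example, not part of the original guide: it detects the type from the file's contents, assigns a server-generated name, and stores the file outside the web root. The function name store_image_upload and the path /var/www/private_uploads are hypothetical.

```php
<?php
// Added example, not the guide's code. Assumption: UPLOAD_DIR is a hypothetical
// directory outside the web root, so stored files are never served by URL.
const UPLOAD_DIR = '/var/www/private_uploads';
const MAX_BYTES  = 1000000; // same 1 MB limit as the guide's script
// Allowed content types, mapped to the extension the server assigns.
const ALLOWED = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

function store_image_upload(array $file): string
{
    // Reject missing, failed or partial uploads.
    if (($file['error'] ?? null) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('There was an error uploading your file.');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file.');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('Your file is too big.');
    }
    // Detect the type from the file's bytes. $file['type'] and $file['name']
    // are supplied by the client and are not used for any decision.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $ext  = is_string($mime) ? (ALLOWED[$mime] ?? null) : null;
    if ($ext === null || getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('Only JPG, PNG and GIF images are allowed.');
    }
    // Server-generated name: no client-controlled characters or extension,
    // and no collision with a file that already exists.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $name)) {
        throw new RuntimeException('Could not store the file.');
    }
    return $name;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    try {
        $stored = store_image_upload($_FILES['file'] ?? []);
        echo 'Stored as ' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```

Because the directory is outside the web root, stored images have to be delivered by a separate script that reads the file and sends the matching Content-Type.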