tkv
12-28-2007, 07:17 PM
Many sites allow users to upload files through an HTML form. While there are many security issues that should be addressed before allowing file uploads, the actual mechanisms to allow this are fairly easy.
The first task is to construct an HTML form as an interface for a user to upload his file:
<form action="upload.php" method="post" enctype="multipart/form-data">
<p>File Upload</p>
<label for="file">File</label>
<input type="file" name="file" id="file" />
<br />
<input type="submit" name="submit" value="Submit" />
</form>
You've probably noticed two differences from other forms you may have designed: the enctype attribute of the form tag and the type attribute of the input tag. The form element's enctype specifies which content-type to use when submitting information back to the server. The input element's type is used to designate the input element as a file select control. When you view the HTML in a browser you'll also see a "Browse" button, which is part of the file select control.
The viewer will enter the URI of a file in the input field and a copy of the file will be sent to the server when he submits the form. When received, the file is stored temporarily on the server.
PHP Code
The file is available by referencing the superglobal $_FILES array. The first index is the form's input name and the second index can be either "name", "type", "size", "tmp_name" or "error".
$_FILES["file"]["name"] holds the name of the file uploaded from the client
$_FILES["file"]["type"] holds the mimetype of the uploaded file
$_FILES["file"]["size"] holds the size in bytes of the uploaded file
$_FILES["file"]["tmp_name"] holds the name of the temporary copy of the file stored on the server
$_FILES["file"]["error"] holds any error code resulting from the file transfer
For a listing of possible error codes, see www.php.net/manual/en/features.file-upload.errors.php.
Example code using $_FILES might look like this:
<?php
// "name" and "type" are sent by the client, so escape them before echoing into HTML
echo "Return Code: " . $_FILES["file"]["error"] . "<br />";
echo "Uploading " . htmlspecialchars($_FILES["file"]["name"]);
echo " (" . htmlspecialchars($_FILES["file"]["type"]) . ", ";
echo ceil($_FILES["file"]["size"] / 1024) . " Kb).<br />";
echo "File is temporarily stored as " . $_FILES["file"]["tmp_name"];
?>
However, you will want to keep in mind some of the potential hazards of allowing files to be uploaded to your server... be sure to use type, size and error in determining how to process the file.
<?php
// Check the error code first, then type and size; escape client-supplied strings on output
if (($_FILES["file"]["error"] == UPLOAD_ERR_OK) &&
    ($_FILES["file"]["type"] == "image/gif") &&
    ($_FILES["file"]["size"] < 15000)) {
    echo "Return Code: " . $_FILES["file"]["error"] . "<br />";
    echo "Uploading " . htmlspecialchars($_FILES["file"]["name"]);
    echo " (" . htmlspecialchars($_FILES["file"]["type"]) . ", ";
    echo ceil($_FILES["file"]["size"] / 1024) . " Kb).<br />";
    echo "File is temporarily stored as " . $_FILES["file"]["tmp_name"];
} else {
    echo "Sorry, we only accept .GIF images under 15Kb for upload.";
}
?>
Since the temporary file will be deleted once the script is done processing and the HTTP connection closes, our next task is to copy the temporary file to a safe location. For this we have the function move_uploaded_file.
Finishing it up
The move_uploaded_file function takes two string arguments: the name of the temporary file and the destination. Note that the uploaded file will overwrite any pre-existing files so you should check first to see if a file of that same name already exists. Also ensure the directory to which the file will be copied has the appropriate permissions.
<?php
// basename() strips any directory components from the client-supplied name
$name = basename($_FILES["file"]["name"]);
if (($_FILES["file"]["error"] == UPLOAD_ERR_OK) &&
    ($_FILES["file"]["type"] == "image/gif") &&
    ($_FILES["file"]["size"] < 15000)) {
    echo "Return Code: " . $_FILES["file"]["error"] . "<br />";
    echo "Uploading " . htmlspecialchars($name);
    echo " (" . htmlspecialchars($_FILES["file"]["type"]) . ", ";
    echo ceil($_FILES["file"]["size"] / 1024) . " Kb).<br />";
    if (file_exists("uploads/" . $name)) {
        echo htmlspecialchars($name) . " already exists. ";
        echo "Please delete the destination file and try again.";
    } else {
        move_uploaded_file($_FILES["file"]["tmp_name"], "uploads/" . $name);
        echo "File has been stored in your uploads directory.";
    }
} else {
    echo "Sorry, we only accept .GIF images under 15Kb for upload.";
}
?>
good luck
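A stricter variant of the final handler, as an added example that is not part of the original post: the "type" and "name" entries of $_FILES are supplied by the client, so this version identifies the file from its contents and stores it under a server-generated name. The constants, the function name validate_gif_upload and the uploads path are assumptions; it needs the fileinfo extension and PHP 7 or later for random_bytes.

```php
<?php
// Added example, not the tutorial's code. Names and paths here are assumptions.
const MAX_BYTES  = 15000;                 // same limit the tutorial uses
const UPLOAD_DIR = __DIR__ . "/uploads";  // assumption: exists and is writable
// Returns a server-chosen file name for an acceptable upload, or throws.
function validate_gif_upload(array $f): string
{
    // The error code decides whether the other fields mean anything.
    if (!isset($f["error"]) || $f["error"] !== UPLOAD_ERR_OK) {
        throw new RuntimeException("Upload did not complete");
    }
    // Measure the stored temporary file instead of trusting $f["size"].
    $size = filesize($f["tmp_name"]);
    if ($size === false || $size === 0 || $size >= MAX_BYTES) {
        throw new RuntimeException("File must be under 15Kb");
    }
    // Identify the type from the file's bytes, not from $f["type"].
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($f["tmp_name"]);
    if ($mime !== "image/gif") {
        throw new RuntimeException("Only GIF images are accepted");
    }
    // Never reuse $f["name"]: a random name with a fixed extension cannot
    // collide with an existing file or carry a path or a .php suffix.
    return bin2hex(random_bytes(16)) . ".gif";
}
if (PHP_SAPI === "cli") {
    // Constructed samples for an offline run: a GIF header, then a script.
    foreach (["GIF89a\x01\x00\x01\x00\x00\x00\x00;", "<?php echo 1; ?>"] as $bytes) {
        $tmp = tempnam(sys_get_temp_dir(), "up");
        file_put_contents($tmp, $bytes);
        try {
            echo validate_gif_upload(["error" => UPLOAD_ERR_OK, "tmp_name" => $tmp]), "\n";
        } catch (RuntimeException $e) {
            echo "rejected: ", $e->getMessage(), "\n";
        }
        unlink($tmp);
    }
} elseif (isset($_FILES["file"])) {
    try {
        $name = validate_gif_upload($_FILES["file"]);
        if (!move_uploaded_file($_FILES["file"]["tmp_name"], UPLOAD_DIR . "/" . $name)) {
            throw new RuntimeException("Could not store the file");
        }
        echo "Stored as " . htmlspecialchars($name);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage());
    }
}
```

A file that passes the content check can still carry other data after the GIF header, so the uploads directory should also be configured so the web server never executes files from it.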