PHP file upload



tkv
01-10-2008, 08:38 AM
Let’s start by creating the file upload form:

Files are uploaded from the browser using an input tag with the type attribute set to "file". This is supported by all browsers currently available on the market.
The important thing is to set the ENCTYPE attribute of the form to "multipart/form-data" and set the form's action to the file upload page. The file upload page will handle the actual file uploading.
We can set a filesize limit by adding a hidden input element with the NAME attribute set to "MAX_FILE_SIZE" and the VALUE attribute to the maximum allowed filesize (in bytes). PHP honours this field, but since it is sent by the client it is only a convenience; the server's upload_max_filesize and post_max_size settings in php.ini are the real limit.
file: uploadform.php


<form name="upload-form" id="upload-form" method="post" action="./upload.php" enctype="multipart/form-data">
  <input type="hidden" name="MAX_FILE_SIZE" value="30000" />
  <fieldset>
    <legend>File upload:</legend>
    <dl>
      <dt>
        <label for="file">File:</label>
      </dt>
      <dd>
        <input tabindex="1" accesskey="b" name="file" type="file" id="file" />
      </dd>
    </dl>
    <input tabindex="2" accesskey="l" type="submit" name="cmdupload" value="Upload" />
  </fieldset>
</form>
After the user clicks the Upload button, the browser posts the form data to upload.php. This PHP file is going to process the form data and validate the uploaded file.
NOTE: You will need to create a new directory called "upload" in the directory where upload.php resides, as we are going to be saving files there.
Now let’s begin creating the upload script:

In PHP, uploaded files are accessed via the $_FILES array:

$_FILES['file']['name']: The original filename on the client's machine.
$_FILES['file']['type']: The MIME type of the file, as reported by the client (it is not verified by PHP).
$_FILES['file']['size']: The size, in bytes, of the uploaded file.
$_FILES['file']['tmp_name']: The temporary filename under which the uploaded file was stored on the server.
$_FILES['file']['error']: The error code for this upload (0 means no error).

We start our script by setting the upload directory and the name of the log file.
Now we declare a filetype blacklist: an array that contains all extensions that are NOT allowed at the end of the filename.
Next we declare a list of filetypes that are allowed; again this is an array that contains all extensions that are allowed.
Then we check whether the upload directory exists and whether it is writable.
Now we check whether the user has pressed the upload button on the upload form. If not, the user is redirected back to the upload form.
Then we check whether $_FILES['file']['error'] reports an error.
Now it is time to check whether an item from the blacklist matches the end of the filename. If not, the script continues; if so, the script displays an error and logs the attempt to the log file.
Next we check whether the filetype is allowed. If not, the script exits and informs the user; again the attempt is logged to the log file.
Now we check whether there already is a file with the same name; if so, the script exits and displays an error.
Next we check that a file really was uploaded via HTTP POST under the name $_FILES['file']['tmp_name'].
The temporary file disappears when the script ends. To store the uploaded file we need to copy it to a different location:
The move_uploaded_file() function moves the temporary file to the desired location.
The file is now uploaded; now we log the uploader's IP, the date and the time in the upload log.
The script is finished and displays a message saying that the file has been uploaded.
file: upload.php


<?php
$uploaddir = "upload/"; // Upload directory: needs write permissions
$log = "uploadlog.txt"; // Upload log file
// What file types do you want to disallow?
$blacklist = array(".php", ".phtml", ".php3", ".php4", ".php5", ".exe", ".js", ".html", ".htm", ".inc");
// Allowed filetypes
$allowed_filetypes = array('.jpg', '.gif', '.bmp', '.png');

// Append one line to the upload log: IP, filename, date, time, status.
function log_upload($log, $ip, $name, $status)
{
    $date = date("m/d/Y");
    $time = date("h:i:s A");
    $fp = fopen($log, "ab");
    fwrite($fp, "$ip | $name | $date | $time | $status\r\n");
    fclose($fp);
}

// Map a $_FILES error code to a message for the user.
function upload_error_message($code)
{
    switch ($code) {
        case UPLOAD_ERR_INI_SIZE:   return 'The file is too big.'; // php.ini upload_max_filesize
        case UPLOAD_ERR_FORM_SIZE:  return 'The file is too big.'; // form MAX_FILE_SIZE
        case UPLOAD_ERR_PARTIAL:    return 'Only part of the file was uploaded.';
        case UPLOAD_ERR_NO_FILE:    return 'No file was uploaded.';
        case UPLOAD_ERR_NO_TMP_DIR: return 'Missing a temporary folder.';
        case UPLOAD_ERR_CANT_WRITE: return 'Failed to write file to disk.';
        case UPLOAD_ERR_EXTENSION:  return 'File upload stopped by extension.';
        default:                    return 'Unknown upload error.';
    }
}

if (!is_dir($uploaddir)) {
    die("Upload directory does not exist.");
}
if (!is_writable($uploaddir)) {
    die("Upload directory is not writable.");
}

if (!isset($_POST['cmdupload'])) {
    // Upload button was not pressed: send the user back to the form.
    header("Location: uploadform.php");
    exit;
}

$ip = trim($_SERVER['REMOTE_ADDR']);

if (!isset($_FILES['file'])) {
    // User did not select a file to upload.
    die("Please select a file to upload.");
}

if ($_FILES['file']['error'] != UPLOAD_ERR_OK) {
    die(upload_error_message($_FILES['file']['error']));
}

// basename() strips any directory part the client may have sent.
$filename = basename($_FILES['file']['name']);

// Is an item from the blacklist at the end of the filename?
// preg_quote() keeps the "." in ".php" from matching any character.
foreach ($blacklist as $item) {
    if (preg_match('/' . preg_quote($item, '/') . '$/i', $filename)) {
        log_upload($log, $ip, $filename, "INVALID TYPE");
        die("Invalid filetype!");
    }
}

// Get the extension from the filename: everything from the first dot,
// so "image.php.jpg" yields ".php.jpg", which is not in the allowed list.
$dot = strpos($filename, '.');
$ext = ($dot === false) ? '' : strtolower(substr($filename, $dot));
// Check if the filetype is allowed; if not, die and inform the user.
if (!in_array($ext, $allowed_filetypes)) {
    log_upload($log, $ip, $filename, "INVALID TYPE");
    die('The file you attempted to upload is not allowed.');
}

if (file_exists($uploaddir . $filename)) {
    die("Filename already exists. Please rename the file and retry.");
}

// Make sure the temporary file really came from this HTTP upload.
if (!is_uploaded_file($_FILES['file']['tmp_name'])) {
    die("Error while uploading the file. Please contact the webmaster.");
}

// The temporary file disappears when the script ends: move it into place.
if (move_uploaded_file($_FILES['file']['tmp_name'], $uploaddir . $filename)) {
    echo "Upload successful!";
    // Log the uploader's IP address, date and time.
    log_upload($log, $ip, $filename, "OK");
} else {
    echo "Error while uploading the file. Please contact the webmaster.";
}
?>
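The filename checks from the script above, pulled out into one pure function so they can be run from the command line against constructed filenames instead of a live $_FILES array. This is an added example, not part of tkv's post; validate_upload() and the sample names are assumptions.

```php
<?php
// Added example (not from the original post): the post's validation steps as
// one function. $file mimics one $_FILES entry; validate_upload() is a
// hypothetical name. Returns a short status string instead of printing.
function validate_upload(array $file, array $blacklist, array $allowed)
{
    // PHP's own error code comes first: UPLOAD_ERR_OK (0) means a temp file
    // exists. The form's MAX_FILE_SIZE is advisory; upload_max_filesize and
    // post_max_size in php.ini are the limits that actually bind.
    if ($file['error'] !== UPLOAD_ERR_OK) {
        return 'upload error ' . $file['error'];
    }
    // basename() drops any directory part a client might send.
    $name = basename($file['name']);
    // Blacklist: preg_quote() so the "." in ".php" is a literal dot
    // (an unquoted "/$item$/i" would also match a name ending in "xphp").
    foreach ($blacklist as $item) {
        if (preg_match('/' . preg_quote($item, '/') . '$/i', $name)) {
            return 'blacklisted extension';
        }
    }
    // Allowlist: everything from the first dot, lower-cased, so that
    // "page.php.jpg" yields ".php.jpg" and is rejected, not ".jpg".
    $dot = strpos($name, '.');
    if ($dot === false) {
        return 'no extension';
    }
    $ext = strtolower(substr($name, $dot));
    if (!in_array($ext, $allowed, true)) {
        return 'extension not allowed';
    }
    // Store under a server-chosen random name: no collision with an existing
    // file and no client influence over the path that gets written.
    return 'ok: ' . bin2hex(random_bytes(8)) . $ext;
}

$blacklist = ['.php', '.phtml', '.php3', '.php4', '.php5', '.exe', '.js', '.html', '.htm', '.inc'];
$allowed   = ['.jpg', '.gif', '.bmp', '.png'];
// Constructed inputs shaped like $_FILES['file'].
$cases = [
    ['name' => 'photo.JPG',        'error' => UPLOAD_ERR_OK],
    ['name' => 'page.php',         'error' => UPLOAD_ERR_OK],
    ['name' => 'page.php.jpg',     'error' => UPLOAD_ERR_OK],
    ['name' => '../../outside.png','error' => UPLOAD_ERR_OK],
    ['name' => 'big.png',          'error' => UPLOAD_ERR_INI_SIZE],
];
foreach ($cases as $c) {
    printf("%-18s -> %s\n", $c['name'], validate_upload($c, $blacklist, $allowed));
}
```

Run it with `php` from the command line; only photo.JPG and the path-prefixed outside.png (after basename()) are accepted, each under a fresh random name.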

Have fun !!!