Creating an Upload Form using PHP for Beginners

Date Published: 08/03/2009 01:19

Uploading files via HTTP is becoming more and more common across the net. Whether you are developing a CMS for clients or colleagues to add content to their site, or you are building a profile based web app which permits users to upload their photos being able to upload files is a vital skill. This is a basic beginners guide to uploading files with PHP. Uploading files to your server can of course be a security risk so you should always take extra care when attempting these techniques. This guide does not cover specific file types so please ensure that if security is a major concern of yours that you fully test and secure your form. This guide is for education purposes only and is not intended for use in a production environment.

Creating the HTML Form

To start creating an upload form you must first make a form element with the attribute enctype="multipart/form-data" along with method="post" and set action to whatever server side script you are using to handle the uploads. Within that form element you must create 3 input tags. The first is a hidden input field with the name "MAX_FILE_SIZE". You must set the value attribute of this hidden input to the maximum file size your users are allowed to upload in bytes. The next is the upload input which is an input element with the type set to "file". Don't forget to give your upload input a name or you will not see it on the server. The last is simply a submit input to post the form to the script you have set in the action attribute. Here is an example of the above.

<form method="post" action="/file_upload.php" enctype="multipart/form-data">
   <input type="hidden" name="MAX_FILE_SIZE" value="3000000" />
   <input type="file" name="file_upload" />
   <input type="submit" name="cmdSubmit" value="Upload this File" />

Handling the Uploads Server Side

Now that we have created the upload form we must handle the file which has been uploaded. What you do with that file is up to you based on what it will be used for. If the file does not need to be accessed later by a web user I would strongly recommend saving the file somewhere which is not web accessible. Doing this ensures a user cannot upload a malicious script and then execute it by accessing it via the web. When uploading images it is possible to re-size and modify them to suit the needs of the site. This can ensure that you can regulate how much server space is taken by each image. I will cover this in a later article. For now we are just going save the uploaded file to a folder on the server which cannot be accessed via the web.

When files are uploaded to a PHP script they are stored in a global array called $_FILES. In the files array there is an array associated with each file input which was submitted. This child array contains all necessary information about there file which was uploaded. Here is a sample $_FILES array after a jpeg image called Huskys_Profile.jpg was uploaded.

   [file_upload] => Array
      [name] => Huskys_Profile.jpg
      [type] => image/jpeg
      [tmp_name] => /tmp/phpgYIz6f
      [error] => 0
      [size] => 168226

As you can see from this example the array contains 5 pieces of information for each file. The name, the mime type, the temporary name, an error ID and the file size. This array contains all the information we need to save this file permanently on our server since right now it is just living in a temporary form and will be deleted unless it is moved. The script below saves the uploaded file in a folder called "uploads" which sits just outside of the document root.

$uploaded_file = $_FILES["file_upload"]["tmp_name"];
$new_file = $_SERVER["DOCUMENT_ROOT"] . "/../uploads/" . $_FILES["file_upload"]["name"];
move_uploaded_file($uploaded_file, $new_file);

The above is a very simple script to get you started and should never be used in a production environment. There are various methods you can use to validate what is uploaded by your users which I will cover in future articles but this is just to get you going. Once you understand how files are uploaded using PHP you can then go on to handling them as you require.


Sorry comments are currently disabled for maintenence

5 Most Recent Articles

Manually Triggering Events in ASP.NET from JavaScript

A quick guide for ASP.NET developers on how to manually trigger ASP.NET events from JavaScript.

Advanced Use of MySQL Stored Procedures

An article for users of MySQL databases describing how they can use advanced stored procedures to improve efficiently in their applications.

Using MySQL Stored Procedures and Extending MySQLi in PHP

A guide for LAMP developers to using stored procedures in MySQL and extending the MySQLi class.

Reading and Writing to Excel Spreadsheets in Python

An introduction to using the xlwt and xlrd modules for python to interact with Microsoft Excel spreadsheets.

Interact with the Web Using Python and the HTTP Library

This is an introduction to making HTTP requests from a python script/application using httplib.