Sat, Jan 15, 2005 2:17 pm

Using PHP to Upload Files to a Website

You can use PHP to provide the capability for users to upload files to your website. First create an HTML file with a form for uploading a file. Specify the PHP file that will handle the uploads in the "action" part of the form.

For the form portion of the HTML file, I've named the PHP file I will use "upload.php". You must specify "POST" rather than "GET" for the form's "method" attribute. PHP on the server you are using is likely to have a maximum size for POST data of 8 MB. Look for the following lines in your php.ini file, which should be in the /etc directory on a Linux system, and adjust the size to what you consider appropriate.

; Maximum size of POST data that PHP will accept.
post_max_size = 8M

There is also another limiting factor, the maximum size for a file to be uploaded, which is controlled by upload_max_filesize in php.ini. The default value is likely to be 2 MB. When you are transmitting a file via POST using a form on a webpage, other data for other fields on the form plus the MIME headers may be transmitted along with it. So, if you wanted to be able to transmit a file of 8 MB, you would need to set the value of upload_max_filesize to 8M and make post_max_size slightly larger. But for this example, I'm simply going to set them both to 8M, since the other data I'm transmitting is fairly small.

To adjust the maximum allowed size for file uploads, look for the following lines in php.ini. You can specify the number in bytes, or in kilobytes (KB) or megabytes (MB) by putting a "K" or "M" immediately after the number. Keep in mind a kilobyte is 1,024 bytes and a megabyte is 1,024 kilobytes, so to determine the number of bytes equivalent to a certain number of MB use Bytes = MB * 1024 * 1024.

; Maximum allowed size for uploaded files.
upload_max_filesize = 2M

There are also other parameters to consider when using a form that calls a PHP script to upload files to your website. One is the memory_limit value, which will be a factor if enable-memory-limit is set. In my case, using Apache 2.0.40 and PHP 4.2.2 on a Fedora Linux system, the only parameters I needed to set in php.ini were upload_max_filesize (you can determine the versions with apachectl -v and php -v). For a complete discussion of the parameters to consider see How to optimize your PHP installation to handle large file uploads.

Once you have adjusted upload_max_filesize and post_max_size to the desired values, you may need to restart your webserver software. If you are using Apache on a Linux system you will need to do so. Use apachectl restart to restart Apache; you will need root access to do so. If you are using Apache, you will also need to put the following lines in Apache's httpd.conf, likely located in /etc/httpd/conf, before restarting Apache.

<Files *.php>
  SetOutputFilter PHP
  SetInputFilter PHP
  LimitRequestBody 8388608
</Files>

The reason you will need to add the lines above to httpd.conf is that Apache has a default limit for LimitRequestBody that restricts the size of all POST data for any scripting language used on a webpage. Some Redhat Package Manager (RPM) installations may set this value at 512 KB.

The HTML code you should use for the form portion of your HTML file is shown below.

<!-- The data encoding type, enctype, MUST be specified as below -->
<form enctype="multipart/form-data" action="upload.php" method="POST">
<!-- Name of input element determines name in $_FILES array -->
Send this file: <input name="userfile" type="file">
<input type="submit" value="Send File">
</form>

See upload.html for a complete HTML file to perform the upload.

For the PHP file, you can use the following code:

<?php
// In PHP versions earlier than 4.1.0, $HTTP_POST_FILES should be used instead
// of $_FILES.

$uploaddir = "../../uploads/";
$uploadfile = $uploaddir . basename($_FILES['userfile']['name']);

if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
   echo "File is valid, and was successfully uploaded.<br><br>";
   echo "<b>Name:</b> " . $_FILES['userfile']['name'] . "<br>";
   echo "<b>Type:</b> " . $_FILES['userfile']['type'] . "<br>";
   printf ("<b>Size:</b> %.2f KB ", $_FILES['userfile']['size'] / 1024);
   echo "(" . $_FILES['userfile']['size'] . " bytes)<br>";
}
else {
   echo '<pre>';
   echo "Possible file upload attack!\n\n";
   echo "Here is some more debugging info:\n";
   print_r($_FILES);
   print "</pre>";
}
?>

Be sure to put a "/" at the end of the directory name for the upload directory.

When a user uploads a file, it will go into whatever directory is specified as the temp directory in php.ini. If no temp directory is specified in php.ini, the file will go into the default temp directory for the system. The call to move_uploaded_file() in the PHP script then moves it into whatever directory you specified for the upload directory. You should change the permission of the upload directory to 733, e.g. chmod 733 uploads, or grant permission for the user account under which your webserver software runs, e.g. Apache, to write to this directory. I would strongly advise you to use a directory outside the document root for your website, e.g. if all of your website HTML files go under a directory named "www" under your home directory, create another directory, e.g. "uploads", at the same level as the www directory, but not underneath the "www" directory. Otherwise, if some malicious user guesses where you are placing the uploaded files, he can store a file with executable code in that directory and then use a URL which includes the name of the file he just uploaded to execute its contents.

For example, let's suppose that you are putting the uploaded files in a directory called "uploads" that lies directly beneath the one where your upload.php file resides. Someone knows or guesses that you are using a directory with that name underneath the one containing the upload.php file. He then creates a file with PHP code within it and uploads it to your webserver. Let's suppose your upload.html file is at http://somewhere.com/files/upload.html and the upload.php file is at http://somewhere.com/files/upload.php. The malicious user puts the code below in showinfo.php and then uploads it. He knows it went into a directory called "uploads" beneath the "files" directory. He can then use the URL http://somewhere.com/files/showinfo.php to execute the PHP file he just put on the site.

<?php

$files = `ls -la`;
$users = `who`;

echo "<pre>";
echo "Directory \n";
echo $files . "\n";
echo "Users \n";
echo $users . "\n";
echo "</pre>";

?>

The code above is relatively innocuous. On a Unix or Linux system, it will only display all files in the directory where it is located and a list of the users logged into the system. But code could just as easily be inserted to replace or delete files, including system files, so it is important to protect yourself against malicious individuals wishing to do damage to your system or compromise it. So put the uploaded files in a location where no one can execute the files.
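A hardened version of upload.php that applies the advice in this section (an added example, not code from the original post). It assumes PHP 7 or later, an "uploads" directory two levels above the script and outside the web root, and the allow-list of extensions shown; adjust these to your own layout.

```php
<?php
// Added example: a hardened upload.php. Assumptions: PHP 7+, uploads stored in
// an "uploads" directory two levels above this script (outside the web root),
// and only the extensions in $allowed are wanted.
$uploaddir = dirname(__DIR__, 2) . '/uploads/';   // assumed location, not under "www"
$maxbytes  = 8 * 1024 * 1024;                     // matches upload_max_filesize = 8M
$allowed   = array('txt', 'pdf', 'png', 'jpg');   // allow-list; no .php, .phtml, etc.

function reject($msg) {
    http_response_code(400);
    echo htmlspecialchars($msg);
    exit;
}

if (!isset($_FILES['userfile']) || $_FILES['userfile']['error'] !== UPLOAD_ERR_OK) {
    reject('Upload failed or no file sent.');
}
$f = $_FILES['userfile'];

// Enforce a size cap in the script as well, independent of php.ini.
if ($f['size'] <= 0 || $f['size'] > $maxbytes) {
    reject('File too large.');
}

// The client-supplied name and MIME type are attacker-controlled, so only the
// lower-cased extension is consulted, and only against the allow-list.
$ext = strtolower(pathinfo($f['name'], PATHINFO_EXTENSION));
if (!in_array($ext, $allowed, true)) {
    reject('File type not permitted.');
}

// Never reuse the client's file name: a random name means the uploader cannot
// pick a path (e.g. showinfo.php) or overwrite someone else's upload.
$newname = bin2hex(random_bytes(16)) . '.' . $ext;
$target  = $uploaddir . $newname;

if (!is_uploaded_file($f['tmp_name']) || !move_uploaded_file($f['tmp_name'], $target)) {
    reject('Could not store the file.');
}
chmod($target, 0640);   // stored file is data, not executable

echo 'Stored as ' . htmlspecialchars($newname) . ' (' . (int)$f['size'] . " bytes)\n";
?>
```

Because the file lands outside the document root under a name the uploader did not choose, a request for the original file name (as in the showinfo.php scenario above) has nothing to execute.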

You may also wish to password protect the directory where the upload.php file is located, so that you can limit who will be able to upload files.

References:

  1. Chapter 38. Handling file uploads
  2. File Uploads (tutorial)
  3. How do I do html form file uploads
  4. How to optimize your PHP installation to handle large file uploads
  5. ini_get (finding post_max_size)
