PHP allows files to be uploaded to the server by users via the web browser using an HTML form (form input is covered in the HTML Forms Input and Textarea tutorial).
Note: Allowing users to upload files to your server presents a security risk. Never allow executable files to be uploaded and make sure you understand all the potential risks and how to guard against them.
The HTML form element requires three attributes.
enctype="multipart/form-data" - this specifies the content type.
action="file_handling_script.php" - this is the name of the script that will handle the file data.
method="post" - the post method is used.
The attribute type of the input element is set to file and the name attribute is set to a name that will be used by the file handling script to identify the uploaded file.
The input element displays a text box and browse button to allow the user to either enter the path to the file or to browse for the file on their machine.
When the file is uploaded it's placed in a temporary directory by the server and is deleted when the script ends, unless something is done to handle it.
Information about the uploaded file can be found in the global variable $_FILES, an associative array.
Note: If your version of PHP is earlier than 4.1.0 then use $_HTTP_POST_FILES.
The first key of the associative array is the name that was used in the HTML form - in this case 'userfile'.
$_FILES['userfile']['name'] - 'name' is the original name of the file on the user's machine.
$_FILES['userfile']['tmp_name'] - 'tmp_name' is the temporary name of the file on the server.
$_FILES['userfile']['type'] - 'type' is the mime type of the uploaded file e.g. "image/gif".
$_FILES['userfile']['size'] - 'size' is the size in bytes of the uploaded file.
$_FILES['userfile']['error'] - 'error' is an error code associated with the file upload (available from PHP 4.2.0 onwards).
Once a file has been uploaded you have choices about what you will do with it. You may want to perform file operations on it or move it to somewhere on the server as is.
Security Considerations
Whatever you decide to do with the file, before you do it, you must test for a malicious upload that could wreak havoc on your server.
Using is_uploaded_file()
If you intend to perform file operations on the file rather than move it to somewhere on the server as is, then you should use this function, which returns TRUE only if the file was actually uploaded to the server via the POST request.
Example of is_uploaded_file()
<?php
// is_uploaded_file() takes the temporary file name that PHP assigned to the upload
if (is_uploaded_file($_FILES['userfile']['tmp_name']))
{
    // The file is OK so perform file operations
}else{
    echo ('There was an error');
    exit;
}
?>
Using move_uploaded_file()
This function also checks that the file was actually uploaded to the server via the POST request (it returns FALSE and does nothing otherwise), so if it is used, is_uploaded_file() is not required.
As well as the temporary file name argument it shares with is_uploaded_file(), a further argument is required. This holds the file name and path on the server where the file is to be placed.
However, before a file is moved a check should be made on the size and type of the file. A huge file could overwhelm your server, and an executable file could be uploaded and then run on the server simply by requesting it from a browser.
For example, if the user is required to upload a .jpg file then only allow this type; if various types are allowed then check for each with a switch statement.
Example of move_uploaded_file()
<?php
// Check the file size
if ($_FILES['userfile']['size'] > 655367)
{
    echo ('File size too large!');
    exit;
}
// Check the file type
// Note: 'type' is reported by the browser and can be forged, so the file
// contents should be inspected as well before trusting it
if ($_FILES['userfile']['type'] != 'image/pjpeg')
{
    echo ('Invalid file type!');
    exit;
}
// move_uploaded_file() takes the temporary name and the destination path
if (move_uploaded_file($_FILES['userfile']['tmp_name'], 'images/photo.jpg'))
{
    echo ('Your file has been uploaded.');
}else{
    echo ('There was an error with your file!');
}
?>
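As an added example that is not part of the original tutorial, the checks above combined into one handler for the 'userfile' field: the error code is inspected first, the type is taken from the file contents rather than the browser-supplied 'type' entry, and the stored file gets a server-chosen name. It assumes an upload directory $uploadDir that exists, is writable, and is not served as executable content by the web server.

```php
<?php
// Added example (not from the original tutorial). Assumed: the form posts the
// 'userfile' field to this script and $uploadDir is an existing, writable
// directory that the web server does not execute scripts from.

$uploadDir = __DIR__ . '/uploads';   // assumed location
$maxBytes  = 655367;                 // same limit as the tutorial's example
// Accepted content types, each mapped to the extension we will store it under
$allowed   = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

if (!isset($_FILES['userfile'])) {
    http_response_code(400);
    exit('No file field in the request.');
}
$file = $_FILES['userfile'];

// 1. Check the error code first; the other entries mean nothing unless it is UPLOAD_ERR_OK
if ($file['error'] !== UPLOAD_ERR_OK) {
    http_response_code(400);
    exit('Upload failed with error code ' . (int) $file['error']);
}
// 2. Enforce our own size limit (upload_max_filesize in php.ini caps it earlier)
if ($file['size'] > $maxBytes) {
    http_response_code(413);
    exit('File size too large!');
}
// 3. Confirm PHP really received this file via POST, not some other path on disk
if (!is_uploaded_file($file['tmp_name'])) {
    http_response_code(400);
    exit('There was an error');
}
// 4. Determine the type from the file's contents; $file['type'] is set by the browser
$finfo = new finfo(FILEINFO_MIME_TYPE);
$mime  = $finfo->file($file['tmp_name']);
if (!isset($allowed[$mime])) {
    http_response_code(415);
    exit('Invalid file type!');
}
// 5. Never reuse $file['name'] on disk: random name plus the extension we chose
$target = $uploadDir . '/' . bin2hex(random_bytes(16)) . '.' . $allowed[$mime];

if (!move_uploaded_file($file['tmp_name'], $target)) {
    http_response_code(500);
    exit('There was an error with your file!');
}
echo 'Your file has been uploaded.';
```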