
How to build a simple PHP upload form




I will try to explain a simple way to create a PHP upload form. This is only an example, and you should know that I cannot guarantee it is the best way to upload files. I like this approach because I can easily see each part of the checking, and I can change or improve a check at any moment. Of course, you can always look on the Internet for more about file uploading and security.

Now we can start. First of all you need two files (uploadform.php and uploadfile.php). The first one gives us the option to upload a file from our computer, and the second one processes, checks and saves the uploaded file. I created both in the root folder of my site.

Here is the simple code for uploadform.php:
Code:
<?php
session_start();
// security part
$_SESSION['name'] = session_id();
?>
<html>
<head>
<title>Upload form</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
</head>
<body bgcolor="#FFFFFF" text="#000000">
<form enctype="multipart/form-data" action="uploadfile.php" method="post">
<?php
// display messages
echo @$message;
?>
Upload this file: <input name="upload_file" type="file" />
<input type="submit" value="Upload" />
</form>
</body>
</html>

As you can see, at the top of the page there is one PHP script. This script helps us with a simple security check and with communication between uploadform.php and uploadfile.php. The second PHP script (in the form) displays messages.

Now we can create uploadfile.php. Here we must do a few different kinds of processing and checking before we save the chosen file. In most situations I define three things that are important to me before I start checking: the place where I will redirect users if the file is uploaded or an error occurs (I always go back to the form), the destination where I will save files, and the maximum file size.
Code:
<?php
session_start();

// redirect path
$redirect = "http://your_site.com/uploadform.php";
// saving destination (folder)
$save = "upload";
// max file size
$size = 300000;
?>

Then we can do the first security check. In uploadform.php we set $_SESSION['name'] to the session_id. Now we can check whether the session_id in uploadfile.php is the same as the session_id in uploadform.php. If it is not, the user is redirected back to the form.
Code:
if($_SESSION['name'] != session_id()){
$_SESSION['message'] = 1;
header("Location:$redirect");
exit;
}
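
The check above passes for any request that carries the session cookie of a visitor who has opened the form. An added example (not part of the original tutorial) that ties each POST to the rendered form with a random, single-use token; the function names and the upload_token field are assumptions:

```php
<?php
// Added example, not from the original tutorial.
// Function names and the 'upload_token' key/field are hypothetical.
// Requires PHP 7+ for random_bytes().
session_start();

// Call in uploadform.php: create a fresh random token and keep it in the session.
function issue_upload_token(): string
{
    $_SESSION['upload_token'] = bin2hex(random_bytes(32));
    return $_SESSION['upload_token'];
}

// Call in uploadfile.php: compare the posted token with the stored one.
function check_upload_token($submitted): bool
{
    $expected = $_SESSION['upload_token'] ?? '';
    unset($_SESSION['upload_token']);            // single use
    return is_string($submitted)
        && $expected !== ''
        && hash_equals($expected, $submitted);   // constant-time comparison
}

// uploadform.php, inside the <form> (the token is hex, so it is safe to print):
//   echo '<input type="hidden" name="upload_token" value="'
//        . issue_upload_token() . '" />';
//
// uploadfile.php, in place of the session_id() comparison:
//   if (!check_upload_token($_POST['upload_token'] ?? null)) {
//       $_SESSION['message'] = 1;
//       header("Location:$redirect");
//       exit;
//   }
```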

Next we check the file size and upload errors, for example if the user didn't choose a file.
Code:
if(@$_FILES["upload_file"]["size"] > $size || $_FILES["upload_file"]["error"] > 0){
$_SESSION['message'] = 2;
header("Location:$redirect");
exit;
}

My next check is whether the file name contains two or more dots (e.g. somefile.exe.jpg). Maybe this is unnecessary but I like to do it. This is my second security check.
Code:
if(substr_count($_FILES["upload_file"]["name"], ".") > 1){
$_SESSION['message'] = 3;
header("Location:$redirect");
exit;
}

OK, we are finished with the first few checks, but this is not all. Next we must check whether a file with the same name as the uploaded file already exists.
Code:
if(file_exists($save . "/" . $_FILES["upload_file"]["name"])) {
$_SESSION['message'] = 4;
header("Location:$redirect");
exit;
}

Now we are near the end of uploadfile.php. Here we can include one more security check, and if the file passes it we can save it in the chosen directory. We will check the type of the file in two different ways.
Code:
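// extension = text after the last dot (empty if the name has no dot)
$ext = pathinfo($_FILES["upload_file"]["name"], PATHINFO_EXTENSION);
// both the browser-reported type and the extension must say JPEG
if($_FILES["upload_file"]["type"] != "image/jpeg" || $ext != "jpg") {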
$_SESSION['message'] = 5;
header("Location:$redirect");
exit;
} else {
move_uploaded_file($_FILES["upload_file"]["tmp_name"], $save . "/" . $_FILES["upload_file"]["name"]);
$_SESSION['message'] = 6;
header("Location:$redirect");
exit;
}

As you can see, before this last (type) check you can include other checks. This is the simplest way to improve the script for your needs. You can find the full code of uploadfile.php at the end of the page.
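
One such additional check, as an added example that is not part of the original tutorial: the file's type is read from its contents rather than from the browser-supplied name and type, and the file is saved under a server-generated name. The function name validate_jpeg_upload() is an assumption, and the code needs the fileinfo extension and PHP 7 or later.

```php
<?php
// Added example, not from the original tutorial. validate_jpeg_upload() is a
// hypothetical helper; it needs the fileinfo extension and PHP 7+.
function validate_jpeg_upload(array $file, string $saveDir, int $maxSize): string
{
    // The upload must have completed without error and be within the size limit.
    if (!isset($file['error'], $file['tmp_name'], $file['size'])
        || $file['error'] !== UPLOAD_ERR_OK
        || $file['size'] > $maxSize) {
        throw new RuntimeException('Upload failed or file too large.');
    }
    // The temporary file must really come from this request's HTTP upload.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file.');
    }
    // Read the type from the file contents, not from $file['type'] or the name.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file['tmp_name']) !== 'image/jpeg') {
        throw new RuntimeException('File content is not JPEG.');
    }
    // getimagesize() must also be able to parse it as a JPEG image.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info[2] !== IMAGETYPE_JPEG) {
        throw new RuntimeException('Not a readable JPEG image.');
    }
    // Save under a random server-chosen name with a fixed extension, so the
    // client's file name never reaches the file system.
    $target = rtrim($saveDir, '/') . '/' . bin2hex(random_bytes(16)) . '.jpg';
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Could not save the file.');
    }
    return $target;
}

// Usage in uploadfile.php, in place of the last check ($save and $size as above):
//   try {
//       validate_jpeg_upload($_FILES['upload_file'] ?? [], $save, $size);
//       $_SESSION['message'] = 6;
//   } catch (RuntimeException $e) {
//       $_SESSION['message'] = 5;
//   }
//   header("Location:$redirect");
//   exit;
```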

But before the end we must improve uploadform.php a little. With switch/case we will choose and display the right message depending on which number uploadfile.php sends back to uploadform.php. As you can see, we don't need to send this information with POST or GET. Sessions do the big job for us.
Code:
//messages part
switch(@$_SESSION['message']) {
case "1": $message = "Sorry, some error occur! <br />"; break;
case "2": $message = "Sorry, you can upload only files up to 300 Kb. <br />"; break;
case "3": $message = "Sorry, file cannot contain two or more dots in the name. <br />"; break;
case "4": $message = "Sorry, file with same name already exist. <br />"; break;
case "5": $message = "Sorry, your file haven't jpg extension. <br />"; break;
case "6": $message = "Your file has been submitted successfully. <br />"; break;
default: $message = "";
}

That is the end. Below is the full code for both pages:
uploadform.php
Code:
<?php
session_start();

// security part
$_SESSION['name'] = session_id();

//messages part
switch(@$_SESSION['message']) {
case "1": $message = "Sorry, some error occur! <br />"; break;
case "2": $message = "Sorry, you can upload only files up to 300 Kb. <br />"; break;
case "3": $message = "Sorry, file cannot contain two or more dots in the name. <br />"; break;
case "4": $message = "Sorry, file with same name already exist. <br />"; break;
case "5": $message = "Sorry, your file haven't jpg extension. <br />"; break;
case "6": $message = "Your file has been submitted successfully. <br />"; break;
default: $message = "";
}
unset($_SESSION['message']);
?>
<html>
<head>
<title>Upload form</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
</head>

<body bgcolor="#FFFFFF" text="#000000">
<form enctype="multipart/form-data" action="uploadfile.php" method="post">
<?php
// display messages
echo @$message;
?>
Upload this file: <input name="upload_file" type="file" />
<input type="submit" value="Upload" />
</form>
</body>
</html>


uploadfile.php
Code:
<?php
session_start();
// show all errors while testing (turn display_errors off on a live site)
error_reporting(E_ALL);
ini_set("display_errors", "1");

// redirect path
$redirect = "http://your_site.com/uploadform.php"; // type here right URL
// saving destination
$save = "upload";
// max size
$size = 300000;

// first security check
if(@$_SESSION['name'] != session_id()){
$_SESSION['message'] = 1;
header("Location:$redirect");
exit;
}

// check file size and errors in uploading
if(@$_FILES["upload_file"]["size"] > $size || $_FILES["upload_file"]["error"] > 0){
$_SESSION['message'] = 2;
header("Location:$redirect");
exit;
}

// check for more then one dot in the name
if(substr_count($_FILES["upload_file"]["name"], ".") > 1){
$_SESSION['message'] = 3;
header("Location:$redirect");
exit;
}

// check names of existing files
if(file_exists($save . "/" . $_FILES["upload_file"]["name"])) {
$_SESSION['message'] = 4;
header("Location:$redirect");
exit;
}

// check is it file right type
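// extension = text after the last dot (empty if the name has no dot)
$ext = pathinfo($_FILES["upload_file"]["name"], PATHINFO_EXTENSION);
// both the browser-reported type and the extension must say JPEG
if($_FILES["upload_file"]["type"] != "image/jpeg" || $ext != "jpg") {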
$_SESSION['message'] = 5;
header("Location:$redirect");
exit;
} else {
move_uploaded_file($_FILES["upload_file"]["tmp_name"], $save . "/" . $_FILES["upload_file"]["name"]);
$_SESSION['message'] = 6;
header("Location:$redirect");
exit;
}
?>

Good luck,
Sonam



8 blog comments below

Thanks a lot for this tutorial man. I was looking for something like this since I lost my old script. Thanks a lot.
mtorregiani on Sat Oct 20, 2007 5:51 pm
You are welcome, I am happy if this tutorial helps you.
sonam on Mon Oct 22, 2007 5:45 am
Page bookmarked! This isn't something I can just have a glance over and remember so I'll come back to it if and when I ever need to use php uploading - which I may, we'll have to see. It's a great guide, thanks.
ninjakannon on Tue Oct 23, 2007 7:48 pm
Quote:
It's a great guide, thanks.


He, he, he, with my bad English.
sonam on Sat Oct 27, 2007 12:50 am
Great guide indeed.

However, I was wondering. Could you post some additional code, so if you upload a file, the message "file uploaded successfully" appears and it also displays the location of the file
eg: http://www.host.com/uploadfolder/file.jpg

I need a way to do this and I hope you can give me one

cheers
wout000 on Mon Oct 29, 2007 10:29 am
Just so you know (@ wout000), using your proposed script on Frihost wouldn't be allowed.
mathiaus on Mon Oct 29, 2007 12:18 pm
I have copied this script and executed it. It works perfectly! But now, I'm looking for something based on phpOO. I mean the POO.
ordi on Thu Jun 04, 2009 4:53 pm
Sorry but I cannot help you with poo.
sonam on Thu Jun 04, 2009 9:32 pm


