Uploading Files Securely with PHP
Illustration by Don Barnett

Uploading Files Securely with PHP

with David Powers

Video: Displaying the server limits

To make the file upload form more user-friendly, it's a If that doesn't exist, we need to create it by querying the server configuration max_file_uploads will be a number, but post_max_size could be stored either So what we need to do is to use one of That's followed by two colons and then convertToBytes.
Expand all | Collapse all
  1. 4m 49s
    1. Welcome
      57s
    2. What you should know before watching this course
      2m 0s
    3. Using the exercise files
      1m 52s
  2. 33m 2s
    1. How PHP handles file uploads
      6m 16s
    2. Examining the $_FILES array
      5m 8s
    3. Setting the maximum file size
      5m 36s
    4. Preparing the upload folder
      3m 18s
    5. Moving the file to its destination
      6m 51s
    6. Limitations on file uploads
      5m 53s
  3. 47m 3s
    1. Planning the class's features
      3m 15s
    2. Creating and using a namespaced class
      5m 25s
    3. Creating the class constructor
      7m 26s
    4. Getting a reference to the uploaded file
      5m 9s
    5. Checking the error level
      5m 7s
    6. Displaying errors and other messages
      4m 51s
    7. Setting and checking the maximum file size
      7m 19s
    8. Strengthening the setMaxSize() method
      8m 31s
  4. 35m 30s
    1. Restricting acceptable MIME types
      5m 27s
    2. Removing spaces from file names
      5m 21s
    3. Restricting acceptable file-name extensions
      6m 10s
    4. Neutralizing potentially dangerous uploads
      5m 54s
    5. Renaming files with duplicate names
      7m 58s
    6. Moving the file to its destination
      4m 40s
  5. 10m 25s
    1. Understanding how the $_FILES array handles multiple files
      4m 42s
    2. Adapting the class to handle both single and multiple uploads
      5m 43s
  6. 38m 15s
    1. Overview of the UploadFile class
      5m 9s
    2. Setting up to use the class
      4m 11s
    3. Using the class
      8m 12s
    4. Reporting errors with multiple uploads
      4m 0s
    5. Displaying the server limits
      4m 51s
    6. Alerting the user about exceeding the server limits
      6m 14s
    7. Changing the class's defaults
      5m 38s
  7. 1m 38s
    1. Goodbye
      1m 38s

Start your free trial now, and begin learning software, business and creative skills—anytime, anywhere—with video instruction from recognized industry experts.

Start Your Free Trial Now
please wait ...
Watch the Online Video Course Uploading Files Securely with PHP
2h 50m Intermediate Feb 24, 2014

Viewers: in countries Watching now:

The basic process of uploading files with PHP is very simple, but there are security implications that many people are unaware of. This course shows how to create a secure custom PHP class that can handle both single-file and multi-file uploads. Author David Powers shows you how to create a file upload class that checks the size, type, and names of files, renaming them when it encounters a duplicate file name. He'll show you how to make the class report on the outcome of the upload process and the nature of any errors that occur, and how to prevent the user from uploading files that exceed the server limits.

At the end of this course, you'll have a robust, flexible class that can be incorporated into many projects (including web forms) with just a few lines of code.

Topics include:
  • How PHP handles file uploads
  • Setting the maximum file size
  • Moving the file to its destination
  • Creating and using a namespaced class
  • Displaying error messages
  • Restricting unacceptable MIME types and file extensions
  • Using the class
  • Reporting errors
  • Altering the user
Subject:
Developer
Software:
PHP
Author:
David Powers

Displaying the server limits

To make the file upload form more user-friendly, it's a good idea to display the server limits in the web page. You can do this by checking the server configuration, and then hard coding the values into the page. But actually, we've got all the tools necessary to get the values dynamically. Rather than querying the server each time the page loads, let's store the values as session variables. So, we'll need to initialize a session, and then we need to check if one of the session variables is being set.

We only need to check one because if one hasn't been set, none of them will have been. So, if and not isset, and what we're looking for is SESSION. And we'll look for maxfiles. If that doesn't exist, we need to create it by querying the server configuration and getting the value of max_file_uploads. So, SESSION maxfiles, and then we can use ini_get and it's the max_file_uploads that we are looking for. Then another SESSION variable, call this one postmax.

And we'll use that to get the value of post_max_size. max_file_uploads will be a number, but post_max_size could be stored either as bytes or using shorthand, such as 8M for eight megabytes. So to display it in a user-friendly way, we need to make sure that it's first in bytes, and then we can convert it to a user-friendly format. So what we need to do is to use one of the upload file classes static method to convert it to bytes.

At the moment, the class definition is being included only when the form has been submitted. So we need to move the include command from line 12, which is inside that conditional statement, and put it up after session_start. So, we can now call these static methods. So, let's insert our cursor here. And then we're looking for UploadFile. That's followed by two colons and then convertToBytes.

The value that we're going to convert is this ini_get post_max_size. So cut that and move it between these parentheses. So now we've got the value in bytes. We can convert it to a user-friendly format. So let's create another SESSION variable. And we'll call this one displaymax. And we'll use the UploadFile static method convertFromBytes. And the value that we will pass to it is SESSION postmax.

So now we've got post_max_size expressed both as bytes and in a user-friendly format. If you're wondering why we're saving post_max_size as a SESSION variable, it's because it will be useful in the next video to check whether the user has exceeded the server limit. So, we've now got the values here, we can display the values in an unordered list after the file input field. So let's scroll down to the file input field. And there it is, it's on line 54.

So we'll insert the unordered list between the two paragraphs. And to save a little bit of time, I'm going to paste my unordered list from a text file that I've created. And you can find a copy of the text file in the Exercise Files for this video. So let's just paste that in there. And what we've got here, the first list item up to, and then the number of max files can be uploaded simultaneously. Then the next one. Each file should be no more than, and then we use the static convertFromBytes method to convert max into the maximum size for an individual file.

And then we're using displaymax to show the maximum size of all the files that can be uploaded. So if we just save that and then run it in a browser, we're now displaying these values here. Up to 20 files can be uploaded simultaneously. Each file should be no more than 50 kilobytes, and the combine total should not exceed eight megabytes. So that is much more user-friendly. The upload form is now more informative, but it would be even more so if it actively alerted users when their selections of files exceeds the server limits.

We'll deal with that next.

There are currently no FAQs about Uploading Files Securely with PHP.

 
Share a link to this course

What are exercise files?

Exercise files are the same files the author uses in the course. Save time by downloading the author's files instead of setting up your own files, and learn by following along with the instructor.

Can I take this course without the exercise files?

Yes! If you decide you would like the exercise files later, you can upgrade to a premium account any time.

Become a member Download sample files See plans and pricing

Please wait... please wait ...
Upgrade to get access to exercise files.

Exercise files video

How to use exercise files.

Learn by watching, listening, and doing, Exercise files are the same files the author uses in the course, so you can download them and follow along Premium memberships include access to all exercise files in the library.


Exercise files

Exercise files video

How to use exercise files.

For additional information on downloading and using exercise files, watch our instructional video or read the instructions in the FAQ .

This course includes free exercise files, so you can practice while you watch the course. To access all the exercise files in our library, become a Premium Member.

* Estimated file size

Are you sure you want to mark all the videos in this course as unwatched?

This will not affect your course history, your reports, or your certificates of completion for this course.


Mark all as unwatched Cancel

Congratulations

You have completed Uploading Files Securely with PHP.

Return to your organization's learning portal to continue training, or close this page.


OK
Become a member to add this course to a playlist

Join today and get unlimited access to the entire library of video courses—and create as many playlists as you like.

Get started

Already a member ?

Exercise files

Learn by watching, listening, and doing! Exercise files are the same files the author uses in the course, so you can download them and follow along. Exercise files are available with all Premium memberships. Learn more

Get started

Already a Premium member?

Exercise files video

How to use exercise files.

Ask a question

Thanks for contacting us.
You’ll hear from our Customer Service team within 24 hours.

Please enter the text shown below:

The classic layout automatically defaults to the latest Flash Player.

To choose a different player, hold the cursor over your name at the top right of any lynda.com page and choose Site preferences from the dropdown menu.

Continue to classic layout Stay on new layout
Exercise files

Access exercise files from a button right under the course name.

Mark videos as unwatched

Remove icons showing you already watched videos if you want to start over.

Control your viewing experience

Make the video wide, narrow, full-screen, or pop the player out of the page into its own window.

Interactive transcripts

Click on text in the transcript to jump to that spot in the video. As the video plays, the relevant spot in the transcript will be highlighted.

Learn more, save more. Upgrade today!

Get our Annual Premium Membership at our best savings yet.

Upgrade to our Annual Premium Membership today and get even more value from your lynda.com subscription:

“In a way, I feel like you are rooting for me. Like you are really invested in my experience, and want me to get as much out of these courses as possible this is the best place to start on your journey to learning new material.”— Nadine H.

Thanks for signing up.

We’ll send you a confirmation email shortly.


Sign up and receive emails about lynda.com and our online training library:

Here’s our privacy policy with more details about how we handle your information.

Keep up with news, tips, and latest courses with emails from lynda.com.

Sign up and receive emails about lynda.com and our online training library:

Here’s our privacy policy with more details about how we handle your information.

   
submit Lightbox submit clicked
Terms and conditions of use

We've updated our terms and conditions (now called terms of service).Go
Review and accept our updated terms of service.