The basic process of uploading files with PHP is very simple, but there are security implications that many people are unaware of. This course shows how to create a secure custom PHP class that can handle both single-file and multi-file uploads. Author David Powers shows you how to create a file upload class that checks the size, type, and names of files, renaming them when it encounters a duplicate file name. He'll show you how to make the class report on the outcome of the upload process and the nature of any errors that occur, and how to prevent the user from uploading files that exceed the server limits.
At the end of this course, you'll have a robust, flexible class that can be incorporated into many projects (including web forms) with just a few lines of code.
We've created a form with a file input field, and we're now ready to start processing the file when the form is submitted. We'll begin by examining the contents of the superglobal array that PHP uses to handle file uploads. The action attribute reloads the page when the form is submitted. So let's create a PHP code block above the DOCTYPE to handle the form data. We want the code in this code block to be executed only after the form has been submitted. The name of the submit button is upload.
And we're using the post method. So the condition here needs to be if isset, and we're looking for the POST superglobal array, and the name of that submit button, upload. So we can now add our code inside that conditional block. Now although the form is submitted using the post method, the file is in a separate superglobal array called $_FILES. And we can use print_r to examine the contents of the $_FILES array.
To make it easier to read, we'll format it using some HTML, a pair of pre tags. So echo, then pre, then we can use print_r. And the $_FILES superglobal array, in common with other superglobals, starts with an underscore after the $, and then it's all in upper case, FILES. And then we need that closing pre tag. So if we save that and run the page, we can select a file by clicking the Choose File button. It doesn't matter which file you choose.
And then submit the form using Upload File. And there are the contents of the $_FILES superglobal array displayed. Let's just zoom in a little bit so we can see it more easily. The $_FILES superglobal array is a multi-dimensional associative array. The first element there is filename, which was the name that we gave to the file input field. And that contains another array with five elements: name, which is the name of the file; type, which is usually the MIME type;
tmp_name, which is the temporary name and location of the file when it's uploaded by PHP; error, the error code, which in this case is 0, meaning there's no error at all; and then size, expressed in bytes. So this is vital information for handling the uploaded file. The only thing that you can't rely on 100% is the value of type. That's what the browser reports as being the file's type. It's usually the MIME type, but not always.
But let's see what happens when you submit the form without selecting a file. So let's just click Upload File. The $_FILES array is still there, because we've got that file input field in the form called filename. But the first three elements of the subarray are empty. And the error is 4, which means that no file was selected. And quite naturally, because no file was selected, its size is 0 bytes. So clearly, it's important to check the error code before trying to process an uploaded file.
The only purpose of the form in this page is to upload a file, but you might have a form with other fields, where uploading a file is optional. So we've seen two error codes, but there are eight of them altogether. So let's examine what they are. As we've already seen, zero means the file was uploaded successfully. Error codes one and two mean the file was too big. In the case of error code one, it means it exceeds the size set in the upload_max_filesize directive in the PHP configuration.
On the other hand, error code two means it was bigger than the value specified in a hidden form field. We'll look at both of these later in the chapter. Error code three means the file was only partially uploaded. As we've just seen, four means no file was selected for upload. There's no error code five, but six means the server doesn't have a temporary upload folder. And seven means PHP couldn't write the file to disk. The final error code eight means that a PHP extension prevented the file from being uploaded. However, there's no way of identifying which extension was responsible. So those are the eight error codes.
Let's just return to the browser and refresh our memory about what the $_FILES superglobal array contains. If you get error code four, that means that no file has been selected, so let's just select another file and test that. What we get in the $_FILES superglobal array is the name of the file; its type, which is usually the MIME type, but is sometimes a guess by the browser; the temporary name where it's stored; the error code; and the size in bytes.
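
The two checks this walkthrough argues for, reading the error code first and not trusting the browser-reported type, are shown together below. This is an added example, not the course's own code. The function name `checkUpload`, the allowed-type list and the sample arrays are assumptions made for illustration, and it relies on PHP's fileinfo extension being enabled.

```php
<?php
// Added example: classify one entry of $_FILES by its error code, then
// detect the content type on the server instead of trusting 'type'.

function checkUpload(array $file, array $allowedTypes): array
{
    // Messages for the error codes listed in the transcript (there is no code 5).
    $errors = [
        UPLOAD_ERR_INI_SIZE   => 'File exceeds upload_max_filesize.',
        UPLOAD_ERR_FORM_SIZE  => 'File exceeds the limit set in the form.',
        UPLOAD_ERR_PARTIAL    => 'File was only partially uploaded.',
        UPLOAD_ERR_NO_FILE    => 'No file was selected.',
        UPLOAD_ERR_NO_TMP_DIR => 'Server has no temporary upload folder.',
        UPLOAD_ERR_CANT_WRITE => 'PHP could not write the file to disk.',
        UPLOAD_ERR_EXTENSION  => 'A PHP extension stopped the upload.',
    ];
    // A multi-file field makes 'error' an array; this function handles one file.
    if (!isset($file['error']) || is_array($file['error'])) {
        return [false, 'Malformed upload data.'];
    }
    if ($file['error'] !== UPLOAD_ERR_OK) {
        return [false, $errors[$file['error']] ?? 'Unknown upload error.'];
    }
    // Detect the MIME type from the file contents; 'type' is browser-supplied.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($detected, $allowedTypes, true)) {
        return [false, "Type $detected not allowed (browser said {$file['type']})."];
    }
    return [true, "Accepted {$file['size']} bytes of $detected."];
}

// Constructed sample data shaped like $_FILES['filename'], so this runs from the CLI.
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, "plain text pretending to be an image\n");
$samples = [
    ['name' => '', 'type' => '', 'tmp_name' => '', 'error' => 4, 'size' => 0],
    ['name' => 'photo.png', 'type' => 'image/png', 'tmp_name' => $tmp,
     'error' => 0, 'size' => filesize($tmp)],
];
foreach ($samples as $sample) {
    [$ok, $message] = checkUpload($sample, ['image/png', 'image/jpeg']);
    echo ($ok ? 'OK: ' : 'Rejected: ') . $message . PHP_EOL;
}
unlink($tmp);
```

In a real request handler, pass `$_FILES['filename']` instead of the sample arrays, and store an accepted file with `move_uploaded_file()`, which refuses any path that did not come from an HTTP upload.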