The basic process of uploading files with PHP is very simple, but there are security implications that many people are unaware of. This course shows how to create a secure custom PHP class that can handle both single-file and multi-file uploads. Author David Powers shows you how to create a file upload class that checks the size, type, and names of files, renaming them when it encounters a duplicate file name. He'll show you how to make the class report on the outcome of the upload process and the nature of any errors that occur, and how to prevent the user from uploading files that exceed the server limits.
At the end of this course, you'll have a robust, flexible class that can be incorporated into many projects (including web forms) with just a few lines of code.
File uploads are controlled by several PHP configuration directives. So it's a good idea to run phpinfo to see what limitations apply to your server's setup. I've got phpinfo in this file here, so let's just run it in a browser. And these are the configuration settings for my server. All the directives that relate to uploads are in the Core section close to the top. So let's just scroll down to find it. Here's the Core section. And the most important directive for file uploads is called file_uploads.
It's this one here. And of course, it goes without saying that this must be on for file uploads to work. The other directives are spread out in different parts of this Core list. So to make it easier to focus, I've listed them all together. Both file_uploads and upload_tmp_dir can be changed only by the server administrator in the main server configuration files. upload_tmp_dir controls where uploaded files are stored temporarily before being processed.
This normally defaults to the server's main temporary directory. If it points to a different location, the folder must be writable by PHP. The remaining directives can be changed individually in an htaccess file on an Apache server, or in a user.ini file when PHP is running as FastCGI. max_file_uploads controls the maximum number of files that can be uploaded in a single operation. The default is 20.
If the maximum is exceeded, files over that limit are simply discarded without warning. Originally the value of max_file_uploads needed to be changed in the main PHP configuration, but it's been individually configurable since PHP 5.4. The limit on the size of individual files is set by upload_max_filesize; by default, it's two megabytes. But the overall limit is controlled by post_max_size, which is normally eight megabytes.
So although you can theoretically upload 20 files at a time, the actual limit will be considerably fewer if they're big. In fact, if the files are exactly two megabytes each, you'll be able to upload only three, not four. This is because post_max_size covers all POST data, and you need a few bytes for the upload form itself. max_input_time controls how long a script can spend receiving form input, including file uploads.
It's measured from the time all the data has been received by the server to the start of script execution. In some cases, this could cause large or multiple uploads to time out. Another time limit is set by max_execution_time, which defaults to 30 seconds. Again, the clock starts ticking only after the files have completed uploading. This is likely to affect you if you're doing a lot of heavy processing on files after they've been uploaded, for example, using the GD extension to process images.
There's one other factor you need to take into consideration if your script is doing heavy processing after the file has been uploaded. Make sure the server doesn't run out of memory. Since PHP 5.3, the default for memory_limit has been a generous 128 megabytes. But it might be set at a much lower value by the server administrator. Assuming that file_uploads is turned on, the most important directives are these three: max_file_uploads, upload_max_filesize, and post_max_size.
You can change their values if your server lets you use htaccess or user.ini configuration files. An htaccess file works only on Apache servers. If you put it in the site root, it affects the whole site. Alternatively, you can put it in an individual directory to change the settings for just that directory and any sub-directories. It's a plain text file with the name .htaccess and no filename extension. The syntax is php_value followed by the directive name, and then the value, each separated by a space.
The value for upload_max_filesize and post_max_size must be expressed in bytes. There are 1024 bytes in a kilobyte, and 1024 kilobytes in a megabyte. The examples shown here double the default values to four megabytes and 16 megabytes, respectively. If your server runs PHP as FastCGI, you can change the configuration with a user.ini file. Again, it's a plain text file with the name .user.ini.
Syntax is the same as in the main PHP configuration file, php.ini. The directive name is followed by an equals sign and the value. Although you can specify the value for upload_max_filesize and post_max_size in bytes, it's easier to use the shorthand: uppercase M for megabytes, and there should be no space between the number and the M. One final note for Mac users: the filenames for both htaccess and user.ini begin with a dot, which means they'll be hidden in the Mac Finder.
However, you should be able to see them in a script editor, such as TextWrangler or BBEdit, that allows you to open hidden files.
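As an added example (not code from the course), the following script reads the upload directives discussed above and works out the effective limits the way the transcript does, including the "three, not four" case for 2 MB files; the per-part multipart overhead of 256 bytes is an assumption, not a PHP constant.

```php
<?php
// Added example, not part of the course: read the upload directives the
// transcript lists and work out the effective limits before deploying a form.

/** Convert php.ini shorthand ("2M", "128K", "1G") to bytes; -1 means unlimited. */
function ini_bytes(string $value): int
{
    $value = trim($value);
    if ($value === '-1') {
        return PHP_INT_MAX;
    }
    $num = (int) $value;                       // (int) "2M" === 2
    switch (strtoupper(substr($value, -1))) {
        case 'G': return $num * 1024 ** 3;
        case 'M': return $num * 1024 ** 2;
        case 'K': return $num * 1024;
        default:  return $num;
    }
}

/** The three directives that matter most once file_uploads is on, in bytes. */
function upload_limits(): array
{
    return [
        'file_uploads'        => (bool) ini_get('file_uploads'),
        'max_file_uploads'    => (int) ini_get('max_file_uploads'),
        'upload_max_filesize' => ini_bytes((string) ini_get('upload_max_filesize')),
        'post_max_size'       => ini_bytes((string) ini_get('post_max_size')),
    ];
}

/**
 * Files of $fileSize bytes that fit in one request. post_max_size covers the
 * whole body, so an assumed per-part overhead ($overheadPerFile) is subtracted:
 * with the 2M / 8M / 20 defaults this returns 3, not 4, for 2 MB files.
 */
function max_files_per_request(array $limits, int $fileSize, int $overheadPerFile = 256): int
{
    if (!$limits['file_uploads'] || $fileSize > $limits['upload_max_filesize']) {
        return 0;                              // rejected before it is ever counted
    }
    $byPostSize = intdiv($limits['post_max_size'], $fileSize + $overheadPerFile);
    return min($byPostSize, $limits['max_file_uploads']);
}

$limits = upload_limits();
foreach ($limits as $name => $value) {
    printf("%-20s %s\n", $name, is_bool($value) ? ($value ? 'On' : 'Off') : $value);
}
printf("2 MB files per request: %d\n", max_files_per_request($limits, 2 * 1024 ** 2));
```

Run it from the same directory as your .htaccess or .user.ini so the report reflects the overrides that actually apply there, rather than the values in php.ini alone.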