Handling file uploads in PHP

If you are just starting out with PHP and want to know how to handle forms, read the Handling forms in PHP tutorial before starting with this article. Handling file uploads in PHP is a breeze. PHP does most of the work for you and provides the superglobal $_FILES array, which holds all the information about the uploaded files.

Creating the form

Below is a simple form with one text field and one file field. Notice that the enctype attribute of the form tag is set to "multipart/form-data". This is important: without it, the file upload will not work. We have specified a PHP script, handler.php, as the form handler. Of course, you can specify any PHP script here.

<form action="handler.php" method="post" enctype="multipart/form-data">
<input name="fname" type="text" id="fname" />
<input name="image" type="file" id="image" />
<input type="submit" name="Submit" value="Submit" />
</form>

handler.php script

Once you have filled in the values and submitted the form, the file is uploaded to your server. PHP saves the uploaded file to a temporary directory, by default the server's temporary directory. This location can be changed by setting the upload_tmp_dir directive in php.ini.

This temporary file exists for the duration of the request only. That is, as soon as the handler.php script finishes executing, the temporary file is deleted. So if you want to manipulate the file in any way, you have to do it within the handler.php script itself.

Note: There is nothing special about the handler.php name. You can name your script anything you want.

$_FILES Array

$_FILES is a superglobal array and provides all the information you need about the uploaded files. The entries that matter to us right now are:

  • $_FILES['image']['name'] – The original name of the file on the client machine.
  • $_FILES['image']['size'] – The size, in bytes, of the uploaded file.
  • $_FILES['image']['tmp_name'] – The temporary file name on the server.
  • $_FILES['image']['error'] – The error code associated with this file upload.

Checking whether the file upload was successful

$_FILES['image']['error'] holds the error code associated with the file upload. If the upload was successful and there were no errors, $_FILES['image']['error'] is equal to the constant UPLOAD_ERR_OK.

if($_FILES['image']['error'] == UPLOAD_ERR_OK) {
	echo 'Upload successful';
}
else {
	echo 'File upload error';
}

It's also a good idea to add the is_uploaded_file check. This function checks whether the file you are about to move was actually uploaded via an HTTP POST request, rather than being some other file on the server. The move_uploaded_file function performs this check as well.

The complete script

<?php
//Check for valid upload
if($_FILES['image']['error'] != UPLOAD_ERR_OK) {
	echo 'Upload file error';
	exit;
}

//Check that the file really was uploaded via this POST request
if(!is_uploaded_file($_FILES['image']['tmp_name'])) {
	echo 'Invalid request';
	exit;
}

//Sanitize the filename (See note below)
$remove_these = array(' ','`','"','\'','\\','/');
$newname = str_replace($remove_these, '', $_FILES['image']['name']);

//Make the filename unique
$newname = time().'-'.$newname;

//Save the uploaded file to another location; move_uploaded_file returns false on failure
$upload_path = "/home/mysite/public_html/uploads/$newname";
if(!move_uploaded_file($_FILES['image']['tmp_name'], $upload_path)) {
	echo 'Could not save file';
	exit;
}
echo 'Upload successful';

Sanitize the file name

Users often upload files which have quotes (', ") in their names. It's important that you strip these characters out of the filename before saving the file. For example, a user uploads a file named o'brian.txt. If the magic_quotes_gpc setting is turned on for your server, all quotes are automatically escaped with a backslash.

This additional backslash (\) results in the file name o\'brian.txt. You might face problems accessing such a file through your FTP client; that is, you might not be able to download or delete it using FTP.
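A hardened handler, added here as an example and not part of the original article: it keeps the page's three checks (error code, is_uploaded_file, move_uploaded_file) and adds a server-side size limit, a type decision based on the file's bytes rather than its name, and a random server-generated filename, which makes the quote-stripping above unnecessary because the client's name is never used. The field name image is the page's own; the destination directory /home/mysite/uploads (outside the web root) and the 2 MB limit are assumptions.

```php
<?php
// Added example, not the article's handler.php. Assumed: form field "image",
// destination directory outside public_html so uploads are never served or
// executed directly by URL.

// Stores one uploaded file and returns its new basename, or throws on any problem.
function store_upload(array $file, string $dest_dir, int $max_bytes = 2097152): string
{
    // 1. PHP's own verdict on the upload (same check as the article).
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed, error code ' . ($file['error'] ?? 'none'));
    }
    // 2. The temp file must really come from this request's POST body.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Invalid request');
    }
    // 3. Enforce a size limit in the script; upload_max_filesize is only a global ceiling.
    if ($file['size'] > $max_bytes) {
        throw new RuntimeException('File too large');
    }
    // 4. Decide the type from the file's bytes, not from the client-supplied
    //    name or the client-supplied $file['type'], and map it to an allowed extension.
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset($allowed[$mime])) {
        throw new RuntimeException('Unsupported file type');
    }
    // 5. Never reuse the client's filename: a random name needs no sanitizing,
    //    cannot collide with another upload, and cannot carry quotes or path parts.
    $newname = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $target  = rtrim($dest_dir, '/') . '/' . $newname;
    // 6. move_uploaded_file() repeats the is_uploaded_file check; verify it succeeded.
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Could not save file');
    }
    chmod($target, 0640); // readable by the web server account, never executable
    return $newname;
}

try {
    // Assumed location: keep uploads outside public_html.
    $saved = store_upload($_FILES['image'] ?? [], '/home/mysite/uploads');
    echo 'Upload successful';
} catch (RuntimeException $e) {
    http_response_code(400);
    echo 'File upload error';
}
```

Log $e->getMessage() server-side rather than echoing it, so the client only learns that the upload was rejected.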
