Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 8 years ago.
Improve this question
I'm trying to make an upload script with html forms and PHP, I've seen a lot of people using move_uploaded_file and I can't figure out what it does, I looked around and all other websites are too complex for me. Can someone "dumb" it down a bit for me?
An example of what i saw:
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile))
Also can someone explain $_FILES to me aswell?
move_uploaded_file — Moves an uploaded file to a new location
This function checks to ensure that the file designated by filename is
a valid upload file (meaning that it was uploaded via PHP's HTTP POST
upload mechanism). If the file is valid, it will be moved to the
filename given by destination.
This sort of check is especially important if there is any chance that
anything done with uploaded files could reveal their contents to the
user, or even to other users on the same system.
Which part of that Manual you need help with?
$_FILES from the PHP Manual:
An associative array of items uploaded to the current script via the HTTP POST method.
move_uploaded_file() from the PHP Manual:
bool move_uploaded_file ( string $filename , string $destination )
This function checks to ensure that the file designated by filename is a valid upload file (meaning that it was uploaded via PHP's HTTP POST upload mechanism). If the file is valid, it will be moved to the filename given by destination.
You can use it like this:
if(move_uploaded_file($_FILES['picture']['tmp_name'], './uploads/'.$_FILES['picture']['name']))
echo 'File successfully uploaded';
else
echo 'File could not be uploaded';
$_FILES['picture']['tmp_name']:
The temporary filename of the file in which the uploaded file was stored on the server.
$_FILES['picture']['name']:
The original name of the file on the client machine.
For more information check out POST Method Uploads
$_FILES is a superglobal, much like $_GET or $_POST, that stores the information about the uploaded file.
If the name of your upload input form element is 'myfile' then, after uploading you will have an assiciative array $_FILES['myfile'] storing all the data about the uploaded file. To learn about it, just var_dump() it:
var_dump($_FILES['myfile']);
All the uploaded files are usually first uploaded to the /tmp directory (or whatever directory is set for this purpose in the php.ini file). After doing some sanity checks about the file (like testing for the right mime type), you will want to move the file to it's final destination. That's what the move_uploaded_file() function is intendedn for.
In this case $_FILES['userfile']['tmp_name'] is the temporary file path of the uploaded file and $uploadfile should store the final path of the file.
Related
why should I use this code to get the name of the file?
$filename = pathinfo($_FILES['file']['name'], PATHINFO_FILENAME)
If I could also get the name through this code:
$filename = $_File['file']['name']
Thank you very much! I'm a beginner in PHP, so sorry if the question is too dumb :D
Because $_File['file']['name'] comes from the user end, and although ordinarily it is just the file name, an ill-intentioned user can actually set it to whatever he wants (example: full path name to overwrite files in the server) and you have to filter it just like every other user input to prevent an attack vector in your system.
Same is true for everything in $_FILE, don't trust the informed MIME type, don't save files without checking if the extension is safe (saving a .php file will be a disaster) etc.
For example, I've seen a system that would trust files of type equal to image/jpeg and other image types, and then saves it without checking the actual file extension. A forged request can inject a .php shell script to this website's upload folder and be used to take control.
I have a HTML Form which deals with uploading files.
I use the PHP variables $_FILES (name, type, error, size, tmp_name) to store the values in my database and also validate the uploaded file.
I do most validations fine by checking mime types and what not. However when it comes to checking the size of the document, after research I have heard that the user can easily modify the content of $_FILES["size"] and make a fake value inside there.
This is a problem for my website as i am planning on restricting certain users to 20MB upload and higher ranked members to uploading a max of 100mb, and so on...So of course it is problematic if a regular user tricks the code to saying the size is lower then 20mb, whereas the file could actually be over 20MB.
So the question is, how do i tackle this sittuation and check the file size properly?
Note, i cannot use getimagesize() since the files being uploaded are not images.
It's normal
everyone can change request headers
the user also could change $_FILES[*]['type'], so you have to be carefull about it
you have to use filesize() php function http://php.net/manual/en/function.filesize.php
<?php
echo filesize($_FILES['myFile']['tmp_name']);
?>
hope help you
try using the filesize function php,
for instance
<?php
$filename = $_FILES['File']['tmp_name'];
echo $filename . ': ' . filesize($filename) . ' bytes';
?>
Read the documentation in php manual filesize
I found a good function on github for uploading images using php, but I do not know one of its arguments.
upload_image($_FILES,'file',250,'city',500,'../../uploaded/',1048576);
Function on Github
What is 'file' in this function?
Is this a trusted function to use in my website?
Considering the lines:
$file[$fileIndex]['tmp_name']
$file[$fileIndex]['error']
$file[$fileIndex]['name']
$file[$fileIndex]['type']
$file[$fileIndex]['size']
$file is a three-dimensional array, composed of arrays of name, tmp_name, type, size, error.
It is the kind of array you see when uploading files in PHP.
It calls move-uploaded-file, which moves an uploaded file to a new location.
This function checks to ensure that the file designated by filename is a valid upload file (meaning that it was uploaded via PHP's HTTP POST upload mechanism).
If the file is valid, it will be moved to the filename given by destination.
Is there any way for a php script to choose the name for a file after it's been uploaded by the user using an HTML form? I am wanting to allow users to upload an avatar for their account and would like it named with their userid instead of whatever the name of it is on their computer. I'm using a basic HTML upload form which only allows jpegs and png files with a 10MB file limit, similar to the file upload code give on http://www.w3schools.com/php/php_file_upload.asp Any help you can give will be greatly appreciated.
Put the desired filename in the second argument of move_uploaded_file().
You can specify the filename when using move_uploaded_file(), otherwise you can rename() the file.
$userid = 5; // say you fetch it from database
$ext = explode("\/",$_FILES["file"]["type"]); //extract the file extension
move_uploaded_file($_FILES["file"]["tmp_name"], "upload/".$userid.$ext[1]);
UPDATE:
I think you don't need to extract file extension.
move_uploaded_file($_FILES["file"]["tmp_name"], "upload/".$userid);
I'm trying to upload a file to Amazon S3 using Zend. Everything is working except I can't get access to the file in the POST[] array.
Is there anyway I can easily take the file from the form. All the documentation examples only show you how to do this when uploading a file to your local file system.
It is quite straight forward once you get the hang of it.
$form->image->setDestination('path/to/images');
if($form->isValid($_POST)){
if($form->image->isUploaded()){
if($form->image->receive()){
// For example, get the filename of the upload
$filename = $form->image->getFilename();
}
} else {
// Not uploaded
}
} else {
// Not valid
}
Note that in my example image is the name of the upload element.
A small correction on the above it should be getFileName with a capital N.
$filename = $form->image->getFileName();
If you are uploading a file to your PHP script from a form, and then intend to upload that file to S3, you're looking in the wrong superglobal.
File uploads live in $_FILES, not $_POST. Check out the PHP documentation on handling file uploads for information on how to use it best.