
13.6 Uploading Files in Forms

The <input type="file"> form element lets a user upload the entire contents of a file to your server. When a form that includes a file element is submitted, the PHP interpreter provides access to the uploaded file through the $_FILES auto-global array. Example 13-8 shows a form-processing program whose validate_form() and process_form() functions use $_FILES.

Example 13-8. A file upload form
<?php
// The hidden _stage field is present only when the form was submitted
if (isset($_POST['_stage'])) {
    // If validate_form() returns errors, pass them to show_form()
    if ($form_errors = validate_form()) {
        show_form($form_errors);
    } else {
        // The submitted data is valid, so process it
        process_form();
    }
} else {
    // The form wasn't submitted, so display it
    show_form();
}

function show_form($errors = array()) {

    if ($errors) {
        print 'You need to correct the following errors: <ul><li>';
        print implode('</li><li>', $errors);
        print '</li></ul>';
    }

    // enctype="multipart/form-data" is required for a form that uploads files
    print <<<_HTML_
<form enctype="multipart/form-data" method="POST"
      action="$_SERVER[PHP_SELF]">

File to Upload: <input name="my_file" type="file"/>

<input type="hidden" name="MAX_FILE_SIZE" value="131072"/>
<input type="hidden" name="_stage" value="1"/>
<input type="submit" value="Upload"/>
</form>
_HTML_;
}

function validate_form() {
    $errors = array();

    // $_FILES['my_file']['error'] holds one of the UPLOAD_ERR_* constants
    if (($_FILES['my_file']['error'] == UPLOAD_ERR_INI_SIZE) ||
        ($_FILES['my_file']['error'] == UPLOAD_ERR_FORM_SIZE)) {
        $errors[] = 'Uploaded file is too big.';
    } elseif ($_FILES['my_file']['error'] == UPLOAD_ERR_PARTIAL) {
        $errors[] = 'File upload was interrupted.';
    } elseif ($_FILES['my_file']['error'] == UPLOAD_ERR_NO_FILE) {
        $errors[] = 'No file uploaded.';
    }

    return $errors;
}

function process_form() {
    print "You uploaded a file called {$_FILES['my_file']['name']} ";
    print "of type {$_FILES['my_file']['type']} that is ";
    print "{$_FILES['my_file']['size']} bytes long.";

    // Strip path separators and ".." so the browser-supplied name
    // can't point outside the upload directory
    $safe_filename = str_replace('/', '', $_FILES['my_file']['name']);
    $safe_filename = str_replace('..', '', $safe_filename);

    $destination_file = '/usr/local/uploads/' . $safe_filename;
    // move_uploaded_file() refuses to move anything that PHP did not
    // itself receive as an upload in this request
    if (move_uploaded_file($_FILES['my_file']['tmp_name'], $destination_file)) {
        print "Successfully saved file as $destination_file.";
    } else {
        print "Couldn't save file in /usr/local/uploads.";
    }
}

The process_form() function in Example 13-8 uses the techniques from Example 10-23 to sanitize the uploaded filename and the built-in function move_uploaded_file() to relocate the uploaded file to a permanent place. These steps prevent security problems that can result from sloppy handling of uploaded files. The file_uploads and upload_max_filesize configuration directives, described in Table A-1, also affect the PHP interpreter's file upload-related behavior.
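
As an added example (not the book's code), here is a stricter version of the validate-and-save step for the same my_file field. It treats everything in $_FILES except tmp_name and error as browser-supplied, sniffs the type from the file's bytes, and stores the file under a server-generated name; UPLOAD_DIR, MAX_BYTES and the ALLOWED list are assumptions for the example.

```php
<?php
// Added example, not from Example 13-8. Assumes a hypothetical upload
// directory outside the web root so stored files are never served directly.
const UPLOAD_DIR = '/var/uploads';   // assumption: not under the document root
const MAX_BYTES  = 131072;           // same limit as the form's MAX_FILE_SIZE
// Allowlist keyed by sniffed MIME type; the value is the extension the
// server assigns. The client's name and type fields are never used.
const ALLOWED = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'application/pdf' => 'pdf'];

function check_upload(array $file): array {
    $errors = [];
    // Only UPLOAD_ERR_OK means a complete file arrived; every other code,
    // including ones the book's example does not list, is a failure here.
    $code = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($code !== UPLOAD_ERR_OK) {
        return ["Upload failed (error code $code)."];
    }
    // MAX_FILE_SIZE in the form is only a hint the browser may ignore or the
    // user may edit, so the size limit is enforced again on the server.
    if ($file['size'] > MAX_BYTES) {
        $errors[] = 'Uploaded file is too big.';
    }
    // Refuse any path that PHP did not itself create for this request's upload.
    if (!is_uploaded_file($file['tmp_name'])) {
        $errors[] = 'Not an uploaded file.';
    }
    return $errors;
}

function store_upload(array $file): ?string {
    // Decide the type from the bytes, not from $_FILES[...]['type'].
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        return null;
    }
    // Server-generated name: no path separators, no client-chosen extension,
    // so sanitizing the original name is not needed at all.
    $destination = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    if (!move_uploaded_file($file['tmp_name'], $destination)) {
        return null;
    }
    chmod($destination, 0644);       // readable, never executable
    return $destination;
}

if (isset($_FILES['my_file'])) {
    $errors = check_upload($_FILES['my_file']);
    if ($errors) { print implode("\n", $errors); }
    elseif ($path = store_upload($_FILES['my_file'])) { print "Saved as $path"; }
    else { print 'File type not allowed or file could not be saved.'; }
}
```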

Read more about file upload in Sections 7.4.8 and 12.3 of Programming PHP (O'Reilly), PHP Cookbook (O'Reilly) in Recipe 9.6, and in the PHP Manual (http://www.php.net/manual/features.file-upload.php).
