13.6 Uploading Files in Forms

The <input type="file"> form element lets a user upload the entire contents of a file to your server. When a form that includes a file element is submitted, the PHP interpreter provides access to the uploaded file through the $_FILES auto-global array. For each file element, $_FILES holds the client-supplied name and type, the size in bytes that PHP actually received, the tmp_name of the temporary copy PHP wrote, and an error code. Example 13-8 shows a form-processing program whose validate_form() and process_form() functions use $_FILES.

Example 13-8. A file upload form

<?php
// The hidden _stage field is present only when the form was submitted
if (isset($_POST['_stage'])) {
    // If validate_form() returns errors, pass them to show_form()
    if ($form_errors = validate_form()) {
        show_form($form_errors);
    } else {
        // The submitted data is valid, so process it
        process_form();
    }
} else {
    // The form wasn't submitted, so display it
    show_form();
}

function show_form($errors = '') {
    if ($errors) {
        print 'You need to correct the following errors: <ul><li>';
        print implode('</li><li>', $errors);
        print '</li></ul>';
    }
    // PHP_SELF echoes part of the request URL, so escape it before
    // putting it into markup; otherwise it's a cross-site scripting vector
    $action = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8');
    // enctype="multipart/form-data" is required for file elements to be sent
    print<<<_HTML_
<form enctype="multipart/form-data" method="POST" action="$action">
File to Upload: <input name="my_file" type="file"/>
<input type="hidden" name="MAX_FILE_SIZE" value="131072"/>
<input type="hidden" name="_stage" value="1"/>
<input type="submit" value="Upload"/>
</form>
_HTML_;
}

function validate_form() {
    $errors = array();
    // Treat a missing file element the same as an empty upload
    $err = isset($_FILES['my_file']['error']) ? $_FILES['my_file']['error'] : UPLOAD_ERR_NO_FILE;
    if (($err == UPLOAD_ERR_INI_SIZE) || ($err == UPLOAD_ERR_FORM_SIZE)) {
        $errors[] = 'Uploaded file is too big.';
    } elseif ($err == UPLOAD_ERR_PARTIAL) {
        $errors[] = 'File upload was interrupted.';
    } elseif ($err == UPLOAD_ERR_NO_FILE) {
        $errors[] = 'No file uploaded.';
    } elseif ($err != UPLOAD_ERR_OK) {
        // Covers the remaining codes (no temp dir, can't write, blocked by an extension)
        $errors[] = 'File upload failed.';
    }
    return $errors;
}

function process_form() {
    // name and type are sent by the browser and are untrusted: escape them before printing
    $name = htmlspecialchars($_FILES['my_file']['name'], ENT_QUOTES, 'UTF-8');
    $type = htmlspecialchars($_FILES['my_file']['type'], ENT_QUOTES, 'UTF-8');
    print "You uploaded a file called $name ";
    print "of type $type that is ";
    print "{$_FILES['my_file']['size']} bytes long.";
    // Strip directory separators and parent-directory sequences from the
    // client-supplied name so it can't escape the upload directory
    $safe_filename = str_replace('/', '', $_FILES['my_file']['name']);
    $safe_filename = str_replace('..', '', $safe_filename);
    $destination_file = '/usr/local/uploads/' . $safe_filename;
    // move_uploaded_file() only moves a file that PHP received in this request
    if (move_uploaded_file($_FILES['my_file']['tmp_name'], $destination_file)) {
        print "Successfully saved file as $destination_file.";
    } else {
        print "Couldn't save file in /usr/local/uploads.";
    }
}

The process_form() function in Example 13-8 uses the techniques from Example 10-23 to sanitize the uploaded filename and the built-in function move_uploaded_file() to relocate the uploaded file to a permanent place. move_uploaded_file() first checks that its source is a file PHP received in the current request, so a forged tmp_name can't be used to move an arbitrary file off the server. These steps reduce the risk of directory traversal and of files landing outside the upload directory, but they don't make the upload safe on their own: the name and type entries in $_FILES come straight from the client, the MAX_FILE_SIZE hidden field is only a hint to the browser and is trivially omitted, and a file saved under a user-chosen name in a web-accessible directory may be executed by the server if it has a scriptable extension. The file_uploads and upload_max_filesize configuration directives, described in Table A-1, also affect the PHP interpreter's file upload-related behavior; upload_max_filesize (and post_max_size) are the limits that are actually enforced. Read more about file upload in Sections 7.4.8 and 12.3 of Programming PHP (O'Reilly), in Recipe 9.6 of PHP Cookbook (O'Reilly), and in the PHP Manual (http://www.php.net/manual/features.file-upload.php).
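The following is an added example, not code from the book, showing how the checks above are combined into a hardened version of process_form(). It assumes PHP 7 or later (for random_bytes() and constant arrays), that the fileinfo extension is loaded, that uploads are written to /var/www/uploads (a directory outside the web root, or one the web server never executes scripts from), and that only PNG, JPEG and PDF files are wanted; all of those names and limits are illustrative choices.

```php
<?php
// Added example: hardened upload handling. Not the book's code.
// Assumed settings: storage directory, byte limit and allowed types are illustrative.
const UPLOAD_DIR = '/var/www/uploads';
const MAX_BYTES  = 131072;  // must also be <= upload_max_filesize and post_max_size in php.ini
const ALLOWED    = array(   // server-detected MIME type => extension we will write
    'image/png'       => 'png',
    'image/jpeg'      => 'jpg',
    'application/pdf' => 'pdf',
);

// Stores the upload from form field $field and returns its path on disk.
// Throws RuntimeException with a message that is safe to show the user.
function store_upload($field) {
    if (!isset($_FILES[$field]) || !is_array($_FILES[$field])) {
        throw new RuntimeException('No file uploaded.');
    }
    $f = $_FILES[$field];
    // Reject every error code, not just the ones with a friendly message
    if ($f['error'] !== UPLOAD_ERR_OK) {
        $messages = array(
            UPLOAD_ERR_INI_SIZE  => 'Uploaded file is too big.',
            UPLOAD_ERR_FORM_SIZE => 'Uploaded file is too big.',
            UPLOAD_ERR_PARTIAL   => 'File upload was interrupted.',
            UPLOAD_ERR_NO_FILE   => 'No file uploaded.',
        );
        throw new RuntimeException(isset($messages[$f['error']]) ? $messages[$f['error']] : 'File upload failed.');
    }
    // is_uploaded_file() refuses anything that isn't PHP's own temporary copy,
    // so a forged tmp_name can't point the handler at /etc/passwd or similar
    if (!is_uploaded_file($f['tmp_name'])) {
        throw new RuntimeException('Invalid upload.');
    }
    // MAX_FILE_SIZE in the form is advisory; enforce the limit server-side
    if ($f['size'] > MAX_BYTES || filesize($f['tmp_name']) > MAX_BYTES) {
        throw new RuntimeException('Uploaded file is too big.');
    }
    // Ignore the client-supplied $f['type'] and sniff the bytes instead
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($f['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException('File type not allowed.');
    }
    // Never derive the on-disk path from the client's name: generate a random
    // name and pick the extension from the detected type, so "shell.php" can't
    // be stored as something the web server would execute
    $stored = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest   = UPLOAD_DIR . '/' . $stored;
    if (!move_uploaded_file($f['tmp_name'], $dest)) {
        throw new RuntimeException('Could not save file.');
    }
    chmod($dest, 0640);  // readable by the server, not executable, not world-readable
    return $dest;
}

// The original name is attacker-controlled: keep it only as display metadata, escaped
function display_name($field) {
    $name = isset($_FILES[$field]['name']) ? basename($_FILES[$field]['name']) : '';
    return htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
}

try {
    $path = store_upload('my_file');
    print 'Saved ' . display_name('my_file') . ' as '
        . htmlspecialchars(basename($path), ENT_QUOTES, 'UTF-8') . '.';
} catch (RuntimeException $e) {
    print 'Error: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
}
```

The two decisions that matter most are the last two checks: deciding the file type from its content rather than from the type field the browser sent, and choosing the stored filename yourself rather than sanitizing the one the client chose. With those in place, the str_replace() cleanup in Example 13-8 becomes unnecessary, because no part of the client-supplied name ever reaches the filesystem.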