File Uploader - potatoscript/php GitHub Wiki

File Uploader in PHP

Overview

Uploading files is a common task in web applications. PHP provides an easy way to handle file uploads via the $_FILES superglobal. In this section, we’ll demonstrate how to create a file upload form, process the uploaded file, and handle errors. We will also cover security measures to ensure that only valid files are uploaded.

We will cover:

  • Creating the File Upload Form
  • Processing the Uploaded File
  • Handling Errors and Validating File Types
  • Security Measures for File Uploads

1. Creating the File Upload Form

The first step is to create an HTML form where users can select a file to upload. You must ensure that the form's enctype attribute is set to multipart/form-data, which is required for file uploads.

Example: Basic File Upload Form

<form action="upload.php" method="POST" enctype="multipart/form-data">
    <label for="file">Choose a file:</label>
    <input type="file" name="fileToUpload" id="file" required><br>

    <input type="submit" value="Upload File">
</form>

Explanation:

  • The enctype="multipart/form-data" attribute ensures that the file data is sent properly to the server.
  • The input type "file" creates a file picker for the user to select a file to upload.
  • The form submits to the upload.php script, which will handle the uploaded file.

2. Processing the Uploaded File

Once the user submits the form, PHP will process the uploaded file. The file data is stored in the $_FILES superglobal array. You can access the file's name, temporary location, and any errors that occurred during the upload.

Example: Processing the Uploaded File

<?php
// Check if the form is submitted and a file is uploaded
if ($_SERVER['REQUEST_METHOD'] == 'POST' && isset($_FILES['fileToUpload'])) {
    $target_dir = "uploads/";  // Directory where files will be uploaded
    $target_file = $target_dir . basename($_FILES["fileToUpload"]["name"]);  // Full path of the file
    $uploadOk = 1;  // Flag for file upload success
    $fileType = strtolower(pathinfo($target_file, PATHINFO_EXTENSION));  // Get the file extension

    // Check if the file already exists
    if (file_exists($target_file)) {
        echo "Sorry, file already exists.";
        $uploadOk = 0;
    }

    // Check file size (e.g., limit to 2MB)
    if ($_FILES["fileToUpload"]["size"] > 2000000) {
        echo "Sorry, your file is too large.";
        $uploadOk = 0;
    }

    // Allow certain file formats (jpg, jpeg, png, gif)
    if ($fileType != "jpg" && $fileType != "png" && $fileType != "jpeg" && $fileType != "gif") {
        echo "Sorry, only JPG, JPEG, PNG & GIF files are allowed.";
        $uploadOk = 0;
    }

    // Check if $uploadOk is set to 0 by an error
    if ($uploadOk == 0) {
        echo "Sorry, your file was not uploaded.";
    } else {
        // If all checks pass, try to upload the file
        if (move_uploaded_file($_FILES["fileToUpload"]["tmp_name"], $target_file)) {
            echo "The file " . htmlspecialchars(basename($_FILES["fileToUpload"]["name"])) . " has been uploaded.";
        } else {
            echo "Sorry, there was an error uploading your file.";
        }
    }
}
?>

Explanation:

  • The $_FILES array contains the uploaded file's information:
    • $_FILES['fileToUpload']['name']: The original name of the file.
    • $_FILES['fileToUpload']['tmp_name']: The temporary location of the file on the server.
    • $_FILES['fileToUpload']['size']: The size of the file.
    • $_FILES['fileToUpload']['error']: Error code if the upload failed.
  • The move_uploaded_file() function moves the uploaded file from the temporary location to the target directory.

3. Handling Errors and Validating File Types

In the previous example, we included checks to ensure that:

  • The file does not already exist.
  • The file size is within a specified limit (2MB in this case).
  • The file is of an acceptable type (e.g., JPG, PNG, GIF).

You can customize these validations as needed for your application.

Common Error Codes:

  • UPLOAD_ERR_OK: No error.
  • UPLOAD_ERR_INI_SIZE: The uploaded file exceeds the upload_max_filesize directive in php.ini.
  • UPLOAD_ERR_FORM_SIZE: The uploaded file exceeds the MAX_FILE_SIZE directive in the HTML form.
  • UPLOAD_ERR_PARTIAL: The file was only partially uploaded.
  • UPLOAD_ERR_NO_FILE: No file was uploaded.
  • UPLOAD_ERR_NO_TMP_DIR: Missing a temporary folder.
  • UPLOAD_ERR_CANT_WRITE: Failed to write the file to disk.
  • UPLOAD_ERR_EXTENSION: A PHP extension stopped the file upload.

Example: Checking for Errors

if ($_FILES["fileToUpload"]["error"] != UPLOAD_ERR_OK) {
    echo "Error uploading file: " . $_FILES["fileToUpload"]["error"];
    $uploadOk = 0;
}

4. Security Measures for File Uploads

File uploads can introduce security risks, such as allowing malicious users to upload harmful files (e.g., executable files, scripts). To prevent these risks, you should:

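  • Always validate file types and extensions. The file name and the type reported in $_FILES come from the client, so an extension check alone does not confirm what the file actually contains; inspect the content as well (for example with PHP's fileinfo extension).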
  • Use a unique file name for each uploaded file (to avoid overwriting existing files).
  • Store uploaded files in a directory that is not directly accessible from the web (e.g., outside the public HTML directory).
  • Ensure proper file permissions for uploaded files.

Example: Renaming Uploaded Files

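You can rename the uploaded file to avoid conflicts and make it unique. Note that uniqid() is derived from the current time, so the names it produces are unique but not unpredictable; if a stored name must not be guessable, build it from random_bytes() instead.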

$target_file = $target_dir . uniqid() . "." . $fileType;  // Create a unique file name
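
The four measures listed above combined into one handler, as an added example that is not the wiki's own code. The storage path /var/app-data/uploads, the constant names and store_upload() are hypothetical; it assumes PHP 7 or later with the fileinfo extension enabled.

```php
<?php
// Added example: hardened variant of upload.php (not the wiki's own code).
// Assumptions: UPLOAD_DIR is a hypothetical directory outside the web root,
// the fileinfo extension is enabled, and PHP is 7 or later (random_bytes).
const UPLOAD_DIR = '/var/app-data/uploads';   // hypothetical, not web-accessible
const MAX_BYTES  = 2000000;                   // same 2MB limit as the earlier example
const ALLOWED    = [                          // detected MIME type => stored extension
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

function store_upload(array $file): string
{
    // Reject multi-file arrays and any non-OK error code before touching the file
    if (!isset($file['error']) || is_array($file['error'])
        || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed.');
    }
    // Confirm the temporary file really came from this HTTP upload
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file.');
    }
    // Enforce the size limit on the server side
    if ($file['size'] <= 0 || $file['size'] > MAX_BYTES) {
        throw new RuntimeException('File is empty or too large.');
    }
    // Detect the type from the content, not from the client-supplied name
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime === false || !isset(ALLOWED[$mime])) {
        throw new RuntimeException('Only JPG, PNG and GIF images are allowed.');
    }
    // Random server-chosen name; the extension comes from the allow-list
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store the file.');
    }
    chmod($dest, 0640);   // owner read/write, group read, no execute bits
    return $dest;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && isset($_FILES['fileToUpload'])) {
    try {
        store_upload($_FILES['fileToUpload']);
        echo 'The file has been uploaded.';
    } catch (RuntimeException $e) {
        echo 'Sorry, your file was not uploaded: ' . htmlspecialchars($e->getMessage());
    }
}
```

Because the stored name never includes anything the client sent, the original file name should be kept separately (for example in a database row) if the application needs to show it later.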

Conclusion

In this section, we covered the process of handling file uploads in PHP. Here's a summary of what we learned:

  • Creating the File Upload Form: Using the enctype="multipart/form-data" attribute in HTML to enable file uploads.
  • Processing the Uploaded File: Using $_FILES to get information about the uploaded file and move it to the desired location.
  • Handling Errors and Validating File Types: Checking for errors, validating file size and type, and ensuring the file meets your application's requirements.
  • Security Measures: Renaming files, validating file types, and protecting your application from malicious uploads.

With this knowledge, you can create a secure and functional file upload system in your PHP applications.
