PHP File Upload Script – Globals Off

by Hiroshi on November 7, 2008

in File Upload, Scripts, Security

It is easy to upload file when the Register_Globals are set to ON in the php.ini file (php configuration file) which is not recommended in any case for security reasons. When Globals are OFF then in this case I have tried this script and it works fine. Following is the script. Create two files. one html containing form and the other php file containing php script. This script will need a directory named as ‘img’ in root where this php script file is located according to the requirement of code. You can customize this code.

HTML Form Code

<form action="upload.php" method="post" enctype="multipart/form-data">
<table border="0" cellspacing="0" cellpadding="0">
<td>File Name </td>
<input name="uploadedfile" type="file" id="uploadedfile" />    </td>
<input type="submit" name="Submit" value="Submit" />

PHP Upload Code

// Check that file is transferring to PHP code or not
// print_r($_FILES);
// upload
	if ($_FILES['uploadedfile']['name'] != "")
        // img is our upload directory
	$sUploadDir = 'img/';
	$sUploadedFile = $sUploadDir . basename($_FILES['uploadedfile']['name']);
	if (move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $sUploadedFile))
	$sThumbnail = $_FILES['uploadedfile']['name'];
echo "  File Uploaded Successfully";

Download PHP File Upload Easy Way Script

*** Important ***

Never give a simple page to upload to your users if it is a website based on users. Always check that whether user is uploading image file, audio, video or script file. Check extension of file to be uploaded. Suppose you need jpg files to be uploaded. Set a check for script to upload just files with jpg extension and none other. If there is a bad user. He can upload a script file (php file) and damage your server. So security first. Checks are essential.

Security Checks For File To Be Uploaded

Check Extension

if (!($userfile_type =="image/pjpeg" OR $userfile_type=="image/gif"))
$msg=$msg."Your uploaded file must be of JPG or GIF. Other file types are unsupported<BR>";
// at file_upload false you can exit from script

Extract Base Name and Extension

      $file_basename = substr($filename, 0, strripos($filename, '.')); // strip extention
      $file_ext          = substr($filename, strripos($filename, '.'));
      // this will give us file extension to compare with our supported formats

Check Extension

$extension = '.jpg'
if(strpos($filename,$extension) === false)
printf("This is not a JPEG");

More Checks

$file = 'somefile.jpg';
// assuming you've already taken some other
// preventive measures such as checking file
// extensions...
$result_array = getimagesize($file);
if ($result_array !== false) {
    $mime_type = $result_array['mime'];
    switch($mime_type) {
        case "image/jpeg":
            echo "file is jpeg type";
        case "image/gif":
            echo "file is gif type";
            echo "file is an image, but not of gif or jpeg type";
} else {
    echo "file is not a valid image file";

Related Posts

Previous post:

Next post: