CS479/579 - Web Programming II

Lesson 11

Uploading files:

To upload a file or files, the enctype for a form must be 'multipart/form_data':

  <form ... enctype="multipart/form-data">
   <input type="file" name="x" multiple>

The input presents as a file label with a button that when clicked opens a file selector dialog that allows selecting a filename. The (optional) multiple attribute on the input type=file input allows the user to select more than one file for uploading.

The $_FILES PHP Super-global

A file does not appear the $_POST or $_GET maps, but instead in the $_FILES super-global:


where 'x' == name of the file input element. If 'x' allows multiple files to be uploaded, then $_FILES['x']['__'] is an array. 'x' can also be in array notation:

    <input type=file name='x[]'>
    <input type=file name='x[]'>


  • The original name of the file on the client machine.


  • The mime type of the file, if the browser provided this information. An example would be "image/gif". This mime type is however not checked on the PHP side and therefore don't take its value for granted.


  • The size, in bytes, of the uploaded file.


  • The temporary filename of the file in which the uploaded file was stored on the server.


  • The error code associated with this file upload.

Simple upload.php


$uploaddir = '/var/www/uploads/';
$uploadfile = $uploaddir . basename($_FILES['userfile']['name']);

echo '<pre>';
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
  echo "File is valid, and was successfully uploaded.\n";
} else {
  echo "Possible file upload attack!\n";

echo 'Here is some more debugging info:';

print "</pre>";


Consider using a hash for the file-name on the server. This prevents file-name attacks and allows for easier de-duplication. $uploadfile = $uploaddir . sha1_file($_FILES['x']['tmp_name'])



header('Content-Type: text/plain; charset=utf-8');

try {

    // Undefined | Multiple Files | $_FILES Corruption Attack
    // If this request falls under any of them, treat it invalid.
    if (
        !isset($_FILES['upfile']['error']) ||
    ) {
        throw new RuntimeException('Invalid parameters.');

    // Check $_FILES['upfile']['error'] value.
    switch ($_FILES['upfile']['error']) {
        case UPLOAD_ERR_OK:
        case UPLOAD_ERR_NO_FILE:
            throw new RuntimeException('No file sent.');
        case UPLOAD_ERR_INI_SIZE:
        case UPLOAD_ERR_FORM_SIZE:
            throw new RuntimeException('Exceeded filesize limit.');
            throw new RuntimeException('Unknown errors.');

    // You should also check filesize here.
    if ($_FILES['upfile']['size'] > 1000000) {
        throw new RuntimeException('Exceeded filesize limit.');

    // DO NOT TRUST $_FILES['upfile']['mime'] VALUE !!
    // Check MIME Type by yourself.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if (false === $ext = array_search(
            'jpg' => 'image/jpeg',
            'png' => 'image/png',
            'gif' => 'image/gif',
    )) {
        throw new RuntimeException('Invalid file format.');

    // You should name it uniquely.
    // DO NOT USE $_FILES['upfile']['name'] WITHOUT ANY VALIDATION !!
    // On this example, obtain safe unique name from its binary data.
    if (!move_uploaded_file(
    )) {
        throw new RuntimeException('Failed to move uploaded file.');

    echo 'File is uploaded successfully.';

} catch (RuntimeException $e) {

    echo $e->getMessage();