Jump to content

PHP Creating Secure File Upload


Recommended Posts


Hello, i have a problem in developing a secure file upload/download system using php, whereby in this code, there is no restriction in choosing any file type, but there is restriction on file size. and the file info will be stored in the database.

# i'm stucked in creating a upload form whereby there is an message box popped out saying "there is an error due to no file selected" when i click on the upload button without selecting any file
# need help in setting the file size below 3MB whereby if i upload file more than 3MB there will be a message box popped out saying "maximum file size!" instead of showing Undefined index: on top of the browser


Here are the code in uploadaction.php

include "db_connect.php";
$uploaddir 'folder/';
$uploadfile $uploaddir basename($_FILES['myfile']['name']);
move_uploaded_file($_FILES['myfile']['tmp_name'], $uploadfile);
$id 'id';
$filename $_FILES['myfile']['name'];
$title $_POST['title'];
// we got the name, so we just proceed to store them

$q mysql_query("INSERT INTO files values ('$id','$filename','$title','$name','$date','$time')");





here are the form in download.php

<form method='post' action='uploadaction.php' enctype='multipart/form-data'>

p>Title :  <input type='text' name='title'></p>

p>File   :  <input type='file' name='myfile'></p><br />
input type='hidden' name='name' maxlength='25' value='$username'>
input type='submit' value='Upload' name='submit'>


* the form is on download.php whereby it will refer to uploadaction.php to do the upload
i've tried to find code from other sources but it didnt help, would love if javascript coding can be added to improve this coding. Thank you so much~

Link to comment
Share on other sites

IMO there should always be a whitelist of file extensions so that users cannot download scripting files etc.

The $_FILES superglobal array gets populated with several bits of information about the file(s) that was uploaded via html form.

This includes (might forget some) ['size'], ['tmp_name'], ['name'], ['error'], ['type'].

Use this information to validate the file and check for any errors.

This might also help.

Link to comment
Share on other sites

i want to make this upload form to display a notification (there is no file chosen) when the submit button is clicked


and also to make the submit button allow file that is below 3MB to be uploaded and deny any file that is more than 3MB by displaying message (max file size)

Link to comment
Share on other sites

91weblessons: I would not recommend anyone following that tutorial: It is out of date, and quite lacking in security checks. Not to mention that the code blocks are nigh unreadable, thanks to the missing indentation and the fact that you don't check for errors but success. Which is causing nesting hell, and a disconnect between the error message and the actual check. (Exit early is a nice principle.)

We are already helping one person with cleaning up after your tutorials, I do not wish that number to increase. So, please clean them up, secure them, and make sure they are current.


xmuzukerx: What I suggest is that you take that list over conditions that you want to have met (or not), and set it up in a step-by-step list over what you want your code to do. Break it down to the smallest possible elements, preferably one a single verb-subject combination which accurately describes everything, in detail, that the code should do.

Once you have that list, you should pursue the docs as listen below, and try to figure out which functions and/or variables gives you what you need. Play around with the code a bit, use var_dump to echo out the contents of the variables, and see if you can't make the code match the logic you have on paper. ;)


What you have above is a good start, for a basic uploader. All you need to do now, is to add the error-checking and conditional logic to it.

Edited by Christian F.
Link to comment
Share on other sites

91weblessons: To be frank, don't give web lessons if you do not know what you are doing.


Your file upload backend code leaves a HUGE security hole that would allow me to pass any file I wanted to the server, not to mention what ChristianF already mentioned.

Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.