Uploading Files via an HTML Form


In order to upload files via an HTML form, the form tag's method must be set to "post" and the enctype must be set to "multipart/form-data" as shown below.

For file uploads to work, the file_uploads flag in php.ini must be turned on.

Syntax

<form method="post" enctype="multipart/form-data">

The following example demonstrates how to safely allow the user to upload a file to the server.

Code Sample:

Files/Demos/FileUpload.php
<!DOCTYPE HTML>
<html>
<head>
<meta charset="UTF-8">
<title>Resume Upload</title>
</head>
<body style="text-align:center">
<?php
	if (!array_key_exists('Submitted',$_POST)) {
?>
<h2>Resume Upload Form</h2>
<form method="post" enctype="multipart/form-data">
<input type="hidden" name="Submitted" value="true">
<table border="1">
<tr>
	<td>First Name</td>
	<td><input type="text" name="FirstName" size="20"></td>
</tr>
<tr>
	<td>Last Name</td>
	<td><input type="text" name="LastName" size="20"></td>
</tr>
<tr>
	<td>Resume</td>
	<td><input type="file" name="Resume"></td>
</tr>
<tr>
	<td colspan="2" align="center"><input type="submit" value="Upload"></td>
</tr>
</table>
</form>
<?php
} else {
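	//process the form
	$resumeFile = $_FILES['Resume']['tmp_name'];
	$fileSize = $_FILES['Resume']['size'];
	//'type' is the MIME type sent by the browser; PHP does not verify it.
	$fileType = $_FILES['Resume']['type'];
	$fileError = $_FILES['Resume']['error'];

	//Keep only letters, digits, hyphens and underscores in the name parts so
	//that user input cannot add path separators or "../" to the saved path.
	$resumeName=preg_replace('/[^A-Za-z0-9_-]/', '', $_POST['FirstName']) . '_' .
			preg_replace('/[^A-Za-z0-9_-]/', '', $_POST['LastName']) . '_Resume.txt';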
	if ($fileError)
	{
		echo "We could not upload the file:<br>$fileError";
		endPage();
	}
	elseif ($fileType != 'text/plain')
	{
		//The type string is user-controlled, so escape it before output.
		echo 'You have attempted to upload a file of type: ' .
				htmlspecialchars($fileType) . '.
				<br>Only text files allowed.';
		endPage();
	}

	$fileSavePath = 'Resumes/' . $resumeName;	
	if (is_uploaded_file($resumeFile))
	{
		if (!move_uploaded_file($resumeFile,$fileSavePath))
		{
			echo 'Could not save file.';
			endPage();
		}
	}
	else
	{
		//This case happens if somehow the file
		//we are working with was already on the server.
		//It's to stop hackers.
		echo 'Hey, what is going on here?
					Are you being bad?';
		endPage();
	}
	$resume=makeFileSafe($fileSavePath);
?>
	<h2>Thanks!</h2>
	<b>We got your resume.</b><hr>
	<form>
	<textarea cols="60" rows="20"><?php echo htmlspecialchars($resume); ?></textarea>
	</form>
<?php
}

function endPage()
{
	echo '</body></html>';
	exit;
}

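function makeFileSafe($filePath)
{
	$fP = @fopen($filePath,'r+');
	if (!$fP)
	{
		return "Could not read file";
	}
	//stream_get_contents() reads the whole file and also handles an empty one
	$contents = stream_get_contents($fP);
	$contents = strip_tags($contents);
	//Empty the file before writing, so no bytes of the original
	//remain after the shorter, stripped contents.
	ftruncate($fP, 0);
	rewind($fP);
	fwrite($fP,$contents);
	fclose($fP);
	return $contents;
}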
?>
</body>
</html>

The first thing to notice about this page is that it submits to itself. The first time it is loaded, it will show the form. When the form is submitted, it will attempt to upload and save the user's resume.

  1. The form also has an input field of type file that is used to browse for the file to upload.
  2. When the form is submitted, the script assigns values to short-named variables.
  3. The next block of code is the if-elseif statement, which checks for errors. If it finds any, it displays an appropriate message and calls the endPage() user function, which just closes the HTML page.
  4. The next piece of code attempts to upload the file:
    if (is_uploaded_file($resumeFile))
    {
    	if (!move_uploaded_file($resumeFile,$fileSavePath))
    	{
    		echo 'Could not save file.';
    		endPage();
    	}
    }
    else
    {
    	//This case happens if somehow the file
    	//we are working with was already on the server.
    	//It's to stop hackers.
    	echo 'Hey, what is going on here?
    				Are you being bad?';
    	endPage();
    }
  5. The last bit of PHP code on the page calls the makeFileSafe() user function, which opens the resume file, strips out all the tags from its contents, writes the result back and closes it.
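
An added example, not part of the original page's code: the error and type checks from step 3, done on the server by inspecting the uploaded temp file instead of relying on the browser-supplied type, plus a saved name built from sanitized form input. The function names, the 256 KB limit and the sample bytes are assumptions; it needs PHP 7.4 or later with the fileinfo extension.

```php
<?php
// Added example: server-side checks for one $_FILES entry.
// safeResumeName(), checkResumeUpload() and MAX_RESUME_BYTES are hypothetical names.
const MAX_RESUME_BYTES = 262144; // assumed limit (256 KB)

function safeResumeName(string $first, string $last): string
{
	// Keep only letters, digits, '_' and '-', so "../" and slashes cannot survive.
	$clean = fn(string $s): string => preg_replace('/[^A-Za-z0-9_-]/', '', $s);
	$first = $clean($first);
	$last = $clean($last);
	if ($first === '' || $last === '') {
		throw new InvalidArgumentException('Name is empty after sanitizing.');
	}
	return $first . '_' . $last . '_Resume.txt';
}

function checkResumeUpload(array $file): void
{
	if ($file['error'] !== UPLOAD_ERR_OK) {
		throw new RuntimeException('Upload failed with error code ' . $file['error']);
	}
	// Measure the temp file itself instead of trusting $file['size'].
	$size = filesize($file['tmp_name']);
	if ($size === false || $size === 0 || $size > MAX_RESUME_BYTES) {
		throw new RuntimeException('File is empty or too large.');
	}
	// $file['type'] comes from the browser; detect the type from the content.
	$detected = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
	if ($detected !== 'text/plain') {
		throw new RuntimeException("Detected type $detected; only text files allowed.");
	}
}

// Constructed input: the start of a PNG file sent with a claimed type of text/plain.
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, "\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR" . str_repeat("\0", 17));
$fake = ['tmp_name' => $tmp, 'size' => 33, 'type' => 'text/plain', 'error' => UPLOAD_ERR_OK];
try {
	checkResumeUpload($fake);
	echo "accepted\n";
} catch (RuntimeException $e) {
	echo 'rejected: ' . $e->getMessage() . "\n";
}
unlink($tmp);
echo safeResumeName('../../Ann', 'Lee') . "\n";
```

In the upload page these checks would run on $_FILES['Resume'] before is_uploaded_file() and move_uploaded_file() are called.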