File uploads are an important feature for many Web applications; improperly handled, they are also extremely dangerous—imagine how much damage allowing an arbitrary file to be uploaded to a sensitive location on your server’s hard drive could be!
A file can be uploaded through a “multi-part” HTTP POST transaction. From the perspective of building your file upload form, this simply means that you need to declare it in a slightly different way:
<form enctype="multipart/form-data" action="index.php" method="post">
  <input type="hidden" name="MAX_FILE_SIZE" value="50000" />
  <input name="filedata" type="file" />
  <input type="submit" value="Send file" />
</form>
As you can see, the MAX_FILE_SIZE value is used to define the maximum file size allowed (in this case, 50,000 bytes). Note, however, that this restriction is almost entirely meaningless, because it sits on the client side: any moderately crafty attacker can set this parameter to an arbitrary value, so you can’t count on it to prevent an attempt to overwhelm your system by sending files so large that they deplete its resources.
You can limit the amount of data uploaded by a POST operation by modifying a number of configuration directives, such as post_max_size, max_input_time and upload_max_filesize.
Once a file is uploaded to the server, PHP stores it in a temporary location and makes it available to the script that was called by the POST transaction (index.php in the example above). It is up to the script to move the file to a safe location if it so chooses—the temporary copy is automatically destroyed when the script ends. Inside your script, uploaded files will appear in the $_FILES superglobal array. Each element of this array will have a key corresponding to the name of the HTML element that uploaded a file (filedata in our case). The element will, itself, be an array with the following elements:
name: The original name of the file
type: The MIME type of the file provided by the browser
size: The size (in bytes) of the file
tmp_name: The name of the file’s temporary location
error: The error code associated with this file. A value of UPLOAD_ERR_OK indicates a successful transfer, while any other error indicates that something went wrong (for example, the file was bigger than the maximum allowed size).
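As an added example that is not part of the original article, here is an index.php that processes the "filedata" field from the form above defensively: it checks the error code and size on the server, verifies that tmp_name really came from this upload, sniffs the content type instead of trusting the browser-supplied type, and stores the file under a generated name. The upload directory, size limit and allowed types are assumptions.

```php
<?php
// Added example (not the original article's code). Assumptions: /var/www/uploads
// exists, is writable by PHP, and is NOT served by the web server.
declare(strict_types=1);

const UPLOAD_DIR = '/var/www/uploads';   // assumption: outside the document root
const MAX_BYTES  = 50000;                // enforced here, not only via MAX_FILE_SIZE
const ALLOWED    = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'application/pdf' => 'pdf'];

function handleUpload(array $file): string
{
    // Check the error code first: anything but UPLOAD_ERR_OK means no usable file.
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed, error code ' . ($file['error'] ?? 'unknown'));
    }
    // Server-side size check; the client-side MAX_FILE_SIZE field cannot be relied on.
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File exceeds ' . MAX_BYTES . ' bytes');
    }
    // Only accept a path that PHP itself created for this request.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('tmp_name is not an uploaded file');
    }
    // Ignore $file['type'] (browser-supplied) and $file['name'] (client-chosen):
    // sniff the actual content and derive the extension from the detected type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException("Content type $mime is not allowed");
    }
    // Generate the stored name ourselves so the original name never reaches the filesystem.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not move file to ' . UPLOAD_DIR);
    }
    return $dest;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['filedata'])) {
    try {
        $stored = handleUpload($_FILES['filedata']);
        echo 'Stored as ' . htmlspecialchars(basename($stored), ENT_QUOTES, 'UTF-8');
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'Upload rejected: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```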
GET or POST?
PHP makes it very easy to handle data sent using either POST or GET. However, this doesn’t mean that you should choose one or the other at random.
From a design perspective, a POST transaction indicates that you intend to modify data (i.e.: you are sending information over to the server). A GET transaction, on the other hand, indicates that you intend to retrieve data instead. These guidelines are routinely ignored by most Web developers—much to the detriment of proper programming techniques. Even from a practical perspective, however, you will have to use POST in some circumstances; for example:
• You need your data to be transparently encoded using an arbitrary character set
• You need to send a multi-part form—for example, one that contains a file
• You are sending large amounts of data