The basic process of providing a HTML form for uploading user submitted files to the server with PHP is fairly easy and simple. But there are some security implications that many of us are unaware of. We will be building a custom PHP class for secure file upload. This class will check the type and size of the file and rename the file in case of duplication.
Those who are absolutely beginner in handling file upload, are requested to take a look at Enhance File Upload Security with PHP. That article will help you to better understand file uploading from scratch.
We will start our
Upload class with a blank constructor
Now we will add some properties to our class to store some data.
$config property holds the configurations like target directory, size limit etc.
$current refers to the current key of
$errors contains the errors encountered during process.
$new_name stores the name of the uploaded file to be set.
Now we are going to define some public methods to set up some configuration settings.
But first, we need to implement a method for handling errors.
This method will store error messages in the
$errors. This method will work as both a getter and setter.
Of course you want to prevent the users from uploading specified types of files. Here is the method for allowing or disallowing file types.
The allowed extensions will be stored in
$config['allowed_extensions'] and the disallowed extensions in
$config['disallowed_extensions']. You can either specify allowed file types or disallowed file types.
Now its time to specify where our uploaded images will live. We should add a method to setup this setting.
Obviously we want to limit the size of the files to be uploaded. But our specified limit cannot be greater than that specified in PHP config.
This will check the size limit from PHP configuration. If the specified limit is larger, it will automatically set the size from PHP config. For this method to work properly, we need to implement a helper method.
We need provide a way to specify whether we want to overwrite files or not.
Methods for the Magic
The methods mentioned till now are going to be used to set the configuration settings. For the actual file uploading process, we need to add a few more internal methods to check the settings or generate a new name for the file or upload the file etc.
Adding power to the Constructor
While we are able set configuration settings by calling respective methods, it will be more comprehensive if we can provide an option to set the configuration in the constructor.
To use this class, lets have a form first.
Add following lines of code at the top of the document.