
Enhance File Upload Security with PHP

We often need to let users upload files: images, PDFs, documents and so on. A basic HTML form plus a few lines of PHP is enough to receive them, and the mechanics of saving a user-submitted file on the server are simple. Security is the hard part: what happens if a malicious user uploads a harmful file to our server?

Here we discuss some of the security measures that close those holes.

The Form

Before anything else, let's assume we have a form that lets users upload a file.

Remember to use method="post" for any upload form. The enctype="multipart/form-data" attribute is also required: it tells the browser to encode the submission as multipart so that the file contents are actually transmitted. Without it, PHP receives only the file name as an ordinary form field and $_FILES stays empty.

$_FILES Array

As soon as the request is received, the file's details are available in PHP's $_FILES superglobal array, keyed by the name of the form field. Each entry holds name and type (both supplied by the client and therefore untrusted), tmp_name (the temporary path PHP saved the file under), error (an UPLOAD_ERR_* code) and size (in bytes).

If you add the following lines at the top of your page,

and then upload a file named flower.jpg and click the 'Upload File' button, the details are shown like this:

The Errors

Before we continue, let's look at the errors that can occur. In the previous example the error is 0 (UPLOAD_ERR_OK), which means the file was received successfully.

Let's look at the various error codes and what they mean.

MAX_FILE_SIZE

In some cases you might want to limit the size of the uploaded file. A hidden MAX_FILE_SIZE field (a value in bytes) placed before the file input is read by PHP when it processes the upload. Browsers ignore it, so the data is still transferred in full, and because it is an ordinary form field the client can change or remove it. Treat it as a convenience, not a control: the server-side limits upload_max_filesize and post_max_size in php.ini, plus your own check of $_FILES[...]['size'], are what actually enforce a maximum. To use this feature, add the following code before the file input field.

If the file is larger than the value set, PHP does not keep it and sets error to 2 (UPLOAD_ERR_FORM_SIZE).
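The form, the $_FILES array, the error codes and the MAX_FILE_SIZE field described above, in one self-posting page, as an added example that is not code from the original article. The field name userfile, the 2 MB limit and the plain-text report format are assumptions made for the illustration; the page needs PHP 8 for the match expression.

```php
<?php
// Added example, not the article's own code: one self-posting page that renders
// the upload form and, after submission, reports what PHP placed in $_FILES.
// The field name 'userfile' and the 2 MB limit are assumptions for illustration.
// Requires PHP 8 (match expression).

declare(strict_types=1);

const FIELD     = 'userfile';
const MAX_BYTES = 2 * 1024 * 1024; // assumed limit: 2 MB

// Human-readable meaning of the UPLOAD_ERR_* codes found in $_FILES[...]['error'].
function uploadErrorMessage(int $code): string
{
    return match ($code) {
        UPLOAD_ERR_OK         => 'ok: file received',
        UPLOAD_ERR_INI_SIZE   => 'file exceeds upload_max_filesize in php.ini',
        UPLOAD_ERR_FORM_SIZE  => 'file exceeds the MAX_FILE_SIZE field sent by the form',
        UPLOAD_ERR_PARTIAL    => 'file was only partially uploaded',
        UPLOAD_ERR_NO_FILE    => 'no file was uploaded',
        UPLOAD_ERR_NO_TMP_DIR => 'server has no temporary directory for uploads',
        UPLOAD_ERR_CANT_WRITE => 'server could not write the file to disk',
        UPLOAD_ERR_EXTENSION  => 'a PHP extension stopped the upload',
        default               => 'unknown upload error code ' . $code,
    };
}

function renderForm(): string
{
    $max   = MAX_BYTES;
    $field = FIELD;
    // method="post" and enctype="multipart/form-data" are mandatory for uploads.
    // MAX_FILE_SIZE must precede the file input; PHP reads it, browsers ignore it.
    return <<<HTML
<form method="post" enctype="multipart/form-data">
  <input type="hidden" name="MAX_FILE_SIZE" value="{$max}">
  <input type="file" name="{$field}">
  <button type="submit">Upload File</button>
</form>
HTML;
}

function describeUpload(): string
{
    // When the whole request exceeds post_max_size, PHP discards the body:
    // $_FILES and $_POST are empty even though Content-Length says data was sent.
    if ($_FILES === [] && (int) ($_SERVER['CONTENT_LENGTH'] ?? 0) > 0) {
        return "request exceeded post_max_size; nothing was received\n";
    }
    if (!isset($_FILES[FIELD]) || !is_array($_FILES[FIELD])) {
        return 'no upload field named ' . FIELD . " in the request\n";
    }
    $f = $_FILES[FIELD];
    $lines = [
        'name:     ' . $f['name'] . '   (client-supplied, untrusted)',
        'type:     ' . $f['type'] . '   (client-supplied, untrusted)',
        'tmp_name: ' . $f['tmp_name'] . '   (temporary path on the server)',
        'error:    ' . $f['error'] . ' = ' . uploadErrorMessage((int) $f['error']),
        'size:     ' . $f['size'] . ' bytes',
    ];
    // MAX_FILE_SIZE is only a form field and can be edited by the client, so the
    // limit is enforced again here, on the server.
    if ($f['error'] === UPLOAD_ERR_OK && $f['size'] > MAX_BYTES) {
        $lines[] = 'rejected: larger than the ' . MAX_BYTES . ' byte limit';
    }
    return implode("\n", $lines) . "\n";
}

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    header('Content-Type: text/plain; charset=utf-8');
    echo describeUpload();
} else {
    header('Content-Type: text/html; charset=utf-8');
    echo renderForm();
}
```

Save it as upload.php, run `php -S localhost:8000 upload.php`, open the page in a browser and submit a file; the response lists the five $_FILES entries and the meaning of the error code. The post_max_size branch matters in practice: a request larger than that limit leaves $_FILES empty rather than setting an error code, so a handler that only inspects $_FILES would silently report "no file".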

Upload Directory

When choosing a directory to store uploaded files, a few points deserve attention.

The directory where the uploaded files will live must be writable by the user the web server, and therefore PHP, runs as (for example www-data). Give that user ownership of the directory and a mode such as 0750 or 0755; do not make it world-writable (777) just to make a permission error go away.

If the files are meant to be public, the directory can sit under the document root. If they are protected or contain sensitive data, put the directory outside the document root so that no public URL maps to it, and hand the files out through a PHP script that checks authorization first. In either case, configure the web server so that nothing in the upload directory is ever executed as PHP or CGI; otherwise an uploaded script is one request away from running on the server.

Move Uploaded File

The uploaded file must be moved to the directory set aside for it. PHP stores it under a temporary name (the tmp_name entry) and deletes it when the request ends, so anything not moved is lost.

To move it, use the move_uploaded_file() function, which also refuses to act on a path that is not a genuine upload from the current request:

Now the uploaded files are saved in the 'uploads' directory.

We have improved things to some extent, but there is a long way to go. We have not implemented any checks on file types or file names, and we have not added support for uploading multiple files. Also, if two uploads share a filename, the older one is overwritten.

To avoid these situations and add more validation, we will handle the upload a bit differently: we will Create a File Upload Class in PHP to handle uploads more robustly.
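The Upload Directory and Move Uploaded File steps above, combined into one hardened handler that also closes the gaps just listed (type check, server-chosen name, no overwrites), as an added example. It is not the article's own code and not the File Upload Class it goes on to build. The field name userfile, the 2 MB limit, the accepted types in ALLOWED and the choice of a directory one level above the document root are assumptions for the illustration.

```php
<?php
// Added example, not the article's own code and not the File Upload Class it
// goes on to build: one hardened handler that stores an upload outside the
// document root under a server-chosen name. Assumptions: the form field is
// 'userfile', the limit is 2 MB, and only the types in ALLOWED are wanted.

declare(strict_types=1);

const FIELD     = 'userfile';
const MAX_BYTES = 2 * 1024 * 1024;

// Content types accepted, detected from the file bytes, and the extension the
// stored copy gets. The browser-supplied name and type play no part in this.
const ALLOWED = [
    'image/jpeg'      => 'jpg',
    'image/png'       => 'png',
    'image/gif'       => 'gif',
    'application/pdf' => 'pdf',
];

// Directory one level above the document root, so no public URL maps to it.
// It must be writable by the user PHP runs as, but need not be world-writable.
function uploadDir(): string
{
    $dir = dirname($_SERVER['DOCUMENT_ROOT'] ?? __DIR__) . '/uploads';
    if (!is_dir($dir) && !mkdir($dir, 0750, true)) {
        throw new RuntimeException('cannot create ' . $dir);
    }
    if (!is_writable($dir)) {
        throw new RuntimeException($dir . ' is not writable by the PHP process');
    }
    return $dir;
}

// Validates one entry of $_FILES and moves it into place. Returns the stored path.
function storeUpload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed, error code ' . ($file['error'] ?? '?'));
    }
    // MAX_FILE_SIZE in the form is client-editable; enforce the limit here too.
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file larger than ' . MAX_BYTES . ' bytes');
    }
    // Only touch a file PHP itself received in this request, never an arbitrary path.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    // Sniff the real type from the bytes; $file['type'] is whatever the client sent.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime === false || !array_key_exists($mime, ALLOWED)) {
        throw new RuntimeException('type not allowed: ' . var_export($mime, true));
    }
    // Random server-chosen name: the client's filename (which may carry ../ or a
    // .php extension) is discarded, and two uploads can never overwrite each other.
    $dest = uploadDir() . '/' . bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not move file into place');
    }
    chmod($dest, 0640); // readable by the application, never executable
    return $dest;
}

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    header('Content-Type: text/plain; charset=utf-8');
    try {
        $path = storeUpload($_FILES[FIELD] ?? ['error' => UPLOAD_ERR_NO_FILE]);
        echo 'stored as ' . basename($path) . "\n"; // the client never learns the full path
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'rejected: ' . $e->getMessage() . "\n";
    }
}
```

Point the form from the previous section at this script (same userfile field) to try it. Two design choices carry most of the security value: the type decision is made from the bytes via finfo rather than from the extension or the Content-Type the browser reported, and the stored name is generated on the server, which removes path traversal, overwriting and dangerous-extension problems at once. Because the stored files live outside the document root, a separate script is still needed to serve them back to authorized users.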

