Writing an upload process script

According to your own experience and the requirements mentioned just now, you may have guessed the process of file uploading.

• Visitors view HTML pages that contain forms specifically used to support file uploads.
• The visitor provides the file he wants to upload and submits the form.
• The browser encodes the file and sends it as part of a POST request issued to the server.
• PHP receives form submissions, decodes the file and saves it in a temporary location on the server.
• Responsible for handling the PHP script validation file for the form submission and processing it somehow, usually moving it from a temporary location to a more permanent location.

Adding file upload support requires you to create an HTML form to be presented to the user and a PHP script to handle files uploaded on the server.

HTML

HTML form provides the interface for user to initiate file upload. Remember that the method attribute of the <input> element must be set to post and the enctype attribute must be set to multipart/form-data. A file <input> element provides a field that specifies the file to be uploaded. Like any other form element, it is important to provide the name attribute so that you can reference it in a PHP script that processes the form. Here is an example of marking for a basic file upload form:

<code>file_uploads = On</code>

It is worth noting that different browsers will render file fields in different ways. IE, Firefox, and Opera display it as text fields with buttons marked Browse or Select next to them. Safari renders it as a button marked only as Select File. This is usually not a problem because the user is used to how the field is rendered in the browser of its choice and knows how to use it. However, sometimes you encounter clients or designers who insist on presenting it in some way. Due to security reasons imposed by the browser, the number of CSS and JavaScript that can be applied to file fields is very limited. Styled file fields can be difficult. If the appearance is important to you, I suggest you check out Peter-Paul Koch's Styled input type="file".

PHP

Information about file uploads is provided through multi-dimensional arrays $_FILES. This array is indexed by the name assigned to the file fields in the HTML form, just like $_GET and $_POST indexed by name. Then, the array of each file contains the following index:

• $_FILES["myFile"]["name"] Stores the original file name from the client.
• $_FILES["myFile"]["type"] The MIME type that stores the file.
• $_FILES["myFile"]["size"] Size of the file in bytes.
• $_FILES["myFile"]["tmp_name"] The name of the temporary file is stored.
• $_FILES["myFile"]["error"] Store any error codes generated during transfer.

move_uploaded_file() function moves the uploaded file from a temporary location to a permanent location. You should always use functions like move_uploaded_file() instead of copy() and rename() for this purpose, as it performs additional checks to make sure the file is indeed uploaded via HTTP POST request. If you plan to save files with the original file name provided by the user, it is best to make sure that this is safe. The file name should not contain any characters that may affect the destination path, such as slashes. Nor should the name cause the file to overwrite existing files with the same name (unless your application design does that). I ensure a safe file name by replacing any non-letter, number or a very limited set of punctuation characters with an underscore, and then appending incremented numbers when the file with the same name already exists. Here is an example of receiving and processing PHP file uploads:

<code>file_uploads = On</code>

This code first ensures that there are no errors in uploading the file. It then determines the secure file name (as I just mentioned) and uses move_uploaded_file() to move the file to its final directory. Finally, call chmod() to ensure reasonable access is set on the new file.

Safety Precautions

Most of us won't let a total stranger store random files on our PC, but when you allow files to be uploaded in our app, you're actually doing it. You may be planning to have the user upload his own photos as a profile page, but what if he tries to upload a specially made, virus-containing executable file? I want to share some steps you can take to minimize the inherent security risks of allowing file uploads. One of the steps is to verify that the uploaded file is correct. Depend on the value of $_FILES["myFile"]["type"] or extension of the file name is not safe, because both are prone to forgery. Instead, use a function like exif_imagetype() to check the contents of the file and determine if it is indeed GIF, JPEG, or several other supported image formats. If exif_imagetype() is not available (the function requires the Exif extension to be enabled), then getimagesize() can be used. getimagesize() The returned array will contain the image type (if recognized).

<code>upload_tmp_dir = "/tmp"

tboronczyk@zarkov:~$ ls -l / | grep tmp
drwxrwxrwt  13 root root 40960 2011-08-31 00:50 tmp</code>

For non-image files, you can use exec() to call the unix file utility. file determines the type of the file by looking for known binary signatures in the expected location.

<code>file_uploads = On</code>

Another step you can take is to impose a strict limit on the total size of the POST request and the number of files that can be uploaded. To do this, specify appropriate values ??for the upload_max_size, post_max_size, and max_file_uploads directives in php.ini. The upload_max_size directive specifies the maximum size for file uploads. In addition to uploaded size, you can also use the post_max_size directive to limit the size of the entire POST request. max_file_uploads is a newer directive (added in version 5.2.12) that limits the number of file uploads. These three instructions help protect your website from attacks that attempt to undermine its availability by causing a lot of network traffic or system load.

<code>upload_tmp_dir = "/tmp"

tboronczyk@zarkov:~$ ls -l / | grep tmp
drwxrwxrwt  13 root root 40960 2011-08-31 00:50 tmp</code>

The third step you can take is to use the virus scanner to scan the uploaded files. This is crucial in today’s era of widespread viruses and malware, especially when your website allows other individuals to download uploaded files later, such as attachments in web-based email clients or (legal) file sharing sites. There is a PHP extension that can access ClamAV, but, of course, you can call ClamAV's command-line utility like I demonstrated for file.

Summary

You have learned how easy it is to use your website or web-based application to support file uploads. For uploading to be successful, the HTML form must be submitted via a multipart/form-data-encoded POST request, and PHP must allow transfers specified using the file_uploads directive. After the file is transferred, the script responsible for handling the upload moves the file from the temporary directory to the desired location using the information found in the $_FILES array. I also share some additional precautions that you can take to protect yourself and your users from some of the risks associated with allowing file uploads. You see how to ensure file names are secure, verify file types, impose strict restrictions on upload traffic, and scan for viruses.

(Such content, such as the FAQ section, can be added as needed)