Jan 29, 2026
## Chapter 16: File Upload - Receiving Packages Safely
**File uploads are like receiving packages at your door - you need to check what's inside before bringing it in!**
**Upload bugs are common because people trust users too much - always be suspicious!**
### The Security Checklist - Like a TSA Agent
**Before accepting any file, check these things:**
1. **Check the delivery method** - Was it actually uploaded?
2. **Check the paperwork** - Any upload errors?
3. **Check the size** - Not too big, not too small
4. **Check the contents** - Is it really what they claim?
5. **Check the label** - Allowed file types only
6. **Hide the real name** - Use random names to prevent tricks
Minimal example (`public/upload.php`):
```php
<?php
// Show the form on GET; everything below only runs for a POST submission.
if ($_SERVER["REQUEST_METHOD"] !== "POST") {
?>
<!doctype html>
<html><body>
<form method="post" enctype="multipart/form-data">
<input type="file" name="file">
<button>Upload</button>
</form>
</body></html>
<?php
    exit;
}
// Check the paperwork: the field must exist and PHP must report no upload error.
if (!isset($_FILES["file"]) || $_FILES["file"]["error"] !== UPLOAD_ERR_OK) {
    echo "Upload failed.";
    exit;
}
$original = $_FILES["file"]["name"];    // user-supplied; never used as a path
$tmpPath = $_FILES["file"]["tmp_name"]; // where PHP stored the upload for this request
// Check the label: allow-list of extensions, compared case-insensitively.
$ext = strtolower(pathinfo($original, PATHINFO_EXTENSION));
$allowed = ["png", "jpg", "jpeg", "pdf"];
if (!in_array($ext, $allowed, true)) {
    echo "File type not allowed.";
    exit;
}
// Hide the real name: a random name cannot collide, traverse directories or smuggle a second extension.
$safeName = bin2hex(random_bytes(16)) . "." . $ext;
$targetDir = __DIR__ . "/uploads";
if (!is_dir($targetDir)) {
    mkdir($targetDir, 0755, true); // 0755, not world-writable 0777
}
$target = $targetDir . "/" . $safeName;
// move_uploaded_file() only moves files PHP itself received; check that it succeeded.
if (!move_uploaded_file($tmpPath, $target)) {
    echo "Could not store the file.";
    exit;
}
echo "Uploaded as: " . htmlspecialchars($safeName, ENT_QUOTES, "UTF-8");
?>
```
### Breaking Down the Upload Process
**Step 1: Show the upload form**
```php
<?php
if ($_SERVER["REQUEST_METHOD"] !== "POST") {
// Show form only when someone visits the page (not submitting)
?>
<form method="post" enctype="multipart/form-data">
<input type="file" name="file">
<button>Upload</button>
</form>
<?php
exit;
}
?>
```
**Step 2: Check if upload actually happened**
```php
<?php
if (!isset($_FILES["file"]) || $_FILES["file"]["error"] !== UPLOAD_ERR_OK) {
echo "Upload failed.";
exit;
}
?>
```
**Step 3: Get file details safely**
```php
<?php
$original = $_FILES["file"]["name"]; // Original filename (user provided)
$tmpPath = $_FILES["file"]["tmp_name"]; // Temporary location on server
$size = $_FILES["file"]["size"]; // File size in bytes
?>
```
**Step 4: Check file extension (first line of defense)**
```php
<?php
$ext = strtolower(pathinfo($original, PATHINFO_EXTENSION));
$allowed = ["png", "jpg", "jpeg", "pdf"];
if (!in_array($ext, $allowed, true)) {
echo "File type not allowed.";
exit;
}
?>
```
**Step 5: Create a safe filename (prevent tricks)**
```php
<?php
$safeName = bin2hex(random_bytes(16)) . "." . $ext;
// 16 random bytes become 32 hex characters, e.g. "a3f2b8c9d1e4f5a6b7c8d9e0f1a2b3c4.jpg"
?>
```
**Step 6: Move file to final location**
```php
<?php
$targetDir = __DIR__ . "/uploads";
if (!is_dir($targetDir)) {
    mkdir($targetDir, 0755, true); // 0755 (owner writes, others read), never 0777
}
$target = $targetDir . "/" . $safeName;
// Check the result: the move fails on a full disk, wrong permissions, or a path PHP did not create.
if (!move_uploaded_file($tmpPath, $target)) {
    echo "Could not store the file.";
    exit;
}
?>
```
### Common Upload Mistakes (The Dangerous Ones!)
| Mistake | What Happens | How Bad? | How to Fix |
|---------|---------------|------------|------------|
| Trusting original filename | Users upload `hack.php` instead of `photo.jpg` | CRITICAL | Always rename files |
| No file type checking | Users upload `.exe` files | CRITICAL | Check extensions AND MIME types |
| No size limits | 10GB uploads crash server | MEDIUM | Set `upload_max_filesize` in php.ini |
| Wrong permissions | Files can't be accessed | MINOR | Use proper folder permissions (755) |
| No error checking | Silent failures confuse users | MINOR | Always check `$_FILES["file"]["error"]` |
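Added example (not from the original tutorial) showing the table's "No error checking" and "No size limits" rows in code. PHP reports a specific reason in `$_FILES["file"]["error"]`, and a request body larger than `post_max_size` leaves `$_FILES` empty altogether, so a handler that only tests for `UPLOAD_ERR_OK` cannot tell the user what went wrong. The `uploadProblem()` function is my name, and the code assumes PHP 8 (for `match`) and a form field named `file` as in the tutorial.

```php
<?php
// Added example, not from the original tutorial: decode every upload error code
// instead of collapsing everything but UPLOAD_ERR_OK into "Upload failed."
// Assumes PHP 8+ and a form field named "file".

declare(strict_types=1);

/**
 * Return null when the upload is usable, otherwise a message safe to show the user.
 */
function uploadProblem(array $files, array $server): ?string
{
    // Case 1: the whole POST body exceeded post_max_size. PHP then discards the
    // body, so $_FILES and $_POST are empty even though the client sent data.
    if ($files === [] && ($server["REQUEST_METHOD"] ?? "") === "POST"
        && (int)($server["CONTENT_LENGTH"] ?? 0) > 0) {
        return "Request too large (limit: " . ini_get("post_max_size") . ").";
    }

    if (!isset($files["file"]) || !is_array($files["file"])) {
        return "No file field in the request.";
    }

    $error = $files["file"]["error"] ?? UPLOAD_ERR_NO_FILE;

    // Case 2: per-file error codes set by PHP for this field.
    return match ($error) {
        UPLOAD_ERR_OK         => null,
        UPLOAD_ERR_INI_SIZE   => "File exceeds the server limit (" . ini_get("upload_max_filesize") . ").",
        UPLOAD_ERR_FORM_SIZE  => "File exceeds the size allowed by the form.",
        UPLOAD_ERR_PARTIAL    => "File was only partially uploaded; please retry.",
        UPLOAD_ERR_NO_FILE    => "No file was selected.",
        UPLOAD_ERR_NO_TMP_DIR,
        UPLOAD_ERR_CANT_WRITE => "Server cannot store uploads right now.", // worth logging server-side
        UPLOAD_ERR_EXTENSION  => "Upload blocked by a server extension.",
        default               => "Upload failed.",
    };
}

$problem = uploadProblem($_FILES, $_SERVER);
if ($problem !== null) {
    http_response_code(400);
    echo htmlspecialchars($problem, ENT_QUOTES, "UTF-8");
    exit;
}

// Defense in depth: only accept a temp path that PHP itself created for this request.
$tmpPath = $_FILES["file"]["tmp_name"];
if (!is_uploaded_file($tmpPath)) {
    http_response_code(400);
    echo "Upload failed.";
    exit;
}
```

The `UPLOAD_ERR_NO_TMP_DIR` and `UPLOAD_ERR_CANT_WRITE` cases are server misconfiguration rather than user error, which is why the message stays generic while the real cause belongs in the server log.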
### Practice Exercises
**Exercise 1: Add File Size Checking**
```php
<?php
$maxSize = 2 * 1024 * 1024; // 2MB
if ($_FILES["file"]["size"] > $maxSize) {
echo "File too large. Maximum 2MB allowed.";
exit;
}
?>
```
**Exercise 2: Add MIME Type Checking**
```php
<?php
// Read the MIME type from the file's bytes, not from the client-supplied "type" field.
$finfo = finfo_open(FILEINFO_MIME_TYPE);
$mimeType = finfo_file($finfo, $_FILES["file"]["tmp_name"]);
finfo_close($finfo);
$allowedMimes = ["image/jpeg", "image/png", "application/pdf"];
// finfo_file() returns false on failure, so compare strictly.
if ($mimeType === false || !in_array($mimeType, $allowedMimes, true)) {
    echo "File type not allowed.";
    exit;
}
?>
```
**Exercise 3: Create a File Upload Log**
```php
<?php
$logFile = __DIR__ . "/uploads.log";
// "\n" (not "n") ends the line; the original name is user-supplied, so strip control
// characters first or a crafted filename could forge extra log lines.
$cleanOriginal = preg_replace('/[\x00-\x1F\x7F]/', '', $original);
$logEntry = date("Y-m-d H:i:s") . " - Uploaded: $safeName (original: $cleanOriginal)\n";
file_put_contents($logFile, $logEntry, FILE_APPEND | LOCK_EX);
?>
```
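The three exercises combined into one handler, as an added example that is not part of the original tutorial. Extension and MIME type are both checked and must agree, the size is taken from the file itself rather than the client-reported field, and the stored file goes into a directory outside the web root. The `validateUpload()` and `logUpload()` names, the `ALLOWED` map and the directory layout (`uploads/` one level above the document root) are my assumptions; the web server must also be configured not to serve or execute that directory.

```php
<?php
// Added example, not from the original tutorial: Exercises 1-3 combined.
// Assumes PHP 8+, a form field named "file", and a deployment where
// dirname(__DIR__) is outside the document root (adjust to your layout).

declare(strict_types=1);

const MAX_BYTES = 2 * 1024 * 1024; // 2MB, as in Exercise 1

// Extension => the only MIME type accepted for it. Checking both, and that they
// agree, rejects a "photo.jpg" whose bytes are really a script or an HTML page.
const ALLOWED = [
    "jpg"  => "image/jpeg",
    "jpeg" => "image/jpeg",
    "png"  => "image/png",
    "pdf"  => "application/pdf",
];

/**
 * Validate one $_FILES entry. Returns the extension to store under, or throws.
 */
function validateUpload(array $file): string
{
    if (($file["error"] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException("Upload failed.");
    }
    if (!is_uploaded_file($file["tmp_name"])) {
        throw new RuntimeException("Upload failed.");
    }
    // Size: measure the real file, not the client-reported "size" field.
    $bytes = filesize($file["tmp_name"]);
    if ($bytes === false || $bytes === 0 || $bytes > MAX_BYTES) {
        throw new RuntimeException("File must be between 1 byte and 2MB.");
    }
    // Extension from the user-supplied name, used only to select an allow-list entry.
    $ext = strtolower(pathinfo($file["name"], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException("File type not allowed.");
    }
    // MIME type from the file's own bytes (Exercise 2) must match the extension.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime = $finfo->file($file["tmp_name"]);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException("File contents do not match its extension.");
    }
    return $ext;
}

/**
 * Append one line to the upload log (Exercise 3). Control characters are stripped
 * from the user-supplied name so a crafted filename cannot forge log lines.
 */
function logUpload(string $logFile, string $safeName, string $original): void
{
    $clean = preg_replace('/[\x00-\x1F\x7F]/', '', $original);
    $entry = date("Y-m-d H:i:s") . " - Uploaded: $safeName (original: $clean)\n";
    file_put_contents($logFile, $entry, FILE_APPEND | LOCK_EX);
}

$storageDir = dirname(__DIR__) . "/uploads";   // outside the web root (assumed layout)
$logFile    = dirname(__DIR__) . "/uploads.log";

try {
    $ext = validateUpload($_FILES["file"] ?? []);
} catch (RuntimeException $e) {
    http_response_code(400);
    echo htmlspecialchars($e->getMessage(), ENT_QUOTES, "UTF-8");
    exit;
}

// Create the directory owner-writable only; re-check is_dir() to tolerate a concurrent mkdir.
if (!is_dir($storageDir) && !mkdir($storageDir, 0750, true) && !is_dir($storageDir)) {
    http_response_code(500);
    echo "Storage unavailable.";
    exit;
}

$safeName = bin2hex(random_bytes(16)) . "." . $ext;
$target   = $storageDir . "/" . $safeName;

// Check the return value: the move fails on a full disk or bad permissions.
if (!move_uploaded_file($_FILES["file"]["tmp_name"], $target)) {
    http_response_code(500);
    echo "Could not store the file.";
    exit;
}
chmod($target, 0640); // a stored upload never needs the execute bit

logUpload($logFile, $safeName, $_FILES["file"]["name"]);
echo "Uploaded as: " . htmlspecialchars($safeName, ENT_QUOTES, "UTF-8");
```

Because the files live outside the document root, serving one back to a browser has to go through a PHP script that sets `Content-Type` from the `ALLOWED` map and `Content-Disposition: attachment`, which keeps the server from ever interpreting an upload as a page.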
---
## Conclusion
In this chapter we walked through receiving file uploads safely in PHP: showing the form only on GET, checking `$_FILES["file"]["error"]`, limiting size, allow-listing extensions and MIME types, renaming every file to a random name, and checking that the move into storage succeeded. These fundamentals are the baseline for any upload feature you ship.