PHP File Upload Tutorial – Step by Step

Here’s a step-by-step guide on how to upload files in PHP:

Step 1: Create an HTML form for file upload Create an HTML form that has a “file” input field. This field will allow the user to choose the file they want to upload. Here’s an example:

<form action="upload.php" method="post" enctype="multipart/form-data">
    <input type="file" name="fileToUpload" id="fileToUpload">
    <input type="submit" value="Upload File" name="submit">

Note the “enctype” attribute set to “multipart/form-data“. This is required for uploading files.

Step 2: Create the PHP script to handle file upload Create a PHP script to handle the file upload. This script will receive the uploaded file and save it to a directory on the server. Here’s an example:

$target_dir = "uploads/"; // directory to save the uploaded file
$target_file = $target_dir . basename($_FILES["fileToUpload"]["name"]);
$uploadOk = 1; // flag to indicate if the file was uploaded successfully

// Check if file already exists
if (file_exists($target_file)) {
    echo "Sorry, file already exists.";
    $uploadOk = 0;

// Check file size
if ($_FILES["fileToUpload"]["size"] > 500000) {
    echo "Sorry, your file is too large.";
    $uploadOk = 0;

// Allow only certain file types
$allowedTypes = array('jpg', 'jpeg', 'gif', 'png', 'pdf');
$fileType = strtolower(pathinfo($target_file, PATHINFO_EXTENSION));
if (!in_array($fileType, $allowedTypes)) {
    echo "Sorry, only JPG, JPEG, GIF, PNG, and PDF files are allowed.";
    $uploadOk = 0;

// Check if $uploadOk is set to 0 by an error
if ($uploadOk == 0) {
    echo "Sorry, your file was not uploaded.";
// If everything is ok, try to upload file
} else {
    if (move_uploaded_file($_FILES["fileToUpload"]["tmp_name"], $target_file)) {
        echo "The file ". basename( $_FILES["fileToUpload"]["name"]). " has been uploaded.";
    } else {
        echo "Sorry, there was an error uploading your file.";

This script first checks if the file already exists, if it’s too large, or if it’s not an allowed file type. If any of these conditions are met, the script sets the $uploadOk flag to 0. If $uploadOk is still 1, the script uses the “move_uploaded_file” function to move the uploaded file to the “uploads” directory.

Step 3: Test the file upload Test the file upload by selecting a file in the HTML form and clicking the “Upload File” button. The PHP script will handle the file upload and display an appropriate message depending on whether the upload was successful or not.

That’s it! You should now have a working file upload system in PHP.

Security Checks

Absolutely! When creating a file upload system in PHP, it’s important to implement security measures to protect your website and your users. Here are some security checks you can implement for PHP file uploading:

Check the file type:

Attackers can change the file extension of malicious files to make them appear as harmless files, such as a PDF or an image file. To prevent this, you can check the MIME type of the uploaded file using the PHP function finfo_file(). This function detects the actual file type regardless of its extension.

Limit the file size:

You should set a limit on the size of the file that can be uploaded. This will prevent attackers from uploading large files that could consume your server’s resources or potentially crash your server. You can set the maximum file size by using the upload_max_filesize and post_max_size directives in the php.ini file or using the ini_set() function in your PHP script.

Check for script injection:

Attackers can inject malicious code into a file that can be executed on the server. You can prevent this by checking the file’s content and making sure it doesn’t contain any PHP code. You can do this by using the is_uploaded_file() function to ensure the file was uploaded through an HTTP POST request, and not through any other means.

Store the uploaded files outside of the web root directory:

Storing uploaded files inside the web root directory can make them accessible to anyone with a URL. To prevent this, you should store uploaded files outside of the web root directory. You can then use PHP to read and serve the file when needed.

Generate unique file names:

If you allow users to upload files with the same name, an attacker could overwrite an existing file. To prevent this, you should generate a unique name for each uploaded file. You can use a combination of the current timestamp, the user’s ID, and a random string to create a unique name.

By implementing these security checks, you can help ensure the safety of your website and your users’ data.

Leave you thoughts

Search Here

Free Python Course

Recent Blog