To upload files using PHP, create an HTML form with method="post" and enctype="multipart/form-data", then handle the upload securely in PHP. 1. Create an HTML form with an <input type="file"> element pointing to the PHP script. 2. In upload.php, use move\_uploaded\_file() to move the file after validating it by checking if it's an image, ensuring it doesn't already exist, limiting its size, and allowing only specific file types. 3. Secure uploads by renaming files, restricting types and sizes, setting proper directory permissions, storing files outside the web root, and adjusting php.ini settings like upload\_max\_filesize and post\_max\_size. Testing edge cases is essential for a robust implementation.

Uploading files to a server using PHP is pretty straightforward once you understand the basics. You need an HTML form that allows file selection, and a PHP script to handle the upload process securely.

Here’s how to do it step by step:

1. Create the HTML Upload Form

Before PHP can handle any file uploads, you need a way for users to select and send the file. That means creating an HTML form with the right attributes.

Make sure your form includes:

• method="post" — GET won’t work for file uploads
• enctype="multipart/form-data" — this is required for sending files
• An <input type="file"> element

Here's a basic example:

<form action="upload.php" method="post" enctype="multipart/form-data">
    Select file to upload:
    <input type="file" name="fileToUpload" id="fileToUpload">
    <input type="submit" value="Upload File" name="submit">
</form>

This creates a simple interface where users can pick a file and submit it.

2. Handle the Upload in PHP

Now create the PHP script (upload.php) that will receive and process the uploaded file.

PHP stores uploaded files in a temporary location first, so you’ll need to move them to a permanent directory using the move_uploaded_file() function.

Here’s a basic version of what that script might look like:

$targetDir = "uploads/";
$targetFile = $targetDir . basename($_FILES["fileToUpload"]["name"]);
$uploadOk = 1;

// Check if file was uploaded without errors
if (isset($_POST["submit"])) {
    $check = getimagesize($_FILES["fileToUpload"]["tmp_name"]);
    if ($check !== false) {
        echo "File is an image - " . $check["mime"] . ".";
        $uploadOk = 1;
    } else {
        echo "File is not an image.";
        $uploadOk = 0;
    }
}

// Check if file already exists
if (file_exists($targetFile)) {
    echo "Sorry, file already exists.";
    $uploadOk = 0;
}

// Check file size (e.g., limit to 5MB)
if ($_FILES["fileToUpload"]["size"] > 5000000) {
    echo "Sorry, your file is too large.";
    $uploadOk = 0;
}

// Allow certain file formats
$imageFileType = strtolower(pathinfo($targetFile, PATHINFO_EXTENSION));
if (!in_array($imageFileType, ['jpg', 'png', 'jpeg', 'gif'])) {
    echo "Sorry, only JPG, JPEG, PNG & GIF files are allowed.";
    $uploadOk = 0;
}

// Check if $uploadOk is set to 0 by an error
if ($uploadOk == 0) {
    echo "Sorry, your file was not uploaded.";
// Try to move the file
} else {
    if (move_uploaded_file($_FILES["fileToUpload"]["tmp_name"], $targetFile)) {
        echo "The file " . htmlspecialchars(basename($_FILES["fileToUpload"]["name"])) . " has been uploaded.";
    } else {
        echo "Sorry, there was an error uploading your file.";
    }
}

This script checks:

• If it's actually an image (optional but good for security)
• If the file already exists
• The file size
• Allowed file types Then tries to move it to the target folder if all conditions pass.

3. Secure Your Uploads

Letting users upload files comes with risks. Here are some things you should consider to make your script more secure:

• Rename uploaded files — Don't trust user-provided filenames. Use something random or sanitized.
• Restrict file types — Only allow specific extensions.
• Limit file size — Set a max limit both in PHP and on the form side.
• Set proper permissions — Make sure the upload directory isn’t executable (chmod 755 is often safe).
• Store outside web root — For sensitive uploads, don’t store them in publicly accessible folders.

Also, update your php.ini settings if needed:

upload_max_filesize = 10M
post_max_size = 10M
max_file_uploads = 5

These settings control how big files can be and how many can be uploaded at once.

That’s basically it. It’s not super complicated, but there are enough moving parts that you want to test thoroughly and make sure you’re handling edge cases like invalid file types, duplicates, and oversized files.

The above is the detailed content of How do I upload files to a server using PHP?. For more information, please follow other related articles on the PHP Chinese website!