How to upload files in php

On 11/10/2014

File upload using PHP is a much discussed topic on the web. It is one of the vulnerable spots of any website, and its security will be breached if uploads are not handled properly. So understanding how to upload files in php in a secure way is a must for anyone who wants to learn php web development. No worries. Here is the way you can upload files using php more securely by providing appropriate filters.


Before starting, make sure your web server allows file uploading. Check for this line in the server's php.ini file.

file_uploads = On

If it is not set, then set it to 'On'.

How to Upload Files in PHP Securely

First let's create the html form for uploading the file. Add a file input and a submit button to the form. The file input is made especially to aid the file uploading process and consists of a text box and a browse button. The user clicks the browse button to choose the file for uploading, and the name of the selected file is displayed in the nearby textbox.

We have to set the html form attributes method="post" and enctype="multipart/form-data". The enctype stands for encoding type (it controls how the form data is encoded in the request body; it has nothing to do with encryption) and should be set to "multipart/form-data" to upload files in php.

Here goes the html code for our php file upload form.

<form action="file_upload.php" name="uploadform" method="post" enctype="multipart/form-data">
    <input type="file" name="txt_filename" />
    <input type="submit" name="submit" value="Upload File" />
</form>

Next we'll move on to the PHP file upload script part. PHP uses an associative array called "$_FILES" where it stores all the information about the file selected by the user in the file input. Here are the properties of the array, where 'file' stands for the name of the file input in the form.

  1. $_FILES['file']['tmp_name'] - the temporary path of the uploaded file on the web server.
  2. $_FILES['file']['name'] - it's the actual name of the uploaded file.
  3. $_FILES['file']['size'] - uploaded file size in bytes.
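  4. $_FILES['file']['type'] - MIME type of the uploaded file as reported by the browser. PHP does not verify this value, so it reflects what the client sent, not what the file actually contains.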
  5. $_FILES['file']['error'] - if there is any error in the file uploading process, then the error code will be stored here.

As I said earlier in this article, we have to make sure the user uploads the proper file and not some malicious exe file or code. So your php file upload script should always keep a check on the type of files that should be allowed for uploading by a user. For the sake of this tutorial, I'll set filters such as,

  1. The uploaded file type should be plain text or pdf files.
  2. The file size should not exceed 100KB.

Note: I'm just using these conditions for this tutorial purpose, but you can set your own filters like allowing only image files for uploading (eg., in case of user avatar field). The php image uploader script will be the same as the file upload code given in this tutorial, except that you have to check against the mime types of the images.

Here is the php script for file upload.

<?php
//check if form submitted
$submit = isset($_POST['submit']) ? $_POST['submit'] : '';

if ($submit == "Upload File")
{
    //get file name (basename() drops any directory part sent by the client)
    $filename = basename($_FILES["txt_filename"]["name"]);

    //set target directory
    $target_path = "uploads/";

    //upload file
    //check if file type is of text or pdf, and of size less than 100KB
    if ((($_FILES["txt_filename"]["type"] == "application/pdf") || ($_FILES["txt_filename"]["type"] == "text/plain")) && ($_FILES["txt_filename"]["size"] <= 100000))
    {
        //move the file out of the temporary directory and report a failed move
        if (move_uploaded_file($_FILES["txt_filename"]["tmp_name"], $target_path . $filename))
            echo "File Uploaded Successfully!";
        else
            echo "Error!";
    }
    else
    {
        echo "Error!";
    }
}
?>

As you can see in the code, we used the conditions, $_FILES["txt_filename"]["type"]=="application/pdf" to check for the pdf file and $_FILES["txt_filename"]["type"]=="text/plain" to check for text file.

Here is the list of some other MIME types you can use for checking the different file extensions.

  1. image/jpeg - "*.jpeg"
  2. image/jpg - "*.jpg"
  3. image/gif - "*.gif"
  4. image/tiff - "*.tiff"
  5. image/png - "*.png"
  6. text/html - "*.html"
  7. text/css - "*.css"
  8. text/xml - "*.xml"
  9. text/json - "*.json"
  10. application/excel - "*.excel"
  11. audio/mp3 - "*.mp3"
  12. audio/wav - "*.wav"
  13. video/mpeg - "*.mpeg"
  14. application/zip - "*.zip"

We have used the php function move_uploaded_file(), which moves the file from the temporary directory to the target directory. Save the above piece of code in a separate php file, set the html form's action attribute to point to this file, and you are done.
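A stricter version of the same handler, added here as an example and not part of the original tutorial: it detects the type from the file content instead of the browser-reported $_FILES[...]['type'], checks the upload error code, and stores the file under a server-generated name. It assumes PHP 7.1+ with the fileinfo extension, the field name txt_filename from the form above, and an existing uploads/ directory from which the web server does not execute scripts; the constant and function names are illustrative.

```php
<?php
// Added example, not the tutorial's code. MAX_BYTES, ALLOWED and
// safe_upload_name() are illustrative names chosen for this sketch.

const MAX_BYTES = 100000;            // same 100KB limit as the tutorial
const ALLOWED   = [                  // detected MIME type => extension we assign
    'application/pdf' => 'pdf',
    'text/plain'      => 'txt',
];

/**
 * Validate one $_FILES entry. Returns the server-chosen name to store the
 * file under, or null if the upload must be rejected.
 */
function safe_upload_name(array $file): ?string
{
    // 1. PHP reported a clean upload and the temp file belongs to this request.
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) return null;
    if (!is_uploaded_file($file['tmp_name'])) return null;

    // 2. Enforce the size limit on the stored temp file and reject empty files.
    $size = filesize($file['tmp_name']);
    if ($size === false || $size === 0 || $size > MAX_BYTES) return null;

    // 3. Detect the type from the content; $file['type'] is client-supplied.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($detected === false || !array_key_exists($detected, ALLOWED)) return null;

    // 4. Never reuse the client's file name: random name, extension from our map.
    return bin2hex(random_bytes(16)) . '.' . ALLOWED[$detected];
}

if (isset($_POST['submit'], $_FILES['txt_filename'])) {
    $name = safe_upload_name($_FILES['txt_filename']);
    if ($name !== null
        && move_uploaded_file($_FILES['txt_filename']['tmp_name'], 'uploads/' . $name)) {
        echo 'File Uploaded Successfully!';
    } else {
        echo 'Error!';
    }
}
```

If the original file name has to be shown to users later, keep it in a database column next to the generated name rather than on disk.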

Hope now you have an idea on how to upload files in php in a more proper way. As I have said before, always handle the uploading process with care without compromising your website's security.


  1. Great Post, Actually PHP is a beautiful source for developing a database driven web application, I love this post, thanks for spending your time for discussing about this topic.
    PHP Course in Chennai

  2. Hello, I need help regarding blog. will you please reply me on

