HTML form for the front end to upload a file:
1.The thing you should remmember with html form is you need to specify the method in the form. generally if you do not specify the form method it ill take get. The problem is you cannot upload file with a get method in the form.
2.Use the enctype=”multipart/form_data” in the form opening tag.
3.MAX_FILE_SIZE in html input tag. If you put this in hidden input tag just be careful you convert it into bytes and as same as in php file.
4.Who don’t know how to put MAX_FILE_SIZE in input tag..
"input type="hidden" name="MAX_FILE_SIZE" value="30000"
right after the form tag.
php file in the back end
1.If you are using PHP 5, make sure you are using $_FILES to collect your post files. using $HTTP_POST_FILES won’t be working on php5. $HTTP_POST_FILES was compatible with PHP 4, but you should always use the new method of something in your code!
2.Like i mention before you need to specify the exact max_file_size both for html and php and always round it up.
Like: if you want to restrict user to 30KB then max_file_size supposed to be 30720. you should use 30000 instead of the exact bytes because if you test it out then you will notice you can upload slightly bigger file than 30KB while mentioning the max_file_size to 30720.
3.Some information you need to know of uploaded files..
$_FILES["uploaded_file"]["name"] the original name of the file uploaded from the user's machine $_FILES["uploaded_file"]["type"] the MIME type of the uploaded file (if the browser provided the type) $_FILES["uploaded_file"]["size"] the size of the uploaded file in bytes $_FILES["uploaded_file"]["tmp_name"] the location in which the file is temporarily stored on the server $_FILES["uploaded_file"]["error"] an error code resulting from the file upload
4.check the extension, NOT the mime type.Why not? Just ask google 😉 I also do have some explanation of that.If you only check the mime-type I can upload a evil.php disguised as jpeg, which easy will fit in the size. The thing is, site.com/upload/evil.php will execute the php, yet site.com/upload/evil.jpeg will not execute any php, even if the .jpeg was a .php file.
Moral: check the extension, NOT the mime type.
Directory to keep file
many of us are dealing with large files and a lots of file upload every single day who are maintaining big projects or big websites. In this case we need to track all the uploaded photos and need to keep them in a proper way. if we use the normal way like /uploads/images/..then we can’t keep track of large amount of photos. So that some of us use the auto created directory for keeping the videos in the server. We write a script to specify the directory for every single upload. Better check the directory whether it exists or not then create new. i generally create the folder based on every day. that means I creat folders based on year/month/day….the whole oath after creating the directory it is look something like “../uploads/images/2009/10/15/”…We keep the file in this directory. if the directory exists the condition will compell the script to keep file there. And if the directory is not exists then script will create one to keep file. It’s that easy and simple.
There are some issue on server side that you need to know. Server permission and umask() function. please google the functions and I hope you will find the solution. some of us keep the files outside of webroot to protct ourselves from hackers. Some of us keep files in the database who are dealing with small amount of photos or upload.
database designing for keeping uploaded data information is another important part of saving the uploaded files. If your intention is to keep the files directly in the databse then you need to specify BLOB datatype for the table entity. if you want to keep the path nly for the uploaded files and want to keep the files somewhere else in the folder then specify the ‘varchar’ datatype with any length or values you want.
1.I have already mentioned some security hole of bad coding. hacker can easily upload some shell command in a php file to destroy and get inforation from your site.Coding line something like:
uploade through a perl script can be dangerous and can easily break the normal upload security. There are more security hole if yu don’t make your upload file function strict and secured.
There are some important functions that you need to know while creating script for uploading file.
<ul> <li>getimagesize($prm);</li> <li>move_uploaded_file($tmp_name, $uploading_path);</li> <li>exif_imagetype($file_name);</li> <li>mkdir('$string', (permission-->e.g 0777));</li> <li>umask();</li> </ul>
I will love to hear the weakness of my writing about those. And if you have something more valuable to share please go ahead an criticize my post. It will be great to discuss some issues.