A common function for most web applications is uploading and storing files from users. Doing this securely and reliably can be a challenge, but there are a couple options if you’re using PHP.
If you want to ensure that your file uploads are securely and reliably stored no matter what web hosting environment you use, you should use a file upload service rather than storing the files directly on your own server. This method ensures that your application follows the Twelve-Factor App guidelines, and it allows you to scale without relying on system admins.
For example, Amazon S3 will allow you to upload files in PHP:
Install the AWS SDK with Composer:

composer require aws/aws-sdk-php

Then create upload.php in the same directory where you installed the composer package:

<?php
require('vendor/autoload.php');

$config = [
    "bucket"  => "...",        // Fill in with your S3 bucket name
    "region"  => "us-west-2",  // Fill in with your S3 bucket's region
    "version" => "2006-03-01", // S3 API version
    // SDK v3 expects credentials under a 'credentials' key; read them from the
    // environment rather than hard-coding them in the script.
    "credentials" => [
        "key"    => getenv("AWS_ACCESS_KEY_ID"),
        "secret" => getenv("AWS_SECRET_ACCESS_KEY"),
    ],
];
$s3 = new Aws\S3\S3Client($config);
?>
<html>
<head><meta charset="UTF-8"></head>
<body>
<h1>Uploading files to Amazon S3</h1>
<?php
// Only handle a real multipart upload that PHP received without error.
if ($_SERVER['REQUEST_METHOD'] === 'POST'
    && isset($_FILES['userfile'])
    && $_FILES['userfile']['error'] === UPLOAD_ERR_OK
    && is_uploaded_file($_FILES['userfile']['tmp_name'])) {
    try {
        // The client-supplied filename is used as the object key here; validate it
        // (or replace it with a server-generated name) before using this in production.
        $upload = $s3->upload(
            $config['bucket'],
            $_FILES['userfile']['name'],
            fopen($_FILES['userfile']['tmp_name'], 'rb'),
            'public-read'
        );
?>
<p>Upload <a href="<?=htmlspecialchars($upload->get('ObjectURL'))?>">successful</a> :)</p>
<?php } catch (Exception $e) { ?>
<p>Upload error :(</p>
<?php } } ?>
<h2>Upload a file</h2>
<!-- PHP_SELF is derived from the request URI, so escape it before echoing it into HTML -->
<form enctype="multipart/form-data" action="<?=htmlspecialchars($_SERVER['PHP_SELF'])?>" method="POST">
<input name="userfile" type="file"><input type="submit" value="Upload">
</form>
</body>
</html>

Start PHP's built-in server and open http://localhost:8000 in a browser:

$ php -S localhost:8000 upload.php
Be sure to keep credentials in environment variables rather than in code, validate the file type from the file's contents, and set the permissions on your S3 bucket so that only the users you intend can upload or view files.
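The three recommendations above can be applied to the handler in one place. The following is an added example, not code from the original article: it takes credentials from the SDK's default provider chain (the AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY environment variables or an instance role), checks the MIME type detected from the file contents against an allowlist, stores the object under a random server-chosen key with a private ACL, and hands back a short-lived presigned URL instead of a public one. The bucket name and region are assumed to come from the S3_BUCKET and AWS_REGION environment variables, names chosen for this example.

```php
<?php
// Added example (not the article's code): a hardened variant of the S3 upload handler.
// Assumes aws/aws-sdk-php v3 installed via Composer, bucket/region in the env vars
// S3_BUCKET and AWS_REGION (assumed names), and credentials supplied by the SDK's
// default provider chain, so nothing secret is written into this file.
require 'vendor/autoload.php';

use Aws\S3\S3Client;
use Aws\Exception\AwsException;

// Allowlist keyed by the MIME type detected from the file's bytes, mapped to the
// extension the stored object will get. The client-supplied name and type are ignored.
const ALLOWED_TYPES = [
    'image/png'       => 'png',
    'image/jpeg'      => 'jpg',
    'application/pdf' => 'pdf',
];
const MAX_BYTES = 5 * 1024 * 1024;

/** Validates one $_FILES entry; returns [mime, extension] or throws. */
function validateUpload(array $file): array
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('No valid upload');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime  = finfo_file($finfo, $file['tmp_name']);
    finfo_close($finfo);
    if (!isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException('File type not allowed');
    }
    return [$mime, ALLOWED_TYPES[$mime]];
}

/** Stores the upload as a private object under a random key; returns a 10-minute download URL. */
function storePrivately(S3Client $s3, string $bucket, array $file): string
{
    [$mime, $ext] = validateUpload($file);
    // Server-generated key: the user's filename never becomes part of the object path.
    $key = 'uploads/' . bin2hex(random_bytes(16)) . '.' . $ext;
    $s3->putObject([
        'Bucket'      => $bucket,
        'Key'         => $key,
        'SourceFile'  => $file['tmp_name'],
        'ContentType' => $mime,
        'ACL'         => 'private',
    ]);
    // Access is granted per request via a presigned GET instead of a public-read ACL.
    $cmd = $s3->getCommand('GetObject', ['Bucket' => $bucket, 'Key' => $key]);
    return (string) $s3->createPresignedRequest($cmd, '+10 minutes')->getUri();
}

$s3 = new S3Client([
    'version' => '2006-03-01',
    'region'  => getenv('AWS_REGION') ?: 'us-west-2',
]);

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['userfile'])) {
    try {
        $url = storePrivately($s3, (string) getenv('S3_BUCKET'), $_FILES['userfile']);
        echo '<p>Upload <a href="' . htmlspecialchars($url) . '">successful</a></p>';
    } catch (RuntimeException $e) {
        echo '<p>' . htmlspecialchars($e->getMessage()) . '</p>';
    } catch (AwsException $e) {
        error_log($e->getMessage()); // AWS error details stay in the server log, not the response
        echo '<p>Upload error</p>';
    }
}
```

Because the object is private, the bucket can keep "block public access" enabled; anyone who needs the file gets a URL that expires, and the application decides who receives it.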
The downside to using a file upload service is that because the files are not stored on the same server as your web application code, file manipulation and transfer can take longer. For most apps this is a non-issue (and the problem can be mitigated by putting your web server in the same data center or caching commonly used files on your server), but if you think that storing files on your own server is necessary read on.
While easier, this option is typically more prone to errors and security holes. Giving users the ability to upload files directly to your server means they can potentially upload malicious scripts or even modify or read your code. Be sure to read up on file upload permissions in PHP before you use this in live code.
<?php
if (isset($_POST["submit"])
    && isset($_FILES["fileToUpload"])
    && $_FILES["fileToUpload"]["error"] === UPLOAD_ERR_OK) {
    // basename() strips any directory part of the client-supplied name, but the file
    // still lands in the directory this script runs from, which here is also the
    // document root, so an uploaded .php file would be executable by the web server.
    $target_file = basename($_FILES["fileToUpload"]["name"]);
    if (move_uploaded_file($_FILES["fileToUpload"]["tmp_name"], $target_file)) {
        // Escape the client-supplied name before echoing it into the page.
        echo "The file " . htmlspecialchars($target_file) . " has been uploaded.";
    } else {
        echo "Something went wrong";
    }
}
?>
<!DOCTYPE html>
<html>
<body>
<form action="/" method="post" enctype="multipart/form-data">
Select file to upload:
<input type="file" name="fileToUpload" id="fileToUpload">
<input type="submit" value="Upload Image" name="submit">
</form>
</body>
</html>
Save this as upload.php and run it with the built-in server to upload a file:

$ php -S localhost:8000 upload.php
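The risk the section above describes comes from two things: the uploaded file keeps a name the user chose, and it is written into the directory the web server executes scripts from. The following is an added example, not the article's code, showing the local-storage option with both removed: the handler only accepts files that decode as PNG or JPEG images (matching the form's "Upload Image" button), writes them under a random name into a directory outside the document root, and a serving function streams them back with explicit headers so the web server never treats them as scripts. The directory /var/app/uploads is an assumed path for this example; it must be writable by the PHP process and not mapped by the web server.

```php
<?php
// Added example (not the article's code): local upload storage outside the web root.
// Assumes /var/app/uploads (hypothetical path) exists, is writable by PHP, and is not
// served directly by the web server. Only real PNG/JPEG images are accepted.
const UPLOAD_DIR = '/var/app/uploads';
const IMAGE_EXT  = [IMAGETYPE_PNG => 'png', IMAGETYPE_JPEG => 'jpg'];

/** Validates an uploaded image and moves it to UPLOAD_DIR under a random name; returns that name. */
function storeUpload(array $file): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('No valid upload');
    }
    // getimagesize() parses the image header from the bytes on disk; the client's
    // filename and Content-Type are not consulted at all.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !isset(IMAGE_EXT[$info[2]])) {
        throw new RuntimeException('Only PNG or JPEG images are accepted');
    }
    // Server-chosen name: no user input reaches the filesystem path, so there is no
    // traversal and no .php / double-extension name to worry about.
    $name = bin2hex(random_bytes(16)) . '.' . IMAGE_EXT[$info[2]];
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($dest, 0640); // readable by the app, never executable
    return $name;
}

/** Streams a stored image back to the client, e.g. for upload.php?f=<name>. */
function serveUpload(string $name): void
{
    // Accept only names this script itself could have generated.
    if (!preg_match('/^[0-9a-f]{32}\.(png|jpg)$/', $name)) {
        http_response_code(404);
        return;
    }
    $path = UPLOAD_DIR . '/' . $name;
    $info = is_file($path) ? @getimagesize($path) : false;
    if ($info === false) {
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . $info['mime']);
    header('X-Content-Type-Options: nosniff');          // browser must not second-guess the type
    header('Content-Disposition: inline; filename="' . $name . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);                                     // bytes are copied, never include()d
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['fileToUpload'])) {
    try {
        $stored = storeUpload($_FILES['fileToUpload']);
        echo 'Stored as <a href="?f=' . htmlspecialchars($stored) . '">'
           . htmlspecialchars($stored) . '</a>';
    } catch (RuntimeException $e) {
        echo htmlspecialchars($e->getMessage());
    }
} elseif (isset($_GET['f'])) {
    serveUpload((string) $_GET['f']);
}
```

The regular expression in serveUpload is the second line of defence: even if the storage directory were somehow reachable, only 32 hex characters plus a known extension can be requested, so a crafted ?f= value cannot name any other file on the host.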