Common PHP File Upload Restrictions

From family photos to business documents, file uploads power many of the major web applications.
A typical HTML form that allows the user to upload a file may look like this:


<form action="upload_file.php" method="post" enctype="multipart/form-data">
File Name:
<input type="file" name="file" id="file" /> 
<br />
<input type="submit" name="submit" value="Submit" />


In this case, the only field displayed on the form is the “file” field.  This field allows the user to browse their hard drive for the file they wish to upload. The enctype “multipart/form-data” specifies that the field should be filled with binary data, as from a file, rather than typed input from the user.
PHP applications allow users to upload files through its $_FILES object. Developers can use the $_FILES object to check on the properties of an uploaded file:

  • $_FILES[“file”][“name”] – the name of the uploaded file
  • $_FILES[“file”][“type”] – the type of the uploaded file
  • $_FILES[“file”][“size”] – the size in bytes of the uploaded file
  • $_FILES[“file”][“tmp_name”] – the name of the temporary copy of the file stored on the server
  • $_FILES[“file”][“error”] – the error code resulting from the file upload

For files that upload successfully, the value of $_FILES[“file”][“error”] is 0. However, some developers may want to place restrictions on the files users can upload.

File Type

Developers can use the $_FILES[“file”][“type”] property to limit the types of files uploaded to those in use for specific applications. For instance, businesses may wish to restrict file types to documents, spreadsheets and presentations, but not allow users to post photos, videos or executable programs.

if (($_FILES["file"]["type"] != "application/msword")
|| ($_FILES["file"]["type"] != "application/ ")
|| ($_FILES["file"]["type"] != "application/"))

  echo "Invalid file type";

File Size

Network administrators may also choose to limit the size of files users can upload to a server in order to reduce bandwidth usage. Developers can set limits on the size of a file a user can upload.

if ($_FILES["file"]["size"] < 25000)) // Max File Size: 25KB
  echo "File size exceeds maximum.";

Upload Timed Out

Another method that administrators use to conserve bandwidth is to limit the time that a page can use to upload a file. Most PHP applications time out after 30 seconds, but the developer can set the time to as little or as much as needed by changing either the php.ini file on the server or setting the time in the application itself.
max_input_time 300

PHP Script

// code to upload file to temporary directory
ini_set('max_input_time', 300);
// code to move file to new directory

Assigning Upload Directory

The uploaded files then need to be placed into a directory on the server. The move_uploaded_file() method moves the uploaded file from a temporary directory to the assigned directory.

$uploaddir = '/user/www/uploads/'; //assigns upload directory
$uploadfile = $uploaddir . basename($_FILES['file']['name']); //assigns upload directory and file name

if (move_uploaded_file($_FILES['file']['tmp_name'], $uploadfile)) { //checks file tmp_name for successful upload
    echo "File upload successful.\n";
} else {
    echo "File upload failed\n";

These restrictions can allow the user the freedom to upload the files they need, while preventing much of the malicious or accidental damage that can occur when files are transmitted over the network.

Gerald Hanks has been involved in web development applications since 1996. He has designed applications with JavaScript, ASP.NET and PHP, as well as building databases in MS SQL Server and MySQL. He lives in Houston, Texas. More articles by Gerald Hanks
Home CSS Deals DesignBombs HTML HTML5 JavaScript jQuery Miscellaneous Mobile MySQL News PHP Resources Security Snippet Tools Tutorial Web Development Web Services WordPress