-
-
Save taterbase/2688850 to your computer and use it in GitHub Desktop.
| <!DOCTYPE html> | |
| <html> | |
| <head> | |
| <title>Upload your files</title> | |
| </head> | |
| <body> | |
| <form enctype="multipart/form-data" action="upload.php" method="POST"> | |
| <p>Upload your file</p> | |
| <input type="file" name="uploaded_file"></input><br /> | |
| <input type="submit" value="Upload"></input> | |
| </form> | |
| </body> | |
| </html> | |
| <?PHP | |
| if(!empty($_FILES['uploaded_file'])) | |
| { | |
| $path = "uploads/"; | |
| $path = $path . basename( $_FILES['uploaded_file']['name']); | |
| if(move_uploaded_file($_FILES['uploaded_file']['tmp_name'], $path)) { | |
| echo "The file ". basename( $_FILES['uploaded_file']['name']). | |
| " has been uploaded"; | |
| } else{ | |
| echo "There was an error uploading the file, please try again!"; | |
| } | |
| } | |
| ?> |
This is a terrible example of handling file uploads.
It does not check for file upload errors (via the 'errors' element under $_FILES).
The 'name' is specified by the client and should not be trusted. It may also contain characters that are not valid for filenames on the servers filesystem.
There's no handling of duplicate filenames - one file upload could overwrite a previous file upload.
This code does not check the content of the uploaded file. You may be expecting an image to be uploaded, but the client may upload a PHP script instead - if that file is uploaded to a web accessible directory, the client could then execute that PHP script. This would lead to further compromises of your server and/or your hosting being used for malicious purposes (phishing, illegal content).
You should always check the content of uploaded files using the fileinfo extension, mime_content_type(), or a function specific to the expected content type (eg. the type returned by getimagesize() for images)
Thank you very much, this one finally works!
For the ones complaining, the point of this script is that beginners can understand the base code for uploading files, and can add validation afterwards.
Thank you,
Late to the party, but THANK YOU for putting a dead simple minimalist version of an upload. The only other guides I saw had all this extra crap that caused errors, required multiple files, etc.
This file just works. You might need to change your download folder, but it's simple and solid.
Steps to Reproduce
For windows
- Run apache server or using Xampp run apache.
- Create an upload folder in
C:\xampp\htdocs - Also put this upload.php on the same folder
C:\xampp\htdocs
For *Nix
- Create an upload folder in
/var/www/html/ - Put the upload.php file in the same folder
/var/www/html/ - Run Apache service.
If someone needs similar (i.e. very simple) but a way more advanced and useful solution, please be my guest: https://github.com/sensboston/uploader
This sucks anyone would be able to upload a .php file and take control of your server, do NOT use it!