Knowledge Essentials - 3Essentials Hosting

PHP upload: info and sample code

Article ID: 435


Need a file upload solution via PHP? The attached download is sample code which provides an HTML form page for selecting the file to upload, and posts to a PHP script which handles the upload. This sample is configured to allow upload of image files only; if you require a different type of file to be uploaded, please modify the script to suit your requirements.

The script saves the uploaded file into the private folder of your domain and then prints a description of the uploaded file. Please submit a support request to have proper permissions granted to the private folder, or modify the fields corresponding to "../private/" to the appropriate upload location. By default the script accepts files of size less than 20kb. You can change this limit by changing the value 20000 in the upload.php file.

Some important notes:

  • The maximum size of the file you can upload will depend on several things:
    • CGI-timeout value on the server: There is a limitation with the file upload feature on our shared hosting plans. The limitation is due to a CGI-timeout value in IIS, which limits a PHP script's (as a CGI app) execution to 300 seconds (or 5 minutes). So the amount of data you can upload will depend on the speed of your internet connection.
    • There are also settings in your php.ini file which can cause a limitation: upload_max_filesize, max_input_time, memory_limit, max_execution_time, post_max_size
  • HACKING VULNERABILITY: file upload functions are the single most common exploit for hacking. This is because people often put a file upload feature on their site and don't secure it or limit it. That allows a hacker to upload any code/script to your site and execute it, modifying or deleting your files. It is STRONGLY recommended you secure this feature on your site as noted here:
    • Secure access to the upload page, either through your own login code or through the protected URL feature in your control panel. Please refer to the KB article http://knowledge.3essentials.com/index.asp?menu=a1_2&go=article&id=215 on using the protected URL feature.
    • LIMIT FILE TYPES: write your upload feature to only allow certain file types... i.e., if it's for pictures, then ONLY allow image file extensions (jpg, jpeg, gif, bmp), or if it's an executable, make them zip it, and then upload it, and only allow upload of zip file extensions. Do not allow upload of php, cgi, asp, aspx files. 
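
The file-type and size restrictions above, applied in an upload handler. This is an added example, not the script shipped in upload.zip; the form field name `userfile`, the `reject()` helper and the use of PHP's fileinfo extension to check content are assumptions.

```php
<?php
declare(strict_types=1);
// Added example, not the script shipped in upload.zip.
// Assumptions: form field "userfile", helper reject(), fileinfo extension enabled.
const MAX_BYTES  = 20000;                     // the article's default size limit
const UPLOAD_DIR = __DIR__ . '/../private/';  // the article's upload location
// Extensions the article allows, each tied to the content types it may contain.
const ALLOWED = [
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'gif'  => ['image/gif'],
    'bmp'  => ['image/bmp', 'image/x-ms-bmp'],
];

function reject(int $status, string $reason): void {
    http_response_code($status);
    exit($reason);
}

$f = $_FILES['userfile'] ?? null;
// A nested 'error' array means a multi-file field was submitted; refuse it.
if (!is_array($f) || !is_int($f['error'] ?? null) || $f['error'] !== UPLOAD_ERR_OK) {
    reject(400, 'Upload failed.');
}
if (!is_uploaded_file($f['tmp_name'])) {
    reject(400, 'Not an uploaded file.');
}
$size = filesize($f['tmp_name']);
if ($size === false || $size === 0 || $size >= MAX_BYTES) {
    reject(413, 'File must be smaller than ' . MAX_BYTES . ' bytes.');
}
// Allow-list on the extension: php, cgi, asp, aspx and anything unlisted is refused.
$ext = strtolower(pathinfo((string) $f['name'], PATHINFO_EXTENSION));
if (!array_key_exists($ext, ALLOWED)) {
    reject(415, 'Only jpg, jpeg, gif and bmp files are accepted.');
}
// The extension is client-supplied, so confirm the bytes really are that image type.
$mime = (new finfo(FILEINFO_MIME_TYPE))->file($f['tmp_name']);
if (!in_array($mime, ALLOWED[$ext], true)) {
    reject(415, 'File content does not match its extension.');
}
// Store under a server-generated name; the client's file name never reaches the disk.
$stored = bin2hex(random_bytes(16)) . '.' . $ext;
if (!move_uploaded_file($f['tmp_name'], UPLOAD_DIR . $stored)) {
    reject(500, 'Could not save the file.');
}
// Print a description of the upload, escaping the client-supplied name.
printf("Saved %s (%d bytes, %s) as %s\n", htmlspecialchars((string) $f['name'], ENT_QUOTES, 'UTF-8'), $size, $mime, $stored);
```

The login or protected URL restriction from the first recommendation still belongs in front of this script; the checks here only limit what an authorized user can store.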



 
Downloads Associated With This Article
upload.zip : php upload script