DJ Mike's Tutorials: PHP

Uploading Files

Security

Before you start uploading files, use phpinfo() to confirm that your server has the correct settings. Make sure that file_uploads is on. The default value for upload_max_filesize is 2MB and for post_max_size is 8MB. If those limits are too restrictive for you, contact your site administrator.

When making a form to upload files, you must take two precautions. First, if the file uploader is intended for your use only, you need some kind of authentication to make sure that only you can use the form. For PHP to save an uploaded file, it must have write permission on the directory it is uploading to. On most servers PHP runs as the same user as the web server, so if you make that directory writable for PHP, anyone else on the same server can also move, copy or write files in that directory. Secondly, you have to filter the input with trim() and use regular expressions to strip illegal characters and reject undesired file types. Windows allows its users to name files with characters that are illegal in URLs, which can result in corrupt files that your file manager will not remove.

HTML Form

A form for inputting a file accepts more than just text, so the method must be post and it must use enctype="multipart/form-data". Before the file input, add a hidden input named MAX_FILE_SIZE with a value equal to the maximum number of bytes you want to allow. This is easy to circumvent, but you should still use it; it must come before the file input to work. Finally, use <input type="file" />:



<form method="post" enctype="multipart/form-data">
<input type="hidden" name="MAX_FILE_SIZE" value="600000">
<input type="file" name="file_in"><br />
Rename to: <input type="text" name="file_name">
<input type="submit">
</form>


For computer users, that will create an input that lets them browse their computer's files. WebTV users will instead see an input for video captures or WAV files, depending on the device attribute.

To remove extra spaces, line breaks and illegal characters from the user-submitted new name, use trim() and preg_replace(). For the regular expression, use [^\w\.] to match any character that is not alphanumeric, an underscore or a period:



if ( isset($_POST['file_name']) )
{
    // trim() strips leading and trailing whitespace (spaces, tabs, line breaks);
    // preg_replace() then turns every remaining character outside [A-Za-z0-9_.] into "_".
    $file_name = trim($_POST['file_name']);
    $file_name = preg_replace("@[^\w\.]@", "_", $file_name);
}
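The tutorial stops at cleaning the name and never shows what happens to the uploaded file itself. The following is an added example, not DJ Mike's code, that completes the picture for the form on this page: it checks the server-side upload settings described in the Security section, re-applies the trim()/preg_replace() filter, enforces the size limit on the server (because MAX_FILE_SIZE is only a hint to the browser), rejects undesired file types with an extension allowlist, and finally moves the file into place. The upload directory ./uploads, the allowlist contents, and the helper names iniBytes(), cleanName() and handleUpload() are assumptions for illustration and are not part of the original page.

```php
<?php
// Added example (not the tutorial's own code). Assumes the form above
// (fields file_in and file_name) and an upload directory that PHP can write to.

const UPLOAD_DIR  = __DIR__ . '/uploads';                          // assumed, writable by the web server user
const MAX_BYTES   = 600000;                                        // mirrors MAX_FILE_SIZE in the form
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif', 'txt', 'pdf'];   // assumed allowlist; never use a blocklist

// Convert a php.ini shorthand size such as "2M" or "8M" into bytes so the
// server's upload_max_filesize can be compared with our own limit.
function iniBytes(string $value): int
{
    $value = trim($value);
    $unit  = strtolower(substr($value, -1));
    $num   = (int) $value;
    switch ($unit) {
        case 'g': return $num * 1024 * 1024 * 1024;
        case 'm': return $num * 1024 * 1024;
        case 'k': return $num * 1024;
        default:  return $num;
    }
}

// The page's trim() + preg_replace() filter, plus two extra guards: no leading
// dots (hidden files) and no ".." runs, so the name can only land inside UPLOAD_DIR.
function cleanName(string $name): string
{
    $name = trim($name);
    $name = preg_replace('@[^\w\.]@', '_', $name);
    $name = ltrim($name, '.');
    $name = preg_replace('@\.{2,}@', '.', $name);
    return $name === '' ? 'upload' : $name;
}

// Validate one entry of $_FILES and move it into UPLOAD_DIR. Returns a message.
function handleUpload(array $file, string $requestedName): string
{
    // PHP reports oversize, partial and missing uploads here; check it first.
    $err = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($err !== UPLOAD_ERR_OK) {
        return "Upload failed with error code $err";
    }
    // Only trust files that really arrived through the upload mechanism.
    if (!is_uploaded_file($file['tmp_name'])) {
        return 'Not an uploaded file';
    }
    // MAX_FILE_SIZE is client-side and trivially bypassed; enforce the limit
    // again here, using the smaller of our cap and the server's setting.
    $limit = min(MAX_BYTES, iniBytes((string) ini_get('upload_max_filesize')));
    if ($file['size'] > $limit) {
        return "File exceeds the $limit byte limit";
    }
    // The "Rename to" field wins if given; otherwise use the browser-supplied
    // name. Both are user input, so both go through the same filter.
    $name = cleanName($requestedName !== '' ? $requestedName : basename($file['name']));
    $ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return "File type '$ext' is not allowed";
    }
    $dest = UPLOAD_DIR . '/' . $name;
    if (file_exists($dest)) {
        return 'A file with that name already exists';
    }
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return 'Could not move the file into place (check directory permissions)';
    }
    chmod($dest, 0644);    // uploaded content must never be executable
    return "Saved as $name";
}

// Same check the Security section recommends doing by hand with phpinfo().
if (!ini_get('file_uploads')) {
    exit('file_uploads is off in php.ini');
}
if (isset($_FILES['file_in'])) {
    $msg = handleUpload($_FILES['file_in'], (string) ($_POST['file_name'] ?? ''));
    echo htmlspecialchars($msg, ENT_QUOTES, 'UTF-8');
}
```

Put this at the top of the page that the form posts to. Note that $_FILES['file_in']['error'] is already UPLOAD_ERR_FORM_SIZE when the browser honoured MAX_FILE_SIZE and UPLOAD_ERR_INI_SIZE when upload_max_filesize was exceeded, so the explicit size comparison only catches what those two checks did not.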


Example
<?php
session_start();
$password = "your_password";
$self = $_SERVER['PHP_SELF'];
// Log out: clear the stored password and reload the page.
if ( isset($_POST['logout']) )
{
    $_SESSION['pass'] = "";
    header("Location: $self");
    exit;
}
##
// Log in: remember the password in the session only when it matches.
if ( isset($_POST['pass']) && $_POST['pass'] == $password )
{
    $_SESSION['pass'] = $password;
    header("Location: $self");
    exit;
}
##
// Clean the requested new file name as described above.
if ( isset($_POST['file_name']) )
{
    $file_name = trim($_POST['file_name']);
    $file_name = preg_replace("@[^\w\.]@", "_", $file_name);
}
?>
<html>
<body>
<form method="post">
<center>
<input type="password" name="pass" value="<?php echo isset($_SESSION['pass']) ? htmlspecialchars($_SESSION['pass']) : ''; ?>" />
<input type="submit" value="Log In" />
<input type="submit" name="logout" value="Log Out" />
</center>
</form>
<?php
// Anyone who is not logged in sees only the login form above.
if ( !isset($_SESSION['pass']) || $_SESSION['pass'] != $password )
{
    echo "</body></html>";
    exit;
}
?>
<hr>
<form method="post" enctype="multipart/form-data">
<input type="hidden" name="MAX_FILE_SIZE" value="600000">
<input type="file" name="file_in"><br />
Rename to: <input type="text" name="file_name"><br />
<input type="submit">
</form>
</body>
</html>


Created by DJ Mike from Santa Barbara