
FILE UPLOADS CHAPTER 11

Upload: heather-armstrong

Post on 23-Dec-2015


Page 1: FILE UPLOADS CHAPTER 11. THE BASIC PROCESS 1.The HTML form displays the control to locate and upload a file 2.Upon form submission, the server first stores

FILE UPLOADS CHAPTER 11

Page 2

THE BASIC PROCESS

1. The HTML form displays the control to locate and upload a file

2. Upon form submission, the server first stores the uploaded file in a temporary directory for validation

3. The PHP script then needs to copy the uploaded file to its intended directory

Page 3

THE HTML

<form enctype="multipart/form-data" action="upload_image.php" method="post">
  <input type="hidden" name="MAX_FILE_SIZE" value="2097152">
  <p><b>Select File:</b>
  <input type="file" name="upload"></p>
  <input type="submit" name="submit" value="Submit">
</form>

For this enctype, the post method must be used!

Page 4

THE GLOBAL PHP $_FILES ARRAY

The first index is the variable name from the form's input file element.

The second index can be any of the following:

• $_FILES['file']['name'] - the name of the uploaded file
• $_FILES['file']['type'] - the MIME (content) type of the uploaded file as provided by the browser
• $_FILES['file']['size'] - the size in bytes of the uploaded file
• $_FILES['file']['tmp_name'] - the name of the temporary copy of the file stored on the server
• $_FILES['file']['error'] - the error code resulting from the file upload

Page 5

MIME TYPES

Page 6

SECURITY ISSUES

For file uploads to be saved permanently, the directory that receives them needs to have write permissions assigned to it.

This means that virtually anyone can write to it.

A malicious user could save a problematic PHP script there.

But if the directory is outside of the public_html directory, a script saved there can't be run by a browser.

So create an uploads folder in your /home/usr/directory, and set its permissions to 777, so that the files can be saved (written) there.
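The following upload_image.php is an added example, not code from the slides: it carries out the three steps of the basic process for the form shown earlier and saves the file into a directory outside public_html, as this slide recommends. It assumes the form field is named "upload" and that the uploads folder is ../../uploads relative to the script; both are placeholders. Because $_FILES['upload']['type'] and MAX_FILE_SIZE are supplied by the browser, the script checks type and size again on the server, and it never uses the client's file name on disk.

```php
<?php
// Added example (not the slides' code): complete handler for the upload form.
// Assumed: field name "upload", uploads directory ../../uploads (placeholders).

declare(strict_types=1);

const UPLOAD_DIR = __DIR__ . '/../../uploads'; // outside the web root (assumed path)
const MAX_BYTES  = 2097152;                     // 2 MB, same as MAX_FILE_SIZE in the form

// Image MIME types we accept, and the extension each one gets on disk.
const ALLOWED = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/**
 * Validate one entry of $_FILES and return the path it was stored under.
 * Throws RuntimeException describing why the upload was refused.
 */
function store_upload(array $file, string $dir = UPLOAD_DIR, int $maxBytes = MAX_BYTES): string
{
    // 1. The error code set by PHP itself (UPLOAD_ERR_OK is 0).
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with error code ' . (int) $file['error']);
    }

    // 2. Size: MAX_FILE_SIZE in the form is only a hint to the browser, so check again here.
    if ($file['size'] > $maxBytes) {
        throw new RuntimeException('File is larger than ' . $maxBytes . ' bytes');
    }

    // 3. Type: $_FILES[...]['type'] is whatever the browser claims, so read the
    //    real type from the file's contents instead.
    $info = getimagesize($file['tmp_name']);
    if ($info === false || !isset(ALLOWED[$info['mime']])) {
        throw new RuntimeException('File is not a JPEG, PNG or GIF image');
    }

    // 4. Only accept a file that really arrived through the HTTP upload mechanism.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }

    // 5. Never use the client-supplied name on disk: generate our own, with the
    //    extension chosen from the detected type rather than the original name.
    $target = rtrim($dir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . ALLOWED[$info['mime']];

    // 6. Move the file out of the temporary directory (step 3 of the basic process).
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Could not move the uploaded file into ' . $dir);
    }

    return $target;
}

if (isset($_POST['submit'], $_FILES['upload'])) {
    try {
        $saved = store_upload($_FILES['upload']);
        echo '<p>The file has been uploaded as ' . htmlspecialchars(basename($saved)) . '.</p>';
    } catch (RuntimeException $e) {
        echo '<p>The file could not be uploaded: ' . htmlspecialchars($e->getMessage()) . '</p>';
    }
}
```

The directory still has to be writable by the web server user for move_uploaded_file() to succeed, which is the permission problem the slide describes; keeping the directory outside public_html is what stops anything written there from being executed through the browser.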

Page 7

THE UPLOAD PHP

Page 8

RECALL THE HTTP REQUEST/RESPONSE CYCLE

(Diagram: the browser's request, and the server's response carrying headers)

Page 9

DISPLAYING THE IMAGES

Because the images are stored outside of the public_html directory, they are not available to Web browsers.

So these don't work:

• a direct http:// reference
• an HTML <img src=" "> tag

To make the content available through a web browser, you need a proxy script…

Page 10

DISPLAYING THE IMAGES

A proxy script acts as the go-between from the user's browser to the images' location and back again.

In a response to a browser, there is a series of HTTP headers sent along with the HTML.

Page 11

DISPLAYING THE IMAGES

The header() function:

There are several strings which can be used in the header() function. The most common use is:

header('Location: http://…'); which redirects the browser to a new page without requiring the user to click on anything.

This will be used in Chapter 12.

Page 12

DISPLAYING THE IMAGES

To display images, we need three other headers:

header("Content-Type:….."); sends the MIME type of whatever follows

header("Content-Disposition: attachment; filename =\"somefile.xxx\"\n"); tells the browser to download the file. Alternatively, change attachment to inline to tell the browser to display the data.

header("Content-Length: xxx\n"); the size in bytes

Page 13

HEADER FUNCTION

• When using headers, the header() function call must come before anything is returned to the Web browser

• When multiple header calls are used in one script each should be terminated with \n

Page 14

FUNCTIONS USED TO RETRIEVE AND DISPLAY IMAGES

scandir(string $dir) Returns an array of all files and directories found in the specified path

substr(string $string, int $start [, int $length]) Returns the portion of string specified by the start and length parameters

filesize(string $filename) Returns the size of the file in bytes, or FALSE in case of an error

getimagesize(string $filename [, array &$imageinfo]) Determines the size of any given image file and returns an array containing the dimensions along with the file type and a height/width text string to be used inside a normal HTML IMG tag and the corresponding HTTP content type

urlencode(string $str) Returns a string in a format which is safe to pass in a URL

readfile(string $filename) Reads in a file and immediately sends the content to the Web browser

Page 15

DISPLAYING THE IMAGES

Functions to use:

• scandir() - returns a list of files and directories as an array

The code:

$dir = '../../uploads'; // Define the directory to view.
echo $dir;
$files = scandir($dir); // Read all the images into an array.

Page 16

DISPLAYING THE IMAGES

Process every image in the array skipping any hidden files which start with a period (non-Windows)

substr(string $string, int $start [, int $length])

Returns the portion of string specified by the start and length parameters.

foreach ($files as $image) {
    if (substr($image, 0, 1) != '.') { // Ignore anything starting with a period.
        // ... process $image here
    }
}

Page 17

DISPLAYING THE IMAGES

getimagesize();

The getimagesize() function will determine the size of any given image file and return the dimensions along with the file type and a height/width text string to be used inside a normal HTML IMG tag and the corresponding HTTP content type.

Page 18

DISPLAYING THE IMAGES

// Get the image information ($image is the path of the file to send, $name its file name)
$info = getimagesize($image);
$fs = filesize($image);

// Send the content information:
header("Content-Type: {$info['mime']}\n");
header("Content-Disposition: inline; filename=\"$name\"\n");
header("Content-Length: $fs\n");

// Send the file:
readfile($image);

// There is intentionally no closing PHP tag, to avoid sending anything extra
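The following show_image.php is an added example, not code from the slides: it is a complete proxy script of the kind the last slides describe, and the hardened form of the fragment above. It assumes the images live in ../../uploads relative to the script and that the file is requested as show_image.php?image=NAME; both are placeholders. The part the fragment leaves out is how $image is chosen, and that is where the checks belong: the requested name is reduced to its basename, must appear in scandir()'s listing of the uploads directory, and must be recognised by getimagesize() before the three headers and the file data are sent.

```php
<?php
// Added example (not the slides' code): proxy script that serves one image
// from the uploads directory outside public_html.
// Assumed: directory ../../uploads, query parameter "image" (placeholders).

declare(strict_types=1);

const UPLOAD_DIR = __DIR__ . '/../../uploads'; // outside the web root (assumed path)

/**
 * Return the full path of the requested image, or null if the request is not
 * for a plain image file inside UPLOAD_DIR.
 */
function resolve_image(string $requested, string $dir = UPLOAD_DIR): ?string
{
    // basename() discards any directory part, so "../../etc/passwd" becomes "passwd".
    $name = basename($requested);
    if ($name === '' || $name[0] === '.') {   // same rule as the listing loop
        return null;
    }

    // Only serve a name that scandir() actually reports for the directory.
    $listing = scandir($dir);
    if ($listing === false || !in_array($name, $listing, true)) {
        return null;
    }

    $path = rtrim($dir, '/') . '/' . $name;
    // Require a regular file that getimagesize() recognises as an image.
    if (!is_file($path) || getimagesize($path) === false) {
        return null;
    }
    return $path;
}

/**
 * Build the three headers the slides describe, taking the values from the file
 * itself rather than from anything the client sent.
 */
function image_headers(string $path): array
{
    $info = getimagesize($path);
    $size = filesize($path);
    return [
        'Content-Type: ' . $info['mime'],
        'Content-Disposition: inline; filename="' . basename($path) . '"',
        'Content-Length: ' . $size,
    ];
}

// Everything below runs only when the script is requested over HTTP.
if (PHP_SAPI !== 'cli') {
    $path = resolve_image($_GET['image'] ?? '');
    if ($path === null) {
        // Unknown or unacceptable name: reply 404 without saying why.
        http_response_code(404);
        exit;
    }

    // Headers must go out before any output, so nothing is echoed above this line.
    foreach (image_headers($path) as $h) {
        header($h);
    }
    readfile($path);
}
// No closing PHP tag, so that no stray whitespace follows the image data.
```

A listing page built with the scandir() loop from the earlier slides would link to this script as show_image.php?image=<?= urlencode($image) ?>, which is the reason urlencode() appears in the function table.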