move_uploaded_file() / is_uploaded_file()

Since: PHP 4 (2000)

Safely handles files uploaded via HTTP. Validates the legitimacy of the upload and moves the file to the specified directory.

Syntax

// Moves an uploaded file to the specified destination.
move_uploaded_file($from, $to);

// Checks whether a file was uploaded via HTTP POST.
is_uploaded_file($filename);

// Upload file information is available through superglobal variables.
$_FILES["field_name"]["name"];     // Original filename
$_FILES["field_name"]["type"];     // MIME type
$_FILES["field_name"]["tmp_name"]; // Temporary file path on the server
$_FILES["field_name"]["error"];    // Error code
$_FILES["field_name"]["size"];     // File size (in bytes)

Function List

| Function | Description |
| --- | --- |
| move_uploaded_file($from, $to) | Moves a temporary uploaded file to the specified destination. It internally runs is_uploaded_file() validation, making it safer than using rename() or copy() directly. |
| is_uploaded_file($filename) | Checks whether the specified file was uploaded via HTTP POST. This is a security function that detects spoofed file paths. |
| $_FILES | A superglobal variable that holds information about uploaded files. Use the name attribute of an HTML input type="file" element as the key to access the filename, size, temporary path, and more. |

$_FILES Error Codes

| Constant | Value | Description |
| --- | --- | --- |
| UPLOAD_ERR_OK | 0 | No error. The upload succeeded. |
| UPLOAD_ERR_INI_SIZE | 1 | The file exceeds the upload_max_filesize directive in php.ini. |
| UPLOAD_ERR_FORM_SIZE | 2 | The file exceeds the MAX_FILE_SIZE value specified in the HTML form. |
| UPLOAD_ERR_PARTIAL | 3 | The file was only partially uploaded. |
| UPLOAD_ERR_NO_FILE | 4 | No file was selected. |
| UPLOAD_ERR_NO_TMP_DIR | 6 | The temporary folder could not be found. |
| UPLOAD_ERR_CANT_WRITE | 7 | Failed to write the file to disk. |

Sample Code

<?php
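// Basic file upload handling.
// This keeps the client-supplied name and does no type or size validation;
// see "Upload handling with security checks" below before using it for real input.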
if ($_FILES["photo"]["error"] === UPLOAD_ERR_OK) {
    $tmp_name = $_FILES["photo"]["tmp_name"];
    $upload_dir = "/var/www/html/uploads/";
    $filename = basename($_FILES["photo"]["name"]); // Prevent directory traversal
    if (move_uploaded_file($tmp_name, $upload_dir . $filename)) {
        echo "Upload complete.";
    } else {
        echo "Failed to move the file.";
    }
} else {
    echo "An upload error occurred.";
}

// Use is_uploaded_file() to validate the upload before processing.
if (is_uploaded_file($_FILES["document"]["tmp_name"])) {
    echo "This is a legitimate uploaded file.";
} else {
    echo "An invalid file path was specified.";
}

// Upload handling with security checks
// Allowed MIME types, each mapped to the extension used for the saved file.
$allowed_types = ["image/jpeg" => "jpg", "image/png" => "png", "image/gif" => "gif"];
$max_size = 5 * 1024 * 1024; // 5MB

if (!isset($_FILES["avatar"]) || $_FILES["avatar"]["error"] !== UPLOAD_ERR_OK) {
    die("An upload error occurred.");
}

// Validate the MIME type server-side. $_FILES["avatar"]["type"] is sent by the client and cannot be trusted.
$finfo = finfo_open(FILEINFO_MIME_TYPE);
$mime_type = finfo_file($finfo, $_FILES["avatar"]["tmp_name"]);
finfo_close($finfo);

// finfo_file() returns false on failure, so check for a string before the lookup.
if (!is_string($mime_type) || !isset($allowed_types[$mime_type])) {
    die("This file type is not allowed.");
}

// Validate the file size.
if ($_FILES["avatar"]["size"] > $max_size) {
    die("The file exceeds the 5MB size limit.");
}

// Generate a random filename and save the file.
// The extension comes from the detected MIME type, not from the client-supplied
// name, so an upload named "image.php" is never saved with a .php extension.
$ext = $allowed_types[$mime_type];
$new_name = bin2hex(random_bytes(16)) . "." . $ext;
$dest = "/var/www/html/uploads/" . $new_name;

if (move_uploaded_file($_FILES["avatar"]["tmp_name"], $dest)) {
    echo $new_name . " has been saved."; // Outputs the randomly generated filename.
} else {
    echo "Failed to move the file.";
}

Overview

move_uploaded_file() is a function for safely moving files uploaded via HTTP. Always use move_uploaded_file() to move uploaded files. It internally validates the legitimacy of the uploaded file, making it safer than calling rename() or copy() directly.

File upload handling must always include the following security measures: apply basename() to the original filename to prevent directory traversal; do not trust $_FILES["type"], since it is set by the client, and instead validate the MIME type server-side using finfo_file(); enforce a maximum file size limit; and, when possible, save the file under a randomly generated filename.

Your HTML form must include the enctype="multipart/form-data" attribute. You can also configure server-side upload limits using upload_max_filesize and post_max_size in php.ini.
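
The checks from this Overview and the $_FILES error code table, combined into one reusable function. This is an added example, not code from the original page; the function name store_upload(), the field name "avatar", the 5MB limit and the destination directory are assumptions, and it requires PHP 8.0 or later for match.

```php
<?php
declare(strict_types=1);
// Added example; the limit, field name and directory are assumptions.
const MAX_BYTES = 5 * 1024 * 1024;
// Allowlist: MIME type detected on the server => extension chosen by the server.
const ALLOWED = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

function store_upload(array $file, string $destDir): string
{
    // A field named "avatar[]" turns every entry into an array; accept only the scalar shape.
    if (!isset($file['error'], $file['tmp_name']) || !is_int($file['error']) || !is_string($file['tmp_name'])) {
        throw new RuntimeException('Malformed upload field.');
    }
    // Translate each $_FILES error code into an explicit outcome.
    $problem = match ($file['error']) {
        UPLOAD_ERR_OK => null,
        UPLOAD_ERR_INI_SIZE, UPLOAD_ERR_FORM_SIZE => 'The file is too large.',
        UPLOAD_ERR_PARTIAL => 'The file was only partially uploaded.',
        UPLOAD_ERR_NO_FILE => 'No file was selected.',
        UPLOAD_ERR_NO_TMP_DIR, UPLOAD_ERR_CANT_WRITE => 'The server could not store the file.',
        default => 'Unknown upload error.',
    };
    if ($problem !== null) {
        throw new RuntimeException($problem);
    }
    // Confirm the path is a real HTTP upload and enforce the size limit on the file itself.
    if (!is_uploaded_file($file['tmp_name']) || filesize($file['tmp_name']) > MAX_BYTES) {
        throw new RuntimeException('Rejected: not an uploaded file, or over the size limit.');
    }
    // Detect the type from the file contents; the client-sent "type" and "name" are never used.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!is_string($mime) || !isset(ALLOWED[$mime])) {
        throw new RuntimeException('This file type is not allowed.');
    }
    // Random name plus an extension taken from the allowlist, never from the client.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    if (!move_uploaded_file($file['tmp_name'], rtrim($destDir, '/') . '/' . $name)) {
        throw new RuntimeException('Failed to move the file.');
    }
    return $name;
}

// Usage inside a POST handler. The directory is a hypothetical path outside the document root.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    try {
        echo store_upload($_FILES['avatar'] ?? [], '/var/www/uploads') . ' has been saved.';
    } catch (RuntimeException $e) {
        echo $e->getMessage();
    }
}
```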
