April 29, 2025 - 23:23
File Upload and Security Measures with PHP

File upload functionality is a common feature in web applications that allows users to upload documents, images, or other media files. However, security precautions must be taken. Malicious users may upload harmful files that can compromise the system.

In this article, I will explain secure file upload methods with PHP step by step.


1. Basic File Upload Process with PHP

In PHP, the $_FILES superglobal is used for file upload operations.

1️⃣ HTML Form for File Upload

HTML
<form action='upload.php' method='post' enctype='multipart/form-data'>
    <input type='file' name='dosya'>
    <input type='submit' value='Upload'>
</form>
  • 📌 Important: If enctype='multipart/form-data' is not added, the file upload will not work.
You can also add an accept attribute to restrict file types and prevent incorrect files from being selected. Note that accept only filters the browser's file picker; it is not a security control, so the server must still validate every upload:
<input type='file' accept='.pdf'> <!-- Only .pdf files can be selected. -->
<input type='file' accept='.jpg, .jpeg, .png, .gif'> <!-- The user can only select .jpg, .jpeg, .png, or .gif files. -->
<input type='file' accept='image/*'> <!-- All image files (.jpg, .png, .gif, .svg, etc.) are accepted. -->
<input type='file' accept='audio/*'> <!-- Accepts all audio files such as .mp3, .wav, .ogg. -->
<input type='file' accept='.pdf, .doc, .docx, .xls, .xlsx, .ppt, .pptx'> <!-- Only specific document types can be selected. -->

2️⃣ Receiving and Saving the File in PHP

PHP
// Minimal upload handler: no validation yet, shown here only as the starting point
if ($_FILES['dosya']['error'] == 0) {
    $hedef_klasor = 'uploads/';
    // The stored name is taken directly from the client-supplied file name
    $hedef_dosya = $hedef_klasor . basename($_FILES['dosya']['name']);
    
    if (move_uploaded_file($_FILES['dosya']['tmp_name'], $hedef_dosya)) {
        echo 'File uploaded successfully: ' . $hedef_dosya;
    } else {
        echo 'Error uploading file.';
    }
}

This code moves the file to the uploads/ folder. However, security measures are needed to prevent the upload of malicious files.


2. Security Measures for File Upload in PHP

Important security measures to consider during file upload:

1️⃣ File Type Control (MIME Type Control)

You can increase security by allowing only specific file types:
PHP
$allowed_types = array('image/jpeg', 'image/png', 'image/gif');
$file_type = mime_content_type($_FILES['dosya']['tmp_name']);

if (!in_array($file_type, $allowed_types)) {
    die('This file type is not allowed!');
}
  • Only image file types are accepted.

2️⃣ Making the File Name Secure

You can prevent malicious file execution by assigning random names to uploaded files:
PHP
$file_extension = pathinfo($_FILES['dosya']['name'], PATHINFO_EXTENSION);
$new_file_name = uniqid() . '.' . $file_extension;
$target_file = 'uploads/' . $new_file_name;
  • The stored name is generated by the server, so the client-supplied file name is never used as a path on disk.

3️⃣ Limiting the File Size

To prevent large files from being uploaded, you can limit the file size:
PHP
$max_size = 2 * 1024 * 1024; // 2MB
if ($_FILES['dosya']['size'] > $max_size) {
    die('File size is too large!');
}
  • This prevents files larger than 2MB from being uploaded.

4️⃣ Allow Uploads Only to a Specific Folder

To ensure that the file being processed is really one that was uploaded through the form in this request:
PHP
if (!is_uploaded_file($_FILES['dosya']['tmp_name'])) {
    die('Invalid file upload!');
}
  • This checks if the file was uploaded directly by the client.

5️⃣ Security Measures with PHP Configuration

By adjusting the settings in the php.ini file, you can increase security:
INI
file_uploads = On
upload_max_filesize = 2M
post_max_size = 3M
  • These settings cap the upload size at the PHP level; post_max_size must be larger than upload_max_filesize because it covers the whole POST body, not just the file.

3. Example Project: Image Upload and Display

Now, let's create an image upload and display script that incorporates all the security measures.

1️⃣ HTML Form

HTML
<form action='upload.php' method='post' enctype='multipart/form-data'>
    <input type='file' name='dosya'>
    <input type='submit' value='Upload'>
</form>

2️⃣ Secure PHP Upload Script

PHP
if ($_FILES['dosya']['error'] === UPLOAD_ERR_OK) {
    // 1. MIME type check on the file's actual content
    $allowed_types = array('image/jpeg', 'image/png', 'image/gif');
    $file_type = mime_content_type($_FILES['dosya']['tmp_name']);
    
    if (!in_array($file_type, $allowed_types, true)) {
        die('This file type is not allowed!');
    }
    
    // 2. Server-generated file name
    $file_extension = pathinfo($_FILES['dosya']['name'], PATHINFO_EXTENSION);
    $new_file_name = uniqid() . '.' . $file_extension;
    $target_file = 'uploads/' . $new_file_name;
    
    // 3. Move the file and display it; the path is HTML-escaped before output
    if (move_uploaded_file($_FILES['dosya']['tmp_name'], $target_file)) {
        echo 'File uploaded successfully: <img src="' . htmlspecialchars($target_file) . '" width="200">';
    } else {
        echo 'Error uploading file.';
    }
}
  • This script performs a secure upload and displays the uploaded image.
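The script above still takes the file extension from the client-supplied name, so a file whose content passes the MIME check is stored with whatever extension the client chose; uniqid() is also time-based rather than random. The following is an added example, not code from the article, that combines the checks from sections 2.1 to 2.4 into one hardened handler: the extension is derived from a whitelist keyed by the detected MIME type, getimagesize() must agree with finfo, the name comes from random_bytes(), and the output is HTML-escaped. The directory name uploads/, the field name dosya and the 2 MB limit are taken from the article; the function and constant names are this example's own.

```php
<?php
// Added example (not the article's own code): hardened image upload handler.
declare(strict_types=1);

const UPLOAD_DIR = __DIR__ . '/uploads/';   // assumption: same folder as the article
const MAX_SIZE   = 2 * 1024 * 1024;        // 2 MB, as in the article

/**
 * Validate one entry of $_FILES and store it under a server-generated name.
 * Returns the stored file name; throws RuntimeException with a user-safe message.
 */
function store_uploaded_image(array $file): string
{
    // Extension is chosen from the detected MIME type, never from the
    // client-supplied file name, so the stored file is always .jpg/.png/.gif.
    $allowed = [
        'image/jpeg' => 'jpg',
        'image/png'  => 'png',
        'image/gif'  => 'gif',
    ];

    // 1. PHP-level status: UPLOAD_ERR_OK (0) only; also catches partial uploads
    //    and files rejected by upload_max_filesize.
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed (error code ' . (int)($file['error'] ?? -1) . ').');
    }

    // 2. The temp file must come from this request's POST (section 2.4).
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Invalid file upload.');
    }

    // 3. Size limit (section 2.3).
    if ($file['size'] > MAX_SIZE) {
        throw new RuntimeException('File size is too large.');
    }

    // 4. Content check (section 2.1): finfo sniffs the magic bytes and
    //    getimagesize() parses the image header; both must agree on a
    //    whitelisted type, so a mismatched or non-image payload is rejected.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    $info  = @getimagesize($file['tmp_name']);
    if ($mime === false || !array_key_exists($mime, $allowed)
        || $info === false || $info['mime'] !== $mime) {
        throw new RuntimeException('This file type is not allowed.');
    }

    // 5. Server-generated name (section 2.2): random, not time-based,
    //    with the extension taken from the whitelist.
    $name   = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $target = UPLOAD_DIR . $name;

    if (!is_dir(UPLOAD_DIR) && !mkdir(UPLOAD_DIR, 0755, true)) {
        throw new RuntimeException('Upload directory is not available.');
    }
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Error uploading file.');
    }
    chmod($target, 0644); // readable, never executable
    return $name;
}

if (isset($_FILES['dosya'])) {
    try {
        $name = store_uploaded_image($_FILES['dosya']);
        // Escape before echoing so nothing from the request can inject markup.
        echo 'File uploaded successfully: <img src="uploads/'
            . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '" width="200">';
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```

Save this as upload.php next to the article's form; it replaces the script above rather than extending it. Because the stored extension can only be jpg, png or gif, the web server never sees a script extension in uploads/ regardless of what the client named the file, and the 0644 mode keeps the file non-executable even if the directory is served directly.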
