FTP upload files with php

         

skoff

8:50 pm on Jun 16, 2010 (gmt 0)

10+ Year Member



Hi! My question is simple. Can someone give me the PHP script for uploading files from my computer to my FTP server? I simply want a text box with a browse button so I can search my computer for the file I want to send to my FTP server.

Thank you

Demaestro

9:45 pm on Jun 16, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Is there a reason you aren't using an FTP client?

hihidavid

11:23 am on Jun 19, 2010 (gmt 0)

10+ Year Member



I have the same question. I have a blog and most of my visitors are not good with computers/FTP; I want an easy way for them to send me a big file.

Matthew1980

9:20 pm on Jun 19, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Hi there hihidavid,

You are aware that the default file size for uploading using PHP is 2MB, I think, but you can increase it. Another alternative for larger file uploads is using zip, or using shell commands to call an external program so that you don't give the parser a hernia ;)

An FTP client would be an easier option, but I agree with the reasoning behind your reluctance to do that. Only the webmaster should have FTP access IMO.

skoff: There are lots of file uploader scripts out there, try phpclasses.org; this is one of my preferred places to go when I need something that I can cannibalise/tweak ;)

But, honestly, doing a simple uploader script - no bells, no whistles would be a good thing to learn should you want something like this in the future (not to mention your portfolio).

Hope this helps you in some way ;)

Just to hint at something here too:-

Receiving the data (php side):-

$_FILES['yourfilename']['name'];
$_FILES['yourfilename']['tmp_name'];
$_FILES['yourfilename']['size'];

This is the $_FILES multidimensional array; use this when making an uploader script. It's not a $_POST superglobal, as the form is constructed like so:-

<form action="process.php" method="post" enctype="multipart/form-data">

and the input type is declared like so (this is the one that gives you the browse button..):-

<input type="file" name="yourfilename" />

This is the difference between a normal form with just text to a form with additional data, BUT because you can still have text fields declared, you still require the method="post" defined in the form tag, therefore you still need the $_POST sanitising when processing the data.

And to make sure that you don't get anything unwanted uploaded, you can create an array of allowed extensions, then just read everything from the '.' to see what the extension is, of course, that is only checking an extension, but at least that way, you have a degree of security when getting things uploaded to your site.

$extensions = array('.gif', '.jpg', '.jpeg');

$ext = strrchr(strtolower($nameToCheck), '.'); // just in case it came as uppercase, you never know ;)

if (!in_array($ext, $extensions)) {
    echo "Filetype not valid";
}

I just thought I should mention those points.

Cheers,
MRb

dreamcatcher

7:00 am on Jun 20, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



You can also use the Curl functions to easily FTP a file to a server after uploading.

But I also have to ask why you don't use an FTP client? If you want a simple option to upload a folder to your server, try Rightload. Or for a standard FTP client, Filezilla.

> And to make sure that you don't get anything unwanted uploaded, you can create an array of allowed extensions, then just read everything from the '.' to see what the extension is, of course, that is only checking an extension, but at least that way, you have a degree of security when getting things uploaded to your site.


What if someone uploaded a file with a .php.jpg extension? For better security you should always rename uploaded files.

dc

Readie

11:31 am on Jun 20, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



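> What if someone uploaded a file with a .php.jpg extension?

// end() takes its argument by reference, so it needs a variable rather than a function result
$parts = explode(".", $file_name);
// Take only the text after the last dot, lowercased
$file_ext = strtolower(end($parts));
if (in_array($file_ext, $allowed_extensions)) {
    // Valid
} else {
    // Invalid
}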


My method :)

Matthew1980

12:41 pm on Jun 20, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Hi all,

Who is to say it is a valid extension anyway? It's the content you really need to validate. You can mask a virus but still upload it as a legal file type.

In essence you're trusting the user, and the majority of people aren't savvy enough!

Cheers
MRb

incrediBILL

1:17 pm on Jun 20, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



> But I also have to ask why you don't use an FTP client?


Don't know why the OP wants to do this but having FTP capabilities in your browser means you can administer the FTP uploads from anywhere, even without FTP installed.

Not a bad feature.

However, if you have a control panel for your server such as Plesk or cPanel they already provide this capability, no need to reinvent the wheel.

dreamcatcher

6:35 am on Jun 21, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Hi Readie,

If someone uploaded a file as '.php.jpg', your code would return valid and could still be executed as a PHP file, which is a major security issue. I wasn't referring to the fact that the validation might fail on 2 extensions, I was referring to the fact that someone could execute a PHP file that's passed a valid extension check.

Matthew1980, uploading a virus is one thing, but offering the end user an easy way to execute harmful PHP code is another. You need to tighten up and make this kind of thing as secure as possible. Don't make it easy for hackers.

dc
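
An added example, not code from any poster in this thread: a process.php for the form shown earlier that applies the two points the thread converges on, checking the file's content instead of its extension and renaming every upload. The storage directory, the size cap and the function name store_upload are assumptions made for illustration.

```php
<?php
// Added example. Assumptions (not from the thread): UPLOAD_DIR and MAX_BYTES.
const UPLOAD_DIR = '/var/uploads';      // hypothetical path; keep it outside the web root
const MAX_BYTES  = 2 * 1024 * 1024;     // assumed cap for this example

// Allow-list keyed by the detected content type; the value is the extension we assign.
const ALLOWED_TYPES = [
    'image/gif'  => 'gif',
    'image/jpeg' => 'jpg',
];

function store_upload(array $file): string
{
    // Reject failed uploads and array-style error fields from crafted requests.
    if (!isset($file['error']) || is_array($file['error'])
        || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or malformed request');
    }
    if ($file['size'] <= 0 || $file['size'] > MAX_BYTES) {
        throw new RuntimeException('File size not accepted');
    }
    // Confirm the temp file really came from this HTTP upload.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    // Detect the type from the bytes; the client-supplied name and type are untrusted.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    $ext   = ALLOWED_TYPES[(string) $mime] ?? null;
    if ($ext === null) {
        throw new RuntimeException('Filetype not valid');
    }
    // Rename: random base name plus our own extension, so a name such as
    // "x.php.jpg" never reaches the disk as the client wrote it.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $name)) {
        throw new RuntimeException('Could not store file');
    }
    return $name;
}

if (isset($_FILES['yourfilename'])) {
    try {
        echo 'Stored as ' . store_upload($_FILES['yourfilename']);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo $e->getMessage();
    }
}
```

Content sniffing confirms only that the file starts like an image, so the storage directory should also be one the web server never hands to the PHP interpreter.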