January 27, 2021

Uploading Files within a PHP Script

  • By Elizabeth Fulghum

When File Uploads Don't Work

Parse errors aside, there are a few problems that can occur when working with file uploads. If you are just learning PHP, being confronted with one of these can quickly become extremely frustrating. Fortunately, most of the potential problems are not exotic and have fairly straightforward solutions:

File does not get uploaded at all, no error returned.
Assuming that the scripting is correct, this problem most frequently pops up when uploading larger files. In addition to the size limitations that you impose on the file during server-side validation, there are also several settings in the php.ini file that control the maximum uploaded file size. These settings will override any options you have specified in the script.

If a smaller upload of a few KB succeeds while a larger one of several MB fails, it’s a good bet that this is the reason why. If you are running your own server and have access to the php.ini file, the maximum file size can be adjusted by changing the upload_max_filesize directive. Additionally, if set, the memory_limit directive may be too small as well.
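To see which limit is in play, the script can read the configured values itself. The following is an added example, not code from the original article. It assumes a current PHP version, and it also reads post_max_size, a real php.ini directive the article does not mention: when a request body exceeds it, PHP hands the script empty $_POST and $_FILES arrays, which matches the "no error returned" symptom.

```php
<?php
// Added example: report the PHP limits that can silently block an upload.
// post_max_size is not named in the article; it is a standard php.ini directive.

/** Convert php.ini shorthand such as "8M" or "1G" to bytes. */
function ini_bytes(string $value): int
{
    $value = trim($value);
    if ($value === '') return 0;
    $number = (int) $value;               // leading digits only: "8M" -> 8
    switch (strtolower(substr($value, -1))) {
        case 'g': $number *= 1024;        // deliberate fall-through
        case 'm': $number *= 1024;
        case 'k': $number *= 1024;
    }
    return $number;                       // memory_limit of -1 means "no limit"
}

/** Read the three directives that bound an upload, in bytes. */
function upload_limits(): array
{
    $limits = [];
    foreach (['upload_max_filesize', 'post_max_size', 'memory_limit'] as $name) {
        $limits[$name] = ini_bytes((string) ini_get($name));
    }
    return $limits;
}

/** True when a POST with a body reached the script with nothing parsed. */
function post_was_dropped(array $server, array $post, array $files): bool
{
    return ($server['REQUEST_METHOD'] ?? '') === 'POST'
        && (int) ($server['CONTENT_LENGTH'] ?? 0) > 0
        && $post === [] && $files === [];
}

// Constructed request: a 12 MB POST that arrived with empty $_POST and $_FILES.
$server = ['REQUEST_METHOD' => 'POST', 'CONTENT_LENGTH' => '12582912'];
foreach (upload_limits() as $name => $bytes) {
    echo "$name = $bytes bytes\n";
}
echo post_was_dropped($server, [], []) ? "body dropped, likely over post_max_size\n" : "body parsed\n";
```

In a real handler, pass $_SERVER, $_POST and $_FILES to post_was_dropped() before any other validation.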

File does not get copied to the final destination, permission denied error.
This happens on *nix based servers when the script does not have access to write to the specified directory. Permissions on *nix servers affect who can read and write to directories and files and are divided into three groups: owner, group, other. Permissions can be set from most FTP programs or from a command line connection to the server. For directories where files are being written, permissions should be set to 666 or 777.

File does not get uploaded, or cannot be copied; errors including: "open_basedir restriction in effect", "Safe Mode Restriction in effect.", or "function has been disabled for security reasons"
This type of error is common in scripts running on shared web hosting providers and indicates that PHP is running in Safe Mode. Safe Mode allows the administrator to control which users are allowed to run which functions and also entirely disable functions for security purposes. Without access to the php.ini, safe mode can only be disabled by the server administrator. From the php.ini, it can be disabled via the safe_mode directive.

Other Notes on File Uploads

Because of changes in PHP over the last several major releases and differences in configuration settings, some aspects of working with file uploads are changeable. Here are a few things to keep in mind:

In PHP 4.2.0 a new element was introduced as part of the $HTTP_POST_FILES array which includes the specific error message returned should a file upload fail. Accessible as $HTTP_POST_FILES['file']['error'] it returns the following:

0: No error, the file was uploaded successfully
1: The upload is larger than the amount allowable by the upload_max_filesize directive in the php.ini
2: The upload is larger than the MAX_FILE_SIZE directive that was specified via HTML
3: The file was only partially uploaded
4: No file was uploaded

These messages can be particularly useful for error checking and to determine the success or failure of an upload, but because only the newest versions of PHP support them, it is not advisable to rely on their existence if you are programming scripts for distribution.

The exact variable names that are used to reference uploaded files depend on the version and configuration of PHP running. The $HTTP_POST_FILES array has been available since version 4.0, but is being replaced in the latest versions of PHP by the new, shorter $_FILES array. In configurations where register_globals is on, the $HTTP_POST_FILES array may not be available - file uploads can still be accessed as:


$file the temporary name assigned to the file when it's uploaded.
$file_name the original name of the file from the user's computer.
$file_type the MIME type of the file, as provided by the user's browser.
$file_size the size of the file, in bytes.

is_uploaded_file() is not available in all versions of PHP. If you are unfortunate enough to be using one of the particular versions of PHP that does not support this function, you can still check whether a file has been uploaded by seeing if the temp name of the file is equal to "none" or empty:

// Compare with ==; a single = would assign "" to tmp_name instead of testing it
if ($HTTP_POST_FILES['file']['tmp_name'] == "none" OR $HTTP_POST_FILES['file']['tmp_name'] == "") {
  // no file uploaded
}

In addition to handling file size validation from the server side, you may also specify maximum file size using a hidden field within the form:

<input type="hidden" name="MAX_FILE_SIZE" value="1000">

This should appear before the file upload field that it affects. Keep in mind that this attribute is only a suggestion to the browser and not 100% reliable. Though useful as a first line of defense against large uploads, this should not replace server side validation.


In this article, you have gotten a taste of how to work with file uploads. In future articles, we will be returning to the topic through real-world examples. Next time, though, we'll focus on how PHP handles error reporting, and take a look at some functions and methods that can help you debug your own scripts.

Stay Tuned!

Things to Remember:

  • When creating forms that include a file upload field, you must include enctype="multipart/form-data" in the form tag to tell the browser to expect an upload and set the form's method to POST.
  • In most configurations, the uploaded file will be available in a $HTTP_POST_VARS array with the same name as the file upload field.
  • When you accept file uploads, you generally want to check 3 things on any potential incoming files:
    1. whether or not a file was uploaded
    2. the size of the uploaded file
    3. the file type of the uploaded file
  • The temporary file should be discarded using the unlink() function after the file has been copied to its final location or if the file fails one of the checks.
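The error codes listed earlier and the three checks above can be combined into one server-side function. This is an added example, not code from the original article. It assumes a current PHP version with the fileinfo extension and the $_FILES array; the function name, size cap and allowed types are illustrative. The type check reads the file's content with finfo rather than trusting the browser-supplied type.

```php
<?php
// Added example: server-side checks for one entry of $_FILES.
// check_upload(), the size cap and the allowed types are assumptions.
const UPLOAD_MESSAGES = [
    UPLOAD_ERR_INI_SIZE  => 'larger than upload_max_filesize in php.ini',
    UPLOAD_ERR_FORM_SIZE => 'larger than MAX_FILE_SIZE from the form',
    UPLOAD_ERR_PARTIAL   => 'only partially uploaded',
    UPLOAD_ERR_NO_FILE   => 'no file was uploaded',
];

/** Returns [true, detected MIME type] or [false, reason]. */
function check_upload(array $file, int $maxBytes, array $allowedTypes): array
{
    $error = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    if (!is_int($error)) {               // an array here means the field was sent as file[]
        return [false, 'unexpected upload structure'];
    }
    if ($error !== UPLOAD_ERR_OK) {
        return [false, UPLOAD_MESSAGES[$error] ?? "upload error code $error"];
    }
    // 1. Was this file really received through the current HTTP POST?
    if (!is_uploaded_file($file['tmp_name'] ?? '')) {
        return [false, 'tmp_name is not an uploaded file'];
    }
    // 2. Size: measure the file on disk, not the value the client reported.
    $size = filesize($file['tmp_name']);
    if ($size === false || $size === 0 || $size > $maxBytes) {
        return [false, 'file is empty or exceeds the limit'];
    }
    // 3. Type: inspect the content; $file['type'] comes from the browser.
    $type = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($type, $allowedTypes, true)) {
        return [false, "type $type is not allowed"];
    }
    return [true, $type];
}

// Constructed $_FILES entries, shaped as PHP builds them for a field named "file".
$samples = [
    ['name' => 'big.jpg', 'type' => 'image/jpeg', 'tmp_name' => '', 'error' => 1, 'size' => 0],
    ['name' => 'x.jpg', 'type' => 'image/jpeg', 'tmp_name' => __FILE__, 'error' => 0, 'size' => 9],
];
foreach ($samples as $sample) {
    [$ok, $detail] = check_upload($sample, 1000000, ['image/jpeg', 'image/png']);
    echo $sample['name'], ': ', $ok ? "accepted ($detail)" : "rejected ($detail)", "\n";
}
```

The second constructed entry points tmp_name at a file that exists on disk but did not arrive through an upload, so it is rejected at the is_uploaded_file() step.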

Liz Fulghum currently lives in Annapolis, MD where she works as a web designer for a custom shirt retailer. Liz was convinced to try PHP as an alternative to Perl; she has been a fan ever since and frequently works as a freelance developer.


This article was originally published on September 3, 2002
