PHP: move_uploaded_file

User Contributed Notes
move_uploaded_file

Darrell
18-May-2005 04:51


move_uploaded_file apparently uses the root of the Apache installation (e.g. "Apache Group\Apache2" under Windows) as the upload location if relative pathnames are used.



For example, 

$ftmp = $_FILES['userfile']['tmp_name'];

$fname = $_FILES['userfile']['name'];

move_uploaded_file($ftmp, $fname);

                           

moves the file to 

"Apache Group\Apache2\$fname";



In contrast, other file/directory related functions use the current directory of the php script as the offset for relative pathnames.  So, for example, if the command



mkdir('tmp');



is called from 'Apache Group\Apache2\htdocs\testpages\upload.php', the result is to create

'Apache Group\Apache2\htdocs\testpages\tmp'



On the other hand, if 'mkdir' is called just before 'move_uploaded_file', the behavior changes.  The commands, 



mkdir('tmp');

move_uploaded_file($ftmp, $fname);



used together result in 



"Apache Group\Apache2\htdocs\testpages\tmp\$fname"



being created.  Wonder if this is a bug or a feature.



Darrell

andrew@euperia,com
04-Apr-2005 04:29


Instead of using chdir or chmod 0777 a safer alternative to move_uploaded_files is to use PHP's ftp functions to move the file into a web dir.



1. Make ftp connection to 127.0.0.1 with the correct username and password.

2. ftp_chdir to the required directory.

3. ftp_put ($_FILES['myfile']['tmp_name'], $finalfilename);

4. ftp quit.

michael(at)webstaa(dot)com
14-Mar-2005 07:14


I was having trouble with the following error:



    Warning: move_uploaded_file():

    SAFE MODE Restriction in effect.



I had created the upload directory from PHP and tried various file modes to no avail but when I created the upload directory and set the file mode in my FTP app it works fine.



Just thought I'd post it here incase anyone else is getting frustrated :)



Regards



Mike

richardNO at SPAMbesite dot nl
11-Mar-2005 06:32


Creating the dir with mkdir from php is a security risk too. Everyone who can run a php script on the server can write a script to mess with the dir.

user at php dot net
01-Mar-2005 04:54


Giving the directory 777 permission is not a good idea for security reasons, it would be better to create the directory using "mkdir()".



That will make php user (usually "nobody") the owner of the directory, and permissions will not be a problem.

subway
17-Feb-2005 04:18


Don't forget to set chmod to 777 for the directory to which you want to move the file. 

Otherwise you will maybe get "failed to open stream: Permission denied in ..."!

Michel S
16-Feb-2005 11:41


I once had a problem with this function. File was uploaded correctly, but I still had to chmod the file afterwards. It could not be used otherwise.



Michel S

allan666 at NOSPAM dot gmail dot com
17-Dec-2004 12:35


On the Fedora Core 3 Linux distribution, you may get a "failed to open stream: Permission denied in ..." message. I fact changing the permission of the directory will not work (even if you set to 0777). It is because of the new SELinux kernel that allow apache user to write only in /tmp dir (I think). In order to solve the problem you must to disable the SELinux (at least for apache service) to allow the server to write in other directories. To do that, run the system-config-securitylevel app and disable the SE to apache service. Reboot your system and continue your work. Hope it helps!

php at f00n dot com
04-Jul-2004 03:17


If you are building an intranet framework and use NAT/Routing heed the following advice.



If you want to move uploaded files to an FTP server you cannot use the ftp wrapper (ie. 'ftp://user:pass@ftpserver/') as part of your move_uploaded_file() action.  This is due to the wrapper only using passive mode with ftp.



The only workaround is using the ftp functions (may not be compiled by default with *nix but is by default with windows).

froid_nordik at sympatico dot ca
04-Jun-2004 11:26


Make sure the directory you are moving the file to exists before using this command.

sauron at nospam on morannon dot org
08-Mar-2004 07:20


An extension only does not really tell you what type of file it really is. I can easily rename a .jpg file to a .zip file and make the server think it is a ZIP file with webmaster kobrasrealm's code.



A better way is to use the Linux utility "file" to determine the file type. Although I'm aware that some users might use Windows on their webservers, I thought it's worth  mentioning the utility here. Using the backtick operators and preg_matches on the output, you can easily determine the file type safely, and fix the extension when necessary.

mail at johan dot it
28-Feb-2004 04:14


Warning: If you save a md5_file hash in a database to keep record of uploaded files, which is usefull to prevent users from uploading the same file twice, be aware that after using move_uploaded_file the md5_file hash changes! And you are unable to find the corresponding hash and delete it in the database, when a file is deleted.

mina86 at tlen dot pl
07-Dec-2003 05:03


Hey! Why not using strrchr() to get file  extension:

<?php $ext = strrchr($_FILES['file']['name'], '.'); ?>

or to get it without '.' at the begining:

<?php $ext = substr(strrchr($_FILES['file']['name'], '.'), 1); ?>



If you want to update file without any strang characters you can use:

<?php

move_uploaded_file(

  $_FILES["file"]["tmp_name"], 

  $dir . preg_replace('/[^a-z0-9_\-\.]/i', '_', $_FILES["file"]["name"])

);

?>

wolke74 at web dot de
18-Nov-2003 11:02


French and English filenames --- as it is not forbidden -- often have an apostrophy, for instance "That's advertisement paper.doc" or "Les aventures d'Alice dans le pays du miracle.doc". However, uploading such files can run into trouble. 



So you can write, if the posted file had been marked by myfile .



if(!move_uploaded_file($_FILES["myfile"]["tmp_name"], 

rawurlencode($mydir.$_FILES["myfile"]["name"]))

{

     echo "Something is wrong with the file"; 

      exit; 

}

08-Nov-2003 09:54


The example to find file extension bellow is quite confusing and its using to much code for a much simpler solution. Which is in example:



$file_parts = pathinfo('dir/' . $_FILES['file']['name']);

$file_extension = strtolower($file_parts['extension']);



The 'dir/' part is only to get a valid path.

www at w8c dot com
09-Oct-2003 02:03


function upload($filedir,$source,$source_name,$up_flag,$lastname)

{

    if (!file_exists($filedir))

    {

        mkdir($filedir,0777);

    }

    @chmod($filedir,0777);

    if (!$lastname)

    {

        $lastname=$source_name;

    }

    if (file_exists("$filedir/$lastname"))

    {

        if ($up_flag=="y")

        {

            @unlink($filedir/$lastname);

            @move_uploaded_file($source,"$filedir/$lastname");

            echo "$source_name OK<br>";

        }

        else

        echo "$source_name ...<br>";

    }

    else

    {

        @move_uploaded_file($source,"$filedir/$lastname");

        echo "$source_name OK<br>"; 

    }

}

allen at brooker dot gb dot net
12-Feb-2003 04:48


The first comment totally threw me off. Under the 'new regime', the 'string filename' is $_FILES['userfile']['tmp_name']



Also note that the 'string destination' should be the full path and filename. As long as your server isnt using virtual hosting, you should be able to use $_SERVER['DOCUMENT_ROOT'] . "path/within/website". This'll save hours of hassle trying to get sometimes ignorant ISPs to give you your full and 'no symlinks' path.



Allen

move_uploaded_file

Description