PHP File Upload – Simple and Secure Guide with Code Example
Create an HTML Form
<form action="upload.php" method="POST" enctype="multipart/form-data">
    <label for="file">Choose a file:</label>
    <input type="file" name="file" id="file">
    <input type="submit" value="Upload File">
</form>
- enctype="multipart/form-data" is required for file uploads.
- The input element with type="file" allows users to select a file.
Handle File Upload in PHP (upload.php)
<?php
if ($_SERVER["REQUEST_METHOD"] === "POST") {
    $targetDir = "uploads/"; // Directory to store the uploaded file
    $fileName = basename($_FILES["file"]["name"]);
    $targetFilePath = $targetDir . $fileName;
    $fileType = strtolower(pathinfo($targetFilePath, PATHINFO_EXTENSION));
    // Allowed file types
    $allowedTypes = array("jpg", "png", "jpeg", "gif", "pdf");
    // Validate file type
    if (in_array($fileType, $allowedTypes)) {
        // Check for file upload errors
        if ($_FILES["file"]["error"] === UPLOAD_ERR_OK) {
            // Move the file to the target directory
            if (move_uploaded_file($_FILES["file"]["tmp_name"], $targetFilePath)) {
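                // Escape the client-supplied name before printing it into the page
                echo "File uploaded successfully: " . htmlspecialchars($fileName, ENT_QUOTES, "UTF-8");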
            } else {
                echo "Error uploading file.";
            }
        } else {
            echo "Error during file upload.";
        }
    } else {
        echo "Invalid file type. Only JPG, PNG, JPEG, GIF, and PDF files are allowed.";
    }
}
Create the "uploads" Directory
- In the root of your project, create a folder called uploads.
- Set the write permissions so that PHP can save the uploaded files.
File Upload Validation
- Allow only specific file types (e.g., JPG, PNG, PDF)
- Limit file size (e.g., max 2MB)
- Protect against file overwriting
Add File Size Restriction (Optional)
$maxFileSize = 2 * 1024 * 1024; // 2 MB
if ($_FILES["file"]["size"] > $maxFileSize) {
    echo "File size exceeds the 2MB limit.";
}
Complete PHP File Upload Code
<?php
if ($_SERVER["REQUEST_METHOD"] === "POST") {
    $targetDir = "uploads/";
    $fileName = basename($_FILES["file"]["name"]);
    $targetFilePath = $targetDir . $fileName;
    $fileType = strtolower(pathinfo($targetFilePath, PATHINFO_EXTENSION));
    $allowedTypes = array("jpg", "png", "jpeg", "gif", "pdf");
    $maxFileSize = 2 * 1024 * 1024; // 2 MB
    if (in_array($fileType, $allowedTypes)) {
        if ($_FILES["file"]["size"] <= $maxFileSize) {
            if ($_FILES["file"]["error"] === UPLOAD_ERR_OK) {
                if (move_uploaded_file($_FILES["file"]["tmp_name"], $targetFilePath)) {
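                    // Escape the client-supplied name before printing it into the page
                    echo "File uploaded successfully: " . htmlspecialchars($fileName, ENT_QUOTES, "UTF-8");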
                } else {
                    echo "Error uploading file.";
                }
            } else {
                echo "Error during file upload.";
            }
        } else {
            echo "File size exceeds the 2MB limit.";
        }
    } else {
        echo "Invalid file type. Only JPG, PNG, JPEG, GIF, and PDF files are allowed.";
    }
}
?>
Output Example
File uploaded successfully: example.jpg
Invalid file type
File size exceeds the limit
Best Practices for PHP File Upload
- Sanitize file names to prevent security vulnerabilities
- Restrict file types and size
- Use unique file names to avoid overwriting
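The three practices above combined in one handler, as an added example that is not part of the original tutorial. It assumes the form field name "file" and the uploads directory used on this page, and that PHP's fileinfo extension is enabled; store_upload() is a hypothetical helper name.

```php
<?php
declare(strict_types=1);

const MAX_BYTES = 2 * 1024 * 1024; // 2 MB, the limit used on this page
// Detected content type => extension we assign (the client's extension is ignored).
const ALLOWED_MIME = [
    'image/jpeg'      => 'jpg',
    'image/png'       => 'png',
    'image/gif'       => 'gif',
    'application/pdf' => 'pdf',
];

// store_upload() is a hypothetical helper for this example, not a PHP built-in.
function store_upload(array $file, string $targetDir): string
{
    // 1. Error status first: on failure the other fields are not meaningful.
    if (!isset($file['error']) || is_array($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Error during file upload.');
    }
    // 2. Size as measured by PHP on the temporary file.
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File size exceeds the 2MB limit.');
    }
    // 3. Type from the file's content, not from its name or the client's Content-Type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime === false || !array_key_exists($mime, ALLOWED_MIME)) {
        throw new RuntimeException('Invalid file type.');
    }
    // 4. Server-generated unique name: nothing from the client reaches the path,
    //    so an existing file is never overwritten and a name like "x.php.jpg" is never stored.
    $storedName = bin2hex(random_bytes(16)) . '.' . ALLOWED_MIME[$mime];
    // 5. move_uploaded_file() only moves files that arrived via HTTP POST upload.
    if (!move_uploaded_file($file['tmp_name'], rtrim($targetDir, '/') . '/' . $storedName)) {
        throw new RuntimeException('Error uploading file.');
    }
    return $storedName;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    try {
        $stored = store_upload($_FILES['file'] ?? [], __DIR__ . '/uploads');
        // Escape the client-supplied name before echoing it into HTML.
        $shown = htmlspecialchars(basename($_FILES['file']['name']), ENT_QUOTES, 'UTF-8');
        echo "File uploaded successfully: $shown (stored as $stored)";
    } catch (RuntimeException $e) {
        echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```

Keeping the uploads directory outside the web root, or configuring the web server not to execute scripts from it, is a separate server-side step that this code does not perform.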
