PHP 8.4.1 Released!

    move_uploaded_file

    (PHP 4 >= 4.0.3, PHP 5, PHP 7, PHP 8)

    move_uploaded_fileVerschiebt eine hochgeladene Datei an einen neuen Ort

    Beschreibung

    move_uploaded_file(string $from, string $to): bool

    Diese Funktion prüft, dass die mit from bezeichnete Datei eine gültige Upload-Datei ist (d. h., dass sie mittels PHPs HTTP POST Upload-Mechanismus hochgeladen wurde). Ist die Datei gültig, wird sie zum in to bezeichneten Dateinamen verschoben.

    Diese Art der Prüfung ist besonders wichtig, wo irgendeine Aktion mit hochgeladenen Dateien deren Inhalt dem User zugänglich machen könnte, oder gar anderen Usern auf dem selben System.

    Parameter-Liste

    from

    Der Dateiname der hochgeladenen Datei.

    to

    Das Ziel der zu verschiebenden Datei.

    Rückgabewerte

    Gibt bei Erfolg true zurück.

    Ist from keine gültige Datei, wird keine Aktion ausgeführt, und move_uploaded_file() gibt false zurück.

    Ist from eine gültige Datei, jedoch aus irgendeinem Grund nicht verschoben werden kann, wird keine Aktion ausgeführt, und move_uploaded_file() gibt false zurück. Zusätzlich wird eine Warnung ausgegeben.

    Beispiele

    Beispiel #1 Hochladen mehrerer Dateien

    <?php
    $uploads_dir     = '/uploads';
    foreach (    $_FILES["pictures"]["error"] as $key => $error) {
    if (    $error == UPLOAD_ERR_OK) {
    $tmp_name = $_FILES["pictures"]["tmp_name"][$key];
    // basename() kann Directory-Traversal-Angriffe verhindern;
    // weitere Validierung/Bereinigung des Dateinamens kann angebracht sein
    $name = basename($_FILES["pictures"]["name"][$key]);
    move_uploaded_file($tmp_name, "$uploads_dir/$name");
    }
    }
    ?>

    Anmerkungen

    Hinweis:

    move_uploaded_file() berücksichtigt open_basedir. Allerdings werden die Beschränkungen nur auf den to Pfad angewandt, um das Verschieben von hochgeladenen Dateien zu erlauben, bei denen sich from mit den Beschränkungen im Konflikt befinden könnte. move_uploaded_file() gewährleistet die Sicherheit dieser Operation dadurch, dass nur diejenigen Dateien verschoben werden dürfen, die mit PHP hochgeladen wurden.

    Warnung

    Existiert die Zieldatei bereits, wird sie überschrieben.

    Siehe auch

    Improve This Page

    Learn How To Improve This PageSubmit a Pull RequestReport a Bug
    add a note

    User Contributed Notes 13 notes

    up
    213
    Yousef Ismaeil Cliprz
    11 years ago
    Security tips you must know before use this function :

    First : make sure that the file is not empty.

    Second : make sure the file name in English characters, numbers and (_-.) symbols, For more protection.

    You can use below function as in example

    <?php

    /**
    * Check $_FILES[][name]
    *
    * @param (string) $filename - Uploaded file name.
    * @author Yousef Ismaeil Cliprz
    */
    function check_file_uploaded_name ($filename)
    {
    (bool) ((    preg_match("`^[-0-9A-Z_\.]+$`i",$filename)) ? true : false);
    }

    ?>

    Third : make sure that the file name not bigger than 250 characters.

    as in example :

    <?php

    /**
    * Check $_FILES[][name] length.
    *
    * @param (string) $filename - Uploaded file name.
    * @author Yousef Ismaeil Cliprz.
    */
    function check_file_uploaded_length ($filename)
    {
    return (bool) ((    mb_strlen($filename,"UTF-8") > 225) ? true : false);
    }

    ?>

    Fourth: Check File extensions and Mime Types that you want to allow in your project. You can use : pathinfo() http://php.net/pathinfo

    or you can use regular expression for check File extensions as in example

    #^(gif|jpg|jpeg|jpe|png)$#i

    or use in_array checking as

    <?php

    $ext_type     = array('gif','jpg','jpe','jpeg','png');

    ?>

    You have multi choices to checking extensions and Mime types.

    Fifth: Check file size and make sure the limit of php.ini to upload files is what you want, You can start from http://www.php.net/manual/en/ini.core.php#ini.file-uploads

    And last but not least : Check the file content if have a bad codes or something like this function http://php.net/manual/en/function.file-get-contents.php.

    You can use .htaccess to stop working some scripts as in example php file in your upload path.

    use :

    AddHandler cgi-script .php .pl .jsp .asp .sh .cgi
    Options -ExecCGI

    Do not forget this steps for your project protection.
    up
    104
    matthias dot dailey at gmail dot com
    13 years ago
    The destination directory must exist; move_uploaded_file() will not automatically create it for you.
    up
    4
    adeel dot cs at gmail dot com
    8 months ago
    Permissions issue.

    If you have set a setgid I.e g+s on the folder and wondering why the created files are owned by www-data:www-data, note that uploaded files are first saved in /tmp folder with the web user.

    The move_uploaded_file() command moves the files from /tmp to the given TO directory, including the current permissions the /temp file has.

    Hence the setgid gets ignored and doesn't inherit the parent permissions.
    up
    31
    Dan Delaney
    16 years ago
    For those using PHP on Windows and IIS, you SHOULD set the "upload_tmp_dir" value in php.ini to some directory around where your websites directory is, create that directory, and then set the same permissions on it that you have set for your websites directory. Otherwise, when you upload a file and it goes into C:\WINDOWS\Temp, then you move it to your website directory, its permissions will NOT be set correctly. This will cause you problems if you then want to manipulate that file with something like ImageMagick's convert utility.
    up
    8
    shacker at birdhouse dot org
    18 years ago
    If you're dealing with files uploaded through some external FTP source and need to move them to a final destination, searching php.net for "mv" or "move" won't get you what you want. You want the rename() function.

    http://www.php.net/manual/en/function.rename.php

    (move_uploaded_file() won't work, since the POST vars won't be present.)
    up
    6
    Zarel
    18 years ago
    nouncad at mayetlite dot com posted a function that uploaded a file, and would rename it if it already existed, to filename[n].ext

    It only worked for files with extensions exactly three letters long, so I fixed that (and made a few other improvements while I was at it).

    <?php
    // Usage: uploadfile($_FILE['file']['name'],'temp/',$_FILE['file']['tmp_name'])
    function uploadfile($origin, $dest, $tmp_name)
    {
    $origin = strtolower(basename($origin));
    $fulldest = $dest.$origin;
    $filename = $origin;
    for (    $i=1; file_exists($fulldest); $i++)
    {
    $fileext = (strpos($origin,'.')===false?'':'.'.substr(strrchr($origin, "."), 1));
    $filename = substr($origin, 0, strlen($origin)-strlen($fileext)).'['.$i.']'.$fileext;
    $fulldest = $dest.$newfilename;
    }

    if (    move_uploaded_file($tmp_name, $fulldest))
    return     $filename;
    return     false;
    }
    ?>
    up
    1
    Juliano P. Santos
    5 years ago
    For those which will use inotify-tools to start an event when move_uploaded_file put the file in a specific directory, be aware that move_uploaded_file will trigger the create event, and not the move event of inotify-tools.
    up
    3
    Florian S. in H. an der E. [.de]
    16 years ago
    move_uploaded_file (on my setup) always makes files 0600 ("rw- --- ---") and owned by the user running the webserver (owner AND group).
    Even though the directory has a sticky bit set to the group permissions!
    I couldn't find any settings to change this via php.ini or even using "umask()".

    I want my regular user on the server to be able to "tar cjf" the directory .. which would fail on files totally owned by the webserver-process-user;
    the "copy(from, to)" function obeys the sticky-bit though!
    up
    0
    chelidze dot givia at gmail dot com
    1 year ago
    When using move_uploaded_file(). If the user uploads an image with a name that already exists, move_uploaded_file() will overwrite it. It's a good practice to store images in directories that you generate upon creating ur card/user/product etc...

    <?php
    function generateDir(int $n): string {
    $characters="0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
    $dir = "";
    for(    $i = 0; $i<$n; $i++){
    $index = rand(0, strlen($characters)-1);
    $dir .= $characters[$index];
    }
    return     $dir;
    }

    $image = $_FILES["image"];
    $imagePath = 'images/'. generateDir(10) .'/'. $image["name"];

    // Make the directory first or else it will not proceed with the upload.
    mkdir($imagePath);

    // some error handling etc...

    move_uploaded_file($image["tmp_name"], $imagePath);
    ?>
    up
    0
    benbrown3882 at gmail dot com
    1 year ago
    Ensure the upload temporary directory and the destination directory have "write" permissions for Other.
    up
    0
    nlgordon at iastate dot edu
    17 years ago
    Just a helpful comment. If you have open_basedir set then you must set upload_tmp_dir to somewhere within the open_basedir. Otherwise the file upload will be denied. move_uploaded_file might be open_basedir aware, but the rest of the upload process isn't.
    up
    -1
    jest3r at mtonic dot net
    19 years ago
    It seems that move_uploaded_file use the GROUP permissions of the parent directory of the tmp file location, whereas a simple "copy" uses the group of the apache process. This could create a security nighmare if your tmp file location is owned by root:wheel
    up
    -4
    Rob Szarka
    18 years ago
    Apparently the warning above might better be written "If the destination file already exists, it will be overwritten ... regardless of the destination file's permissions."

    In other words, move_uploaded_file() executes as if it's root, not the user under which the web server is operating or the owner of the script that's executing.
    add a note
    To Top