PHP 8.3.4 Released!

move_uploaded_file

(PHP 4 >= 4.0.3, PHP 5, PHP 7, PHP 8)

move_uploaded_file将上传的文件移动到新位置

说明

move_uploaded_file(string $from, string $to): bool

本函数检查并确保由 from 指定的文件是合法的上传文件(即通过 PHP 的 HTTP POST 上传机制所上传的)。如果文件合法,则将其移动为由 to 指定的文件。

这种检查显得格外重要,如果上传的文件有可能会造成对用户或本系统的其他用户显示其内容的话。

参数

from

上传的文件的文件名。

to

移动文件到这个位置。

返回值

成功时返回 true

如果 from 不是合法的上传文件,不会出现任何操作,move_uploaded_file() 将返回 false

如果 from 是合法的上传文件,但出于某些原因无法移动,不会出现任何操作,move_uploaded_file() 将返回 false。此外还会发出一条警告。

示例

示例 #1 Uploading multiple files

<?php
$uploads_dir
= '/uploads';
foreach (
$_FILES["pictures"]["error"] as $key => $error) {
if (
$error == UPLOAD_ERR_OK) {
$tmp_name = $_FILES["pictures"]["tmp_name"][$key];
// basename() 可以防止遍历攻击文件系统;
// 进一步验证/清理文件名可能是合适的
$name = basename($_FILES["pictures"]["name"][$key]);
move_uploaded_file($tmp_name, "$uploads_dir/$name");
}
}
?>

注释

注意:

move_uploaded_file()open_basedir 是敏感的。不过,限制只针对 to 路径,因为允许移动上传的文件名 from 可能会与这些限制产生冲突。move_uploaded_file() 仅作用于通过 PHP 上传的文件以确保这个操作的安全性。

警告

如果目标文件已经存在,将会被覆盖。

参见

add a note

User Contributed Notes 20 notes

up
212
Yousef Ismaeil Cliprz
11 years ago
Security tips you must know before use this function :

First : make sure that the file is not empty.

Second : make sure the file name in English characters, numbers and (_-.) symbols, For more protection.

You can use below function as in example

<?php

/**
* Check $_FILES[][name]
*
* @param (string) $filename - Uploaded file name.
* @author Yousef Ismaeil Cliprz
*/
function check_file_uploaded_name ($filename)
{
(bool) ((
preg_match("`^[-0-9A-Z_\.]+$`i",$filename)) ? true : false);
}

?>

Third : make sure that the file name not bigger than 250 characters.

as in example :

<?php

/**
* Check $_FILES[][name] length.
*
* @param (string) $filename - Uploaded file name.
* @author Yousef Ismaeil Cliprz.
*/
function check_file_uploaded_length ($filename)
{
return (bool) ((
mb_strlen($filename,"UTF-8") > 225) ? true : false);
}

?>

Fourth: Check File extensions and Mime Types that you want to allow in your project. You can use : pathinfo() http://php.net/pathinfo

or you can use regular expression for check File extensions as in example

#^(gif|jpg|jpeg|jpe|png)$#i

or use in_array checking as

<?php

$ext_type
= array('gif','jpg','jpe','jpeg','png');

?>

You have multi choices to checking extensions and Mime types.

Fifth: Check file size and make sure the limit of php.ini to upload files is what you want, You can start from http://www.php.net/manual/en/ini.core.php#ini.file-uploads

And last but not least : Check the file content if have a bad codes or something like this function http://php.net/manual/en/function.file-get-contents.php.

You can use .htaccess to stop working some scripts as in example php file in your upload path.

use :

AddHandler cgi-script .php .pl .jsp .asp .sh .cgi
Options -ExecCGI

Do not forget this steps for your project protection.
up
102
matthias dot dailey at gmail dot com
12 years ago
The destination directory must exist; move_uploaded_file() will not automatically create it for you.
up
3
chelidze dot givia at gmail dot com
8 months ago
When using move_uploaded_file(). If the user uploads an image with a name that already exists, move_uploaded_file() will overwrite it. It's a good practice to store images in directories that you generate upon creating ur card/user/product etc...

<?php
function generateDir(int $n): string {
$characters="0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
$dir = "";
for(
$i = 0; $i<$n; $i++){
$index = rand(0, strlen($characters)-1);
$dir .= $characters[$index];
}
return
$dir;
}

$image = $_FILES["image"];
$imagePath = 'images/'. generateDir(10) .'/'. $image["name"];

// Make the directory first or else it will not proceed with the upload.
mkdir($imagePath);

// some error handling etc...

move_uploaded_file($image["tmp_name"], $imagePath);
?>
up
34
Dan Delaney
15 years ago
For those using PHP on Windows and IIS, you SHOULD set the "upload_tmp_dir" value in php.ini to some directory around where your websites directory is, create that directory, and then set the same permissions on it that you have set for your websites directory. Otherwise, when you upload a file and it goes into C:\WINDOWS\Temp, then you move it to your website directory, its permissions will NOT be set correctly. This will cause you problems if you then want to manipulate that file with something like ImageMagick's convert utility.
up
4
shacker at birdhouse dot org
17 years ago
If you're dealing with files uploaded through some external FTP source and need to move them to a final destination, searching php.net for "mv" or "move" won't get you what you want. You want the rename() function.

http://www.php.net/manual/en/function.rename.php

(move_uploaded_file() won't work, since the POST vars won't be present.)
up
6
Zarel
17 years ago
nouncad at mayetlite dot com posted a function that uploaded a file, and would rename it if it already existed, to filename[n].ext

It only worked for files with extensions exactly three letters long, so I fixed that (and made a few other improvements while I was at it).

<?php
// Usage: uploadfile($_FILE['file']['name'],'temp/',$_FILE['file']['tmp_name'])
function uploadfile($origin, $dest, $tmp_name)
{
$origin = strtolower(basename($origin));
$fulldest = $dest.$origin;
$filename = $origin;
for (
$i=1; file_exists($fulldest); $i++)
{
$fileext = (strpos($origin,'.')===false?'':'.'.substr(strrchr($origin, "."), 1));
$filename = substr($origin, 0, strlen($origin)-strlen($fileext)).'['.$i.']'.$fileext;
$fulldest = $dest.$newfilename;
}

if (
move_uploaded_file($tmp_name, $fulldest))
return
$filename;
return
false;
}
?>
up
4
Florian S. in H. an der E. [.de]
15 years ago
move_uploaded_file (on my setup) always makes files 0600 ("rw- --- ---") and owned by the user running the webserver (owner AND group).
Even though the directory has a sticky bit set to the group permissions!
I couldn't find any settings to change this via php.ini or even using "umask()".

I want my regular user on the server to be able to "tar cjf" the directory .. which would fail on files totally owned by the webserver-process-user;
the "copy(from, to)" function obeys the sticky-bit though!
up
1
Juliano P. Santos
4 years ago
For those which will use inotify-tools to start an event when move_uploaded_file put the file in a specific directory, be aware that move_uploaded_file will trigger the create event, and not the move event of inotify-tools.
up
1
adeel dot cs at gmail dot com
21 days ago
Permissions issue.

If you have set a setgid I.e g+s on the folder and wondering why the created files are owned by www-data:www-data, note that uploaded files are first saved in /tmp folder with the web user.

The move_uploaded_file() command moves the files from /tmp to the given TO directory, including the current permissions the /temp file has.

Hence the setgid gets ignored and doesn't inherit the parent permissions.
up
0
benbrown3882 at gmail dot com
9 months ago
Ensure the upload temporary directory and the destination directory have "write" permissions for Other.
up
1
nlgordon at iastate dot edu
16 years ago
Just a helpful comment. If you have open_basedir set then you must set upload_tmp_dir to somewhere within the open_basedir. Otherwise the file upload will be denied. move_uploaded_file might be open_basedir aware, but the rest of the upload process isn't.
up
-2
jest3r at mtonic dot net
18 years ago
It seems that move_uploaded_file use the GROUP permissions of the parent directory of the tmp file location, whereas a simple "copy" uses the group of the apache process. This could create a security nighmare if your tmp file location is owned by root:wheel
up
-5
Rob Szarka
17 years ago
Apparently the warning above might better be written "If the destination file already exists, it will be overwritten ... regardless of the destination file's permissions."

In other words, move_uploaded_file() executes as if it's root, not the user under which the web server is operating or the owner of the script that's executing.
up
-11
Tom
9 years ago
Nowhere does it say how to get the error/warning message when this fails.

The only way I know of doing it is something like this:

if (move_uploaded_file($_FILES["file1"]["tmp_name"], $target_file)) {
echo "<P>FILE UPLOADED TO: $target_file</P>";
} else {
echo "<P>MOVE UPLOADED FILE FAILED!</P>";
print_r(error_get_last());
}
up
-5
Mark Kazemier
15 years ago
I have the same problem as the person two comments below me. When I use the move_uploaded_file function the permissions for the file are set to 0600. No matter what configurations you set.

I searched the internet and I found more people with the same problems, but no solutions. I set the umask of apache to 013 and still the files were set to 0600.

The copy function solves the problem. Another way to solve this problem is using the chmod function after uploading.
up
-11
bogusred
16 years ago
If you have a directory in a *nix environment where you store all of your file uploads and your php script only seems to work when permissions for that directory are set to 777, here's how to fix it so that you can have the security benefits of 755 while still allowing your php scripts to work, including the move_uploaded_file().

through shell access, navigate to the directory that contains your uploads folder and run the following 2 commands:
chown -R nobody uploaddir
chmod -R 755 uploaddir

Replace 'uploaddir' with the name of your uploads directory. The first command changes the owner of the directory and files to 'nobody' which is what php operates under. The second changes the folder and files to only allow user access to writing. This is much more secure.

Hopefully this will help someone out there who had the same problem as me.
up
-5
Ray.Paseur sometimes uses Gmail
13 years ago
You can only move the uploaded file once. You can use copy() if you need the file in more than one place.
<?php // RAY_temp_upload_example.php
error_reporting(E_ALL);
echo
"<pre>" . PHP_EOL;

// IF A FILE HAS BEEN UPLOADED
if (!empty($_FILES))
{
// SHOW THE UPLOADED FILES
print_r($_FILES);

// TRY TO MOVE THE FILE TWICE - SECOND MOVE RETURNS FALSE
if (!move_uploaded_file($_FILES["userfile"]["tmp_name"], $_FILES["userfile"]["name"])) echo "CANNOT MOVE {$_FILES["userfile"]["name"]}" . PHP_EOL;
if (!
move_uploaded_file($_FILES["userfile"]["tmp_name"], $_FILES["userfile"]["name"])) echo "CANNOT MOVE {$_FILES["userfile"]["name"]}" . PHP_EOL;

// SHOW THE UPLOADED FILES AFTER THE MOVE - NO VISIBLE CHANGE
print_r($_FILES);
}

// END OF PHP, PUT UP THE HTML FORM TO GET THE FILE
?>
<!-- The data encoding type, enctype, MUST be specified as below -->
<form enctype="multipart/form-data" method="POST">
<!-- MAX_FILE_SIZE must precede the file input field -->
<input type="hidden" name="MAX_FILE_SIZE" value="300000" />
<!-- Name of input element determines name in $_FILES array -->
Send this file: <input name="userfile" type="file" />
<input type="submit" value="Send File" />
</form>
up
-9
labsy at seznam dot org
12 years ago
A note for PHP on Windows IIS platform:
PHP does obviously not like directory traversing among partitions, so if you set upload_tmp_dir to be on different partition as php-cgi.exe or php.exe is, upload_tmp_dir will NOT be accessible for file uploads! You will get ERROR 6 on any attempt to upload file, and file size will be 0.
Resolution is to have upload_tmp_dir set to a path under PHP install folder.
...and make sure this folder (and also session_save_path folder) has at least read/write permissions granted to AppPool owner (usually NETWORK SERVICE) and IIS web user (by default IUSR_).
up
-7
wilcobeekhuizen at gmail dot com
12 years ago
When uploading a file with a very long filename, for example 255 characters, move_uploaded_file fails. The longest file I've succesfully uploaded has a 247 character filename. So, although you can create a 250 character filename locally the server may not be able to move it.
up
-6
chatchaw at tot dot co dot th
14 years ago
When you use move_uploaded_file function to upload a file with utf-8 filename to linux system, you probably check your result by browsing to see the file in the target directory so please make sure that your terminal emulator or your samba configuration is set the character encoding to utf-8 otherwise your file will be shown as ?????? (unreadable character).
To Top