Can I let people upload files via a script on my website?

The most reliable way to upload files to your website is using FTP. If you don't want to let someone know your main FTP password, you can create additional FTP accounts and restrict them to a certain directory (folder).

However, there are times when you might want to use a Web page to upload files. For instance, you may want to make it as easy as possible for an important client to upload a file, so you probably wouldn't want to make them install an FTP program.

The following sections cover creating and using upload scripts and the security issues involved:

Risks of using an upload script and how you can protect your website

Using an upload script creates a security risk, so you need to protect your website. If your upload page is visible to the public, a "hacker" could easily use it to upload their own malicious scripts and take over your site. You must always password-protect the folder that the script is in.

You should make sure that your script doesn't allow people to upload new scripts (such as files with names ending in ".php"). It's wise to either disable scripts in the upload directory, or make sure the script uploads to a directory inside your home directory that isn't part of your public website, so people can't run any scripts they upload.
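As an added illustration (this is not code from this page or from any of the tutorials it mentions), here is one way a PHP upload handler can apply the precautions above: accept only an allowlist of extensions, enforce a size limit, and save under a random name in a folder visitors can't reach. The form field name "upload", the folder path, the 20 MB limit and the list of extensions are all assumptions made for the example.

```php
<?php
// Added example. Assumptions: the form field is named "upload", and UPLOAD_DIR
// is a hypothetical folder in your home directory that is NOT served as part
// of your website, so nothing saved there can be run from a browser.
const UPLOAD_DIR = '/home/example/private_uploads';      // hypothetical path
const MAX_BYTES  = 20 * 1024 * 1024;                     // keep at or below upload_max_filesize
const ALLOWED    = ['pdf', 'jpg', 'jpeg', 'png', 'zip']; // allowlist; everything else is refused

// Returns an error message, or null when the upload is acceptable.
function check_upload(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return 'Upload failed (PHP error code ' . (int) ($file['error'] ?? -1) . ').';
    }
    if ($file['size'] <= 0 || $file['size'] > MAX_BYTES) {
        return 'File is empty or larger than the allowed size.';
    }
    // Only the text after the LAST dot counts, so "notes.txt.php" is seen as "php".
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED, true)) {
        return 'That file type is not allowed.';
    }
    // Confirm PHP really received this file through an HTTP upload.
    if (!is_uploaded_file($file['tmp_name'])) {
        return 'Not a valid uploaded file.';
    }
    return null;
}

// Saves the file and returns the name it was stored under.
function store_upload(array $file): string
{
    // Never reuse the visitor's filename: a random name plus the vetted
    // extension rules out "../" tricks and names like "photo.php.jpg".
    $ext  = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $name)) {
        throw new RuntimeException('Could not save the uploaded file.');
    }
    return $name;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && isset($_FILES['upload'])) {
    $error = check_upload($_FILES['upload']);
    if ($error !== null) {
        http_response_code(400);
        echo htmlspecialchars($error);
    } else {
        echo 'Saved as ' . htmlspecialchars(store_upload($_FILES['upload']));
    }
}
```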

File size limits

PHP has a setting called upload_max_filesize that limits the size of a file upload. You can see the exact value for your version of PHP in phpinfo(), but it’s usually something like 100 MB.

We’re sometimes asked how to increase that limit. It’s possible to do that by adding two lines to your site’s php.ini, like this:

upload_max_filesize = 200M
post_max_size = 200M

However, we don’t recommend or support this. PHP uses substantial memory to process uploaded files, which is why the limit exists in the first place: the limit ensures your script won’t simply crash when it runs out of memory. If you increase it and your script fails to work properly, all you can do is decrease it again. If you really need to support PHP file uploads larger than 100 MB, you’d probably need to switch to a different company that offers a virtual or dedicated server where you can assign more memory to PHP. (We don’t offer those, unfortunately.)

We should also mention that in general, file uploads larger than 100 MB don’t work well in web browsers, which is why you rarely see this functionality. Methods like FTP are usually better for transferring files of that size.

If you use WordPress and you’re uploading large video files using FTP, you can add them to your pages or posts by clicking the Add Media button in WordPress, then choosing Insert from URL and using the URL of the uploaded file.

Writing your own upload script

A Google search will show a number of good tutorials that explain how to write your own script. For example:

  • This PHP tutorial explains how to create an upload script and add basic features such as file size and file extension limits.
  • This Perl tutorial explains how to upload a photo, but could easily be modified.