Can I let people upload files via a script on my Web site?
The most reliable way to upload files to your Web site is using FTP. If you don't want to let someone know your main FTP password, you can create additional FTP accounts and restrict them to a certain directory (folder).
However, there are times when you might want to use a Web page to upload files. For instance, you may want to make it as easy as possible for an important client to upload a file, so you probably wouldn't want to make them install an FTP program.
The following sections cover creating and using upload scripts and the security issues involved:
- Risks of using an upload script and how you can protect your Web site
- Writing your own upload script
- Using scripts written by other people
Risks of using an upload script and how you can protect your Web site
Using an upload script creates a security risk, so you need to protect your Web site. If your upload page is visible to the public, a "hacker" could easily use it to upload their own malicious scripts and take over your site. You must always password protect the folder that the script is in.
You should make sure that your script doesn't allow people to upload new scripts (for example, filenames ending in ".php"). It's wise to either disable script execution in the upload directory, or have the script save uploads to a directory inside your home directory that the Web server doesn't serve, so people can't run any scripts they upload.
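As an added example (not from this page or from the tutorials it links to), here is a small PHP upload handler that applies the checks described above: a size limit, an extension allowlist, a check of the actual file content, a random filename, and storage in a directory outside the Web root. The form field name `upload`, the `$uploadDir` path and the lists of allowed types are assumptions.

```php
<?php
// Assumed: the HTML form posts the file in a field named "upload", and
// $uploadDir is a directory inside your home directory that the Web
// server does not serve, so nothing stored there can ever be executed.
$uploadDir    = '/home/example/uploads';                 // assumed path, outside the Web root
$maxBytes     = 5 * 1024 * 1024;                         // 5 MB limit
$allowedExts  = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt'];   // allowlist, never a denylist
$allowedMimes = ['image/jpeg', 'image/png', 'image/gif', 'application/pdf', 'text/plain'];

function rejectUpload(string $reason): void {
    http_response_code(400);
    exit('Upload rejected: ' . htmlspecialchars($reason));
}

if (!isset($_FILES['upload']) || $_FILES['upload']['error'] !== UPLOAD_ERR_OK) {
    rejectUpload('no file received');
}
$file = $_FILES['upload'];

// 1. Size limit (also set upload_max_filesize / post_max_size in php.ini).
if ($file['size'] > $maxBytes) {
    rejectUpload('file too large');
}

// 2. Only accept extensions on the allowlist; anything else (including
//    ".php" and other script types) is refused outright.
$ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
if (!in_array($ext, $allowedExts, true)) {
    rejectUpload('file type not allowed');
}

// 3. Check the real content type; $file['type'] is supplied by the
//    browser and cannot be trusted.
$finfo = new finfo(FILEINFO_MIME_TYPE);
$mime  = $finfo->file($file['tmp_name']);
if (!in_array($mime, $allowedMimes, true)) {
    rejectUpload('file content does not match an allowed type');
}

// 4. Never reuse the client's filename: a random name with the validated
//    extension means nothing from the original name (extra extensions,
//    path characters) reaches the disk, and files cannot overwrite each other.
$newName = bin2hex(random_bytes(16)) . '.' . $ext;
if (!move_uploaded_file($file['tmp_name'], $uploadDir . '/' . $newName)) {
    rejectUpload('could not store file');
}
echo 'Stored as ' . htmlspecialchars($newName);
```

The folder holding this script should still be password protected as described above; these checks limit what an authorised user can upload, they are not a substitute for access control.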
Writing your own upload script
A Google search will show a number of good tutorials that explain how to write your own script. For example:
- This PHP tutorial explains how to create an upload script and add basic features such as file size and file extension limits.
- This Perl tutorial explains how to upload a photo, but could easily be modified.
Using scripts written by other people
Instead of writing your own, you might prefer to use a script that someone has already created. There are many of these available on the Web. For example, here's a script we've tested and found to work. That script allows you to upload multiple files, and uses AJAX to display a progress bar if the user has JavaScript enabled.
