Can I let people upload files via a script on my website?

The most reliable way to upload files to your website is FTP (or SFTP where it's available, which does the same job but encrypts the login instead of sending the password in the clear). If you don't want to share your main FTP password, you can create additional FTP accounts and restrict each one to a particular directory (folder).

However, there are times when you might want to use a Web page to upload files. For instance, you may want to make it as easy as possible for an important client to upload a file, so you probably wouldn't want to make them install an FTP program.

The following sections cover creating and using upload scripts and the security issues involved:

Risks of using a file upload script and how you can protect your website

Using a file upload script creates a security risk, so you need to protect your website. If your upload page is reachable by the public, an attacker could use it to upload their own malicious files (for example a PHP "web shell") and take over your site. You must always password protect the folder that the script is in, for example with HTTP authentication, so that only the people you intend can reach the form at all.

No matter what, make sure your script doesn't allow people to upload new scripts. Rejecting filenames ending in ".php" is not enough on its own: use an allowlist of the few extensions you actually need (say .pdf, .png and .jpg), judge the file by its last extension after stripping any directory part from the client-supplied name, and ignore the MIME type the browser claims, because the name, the extension and the claimed type are all under the uploader's control. Then either disable script execution in the upload directory, or, better, have the script store files in a directory outside your web-accessible document root (for example a folder in your home directory that is not under the site's public folder), so nothing that gets uploaded can be run by requesting it in a browser. If uploads do have to live under the document root, also refuse names such as .htaccess, which could re-enable script handling for that directory.
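The following is an added example of the checks above, not code from the original page: a minimal PHP upload handler that validates the file PHP received, allowlists extensions, checks the real content type, and stores the file under a freshly generated name. It assumes a form field named "userfile", a storage directory of /home/example/uploads that is not under the document root, and a 10 MB limit; all three are assumptions for illustration.

```php
<?php
// Added example (not the page's own code): a minimal hardened upload handler.
// Assumptions (not from the page): the form field is named "userfile", files are
// stored in /home/example/uploads (outside the web-accessible document root),
// and the page itself sits in an HTTP-authenticated folder.
declare(strict_types=1);

const UPLOAD_DIR = '/home/example/uploads';   // assumed path, NOT under the docroot
const MAX_BYTES  = 10 * 1024 * 1024;          // assumed 10 MB application limit
// Allowlist: last extension => MIME type the file's *contents* must report.
const ALLOWED = [
    'pdf' => 'application/pdf',
    'png' => 'image/png',
    'jpg' => 'image/jpeg',
];

/**
 * Validate one $_FILES entry and return the path it was stored at.
 * Throws RuntimeException with a short reason on any rejection.
 */
function store_upload(array $file, string $dir = UPLOAD_DIR): string
{
    // 1. PHP-level result first (size limits, partial transfer, no file at all).
    $code = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($code !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with PHP error code ' . $code);
    }
    // 2. Only accept a file PHP itself received via HTTP POST, never an arbitrary path.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // 3. The client-supplied name is untrusted: drop any directory part and judge
    //    the file by its *last* extension against the allowlist. "shell.php.jpg"
    //    is treated as .jpg here, which is safe only because step 5 never keeps
    //    the client's name.
    $name = basename((string) $file['name']);
    $ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        throw new RuntimeException("extension '$ext' not allowed");
    }
    // 4. Check the content, not $file['type']: the browser-supplied type is attacker-controlled.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException('content type ' . var_export($mime, true) . " does not match .$ext");
    }
    // 5. Store under a random name with only the vetted extension: no overwrites,
    //    no guessable URLs, no traversal sequences or double extensions survive.
    $dest = $dir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not move file into place');
    }
    chmod($dest, 0600); // plain data file, never executable
    return $dest;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    try {
        $path = store_upload($_FILES['userfile'] ?? []);
        echo 'Stored as ' . htmlspecialchars(basename($path), ENT_QUOTES, 'UTF-8');
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'Upload rejected: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
} else {
    echo '<form method="post" enctype="multipart/form-data">'
       . '<input type="file" name="userfile"> <button>Upload</button></form>';
}
```

Because the stored name is generated by the script and the directory is outside the document root, an uploaded file can only ever be served by another script you write that reads it back deliberately. If files must be served straight from under the document root instead, keep the allowlist and random naming and additionally turn off script handling for that directory in the web server (on Apache with mod_php that is `php_flag engine off` in an .htaccess file; the exact mechanism varies by host and PHP setup, so verify it by requesting a harmless test .php file there).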

File size limits

PHP has a setting called upload_max_filesize that limits the size of a file upload. The value depends on the server's php.ini (PHP's own stock default is only 2M), so check phpinfo() for the exact figure for your version of PHP; here it's already at least 1000 MB if you're using the most recent version of PHP.

We’re sometimes asked how to increase that limit. You can do so by adding two lines to your site’s php.ini, like this (post_max_size has to be at least as large as upload_max_filesize, because the uploaded file is part of the POST body):

upload_max_filesize = 1200M
post_max_size = 1200M

Keep in mind that large uploads cost server resources, which is why the limits exist in the first place. PHP writes each incoming file to a temporary file on disk, but a script that then reads the whole file into memory (to resize an image, say) can exceed memory_limit, and the transfer itself is subject to max_input_time and to any request-body limit the web server enforces in front of PHP. If you increase the limits and your script fails to work properly or shows an “HTTP error”, all you can do is decrease them again.
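When a limit is exceeded, PHP reports it in two different ways, and the second one is easy to miss: a file larger than upload_max_filesize arrives with an error code in $_FILES, but a request body larger than post_max_size causes PHP to discard $_POST and $_FILES entirely and only log a warning, which is exactly the symptom behind a blank form or a generic “HTTP error”. The following added example (not code from the original page) converts the php.ini shorthand values to bytes and distinguishes the two cases before the script touches the upload; the field name "userfile" is an assumption.

```php
<?php
// Added example (not the page's own code): diagnosing uploads that exceed PHP's limits.
declare(strict_types=1);

/** Convert a php.ini shorthand such as "1200M", "2G" or "512K" to bytes. */
function ini_bytes(string $value): int
{
    $value = trim($value);
    $unit  = strtolower(substr($value, -1));
    $num   = (int) $value;              // (int) "1200M" === 1200
    switch ($unit) {
        case 'g': return $num * 1024 ** 3;
        case 'm': return $num * 1024 ** 2;
        case 'k': return $num * 1024;
        default:  return $num;          // plain byte count
    }
}

/**
 * Return null if the request is within PHP's limits, otherwise a short reason.
 * Call this before reading $_FILES: when the whole POST body exceeds
 * post_max_size, PHP drops $_POST and $_FILES and only emits a warning, so the
 * only evidence left is the request's Content-Length header.
 */
function upload_limit_problem(array $server, array $files, string $field): ?string
{
    $postMax   = ini_bytes((string) ini_get('post_max_size'));
    $uploadMax = ini_bytes((string) ini_get('upload_max_filesize'));
    $length    = (int) ($server['CONTENT_LENGTH'] ?? 0);

    if ($length > $postMax) {
        return sprintf('request body (%d bytes) exceeds post_max_size (%d bytes)', $length, $postMax);
    }
    if (!isset($files[$field])) {
        return "no file received in field '$field'";
    }
    switch ($files[$field]['error']) {
        case UPLOAD_ERR_OK:         return null;
        case UPLOAD_ERR_INI_SIZE:   return sprintf('file exceeds upload_max_filesize (%d bytes)', $uploadMax);
        case UPLOAD_ERR_FORM_SIZE:  return 'file exceeds the MAX_FILE_SIZE field set in the HTML form';
        case UPLOAD_ERR_PARTIAL:    return 'file was only partially uploaded (connection dropped?)';
        case UPLOAD_ERR_NO_FILE:    return 'no file was selected';
        case UPLOAD_ERR_NO_TMP_DIR: return 'server has no temporary directory for uploads';
        case UPLOAD_ERR_CANT_WRITE: return 'server could not write the temporary file (disk full?)';
        default:                    return 'upload failed with PHP error code ' . $files[$field]['error'];
    }
}

// Usage: pass the real superglobals in; "userfile" is the assumed form field name.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $problem = upload_limit_problem($_SERVER, $_FILES, 'userfile');
    if ($problem !== null) {
        http_response_code(413); // Payload Too Large
        echo 'Upload rejected: ' . htmlspecialchars($problem, ENT_QUOTES, 'UTF-8');
    } else {
        echo 'Received ' . (int) $_FILES['userfile']['size'] . ' bytes';
    }
}
```

The explicit messages make it obvious which of the two php.ini lines needs changing, instead of leaving you to guess from an empty $_FILES array. Note that a limit enforced by the web server in front of PHP never reaches this code at all; those requests fail before the script runs.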

We should also mention that in general, very large file uploads don’t work well in web browsers, which is why you rarely see this functionality. Methods like FTP are usually better for transferring large files. (If you use WordPress and you’re uploading large video files using FTP, you can add them to your pages or posts by clicking the Add Media button in WordPress, then choosing Insert from URL and using the URL of the uploaded file.)

Writing your own upload script

A Google search will show a number of good tutorials that explain how to write your own script; whichever one you follow, add the protections described above, since most tutorials cover only the upload itself. For example:

  • This PHP tutorial explains how to create an upload script and add basic features such as file size and file extension limits.
  • This Perl tutorial explains how to upload a photo, but could easily be modified.