Can someone help me make this script a bit more practical and secure? Right now you can type in random letters and it will upload as a file.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="content-type" content="text/html; charset=iso-8859-1" />
<title>Upload a File</title>
</head>
<body>
<?php // Script 11.4 - upload_file.php
// This script displays and handles an HTML form.
// This script takes a file upload and stores it on the server.
// Address error handing.
ini_set ('display_errors', 1);
error_reporting (E_ALL & ~E_NOTICE);
if (isset ($_POST['submit'])) { // Handle form.
// Try to move the uploaded file.
if (move_uploaded_file ($_FILES['thefile']['tmp_name'], "../uploads/{$_FILES['thefile']['name']}")) {
print '<p>Your file has been uploaded.</p>';
} else { // Problem!
print '<p>Your file could not be uploaded because: <b>';
// Print a message based upon the error.
switch ($_FILES['thefile']['error']) {
case 1:
print 'The file exceeds the upload_max_filesize setting in php.ini';
break;
case 2:
print 'The file exceeds the MAX_FILE_SIZE setting in the HTML form';
break;
case 3:
print 'The file was only partially uploaded';
break;
case 4:
print 'No file was uploaded';
break;
}
print '</b>.</p>';
}
} // End of SUBMIT IF.
// Leave PHP and display the form.
?>
<form action="upload_file.php" enctype="multipart/form-data" method="post">
<p>Upload a file using this form: <br /><br />
<input type="hidden" name="MAX_FILE_SIZE" value="30000" />
<input type="file" name="thefile" /><br /><br />
<input type="submit" name="submit" value="Upload This File" />
</p>
</form>
</body>
</html>
