move_uploaded_file()

(PHP 4 >= 4.0.3, PHP 5, PHP 7)

将上传的文件移动到新位置

说明

本函数检查并确保由$filename指定的文件是合法的上传文件（即通过 PHP 的 HTTP POST 上传机制所上传的）。如果文件合法，则将其移动为由$destination指定的文件。

这种检查显得格外重要，如果上传的文件有可能会造成对用户或本系统的其他用户显示其内容的话。

参数

上传的文件的文件名。

移动文件到这个位置。

返回值

成功时返回TRUE。

如果$filename不是合法的上传文件，不会出现任何操作，move_uploaded_file()将返回FALSE。

如果$filename是合法的上传文件，但出于某些原因无法移动，不会出现任何操作，move_uploaded_file()将返回FALSE。此外还会发出一条警告。

范例

Uploading multiple files

注释

move_uploaded_file()对安全模式和open_basedir都是敏感的。不过，限制只针对$destination路径，因为允许移动上传的文件名$filename可能会与这些限制产生冲突。move_uploaded_file()仅作用于通过 PHP 上传的文件以确保这个操作的安全性。Warning

如果目标文件已经存在，将会被覆盖。

参见

• is_uploaded_file() 判断文件是否是通过 HTTP POST 上传的
• rename() 重命名一个文件或目录
• 参见文件上传处理一章中的简单使用例子。

Security tips you must know before use this function :
First : make sure that the file is not empty.
Second : make sure the file name in English characters, numbers and (_-.) symbols, For more protection.
You can use below function as in example

Third : make sure that the file name not bigger than 250 characters.
as in example :

Fourth: Check File extensions and Mime Types that you want to allow in your project. You can use : pathinfo() http://php.net/pathinfo
or you can use regular expression for check File extensions as in example
#^(gif|jpg|jpeg|jpe|png)$#i
or use in_array checking as

You have multi choices to checking extensions and Mime types.
Fifth: Check file size and make sure the limit of php.ini to upload files is what you want, You can start from http://www.php.net/manual/en/ini.core.php#ini.file-uploads
And last but not least : Check the file content if have a bad codes or something like this function http://php.net/manual/en/function.file-get-contents.php.
You can use .htaccess to stop working some scripts as in example php file in your upload path.
use :
AddHandler cgi-script .php .pl .jsp .asp .sh .cgi
Options -ExecCGI 
Do not forget this steps for your project protection.

The destination directory must exist; move_uploaded_file() will not automatically create it for you.

For those which will use inotify-tools to start an event when move_uploaded_file put the file in a specific directory, be aware that move_uploaded_file will trigger the create event, and not the move event of inotify-tools.

For those using PHP on Windows and IIS, you SHOULD set the "upload_tmp_dir" value in php.ini to some directory around where your websites directory is, create that directory, and then set the same permissions on it that you have set for your websites directory. Otherwise, when you upload a file and it goes into C:\WINDOWS\Temp, then you move it to your website directory, its permissions will NOT be set correctly. This will cause you problems if you then want to manipulate that file with something like ImageMagick's convert utility.

鹏仔微信 15129739599 鹏仔QQ344225443 鹏仔前端 pjxi.com 共享博客 sharedbk.com