How to get full filepath when uploading files in PHP?
I really want to know how am I gonna get the full filepath when I upload a file in PHP?
Here's my my problem...
I am importing a csv file in PHP. Uploading a file isn't a problem but the function used to import csv files which is fgetcsv() requires fopen. fopen is the one giving me a headache because it requires an exact filepath which means that the file should be in the same directory with the php file. What if the user gets a file from a different directory.
Here's my codes:
index.php:
<form action="csv_to_database.php" method="POST" enctype="multipart/form-data">
<input type="file" name="csv_file" />
<input type="submit" name="upload" value="Upload" />
</form>
csv_import.php:
<?php
if ($_FILES['csv_file']['error'] > 0) {
echo "Error: " . $_FILES['csv_file']['error'] . "<br />";
}else{
if (($handle = fopen($_FILES['csv_file']['name'], "r")) !== FALSE) {
while (($data = fgetcsv($handle, 1000, ",")) !== FALSE) {
for ($c=0; $c < count($data) ; $c++) {
echo $data[$c] . " ";
}
echo "<br />";
}
fclose($handle);
}
}
?>
fopen here can only get the filename which is passed by the variable $_FILES['csv_file']['name']. I was trying to get any functions to get the full filepath for $_FILES in the internet but can't find any.
I am very new to web development so pls be patient. Pls answer as simple as possible... Pls help...
Answer
The ['name'] refers to the original filename on the users computer. That's no use to you, in particular because it might be empty. (Or it can contain fake values, causing a directory traversal exploit. So, just avoid it.)
You need to use the ['tmp_name'] which is a server-absolute path like /tmp/upload85728 that can be used for fopen() or move_uploaded_file().