
File Uploads with Slim Framework and PHP

File uploads allow users to submit documents, images, and other files to your server via HTTP POST requests. Slim Framework provides clean access to uploaded files through PSR-7 Request objects.


  1. method="POST" - File uploads must use POST
  2. enctype="multipart/form-data" - Required for file transmission
  3. <input type="file"> - Creates file selection interface
  4. name attribute - Key to access file on server

<form action="/upload" method="POST" enctype="multipart/form-data">
<label for="userfile">Select a file:</label>
<input type="file" name="userfile" id="userfile">
<input type="submit" value="Upload">
</form>

$uploadedFiles = $request->getUploadedFiles();
$uploadedFile = $uploadedFiles['userfile'] ?? null;

| Method | Description |
| --- | --- |
| getError() | Upload error code. UPLOAD_ERR_OK (0) = success |
| getSize() | File size in bytes |
| getClientFilename() | Original filename. Never trust! |
| getClientMediaType() | Media type from browser. Don’t fully trust! |
| moveTo($path) | Move file from temp to permanent location |

Never trust user input. Always validate:

  1. Upload Errors: $uploadedFile->getError() === UPLOAD_ERR_OK
  2. File Size: Compare against maximum allowed size
  3. File Type: Check media type against whitelist

Uploaded files are stored temporarily and deleted after script execution. You must move them to permanent storage.

Key Points:

  • Create uploads directory with write permissions
  • Sanitize filenames (user’s filename could be malicious: ../../etc/passwd)
  • Generate unique filenames to prevent collisions
  • Use moveTo() method

$uploadedFile->moveTo($targetPath);

Critical: Accepting files without validation is a security hole. Malicious users can upload PHP shells.

  1. Check Upload Errors - Verify getError() first
  2. Safe Directory - Store outside web root (public folder)
    • ✅ Good: my-project/uploads/
    • ❌ Bad: my-project/public/uploads/
  3. Validate File Type - Use whitelist of allowed types
  4. Validate File Size - Set reasonable limits (e.g., 5MB)
  5. Generate Secure Filenames - Never use client filenames

User selects file → Browser POST request → Slim route
→ Get uploaded file object → Check errors
→ Validate size & type → Generate safe filename
→ Move to permanent location → Success response
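
The checks and the flow above combined into one helper, as an added example that is not code from the original page. The function name storeUpload(), the constants, the 5 MB limit and the JPEG/PNG/PDF allow-list are assumptions made for illustration; the example goes one step beyond the page by detecting the type from the file's content with finfo instead of relying on getClientMediaType().

```php
<?php
declare(strict_types=1);

use Psr\Http\Message\UploadedFileInterface;

// Assumed policy for this example: 5 MB limit, three allowed content types.
const MAX_UPLOAD_BYTES = 5 * 1024 * 1024;
const ALLOWED_TYPES = [
    'image/jpeg'      => 'jpg',
    'image/png'       => 'png',
    'application/pdf' => 'pdf',
];

/**
 * Validate an upload and move it into $uploadDir (a directory outside the web root).
 * Returns the generated filename; throws RuntimeException when the file is rejected.
 */
function storeUpload(?UploadedFileInterface $file, string $uploadDir): string
{
    // 1. Upload errors first: nothing else is meaningful if the transfer failed.
    if ($file === null || $file->getError() !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or no file sent');
    }

    // 2. Size limit (getSize() may return null when the size is unknown).
    $size = $file->getSize();
    if ($size === null || $size === 0 || $size > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('File is empty or too large');
    }

    // 3. Type: sniff the first bytes of the content; getClientMediaType()
    //    is only the browser's claim.
    $stream = $file->getStream();
    $stream->rewind();
    $type = (new finfo(FILEINFO_MIME_TYPE))->buffer($stream->read(8192));
    if (!is_string($type) || !isset(ALLOWED_TYPES[$type])) {
        throw new RuntimeException('File type not allowed');
    }

    // 4. Random name plus a server-chosen extension: the client filename
    //    (which may contain ../ or end in .php) never reaches the filesystem.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$type];
    $file->moveTo(rtrim($uploadDir, '/') . '/' . $name);

    return $name;
}

// In a Slim route, with uploads/ next to public/ rather than inside it:
// $name = storeUpload($request->getUploadedFiles()['userfile'] ?? null, __DIR__ . '/../uploads');
```

Catch the RuntimeException in the route and return a 4xx response; the generated name is what you store in your database, alongside the original filename if you need to display it.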