== FAQ (Frequently Asked Questions)

I thought these are the topics users would be interested in.

- Notification

  Want to be notified after each file upload? Nothing easier.

  1. You can use PHP's mail() function to send yourself an e-mail message.
     Add this single line to the index.php file:

         @mail("your@email.com", 'file uploaded', 'Hi! Someone has just uploaded a file.');

     OK, but where to place the line? For example, below this line:

         $oFile = File::UploadFile('_file', CFG_UPLOADFOLDER);

  2. You can send an SMS message to your cell phone each time a file is
     uploaded. If you have an smsbug.com account, you can use this free
     script for sending SMS messages. Download the free code from here:
     http://w3net.eu/?p=48
     Upload the files to your website and include the necessary files in
     index.php. This code would send a short message to your mobile phone:

         // Notify me via SMS
         if ($oFile){
             try{
                 $oSmsGateway = new SmsGateway();
                 $msg = "File upload :'". $oFile->getName() .'\'' ."\n";
                 $msg .= getenv("REMOTE_ADDR");
                 $oSmsGateway->SendSingleSms("YOUR-PHONE-NUMBER", $msg);
             }catch(TransportException $e){
                 // SMS delivery failed; the upload itself is not affected
             }catch(Exception $e){
                 // ignore any other notification error
             }
             unset($oSmsGateway);
         }

     Where to place the above code block? After line 63 (index.php).
     Ask someone experienced with PHP if you are not sure.

- Security

  Uploaded files are stored in the upload folder on the disk. The upload
  folder's name MUST be hard to guess so that nobody can access the
  directory through HTTP (web browser). A malicious user could upload a PHP
  file and request the uploaded file to execute it on the server with the
  privileges of the web server process.

  * Hints, recommendations for you:

    - You should never download uploaded files with your web browser if
      your upload folder is not password protected (with .htaccess you can
      password protect a folder). Instead, you should download the content
      of the upload folder via SFTP (secure FTP).
    - If your web hosting does not support SFTP, you should be downloading
      the files using the HTTPS protocol.
    - It is also a good idea to password protect your upload folder (with
      .htaccess you can password protect a folder).
    - Another great idea is to disallow execution of PHP scripts in the
      upload folder (ask your web hosting provider for more info).
    - If you use Total Commander, never let it remember FTP passwords.
      Viruses and trojans can easily steal passwords from Total Commander's
      configuration file.

- Content-type verification

  Letting users upload arbitrary files is usually not a good idea. You can
  tell the upload script to check the MIME
  (http://www.ltsw.se/knbase/internet/mime.htp) type of the uploaded file.
  The following code will allow only GIF, PNG and JPEG file types.
  Edit index.php:

      $aAllowedContenTypes = array('image/jpeg', 'image/png', 'image/gif');
      $oFile = File::UploadFile('_file', CFG_UPLOADFOLDER, $maxAllowedSize, $aAllowedContenTypes);

  Note: this protection can be easily bypassed by an experienced user who
  knows a bit about HTTP headers. Do not rely much on this.

- Maximum file size

  By default the script does not check the file size. However, this does
  not mean that files of any size can be uploaded. The upper upload limit
  depends on the following php.ini directives:

    * file_uploads
    * upload_max_filesize
    * max_input_time
    * memory_limit
    * max_execution_time
    * post_max_size

- How can I limit the allowed maximum size of the uploaded files?

  Edit the following line in the index.php file:

      $maxAllowedSize = null;

  Assign the maximum allowed size to the $maxAllowedSize variable (the size
  is in bytes). Examples:

    - if you want to allow users to upload files of at most 1 MB:

          $maxAllowedSize = 1048576; // 1 MB = 1024 * 1024 bytes

    - if you want to allow users to upload files of at most 0.5 MB:

          $maxAllowedSize = 524288; // 0.5 MB = 512 * 1024 bytes

- Why not Strict DTD (answer for web standardistas)?

  The HTML code of the upload page conforms to the HTML 4.01 Transitional
  DTD. First I created the iframe element dynamically, but MS IE6 did not
  like it. The form was submitted into a new browser window instead of into
  the hidden iframe. I do not know if there is a workaround for this.
  Anyway, I do not see much sense in rewriting the HTML code to conform to
  the Strict DTD as it is only an upload page.

- What happens if a file is uploaded but there is already a file with such name in the upload folder?

  The file is silently overwritten; the user is not warned.
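
The content-type note and the overwrite behaviour described above can both be handled on the server side. The following is an added example, not code from the upload script: it detects the type from the file's bytes instead of the request header and stores the file under a server-chosen name. The function name store_uploaded_image and its messages are hypothetical; '_file' and CFG_UPLOADFOLDER are taken from the FAQ. It assumes PHP 7.1 or later with the fileinfo extension enabled.

```php
<?php
// Added example: not part of the upload script. The function name and
// messages are hypothetical; '_file' and CFG_UPLOADFOLDER come from the FAQ.

/**
 * Validate an uploaded image by its content and store it under a
 * server-chosen name. Returns the path of the stored file.
 */
function store_uploaded_image(array $file, string $destDir, ?int $maxSize = null): string
{
    // Allowed detected types, mapped to the extension we assign ourselves.
    $allowed = [
        'image/jpeg' => 'jpg',
        'image/png'  => 'png',
        'image/gif'  => 'gif',
    ];

    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload did not complete.');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an HTTP upload.');
    }
    // Measure the size on disk rather than trusting $file['size'].
    if ($maxSize !== null && filesize($file['tmp_name']) > $maxSize) {
        throw new RuntimeException('File is larger than the allowed maximum.');
    }

    // Detect the type from the file's bytes, ignoring $file['type'],
    // which is copied from the request and can be set to anything.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime === false || !isset($allowed[$mime])) {
        throw new RuntimeException('File type not allowed.');
    }

    // Random server-chosen name: does not overwrite an existing file and
    // never keeps a user-supplied extension such as .php.
    $name   = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $target = rtrim($destDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Could not store the upload.');
    }
    return $target;
}

// Usage inside the upload handler (1 MB limit):
// $path = store_uploaded_image($_FILES['_file'], CFG_UPLOADFOLDER, 1048576);
```

This check complements, and does not replace, disabling PHP execution in the upload folder as recommended in the Security entry.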