move_uploaded_file - PHP code example

The php Function MoveUploadedFile

The php function move_uploaded_file moves an uploaded file to a new destination. It also checks to make sure that the file designated by filename is a valid upload file (meaning it has been uploaded via PHP's HTTP POST upload mechanism). If the file is not a valid upload file, then it will not be moved and move_uploaded_file() will return false. This sort of check is especially important if there is any chance that anything done with uploaded files could reveal their contents to the user, or even to other users on the same system.

This function works only on a file submitted via HTTP POST, and does not work on any other file in your system. You must have the container folder where you want to move the uploaded file already created.

If the target folder does not exist, or if you pass an invalid path to move_uploaded_file() then an error will be thrown. This is because the PHP script that created the container folder may not have owned the file, or it may have been uploaded by another user.

This is why it's always a good idea to encode files that are uploaded by users, so they are not easily read by other people who might access the same file in your system. For example, use enctype='multipart/form-data' when accepting file submissions from your web forms. This will prevent php from reading the uploaded file in plain text, and potentially revealing sensitive information.

move_uploaded_file example

  public function __construct(StreamWrapperManagerInterface $stream_wrapper_manager, Settings $settings, LoggerInterface $logger) {
    $this->streamWrapperManager = $stream_wrapper_manager;
    $this->settings = $settings;
    $this->logger = $logger;
  }

  /** * {@inheritdoc} */
  public function moveUploadedFile($filename, $uri) {
    $result = @move_uploaded_file($filename, $uri);
    // PHP's move_uploaded_file() does not properly support streams if     // open_basedir is enabled so if the move failed, try finding a real path     // and retry the move operation.     if (!$result) {
      if ($realpath = $this->realpath($uri)) {
        $result = move_uploaded_file($filename, $realpath);
      }
      else {
        $result = move_uploaded_file($filename, $uri);
      }
    }

throw HTTPException::forAlreadyMoved();
        }

        if (! $this->isValid()) {
            throw HTTPException::forInvalidFile();
        }

        $name ??= $this->getName();
        $destination = $overwrite ? $targetPath . $name : $this->getDestination($targetPath . $name);

        try {
            $this->hasMoved = move_uploaded_file($this->path, $destination);
        } catch (Exception $e) {
            $error   = error_get_last();
            $message = strip_tags($error['message'] ?? '');

            throw HTTPException::forMoveFailed(basename($this->path), $targetPath, $message);
        }

        if ($this->hasMoved === false) {
            $message = 'move_uploaded_file() returned false';

            throw HTTPException::forMoveFailed(basename($this->path), $targetPath, $message);
        }

$filePath = tempnam($destPath, 'snippets_');
        if ($filePath === false) {
            echo json_encode([
                'success' => false,
                'message' => sprintf('Could not create a tmp file for %s', $filePath),
            ]);

            return;
        }

        if (move_uploaded_file($_FILES['file']['tmp_name'], $filePath) === false) {
            echo json_encode([
                'success' => false,
                'message' => sprintf('Could not move %s to %s.', $_FILES['file']['tmp_name'], $filePath),
            ]);

            return;
        }

        $this->uploadedFilePath = $filePath;
        chmod($filePath, 0644);

$this->validateActive();

        if (false === $this->isStringNotEmpty($targetPath)) {
            throw new InvalidArgumentException(
                'Invalid path provided for move operation; must be a non-empty string'
            );
        }

        if ($this->file) {
            $this->moved = PHP_SAPI === 'cli'
                ? rename($this->file, $targetPath)
                : move_uploaded_file($this->file, $targetPath);
        } else {
            Utils::copyToStream(
                $this->getStream(),
                new LazyOpenStream($targetPath, 'w')
            );

            $this->moved = true;
        }

        if (false === $this->moved) {
            throw new RuntimeException(

public function move(string $directory, string $name = null): File
    {
        if ($this->isValid()) {
            if ($this->test) {
                return parent::move($directory, $name);
            }

            $target = $this->getTargetFile($directory, $name);

            set_error_handler(function D$type, $msg) use (&$error) { $error = $msg; });
            try {
                $moved = move_uploaded_file($this->getPathname(), $target);
            } finally {
                restore_error_handler();
            }
            if (!$moved) {
                throw new FileException(sprintf('Could not move the file "%s" to "%s" (%s).', $this->getPathname(), $target, strip_tags($error)));
            }

            @chmod($target, 0666 & ~umask());

            return $target;
        }

    $move_new_file = apply_filters( 'pre_move_uploaded_file', null, $file, $new_file, $type );

    if ( null === $move_new_file ) {
        if ( 'wp_handle_upload' === $action ) {
            $move_new_file = @move_uploaded_file( $file['tmp_name'], $new_file );
        } else {
            // Use copy and unlink because rename breaks streams.             // phpcs:ignore WordPress.PHP.NoSilencedErrors.Discouraged             $move_new_file = @copy( $file['tmp_name'], $new_file );
            unlink( $file['tmp_name'] );
        }

        if ( false === $move_new_file ) {
            if ( str_starts_with( $uploads['basedir'], ABSPATH ) ) {
                $error_path = str_replace( ABSPATH, '', $uploads['basedir'] ) . $uploads['subdir'];
            } else {