Input.getUploadedFile
Input.getUploadedFile($fieldName, $uploadDir, $allowedExtensions, $maxFileSizeKb = 0) -> string
Description
Returns the uploaded file path for the given $fieldName
.
Returns an empty string ''
if it does not pass validation (see below).
If validated, the file will be written to $uploadDir
with a random filename.
$uploadDir
is relative to app/data/files
. If the directory does not exist, it will be created.
Validation Checks
A file is not valid in the following cases:
- Illegal file name patterns (e.g. '..')
- Common evasion tactics (e.g. double extensions)
- File extension is not within list of
$allowedExtensions
- File MIME type (as detected by the file content) does not match file extension.
Example
// HTML tag: // <input type="file" name="config"> $path = Input.getUploadedFile('config', 'configs', ['json', 'xml']) //= e.g. 'configs/fjwgSj73Fjs4q434q.json'
Complete example:
fn main { Output.sendPage({ main: formHtml(), }) } // Will automatically get called instead of 'main' when // form is submitted. fn mainPost { $path = Input.getUploadedFile('config', 'configs', ['json']) if $path { $content = File.read($path, true) $data = Json.decode($data) print($data) } else { print(Input.getUploadError()) } } // Note: Upload forms need enctype="multipart/form-data". tm formHtml { <h1> Upload Config File <form action="/upload" method="post" enctype="multipart/form-data"> {{ Web.csrfToken(true) }} <input type="file" name="config"> <small> Supported files: .json, .xml <button type="submit">Upload</button> </> }