How to get full filepath when uploading files in PHP?

Question

I really want to know how am I gonna get the full filepath when I upload a file in PHP?

Here's my my problem...

I am importing a csv file in PHP. Uploading a file isn't a problem but the function used to import csv files which is fgetcsv() requires fopen. fopen is the one giving me a headache because it requires an exact filepath which means that the file should be in the same directory with the php file. What if the user gets a file from a different directory.

Here's my codes:

index.php:

<form action="csv_to_database.php" method="POST" enctype="multipart/form-data">
 <input type="file" name="csv_file" />
 <input type="submit" name="upload" value="Upload" />
</form>

csv_import.php:

<?php
 if ($_FILES['csv_file']['error'] > 0) {
  echo "Error: " . $_FILES['csv_file']['error'] . "<br />"; 
 }else{ 

  if (($handle = fopen($_FILES['csv_file']['name'], "r")) !== FALSE) {

   while (($data = fgetcsv($handle, 1000, ",")) !== FALSE) {

    for ($c=0; $c < count($data) ; $c++) {
     echo $data[$c] . " ";
    }
    echo "<br />";
   }
   fclose($handle);
  }
 }
?>

fopen here can only get the filename which is passed by the variable $_FILES['csv_file']['name']. I was trying to get any functions to get the full filepath for $_FILES in the internet but can't find any.

I am very new to web development so pls be patient. Pls answer as simple as possible... Pls help...

Answer 1

The ['name'] refers to the original filename on the users computer. That's no use to you, in particular because it might be empty. (Or it can contain fake values, causing a directory traversal exploit. So, just avoid it.)

You need to use the ['tmp_name'] which is a server-absolute path like /tmp/upload85728 that can be used for fopen() or move_uploaded_file().