Difficulty: Easy
Correct Answer: By calling move_uploaded_file on the tmp_name from the $_FILES array and a validated destination path
Explanation:
Introduction / Context:
Handling file uploads is a common requirement in PHP applications. When a user uploads a file with an HTML form, PHP first stores it in a temporary location on the server. The script is then responsible for validating the upload and moving it to a final directory if it is acceptable. Using the correct function is important for both security and reliability. This question asks how to safely move the temporary uploaded file to its destination in PHP.
Given Data / Assumptions:
Concept / Approach:
PHP provides a dedicated function, move_uploaded_file, to move uploaded files from their temporary location to a destination path. This function performs additional security checks to ensure that the source is a valid upload file created by PHP, not an arbitrary path supplied by an attacker. It takes two arguments, the temporary file name from $_FILES["field"]["tmp_name"] and the target path. If it returns true, the file has been moved and the temporary file is no longer available. This is the safest and recommended way to store uploaded files on the server.
Step-by-Step Solution:
Step 1: Read the upload information from the $_FILES array, including name, type, size, error, and tmp_name.
Step 2: Check that the error code is zero and validate the file according to your application rules for type and size.
Step 3: Construct a secure destination path, often by generating a unique file name and placing it inside a designated upload directory that is not executable.
Step 4: Call move_uploaded_file with the tmp_name as the first argument and the destination path as the second argument.
Step 5: On success, record the new file path in your database if needed and handle any failures by logging errors and informing the user.
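The five steps above combined into one upload handler, as an added example that is not code from the original page. The form field name document, the directory /var/app/uploads, the 2 MiB limit and the MIME allow-list are assumptions chosen for illustration.

```php
<?php
declare(strict_types=1);

// Assumed values for this example (not from the page): directory, size cap, allow-list.
const UPLOAD_DIR = '/var/app/uploads'; // hypothetical; outside the web root, not executable
const MAX_BYTES  = 2 * 1024 * 1024;
const ALLOWED    = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'application/pdf' => 'pdf'];

function store_upload(array $file): string
{
    // Step 2: accept only a clean single-file upload (an array here means a multi-file field).
    if (!isset($file['error']) || is_array($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or was malformed.');
    }
    if ($file['size'] <= 0 || $file['size'] > MAX_BYTES) {
        throw new RuntimeException('File size is outside the allowed range.');
    }

    // Detect the type from the file contents; $file['type'] is supplied by the client.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime === false || !isset(ALLOWED[$mime])) {
        throw new RuntimeException('File type is not allowed.');
    }

    // Step 3: server-generated name; the client's $file['name'] never reaches the path.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];

    // Step 4: returns false unless tmp_name is a genuine upload created by PHP.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store the uploaded file.');
    }
    return $dest;
}

// Steps 1 and 5: read the $_FILES entry, then report success or log the failure.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    try {
        $path = store_upload($_FILES['document'] ?? []);
        // Record $path in the database here if the application needs it.
        echo 'Stored.';
    } catch (RuntimeException $e) {
        error_log('Upload rejected: ' . $e->getMessage());
        http_response_code(400);
        echo 'Upload rejected.';
    }
}
```

The extension is taken from the allow-list entry for the detected MIME type, so a file named by the client with a script extension is still stored under a server-chosen name and extension.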
Verification / Alternative check:
You can verify correct behaviour by uploading a small file and then checking the target directory to confirm that the file appears with the expected name. Testing with invalid paths or tampered values should cause move_uploaded_file to return false rather than moving arbitrary files, which demonstrates its safety checks. Logging any failures will help diagnose permission or path problems, and trying copy or rename with the same source path will show that these generic functions lack the special validation provided by move_uploaded_file.
Why Other Options Are Wrong:
Option B uses unlink, which deletes a file rather than moving it, so it cannot be used to store an upload. Option C suggests using copy from any path without verifying that the file is an upload, which opens the door to attackers tricking the script into copying sensitive files from the server file system. Option D talks about writing into the browser cache, which is a client side concept and not controlled by PHP. These methods do not implement safe, server side movement of uploaded files.
Common Pitfalls:
A common pitfall is forgetting to create and secure the upload directory before attempting to move files, which can cause permission errors or expose uploaded files to direct execution. Another mistake is trusting the original filename from the user and using it directly, which can lead to directory traversal attacks or name collisions. Developers should normalise file names, generate unique identifiers, and serve uploaded content through controlled scripts when possible. Combined with move_uploaded_file, these practices produce a secure and robust upload system.
Final Answer:
Correct answer: By calling move_uploaded_file on the tmp_name from the $_FILES array and a validated destination path