Difficulty: Easy
Correct Answer: By calling move_uploaded_file() with the temporary filename from $_FILES and the target path where the file should be stored permanently
Explanation:
Introduction / Context:
Handling file uploads securely and correctly is a common requirement in PHP applications. When a user uploads a file through an HTML form, PHP stores the file temporarily on the server and provides information about it in the $_FILES superglobal array. Developers must then decide where to store the file permanently. The move_uploaded_file() function is specifically designed for this purpose, and interview questions often focus on its use and security implications.
Given Data / Assumptions:
Concept / Approach:
When PHP handles a file upload, it creates a temporary file on the server and populates $_FILES with an entry that includes the original filename, file size, MIME type, any error code, and the temporary filename. move_uploaded_file() is a built-in function that takes the temporary filename and the desired destination path and moves the file while ensuring it originated from a file upload. Using move_uploaded_file() is safer than a normal rename because it performs checks to confirm that the source is a valid uploaded file.
Step-by-Step Solution:
Step 1: In your PHP script, access the uploaded file information via $_FILES["input_name"], where input_name is the name attribute of the form file field.
Step 2: Check for upload errors by examining $_FILES["input_name"]["error"] and proceed only if it indicates a successful upload.
Step 3: Retrieve the temporary filename from $_FILES["input_name"]["tmp_name"] and build a secure destination path, for example in an uploads directory, possibly sanitising the original filename from $_FILES["input_name"]["name"].
Step 4: Call move_uploaded_file($_FILES["input_name"]["tmp_name"], $destinationPath). If the function returns true, the file has been moved successfully to its final location.
Step 5: Ensure proper permissions on the destination directory and consider generating unique filenames to avoid overwriting existing files.
Step 6: This confirms that move_uploaded_file() is the standard and recommended way to move uploaded files from temporary storage to their permanent home on the server.
Verification / Alternative check:
You can verify correct behaviour by uploading a small test file and printing debug information about $_FILES and the result of move_uploaded_file(). After the function returns true, checking the destination directory should show the new file present. Attempting to use move_uploaded_file() on a non-uploaded file should fail, demonstrating that the function performs safety checks beyond a simple rename.
Why Other Options Are Wrong:
Option b is wrong because rename() on its own does not verify that the file came from an upload, and it should not be used on the client file system, which PHP cannot access directly. Option c is incorrect because JavaScript running in the browser cannot copy files into arbitrary server directories; all uploads must go through HTTP requests handled by server-side code. Option d is wrong because php.ini does not specify a single destination directory for all application uploads; applications are expected to move files themselves using code.
Common Pitfalls:
Common pitfalls include trusting the original filename without validation, which can lead to directory traversal or overwrite vulnerabilities, and failing to verify upload success before moving files. Another issue is not validating file types or sizes, which can open security holes. Developers should always check the error code, validate type and size, generate safe filenames, and use move_uploaded_file() rather than arbitrary file operations to process uploads correctly.
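The steps above and the pitfalls just listed, combined into one handler. This is an added example, not code from the original page. The field name "document", the upload directory, the size cap and the type allow-list are assumptions, and it relies on PHP's fileinfo extension. It generates the stored filename on the server instead of sanitising the original one.

```php
<?php
declare(strict_types=1);

// Assumed for this example (not from the page): field name "document",
// an upload directory outside the web root, a 2 MiB cap, three allowed types.
const UPLOAD_DIR = '/var/app/uploads';
const MAX_BYTES  = 2 * 1024 * 1024;
const ALLOWED    = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'application/pdf' => 'pdf'];

function store_upload(array $file): string
{
    // Step 1: the entry must be a single-file record, not a nested array.
    if (!isset($file['error'], $file['tmp_name'], $file['size']) || is_array($file['error'])) {
        throw new RuntimeException('Malformed upload');
    }
    // Step 2: proceed only if PHP reports a successful upload.
    if ($file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload error code ' . $file['error']);
    }
    // Pitfall: unvalidated size.
    if ($file['size'] <= 0 || $file['size'] > MAX_BYTES) {
        throw new RuntimeException('File size not allowed');
    }
    // Pitfall: unvalidated type. Inspect the content; $file['type'] is client-supplied.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime === false || !array_key_exists($mime, ALLOWED)) {
        throw new RuntimeException('File type not allowed');
    }
    // Steps 3 and 5: a random server-generated name avoids directory traversal
    // and overwrites; $file['name'] never becomes part of the path.
    $destination = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    // Step 4: returns false unless tmp_name really is an uploaded file.
    if (!move_uploaded_file($file['tmp_name'], $destination)) {
        throw new RuntimeException('Could not move uploaded file');
    }
    chmod($destination, 0640); // stored file is neither executable nor world-readable
    return $destination;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    try {
        $path = store_upload($_FILES['document'] ?? []);
        echo 'Stored as ' . htmlspecialchars(basename($path));
    } catch (RuntimeException $e) {
        error_log($e->getMessage()); // details go to the server log, not the client
        http_response_code(400);
        echo 'Upload rejected';
    }
}
```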
Final Answer:
You move an uploaded file to its final location in PHP by calling move_uploaded_file() with the temporary filename from $_FILES and the target path where you want to store the file permanently.