How to Upload Files
Warning: You are browsing the documentation for Symfony 6.1, which is no longer maintained.
Read the updated version of this page for Symfony 7.2 (the current stable version).
How to Upload Files
Note
Instead of handling file uploading yourself, you may consider using the VichUploaderBundle community bundle. This bundle provides all the common operations (such as file renaming, saving and deleting) and it's tightly integrated with Doctrine ORM, MongoDB ODM, PHPCR ODM and Propel.
Imagine that you have a Product
entity in your application and you want to
add a PDF brochure for each product. To do so, add a new property called
brochureFilename
in the Product
entity:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24
// src/Entity/Product.php
namespace App\Entity;
use Doctrine\ORM\Mapping as ORM;
class Product
{
// ...
#[ORM\Column(type: 'string')]
private $brochureFilename;
public function getBrochureFilename()
{
return $this->brochureFilename;
}
public function setBrochureFilename($brochureFilename)
{
$this->brochureFilename = $brochureFilename;
return $this;
}
}
Note that the type of the brochureFilename
column is string
instead of
binary
or blob
because it only stores the PDF file name instead of the
file contents.
The next step is to add a new field to the form that manages the Product
entity. This must be a FileType
field so the browsers can display the file
upload widget. The trick to make it work is to add the form field as "unmapped",
so Symfony doesn't try to get/set its value from the related entity:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50
// src/Form/ProductType.php
namespace App\Form;
use App\Entity\Product;
use Symfony\Component\Form\AbstractType;
use Symfony\Component\Form\Extension\Core\Type\FileType;
use Symfony\Component\Form\FormBuilderInterface;
use Symfony\Component\OptionsResolver\OptionsResolver;
use Symfony\Component\Validator\Constraints\File;
class ProductType extends AbstractType
{
public function buildForm(FormBuilderInterface $builder, array $options)
{
$builder
// ...
->add('brochure', FileType::class, [
'label' => 'Brochure (PDF file)',
// unmapped means that this field is not associated to any entity property
'mapped' => false,
// make it optional so you don't have to re-upload the PDF file
// every time you edit the Product details
'required' => false,
// unmapped fields can't define their validation using annotations
// in the associated entity, so you can use the PHP constraint classes
'constraints' => [
new File([
'maxSize' => '1024k',
'mimeTypes' => [
'application/pdf',
'application/x-pdf',
],
'mimeTypesMessage' => 'Please upload a valid PDF document',
])
],
])
// ...
;
}
public function configureOptions(OptionsResolver $resolver)
{
$resolver->setDefaults([
'data_class' => Product::class,
]);
}
}
Now, update the template that renders the form to display the new brochure
field (the exact template code to add depends on the method used by your application
to customize form rendering):
1 2 3 4 5 6 7 8
{# templates/product/new.html.twig #}
<h1>Adding a new product</h1>
{{ form_start(form) }}
{# ... #}
{{ form_row(form.brochure) }}
{{ form_end(form) }}
Finally, you need to update the code of the controller that handles the form:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58
// src/Controller/ProductController.php
namespace App\Controller;
use App\Entity\Product;
use App\Form\ProductType;
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\File\Exception\FileException;
use Symfony\Component\HttpFoundation\File\UploadedFile;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Routing\Annotation\Route;
use Symfony\Component\String\Slugger\SluggerInterface;
class ProductController extends AbstractController
{
#[Route('/product/new', name: 'app_product_new')]
public function new(Request $request, SluggerInterface $slugger)
{
$product = new Product();
$form = $this->createForm(ProductType::class, $product);
$form->handleRequest($request);
if ($form->isSubmitted() && $form->isValid()) {
/** @var UploadedFile $brochureFile */
$brochureFile = $form->get('brochure')->getData();
// this condition is needed because the 'brochure' field is not required
// so the PDF file must be processed only when a file is uploaded
if ($brochureFile) {
$originalFilename = pathinfo($brochureFile->getClientOriginalName(), PATHINFO_FILENAME);
// this is needed to safely include the file name as part of the URL
$safeFilename = $slugger->slug($originalFilename);
$newFilename = $safeFilename.'-'.uniqid().'.'.$brochureFile->guessExtension();
// Move the file to the directory where brochures are stored
try {
$brochureFile->move(
$this->getParameter('brochures_directory'),
$newFilename
);
} catch (FileException $e) {
// ... handle exception if something happens during file upload
}
// updates the 'brochureFilename' property to store the PDF file name
// instead of its contents
$product->setBrochureFilename($newFilename);
}
// ... persist the $product variable or any other work
return $this->redirectToRoute('app_product_list');
}
return $this->renderForm('product/new.html.twig', [
'form' => $form,
]);
}
}
Now, create the brochures_directory
parameter that was used in the
controller to specify the directory in which the brochures should be stored:
1 2 3 4 5
# config/services.yaml
# ...
parameters:
brochures_directory: '%kernel.project_dir%/public/uploads/brochures'
There are some important things to consider in the code of the above controller:
- In Symfony applications, uploaded files are objects of the UploadedFile class. This class provides methods for the most common operations when dealing with uploaded files;
- A well-known security best practice is to never trust the input provided by
users. This also applies to the files uploaded by your visitors. The
UploadedFile
class provides methods to get the original file extension (getClientOriginalExtension()), the original file size (getSize()) and the original file name (getClientOriginalName()). However, they are considered not safe because a malicious user could tamper that information. That's why it's always better to generate a unique name and use the guessExtension() method to let Symfony guess the right extension according to the file MIME type;
You can use the following code to link to the PDF brochure of a product:
1
<a href="{{ asset('uploads/brochures/' ~ product.brochureFilename) }}">View brochure (PDF)</a>
Tip
When creating a form to edit an already persisted item, the file form type
still expects a File
instance. As the persisted entity now contains only the relative file path,
you first have to concatenate the configured upload path with the stored
filename and create a new File
class:
1 2 3 4 5 6
use Symfony\Component\HttpFoundation\File\File;
// ...
$product->setBrochureFilename(
new File($this->getParameter('brochures_directory').'/'.$product->getBrochureFilename())
);
Creating an Uploader Service
To avoid logic in controllers, making them big, you can extract the upload logic to a separate service:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38
// src/Service/FileUploader.php
namespace App\Service;
use Symfony\Component\HttpFoundation\File\Exception\FileException;
use Symfony\Component\HttpFoundation\File\UploadedFile;
use Symfony\Component\String\Slugger\SluggerInterface;
class FileUploader
{
private $targetDirectory;
private $slugger;
public function __construct($targetDirectory, SluggerInterface $slugger)
{
$this->targetDirectory = $targetDirectory;
$this->slugger = $slugger;
}
public function upload(UploadedFile $file)
{
$originalFilename = pathinfo($file->getClientOriginalName(), PATHINFO_FILENAME);
$safeFilename = $this->slugger->slug($originalFilename);
$fileName = $safeFilename.'-'.uniqid().'.'.$file->guessExtension();
try {
$file->move($this->getTargetDirectory(), $fileName);
} catch (FileException $e) {
// ... handle exception if something happens during file upload
}
return $fileName;
}
public function getTargetDirectory()
{
return $this->targetDirectory;
}
}
Tip
In addition to the generic FileException class there are other exception classes to handle failed file uploads: CannotWriteFileException, ExtensionFileException, FormSizeFileException, IniSizeFileException, NoFileException, NoTmpDirFileException, and PartialFileException.
Then, define a service for this class:
1 2 3 4 5 6 7
# config/services.yaml
services:
# ...
App\Service\FileUploader:
arguments:
$targetDirectory: '%brochures_directory%'
Now you're ready to use this service in the controller:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24
// src/Controller/ProductController.php
namespace App\Controller;
use App\Service\FileUploader;
use Symfony\Component\HttpFoundation\Request;
// ...
public function new(Request $request, FileUploader $fileUploader)
{
// ...
if ($form->isSubmitted() && $form->isValid()) {
/** @var UploadedFile $brochureFile */
$brochureFile = $form->get('brochure')->getData();
if ($brochureFile) {
$brochureFileName = $fileUploader->upload($brochureFile);
$product->setBrochureFilename($brochureFileName);
}
// ...
}
// ...
}
Using a Doctrine Listener
The previous versions of this article explained how to handle file uploads using Doctrine listeners. However, this is no longer recommended, because Doctrine events shouldn't be used for your domain logic.
Moreover, Doctrine listeners are often dependent on internal Doctrine behavior which may change in future versions. Also, they can introduce performance issues unwillingly (because your listener persists entities which cause other entities to be changed and persisted).
As an alternative, you can use Symfony events, listeners and subscribers.