I created a page that can add new records to my database. Everything is working fine, but when I try to upload a PDF file, it isn't stored in the correct folder. It should be stored in my "uploads" folder. When I check my database, it doesn't link properly: it should be ../uploads/example.pdf instead of only example.pdf.

<?php

require('db.php');
include("auth.php");

$status = "";
if(isset($_POST['new']) && $_POST['new']==1)
{
$trn_date = date("Y-m-d H:i:s");
$fname =$_REQUEST['fname'];
$lname = $_REQUEST['lname'];
$memo = $_REQUEST['memo'];
$file = $_REQUEST['file'];
$submittedby = $_SESSION["username"];
$ins_query="insert into user (`trn_date`,`fname`,`lname`,`memo`,`submittedby`,`file`) values ('$trn_date','$fname','$lname','$memo','$submittedby','$file')";
mysqli_query($con,$ins_query) or die(mysql_error());
$status = "New Record Inserted Successfully.</br></br><a href='view.php'>View Inserted Record</a>";
}
?>
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Insert New Record</title>
<link rel="stylesheet" href="css/style.css" />
</head>
<body>
<div class="form">
<p><a href="dashboard.php">Dashboard</a> | <a href="view.php">View Records</a> | <a href="logout.php">Logout</a></p>

<div>
<h1>Insert New Record</h1>
<form name="form" method="post" action=""> 
<input type="hidden" name="new" value="1" />
<p><input type="text" name="fname" placeholder="Enter Date" required /></p>
<p><input type="text" name="memo" placeholder="Enter Memorandum" required /></p>
<p><input type="text" name="lname" placeholder="Enter Title" required /></p>
<form action="" method="POST" enctype="multipart/form-data">
         <input type="file" name="file" />
         <input type="submit"/>
      </form>
<?php
   if(isset($_FILES['file'])){
      $errors= array();
      $file_name = $_FILES['file']['name'];
      $file_size =$_FILES['file']['size'];
      $file_tmp =$_FILES['file']['tmp_name'];
      $file_type=$_FILES['file']['type'];
      $file_ext=strtolower(end(explode('.',$_FILES['file']['name'])));

      $expensions= array("pdf");

      if(in_array($file_ext,$expensions)=== false){
         $errors[]="extension not allowed, please choose a pdf file.";
      }

      if($file_size > 2097152){
         $errors[]='File size must not exceed 2 MB';
      }

      if(empty($errors)==true){
         move_uploaded_file($file_tmp,"../uploads/".$file_name);
         echo "Success";
      }else{
         print_r($errors);
      }
   }
?>

<p><input name="submit" type="submit" value="Submit" /></p>
</form>

<p style="color:#FF0000;"><?php echo $status; ?></p>
</div>
</div>
</body>
</html>
Jens
Jay Doe

2 Answers

That's because you set it to save only the file name:

    $file = $_REQUEST['file'];

Instead it should be:

    $file = "../uploads/".$_REQUEST['file'];

b0ne

There are quite a few logical errors in your code.

  1. You are inserting a record into the MySQL database before you do your check on the file extension and file size.

  2. You just insert the file name into MySQL ($file = $_REQUEST['file'];), hence only the file name appears there. The correct code would be:

    $file = "../uploads/".$_FILES['file']['name'];

A bit further down you need to adjust the file move part:

    move_uploaded_file($file_tmp, $file);

  3. In the error checking after the SQL insert you use mysql_error(), not mysqli_error($con)

  4. You do not check if the move_uploaded_file($file_tmp,"../uploads/".$file_name); call was successful and the file was moved to its final location.

  5. Also please consider using prepared statements to prevent SQL injection attacks.

Community
Shadow
  • I already changed the $file = $_REQUEST['file']; into $file = "../uploads/".$_REQUEST['file']; and mysql to mysqli but it still doesn't store to the correct path. What do you mean by not checking move_uploaded_file($file_tmp,"../uploads/".$file_name); call was successful? – Jay Doe May 16 '17 at 08:30
  • I'm sorry, but I'm not a mind reader. What path does the modified script store and why is it not the correct one? Regarding your question on move_uploaded_file(): please read the PHP manual: http://php.net/manual/en/function.move-uploaded-file.php – Shadow May 16 '17 at 08:34
  • Added further adjustments to the answer. – Shadow May 16 '17 at 08:39
  • Tried almost everything but the uploaded file doesn't move to the uploads folder. – Jay Doe May 16 '17 at 08:49
  • This is not something I can help you with. You need to check the relative path you use, the access rights to that folder, etc. Start by checking the return value of the move_uploaded_file(). – Shadow May 16 '17 at 08:53
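
The points from the second answer (validate before inserting, store the full path, check the return value of move_uploaded_file(), use a prepared statement) combined into one handler, as an added example that is not code from the question or from either answer. It assumes db.php provides $con, auth.php starts the session, and the page has a single form with method="post" and enctype="multipart/form-data"; it goes beyond the answers by replacing the client-supplied file name with a server-generated one, and store_pdf(), UPLOAD_DIR and MAX_BYTES are hypothetical names.

```php
<?php
// Added example. Assumed: db.php defines $con (mysqli), auth.php starts the
// session, and the `user` table has the columns shown in the question.
require 'db.php';
include 'auth.php';

const UPLOAD_DIR = __DIR__ . '/../uploads/';   // filesystem location (assumed layout)
const MAX_BYTES  = 2097152;                    // 2 MB, as in the question

function store_pdf(array $f): string
{
    if ($f['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed, error code ' . $f['error']);
    }
    if ($f['size'] > MAX_BYTES) {
        throw new RuntimeException('File size must not exceed 2 MB');
    }
    // 'name' and 'type' come from the client: use the name only to read the
    // extension, and take the content type from the bytes on disk.
    $ext  = strtolower(pathinfo(basename($f['name']), PATHINFO_EXTENSION));
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($f['tmp_name']);
    if ($ext !== 'pdf' || $mime !== 'application/pdf') {
        throw new RuntimeException('Extension not allowed, please choose a pdf file.');
    }
    // Server-generated name: no "../" in the path, no overwriting earlier uploads.
    $stored = bin2hex(random_bytes(16)) . '.pdf';
    if (!move_uploaded_file($f['tmp_name'], UPLOAD_DIR . $stored)) {
        throw new RuntimeException('Could not move file; check path and permissions');
    }
    return '../uploads/' . $stored;            // value for the `file` column
}

$status = '';
if (isset($_POST['new'], $_FILES['file']) && $_POST['new'] == 1) {
    try {
        $file = store_pdf($_FILES['file']);    // validate and move before inserting
        $stmt = mysqli_prepare($con, 'INSERT INTO user
            (`trn_date`,`fname`,`lname`,`memo`,`submittedby`,`file`) VALUES (?,?,?,?,?,?)');
        $date = date('Y-m-d H:i:s');
        mysqli_stmt_bind_param($stmt, 'ssssss', $date, $_POST['fname'],
            $_POST['lname'], $_POST['memo'], $_SESSION['username'], $file);
        if (!mysqli_stmt_execute($stmt)) {
            throw new RuntimeException(mysqli_stmt_error($stmt));
        }
        $status = 'New Record Inserted Successfully.';
    } catch (RuntimeException $e) {            // also catches mysqli_sql_exception
        $status = htmlspecialchars($e->getMessage());
    }
}
```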