
I am having a problem with using this php script to store an uploaded image file name in a database and store the file with a random generated name in a folder.

I get "Error" showing up on my screen because my script echoes it, but no real errors show up. The file is being stored in my directory folder, however it doesn't have a random name given to it and it is not being stored in the database. I have spent an hour trying to figure out what could be wrong. I would seriously appreciate help.

<!DOCTYPE html>
<html>
<head>
    <title>File Upload</title>
</head>
<body>
 
<form method="post" enctype="multipart/form-data">
    <label>Title</label>
    <input type="text" name="title">
    <label>File Upload</label>
    <input type="File" name="file">
    <input type="submit" name="submit">
 
 
</form>
 
</body>
</html>
 
<?php
$localhost = "localhost";  #localhost
$dbusername = "root";      #username of phpmyadmin
$dbpassword = " ";         #password of phpmyadmin
$dbname = "fun";           #database name

#connection string
$conn = mysqli_connect($localhost, $dbusername, $dbpassword, $dbname);

if (isset($_POST["submit"])) {
    #retrieve file title
    $title = $_POST["title"];

    #file name with a random number so that similar ones don't get replaced
    $pname = rand(1000, 10000) . "-" . $_FILES["file"]["name"];

    #temporary file name to store file
    $tname = $_FILES["file"]["tmp_name"];

    #upload directory path
    $uploads_dir = "images/";
    #to move the uploaded file to a specific location
    move_uploaded_file($tname, $uploads_dir . '/' . $pname);

    #sql query to insert into database
    $sql = "INSERT into fun(image) VALUES('$pname')";

    if (mysqli_query($conn, $sql)) {
        echo "File Successfully uploaded";
    } else {
        echo "Error";
    }
}
?>
Simon
  • Regarding the database query, you should add [error handling](https://www.php.net/manual/en/mysqli.error.php) to see why it fails. – M. Eriksson Jul 03 '20 at 08:04
  • 1
    **Warning!** You are open for [SQL injection](https://owasp.org/www-community/attacks/SQL_Injection) attacks. You should use parameterized [prepared statements](https://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php) instead of using completely unescaped user data directly in your queries like that. _Never ever ever never_ trust user input. – M. Eriksson Jul 03 '20 at 08:04
  • Does this answer your question? [mysqli or die, does it have to die?](https://stackoverflow.com/questions/15318368/mysqli-or-die-does-it-have-to-die) – CBroe Jul 03 '20 at 08:05
  • Should I add $conn->close();? I am really new to using PHP. Also, how dangerous would an SQL injection be if the information is not sensitive? – Simon Jul 03 '20 at 08:15
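A hardened version of the asker's handler, added here as an example (it is not code from the question or from any answer): it makes mysqli raise exceptions so a failing INSERT is no longer a silent "Error", binds the file name with a prepared statement as M. Eriksson's comment recommends, checks the upload error code and the file's real MIME type, and names the stored file with random_bytes() instead of rand(). The table fun(image), the images/ directory and the 2 MiB limit are assumptions.

```php
<?php
// Added example, not the asker's code: a hardened version of the upload handler.
// Assumes the question's table and column (fun.image) and an images/ directory beside
// this script from which the web server serves static files only (no script execution).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors instead of returning false
$conn = new mysqli("localhost", "root", "", "fun");
$uploadsDir = __DIR__ . "/images";   // absolute path, independent of the working directory
$allowed    = ["image/jpeg" => "jpg", "image/png" => "png", "image/gif" => "gif"];

function storeUpload(mysqli $conn, array $file, string $uploadsDir, array $allowed): string
{
    // 1. Check the upload itself succeeded before trusting tmp_name or size.
    if (($file["error"] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException("upload failed, error code " . ($file["error"] ?? "none"));
    }
    if ($file["size"] > 2 * 1024 * 1024) {
        throw new RuntimeException("file larger than 2 MiB");
    }
    // 2. Derive the extension from the file's content, never from the client-supplied name.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file["tmp_name"]);
    if (!isset($allowed[$mime])) {
        throw new RuntimeException("unsupported type $mime");
    }
    // 3. Unpredictable name; rand(1000,10000) is both guessable and likely to collide.
    $newName = bin2hex(random_bytes(16)) . "." . $allowed[$mime];
    $dest    = $uploadsDir . "/" . $newName;
    // 4. move_uploaded_file() only accepts a file PHP itself received in this request.
    if (!move_uploaded_file($file["tmp_name"], $dest)) {
        throw new RuntimeException("could not move file to $dest");
    }
    // 5. Parameterised insert: the name is bound, never spliced into the SQL text.
    try {
        $stmt = $conn->prepare("INSERT INTO fun (image) VALUES (?)");
        $stmt->bind_param("s", $newName);
        $stmt->execute();
    } catch (mysqli_sql_exception $e) {
        unlink($dest);   // keep disk and database consistent
        throw $e;
    }
    return $newName;
}

if (isset($_POST["submit"], $_FILES["file"])) {
    try {
        echo "Stored as " . htmlspecialchars(storeUpload($conn, $_FILES["file"], $uploadsDir, $allowed));
    } catch (Throwable $e) {
        error_log($e->getMessage());   // details go to the server log, only a generic message to the browser
        echo "Upload failed";
    }
}
```

With MYSQLI_REPORT_STRICT enabled, the reason for a failed query (for example a wrong password or a table that does not exist) lands in the server error log instead of being swallowed by the `else { echo "Error"; }` branch.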

2 Answers


I had the same problem as you when uploading a file using PHP. I think you should add $_SERVER['DOCUMENT_ROOT'] to the part of your code where you're specifying the destination directory, so that the move_uploaded_file() call looks like this:

move_uploaded_file($tname, $_SERVER['DOCUMENT_ROOT'].$uploads_dir.'/'.$pname);

MBiabanpour

I have had exactly this problem some years ago. What I surmised was that the PHP function move_uploaded_file() does not actually result in a file that is moved, as far as the operating system is concerned, until the PHP script exits and closes its file handles.

I forget which workaround I used - possibly I used PHP to COPY the file instead of moving it.

It is a real limitation when putting user supplied data in a database. Ah. I found the code I used.

    $filename = basename($filename);
    $newname = $tmpname . $id;
    copy($tmpname, $newname);
    $query = sprintf("update product set picture=LOAD_FILE('%s'), picture_filename='%s', picture_size='%d' where id='%d'",
            $newname, $filename, $filesize, $id);
    mysql_query($query); //there!
    unlink($newname);

This should be enough of a fragment to get the general idea. In later versions of doing similar I read the file into memory, and if it's binary, turn it into a hex string and insert that.

Leo smith
    **Warning:** `mysql_*` extension is deprecated as of PHP 5.5.0, and has been removed as of PHP 7.0.0. Instead, either the [mysqli](https://www.php.net/manual/en/book.mysqli.php) or [PDO_MySQL](https://www.php.net/manual/en/book.pdo.php) extension should be used. See also the [MySQL API Overview](https://www.php.net/manual/en/mysqlinfo.api.choosing.php) for further help while choosing a MySQL API. – Dharman Jul 03 '20 at 13:15
  • Very good point - that code is over ten years old... anyway, the same principle applies – Leo smith Jul 10 '20 at 11:15