Ajax (jQuery) PHP Script // move_uploaded_file-problem

I'm working on a gallery-upload-function with

  • jQuery Ajax
  • PHP

The whole gallery-function contains 3 parts:

Form as view_create-char.php

    <form id='gallery_upload' method='post' enctype='multipart/form-data'>
     <input type='file' name='file' id='file'>
     <input type='hidden' name='name' value='".htmlspecialchars($_GET['c'], ENT_QUOTES)."' id='owner'>
     <input type='button' class='create_submit' value='Upload' 
     id='add_image_gallery'>
    </form>";

Ajax Script as main.js

    $(document).ready(function(){
        $("#add_image_gallery").click(function(){

            // Build a multipart body by hand: the selected file plus the owner name
            var fd = new FormData();
            var files = $('#file')[0].files[0];
            var name = $('#owner').attr("value");
            fd.append('file', files);
            fd.append('name', name);

            $.ajax({
                url: 'includes/gallery_upload.php',
                type: 'post',
                data: fd,
                // Let the browser set the multipart boundary and send fd unmodified
                contentType: false,
                processData: false,
                success: function(response){
                    if(response != 0){
                        alert('file uploaded');
                    }else{
                        alert('file not uploaded');
                    }
                },
            });
        });
    });

PHP-Script as gallery_upload.php

    <?php
    include 'dbh.inc.php';

    $owner = $_POST['name'];
    $file = $_FILES['file'];
    $fileName = $_FILES['file']['name'];
    $fileTmpName = $_FILES['file']['tmp_name'];
    $fileSize = $_FILES['file']['size'];
    $fileError = $_FILES['file']['error'];
    $fileType = $_FILES['file']['type'];

    // Take the last dot-separated part of the client-supplied name as the extension
    $fileExt = explode('.', $fileName);
    $fileActualExt = strtolower(end($fileExt));
    $allowed = array('jpg', 'jpeg', 'png', 'gif');   // defined but never checked
    $fileNameNew = uniqid('', true).'.'.$fileActualExt;
    $fileDestination = 'uploads/'.$fileNameNew;      // relative path
    move_uploaded_file($fileTmpName, $fileDestination);

    // Request values are concatenated straight into the SQL string
    $sql = "INSERT INTO
    characters_gallery (owner, image) VALUES ('$owner',
    '$fileNameNew');";
    $result = mysqli_query($conn, $sql);

The goal is to upload the image with Ajax and insert two values inside the characters_gallery-table. First, the owner of the table, then the name of the actual image, generated by the PHP Script. This works.

But the actual file is not getting moved to the designated folder /uploads by move_uploaded_file(). It remains empty although the table in my database is filled with the two values $owner and $fileNameNew. What confuses me is that before I used this Ajax-Script, this PHP-Script to move files to the uploads-folder worked fine. It doesn’t work with the script though.

I’m grateful for any help

Edit — Reaction to warning concerning SQL Injections:

I’m not sure if I’m using this edit like I’m supposed to, but it is additional information. If I’m wrong, please delete my edit.

I tried to add prepared statements and wondered if I eliminated any greater risk of SQL Injection:

    <?php
    include_once 'characterfunctions.inc.php';
    include 'dbh.inc.php';

    // Bound parameters need no escaping; mysqli_real_escape_string() here would
    // store the escape backslashes in the table.
    $owner = $_POST['name'];
    $file = $_FILES['file'];   // an array, so it cannot go through a string-escaping function
    $fileName = $_FILES['file']['name'];
    $fileTmpName = $_FILES['file']['tmp_name'];
    $fileSize = $_FILES['file']['size'];
    $fileError = $_FILES['file']['error'];
    $fileType = $_FILES['file']['type'];

    $fileExt = explode('.', $fileName);
    $fileActualExt = strtolower(end($fileExt));
    $allowed = array('jpg', 'jpeg', 'png', 'gif');   // defined but never checked
    $fileNameNew = uniqid('', true).'.'.$fileActualExt;
    $fileDestination = '../uploads/'.$fileNameNew;
    move_uploaded_file($fileTmpName, $fileDestination);

    $sql = "INSERT INTO characters_gallery (owner, image) VALUES (?, ?);";
    $stmt = mysqli_stmt_init($conn);
    if (!mysqli_stmt_prepare($stmt, $sql)) {
        echo "SQL Error";
    } else {
        mysqli_stmt_bind_param($stmt, "ss", $owner, $fileNameNew);
        mysqli_stmt_execute($stmt);
    }
    // The prepared statement above performs the insert; the placeholder SQL
    // must not be run a second time through mysqli_query().


#javascript #php #jquery #ajax

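An added example, not part of the original post: a hardened variant of includes/gallery_upload.php that builds the destination from `__DIR__` (a relative `uploads/` path is resolved against the working directory, which for a direct Ajax request to includes/gallery_upload.php is normally includes/), enforces the extension allowlist the post defines but never checks, and binds the SQL values. It assumes dbh.inc.php provides `$conn`, that the fileinfo extension is enabled, and an arbitrary size limit; `ALLOWED` and `MAX_BYTES` are names introduced here.

```php
<?php
// Added example: hardened variant of includes/gallery_upload.php from the post.
// Assumptions: dbh.inc.php sets $conn (mysqli); the fileinfo extension is enabled;
// MAX_BYTES is an arbitrary limit. On failure the body is "0", which main.js treats as an error.
include 'dbh.inc.php';

const ALLOWED = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                 'png' => 'image/png',  'gif'  => 'image/gif'];
const MAX_BYTES = 5 * 1024 * 1024;

$file  = $_FILES['file'] ?? null;
$owner = $_POST['name'] ?? '';

// Reject missing, failed, multi-file (error is then an array) or oversized uploads.
if (!is_array($file) || ($file['error'] ?? null) !== UPLOAD_ERR_OK
    || $file['size'] > MAX_BYTES || !is_string($owner) || $owner === '') {
    exit('0');
}

// The extension must be on the allowlist AND match the type sniffed from the bytes;
// $_FILES['file']['type'] is sent by the client and is not trusted.
$ext  = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
$mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
if (!isset(ALLOWED[$ext]) || ALLOWED[$ext] !== $mime) {
    exit('0');
}

// Absolute path: __DIR__ is includes/, so this is <project>/uploads no matter
// which script was requested or which page included this file.
$newName = bin2hex(random_bytes(16)) . '.' . $ext;
$dest    = dirname(__DIR__) . '/uploads/' . $newName;
if (!move_uploaded_file($file['tmp_name'], $dest)) {
    exit('0');
}

// Insert the row only once the file is on disk; values are bound, not concatenated.
$stmt = mysqli_prepare($conn, 'INSERT INTO characters_gallery (owner, image) VALUES (?, ?)');
if (!$stmt || !mysqli_stmt_bind_param($stmt, 'ss', $owner, $newName)
    || !mysqli_stmt_execute($stmt)) {
    unlink($dest);   // do not leave an orphaned file behind
    exit('0');
}
echo $newName;
```

Configure the web server so that nothing under uploads/ is ever executed as PHP.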