PHP Script is not Properly Uploading Images

Question

I'm working on a small, user-maintained online store, and am trying to allow my end user (the store administrator) to upload graphics for products. When I run this script, however, it doesn't actually store the image. I built this script from various tips here and a tutorial, and have gotten everything but the image upload portion to work.

// Set the image target directory here
$target = "itemImages/";
$target = $target . basename($_FILES["image"]["name"]);

// Variables get POSTed here - just tack new ones on at the end.
// Various POSTs omitted for brevity

$pic=($_FILES["image"]["name"]);

// Places the picture in the folder
if(move_uploaded_file($_FILES["image"]['tmp_name'], "itemImages/")) 
{
echo "The file " . basename($_FILES['uploadedfile']["name"]) . " has been         uploaded.<br />";
}else {
    echo "There was an issue adding this item. Please try again.<br />";
}

// Writes variables to the database
mysql_query("INSERT INTO tbl_item   (itemNAME,itemDESC,itemCOST,itemHCOL,itemHSIZ,itemIMG)
VALUES ('$itemName','$itemDesc','$itemCost','$hasColor','$hasSize','$pic')");

mysql_close($con);
?>

Any help, tips, advice, insight, etc. would be very much appreciated.

Answer 1

move_uploaded_files requires a filename as its target. It does not blindly move to a directory, so

move_uploaded_files($_FILES..., 'somedir/somefile.txt');

works, but

move_uploaded_file($_FILES..., 'somedir/');

will not.

Plus, note that your database operation is vulnerable to SQL injection attacks . You're blindly inserting the uploaded file's remote name ( ['name'] via $pic), and that name is fully under the remote user's control.

Answer 2

确保itemImages文件夹具有您的Web服务器（例如Apache ）正在运行的用户的写入权限（例如www-data ）

Answer 3

make sure the .php file and the folder you are writing to have the same "owner". Or try setting permissions on the itemImages folder to 777 (This is not recommended, just a debug tactic)