Reputation: 55
So I've been working on this for a while now and I can't figure out how to get it to insert into the database. The image uploads and is stored in the server's imgs directory; however, no trace is found in the database. There are no errors at all. I'm well aware of the SQL injection weaknesses, but this is for a private project that is for a prototype, so I'm just aiming for functionality at this point. Why on earth isn't this working? I feel like it could be skipping the SQL query but I don't see why.
<?php
error_reporting(E_ALL);
ini_set('display_errors', 1);
$conn = new PDO ("mysql:host=localhost;dbname=project", "root", "0612733771Aa");
try {
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
} catch (PDOException $e) {
    echo 'Connection failed: ' . $e->getMessage();
}
if(!isset($_FILES['upload']) || $_FILES['upload']['error'] == UPLOAD_ERR_NO_FILE) {
    echo "Error no file selected";
}
else {
    $filename = $_FILES['upload']['name']; //yes
    $filetype = $_FILES['upload']["type"]; //yes
    $title = $_POST['title'];
    $description = $_POST['description'];
    $category = $_POST['category'];
    $dir = "imgs/";
    $filetarget = $dir . basename($_FILES['upload']['name']);
    $allowed = array("jpg" => "image/jpg", "jpeg" => "image/jpeg", "gif" => "image/gif", "png" => "image/png");
    $ext = pathinfo($filetarget, PATHINFO_EXTENSION);
    if(!array_key_exists($ext, $allowed)) {
        echo "Please select a valid file.";
        exit;
    }
    $conn->query = ("INSERT INTO images (title, image, description, category) VALUES ('$title', '$filename', '$description', '$category')");
    if (move_uploaded_file($_FILES['upload']['tmp_name'], $filetarget)) {
        echo "The file ". basename( $_FILES['upload']['name']). " has been uploaded.";
    }
    else {
        print "File was not uploaded.";
        exit;
    }
}
?>
Thanks in advance
Upvotes: 0
Views: 102
Reputation: 55
I figured out the solution thanks to the help of @Fred-ii-. The problem was that I was not using prepared statements; the updated code is below. I had to switch my entire code to a prepared statement, and make use of PDO::PARAM_LOB in order to submit a large blob into the database.
<?php
error_reporting(E_ALL);
ini_set('display_errors', 1);
try {
    $conn = new PDO ("mysql:host=localhost;dbname=project", "root", "0612733771Aa");
    // Make PDO throw on SQL errors instead of failing silently
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
} catch (PDOException $e) {
    echo 'Connection failed: ' . $e->getMessage();
    exit;
}
if(!isset($_FILES['upload']) || $_FILES['upload']['error'] == UPLOAD_ERR_NO_FILE) {
    echo "Error no file selected";
}
else {
    $filetype = $_FILES['upload']["type"]; //yes
    $title = $_POST['title'];
    $description = $_POST['description'];
    $category = $_POST['category'];
    $dir = "imgs/";
    $filetarget = $dir . basename($_FILES['upload']['name']);
    $allowed = array("jpg" => "image/jpg", "jpeg" => "image/jpeg", "gif" => "image/gif", "png" => "image/png");
    $ext = pathinfo($filetarget, PATHINFO_EXTENSION);
    if(!array_key_exists($ext, $allowed)) {
        echo "Please select a valid file.";
        exit;
    }
    // Open the uploaded temp file as a stream so it can be bound as a LOB
    $fp = fopen($_FILES['upload']['tmp_name'], 'rb');
    // Positional placeholders: the values are bound below, not interpolated into the SQL text
    $stmt = $conn->prepare("INSERT INTO images (title, image, description, category) VALUES (?, ?, ?, ?)");
    $stmt->bindParam(1, $title);
    $stmt->bindParam(2, $fp, PDO::PARAM_LOB);
    $stmt->bindParam(3, $description);
    $stmt->bindParam(4, $category);
    $conn->beginTransaction();
    $stmt->execute();
    $conn->commit();
    fclose($fp);
    if (move_uploaded_file($_FILES['upload']['tmp_name'], $filetarget)) {
        echo "The file ". basename( $_FILES['upload']['name']). " has been uploaded.";
    }
    else {
        print "File was not uploaded.";
        exit;
    }
}
?>
Upvotes: 1
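An added example, not code from either post: it shows why the question's `$conn->query = (...)` line inserted nothing without raising an error, next to the same insert written with positional `?` placeholders and `PDO::PARAM_LOB`. It assumes `pdo_sqlite` is loaded and uses an in-memory SQLite database in place of the MySQL `project` database; the title, description, category and image bytes are constructed sample values.

```php
<?php
// Added example. Assumptions: pdo_sqlite is loaded; an in-memory SQLite database
// stands in for the MySQL "project" database; every input below is constructed.
$conn = new PDO('sqlite::memory:');
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$conn->exec('CREATE TABLE images (title TEXT, image BLOB, description TEXT, category TEXT)');

function countRows(PDO $conn): int {
    return (int) $conn->query('SELECT COUNT(*) FROM images')->fetchColumn();
}

// Constructed stand-ins for $_POST and $_FILES['upload']['tmp_name'].
$title       = "Bob's cat";  // an apostrophe breaks a quoted, interpolated value
$description = 'constructed sample';
$category    = 'pets';
$bytes       = "\x89PNG\r\n\x1a\n" . str_repeat("\x00\x27\x5c", 20); // NUL, quote, backslash
$tmp         = tempnam(sys_get_temp_dir(), 'upl');
file_put_contents($tmp, $bytes);

// 1) The question's line: "=" stores a string in a property named "query".
//    No SQL is sent, so nothing is inserted and PDO has no error to raise.
//    (PHP 8.2+ reports a dynamic-property deprecation; "@" hides it here.)
@$conn->query = ("INSERT INTO images (title) VALUES ('x')");
$afterAssignment = countRows($conn);

// 2) Placeholders keep the data out of the SQL text; the stream is bound as a LOB.
$fp   = fopen($tmp, 'rb');
$stmt = $conn->prepare(
    'INSERT INTO images (title, image, description, category) VALUES (?, ?, ?, ?)'
);
$stmt->bindParam(1, $title);
$stmt->bindParam(2, $fp, PDO::PARAM_LOB);
$stmt->bindParam(3, $description);
$stmt->bindParam(4, $category);
$conn->beginTransaction();
$stmt->execute();
$conn->commit();
fclose($fp);
unlink($tmp);

$row   = $conn->query('SELECT title, image FROM images')->fetch(PDO::FETCH_ASSOC);
$image = is_resource($row['image']) ? stream_get_contents($row['image']) : $row['image'];
printf("rows after assignment: %d\n", $afterAssignment);
printf("rows after execute():  %d\n", countRows($conn));
printf("title stored intact:   %s\n", $row['title'] === $title ? 'yes' : 'no');
printf("blob stored intact:    %s\n", $image === $bytes ? 'yes' : 'no');
```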