Upload multiple files via ajax from an HTML file input

It’s because you’re logged out and the code does not handle that

There is also a major security hole in the code, scroll down to see the details

HTTP 400 and a 0 is what admin-ajax.php returns when it cannot find a handler for your AJAX request.

Note that if you had used the modern REST API instead of the legacy admin-ajax.php API it would have told you this in plaintext human readable language and a 404 like this:

{"code":"rest_no_route","message":"No route was found matching the URL and request method.","data":{"status":404}}

It would also have responded with a 403 forbidden if you’d made the same mistake, which is much harder to make when using AJAX with a REST API endpoint

If we look at the tutorial we can see where it adds the AJAX handler action:

add_action('wp_ajax_cvf_upload_files', 'cvf_upload_files');
add_action('wp_ajax_nopriv_cvf_upload_files', 'cvf_upload_files'); // Allow front-end submission

But, if we look at the code in your question:

add_action('wp_ajax_file_upload','file_upload');

Your code has 1 action, the tutorial has 2. You’re missing the wp_ajax_nopriv_ version.

Overrall, keep in mind this is an 8 year old tutorial from 2015, and you shouldn’t follow just a single tutorial when researching things. The official WordPress developer docs explain this much better, and since that tutorial was written a new modern API for AJAX called the REST API was written.

Further Notes

  • you never checked that move_uploaded_file worked or not, it returns a false value if it failed, you need to check for this or it will fail silently and you’ll be scratching your head trying to figure out why files are missing
  • it needs to create the folder!
  • you should not assume the location of the upload folder, the tutorial you shared uses wp_upload_dir() instead of assuming /wp-content/uploads to do this
  • What if $_POST['application_id'] contained something malicious? e.g. ../? or myapplicationID/and/this/is/a/subfolder?
  • the AJAX happens every time the file input changes, which means if I accidentally pick the wrong file, it’s instantly uploaded and I can’t get it back! What if I picked something confidential by accident that was next to it and now we’re both in trouble? Or if I select the same file 5 times, now there are 5 copies on your server. What if I accidentally select a 24GB blueray backup file?
    • the tutorial also has a check for this, but your code does not

🚨 A Major Security Problem In The Code 🚨

  • There is no validation on the files, I could use this to upload and run PHP files!!!!
    • the tutorial you’re following uses the wp_check_filetype function to do this
    • I could use your form to submit PHP files that give me total control over your website then just visit example.com/wp-content/supporting-evidence/myapplicationID/hacksite.php, this is very dangerous!
    • at a minimum check the file extensions, WordPress has functions for checking valid filetypes

Related Posts:

  1. How do I Import / Upload Files with jQuery AJAX?
  2. Get uploaded image and attach it to the new post
  3. How can I fetch loop of post titles via AJAX?
  4. Retrieve POST data from AJAX call
  5. WordPress Ajax always returns a 404 error
  6. problem with ajax and the path to the php page
  7. How to use wp_localize_script in a WordPress page other than functions.php?
  8. Real time Duplicate title check
  9. Load custom field value into div with AJAX
  10. Accessing a random image via ajax
  11. Update WordPress Custom Field with AJAX on cached page
  12. Targeting single page with JS
  13. Click loads template via ajax
  14. How to retrieve the content (with a specific ID) via ajax by clicking a link tag
  15. How to speed up admin-ajax.php in wordpress
  16. Returning a value from a PHP page
  17. Stumped – Ajax Response Returns 0
  18. Sending jsPDF documents to the server
  19. wp_insert_post() is returning the correct post ID, no failure, but the post content does not get updated
  20. doing an ajax request always outputs 0
  21. How to test nonce with AJAX – Plugin development
  22. Woocommerce add to cart quantity buttons with AJAX
  23. class click counter save number
  24. Why is $_REQUEST an empty array in admin-ajax.php?
  25. Checking for new message using AJAX and PHP. Server overload?
  26. AJAX request status 200 but no actual “response”
  27. wordpress count link clicks by ip address
  28. Ajax load more posts with multiple tax query
  29. WordPress Sending data to Ajax with select option
  30. Ajax request not sending to server and returning – wp-admin/admin-ajax.php 400
  31. Why ajax doesn’t work on certain wordpress hooks and reload the page instead?
  32. AJAX pagination, update current page
  33. Save Search System
  34. adjust section according to country?
  35. populate form fields in a loop with ajax
  36. dynamic dependent select dropdown
  37. Change “add to cart” button color based on Woocommerce product category [closed]
  38. Ajax request returns ‘Array’. How to output the actual results?
  39. How to add a do_action on refreshing of WP customizer?
  40. Show success or error messages in Ajax response to WordPress custom registration form
  41. How to add a Custom Mailchimp AJAX Newsletter Subscribe Form
  42. Plugins not working on AJAX requests
  43. Fancybox type popup window that’s not an iframe
  44. How to disable controls in theme customizer?
  45. Can I use a jQuery Ajax request in Code Snippets Plugin for WordPress?
  46. Pull GetOption() variable into jQuery dynamically created html
  47. Function won’t run onclick using Ajax
  48. WordPress plugin admin page – using WordPress function in linked php file
  49. A $_POST should occur when submit form but is not?
  50. jQuery Ajax PHP function call returning [object Object]
  51. Shortcode to pull posts
  52. Ajax search shows all results when user empties input?
  53. Why i can’t get custom fields value or post ID via Ajax?
  54. Admin-ajax php not working on new wordpress version
  55. Proper way to use WordPress function with AJAX PHP file
  56. Convert canvas to image and upload image to server
  57. Live search from database table
  58. Add a counter for mouseovers (custom field)
  59. Accessing an API with jQuery and AJAX
  60. Execute Jquery when a specific page in my plugin is loading
  61. Change Query Arguments (filter) with jQuery/Ajax or PHP?
  62. How to load previous or next attachment with jquery ?
  63. How to set variables with AJAX request to use in another function in WordPress
  64. Search Ajax Call – Use Form Data in Response
  65. Validating an email input from form field before submit using JQuery, AJAX, and PHP
  66. Why does PHP called with Jquery AJAX not allow additional php code to be added?
  67. Tracking Visitor LatLng with WordPress using JS, PHP. How to put data which was extract using JS into DB
  68. Database entry removed on browser refresh, Ajax PHP jQuery
  69. Failed to load resource: the server responded with a status of 500 (Internal Server Error) through wp_admin_ajax.php
  70. Ajax result show in console if is called outside function and not showing in array
  71. Ajax filter with loadmore button
  72. Admin-ajax.php 404 error
  73. How to pass values from one function to the other using an array variable
  74. How to change PHP variables with AJAX request in WordPress
  75. Update $wpdb query with AJAX
  76. Can’t make lazy load for my site, help!
  77. wp_ajax_ 400 Bad Request
  78. AJAX to add to cart multiple products woocommerce
  79. update_post_meta Not Processing Array Data (Not Sure What I Am Missing)
  80. WordPress ajax filter returning all posts when it should be filtering by category
  81. Input field duplicates on form submit by jQuery
  82. How to echo a PHP code into WooCommerce variation product?
  83. How can i get the same ajax result using WP REST API instead of admin-ajax?
  84. How to call a function from functions.php with ajax?
  85. Custom theme admin-ajax.php 400 (Bad Request)
  86. Remove item from post_meta array via AJAX
  87. number of posts with “Load More”
  88. Find the method which AJAX GET calls
  89. AJAX Filter WHILE Loop not working WordPress
  90. WordPress AJAX load post metadata in modal
  91. Why I’m Not Having Access to “$_POST” Data Outside My AJAX Callback?
  92. ajax form with multiple submit buttons and values
  93. How to run ajax in WordPress Post?
  94. Adding instant search to wordpress page
  95. Add php function into .js file (for tinyMCE button)
  96. WordPress will suddenly stop saving files uploaded by my code (ran in nopriv ajax)
  97. Edit Image/Image Details – Replace button missing
  98. ajax form function error
  99. Load Meta box value into div AJAX [duplicate]
  100. notify users when changed database