How to check if the input file is empty or not


Hello, I have a script for inserting multiple pictures in database and when I want to delete existing files and inserting new ones each time I make the update but I don't know how to make the delete only when the input is a file and if not just skip that part. Here is my code:

if($size > 1) {
   $query = "Delete from Imagini_Hotel where ID_Hotel='$id_hotel'";
    $result = mysql_query($query)
        or die("query failed: " . mysql_error());

$errors= array();
foreach($_FILES['files']['tmp_name'] as $key => $tmp_name ){
    $file_name = $key.$_FILES['files']['name'][$key];
    $file_size =$_FILES['files']['size'][$key];
    $file_tmp =$_FILES['files']['tmp_name'][$key];

    if($file_size > 9097152){
        $errors[]='File size must be less than 9 MB';
    if($file_size <= 0)
    $query="Insert into Imagini_Hotel (`ID_Hotel`,`Nume_Poza`,`Prioritate`) VALUES('$id_hotel','$file_name','$key'); ";
            mkdir("$desired_dir", 0777);        // Create directory if it does not exist
        }else{                                  // rename the file if another one exist
             rename($file_tmp,$new_dir) ;
    echo "Success";

There's an ['error'] parameter you can check (and should be checking anyways). Right now you're simply assuming the upload succeeded.

if ($_FILES['tmp_name']['error'][$key] === UPLOAD_ERR_OK) {
   ... file was uploaded ...
} else {
   die("Upload failed with error code " . $_FILES['tmp_name']['error'][$key]);

The error codes are defined here: You're interested in codes 0 (success) and 4 (no file).

As well, note that your upload handling code opens your server to a complete remote compromise. You're directly using a user-provided filename in your move..() operations, allowing a malicious user to scribble on ANY file on the system. Nothing says that the user-provided filename can't contain pathing information, e.g. ['name'] = '../../../../../../../etc/passwd, which your script happily and blindly uses without any filtering/checking.