Galleeandfarel, i don't think you understood Jim correctly. Though your script might work as you intended, it is byfar unsecure. read the link he posted you will see why.
you need to use this on all of your user inputs. to help prevent people from being able to hack your site with SQL injections.
Code:
mysql_real_escape_string($_POST[''])
though to answer your question.
Code:
$upload_path = './files/'; // The place the files will be uploaded to (currently a 'files' directory).
might be your problem? cant' say for sure as i didn't test anything, but by looking at it, your trying to upload the file to a folder called "files" but with the " ./" doesn't that tell the script up 1 directory?
root/
root/site (where your script is located)
root/site/files
root/site/other files
that would attempt to put your uploads into a folder called
root/files/
not the intended
root/site/files
though i may be misinterpreting the "./". i know double periods "../" does, but not sure about a single one.