bad_gui Posted August 13, 2007

At the top of my script I have

```php
echo $_POST["pdfname"];
```

and it shows the correct result: Br_J_Cancer91p1200-4.pdf

However later in the code I get the error

```php
$file = mysql_real_escape_string($_POST["pdfname"]);
if (!$file) { die("could not set file");}
```

I have tried single quotes as well as just $file = $_POST["pdfname"] but nothing works. I'm really confused about this.

The filename will be inserted into a mysql table and the file written with the name "pdfname" to a directory.

BillyBoB Posted August 13, 2007

Could I see your whole script to see if I can find the error?

trq Posted August 13, 2007

You'll want to escape the string just prior to placing it in your query but after validating that it is an actual file.

bad_gui Posted August 14, 2007

Here is the relevant section of code. If I set $file = "bogus" the file is uploaded with the name bogus

```php
<?
ini_set('display_errors','1');

echo $_POST["pdfname"];

if ((!empty($_FILES['filename']['tmp_name']) && $_FILES['filename']['type'] == 'application/pdf')
    && !empty($_POST["authors"])
    && !empty($_POST["title"])
    && !empty($_POST["date1"])
    && !empty($_POST["journal"])
    && (!empty($_POST["category"]) || !empty($_POST["category2"]))
    && !empty($_POST["abstract"]) ) {

    $category = implode("|", array_merge($_POST["category"], $_POST["category2"]));
    $category = trim ($category, "|");
    $abstract = str_replace("\r\n", " ", $_POST["abstract"]);
    $title = str_replace("\r\n", " ", $_POST["title"]);
    $journal = str_replace("\r\n", " ", $_POST["journal"]);
    $authors = str_replace("\r\n", " ", $_POST["authors"]);

    if (strlen($category) < 255) {
        $link = @mysql_connect($database_host, $database_user, $database_password);
        @mysql_select_db ($database_name);
        $query = "SELECT title FROM library WHERE title='$title' LIMIT 1";
        $result = mysql_query ($query);
        $rows = mysql_num_rows ($result);

        if ($rows == '0') {
            $query = "SELECT file FROM library ORDER BY file DESC LIMIT 1";
            $result = mysql_query ($query);
            $last_file = mysql_fetch_row($result);
            // $file = (int) $last_file[0] + 1;
            // $file = sprintf ("%05d.pdf",$file);
            $date2 = date('Y-m-d');
            $file = mysql_real_escape_string($_POST["pdfname"]);

            if (move_uploaded_file ($_FILES['filename']['tmp_name'], "$library_path$file")) {
                $query = "INSERT INTO library (file,authors,title,journal,category,date1,date2,abstract) VALUES ('$file','".mysql_real_escape_string($authors)."','$title','$journal','$category','$_POST[date1]','$date2', '$abstract')";
                $result = mysql_query ($query) OR die(mysql_error());
                if (!$result) {
                    die ("Could not upload into database: <br />" . mysql_error());
                }
```
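
trq's advice above (validate that it is an actual file, then escape just before the query), applied to the upload code in this thread, as an added example that is not part of any post. It uses PDO prepared statements in place of mysql_real_escape_string (the mysql_* extension was removed in PHP 7). Assumptions: $pdo, $libraryPath and the function names are hypothetical, and only three of the library columns are shown.

```php
<?php
// Added example, not code from the thread. $pdo, $libraryPath and the
// function names are assumptions; needs the fileinfo extension.

/** Return the posted name if it is an allowed PDF file name, else null. */
function safe_pdf_name($raw): ?string
{
    // Allowlist: letters, digits, "_" and "-", then ".pdf". This rejects
    // "../", absolute paths, NUL bytes, arrays and names such as "x.php".
    $ok = is_string($raw) && preg_match('/\A[A-Za-z0-9_-]{1,100}\.pdf\z/', $raw) === 1;
    return $ok ? $raw : null;
}

/** True only for a completed HTTP upload whose content is a PDF. */
function is_uploaded_pdf(array $upload): bool
{
    if (($upload['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($upload['tmp_name'])) {
        return false;
    }
    // $_FILES[...]['type'] is supplied by the browser; inspect the bytes instead.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    return $finfo->file($upload['tmp_name']) === 'application/pdf';
}

function store_pdf(PDO $pdo, string $libraryPath, array $post, array $upload): string
{
    $file = safe_pdf_name($post['pdfname'] ?? null);
    if ($file === null) {
        throw new RuntimeException('pdfname missing or not an allowed file name');
    }
    if (!is_uploaded_pdf($upload)) {
        throw new RuntimeException('upload missing or not a PDF');
    }
    $target = rtrim($libraryPath, '/') . '/' . $file;
    if (file_exists($target) || !move_uploaded_file($upload['tmp_name'], $target)) {
        throw new RuntimeException('could not store file');
    }
    // Values are bound as they enter the query, never interpolated into it.
    // The remaining library columns bind the same way.
    $stmt = $pdo->prepare(
        'INSERT INTO library (file, authors, title) VALUES (:file, :authors, :title)'
    );
    $stmt->execute([':file' => $file, ':authors' => $post['authors'] ?? '',
                    ':title' => $post['title'] ?? '']);
    return $target;
}
```

With the thread's field names the call would be store_pdf($pdo, $library_path, $_POST, $_FILES['filename']); an empty pdfname then fails with an explicit message instead of producing a file with no name.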

hitman6003 Posted August 14, 2007

I'm not sure, but it may be your array merge line:

```php
$category = implode("|", array_merge($_POST["category"], $_POST["category2"]));
```

Try changing it to:

```php
$category = $_POST["category"] . "|" . $_POST["category2"];
```

Unless both of those are arrays and not just array elements.

Fadion Posted August 14, 2007

> Unless both of those are arrays and not just array elements.

I was just trying that, thinking it may act strangely, but it only causes an 'argument is not array' warning. Don't know, I can't see something in the script that prevents $_POST['pdfname'] from displaying correctly. You could try debugging the code by echoing $_POST['pdfname'] in different parts.

bad_gui Posted August 14, 2007

Only the top echo $_POST["pdfname"]; produces output. Anywhere else after that but before the move_uploaded_file doesn't show the value of the variable.

I found this comment but I don't think this is happening because I can see the "." in Br_J_Cancer91p1200-4.pdf from the first echo command

http://us.php.net/manual/en/reserved.variables.php

> I think it is very important to note that PHP will automatically replace dots ('.') AND spaces (' ') with underscores ('_') in any incoming POST or GET (or REQUEST) variables.
>
> This page notes the dot replacement, but not the space replacement: http://us2.php.net/manual/en/language.variables.external.php
>
> The reason is that '.' and ' ' are not valid characters to use in a variable name. This is confusing to many people, because most people use the format $_POST['name'] to access these values. In this case, the name is not used as a variable name but as an array index, in which those characters are valid.
>
> However, if the register_globals directive is set, these names must be used as variable names. As of now, PHP converts the names for these variables before inserting them into the external variable arrays, unfortunately - rather than leaving them as they are for the arrays and changing the names only for the variables set by register_globals.
>
> If you want to use:
>
> <input name="title for page3.php" type="text">
>
> The value you will get in your POST array, for instance would be:
>
> $_POST['title_for_page3_php']

bad_gui Posted August 14, 2007

After more reading I saw a suggestion for this code to give information:

```php
echo "The directory path uploading to is:".$library_path."<br>";
echo "The filename is: ".$file."<br>";
if (move_uploaded_file ($_FILES['filename']['tmp_name'], "$library_path$file")) {
```

and the result it gives

```
The directory path uploading to is:/var/www/htdocs/librarian/library/
The filename is:
```

So why does this not pass the content of $_POST['pdfname'] to $file ?

```php
$file = $_POST['pdfname'];
```

Alternately, what is the syntax for using $_POST['pdfname'] in the move_uploaded_file command?

bad_gui Posted August 15, 2007

This is REALLY weird. All of the $_POST code I added in fetch.php (see commented section) doesn't pass the variable to the upload.php script but the existing code I copied from does:

fetch.php

```php
<?
if (isset($_GET["id"])) {

    $fp= @fsockopen ("www.ncbi.nlm.nih.gov", 80, $errno, $errstr, 20);
    if (!$fp) {
        echo "<p>Sorry! Service temporarily unavailable.<p>$errstr $errno<p>\n";
    } else {
        fputs ($fp, "GET /entrez/eutils/efetch.fcgi?db=Pubmed&rettype=abstract&retmode=XML&id=$_GET[id] HTTP/1.0\r\n\r\n");
        while (!feof($fp)) {
            $result .= fgets ($fp,128);
        }
        fclose ($fp);
    }

    $result = preg_replace("/(\w[^>])(\n)/i", "\\1 ", $result);
    $result_array = split ("\n", $result);

    for ($i=0; $i < count($result_array); $i++) {
        if (strstr($result_array[$i], "<ArticleTitle>")) { $title = utf8_decode(trim(strip_tags($result_array[$i]))); }
        if (strstr($result_array[$i], "<Volume>")) { $volume = utf8_decode(trim(strip_tags($result_array[$i]))); }
        if (strstr($result_array[$i], "<PubDate>")) { $date = utf8_decode(trim(strip_tags($result_array[$i+1]))); }
        if (strstr($result_array[$i], "<MedlinePgn>")) { $pages = utf8_decode(trim(strip_tags($result_array[$i]))); }
        if (strstr($result_array[$i], "<LastName>")) { $name = utf8_decode(trim(strip_tags($result_array[$i]))); }
        if (strstr($result_array[$i], "<Initials>")) { $name_array[] = $name." ".utf8_decode(trim(strip_tags($result_array[$i]))); }
        if (strstr($result_array[$i], "<AbstractText>")) { $abstract = utf8_decode(trim(strip_tags($result_array[$i]))); }
        if (strstr($result_array[$i], "<Title>")) { $journal = utf8_decode(trim(strip_tags($result_array[$i]))); }
        if (strstr($result_array[$i], "<DescriptorName")) { $mesh_array[] = utf8_decode(trim(strip_tags($result_array[$i]))); }
        if (strstr($result_array[$i], "<MedlineTA>")) { $journal_abbr = utf8_decode(trim(strip_tags($result_array[$i]))); }
    }

    $names = join (", ", $name_array);
    $mesh = join (" / ", $mesh_array);

    print '<TABLE BORDER="0" CELLSPACING="5" CELLPADDING="5"><TR><TD>';
    if (isset($names)) print "<P ALIGN=justify>$names. ($date)<BR>\n";
    if (isset($title)) print "<B>$title</B><BR>\n";
    if (isset($date)) print "$journal <B>$volume</B>: $pages.<BR>\n";
    isset($abstract) ? print "$abstract<BR>\n" : print "No abstract available.<BR>\n";
    if (isset($mesh)) print "<BR><B>MESH:</B> $mesh\n";
    print '</TD></TR></TABLE>';
?>
<FORM ENCTYPE="application/x-www-form-urlencoded" ACTION="index.php?action=upload" METHOD="POST">
<INPUT TYPE="hidden" NAME="authors" VALUE="<? print htmlentities($names); ?>">
<INPUT TYPE="hidden" NAME="title" VALUE="<? print htmlentities($title); ?>">
<INPUT TYPE="hidden" NAME="journal" VALUE="<? print htmlentities($journal); ?>">
<INPUT TYPE="hidden" NAME="date1" VALUE="<? print htmlentities($date); ?>">
<INPUT TYPE="hidden" NAME="mesh" VALUE="<? print htmlentities($mesh); ?>">
<INPUT TYPE="hidden" NAME="abstract" VALUE="<? print isset($abstract) ? htmlentities($abstract) : "No abstract available."; ?>">
// HERE IS THE CODE I ADDED
<INPUT TYPE="hidden" NAME="journal_abbr" VALUE="<? print htmlentities($journal_abbr); ?>">
<INPUT TYPE="hidden" NAME="volume" VALUE="<? print htmlentities($volume); ?>">
<INPUT TYPE="hidden" NAME="pages" VALUE="<? print htmlentities($pages); ?>">
// END OF CODE I ADDED
<INPUT TYPE="submit" VALUE="Upload">
<INPUT TYPE="button" VALUE="Back" onMouseOver="window.status='Back'" onMouseOut="window.status=''" onClick="javascript:history.go(-1)">
<?
```

upload.php

```php
<?
ini_set('display_errors','1');

// I can echo all of the $_POST variables here
echo $_POST['journal_abbr'];

if ((!empty($_FILES['filename']['tmp_name']) && $_FILES['filename']['type'] == 'application/pdf')
    && !empty($_POST["authors"])
    && !empty($_POST["title"])
    && !empty($_POST["date1"])
    && !empty($_POST["journal"])
    && (!empty($_POST["category"]) || !empty($_POST["category2"]))
    && !empty($_POST["abstract"]) ) {

    $category = implode("|", array_merge($_POST["category"], $_POST["category2"]));
    $category = trim ($category, "|");
    $abstract = str_replace("\r\n", " ", $_POST["abstract"]);
    $title = str_replace("\r\n", " ", $_POST["title"]);
    $journal = str_replace("\r\n", " ", $_POST["journal"]);
    $authors = str_replace("\r\n", " ", $_POST["authors"]);
    $journal_abbr = str_replace(" ", "", $_POST["journal_abbr"]);
    $journal_abbr = str_replace ('.','',$journal_abbr);
    $volume = $_POST["volume"];
    $pages = $_POST["pages"];

    // Below only $journal works, the new ones I added $journal_abbr, $volume
    // and $pages are empty
    echo $journal;
    echo $journal_abbr;
    echo $volume;
    echo $pages;

    $pdfname = $journal_abbr . $volume . "p" . $pages;
    echo $pdfname;

    if (strlen($category) < 255) {
        $link = @mysql_connect($database_host, $database_user, $database_password);
        @mysql_select_db ($database_name);
        $query = "SELECT title FROM library WHERE title='$title' LIMIT 1";
        $result = mysql_query ($query);
        $rows = mysql_num_rows ($result);

        if ($rows == '0') {
            $query = "SELECT file FROM library ORDER BY file DESC LIMIT 1";
            $result = mysql_query ($query);
            $last_file = mysql_fetch_row($result);
            // $file = (int) $last_file[0] + 1;
            // $file = sprintf ("%05d.pdf",$file);
            $date2 = date('Y-m-d');

            echo "The directory path uploading to is:".$library_path."<br>";
            echo "The filename is:". $pdfname . "<br>";

            if (move_uploaded_file ($_FILES['filename']['tmp_name'], "$library_path$")) {
                $query = "INSERT INTO library (file,authors,title,journal,category,date1,date2,abstract) VALUES ('$file','".mysql_real_escape_string($authors)."','$title','$journal','$category','$_POST[date1]','$date2', '$abstract')";
                $result = mysql_query ($query) OR die(mysql_error());
                if (!$result) {
                    die ("Could not upload into database: <br />" . mysql_error());
                }
```