Here's the PHP script I'm using on a Linux environment:

<?php

include("../_inc/odbcw.php");  //connect string

$cat = $_GET["cat"];

if($_GET["st"]){$crs_query = "select crs_no, title, credits, abstr, prereq, coreq, lab_fee from xxx where active = 'Y' and cat = '".$cat."' and spec_top = 'Y' and prog='UNDG' order by crs_no";}
else {$crs_query = "select crs_no, title, credits, abstr, prereq, coreq, lab_fee from xxx where active = 'Y' and cat = '".$cat."' and prog='UNDG' order by crs_no";}
$crs_result = @mysql_query($crs_query);

header("Content-type: application/vnd.ms-word");
header("Content-Disposition: attachment;Filename=cat.doc");

echo "<html>";
echo "<meta http-equiv=\"Content-Type\" content=\"text/html; charset=Windows-1252\">";
echo "<body>";

echo '<table border=0 width = 700>';
if($_GET["st"]){echo '<tr><td><font face=arial size=2><center>CATALOGUE<br>COURSE DESCRIPTIONS - '.$cat.'<br>SPECIAL TOPICS</center></font></td></tr>';}
else {echo '<tr><td><font face=arial size=2><center>CATALOGUE<br>COURSE DESCRIPTIONS - '.$cat.'</center></font></td></tr>';}
echo '</table>';

echo '<hr width=700>';

while($row = mysql_fetch_array($crs_result))
{

 $crs_no  = $row['crs_no'];
 $title  = $row['title'];
 $credits = $row['credits'];
 $abstr  = $row['abstr'];
 $prereq  = $row['prereq'];
 $coreq  = $row['coreq'];
 $lab_fee = $row['lab_fee'];
 $rowspan = 2;

 if($prereq)   {$rowspan++;}
 if($coreq)   {$rowspan++;}
 if($lab_fee=="Y") {$rowspan++;}

 echo "<table border=0 width = 700>";
 echo "<tr>";
 echo "<td rowspan=".$rowspan." valign=top width=100><font face=arial size=2>".$crs_no."</font></td>";
 echo "<td valign=top><font face=arial size=2><u>".$title."</u></font></td> <td valign=top align=right><font face=arial size=2>".$credits."</font></td>";
 echo "</tr>";
 echo "<tr>";
 echo "<td colspan=2 valign=top align=justify><font face=arial size=2>".$abstr."</font></td>";
 echo "</tr>";
 if($prereq)
 {
  echo "<tr>";
  echo "<td colspan=2 valign=top><font face=arial size=2>Prerequisite: ".$prereq."</font></td>";
  echo "</tr>";
 }
 if($coreq)
 {
  echo "<tr>";
  echo "<td colspan=2 valign=top><font face=arial size=2>Corequisite: ".$coreq."</font></td>";
  echo "</tr>";
 }
 if($lab_fee=="Y")
 {
  echo "<tr>";
  echo "<td colspan=2 valign=top><font face=arial size=2>Lab Fee Required</font></td>";
  echo "</tr>";
 }
 echo "</table>";
 echo "<br>";

}

echo "</body>";
echo "</html>";

?>

Everything works fine before the inclusion of:

header("Content-type: application/vnd.ms-word");
header("Content-Disposition: attachment;Filename=cat.doc");

echo "<html>";
echo "<meta http-equiv=\"Content-Type\" content=\"text/html; charset=Windows-1252\">";
echo "<body>";

These lines successfully bring up the dialogue box to open or save cat.doc, but after I open it, the only lines printed are:

CATALOGUE
COURSE DESCRIPTIONS - 

and the <HR> beneath this echoed text. It seems to go on lunch break for the while loop echoing section.

Any ideas?

+1  A: 

$cat has no value, unless it is defined in "../_inc/odbcw.php".

Dolph
Hmm, it is in there, but I guess I didn't copy it into here. I'll edit the post.
CheeseConQueso
This was part of the problem though, so I'm going to accept this answer. $cat wasn't coming through correctly after I tried to echo it out.
CheeseConQueso
Thanks... can't believe I missed that.
CheeseConQueso
Whoa, your updated code exposes some serious security vulnerabilities. Particularly, **SQL injection**! See example #2 for exactly what you're doing wrong: http://us3.php.net/mysql%20real%20escape%20string
Dolph
Yeah, I'm aware, we're working on making stored procs... there's no sensitive data up on the db and this is behind a password-protected directory so I'm in no rush - it's not my site anyway.
CheeseConQueso
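
The query from the question with `cat` bound as a parameter rather than concatenated, as an added example that is not part of the original thread. It assumes PDO with an in-memory SQLite database and constructed sample rows standing in for the site's MySQL connection; the function name `fetch_courses` is hypothetical.

```php
<?php
// Added example: PDO prepared statement instead of concatenating $_GET["cat"].
// Assumption: in-memory SQLite stands in for the site's MySQL database;
// the table name xxx and the column names are taken from the question.

function fetch_courses(PDO $db, string $cat, bool $specialTopics): array
{
    // Only fixed SQL text is ever concatenated; the request value is bound.
    $sql = "select crs_no, title, credits, abstr, prereq, coreq, lab_fee
            from xxx where active = 'Y' and cat = :cat"
         . ($specialTopics ? " and spec_top = 'Y'" : "")
         . " and prog = 'UNDG' order by crs_no";
    $stmt = $db->prepare($sql);
    $stmt->execute([':cat' => $cat]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data, not from the original site.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("create table xxx (crs_no text, title text, credits text, abstr text,
           prereq text, coreq text, lab_fee text, active text, cat text,
           spec_top text, prog text)");
$ins = $db->prepare("insert into xxx values (?,?,?,?,?,?,?,?,?,?,?)");
$ins->execute(['BIO101', 'Intro Biology', '3', 'Cells.', '', '', 'Y', 'Y', 'BIO', 'N', 'UNDG']);
$ins->execute(['CHE201', 'Organic Chemistry', '4', 'Carbon.', 'CHE101', '', 'Y', 'Y', 'CHE', 'Y', 'UNDG']);

// In the script these values come from $_GET["cat"] and $_GET["st"].
$inputs = ["BIO", "BIO' or '1'='1"];   // second value: constructed hostile input
foreach ($inputs as $cat) {
    $rows = fetch_courses($db, $cat, false);
    // The value is also echoed into the page heading, so escape it for HTML.
    $label = htmlspecialchars($cat, ENT_QUOTES, 'UTF-8');
    echo "cat=" . $label . " -> " . count($rows) . " row(s)\n";
}
```

Because the value is bound, the second input is compared as one literal string against the `cat` column and matches no course.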