using a form variable with a file upload script

Question

I am using this form as a file upload form(as part of a larger php script, $pk is sanitized in the actual thing):

<?php

if (isset($_GET["pk"]))
 { $pk = $_GET["pk"];}
echo '<form action="up.php" method="post"
enctype="multipart/form-data">
<label for="file">Filename:</label>
<input type="file" name="file" id="file" /> 
<input type="hidden" name="pk" value="$pk">
<br />
<input type="submit" name="submit" value="Submit" />
</form>';
?>

I am using the following(extremely trimmed) code to handle the upload. Any syntax errors are a result of the tabifier I used.

<?php
 if (isset($_GET["pk"])) {
    $pk = $_GET["pk"];
}
$con = mysqli_connect("localhost","x","x", "x");
echo "Upload: " . $_FILES["file"]["name"] . "<br />";
echo "Type: " . $_FILES["file"]["type"] . "<br />";
echo "Size: " . ($_FILES["file"]["size"] / 1024) . " Kb<br />";
echo "Temp file: " . $_FILES["file"]["tmp_name"] . "<br />";
move_uploaded_file($_FILES["file"]["tmp_name"],
      "./" . $_FILES["file"]["name"]);
echo "Stored in: " . "./" . $_FILES["file"]["name"];
$fileQuery = "INSERT INTO FILES VALUES (?, ?)";
if ($fileInsert = $con->prepare($fileQuery)) {
    $fileInsert->bind_param("ss", $pk, $_FILES["file"]["name"]);
    $fileInsert->execute();
    $fileInsert->close();
} else {
    print_r($con->error);
}
?>

What I would like to know, is how do I access $pk. Is it already passed to the handling code with the form?

Answer 1

$_POST['pk']

but you'll see $pk I guess, because you're using single quotes to echo the string.

Answer 2

Suggestion: $pk is not set.

So try to use $_REQUEST['pk'] instead of _GET

Also, the single quotes in your echo won't evaluate $pk. Alter

input type="hidden" name="pk" value="$pk"

to

input type="hidden" name="pk" value="' . $pk . '"

Cheers, T.