- //$content = addslashes(file_get_contents($_FILES['filename']['tmp_name']));
- $filename = $_FILES['filename']['name'];
+ $dir = company_path()."/attachments";
+ if (!file_exists($dir))
+ {
+ mkdir ($dir,0777);
+ $index_file = "<?php\nheader(\"Location: ../index.php\");\n?>";
+ $fp = fopen($dir."/index.php", "w");
+ fwrite($fp, $index_file);
+ fclose($fp);
+ }
+ // file name compatible with POSIX
+ // protect against directory traversal
+ $unique_name = preg_replace('/[^a-zA-Z0-9.\-_]/', '', $_POST['unique_name']);
+ if ($Mode == 'UPDATE_ITEM' && file_exists($dir."/".$unique_name))
+ unlink($dir."/".$unique_name);
+
+ $unique_name = uniqid('');
+ move_uploaded_file($tmpname, $dir."/".$unique_name);
+ //save the file
+ $filename = basename($_FILES['filename']['name']);
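Review bot: The `unlink()` under `UPDATE_ITEM` deletes whatever name arrives in `$_POST['unique_name']`; the character filter strips path separators but still lets through `index.php` (the guard file this hunk writes) and the name of any other attachment in the directory. Take the name to delete from the stored record of the attachment being updated rather than from the request, or at minimum accept only the shape `uniqid('')` produces, e.g. `if ($Mode == 'UPDATE_ITEM' && preg_match('/^[0-9a-f]{13}$/', $unique_name) && is_file($dir."/".$unique_name))`. The return values of `mkdir`, `fopen` and `move_uploaded_file` are not checked, so as far as the visible lines show a failed upload still falls through to the save step; `mkdir($dir, 0777)` is also wider than the web server needs, and something like `0750` is presumably enough. `$tmpname` and the code that saves the record are outside the visible lines, so the enclosing block starts and ends beyond this hunk.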