+
+ // file name compatible with POSIX
+ // protect against directory traversal
+ if ($Mode == 'UPDATE_ITEM')
+ {
+ $row = get_attachment($selected_id);
+ if ($row['filename'] == "")
+ exit();
+ $unique_name = $row['unique_name'];
+ if ($filename && file_exists($dir."/".$unique_name))
+ unlink($dir."/".$unique_name);
+ }
+ else
+ $unique_name = uniqid('');
+
+ //save the file
+ move_uploaded_file($tmpname, $dir."/".$unique_name);
+
+ if ($Mode == 'ADD_ITEM')
+ {
+ add_attachment($_POST['filterType'], $_POST['trans_no'], $_POST['description'],
+ $filename, $unique_name, $filesize, $filetype);
+ display_notification(_("Attachment has been inserted."));
+ }
+ else
+ {
+ update_attachment($selected_id, $_POST['filterType'], $_POST['trans_no'], $_POST['description'],
+ $filename, $unique_name, $filesize, $filetype);
+ display_notification(_("Attachment has been updated."));
+ }
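Review bot: The return value of `move_uploaded_file($tmpname, $dir."/".$unique_name)` is never checked, so `add_attachment`/`update_attachment` still run and a success notification is shown even when nothing was stored. In the `UPDATE_ITEM` branch the previous file has already been removed by `unlink` by then, so a failed move leaves the record pointing at a missing file. Guard the database write whenever a file was submitted, e.g. `if ($filename && !move_uploaded_file($tmpname, $dir."/".$unique_name))` followed by an error report and an early return; since `move_uploaded_file` overwrites its destination, the preceding `unlink` can then be dropped. Separately, the two comments at the top promise a POSIX-safe name and traversal protection, but no visible line sanitises `$filename` or `$unique_name`; if that happens before this fragment, the comments belong next to that code. The enclosing block starts outside the visible lines.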