include_once($path_to_root . "/includes/ui.inc");
include_once($path_to_root . "/includes/data_checks.inc");
include_once($path_to_root . "/admin/db/attachments_db.inc");
include_once($path_to_root . "/includes/ui.inc");
include_once($path_to_root . "/includes/data_checks.inc");
include_once($path_to_root . "/admin/db/attachments_db.inc");
$js .= get_js_open_window(800, 500);
page(_($help_context = "Attach Documents"), false, false, "", $js);
$js .= get_js_open_window(800, 500);
page(_($help_context = "Attach Documents"), false, false, "", $js);
- if (!$_POST['trans_no'])
- display_error(_("No transaction has been selected."));
+ if (!transaction_exists($_POST['filterType'], $_POST['trans_no']))
+ display_error(_("Selected transaction does not exists."));
elseif ($Mode == 'ADD_ITEM' && (!isset($_FILES['filename']) || $_FILES['filename']['size'] == 0))
display_error(_("Select attachment file."));
else {
elseif ($Mode == 'ADD_ITEM' && (!isset($_FILES['filename']) || $_FILES['filename']['size'] == 0))
display_error(_("Select attachment file."));
else {
$fp = fopen($dir."/index.php", "w");
fwrite($fp, $index_file);
fclose($fp);
}
$fp = fopen($dir."/index.php", "w");
fwrite($fp, $index_file);
fclose($fp);
}
// file name compatible with POSIX
// protect against directory traversal
if ($Mode == 'UPDATE_ITEM')
{
// file name compatible with POSIX
// protect against directory traversal
if ($Mode == 'UPDATE_ITEM')
{
- $unique_name = preg_replace('/[^a-zA-Z0-9.\-_]/', '', $_POST['unique_name']);
- if ($Mode == 'UPDATE_ITEM' && file_exists($dir."/".$unique_name))
+ $row = get_attachment($selected_id);
+ if ($row['filename'] == "")
+ exit();
+ $unique_name = $row['unique_name'];
+ if ($filename && file_exists($dir."/".$unique_name))
- $filename = basename($_FILES['filename']['name']);
- $filesize = $_FILES['filename']['size'];
- $filetype = $_FILES['filename']['type'];
+ move_uploaded_file($tmpname, $dir."/".$unique_name);