X-Git-Url: https://delta.frontaccounting.com/gitweb/?a=blobdiff_plain;f=admin%2Fattachments.php;h=0e1b4e28a61bfacdbf9e26505eb00f2a08f3f05b;hb=54d84ff9a67620ab38c676cdbcf87853632724f0;hp=8f517e8aafc46b0a6f6a272e17b90dd9804cd586;hpb=cf67cec296e611c30be010686a5ea96d730418b0;p=fa-stable.git diff --git a/admin/attachments.php b/admin/attachments.php index 8f517e8a..0e1b4e28 100644 --- a/admin/attachments.php +++ b/admin/attachments.php @@ -18,36 +18,50 @@ include_once($path_to_root . "/includes/date_functions.inc"); include_once($path_to_root . "/includes/ui.inc"); include_once($path_to_root . "/includes/data_checks.inc"); +if (isset($_GET['vw'])) + $view_id = $_GET['vw']; +else $view_id = find_submit('view'); if ($view_id != -1) { $row = get_attachment($view_id); if ($row['filename'] != "") { - $type = ($row['filetype']) ? $row['filetype'] : 'application/octet-stream'; - header("Content-type: ".$type); - header('Content-Length: '.$row['filesize']); - if ($type == 'application/octet-stream') - header('Content-Disposition: attachment; filename='.$row['filename']); - else - header("Content-Disposition: inline"); - echo file_get_contents($comp_path."/".user_company(). "/attachments/".$row['unique_name']); - exit(); + if(in_ajax()) { + $Ajax->popup($_SERVER['PHP_SELF'].'?vw='.$view_id); + } else { + $type = ($row['filetype']) ? $row['filetype'] : 'application/octet-stream'; + header("Content-type: ".$type); + header('Content-Length: '.$row['filesize']); + if ($type == 'application/octet-stream') + header('Content-Disposition: attachment; filename='.$row['filename']); + else + header("Content-Disposition: inline"); + echo file_get_contents($comp_path."/".user_company(). "/attachments/".$row['unique_name']); + exit(); + } } } +if (isset($_GET['dl'])) + $download_id = $_GET['dl']; +else + $download_id = find_submit('download'); -$download_id = find_submit('download'); if ($download_id != -1) { $row = get_attachment($download_id); if ($row['filename'] != "") { - $type = ($row['filetype']) ? $row['filetype'] : 'application/octet-stream'; - header("Content-type: ".$type); - header('Content-Length: '.$row['filesize']); - header('Content-Disposition: attachment; filename='.$row['filename']); - echo file_get_contents($comp_path."/".user_company(). "/attachments/".$row['unique_name']); - exit(); + if(in_ajax()) { + $Ajax->redirect($_SERVER['PHP_SELF'].'?dl='.$download_id); + } else { + $type = ($row['filetype']) ? $row['filetype'] : 'application/octet-stream'; + header("Content-type: ".$type); + header('Content-Length: '.$row['filesize']); + header('Content-Disposition: attachment; filename='.$row['filename']); + echo file_get_contents($comp_path."/".user_company(). "/attachments/".$row['unique_name']); + exit(); + } } } @@ -98,25 +112,27 @@ if ($Mode == 'ADD_ITEM' || $Mode == 'UPDATE_ITEM') if ($Mode == 'ADD_ITEM') { $sql = "INSERT INTO ".TB_PREF."attachments (type_no, trans_no, description, filename, unique_name, - filesize, filetype, tran_date) VALUES (".$_POST['filterType'].",".$_POST['trans_no'].",". - db_escape($_POST['description']).", '$filename', '$unique_name', '$filesize', '$filetype', '$date')"; + filesize, filetype, tran_date) VALUES (".db_escape($_POST['filterType'])."," + .db_escape($_POST['trans_no']).",".db_escape($_POST['description']).", " + .db_escape($filename).", ".db_escape($unique_name).", ".db_escape($filesize) + .", ".db_escape($filetype).", '$date')"; db_query($sql, "Attachment could not be inserted"); display_notification(_("Attachment has been inserted.")); } else { $sql = "UPDATE ".TB_PREF."attachments SET - type_no=".$_POST['filterType'].", - trans_no=".$_POST['trans_no'].", + type_no=".db_escape($_POST['filterType']).", + trans_no=".db_escape($_POST['trans_no']).", description=".db_escape($_POST['description']).", "; if ($filename != "") { - $sql .= "filename='$filename', - unique_name='$unique_name', - filesize='$filesize', - filetype='$filetype', "; + $sql .= "filename=".db_escape($filename).", + unique_name=".db_escape($unique_name).", + filesize=".db_escape($filesize).", + filetype=".db_escape($filetype); } - $sql .= "tran_date='$date' WHERE id=$selected_id"; + $sql .= "tran_date='$date' WHERE id=".db_escape($selected_id); db_query($sql, "Attachment could not be updated"); display_notification(_("Attachment has been updated.")); } @@ -129,7 +145,7 @@ if ($Mode == 'Delete') $dir = $comp_path."/".user_company(). "/attachments"; if (file_exists($dir."/".$row['unique_name'])) unlink($dir."/".$row['unique_name']); - $sql = "DELETE FROM ".TB_PREF."attachments WHERE id = $selected_id"; + $sql = "DELETE FROM ".TB_PREF."attachments WHERE id = ".db_escape($selected_id); db_query($sql, "Could not delete attachment"); display_notification(_("Attachment has been deleted.")); $Mode = 'RESET'; @@ -159,13 +175,14 @@ function viewing_controls() function get_attached_documents($type) { - $sql = "SELECT * FROM ".TB_PREF."attachments WHERE type_no=$type ORDER BY trans_no"; + $sql = "SELECT * FROM ".TB_PREF."attachments WHERE type_no=".db_escape($type) + ." ORDER BY trans_no"; return db_query($sql, "Could not retrieve attachments"); } function get_attachment($id) { - $sql = "SELECT * FROM ".TB_PREF."attachments WHERE id=$id"; + $sql = "SELECT * FROM ".TB_PREF."attachments WHERE id=".db_escape($id); $result = db_query($sql, "Could not retrieve attachments"); return db_fetch($result); }