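/**
 * Uploads an attachment to the server and records it in the database.
 *
 * The file is written to the directory returned by decideFilePath() under a
 * unique-id prefix, then rows are inserted into ec_crmentity, ec_attachments
 * and ec_seattachmentsrel. For the Notes and Documents modules the owning
 * record's filename column is updated as well. Validation (image-only modules)
 * runs before the move, so a rejected file is never written to disk.
 *
 * @param int    $id           entity id to which the file is attached
 * @param string $module       current module name
 * @param array  $file_details one entry of $_FILES (name, type, size, tmp_name, error)
 * @return bool true when the file was stored and the rows were written, false otherwise
 */
function uploadAndSaveFile($id, $module, $file_details)
{
    global $log;
    global $current_user;
    global $upload_badext;

    // Log only the file name; interpolating the whole array prints "Array" and raises a notice.
    $log->debug("Entering into uploadAndSaveFile({$id},{$module}," . $file_details['name'] . ") method.");

    $date_var = date('Y-m-d H:i:s');

    // Owner falls back to the current user when the record carries no assigned user.
    $ownerid = isset($this->column_fields['assigned_user_id']) ? $this->column_fields['assigned_user_id'] : '';
    if ($ownerid == '') {
        $ownerid = $current_user->id;
    }

    // Arbitrary File Upload Vulnerability fix - Philip
    // The extension is compared case-insensitively (so "x.PHP" is handled like "x.php")
    // and a name without a dot has no extension; strrpos() returns false in that case
    // and the original substr() call produced a bogus extension.
    $binFile = $file_details['name'];
    $ext_pos = strrpos($binFile, ".");
    $ext = ($ext_pos === false) ? '' : strtolower(substr($binFile, $ext_pos + 1));
    if (in_array($ext, array_map('strtolower', (array) $upload_badext), true)) {
        $binFile .= ".txt";
    }
    // Vulnerability fix ends

    $current_id = $this->db->getUniqueID("ec_crmentity");
    $filename = explode_basename($binFile);
    $filetype = $file_details['type'];
    $filetmp_name = $file_details['tmp_name'];

    // Directory the file is written to.
    $upload_file_path = decideFilePath();

    // Only images are allowed for these modules. validateImageFile() receives just the
    // $_FILES entry, so it is run before the move — confirm it does not rely on the moved
    // file. It is expected to return the string 'true'/'false'; the loose comparison is
    // kept for that reason — TODO confirm its return type.
    $save_file = 'true';
    if ($module == 'Contacts' || $module == 'Products') {
        $save_file = validateImageFile($file_details);
    }
    if ($save_file != 'true') {
        $log->debug("Skip the save attachment process.");
        return false;
    }

    // Only a genuine upload is moved; otherwise the status stays false
    // (previously the variable was left undefined on this path).
    $upload_status = false;
    if (is_uploaded_file($filetmp_name)) {
        $encode_file = base64_encode_filename($binFile);
        $upload_status = move_uploaded_file($filetmp_name, $upload_file_path . $current_id . "_" . $encode_file);
    }
    if ($upload_status !== true) {
        $log->debug("Skip the save attachment process.");
        return false;
    }

    // Numeric ids are cast before being placed in SQL so request-supplied values cannot
    // alter the statements. NOTE(review): $filename, $description and $filetype are still
    // concatenated unescaped; they should be bound through the db layer's parameter API.
    $crmid = (int) $id;

    // For Notes/Documents the attached filename is also recorded on the owning row.
    if ($module == 'Notes') {
        $this->db->query("update ec_notes set filename='" . $filename . "' where notesid = " . $crmid);
    } elseif ($module == 'Documents') {
        $this->db->query("update ec_documents set filename='" . $filename . "' where documentsid = " . $crmid);
    }

    $description = isset($this->column_fields['description']) ? $this->column_fields['description'] : "";

    $this->db->query("insert into ec_crmentity (crmid,setype) values(" . $current_id . ",'" . $module . " Attachment')");

    $sql = "insert into ec_attachments(attachmentsid,name,description,type,setype,path,smcreatorid,createdtime) values(";
    $sql .= $current_id . ",'" . $filename . "','" . $description . "','" . $filetype . "','" . $module . "','" . $upload_file_path . "','" . (int) $ownerid . "','" . $date_var . "')";
    $this->db->query($sql);

    // In edit mode the attachment being replaced is unlinked from the record first.
    if (isset($_REQUEST['mode']) && $_REQUEST['mode'] == 'edit') {
        if ($crmid !== 0 && isset($_REQUEST['fileid']) && $_REQUEST['fileid'] != '') {
            $fileid = (int) $_REQUEST['fileid'];
            $this->db->query('delete from ec_seattachmentsrel where crmid = ' . $crmid . ' and attachmentsid = ' . $fileid);
        }
    }

    // Notes and Documents appear to hold a single attachment, so any previous link is dropped.
    if ($module == 'Notes' || $module == 'Documents') {
        $this->db->query("delete from ec_seattachmentsrel where crmid = " . $crmid);
    }

    $this->db->query('insert into ec_seattachmentsrel values(' . $crmid . ',' . $current_id . ')');
    return true;
}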
// Collapsed extract: per-file attachment loop for the Maillists module (see the
// 'Maillists Attachment' setype below). Each $_FILES entry is stored the same
// way uploadAndSaveFile() does, using the global $adb handle instead of
// $this->db. The listing is truncated before the loop closes.
foreach ($_FILES as $fileindex => $file_details) {
    if ($file_details['name'] != '' && $file_details['size'] > 0) {
        global $current_user;
        global $upload_badext;
        $date_var = $adb->formatDate(date('YmdHis'));
        $ownerid = $current_user->id;
        // Arbitrary File Upload Vulnerability fix - Philip
        // NOTE(review): the comparison is case-sensitive and strrpos() returns
        // false for a name without a dot; uploadAndSaveFile() has the same check.
        $binFile = $file_details['name'];
        $ext_pos = strrpos($binFile, ".");
        $ext = substr($binFile, $ext_pos + 1);
        if (in_array($ext, $upload_badext)) {
            $binFile .= ".txt";
        }
        // Vulnerability fix ends
        $current_id = $adb->getUniqueID("ec_crmentity");
        $filename = explode_basename($binFile);
        $filetype = $file_details['type'];
        $filesize = $file_details['size'];
        $filetmp_name = $file_details['tmp_name'];
        //get the file path inwhich folder we want to upload the file
        $upload_file_path = decideFilePath();
        //upload the file in server
        // Initialised here so a non-upload leaves the status false rather than undefined.
        $upload_status = false;
        if (is_uploaded_file($filetmp_name)) {
            $encode_file = base64_encode_filename($binFile);
            $upload_status = move_uploaded_file($filetmp_name, $upload_file_path . $current_id . "_" . $encode_file);
        }
        if ($upload_status) {
            $description = "";
            $adb->query("insert into ec_crmentity (crmid,setype) values('" . $current_id . "','Maillists Attachment')");
            // NOTE(review): $filename and $filetype come from the client-supplied upload
            // entry and are concatenated into the statement below unescaped.
            $sql = "insert into ec_attachments(attachmentsid,name,description,type,setype,path,smcreatorid,createdtime) values(";
            // … listing truncated here: the rest of the insert and the closing braces are not on this page.
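/**
 * Stores an uploaded image for a contact or user record and reports the outcome.
 *
 * Only the 'imagename' entry of the supplied $_FILES array is used. The upload is
 * accepted when PHP reports no upload error, the file is non-empty, its declared
 * MIME subtype and its extension are on the image allow-list and getimagesize()
 * recognises the content; only then is it moved into
 * $root_directory . "test/" . $module . "/". In edit mode with no new file the
 * record's existing image name is returned instead.
 *
 * @param array  $_FILES the PHP upload array (only the 'imagename' entry is read)
 * @param string $module 'contact' or 'user' — selects the existing-image lookup in edit mode
 * @param int    $id     record id, used for that lookup
 * @param string $mode   'edit' or any other value
 * @return array{imagename:string, imageerror:string, errormessage:mixed, saveimage:string, mode:string}
 *               imageerror/saveimage are the strings "true"/"false"; errormessage is
 *               "no-image", "invalid", "image", a numeric PHP upload error code, or ""
 */
function SaveImage($_FILES, $module, $id, $mode)
{
    global $log;
    global $root_directory;
    $log->debug("Entering SaveImage() method ...");

    // Target directory. $root_directory was previously read without a global
    // declaration, which made the path relative to the working directory.
    $uploaddir = $root_directory . "test/" . $module . "/";

    // Defaults for the returned values; every branch below leaves all of them defined.
    $image_name_val = "";
    $image_error = "false";
    $errormessage = "";
    $saveimage = "true";

    // Declared MIME subtypes (as in the original check) and file extensions accepted as images.
    $allowed_subtypes = array("jpeg", "png", "jpg", "pjpeg", "x-png", "gif");
    $allowed_extensions = array("jpeg", "png", "jpg", "gif");

    $file_path_name = isset($_FILES['imagename']['name']) ? $_FILES['imagename']['name'] : "";
    $file_name = explode_basename($file_path_name);

    if ($file_name != "") {
        $image_name_val = file_exist_fn($file_name, 0);
        $errorCode = isset($_FILES['imagename']['error']) ? (int) $_FILES['imagename']['error'] : 0;
        $filesize = isset($_FILES['imagename']['size']) ? (int) $_FILES['imagename']['size'] : 0;
        $filetmp_name = isset($_FILES['imagename']['tmp_name']) ? $_FILES['imagename']['tmp_name'] : "";
        $filetype_array = explode("/", isset($_FILES['imagename']['type']) ? $_FILES['imagename']['type'] : "");
        // A type without a "/" has no subtype; the original indexed [1] unconditionally.
        $file_type_val = isset($filetype_array[1]) ? strtolower($filetype_array[1]) : "";
        $extension = strtolower(pathinfo($file_name, PATHINFO_EXTENSION));
        $log->info("The File type of the Contact Image is :: " . $file_type_val);

        if ($errorCode != UPLOAD_ERR_OK) {
            // PHP reported an upload problem; 4 (no file) keeps its "no-image" label,
            // other codes are reported numerically as the original did for 2 and 3.
            $log->debug("Error is present in uploading Contact Image.");
            $saveimage = "false";
            $image_error = "true";
            $errormessage = ($errorCode == UPLOAD_ERR_NO_FILE) ? "no-image" : $errorCode;
        } elseif ($filesize == 0) {
            $saveimage = "false";
            $image_error = "true";
            $errormessage = "invalid";
        } elseif (!in_array($file_type_val, $allowed_subtypes, true)
            || !in_array($extension, $allowed_extensions, true)
            || !is_uploaded_file($filetmp_name)
            || getimagesize($filetmp_name) === false) {
            // Declared type, extension and actual content must all look like an image.
            // The declared type alone is client-supplied, so it is not trusted by itself,
            // and the check now runs before the move so a rejected file is never written.
            $saveimage = "false";
            $image_error = "true";
            $errormessage = "image";
        } elseif (!move_uploaded_file($filetmp_name, $uploaddir . $image_name_val)) {
            $log->debug("Error is present in uploading Contact Image.");
            $saveimage = "false";
            $image_error = "true";
            $errormessage = "invalid";
        } else {
            $log->debug("Successfully uploaded the Contact Image.");
        }
    } else {
        $log->debug("Contact Image is not given for uploading.");
        if ($mode == "edit") {
            // Keep the image already stored for the record. The original used "="
            // (assignment) here, so it always took the contact branch.
            if ($module === 'contact') {
                $image_name_val = getContactImageName($id);
            } elseif ($module === 'user') {
                $image_name_val = getUserImageName($id);
            }
        }
    }

    $return_value = array(
        'imagename' => $image_name_val,
        'imageerror' => $image_error,
        'errormessage' => $errormessage,
        'saveimage' => $saveimage,
        'mode' => $mode,
    );
    $log->debug("Exiting SaveImage method ...");
    return $return_value;
}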