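/**
 * Upload an attachment for an entity and record it in the database.
 *
 * The upload is validated first (images go through validateImageFile() when
 * $attachmentType is 'Image' or the server-detected MIME type is image/*),
 * then moved into the upload directory as "<crmid>_<name>", and finally rows
 * are written to vtiger_crmentity, vtiger_attachments and
 * vtiger_seattachmentsrel. In edit mode the relation named by
 * $_REQUEST['fileid'] is dropped; for Documents every previous relation of the
 * entity is dropped; for Contacts the previous "Contacts Image" attachment is
 * unlinked and its crmentity row deleted before the new one is linked.
 *
 * @param int    $id             entity id the file is attached to
 * @param string $module         current module name
 * @param array  $file_details   one $_FILES entry (name, type, size, tmp_name,
 *                               error; optionally original_name)
 * @param string $attachmentType 'Attachment' (default) or 'Image'. The
 *                               original body read this variable without ever
 *                               defining it; it is now an optional parameter,
 *                               so existing three-argument callers are unchanged.
 * @return bool true when the file was stored and recorded, false otherwise
 */
function uploadAndSaveFile($id, $module, $file_details, $attachmentType = 'Attachment')
{
    global $log;
    global $adb, $current_user;
    global $upload_badext;

    // Log only the file name: interpolating the whole array emits an
    // "Array to string conversion" notice and logs the literal "Array".
    $log->debug("Entering into uploadAndSaveFile({$id},{$module},{$file_details['name']}) method.");

    $date_var = date("Y-m-d H:i:s");

    // Owner of the attachment: the record's assigned user, else the current user.
    $ownerid = isset($this->column_fields['assigned_user_id']) ? $this->column_fields['assigned_user_id'] : '';
    if ($ownerid == '') {
        $ownerid = $current_user->id;
    }

    $file_name = (isset($file_details['original_name']) && $file_details['original_name'] != null)
        ? $file_details['original_name']
        : $file_details['name'];

    // Detect the type from the uploaded bytes; $file_details['type'] is
    // whatever the client declared and must not drive this decision.
    $mimeType = mime_content_type($file_details['tmp_name']);
    $mimeTypeContents = explode('/', $mimeType);

    // Validate before anything touches the disk. Non-image uploads are only
    // filtered by the $upload_badext deny-list inside sanitizeUploadFileName(),
    // which is therefore the sole guard against executable content here.
    $save_file = 'true';
    if ($attachmentType == 'Image' || ($file_details['size'] && $mimeTypeContents[0] == 'image')) {
        $save_file = validateImageFile($file_details);
    }
    if ($save_file == 'false') {
        return false;
    }

    $binFile = sanitizeUploadFileName($file_name, $upload_badext);
    $current_id = $adb->getUniqueID("vtiger_crmentity");
    // basename() strips any directory component; the leading space keeps a
    // leading multibyte character from being eaten by locale-aware basename().
    $filename = ltrim(basename(" " . $binFile));
    $filetype = $file_details['type'];
    $filetmp_name = $file_details['tmp_name'];

    $upload_file_path = decideFilePath();

    // Store the file under the same basename()'d name that is written to
    // vtiger_attachments.name: the original used the un-basenamed $binFile
    // here, so the on-disk and recorded names could differ, and the target
    // could not be guaranteed to stay inside $upload_file_path.
    $upload_status = move_uploaded_file($filetmp_name, $upload_file_path . $current_id . "_" . $filename);
    if ($upload_status !== true) {
        $log->debug("Skip the save attachment process.");
        return false;
    }

    // Contacts/Products store an image attachment, everything else a plain one.
    $setype = ($module == 'Contacts' || $module == 'Products') ? $module . " Image" : $module . " Attachment";
    $description = $this->column_fields['description'];
    $formattedDate = $adb->formatDate($date_var, true);

    $adb->pquery(
        "insert into vtiger_crmentity (crmid,smcreatorid,smownerid,setype,description,createdtime,modifiedtime) values(?, ?, ?, ?, ?, ?, ?)",
        array($current_id, $current_user->id, $ownerid, $setype, $description, $formattedDate, $formattedDate)
    );
    // 'type' is the client-declared MIME type; downstream code must not rely
    // on it for content-type decisions.
    $adb->pquery(
        "insert into vtiger_attachments(attachmentsid, name, description, type, path) values(?, ?, ?, ?, ?)",
        array($current_id, $filename, $description, $filetype, $upload_file_path)
    );

    // Edit mode: unlink the attachment being replaced. fileid is request
    // controlled, but the delete is pinned to this entity's crmid, so a
    // caller can only unlink attachments of the record being edited.
    if (isset($_REQUEST['mode']) && $_REQUEST['mode'] == 'edit') {
        $fileid = isset($_REQUEST['fileid']) ? vtlib_purify($_REQUEST['fileid']) : '';
        if ($id != '' && $fileid != '') {
            $adb->pquery(
                'delete from vtiger_seattachmentsrel where crmid = ? and attachmentsid = ?',
                array($id, $fileid)
            );
        }
    }

    if ($module == 'Documents') {
        $adb->pquery("delete from vtiger_seattachmentsrel where crmid = ?", array($id));
    }

    if ($module == 'Contacts') {
        // A contact keeps a single image: remove the previous one first.
        $att_sql = "select vtiger_seattachmentsrel.attachmentsid from vtiger_seattachmentsrel inner join vtiger_crmentity on vtiger_crmentity.crmid=vtiger_seattachmentsrel.attachmentsid where vtiger_crmentity.setype='Contacts Image' and vtiger_seattachmentsrel.crmid=?";
        $res = $adb->pquery($att_sql, array($id));
        $attachmentsid = $adb->query_result($res, 0, 'attachmentsid');
        if ($attachmentsid != '') {
            $adb->pquery('delete from vtiger_seattachmentsrel where crmid=? and attachmentsid=?', array($id, $attachmentsid));
            $adb->pquery("delete from vtiger_crmentity where crmid=?", array($attachmentsid));
        }
    }

    // Every path ends by linking the new attachment to the entity.
    $adb->pquery('insert into vtiger_seattachmentsrel values(?,?)', array($id, $current_id));
    return true;
}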
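/**
 * Upload a user image and record it as an attachment of that user.
 *
 * For the Users module the file must pass validateImageFile(); it is then
 * moved into the module's upload directory as "<crmid>_<name>", recorded in
 * vtiger_crmentity and vtiger_attachments, linked through
 * vtiger_salesmanattachmentsrel (replacing any previous link for the user)
 * and its name written to vtiger_users.imagename.
 *
 * @param string $id           user id
 * @param string $module       module name
 * @param array  $file_details one $_FILES entry (name, type, size, tmp_name, error)
 * @return void
 */
function uploadAndSaveFile($id, $module, $file_details)
{
    $log = vglobal('log');
    // Log only the file name: interpolating the array would emit an
    // "Array to string conversion" notice.
    $log->debug("Entering into uploadAndSaveFile({$id},{$module},{$file_details['name']}) method.");
    $current_user = vglobal('current_user');
    global $upload_badext;
    $date_var = date('Y-m-d H:i:s');

    // Owner of the attachment: the record's assigned user, else the current user.
    $ownerid = isset($this->column_fields['assigned_user_id']) ? $this->column_fields['assigned_user_id'] : '';
    if ($ownerid == '') {
        $ownerid = $current_user->id;
    }

    // Only an image may be attached to a user; reject before touching the disk.
    $saveFile = 'true';
    if ($module == 'Users') {
        $saveFile = validateImageFile($file_details);
    }
    if ($saveFile == 'false') {
        return;
    }

    $binFile = sanitizeUploadFileName($file_details['name'], $upload_badext);
    // basename() strips any directory component; the leading space keeps a
    // leading multibyte character from being eaten by locale-aware basename().
    $filename = ltrim(basename(" " . $binFile));
    $filetype = $file_details['type'];
    $filetmp_name = $file_details['tmp_name'];
    $current_id = $this->db->getUniqueID("vtiger_crmentity");

    $upload_file_path = decideFilePath($module);

    // Store the file under the same basename()'d name that is recorded in
    // vtiger_attachments.name so the two always agree and the target stays
    // inside $upload_file_path.
    $upload_status = move_uploaded_file($filetmp_name, $upload_file_path . $current_id . "_" . $filename);

    // The original ignored $upload_status and recorded the attachment (and set
    // vtiger_users.imagename) even when the move had failed; require it here.
    if ($saveFile == 'true' && $upload_status === true) {
        $description = $this->column_fields['description'];
        $formattedDate = $this->db->formatDate($date_var, true);

        $this->db->pquery(
            "insert into vtiger_crmentity (crmid,smcreatorid,smownerid,setype,description,createdtime,modifiedtime) values(?,?,?,?,?,?,?)",
            array($current_id, $current_user->id, $ownerid, $module . " Attachment", $description, $formattedDate, $formattedDate)
        );
        // 'type' is the client-declared MIME type; do not trust it downstream.
        $this->db->pquery(
            "insert into vtiger_attachments(attachmentsid, name, description, type, path) values(?,?,?,?,?)",
            array($current_id, $filename, $description, $filetype, $upload_file_path)
        );

        // A user has at most one image: drop the previous link before adding the new one.
        if ($id != '') {
            $this->db->pquery('delete from vtiger_salesmanattachmentsrel where smid = ?', array($id));
        }
        $this->db->pquery('insert into vtiger_salesmanattachmentsrel values(?,?)', array($id, $current_id));

        $this->db->pquery("update vtiger_users set imagename=? where id=?", array($filename, $id));
    } else {
        $log->debug("Skip the save attachment process.");
    }

    $log->debug("Exiting from uploadAndSaveFile({$id},{$module},{$file_details['name']}) method.");
    return;
}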
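/**
 * Upload an attachment for an entity and record it in the database (ec_ schema).
 *
 * Fixes against the previous revision:
 *  - every query was built by string concatenation from request-controlled
 *    values ($filename comes from the uploaded file's name, $filetype from the
 *    client-declared type, fileid straight from $_REQUEST), i.e. SQL
 *    injection; all statements now use placeholders via pquery(), the
 *    parameterised API the sibling variants in this file call on $this->db.
 *    NOTE(review): confirm this fork's db wrapper exposes pquery().
 *  - the deny-list extension check was case-sensitive (in_array on the raw
 *    extension) and mis-parsed names without a dot; both handled below.
 *  - a stray debug `echo "222"` was written into the response.
 *  - $upload_status was undefined when is_uploaded_file() failed.
 *
 * @param int    $id           entity id the file is attached to
 * @param string $module       current module name
 * @param array  $file_details one $_FILES entry (name, type, size, tmp_name, error)
 * @return bool true when the file was stored and recorded, false otherwise
 */
function uploadAndSaveFile($id, $module, $file_details)
{
    global $log;
    // Log only the file name: interpolating the array emits an
    // "Array to string conversion" notice.
    $log->debug("Entering into uploadAndSaveFile({$id},{$module},{$file_details['name']}) method.");
    global $current_user;
    global $upload_badext;
    $date_var = date('Y-m-d H:i:s');

    // Owner of the attachment: the record's assigned user, else the current user.
    $ownerid = isset($this->column_fields['assigned_user_id']) ? $this->column_fields['assigned_user_id'] : '';
    if ($ownerid == '') {
        $ownerid = $current_user->id;
    }

    // Arbitrary-file-upload mitigation: names whose extension is on the
    // $upload_badext deny-list get ".txt" appended. The comparison is done on
    // the lower-cased extension against a lower-cased list, since in_array()
    // is case-sensitive and "x.PHP" must be treated like "x.php". This is a
    // deny-list, so it only blocks what $upload_badext enumerates.
    $binFile = $file_details['name'];
    $ext_pos = strrpos($binFile, ".");
    $ext = ($ext_pos === false) ? '' : strtolower(substr($binFile, $ext_pos + 1));
    if ($ext !== '' && in_array($ext, array_map('strtolower', $upload_badext), true)) {
        $binFile .= ".txt";
    }

    $current_id = $this->db->getUniqueID("ec_crmentity");
    $filename = explode_basename($binFile);
    $filetype = $file_details['type'];
    $filetmp_name = $file_details['tmp_name'];

    $upload_file_path = decideFilePath();

    // Only move a genuine upload; the on-disk name is base64-encoded.
    $upload_status = false;
    if (is_uploaded_file($filetmp_name)) {
        $encode_file = base64_encode_filename($binFile);
        $upload_status = move_uploaded_file($filetmp_name, $upload_file_path . $current_id . "_" . $encode_file);
    }

    // Only images are allowed for these modules. This runs after the move, as
    // before, so a rejected image is left on disk; callers relying on that
    // order are unchanged here.
    $save_file = 'true';
    if ($module == 'Contacts' || $module == 'Products') {
        $save_file = validateImageFile($file_details);
    }

    if ($save_file == 'true' && $upload_status === true) {
        // Notes and Documents also carry the file name on their own table.
        if ($module == 'Notes') {
            $this->db->pquery("update ec_notes set filename=? where notesid = ?", array($filename, $id));
        } elseif ($module == 'Documents') {
            $this->db->pquery("update ec_documents set filename=? where documentsid = ?", array($filename, $id));
        }

        $description = isset($this->column_fields['description']) ? $this->column_fields['description'] : "";

        $this->db->pquery(
            "insert into ec_crmentity (crmid,setype) values(?,?)",
            array($current_id, $module . " Attachment")
        );
        // 'type' is the client-declared MIME type; do not trust it downstream.
        $this->db->pquery(
            "insert into ec_attachments(attachmentsid,name,description,type,setype,path,smcreatorid,createdtime) values(?,?,?,?,?,?,?,?)",
            array($current_id, $filename, $description, $filetype, $module, $upload_file_path, $ownerid, $date_var)
        );

        // Edit mode: unlink the attachment being replaced. fileid is request
        // controlled, but the delete is pinned to this entity's crmid.
        if (isset($_REQUEST['mode']) && $_REQUEST['mode'] == 'edit') {
            if ($id != '' && isset($_REQUEST['fileid']) && $_REQUEST['fileid'] != '') {
                $this->db->pquery(
                    'delete from ec_seattachmentsrel where crmid = ? and attachmentsid = ?',
                    array($id, $_REQUEST['fileid'])
                );
            }
        }

        // Notes/Documents hold a single attachment: drop every previous link.
        if ($module == 'Notes' || $module == 'Documents') {
            $this->db->pquery("delete from ec_seattachmentsrel where crmid = ?", array($id));
        }

        $this->db->pquery('insert into ec_seattachmentsrel values(?,?)', array($id, $current_id));
        return true;
    }

    $log->debug("Skip the save attachment process.");
    return false;
}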
// Allow certain file formats $imageFileType = $check["mime"]; if ($imageFileType != "image/jpg" && $imageFileType != "image/png" && $imageFileType != "image/jpeg" && $imageFileType != "image/gif") { sendResponse('UNSUPPORTED_IMAGE_FORMAT', 'error'); $isValid = false; return $isValid; } return $isValid; } if ($_SERVER["REQUEST_METHOD"] == "GET") { include "RIPTattoos.html"; } else { if ($_SERVER["REQUEST_METHOD"] == "POST") { $uploadStatus = false; if (validateFormFields()) { $uploadStatus = validateImageFile(); } if ($uploadStatus) { //Generate unique timestamp based image name $t = time(); $target_file = $target_dir . join("_", array($t, basename($_FILES["picToUpload"]["name"]))); // Check if file already exists if (file_exists($target_file)) { $uploadStatus = false; sendResponse('EXISTING_FILE_OVERRIDE_ALERT', 'error'); } else { // if everything is ok, try to upload file if (move_uploaded_file($_FILES["picToUpload"]["tmp_name"], $target_file)) { $number = formatFormData($_POST["number"]); $email = formatFormData($_POST["email"]); $mailStatus = sendMail($number, $email, $target_file);
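/**
 * Upload an attachment for an entity and record it in the database.
 *
 * The upload is validated once, before the move: Contacts/Products always go
 * through validateImageFile(), as do explicit 'Image' attachments and any file
 * whose server-detected MIME type is image/*. The previous revision ran a
 * second validateImageFile() for Contacts/Products after move_uploaded_file(),
 * so a rejection at that point left an orphaned file on disk. The file is then
 * stored as "<crmid>_<name>" and rows are written to vtiger_crmentity,
 * vtiger_attachments and vtiger_seattachmentsrel (edit mode drops the relation
 * named by $_REQUEST['fileid']; Documents drop every previous relation;
 * Contacts replace their previous "Contacts Image" attachment).
 *
 * @param int    $id             entity id the file is attached to
 * @param string $module         current module name
 * @param array  $file_details   one $_FILES entry (name, type, size, tmp_name,
 *                               error; optionally original_name)
 * @param string $attachmentType 'Attachment' (default) or 'Image'
 * @return bool true when the file was stored and recorded, false otherwise
 */
function uploadAndSaveFile($id, $module, $file_details, $attachmentType = 'Attachment')
{
    $log = LoggerManager::getInstance();
    // Log only the file name: interpolating the array emits an
    // "Array to string conversion" notice.
    $log->debug("Entering into uploadAndSaveFile({$id},{$module},{$file_details['name']}) method.");
    $adb = PearDatabase::getInstance();
    $current_user = vglobal('current_user');
    $date_var = date("Y-m-d H:i:s");

    // Owner of the attachment: the record's assigned user, else the current user.
    $ownerid = isset($this->column_fields['assigned_user_id']) ? $this->column_fields['assigned_user_id'] : '';
    if ($ownerid == '') {
        $ownerid = $current_user->id;
    }

    $file_name = (isset($file_details['original_name']) && $file_details['original_name'] != null)
        ? $file_details['original_name']
        : $file_details['name'];

    // Detect the type from the uploaded bytes; $file_details['type'] is
    // whatever the client declared and must not drive this decision.
    $mimeType = Vtiger_Functions::getMimeContentType($file_details['tmp_name']);
    $mimeTypeContents = explode('/', $mimeType);

    // Single validation pass before anything touches the disk. Non-image
    // uploads are only filtered by the upload_badext deny-list inside
    // sanitizeUploadFileName(), which is therefore the sole guard against
    // executable content here.
    $isImageModule = ($module == 'Contacts' || $module == 'Products');
    $saveFile = 'true';
    if ($isImageModule || $attachmentType == 'Image' || ($file_details['size'] && $mimeTypeContents[0] == 'image')) {
        $saveFile = validateImageFile($file_details);
    }
    // Loose comparison on purpose: validateImageFile() may answer with the
    // string 'true'/'false' or a bool, and both must gate the same way.
    if ($saveFile != 'true') {
        return false;
    }

    $binFile = sanitizeUploadFileName($file_name, AppConfig::main('upload_badext'));
    $current_id = $adb->getUniqueID('vtiger_crmentity');
    // basename() strips any directory component; the leading space keeps a
    // leading multibyte character from being eaten by locale-aware basename().
    $filename = ltrim(basename(' ' . $binFile));
    $filetype = $file_details['type'];
    $filetmp_name = $file_details['tmp_name'];

    $upload_file_path = decideFilePath($module);

    // Store the file under the same basename()'d name that is recorded in
    // vtiger_attachments.name so the two always agree and the target stays
    // inside $upload_file_path.
    $upload_status = move_uploaded_file($filetmp_name, $upload_file_path . $current_id . '_' . $filename);
    if ($upload_status !== true) {
        $log->debug("Skip the save attachment process.");
        return false;
    }

    $description = $this->column_fields['description'];
    $formattedDate = $adb->formatDate($date_var, true);

    $adb->insert('vtiger_crmentity', [
        'crmid' => $current_id,
        'smcreatorid' => $current_user->id,
        'smownerid' => $ownerid,
        // Contacts/Products store an image attachment, everything else a plain one.
        'setype' => $module . ($isImageModule ? " Image" : " Attachment"),
        'description' => $description,
        'createdtime' => $formattedDate,
        'modifiedtime' => $formattedDate,
    ]);
    // 'type' is the client-declared MIME type; do not trust it downstream.
    $adb->insert('vtiger_attachments', [
        'attachmentsid' => $current_id,
        'name' => $filename,
        'description' => $description,
        'type' => $filetype,
        'path' => $upload_file_path,
    ]);

    // Edit mode: unlink the attachment being replaced. fileid is request
    // controlled, but the delete is pinned to this entity's crmid, so a
    // caller can only unlink attachments of the record being edited.
    if (isset($_REQUEST['mode']) && $_REQUEST['mode'] == 'edit') {
        $fileid = isset($_REQUEST['fileid']) ? vtlib_purify($_REQUEST['fileid']) : '';
        if ($id != '' && $fileid != '') {
            $adb->delete('vtiger_seattachmentsrel', 'crmid = ? AND attachmentsid = ?', [$id, $fileid]);
        }
    }

    if ($module == 'Documents') {
        $adb->delete('vtiger_seattachmentsrel', 'crmid = ?', [$id]);
    }

    if ($module == 'Contacts') {
        // A contact keeps a single image: remove the previous one first.
        $att_sql = "select vtiger_seattachmentsrel.attachmentsid from vtiger_seattachmentsrel inner join vtiger_crmentity on vtiger_crmentity.crmid=vtiger_seattachmentsrel.attachmentsid where vtiger_crmentity.setype='Contacts Image' and vtiger_seattachmentsrel.crmid=?";
        $res = $adb->pquery($att_sql, array($id));
        $attachmentsid = $adb->query_result($res, 0, 'attachmentsid');
        if ($attachmentsid != '') {
            $adb->delete('vtiger_seattachmentsrel', 'crmid = ? AND attachmentsid = ?', [$id, $attachmentsid]);
            $adb->delete('vtiger_crmentity', 'crmid = ?', [$attachmentsid]);
        }
    }

    // Every path ends by linking the new attachment to the entity.
    $adb->insert('vtiger_seattachmentsrel', ['crmid' => $id, 'attachmentsid' => $current_id]);
    return true;
}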