Index: modules/uploads/add2db.php
===================================================================
--- modules/uploads/add2db.php (revision 1)
+++ modules/uploads/add2db.php (working copy)
@@ -11,12 +11,17 @@
 require_once('include/database/PearDatabase.php');
 require_once('include/utils/utils.php');
+require_once('include/logging.php');
+global $log;
+
 global $current_user;
 $vtigerpath = $_SERVER['REQUEST_URI'];
 $vtigerpath = str_replace("/index.php?module=uploads&action=add2db", "", $vtigerpath);
 $crmid = $_REQUEST['return_id'];
+$log->debug("DGDEBUG In add2db.php");
+
 // Arbitrary File Upload Vulnerability fix - Philip
 $binFile = $_FILES['filename']['name'];
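Review bot: `global $log;` imports a variable that nothing in this hunk assigns, so the new `$log->debug("DGDEBUG In add2db.php")` will fail with a method call on a non-object unless include/logging.php itself creates `$log`; in the vtiger builds I know, logging.php only defines the LoggerManager class and each script obtains its own logger via `LoggerManager::getLogger(...)`, so confirm which applies to this revision and, if the latter, obtain the logger here instead of declaring it global. At file scope `global $log;` is also a no-op, which is a second hint the line was meant to be an assignment. The `DGDEBUG`-prefixed messages in this and the two following hunks read as temporary tracing, and in the next hunk they write request values and complete SQL statements into the log; consider removing them before the change lands.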
@@ -53,6 +58,47 @@
 $query .= $current_id."','".$current_user->id."','".$current_user->id."','".$_REQUEST['return_module'].' Attachment'."','".$description."','".$date_var."')";
 $result = $adb->query($query);
+ # Added by DG 26 Oct 2005
+ # Attachments added to contacts are also added to their accounts
+ $log->debug("DGDEBUG Here's the test:");
+ $log->debug("DGDEBUG return_module: ".$_REQUEST['return_module']);
+ if ($_REQUEST['return_module'] == 'Contacts') {
+ $log->debug("DGDEBUG Passed the test.");
+ $crmid = $_REQUEST['return_id'];
+ $query = 'select accountid from vtiger_contactdetails where contactid='.$crmid;
+ $log->debug("DGDEBUG Running query: ".$query);
+ $result = $adb->query($query);
+ if($adb->num_rows($result) != 0) {
+
+ $log->debug("DGDEBUG Returned a row");
+
+ $associated_account = $adb->query_result($result,0,"accountid");
+ # Now make sure that we haven't already got this attachment associated to this account
+ # Hmmm... if this works, should we NOT upload the attachment again, and just set the relation for the contact too?
+ $log->debug("DGDEBUG Associated Account: ".$associated_account);
+ $query = "select name,attachmentsize from vtiger_attachments where name= '".$filename."'";
+ $result = $adb->query($query);
+ if($adb->num_rows($result) != 0) {
+ $log->debug("DGDEBUG Matched a row");
+ # Whoops! We matched the name. Is it the same size?
+ $dg_size = $adb->query_result($result,0,"attachmentsize");
+
+ $log->debug("DGDEBUG: These should be the same size: ".$dg_size." ".$filesize);
+ if ($dg_size == $filesize) {
+ # Yup, it is probably the same file
+ $associated_account = '';
+ }
+ }
+ }
+ else {
+ $associated_account = '';
+ }
+ }
+
+ # DG 19 June 2006
+ # Strip out single quotes from filenames
+ $filename = preg_replace('/\'/', '', $filename);
+
 $sql = "insert into vtiger_attachments values(";
 $sql .= $current_id.",'".$filename."','".$description."','".$filetype."','".$upload_filepath."')";
 $result = $adb->query($sql);
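Review bot: Both new queries are assembled by concatenating request-controlled data: `$crmid` is `$_REQUEST['return_id']` copied verbatim into `where contactid=`, and `$filename`, which the first hunk shows is derived from the uploaded file's name, is placed inside quotes in the `vtiger_attachments` lookup, so either value can change the statement's meaning. Cast the id before use, `$crmid = (int) $_REQUEST['return_id'];`, and pass the filename as a bound parameter through PearDatabase's parameterised query method (`pquery` with a `?` placeholder, if this revision provides it) or at least through the driver's escaping function rather than raw interpolation. The later `$filename = preg_replace('/\'/', '', $filename);` cannot stand in for that: it runs after the lookup has already executed and strips only single quotes, so backslashes still reach the following `insert into vtiger_attachments` unescaped. The enclosing block begins and ends outside this hunk.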
@@ -62,6 +108,16 @@
 $sql1 .= $crmid."','".$current_id."')";
 $result = $adb->query($sql1);
+ # Added by DG 26 Oct 2005
+ # Attachments added to contacts are also added to their accounts
+ if ($associated_account) {
+ $log->debug("DGDEBUG: inserting into vtiger_seattachmentsrel from add2db 2");
+ $sql1 = "insert into vtiger_seattachmentsrel values('";
+ $sql1 .= $associated_account."','".$current_id."')";
+ $log->debug("DGDEBUG: Here's the query: ".$sql1);
+ $result = $adb->query($sql1);
+ }
+
 echo '';
 }
 else
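Review bot: `$associated_account` is read by the new `if ($associated_account)` but is only ever assigned inside the `return_module == 'Contacts'` branch added in the previous hunk, so every upload for another module reaches this check with an undefined variable and raises a PHP notice. Initialise it ahead of that branch, `$associated_account = '';`, so the skip is deterministic and the intent is visible at the point of use. The account id is spliced into `$sql1` by concatenation as well; it comes from the database rather than the request, but binding it the same way as the other statement values would keep this file consistent once those are parameterised. The enclosing if/else starts outside this hunk.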