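<?php
// Page prelude for attachments.php: flag this request as a top-level entry
// point for the shared config, load that config, then refuse to render the
// page for a visitor whose session carries no login flag.
// NOTE(review): $_SESSION is read below but session_start() is not called
// here — presumably config.php starts the session; confirm, otherwise every
// request is redirected.
define('__INCLUDE', true);
require_once("config.php");
// empty() handles both an unset key and a false/empty value without the @
// suppression operator, which would also have hidden unrelated notices.
if (empty($_SESSION['login'])) {
    // A Location header redirects clients that do not run JavaScript; the
    // original script tag is kept as the response body as a fallback (and
    // for the case where config.php already emitted output so headers
    // cannot be sent). die() guarantees nothing below this line reaches an
    // unauthenticated visitor.
    header('Location: index.php');
    die("<script>location='index.php'</script>");
}
?>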
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Attachments</title>
<link rel="stylesheet" href="../newsite/nav.css" type="text/css">
<style>
<!--
div.Section1
{page:Section1;}
div.Section2
{page:Section2;}
div.Section3
{page:Section3;}
-->
</style>
</head>
<body>
<h1><br>
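<?php include("header.php"); /* shared page header; full open tag so the include runs (and the source is not echoed as text) when short_open_tag is off */ ?>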
</h1>
<!-- behind masthead -->
<div id="masthead">
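<?php include("nav.php"); /* shared navigation fragment; full open tag so the include runs (and the source is not echoed as text) when short_open_tag is off */ ?>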
</div>
<!-- end masthead -->
<!-- begin content -->
<div id="content"><div class="story">
<?php
if (!isset($GET['cmd']))
{
$sql = "SELECT * FROM properties";
if (!mysql_num_rows(mysql_query($sql)))
$msg = "Sorry, there are no properties currently. Would you like to <a href='add.php'>add</a> one?";
else
$result = mysql_query($sql);
?>
<br><br>
<table width="85%" border="1" cellpadding="0" cellspacing="0" bordercolor="#000000">
<tr bordercolor="#000000">
<td width="213"><div align="center"><strong>Property Name</strong></div></td>
<td width="210"><div align="center"><strong>Address</strong></div></td>
<td width="184"><div align="center"><strong>Command</strong></div></td>
</tr>
<?php
$i = 0;
while ($row = mysql_fetch_array($result))
{
(is_int($i / 2)) ? $color = "#eeeeee" : $color = "#FFFFFF";
echo "<tr bordercolor='#000000' bgcolor='$color'>\n<td><center>{$row['name']}</center></td>\n<td><center>{$row['address1']}; {$row['address2']}<br>{$row['city']}, {$row['state']} {$row['zip']}</center></td>\n<td><div align='center'><a href='attachments.php?cmd=add&id={$row['id']}'>Add</a> - <a href='attachments.php?cmd=manage&id={$row['id']}'>Manage</a></div></td>\n</tr>\n";
$i++;
}
echo "</table><Br><Br>";
}
elseif ($GET['cmd'] == "add")
{
if (!isset($POST['submit']))
{
if (!isset($GET['id']))
alert("You need to specify an ID to use with this script!");
$sql = "SELECT name,status FROM properties WHERE id={$_GET['id']}";
$result = mysql_query($sql) or die(mysql_error());
if (!mysql_num_rows($result))
alert("You have entered an inavlid ID.");
$row = mysql_fetch_array($result);
switch ($row['status'])
{
case "o":
$status = "Owned";
break;
case "m":
$status = "Managed";
break;
case "i":
$status = "Inactive";
break;
default:
$status = "Owned";
break;
}
echo "Adding an attachment for <B>{$row['name']}</b> ($status)...<br><br>";
echo "<br><form action=\"attachments.php?cmd=add&id={$_GET['id']}\" method=\"post\" enctype=\"multipart/form-data\" name=\"form1\">";
echo "Attachment: <input type='file' name='file'><br>";
echo " Description: <input type='text' name='description'>";
echo "<br><br><input type='submit' name='submit' value='Add Attachment'></form>";
}
else
{
$pID = $_GET['id'];
define('MOVE_TO_PATH', "C:\Inetpub\wwwroot\uploads");
$types['jpg'] = 1;
$types['jpeg'] = 1;
$types['pjpeg'] = 1;
$types['bmp'] = 1;
$types['gif'] = 1;
$types['doc'] = 1;
$types['html'] = 1;
$types['htm'] = 1;
if (!is_uploaded_file($_FILES['file']['tmp_name']))
{
file_fail('Possible upload attack');
}
if ($_FILES['file']['size'] <= 0 || $_FILES['file']['size'] > 4000000)
{
file_fail('Size is either 0 or larger then allowed size (4 megabytes)');
}
if (!check_file_type($_FILES['file']['name'], $types))
{
file_fail('Wrong file type');
}
if (@!move_uploaded_file($_FILES['file']['tmp_name'], MOVE_TO_PATH . "\\" . $_FILES['file']['name']))
{
file_fail('Could not move file to upload directory');
}
$sql = "INSERT INTO uploads (pID,name,description,type,size) VALUES ('$pID','{$_FILES['file']['name']}','{$_POST['description']}','{$_FILES['file']['type']}','{$_FILES['file']['size']}')";
mysql_query($sql) or failout('Could not update upload information in database!<br>' . mysql_error());
echo "Your file was successfully uploaded. Please return back <a href='attachments.php'>home</a>.";
}
}
elseif ($GET['cmd'] == "manage")
{
if (!@$GET['id'])
alert("You need to specify an ID to add to this script.");
$sql = "SELECT * FROM uploads WHERE pID={$_GET['id']}";
$result = mysql_query($sql) or die(mysql_error());
if (!mysql_num_rows($result))
alert("You have specified an invalid ID, or the property has no attachments associated with it.");
echo "<table border=1 cellpadding='3' cellspacing='' bordercolor='black'>";
echo "<tr><td><b><center>Filename</center></b></td><td><b><center>Description</center></b></td><td><b><center>Type</center></b></td><td><b><center>Size</center></b></td><td><b><center>Command</center></b></td></tr>\n";
$i = 0;
while ($row = mysql_fetch_array($result))
{
(is_int($i / 2)) ? $color = "#eeeeee" : $color = "#FFFFFF";
if (eregi('image', $row['type']) || eregi('html', $row['type']))
$commands = "<a href='../uploads/{$row['name']}'>View</a> - <a href='download.php?id={$row['id']}'>Download</a> - <a href='attachments.php?cmd=edit&pid={$_GET['id']}&id={$row['id']}'>Edit</a> - <a href='attachments.php?cmd=remove&pid={$_GET['id']}&id={$row['id']}'>Remove</a>";
else
$commands = "<a href='download.php?id={$row['id']}'>Download</a> - <a href='attachments.php?cmd=edit&pid={$_GET['id']}&id={$row['id']}'>Edit</a> - <a href='attachments.php?cmd=remove&pid={$_GET['id']}&id={$row['id']}'>Remove</a>";
echo "<tr bgcolor='$color'><td>{$row['name']}</td><td>{$row['description']}</td><td>{$row['type']}</td><td>{$row['size']}</td><td><center>$commands</center></td></tr>\n";
$i++;
}
echo "</table><Br><br>";
}