&field=upload&num=&preSaveTempId='
height='100' width='600' frameborder='0' scrolling='no'>
*/
//
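// Request parameters.  Missing keys default to empty values instead of relying on '@'
// suppression, and the record number is cast to an int before it reaches any query.
$table         = isset($_REQUEST['table'])         ? $_REQUEST['table']         : '';
$field         = isset($_REQUEST['field'])         ? $_REQUEST['field']         : '';
$recordNum     = isset($_REQUEST['num'])           ? intval($_REQUEST['num'])   : 0;
$preSaveTempId = isset($_REQUEST['preSaveTempId']) ? $_REQUEST['preSaveTempId'] : '';

// Detect a real form submission from the server's request method.  The original read
// $_REQUEST['REQUEST_METHOD'], which is a client-supplied value rather than the method.
$submittedForm = (isset($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] == 'POST')
                 || !empty($_REQUEST['submitForm']);
$errorsAndAlerts = '';
$newUploadNums   = array(); // populated by saveUpload() for each saved upload

// SECURITY WARNING: BE SURE TO ADD SECURITY CHECKS BELOW TO ENSURE USERS CAN'T
// ADD OR MODIFY UPLOADS FROM ANY RECORDS THEY ARE NOT SUPPOSED TO.
$allowedTables = array('every_field_multi');
$allowedFields = array('upload');

// error checking - table and field are validated against the allow-lists BEFORE they are
// interpolated into any SQL (the ownership query below uses $table directly).
if (!$table) { die("No 'tablename' value specified in url!"); }
elseif (!in_array($table, $allowedTables, true)) { die("Tablename '" .htmlencode($table). "' isn't in list of allowed tablenames!"); }
if (!$field) { die("No 'fieldname' value specified in url!"); }
elseif (!in_array($field, $allowedFields, true)) { die("Fieldname '" .htmlencode($field). "' isn't in list of allowed fieldnames!"); }
if (!$recordNum && !$preSaveTempId) { die("No 'recordNum' or 'preSaveTempId' value was specified!"); }

$contentType = isset($_SERVER['CONTENT_TYPE']) ? $_SERVER['CONTENT_TYPE'] : '';
if ($submittedForm && !preg_match("/multipart\/form-data/", $contentType)) {
    die("Upload Error: <form> tag must have enctype=\"multipart/form-data\"");
}

// ownership check - if a $recordNum was supplied, ensure the current user owns it before doing anything!
if ($recordNum) {
    if (empty($CURRENT_USER)) { die("You must login to modify a record!"); }
    // $table is allow-listed and $recordNum is an int, so both are safe to interpolate here
    $record = mysql_get_query("SELECT * FROM {$TABLE_PREFIX}$table WHERE num = '$recordNum'");
    if (!$record || !isset($record['createdByUserNum']) || $record['createdByUserNum'] != $CURRENT_USER['num']) {
        die("Invalid recordNum");
    }
}

// save uploads
foreach (getUploadInfoArrays() as $uploadInfo) { // add uploads
    $errorsAndAlerts .= saveUpload($table, $field, $recordNum, $preSaveTempId, $uploadInfo, $newUploadNums);

    // Optional info1/info2 values are stored on the upload row just created.  They come
    // straight from the request, so they are escaped before being placed in the query.
    $setClauses = array();
    foreach (array('info1', 'info2') as $infoField) {
        if (empty($_REQUEST[$infoField]) || !is_scalar($_REQUEST[$infoField])) { continue; }
        $setClauses[] = "$infoField = '" . mysqli()->real_escape_string((string) $_REQUEST[$infoField]) . "'";
    }
    if (!$setClauses) { continue; }

    if ($recordNum) {
        // Locate the most recent upload for this recordNum/fieldName/tableName.
        // MySQL can not select from the same table it updates in one query, so two queries are used.
        $numResult = mysql_get_query("SELECT num
                                        FROM " . $GLOBALS['TABLE_PREFIX'] . "uploads
                                       WHERE recordNum = '$recordNum'
                                         AND fieldName = '$field'
                                         AND tableName = '$table'
                                    ORDER BY createdTime DESC
                                       LIMIT 1");
        if (empty($numResult['num'])) { continue; } // nothing was saved for this upload, skip it
        $whereClause = "num = " . intval($numResult['num']);
    }
    else {
        $whereClause = "preSaveTempId = '" . mysqli()->real_escape_string($preSaveTempId) . "'";
    }

    mysqli()->query("UPDATE " . $GLOBALS['TABLE_PREFIX'] . "uploads SET " . implode(', ', $setClauses) . " WHERE $whereClause");
}

// remove uploads
if (!empty($_REQUEST['removeUpload'])) { // delete upload
    $uploadNum = intval($_REQUEST['removeUpload']); // upload nums are integers (see the num= clause above)
    removeUpload($uploadNum, $recordNum, $preSaveTempId);
}

// load uploads
$uploads = getUploadRecords($table, $field, $recordNum, $preSaveTempId);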
?>