<?php
$page_title = "Add File | CES Admin";
// Shared helpers for the course registration system, then the global configuration values.
include_once("{$_SERVER['DOCUMENT_ROOT']}/php/common_functions.php");
include_once("{$_SERVER['DOCUMENT_ROOT']}/php/config.php");
// The admin-only gate runs before any HTML is emitted.
check_if_authenticated('admin');
// HTML heading shared by every page in the CES admin module.
include_once("{$_SERVER['DOCUMENT_ROOT']}/admin/php/top-admin.php");
?>
<article class="ces-admin">
<h2>CES Admin - Add File</h2>
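<?php
// Setup some variables used in the script.
$max_filesize = 2097152; // 2 MB max filesize, in bytes
$types_array = array("application/pdf"); // MIME types the form will accept; add more here to accept other filetypes
// Characters stripped from an uploaded file name. At the time only '#' caused a problem when deleting the file,
// but a broader set is removed to prevent future problems. '/' is included so a client-supplied name can never
// carry a path component into the stored filename.
$bad_characters = array("#", "!", "@", "$", "%", "^", "&", "*", "(", ")", "+", "=", "[", "]", "{", "}", "|", "<", ">", "?", "'", "\\", "/");
include_once($_SERVER['DOCUMENT_ROOT'] . "/admin/php/nav-admin.php");
// Opens the connection to the database; every query on this page depends on it, so report a failure visibly
// instead of letting the first query fail with a less helpful message.
$db = mysqli_connect($mysql_server, $user, $pass, $database);
if ($db === false) {
    echo "<p class='alert alert-error'>Error - could not connect to the database.</p>";
}
?>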
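<?php
// The session being edited: the form posts it back as a hidden field; the first visit passes it on the URL.
$session_id = 0;
if (isset($_POST['session_id'])) {
    $session_id = $_POST['session_id'];
} elseif (isset($_GET['session_id'])) {
    $session_id = $_GET['session_id'];
}

if (isset($_GET['action']) && $_GET['action'] === 'remove_file') { // delete one file from the session and from the filesystem
    // NOTE(review): this state-changing action is reached through a GET link from the listing below; it should
    // move to a POST form carrying a CSRF token. Kept on GET here so the existing link keeps working.
    $requested_session = isset($_GET['session_id']) ? (string) $_GET['session_id'] : '';
    $requested_file = isset($_GET['filename']) ? (string) $_GET['filename'] : '';
    // Both values come straight from the URL, so they are bound parameters rather than interpolated SQL.
    $file_sql = "DELETE FROM ces_files_to_sessions WHERE session_id = ? AND filename = ?";
    $query_ok = false;
    $row_removed = false;
    $delete_stmt = mysqli_prepare($db, $file_sql);
    if ($delete_stmt !== false) {
        mysqli_stmt_bind_param($delete_stmt, 'ss', $requested_session, $requested_file);
        $query_ok = mysqli_stmt_execute($delete_stmt);
        $row_removed = $query_ok && mysqli_stmt_affected_rows($delete_stmt) > 0;
        mysqli_stmt_close($delete_stmt);
    }
    if (!$query_ok) {
        print_sql_error('<br>Error - file removal failed when trying to do:', $file_sql);
    } elseif (!$row_removed) {
        // Nothing matched: the URL named a file that is not attached to this session, so nothing is unlinked either.
        echo "<p class='alert alert-error'>Error - that file is not attached to this session.</p>";
    } else {
        $file_name = $requested_file;
        // Needed on Windows, where ':' in a stored name is replaced by '_' in the actual filename. This is a real
        // condition: a stray ';' after the if would make the replacement unconditional on every platform.
        if (DIRECTORY_SEPARATOR === '\\') {
            $file_name = str_replace(":", "_", $file_name);
        }
        // Now delete the file from the filesystem, but only when it resolves to a regular file inside the upload
        // directory (the same "../../sessions/files" the upload below writes to). The database row matching is
        // not enough on its own to make an arbitrary path safe to unlink.
        $files_dir = realpath("../../sessions/files");
        $resolved = realpath($file_name);
        $prefix = $files_dir === false ? false : $files_dir . DIRECTORY_SEPARATOR;
        $inside_files_dir = $resolved !== false && $prefix !== false
            && strncmp($resolved, $prefix, strlen($prefix)) === 0
            && is_file($resolved);
        if ($inside_files_dir && unlink($resolved)) {
            echo "<p class='alert alert-success'>The file was deleted successfully.</p>";
        } else {
            echo "<p class='alert alert-error'>The file record was removed, but the file itself could not be deleted from the server.</p>";
        }
    }
}

if (isset($_POST['submit'])) { // form has been submitted, don't prompt for info; add file to database and show what has been added
    $upload = isset($_FILES['file']) && is_array($_FILES['file']) ? $_FILES['file'] : array();
    $upload_error = isset($upload['error']) ? (int) $upload['error'] : UPLOAD_ERR_NO_FILE;
    $upload_size = isset($upload['size']) ? (int) $upload['size'] : 0;
    // Makes sure a file actually arrived intact, is greater than 0 and no larger than $max_filesize.
    if ($upload_error !== UPLOAD_ERR_OK || $upload_size <= 0 || $upload_size > $max_filesize) {
        echo "<p class='alert alert-error'>Error - The file you tried to submit is either too big or does not exist.<br>
Please add a file that is smaller than " . $max_filesize / 1024 . " Kilobytes.</p>";
    } else {
        // Determine the type from the file's contents; $_FILES['file']['type'] is whatever the browser declared
        // and is not checked by PHP, so it must not be the basis for the allowlist decision.
        $detected_type = false;
        $finfo = finfo_open(FILEINFO_MIME_TYPE);
        if ($finfo !== false) {
            $detected_type = finfo_file($finfo, $upload['tmp_name']);
            finfo_close($finfo);
        }
        if ($detected_type === false) {
            echo "\n<p class='alert alert-error'>Error - The type of the uploaded file could not be determined, so it was not added.</p>";
        } elseif (!validate_filetype($types_array, $detected_type)) { // must be one of the allowable types in $types_array
            echo "\n<p class='alert alert-error'>Error - The file you tried to upload is of type " . htmlspecialchars($detected_type, ENT_QUOTES, 'UTF-8') . " and is not a allowed file type.</p>";
        } else { // file looks ok, so move it into place and insert into the database
            // 2015-08-07 - nwmosses - changed naming format closer to ISO standard
            $date_stamp = date('Y-m-d-H-i-s');
            // Keep only the last path component of the client-supplied name (either separator style), then
            // 2010-11-25 - wsopko - strip off any special characters to prevent problems when files get deleted,
            // and 2015-08-07 - nwmosses - replace spaces with '-' to have cleaner file names.
            $clean_filename = basename(str_replace("\\", "/", (string) $upload['name']));
            $clean_filename = str_replace($bad_characters, "", $clean_filename);
            $clean_filename = str_replace(" ", "-", $clean_filename);
            if ($clean_filename === '' || $clean_filename === '.' || $clean_filename === '..') {
                $clean_filename = 'file'; // nothing usable survived cleaning
            }
            // NOTE(review): the client-supplied extension is kept as-is; only the content type is checked.
            // Give the uploaded file a unique filename.
            $uploaded_file = "../../sessions/files/" . $date_stamp . "-" . $clean_filename;
            if (!move_uploaded_file($upload['tmp_name'], $uploaded_file)) {
                echo "\n<p class='alert alert-error'>Error - The uploaded file could not be saved on the server.</p>";
            } else {
                // The description is stored HTML-encoded, as before; display_immediately is the 0/1 select value.
                $file_description = htmlentities(isset($_POST['file_description']) ? $_POST['file_description'] : '', ENT_QUOTES);
                $display_immediately = isset($_POST['display_immediately']) ? (int) $_POST['display_immediately'] : 0;
                $sql = "INSERT INTO ces_files_to_sessions (filename, session_id, file_description, display_immediately) VALUES (?, ?, ?, ?)";
                $inserted = false;
                $insert_stmt = mysqli_prepare($db, $sql);
                if ($insert_stmt !== false) {
                    mysqli_stmt_bind_param($insert_stmt, 'sssi', $uploaded_file, $session_id, $file_description, $display_immediately);
                    $inserted = mysqli_stmt_execute($insert_stmt);
                    mysqli_stmt_close($insert_stmt);
                }
                if ($inserted) { // the insert was successful
                    $link = htmlspecialchars($uploaded_file, ENT_QUOTES, 'UTF-8');
                    $label = htmlspecialchars($date_stamp . "-" . $clean_filename, ENT_QUOTES, 'UTF-8');
                    echo "\n<p class='alert alert-success'>The file: <a href='" . $link . "' target='_blank'>" . $label . "</a> was added successfully.</p>";
                } else {
                    // Don't leave an orphaned file behind when its database record could not be written.
                    unlink($uploaded_file);
                    print_sql_error('Error - could not add the file when trying to do:', $sql);
                }
            }
        }
    }
}
?>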
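<?php /* PHP_SELF and $session_id both originate from the request, so each is HTML-escaped where it is echoed. */ ?>
<form enctype="multipart/form-data" method='post' action='<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8'); ?>'>
<input type="hidden" name="session_id" value="<?php echo htmlspecialchars((string) $session_id, ENT_QUOTES, 'UTF-8'); ?>">
<div class="form-group">
<label for='file'>Select File:</label>
<input class="form-control" type="file" id="file" name="file" size="35" required>
<p class="alert alert-info">Note: File must be in PDF format and be less than <?php echo $max_filesize / 1024; ?> Kilobytes in size.</p>
</div>
<div class="form-group">
<label for="display_immediately">Display Immediately:</label>
<select class="form-control" style="width:20%;" id="display_immediately" name="display_immediately">
<option value="0">No</option>
<option value="1">Yes</option>
</select>
</div>
<div class="form-group">
<label for="file_description">File Title:</label>
<input class="form-control" type="text" id="file_description" name="file_description" size="30" maxlength="30" required>
</div>
<div class="form-group">
<input class="btn btn-lg btn-block ces-green-btn" type='submit' name='submit' value="Add File">
<a class='btn btn-lg btn-block ces-orange-btn' href='../sessions/edit.php?session_id=<?php echo htmlspecialchars(rawurlencode((string) $session_id), ENT_QUOTES, 'UTF-8'); ?>'>Back</a>
</div>
</form>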
<h5>List of Attached Files</h5>
<ul>
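<?php
// List the files that are attached to this session. $session_id comes from the request, so it is bound
// rather than interpolated into the query.
$list_sql = "SELECT filename, file_description, display_immediately FROM ces_files_to_sessions WHERE session_id = ? ORDER BY file_description";
$file_sql = false; // result set; false when the query could not be run
$list_stmt = mysqli_prepare($db, $list_sql);
if ($list_stmt !== false) {
    mysqli_stmt_bind_param($list_stmt, 's', $session_id);
    if (mysqli_stmt_execute($list_stmt)) {
        // mysqli_stmt_get_result needs the mysqlnd driver; the result is buffered, so the statement can be closed.
        $file_sql = mysqli_stmt_get_result($list_stmt);
    }
    mysqli_stmt_close($list_stmt);
}
if ($file_sql === false) {
    print_sql_error('Error - could not list the attached files when trying to do:', $list_sql);
} elseif (mysqli_num_rows($file_sql) > 0) {
    echo "<table class='table table-striped'>\n";
    echo " <thead>\n";
    echo "  <tr>\n";
    echo "   <th>Name</th>\n";
    echo "   <th>Size</th>\n";
    echo "   <th>Display Immediately</th>\n";
    echo "   <th>Date Modified</th>\n";
    echo "   <th>Delete</th>\n";
    echo "  </tr>\n";
    echo " </thead>\n";
    echo " <tbody>\n";
    while ($file_query = mysqli_fetch_assoc($file_sql)) {
        $file_name = $file_query['filename'];
        $exists = is_file($file_name); // the record can outlive the file, so size/date are only read when it exists
        // Everything echoed into HTML or a URL is escaped. The description was HTML-encoded on insert
        // (htmlentities), so it is decoded first to avoid double encoding while still rendering as text.
        $href = htmlspecialchars($file_name, ENT_QUOTES, 'UTF-8');
        $description = htmlspecialchars(html_entity_decode((string) $file_query['file_description'], ENT_QUOTES, 'UTF-8'), ENT_QUOTES, 'UTF-8');
        $remove_href = htmlspecialchars(
            $_SERVER['PHP_SELF'] . "?action=remove_file&session_id=" . rawurlencode((string) $session_id) . "&filename=" . rawurlencode($file_name),
            ENT_QUOTES,
            'UTF-8'
        );
        echo "  <tr>\n";
        echo "   <td><a href=\"" . $href . "\" target='_blank'>" . $description . "</a></td>\n";
        echo "   <td>" . ($exists ? human_filesize(filesize($file_name), 0) : 'missing') . "</td>\n";
        echo "   <td>" . ($file_query['display_immediately'] ? 'Yes' : 'No') . "</td>\n";
        echo "   <td>" . ($exists ? date("F d Y H:i:s", filemtime($file_name)) : 'missing') . "</td>\n";
        echo "   <td><a class='no-icon' href=\"" . $remove_href . "\"><span class='glyphicon glyphicon-trash'></span></a></td>\n";
        echo "  </tr>\n";
    }//while
    echo " </tbody>\n";
    echo "</table>\n";
} else {
    echo "<p>No Files attached</p>";
}
?>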
</article>
</section><!-- #middle-->
</div><!-- #wrapper -->
<?php // Page footer shared by the site. ?>
<?php require_once("{$_SERVER['DOCUMENT_ROOT']}/require/footer.php"); ?>
<!-- end admin_html_bottom.php -->
<?php
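/**
 * Determines whether a submitted MIME type is one of the allowed types.
 *
 * @param string[]    $types_array allowable MIME types (the page's $types_array)
 * @param string|null $file_type   type to check; null (no upload) is never valid
 * @return bool true only on an exact match with an allowed type
 */
function validate_filetype(array $types_array, $file_type): bool
{
    // Strict comparison: a loose == would compare numeric-looking strings by value.
    return in_array($file_type, $types_array, true);
}//validate_filetype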
?>