BREAKING CHANGE New file upload method for contacts to not specify full path in database to reduce the db load and size as well as give better error control

client_contacts.php

@@ -136,7 +136,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
               <a class="text-dark" href="#" data-toggle="modal" data-target="#editContactModal<?php echo $contact_id; ?>">
                 <?php if(!empty($contact_photo)){ ?>
               
-                <img height="48" width="48" class="img-fluid rounded-circle" src="<?php echo $contact_photo; ?>">
+                <img height="48" width="48" class="img-fluid rounded-circle" src="<?php echo "uploads/clients/$session_company_id/$client_id/$contact_photo"; ?>">
                 
                 <?php }else{ ?>
     

edit_contact_modal.php

@@ -10,7 +10,7 @@
       <form action="post.php" method="post" enctype="multipart/form-data" autocomplete="off">
         <input type="hidden" name="contact_id" value="<?php echo $contact_id; ?>">
         <input type="hidden" name="client_id" value="<?php echo $client_id; ?>">
-        <input type="hidden" name="current_avatar_path" value="<?php echo $contact_photo; ?>">
+        <input type="hidden" name="existing_file_name" value="<?php echo $contact_photo; ?>">
         <div class="modal-body bg-white">
 
           <ul class="nav nav-pills nav-justified mb-3">
@@ -99,7 +99,7 @@
 
               <center>
                 <?php if(!empty($contact_photo)){ ?>
-                <img class="img-fluid rounded-circle" src="<?php echo $contact_photo; ?>" height="256" width="256">
+                <img class="img-fluid rounded-circle" src="<?php echo "uploads/clients/$session_company_id/$client_id/$contact_photo"; ?>" height="256" width="256">
                 <?php }else{ ?>
                 <span class="fa-stack fa-4x">
                   <i class="fa fa-circle fa-stack-2x text-secondary"></i>

header.php

@@ -70,8 +70,8 @@ scratch. This page gets rid of all links and provides the needed markup only.
         </div>
       <?php
       
-      $_SESSION['alert_type'] = '';
-      $_SESSION['alert_message'] = '';
+      unset($_SESSION['alert_type']);
+      unset($_SESSION['alert_message']);
 
     }
 

post.php

@@ -3156,14 +3156,7 @@ if(isset($_POST['add_contact'])){
         mkdir("uploads/clients/$session_company_id/$client_id");
     }
 
-    if($_FILES['file']['tmp_name']!='') {
-        $path = "uploads/clients/$session_company_id/$client_id/";
-        $path = $path . time() . basename( $_FILES['file']['name']);
-        $file_name = basename($path);
-        move_uploaded_file($_FILES['file']['tmp_name'], $path);
-    }
-
-    mysqli_query($mysqli,"INSERT INTO contacts SET contact_name = '$name', contact_title = '$title', contact_phone = '$phone', contact_extension = '$extension', contact_mobile = '$mobile', contact_email = '$email', contact_photo = '$path', contact_notes = '$notes', contact_created_at = NOW(), contact_client_id = $client_id, company_id = $session_company_id");
+    mysqli_query($mysqli,"INSERT INTO contacts SET contact_name = '$name', contact_title = '$title', contact_phone = '$phone', contact_extension = '$extension', contact_mobile = '$mobile', contact_email = '$email', contact_notes = '$notes', contact_created_at = NOW(), contact_client_id = $client_id, company_id = $session_company_id");
 
 
     //Update Primay contact in clients if primary contact is checked
@@ -3172,10 +3165,45 @@ if(isset($_POST['add_contact'])){
         mysqli_query($mysqli,"UPDATE clients SET primary_contact = $contact_id WHERE client_id = $client_id");
     }
 
+    //Check to see if a file is attached
+    if($_FILES['file']['tmp_name'] != ''){
+        
+        // get details of the uploaded file
+        $file_tmp_path = $_FILES['file']['tmp_name'];
+        $file_name = $_FILES['file']['name'];
+        $file_size = $_FILES['file']['size'];
+        $file_type = $_FILES['file']['type'];
+        $file_name_cmps = explode(".", $file_name);
+        $file_extension = strtolower(end($file_name_cmps));
+
+        // sanitize file-name
+        $new_file_name = md5(time() . $file_name) . '.' . $file_extension;
+
+        // check if file has one of the following extensions
+        $allowed_file_extensions = array('jpg', 'gif', 'png');
+     
+        if(in_array($file_extension, $allowed_file_extensions)){
+            // directory in which the uploaded file will be moved
+            $upload_file_dir = "uploads/clients/$session_company_id/$client_id/";
+            $dest_path = $upload_file_dir . $new_file_name;
+
+            if(move_uploaded_file($file_tmp_path, $dest_path)){
+                mysqli_query($mysqli,"UPDATE contacts SET contact_photo = '$new_file_name' WHERE contact_id = $contact_id");
+
+                $_SESSION['alert_message'] = 'File successfully uploaded.';
+            }else{
+                $_SESSION['alert_message'] = 'There was an error moving the file to upload directory. Please make sure the upload directory is writable by web server.';
+            }
+        }else{
+            $_SESSION['alert_message'] = 'Upload failed. Allowed file types: ' . implode(',', $allowed_file_extensions);
+            $_SESSION['alert_type'] = 'danger';
+        }
+    }
+
     //Logging
     mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Contact', log_action = 'Create', log_description = '$name', log_created_at = NOW(), company_id = $session_company_id, log_user_id = $session_user_id");
 
-    $_SESSION['alert_message'] = "Contact added";
+    $_SESSION['alert_message'] .= "Contact added";
     
     header("Location: " . $_SERVER["HTTP_REFERER"]);
 
@@ -3194,30 +3222,61 @@ if(isset($_POST['edit_contact'])){
     $primary_contact = intval($_POST['primary_contact']);
     $notes = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['notes'])));
 
-    $path = strip_tags(mysqli_real_escape_string($mysqli,$_POST['current_avatar_path']));
+    $existing_file_name = strip_tags(mysqli_real_escape_string($mysqli,$_POST['existing_file_name']));
 
     if(!file_exists("uploads/clients/$session_company_id/$client_id")) {
         mkdir("uploads/clients/$session_company_id/$client_id");
     }
 
-    if($_FILES['file']['tmp_name']!='') {
-        $path = "uploads/clients/$session_company_id/$client_id/";
-        $path = $path . time() . basename( $_FILES['file']['name']);
-        $file_name = basename($path);
-        move_uploaded_file($_FILES['file']['tmp_name'], $path);
-    }
-
-    mysqli_query($mysqli,"UPDATE contacts SET contact_name = '$name', contact_title = '$title', contact_phone = '$phone', contact_extension = '$extension', contact_mobile = '$mobile', contact_email = '$email', contact_photo = '$path', contact_notes = '$notes', contact_updated_at = NOW() WHERE contact_id = $contact_id AND company_id = $session_company_id");
+    mysqli_query($mysqli,"UPDATE contacts SET contact_name = '$name', contact_title = '$title', contact_phone = '$phone', contact_extension = '$extension', contact_mobile = '$mobile', contact_email = '$email', contact_notes = '$notes', contact_updated_at = NOW() WHERE contact_id = $contact_id AND company_id = $session_company_id");
 
     //Update Primay contact in clients if primary contact is checked
     if($primary_contact > 0){
         mysqli_query($mysqli,"UPDATE clients SET primary_contact = $contact_id WHERE client_id = $client_id");
     }
 
+    //Check to see if a file is attached
+    if($_FILES['file']['tmp_name'] != ''){
+        
+        // get details of the uploaded file
+        $file_tmp_path = $_FILES['file']['tmp_name'];
+        $file_name = $_FILES['file']['name'];
+        $file_size = $_FILES['file']['size'];
+        $file_type = $_FILES['file']['type'];
+        $file_name_cmps = explode(".", $file_name);
+        $file_extension = strtolower(end($file_name_cmps));
+
+        // sanitize file-name
+        $new_file_name = md5(time() . $file_name) . '.' . $file_extension;
+
+        // check if file has one of the following extensions
+        $allowed_file_extensions = array('jpg', 'gif', 'png');
+     
+        if(in_array($file_extension, $allowed_file_extensions)){
+            // directory in which the uploaded file will be moved
+            $upload_file_dir = "uploads/clients/$session_company_id/$client_id/";
+            $dest_path = $upload_file_dir . $new_file_name;
+
+            if(move_uploaded_file($file_tmp_path, $dest_path)){
+                mysqli_query($mysqli,"UPDATE contacts SET contact_photo = '$new_file_name' WHERE contact_id = $contact_id");
+
+                //Delete old file
+                unlink("uploads/clients/$session_company_id/$client_id/$existing_file_name");
+
+                $_SESSION['alert_message'] = 'File successfully uploaded.';
+            }else{
+                $_SESSION['alert_message'] = 'There was an error moving the file to upload directory. Please make sure the upload directory is writable by web server.';
+            }
+        }else{
+            $_SESSION['alert_message'] = 'Upload failed. Allowed file types: ' . implode(',', $allowed_file_extensions);
+            $_SESSION['alert_type'] = 'danger';
+        }
+    }
+
     //Logging
     mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Contact', log_action = 'Modified', log_description = '$name', log_created_at = NOW(), company_id = $session_company_id, log_user_id = $session_user_id");
 
-    $_SESSION['alert_message'] = "Contact updated";
+    $_SESSION['alert_message'] .= "Contact updated";
     
     header("Location: " . $_SERVER["HTTP_REFERER"]);