upload.php at Simple Document Management System

<?php
  require('lib/config.inc.php');
  require('lib/auth.inc.php');
  require('lib/classes.inc.php');
  require('lib/functions.inc.php');

  /*
   * Basic input validation.
   */
  $doc_id = intval($_REQUEST['doc_id']);
  $info   = mysql_real_escape_string($_REQUEST['info']);

  $user = new user($_SESSION['login']);

  function upload_failed($message) {
    global $userfile;

    // Trash it.
    @unlink($userfile);

    echo "<h2 align=\"center\">Error: $message</h2>\n";
    print_footer();
    exit;
  }

  function add_standard_access($document_id,$level = "R") {
    global $user;
    // Owner access.
    @mysql_query("INSERT INTO ACL(user_id,document_id,level) VALUES($user->id,$document_id,'W')");

    // Others - set what was specified.
    switch($level) {
      case "X":
        break;
      default:
        $res = @mysql_query("SELECT id FROM users");
        while($row = @mysql_fetch_array($res))
          @mysql_query("INSERT INTO ACL(user_id,document_id,level) VALUES($row[id],$document_id,'$level')");
       break;
    }
    return;
  }

  print_header("Uploading Document");

  if(!isset($_FILES['userfile']))
    upload_failed("Document was not found");

  if(!file_exists($_FILES['userfile']['tmp_name']))
    upload_failed("Document was not uploaded");

  $fp = fopen($_FILES['userfile']['tmp_name'], "r");
  if(!$fp)
    upload_failed("Cannot open uploaded documentile");
  $content = fread($fp, $_FILES['userfile']['size']);
  fclose($fp);
  unlink($_FILES['userfile']['tmp_name']);

  $res = @mysql_query("INSERT INTO documents(name,type,size,author,maintainer,revision,created) VALUES('".mysql_real_escape_string($_FILES['userfile']['name'])."','".mysql_real_escape_string($_FILES['userfile']['type'])."',".intval($_FILES['userfile']['size']).",$user->id,$user->id,1,NOW())");

  switch( mysql_errno() ) {

    case 0:
        $doc_id = mysql_insert_id();
        @mysql_query("INSERT INTO documents_content(id,content) VALUES($doc_id,'". base64_encode($content) ."')");
        if(mysql_errno() ) {
            $error = mysql_error();
            @mysql_query("DELETE FROM documents WHERE id=$doc_id");
            upload_failed( "Index ($doc_id) succeeded, but content failed<br>Error: $error" );
        } else {
            if($info) {
                @mysql_query("INSERT INTO documents_info(id,info) VALUES($doc_id,'". $info ."')");
                if(mysql_errno() ) {
                    $error = mysql_error();
                    @mysql_query("DELETE FROM documents WHERE id=$doc_id");
                    @mysql_query("DELETE FROM documents_content WHERE id=$doc_id");
                    upload_failed( "Index ($doc_id) and content succeeded, but info failed<br>Error: $error" );
                }
            }
        }
        add_standard_access($doc_id,$level);
        $keywords = ereg_replace(",", " ", $keywords);
        $keywords = ereg_replace("  ", " ", $keywords);
        $keywords = explode(" ", $keywords);
        $keyword = current($keywords);
        echo "<h2 align=\"center\">Uploaded ". htmlspecialchars(stripslashes($_FILES['userfile']['name'])) ." ({$_FILES['userfile']['size']} bytes) as Document ID $doc_id</h2>\n";
        echo "<h3 align=\"center\">Using keywords: \n";
        do {
            @mysql_query("INSERT INTO documents_keywords(id,keyword) VALUES($doc_id,'". mysql_real_escape_string($keyword) ."')");
            if(mysql_errno())
                echo "<br>Error, $keyword not saved\n";
            else
                echo "<br>$keyword\n";
        } while ($keyword = next($keywords));
        echo "</h3>\n";
        break;

    default:
        upload_failed( mysql_error() );
        break;
  }

  print_footer()

?>