Invalid submission: missing eft_id or file.";
exit;
}
// Run the upload through the shared hardened validator. On success it returns
// an array that carries the server-generated filename; on rejection it returns
// false and the request is terminated with a generic message (the exact
// validation rules live inside validateFileUpload(), not here).
$validationResult = validateFileUpload($_FILES['pop_file'], 'proof_of_payment');
$fileRejected = ($validationResult === false);
if ($fileRejected) {
    echo "
Invalid file. Only PDF files under 10MB are allowed.
";
    exit;
}
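// Only two payment types exist (the dropdown query further down offers exactly
// 'booking' and 'membership'), so collapse anything else to 'booking' up front.
// This keeps arbitrary client input out of the branch logic and the audit log.
$payment_type = (($_POST['payment_type'] ?? 'booking') === 'membership') ? 'membership' : 'booking';

// Authorisation check: $eft_id is client-supplied, so before touching the disk
// or the database confirm the referenced record belongs to the logged-in user.
// Without this, any authenticated user could move another member's booking or
// membership fee to PROCESSING (and attach a file to it) simply by posting a
// foreign eft_id. The ownership columns used here are the same ones the
// dropdown query filters on (bookings.user_id / membership_fees.user_id).
// NOTE(review): no CSRF token check is visible in this part of the handler —
// confirm one runs before this point.
if ($payment_type === 'membership') {
    $ownStmt = $conn->prepare("SELECT 1 FROM membership_fees WHERE payment_id = ? AND user_id = ? LIMIT 1");
} else {
    $ownStmt = $conn->prepare("SELECT 1 FROM bookings WHERE eft_id = ? AND user_id = ? LIMIT 1");
}
$ownStmt->bind_param("si", $eft_id, $user_id);
$ownStmt->execute();
$ownsRecord = $ownStmt->get_result()->num_rows > 0;
$ownStmt->close();
if (!$ownsRecord) {
    // Generic wording on purpose: do not reveal whether the reference exists
    // for somebody else.
    echo "Invalid submission: payment reference not found.";
    exit;
}

$target_dir = "uploads/pop/";
$randomFilename = $validationResult['filename'];   // server-generated name from validateFileUpload()
$target_file = $target_dir . $randomFilename;

// NOTE(review): uploads/pop/ is resolved relative to this script, so it is
// very likely inside the document root. Confirm the web server neither
// executes nor directly serves files from it (or relocate it outside the root).
if (!is_dir($target_dir)) {
    mkdir($target_dir, 0755, true);
}
if (!is_writable($target_dir)) {
    // Keep the server path in the server log rather than the response body.
    error_log("POP upload: directory not writable: $target_dir");
    echo "Upload directory is not writable.
";
    exit;
}

// Guard clause: fail fast if the file cannot be moved, then continue on the
// straight-line success path.
if (!move_uploaded_file($_FILES['pop_file']['tmp_name'], $target_file)) {
    echo "Unable to move uploaded file.
";
    exit;
}
chmod($target_file, 0644);

// The EFT row is flipped to PROCESSING for either payment type (this statement
// was previously duplicated in both branches).
// NOTE(review): whether efts carries a user_id column is not visible here, so
// ownership of this row relies on the check performed above.
$stmt1 = $conn->prepare("UPDATE efts SET status = 'PROCESSING' WHERE eft_id = ?");
$stmt1->bind_param("s", $eft_id);
$stmt1->execute();
$stmt1->close();

// Type-specific row, additionally scoped to the owner as defence in depth so a
// stale or racing request can never touch someone else's record.
if ($payment_type === 'membership') {
    $stmt2 = $conn->prepare("UPDATE membership_fees SET payment_status = 'PROCESSING' WHERE payment_id = ? AND user_id = ?");
} else {
    $stmt2 = $conn->prepare("UPDATE bookings SET status = 'PROCESSING' WHERE eft_id = ? AND user_id = ?");
}
$stmt2->bind_param("si", $eft_id, $user_id);
$stmt2->execute();
$stmt2->close();

// Notify via sendPOP(); fall back to neutral amount/description when the EFT
// details cannot be fetched so the notification still goes out.
$fullname = getFullName($user_id);
$eftDetails = getEFTDetails($eft_id);
$amount = $eftDetails ? "R" . number_format($eftDetails['amount'], 2) : "R0.00";
$description = $eftDetails ? $eftDetails['description'] : "Payment";
if (sendPOP($fullname, $randomFilename, $amount, $description)) {
    $_SESSION['message'] = "Thank you! Your payment proof has been uploaded and notification sent.";
} else {
    $_SESSION['message'] = "Payment uploaded, but notification email could not be sent.";
}

// Audit trail, then return the user to the bookings page.
auditLog($user_id, 'POP_UPLOAD', 'efts', $eft_id, ['filename' => $randomFilename, 'payment_type' => $payment_type]);
header("Location: bookings.php");
exit;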
}
// Populate the payment-reference dropdown with only this user's open items:
// bookings still awaiting payment and membership fees still pending. Both
// halves of the UNION are filtered by the session user's id, so the list never
// exposes another member's references.
$openItemsSql = "
SELECT eft_id AS id, 'booking' AS type FROM bookings WHERE user_id = ? AND status = 'AWAITING PAYMENT'
UNION
SELECT payment_id AS id, 'membership' AS type FROM membership_fees WHERE user_id = ? AND payment_status = 'PENDING'
";
$stmt = $conn->prepare($openItemsSql);
// The same user id is bound to both placeholders (one per SELECT).
$stmt->bind_param("ii", $user_id, $user_id);
$stmt->execute();
$result = $stmt->get_result();
$items = $result->fetch_all(MYSQLI_ASSOC);
// Pick a random hero banner from the banners folder. glob() yields false on
// error or an empty array when nothing matches; in both cases fall back to
// the fixed camping image.
$bannerFolder = 'assets/images/banners/';
$bannerImages = glob($bannerFolder . '*.{jpg,jpeg,png,webp}', GLOB_BRACE);
$randomBanner = (is_array($bannerImages) && $bannerImages !== [])
    ? $bannerImages[array_rand($bannerImages)]
    : 'assets/images/base4/camping.jpg'; // default fallback
?>
Submit Proof of Payment
Submit Proof of Payment
To finalise your booking or membership, select the payment reference below, then upload your proof of payment as a PDF file (maximum 10MB).