4WDCSA.co.za/process_course_booking.php

<?php
require_once("env.php");
require_once("connection.php");
require_once("functions.php");
session_start();


// Get user ID from session (assuming user is logged in)
$user_id = isset($_SESSION['user_id']) ? $_SESSION['user_id'] : null;

// Validate user session
if (!$user_id) {
    echo "<script>alert('User is not logged in. Please log in to make a booking.'); window.location.href = 'login.php';</script>";
    exit();
}
$is_member = getUserMemberStatus($user_id);
$pending_member = getUserMemberStatusPending($user_id);

// Check if the form has been submitted
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // CSRF Token Validation
    if (!isset($_POST['csrf_token']) || !validateCSRFToken($_POST['csrf_token'])) {
        auditLog($user_id, 'CSRF_VALIDATION_FAILED', 'bookings', null, ['endpoint' => 'process_course_booking.php']);
        http_response_code(403);
        header('Content-Type: application/json');
        echo json_encode(['error' => 'Security token validation failed.']);
        exit();
    }
    
    // Input variables from the form (use default values if not provided)
    $additional_members = validateInteger($_POST['members'] ?? 0, 0, 20);
    if ($additional_members === false) $additional_members = 0;
    
    $num_adults = validateInteger($_POST['non-members'] ?? 0, 0, 20);
    if ($num_adults === false) $num_adults = 0;
    
    $course_id = validateInteger($_POST['course_id'] ?? 0, 1, 999999);
    if ($course_id === false) {
        http_response_code(400);
        header('Content-Type: application/json');
        echo json_encode(['error' => 'Invalid course ID.']);
        exit();
    }
    
    checkAndRedirectCourseBooking($course_id);
    // Fetch trip costs from the database
    $query = "SELECT date, cost_members, cost_nonmembers, course_type FROM courses WHERE course_id = ?";
    $stmt = $conn->prepare($query);
    $stmt->bind_param('i', $course_id);
    $stmt->execute();
    $result = $stmt->get_result();

    // Check if trip exists
    if ($result->num_rows === 0) {
        $response = ['error' => 'Trip not found.'];
        header('Content-Type: application/json');
        echo json_encode($response);
        exit();
    }

    // Fetch trip details
    $course = $result->fetch_assoc();
    $type = $course['course_type'];
    $date = $course['date'];
    $cost_members = intval($course['cost_members']);
    $cost_nonmembers = intval($course['cost_nonmembers']);

    if ($type === "driver_training") {
        $description = "Basic 4X4 Driver Training Course " . $date;
    } elseif ($type === "bush_mechanics") {
        $description = "Bush Mechanics Course " . $date;
    } elseif ($type === "rescue_recovery") {
        $description = "Rescue & Recovery Training Course " . $date;
    } else {
        $description = "General Course " . $date; // Default fallback description
    }

    // Initialize total and discount amount
    $total = 0;

    // Calculate total based on membership
    if ($is_member || $pending_member) {
        $num_members = 1 +  $additional_members;
        $total = ($num_members * $cost_members) + ($num_adults * $cost_nonmembers);
        $payment_amount = $total;
    } else {
        $num_members = 0;
        $total = (($cost_nonmembers) + ($num_adults * $cost_nonmembers));
        $payment_amount = $total;
        $num_adults = $num_adults + 1;
    }

    $status = "AWAITING PAYMENT";
    $type = 'course';
    $payment_id = uniqid();
    $num_vehicles = 1;
    $discountAmount = 0;
    $eft_id =  strtoupper("COURSE ".date("m-d", strtotime($date))." ".getInitialSurname($user_id));
    $notes = "";
    if ($pending_member){
        $notes = "Membership Payment pending at time of booking. Please confirm payment has been received.";
    }
   

    // Insert booking into the database
    $sql = "INSERT INTO bookings (booking_type, user_id, from_date, to_date, num_vehicles, num_adults, total_amount, discount_amount, status, payment_id, course_id, course_non_members, eft_id, notes) 
            VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)";
    $stmt = $conn->prepare($sql);

    if (!$stmt) {
        die("Preparation failed: " . $conn->error);
    }

    $stmt->bind_param('sissiiddssiiss', $type, $user_id, $date, $date, $num_vehicles, $num_members, $total, $discountAmount, $status, $payment_id, $course_id, $num_adults, $eft_id, $notes);

    if ($stmt->execute()) {
        $booking_id = $conn->insert_id;

        if ($payment_amount < 1) {
            if (processZeroPayment($payment_id, $payment_amount, $description)) {
                echo "<script>alert('Booking successfully created!'); window.location.href = 'bookings.php';</script>";
            } else {
                $error_message = $stmt->error;
                echo "Error processing booking: $error_message";
            }
        } else {
            addEFT($eft_id, $booking_id, $user_id, $status, $payment_amount, $description);
            sendInvoice(getEmail($user_id), getFullName($user_id), $eft_id, formatCurrency($payment_amount), $description);
            sendAdminNotification('New Course Booking - '.getFullName($user_id), getFullName($user_id).' has booked for '.$description);
            header("Location: payment_confirmation.php?token=".encryptData($booking_id, $salt));
            exit(); // Ensure no further code is executed after the redirect
        }
    } else {
        // Handle error if insert fails and echo the MySQL error
        $error_message = $stmt->error;
        echo "Error processing booking: $error_message";
    }

    $stmt->close();
    $conn->close();
} else {
    echo "Invalid request.";
}