92 lines
3.1 KiB
PHP
92 lines
3.1 KiB
PHP
<?php
|
|
ob_start(); // Start output buffering
|
|
session_start();
|
|
|
|
// Set JSON response header BEFORE any other output
|
|
header('Content-Type: application/json');
|
|
|
|
$rootPath = dirname(dirname(__DIR__));
|
|
require_once($rootPath . "/src/config/env.php");
|
|
require_once($rootPath . "/src/config/session.php");
|
|
include_once($rootPath . '/src/config/connection.php');
|
|
require_once($rootPath . "/src/config/functions.php");
|
|
|
|
// Check database connection
|
|
if (!isset($conn) || $conn === null) {
|
|
die(json_encode(['status' => 'error', 'message' => 'Database connection failed']));
|
|
}
|
|
|
|
$response = array('status' => 'error', 'message' => 'Something went wrong');
|
|
|
|
// Check if the user is logged in
|
|
if (!isset($_SESSION['user_id'])) {
|
|
$response['message'] = 'You are not logged in.';
|
|
echo json_encode($response);
|
|
exit();
|
|
}
|
|
|
|
$user_id = $_SESSION['user_id'];
|
|
|
|
// Handle profile picture upload
|
|
if (isset($_FILES['profile_picture']) && $_FILES['profile_picture']['error'] != UPLOAD_ERR_NO_FILE) {
|
|
// Validate file using hardened validation function
|
|
$validationResult = validateFileUpload($_FILES['profile_picture'], 'profile_picture');
|
|
|
|
if ($validationResult === false) {
|
|
$response['message'] = 'Invalid file. Only JPG, JPEG, PNG, GIF, and WEBP images under 5MB are allowed.';
|
|
echo json_encode($response);
|
|
exit();
|
|
}
|
|
|
|
// Extract validated filename
|
|
$randomFilename = $validationResult['filename'];
|
|
$target_dir = $rootPath . "/assets/images/pp/";
|
|
$target_file = $target_dir . $randomFilename;
|
|
|
|
// Ensure upload directory exists
|
|
if (!file_exists($target_dir)) {
|
|
mkdir($target_dir, 0777, true);
|
|
}
|
|
|
|
// Move the uploaded file
|
|
if (move_uploaded_file($_FILES['profile_picture']['tmp_name'], $target_file)) {
|
|
// Set secure file permissions (readable but not executable)
|
|
chmod($target_file, 0644);
|
|
|
|
// Store relative path for HTML display
|
|
$display_path = "assets/images/pp/" . $randomFilename;
|
|
|
|
// Update the profile picture path in the database
|
|
$sql = "UPDATE users SET profile_pic = ? WHERE user_id = ?";
|
|
$stmt = $conn->prepare($sql);
|
|
if (!$stmt) {
|
|
$response['message'] = 'Database error.';
|
|
echo json_encode($response);
|
|
exit();
|
|
}
|
|
|
|
$stmt->bind_param("si", $display_path, $user_id);
|
|
if ($stmt->execute()) {
|
|
$_SESSION['profile_pic'] = $display_path;
|
|
$response['status'] = 'success';
|
|
$response['message'] = 'Profile picture updated successfully';
|
|
|
|
// Log the action
|
|
auditLog($user_id, 'PROFILE_PIC_UPLOAD', 'users', $user_id, ['filename' => $randomFilename]);
|
|
} else {
|
|
$response['message'] = 'Failed to update profile picture in the database: ' . $stmt->error;
|
|
}
|
|
$stmt->close();
|
|
} else {
|
|
$response['message'] = 'Failed to move uploaded file. Error code: ' . $_FILES['profile_picture']['error'];
|
|
}
|
|
} else {
|
|
$response['message'] = 'No file uploaded or file error.';
|
|
}
|
|
|
|
// Clean output buffer and send only JSON
|
|
ob_end_clean();
|
|
echo json_encode($response);
|
|
?>
|
|
|