90 lines
3.8 KiB
PHP
90 lines
3.8 KiB
PHP
<?php
|
|
// ============================================================
|
|
// uploadImagePortrate.php
|
|
// رفع صورة الكابتن بأمان
|
|
// ============================================================
|
|
|
|
require_once __DIR__ . '/connect.php'; // يفترض أنه يستدعي core/bootstrap.php
|
|
|
|
uploadLog("🚀 [uploadImagePortrate.php] Profile image upload script execution started.");
|
|
|
|
try {
|
|
// Check if $_FILES has errors
|
|
if (isset($_FILES['image'])) {
|
|
uploadLog("$_FILES['image'] metadata", 'INFO', [
|
|
'name' => $_FILES['image']['name'] ?? 'unknown',
|
|
'type' => $_FILES['image']['type'] ?? 'unknown',
|
|
'size' => $_FILES['image']['size'] ?? 0,
|
|
'upload_error_code' => $_FILES['image']['error'] ?? UPLOAD_ERR_OK
|
|
]);
|
|
} else {
|
|
uploadLog("No 'image' file was sent in the request.", 'WARNING');
|
|
}
|
|
|
|
// 1. Rate Limiting للرفع
|
|
$limiter = new RateLimiter($redis);
|
|
$limiter->enforce(RateLimiter::identifier($user_id ?? null), 'upload');
|
|
|
|
// Force driverID from JWT — never trust user-supplied driverID
|
|
$driverID = $user_id;
|
|
uploadLog("📥 Using JWT driverID: $driverID");
|
|
|
|
if (empty($driverID)) {
|
|
uploadLog("❌ Driver ID from JWT is missing.", 'ERROR');
|
|
jsonError('Authentication required.', 400);
|
|
}
|
|
|
|
// 2. استخدام دالة الرفع الآمنة (MIME check, random name, 5MB limit)
|
|
$target_dir = __DIR__ . "/portrate_captain_image/";
|
|
$uploadResult = uploadImageSecure('image', $target_dir, $driverID);
|
|
|
|
if (!$uploadResult['success']) {
|
|
uploadLog("❌ Image upload failed", 'ERROR', ['driverID' => $driverID, 'error' => $uploadResult['error']]);
|
|
securityLog("❌ Image upload failed", ['driverID' => $driverID, 'error' => $uploadResult['error']]);
|
|
jsonError($uploadResult['error'], 400);
|
|
}
|
|
|
|
$new_filename = $uploadResult['filename'];
|
|
uploadLog("✅ File moved successfully to: " . $uploadResult['path']);
|
|
|
|
// 3. تحديث قاعدة البيانات ديناميكياً
|
|
// Use configured domain instead of Host header to prevent host header injection
|
|
$host = getenv('APP_DOMAIN') ?: 'api.siromove.com';
|
|
$protocol = 'https';
|
|
$linkImage = "$protocol://$host/siro/portrate_captain_image/" . $new_filename;
|
|
|
|
// تأكد من أن الاتصال قادم من connect.php أو اجلبه
|
|
$con = Database::get('main');
|
|
|
|
// التحقق من وجود السائق في جدول الصور الشخصية
|
|
$stmt = $con->prepare("SELECT COUNT(*) FROM imageProfileCaptain WHERE driverID = ?");
|
|
$stmt->execute([$driverID]);
|
|
$count = $stmt->fetchColumn();
|
|
|
|
if ($count > 0) {
|
|
// تحديث
|
|
$updateSQL = "UPDATE imageProfileCaptain SET image_name = ?, link = ? WHERE driverID = ?";
|
|
$updateStmt = $con->prepare($updateSQL);
|
|
$success = $updateStmt->execute([$new_filename, $linkImage, $driverID]);
|
|
} else {
|
|
// إدخال جديد
|
|
$insertSQL = "INSERT INTO imageProfileCaptain (driverID, image_name, link) VALUES (?, ?, ?)";
|
|
$insertStmt = $con->prepare($insertSQL);
|
|
$success = $insertStmt->execute([$driverID, $new_filename, $linkImage]);
|
|
}
|
|
|
|
if ($success) {
|
|
uploadLog("✅ Record updated for driverID: $driverID, Link: $linkImage");
|
|
jsonSuccess(['file_link' => $linkImage], 'Record updated successfully.');
|
|
} else {
|
|
uploadLog("❌ Failed to update DB record for driverID: $driverID", 'ERROR');
|
|
jsonError('Failed to update record.', 500);
|
|
}
|
|
|
|
} catch (PDOException $e) {
|
|
securityLog("💥 PDO ERROR in uploadImage", ['error' => $e->getMessage()]);
|
|
jsonError('Database error.', 500);
|
|
} catch (Exception $e) {
|
|
securityLog("💥 GENERAL ERROR in uploadImage", ['error' => $e->getMessage()]);
|
|
jsonError('Server error.', 500);
|
|
} |