Главная Обзор Помощь
Регистрация Вход
benjamin.harris
/
soil-report-ai
1
0
Ответвить 0
Файлы Задачи 0 Запросы на слияние 0 Вики
Дерево: 6169f927ca
Ветки Метки
soil-report-ai
/
client-assets
/
table
/
gettable.php

gettable.php 2.6 KB
История Исходник

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192 
  1. <?php
    2. 

  2. /**
    3. 

  3.  * client-assets/table/gettable.php
    4. 

  4.  *
    5. 

  5.  * AJAX DataTable endpoint. Requires authentication and a whitelisted table name.
    6. 

  6.  */
    7. 

  7. 

  8. require_once __DIR__ . '/../../config/database.php';
    9. 

  9. require_once __DIR__ . '/../../lib/auth.php';
    10. 

  10. 

  11. if (session_status() === PHP_SESSION_NONE) {
    12. 

  12.     session_start();
    13. 

  13. }
    14. 

  14. 

  15. if (!isLoggedIn()) {
    16. 

  16.     http_response_code(401);
    17. 

  17.     echo json_encode(['error' => 'Unauthorised']);
    18. 

  18.     exit;
    19. 

  19. }
    20. 

  20. 

  21. // Only these tables may be queried through this endpoint
    22. 

  22. $allowedTables = [
    23. 

  23.     'soil_records',
    24. 

  24.     'client_records',
    25. 

  25.     'plant_records',
    26. 

  26.     'animal_records',
    27. 

  27.     'water_records',
    28. 

  28.     'weather_station',
    29. 

  29.     'calendar_events',
    30. 

  30.     'fertiliser_specifications',
    31. 

  31.     'block_info',
    32. 

  32.     'crop_info',
    33. 

  33. ];
    34. 

  34. 

  35. $table = $_REQUEST['table'] ?? '';
    36. 

  36. 

  37. if (!in_array($table, $allowedTables, true)) {
    38. 

  38.     http_response_code(400);
    39. 

  39.     echo json_encode(['error' => 'Invalid table']);
    40. 

  40.     exit;
    41. 

  41. }
    42. 

  42. 

  43. $num_rows = isset($_REQUEST['num_rows']) ? max(1, min((int) $_REQUEST['num_rows'], 200)) : 30;
    44. 

  44. $page     = isset($_REQUEST['page'])     ? max(0, (int) $_REQUEST['page']) : 0;
    45. 

  45. 

  46. // Allowed ORDER BY columns must also be whitelisted to prevent injection
    47. 

  47. $allowedOrders = [
    48. 

  48.     'id', 'date', 'client_name', 'email', 'created_at', 'date_sampled',
    49. 

  49.     'lab_no', 'site_id', 'crop_type', 'soil_type',
    50. 

  50. ];
    51. 

  51. $allowedDirs = ['ASC', 'DESC'];
    52. 

  52. 

  53. $order = isset($_REQUEST['order']) && in_array($_REQUEST['order'], $allowedOrders, true)
    54. 

  54.     ? $_REQUEST['order'] : null;
    55. 

  55. $dir = isset($_REQUEST['dir']) && in_array(strtoupper($_REQUEST['dir']), $allowedDirs, true)
    56. 

  56.     ? strtoupper($_REQUEST['dir']) : 'ASC';
    57. 

  57. 

  58. try {
    59. 

  59.     $pdo = getDBConnection();
    60. 

  60. 

  61.     // Column names
    62. 

  62.     $stmt   = $pdo->query("SHOW COLUMNS FROM `{$table}`");
    63. 

  63.     $fields = $stmt->fetchAll(PDO::FETCH_COLUMN);
    64. 

  64. 

  65.     // Main query — table name is from whitelist so safe to interpolate
    66. 

  66.     $sql = "SELECT * FROM `{$table}`";
    67. 

  67.     if ($order !== null) {
    68. 

  68.         $sql .= " ORDER BY `{$order}` {$dir}";
    69. 

  69.     }
    70. 

  70.     $sql .= ' LIMIT :limit OFFSET :offset';
    71. 

  71. 

  72.     $stmt = $pdo->prepare($sql);
    73. 

  73.     $stmt->bindValue(':limit',  $num_rows, PDO::PARAM_INT);
    74. 

  74.     $stmt->bindValue(':offset', $num_rows * $page, PDO::PARAM_INT);
    75. 

  75.     $stmt->execute();
    76. 

  76.     $rows = $stmt->fetchAll(PDO::FETCH_NUM);
    77. 

  77. 

  78.     // Count
    79. 

  79.     $countStmt = $pdo->query("SELECT COUNT(*) FROM `{$table}`");
    80. 

  80.     $total     = (int) $countStmt->fetchColumn();
    81. 

  81. 

  82.     header('Content-Type: application/json');
    83. 

  83.     echo json_encode([
    84. 

  84.         'rows'          => $rows,
    85. 

  85.         'fields'        => $fields,
    86. 

  86.         'total_entries' => $total,
    87. 

  87.     ]);
    88. 

  88. } catch (PDOException $e) {
    89. 

  89.     error_log('gettable.php DB error: ' . $e->getMessage());
    90. 

  90.     http_response_code(500);
    91. 

  91.     echo json_encode(['error' => 'Database error']);
    92. 

  92. }
    93.