Home Explore Help
Register Sign In
benjamin.harris
/
soil-report-ai
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Branch: master
Branches Tags
soil-report-ai
/
dashboard
/
client-settings
/
updateproduct.php

updateproduct.php 2.7 KB
Permalink History Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091 
  1. <?php
    2. 

  2. /**
    3. 

  3.  * dashboard/client-settings/updateproduct.php
    4. 

  4.  *
    5. 

  5.  * AJAX handler — updates a single cell in fertiliser_specifications.
    6. 

  6.  * Requires authentication + CSRF token.
    7. 

  7.  * Column name is validated against a strict whitelist to prevent injection.
    8. 

  8.  */
    9. 

  9. 

  10. require_once __DIR__ . '/../../config/database.php';
    11. 

  11. require_once __DIR__ . '/../../lib/auth.php';
    12. 

  12. require_once __DIR__ . '/../../lib/csrf.php';
    13. 

  13. 

  14. if (session_status() === PHP_SESSION_NONE) {
    15. 

  15.     session_start();
    16. 

  16. }
    17. 

  17. 

  18. header('Content-Type: application/json');
    19. 

  19. 

  20. if (!isLoggedIn()) {
    21. 

  21.     http_response_code(401);
    22. 

  22.     echo json_encode(['error' => 'Unauthorised']);
    23. 

  23.     exit;
    24. 

  24. }
    25. 

  25. 

  26. if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    27. 

  27.     http_response_code(405);
    28. 

  28.     echo json_encode(['error' => 'Method not allowed']);
    29. 

  29.     exit;
    30. 

  30. }
    31. 

  31. 

  32. // CSRF check
    33. 

  33. if (!verifyCsrfToken($_POST['csrf_token'] ?? '')) {
    34. 

  34.     http_response_code(403);
    35. 

  35.     echo json_encode(['error' => 'Invalid CSRF token']);
    36. 

  36.     exit;
    37. 

  37. }
    38. 

  38. 

  39. // Whitelist of updatable columns — never allow id or modx_user_id
    40. 

  40. $allowedColumns = ['n', 'p', 'k', 'Na', 'Ca', 'Mg', 'B', 'Zn', 'Cu', 'Mn', 'Fe', 'Co', 'Mo', 'name', 'chemical'];
    41. 

  41. 

  42. $column  = $_POST['column']  ?? '';
    43. 

  43. $id      = (int) ($_POST['id'] ?? 0);
    44. 

  44. $editval = $_POST['editval'] ?? '';
    45. 

  45. 

  46. if (!in_array($column, $allowedColumns, true)) {
    47. 

  47.     http_response_code(400);
    48. 

  48.     echo json_encode(['error' => 'Invalid column']);
    49. 

  49.     exit;
    50. 

  50. }
    51. 

  51. 

  52. if ($id <= 0) {
    53. 

  53.     http_response_code(400);
    54. 

  54.     echo json_encode(['error' => 'Invalid record ID']);
    55. 

  55.     exit;
    56. 

  56. }
    57. 

  57. 

  58. // Validate the value is numeric for nutrient columns
    59. 

  59. $numericColumns = ['n', 'p', 'k', 'Na', 'Ca', 'Mg', 'B', 'Zn', 'Cu', 'Mn', 'Fe', 'Co', 'Mo'];
    60. 

  60. if (in_array($column, $numericColumns, true) && $editval !== '' && !is_numeric($editval)) {
    61. 

  61.     http_response_code(400);
    62. 

  62.     echo json_encode(['error' => 'Value must be numeric']);
    63. 

  63.     exit;
    64. 

  64. }
    65. 

  65. 

  66. // Verify the record belongs to the current user
    67. 

  67. try {
    68. 

  68.     $pdo    = getDBConnection();
    69. 

  69.     $userId = getCurrentUserId();
    70. 

  70. 

  71.     $check = $pdo->prepare(
    72. 

  72.         'SELECT id FROM fertiliser_specifications WHERE id = ? AND modx_user_id = ? LIMIT 1'
    73. 

  73.     );
    74. 

  74.     $check->execute([$id, $userId]);
    75. 

  75. 

  76.     if (!$check->fetch()) {
    77. 

  77.         http_response_code(403);
    78. 

  78.         echo json_encode(['error' => 'Record not found or access denied']);
    79. 

  79.         exit;
    80. 

  80.     }
    81. 

  81. 

  82.     // Column name is from whitelist — safe to interpolate as identifier
    83. 

  83.     $stmt = $pdo->prepare("UPDATE fertiliser_specifications SET `{$column}` = ? WHERE id = ?");
    84. 

  84.     $stmt->execute([$editval === '' ? null : $editval, $id]);
    85. 

  85. 

  86.     echo json_encode(['success' => true]);
    87. 

  87. } catch (PDOException $e) {
    88. 

  88.     error_log('updateproduct.php DB error: ' . $e->getMessage());
    89. 

  89.     http_response_code(500);
    90. 

  90.     echo json_encode(['error' => 'Database error']);
    91. 

  91. }
    92.