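<?php

declare(strict_types=1);

/**
 * Admin endpoint: create or update a product from a POSTed form, optionally
 * replacing its image.
 *
 * Access: only a logged-in super_admin; anyone else is sent to the login page.
 * Outcome is reported through $_SESSION['error_message'] /
 * $_SESSION['success_message'] followed by a redirect (back to the submitting
 * page on validation errors, to index.php otherwise).
 *
 * NOTE(review): the submitting form is not part of this file and no CSRF token
 * is checked here; the form and this handler should share one.
 */

session_start();

require_once __DIR__ . '/../db/config.php';

/**
 * Redirect back to the page that submitted the form and stop.
 *
 * The Referer header is client-controlled, so it is only honoured when its
 * host matches the host this request was served for; otherwise the user lands
 * on index.php. This keeps the endpoint from acting as an open redirect.
 */
function redirectBack(): void
{
    $target = 'index.php';
    $referer = $_SERVER['HTTP_REFERER'] ?? '';
    $refererHost = is_string($referer) ? parse_url($referer, PHP_URL_HOST) : null;
    $ownHost = parse_url('http://' . ($_SERVER['HTTP_HOST'] ?? ''), PHP_URL_HOST);
    if (
        is_string($refererHost)
        && $refererHost !== ''
        && is_string($ownHost)
        && strcasecmp($refererHost, $ownHost) === 0
    ) {
        $target = $referer;
    }
    header('Location: ' . $target);
    exit;
}

/**
 * Record an error for the next page and send the user back to the form.
 */
function failAndReturn(string $message): void
{
    $_SESSION['error_message'] = $message;
    redirectBack();
}

/**
 * Read a POST field as a trimmed string; non-string values (e.g. name[]=…)
 * are treated as absent rather than being coerced.
 */
function postString(string $key): string
{
    $value = $_POST[$key] ?? '';

    return is_string($value) ? trim($value) : '';
}

// Gate: user_role may be unset, so read it with a default instead of a bare index.
if (!isset($_SESSION['user_id']) || ($_SESSION['user_role'] ?? '') !== 'super_admin') {
    header('Location: ../login.php');
    exit;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
    $_SESSION['error_message'] = 'Invalid request method.';
    header('Location: index.php');
    exit;
}

$name = postString('name');
$description = postString('description');
// A missing field must not raise an undefined-index notice; '' simply fails validation.
$price = filter_var($_POST['price'] ?? '', FILTER_VALIDATE_FLOAT);
$stockQuantity = filter_var($_POST['stock_quantity'] ?? '', FILTER_VALIDATE_INT);

// Product id: absent/empty means "create"; anything else must be a positive integer.
$id = null;
$rawId = $_POST['id'] ?? '';
if (is_string($rawId) && $rawId !== '') {
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        failAndReturn('Invalid product id.');
    }
}

// Basic validation. Compare against '' rather than empty() so a product named "0" is allowed;
// negative prices and quantities are rejected along with non-numeric input.
if (
    $name === ''
    || $price === false || $price < 0
    || $stockQuantity === false || $stockQuantity < 0
) {
    failAndReturn('Please fill in all required fields correctly.');
}

$pdo = db();

// Image currently stored for the product being edited ('' when none or when creating).
$currentImage = '';
if ($id !== null) {
    $stmt = $pdo->prepare('SELECT image_url FROM products WHERE id = ?');
    $stmt->execute([$id]);
    $found = $stmt->fetchColumn();
    // fetchColumn() returns false only when no row matched (a NULL column yields null).
    if ($found === false) {
        failAndReturn('Product not found.');
    }
    $currentImage = (string) $found;
}

// Handle file upload. UPLOAD_ERR_NO_FILE means the field was left empty (keep the
// current image); any other non-OK code is a real upload failure and is reported.
$uploadDir = __DIR__ . '/../uploads/';
$newImage = null;
$upload = $_FILES['image'] ?? null;
if (is_array($upload) && ($upload['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_NO_FILE) {
    if ($upload['error'] !== UPLOAD_ERR_OK) {
        failAndReturn('Failed to upload image.');
    }

    $tmpPath = $upload['tmp_name'] ?? '';
    $clientName = $upload['name'] ?? '';
    // Only accept a file that really arrived through this request's upload.
    if (!is_string($tmpPath) || !is_string($clientName) || !is_uploaded_file($tmpPath)) {
        failAndReturn('Failed to upload image.');
    }

    // Validate file type: first the client-supplied extension (as before), then the
    // actual content via fileinfo. The stored extension comes from the detected type,
    // so a renamed non-image or a double extension (x.php.jpg) is never written out.
    $clientExt = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    $allowedExtensions = ['jpg', 'jpeg', 'png', 'gif'];
    if (!in_array($clientExt, $allowedExtensions, true)) {
        failAndReturn('Only JPG, JPEG, PNG & GIF files are allowed.');
    }
    $extensionByMime = [
        'image/jpeg' => 'jpg',
        'image/png' => 'png',
        'image/gif' => 'gif',
    ];
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    $extension = is_string($mime) ? ($extensionByMime[$mime] ?? null) : null;
    if ($extension === null) {
        failAndReturn('Only JPG, JPEG, PNG & GIF files are allowed.');
    }

    // Sanitize the filename: keep only [A-Za-z0-9_-] from the original base name
    // (no dots, so the detected extension is the only one) behind a random prefix
    // that makes the stored name unique and unguessable.
    $baseName = preg_replace('/[^A-Za-z0-9_-]+/', '', pathinfo(basename($clientName), PATHINFO_FILENAME));
    $newImage = bin2hex(random_bytes(8)) . '_' . ($baseName ?? '') . '.' . $extension;

    if (!move_uploaded_file($tmpPath, $uploadDir . $newImage)) {
        failAndReturn('Failed to upload image.');
    }
}

$imageToStore = $newImage ?? $currentImage;

try {
    if ($id !== null) {
        // Update existing product
        $sql = 'UPDATE products SET name = ?, description = ?, price = ?, stock_quantity = ?, image_url = ? WHERE id = ?';
        $stmt = $pdo->prepare($sql);
        $stmt->execute([$name, $description, $price, $stockQuantity, $imageToStore, $id]);
        $_SESSION['success_message'] = 'Product updated successfully.';
    } else {
        // Insert new product
        $sql = 'INSERT INTO products (name, description, price, stock_quantity, image_url) VALUES (?, ?, ?, ?, ?)';
        $stmt = $pdo->prepare($sql);
        $stmt->execute([$name, $description, $price, $stockQuantity, $imageToStore]);
        $_SESSION['success_message'] = 'Product added successfully.';
    }

    // Delete the old image only once the new reference is persisted, so a failed
    // save never leaves the row pointing at a file that no longer exists.
    // basename() ensures a stored value can never address anything outside uploads/.
    if ($newImage !== null && $currentImage !== '' && $currentImage !== $newImage) {
        $oldPath = $uploadDir . basename($currentImage);
        if (is_file($oldPath)) {
            unlink($oldPath);
        }
    }
} catch (PDOException $e) {
    // No row references the freshly uploaded file; remove it rather than leave an orphan.
    if ($newImage !== null && is_file($uploadDir . $newImage)) {
        unlink($uploadDir . $newImage);
    }
    $_SESSION['error_message'] = 'Database error. Could not save product.';
}

header('Location: index.php');
exit;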