
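<?php
declare(strict_types=1);

session_start();
require_once 'db/config.php';

// process_review.php: accepts the POST from leave_review.php and stores one
// rating/review row for an order the current user placed and received.
// Every failure after the two preconditions below sets a flash message in the
// session and redirects; the preconditions answer with a bare status code.

// Ensure user is logged in
if (!isset($_SESSION['user_id'])) {
    http_response_code(403);
    exit("You must be logged in to submit a review.");
}
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit("Invalid request method.");
}

// NOTE(review): no CSRF token is verified here. The form in leave_review.php
// should carry a per-session token and this script should compare it with
// hash_equals() before touching the database.

$db = db();
$user_id = $_SESSION['user_id'];

// Read a POST field as an int. A non-scalar value (e.g. order_id[]=1) is
// treated as absent instead of being cast, so a malformed request fails the
// validation below rather than raising a TypeError.
$postInt = static function (string $key): int {
    $value = $_POST[$key] ?? null;
    return is_scalar($value) ? (int) $value : 0;
};

$order_id = $postInt('order_id');
$restaurant_id = $postInt('restaurant_id');
$rating = $postInt('rating');
// trim() throws a TypeError on array input in PHP 8, so only accept strings.
$review = is_string($_POST['review'] ?? null) ? trim($_POST['review']) : '';

// --- Server-side validation ---
// 1. Basic validation: both ids must be positive and the rating must be 1..5.
if ($order_id <= 0 || $restaurant_id <= 0 || $rating < 1 || $rating > 5) {
    $_SESSION['error_message'] = "Invalid data provided. Please try again.";
    header("Location: leave_review.php?order_id=" . $order_id);
    exit();
}
// NOTE(review): the length of $review is not bounded here. If the ratings.review
// column is narrower than what a client can post, an over-long value fails in
// the INSERT below instead of producing a clear validation message; confirm the
// column type and add a matching length check.

// 2. Security and integrity validation: the order must belong to the logged-in
// user AND to the posted restaurant, so a user can neither review an order
// they did not place nor attach the review to a different restaurant.
$stmt = $db->prepare("SELECT id, status FROM orders WHERE id = ? AND user_id = ? AND restaurant_id = ?");
$stmt->execute([$order_id, $user_id, $restaurant_id]);
$order = $stmt->fetch();
if (!$order) {
    $_SESSION['error_message'] = "You cannot review this order.";
    header("Location: order_history.php");
    exit();
} elseif ($order['status'] !== 'Delivered') {
    $_SESSION['error_message'] = "You can only review delivered orders.";
    header("Location: leave_review.php?order_id=" . $order_id);
    exit();
}

// 3. Check if a review already exists.
// This SELECT and the INSERT below are not atomic: two concurrent submits can
// both pass this check. A UNIQUE index on ratings.order_id closes that gap; the
// catch block below maps the resulting SQLSTATE 23000 to the same user message.
$stmt_rating = $db->prepare("SELECT id FROM ratings WHERE order_id = ?");
$stmt_rating->execute([$order_id]);
if ($stmt_rating->fetch()) {
    $_SESSION['error_message'] = "You have already reviewed this order.";
    header("Location: order_history.php");
    exit();
}

// --- All checks passed, insert into database ---
try {
    $stmt_insert = $db->prepare(
        "INSERT INTO ratings (order_id, restaurant_id, user_id, rating, review) VALUES (?, ?, ?, ?, ?)"
    );
    $stmt_insert->execute([$order_id, $restaurant_id, $user_id, $rating, $review]);
    $_SESSION['success_message'] = "Thank you for your review!";
    header("Location: order_history.php");
    exit();
} catch (PDOException $e) {
    // Keep the driver message server-side only; the user gets a generic text.
    error_log('process_review: ' . $e->getMessage());
    // SQLSTATE 23000 = integrity constraint violation. With a UNIQUE index on
    // ratings.order_id this is the duplicate-review race that step 3 cannot catch.
    if ((string) $e->getCode() === '23000') {
        $_SESSION['error_message'] = "You have already reviewed this order.";
        header("Location: order_history.php");
        exit();
    }
    $_SESSION['error_message'] = "A database error occurred. Please try again later.";
    header("Location: leave_review.php?order_id=" . $order_id);
    exit();
}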