芝麻web文件管理V1.00

编辑当前文件:/home/pulsehostuk9/public_html/teafund.pulsehost.co.uk/api/fund_add.php

<?php
// api/fund_add.php — Hardened (Patch 38)
// - No HTTP 500s: all failures redirect back to Admin → Tools with codes
// - CSRF fallback if csrf_validate() unavailable
// - Ensures 'funds' table exists
// - Checks for duplicate names
require_once __DIR__ . '/../includes/auth.php';
require_once __DIR__ . '/../includes/db.php';
require_manage();

function goback(string $qs) {
  header('Location: /admin/?tab=tools&' . $qs);
  exit;
}

// --- CSRF ---
$csrf_ok = false;
try {
  require_once __DIR__ . '/../includes/csrf.php';
  $token = $_POST['csrf_token'] ?? '';
  if (function_exists('csrf_validate')) {
    $csrf_ok = csrf_validate($token);
  } else {
    if (session_status() !== PHP_SESSION_ACTIVE) @session_start();
    $session_token = $_SESSION['csrf_token'] ?? '';
    if ($session_token && is_string($token)) $csrf_ok = hash_equals((string)$session_token, (string)$token);
  }
} catch (Throwable $e) {
  error_log('[fund_add csrf] ' . $e->getMessage());
  $csrf_ok = false;
}

if (!$csrf_ok) {
  goback('fund_error=csrf');
}

$name = trim($_POST['name'] ?? '');
if ($name === '' || mb_strlen($name) < 2 || mb_strlen($name) > 100) {
  goback('fund_error=bad_name');
}

$TRACE = 'start';

try {
  $TRACE = 'pdo_connect';
  $pdo = get_pdo();

// Ensure funds table exists
  $TRACE = 'ensure_table';
  $pdo->exec("CREATE TABLE IF NOT EXISTS funds (
    id INT AUTO_INCREMENT PRIMARY KEY,
    name VARCHAR(100) NOT NULL
  ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci");

// Optional: try to add a unique index on name (ignore if it already exists)
  try {
    $pdo->exec("ALTER TABLE funds ADD UNIQUE KEY idx_funds_name (name)");
  } catch (Throwable $e) {
    // ignore
  }

// Duplicate check
  $TRACE = 'dupe_check';
  $dupe = $pdo->prepare("SELECT id FROM funds WHERE name = ? LIMIT 1");
  if (!$dupe || !$dupe->execute([$name])) {
    goback('fund_error=db_read&trace=' . urlencode($TRACE));
  }
  if ($dupe->fetchColumn()) {
    goback('fund_error=exists');
  }

// Insert
  $TRACE = 'insert';
  $ins = $pdo->prepare("INSERT INTO funds (name) VALUES (?)");
  if (!$ins || !$ins->execute([$name])) {
    goback('fund_error=db_write&trace=' . urlencode($TRACE));
  }

$new_id = (int)$pdo->lastInsertId();
  goback('fund_added=1&fund_id=' . $new_id);

} catch (Throwable $e) {
  error_log('[fund_add fatal] step=' . $TRACE . ' msg=' . $e->getMessage());
  goback('fund_error=server&trace=' . urlencode($TRACE));
}