芝麻web文件管理V1.00

编辑当前文件:/home/pulsehostuk9/public_html/teafund.pulsehost.co.uk/api/fund_delete.php

<?php
// api/fund_delete.php — Hardened (Patch 38b)
require_once __DIR__ . '/../includes/auth.php';
require_once __DIR__ . '/../includes/db.php';
require_manage();

function goback(string $qs) { header('Location: /admin/?tab=tools&' . $qs); exit; }

// CSRF (with fallback)
$csrf_ok = false;
try {
  require_once __DIR__ . '/../includes/csrf.php';
  $token = $_POST['csrf_token'] ?? '';
  if (function_exists('csrf_validate')) {
    $csrf_ok = csrf_validate($token);
  } else {
    if (session_status() !== PHP_SESSION_ACTIVE) @session_start();
    $session_token = $_SESSION['csrf_token'] ?? '';
    if ($session_token && is_string($token)) $csrf_ok = hash_equals((string)$session_token, (string)$token);
  }
} catch (Throwable $e) { error_log('[fund_delete csrf] ' . $e->getMessage()); }
if (!$csrf_ok) goback('fund_error=csrf');

$fund_id = isset($_POST['fund_id']) ? (int)$_POST['fund_id'] : 0;
$dest_id = isset($_POST['dest_fund_id']) ? (int)$_POST['dest_fund_id'] : 0;
if ($fund_id <= 0) goback('fund_error=bad_request');

$TRACE = 'start';
try {
  $TRACE = 'pdo_connect';
  $pdo = get_pdo();

// Ensure funds table exists
  $TRACE = 'ensure_table';
  $pdo->exec("CREATE TABLE IF NOT EXISTS funds (
    id INT AUTO_INCREMENT PRIMARY KEY,
    name VARCHAR(100) NOT NULL
  ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci");

// Prevent deleting last fund
  $TRACE = 'count_funds';
  $total = (int)$pdo->query("SELECT COUNT(*) FROM funds")->fetchColumn();
  if ($total <= 1) goback('fund_error=last_fund');

// Check fund exists
  $TRACE = 'fund_exists';
  $src = $pdo->prepare("SELECT id, name FROM funds WHERE id = ?");
  if (!$src || !$src->execute([$fund_id])) goback('fund_error=db_read&trace=' . urlencode($TRACE));
  $srcRow = $src->fetch(PDO::FETCH_ASSOC);
  if (!$srcRow) goback('fund_error=not_found');

// Normalize destination
  if ($dest_id === $fund_id) $dest_id = 0;
  if ($dest_id) {
    $TRACE = 'dest_exists';
    $dst = $pdo->prepare("SELECT id FROM funds WHERE id = ?");
    if (!$dst || !$dst->execute([$dest_id])) goback('fund_error=db_read&trace=' . urlencode($TRACE));
    if (!$dst->fetchColumn()) goback('fund_error=dest_not_found');
  }

$pdo->beginTransaction();

if ($dest_id) {
    // Merge: move members
    $TRACE = 'move_members';
    $mv = $pdo->prepare("UPDATE members SET fund_id = ? WHERE fund_id = ?");
    if (!$mv || !$mv->execute([$dest_id, $fund_id])) { $pdo->rollBack(); goback('fund_error=db_write&trace=' . urlencode($TRACE)); }

// Move payments if payments.fund_id exists
    $TRACE = 'check_payments_col';
    $has = $pdo->prepare("SELECT 1 FROM information_schema.columns WHERE table_schema = DATABASE() AND table_name='payments' AND column_name='fund_id'");
    $has->execute();
    if ($has->fetchColumn()) {
      $TRACE = 'move_payments';
      $up = $pdo->prepare("UPDATE payments SET fund_id = ? WHERE fund_id = ?");
      if (!$up || !$up->execute([$dest_id, $fund_id])) { $pdo->rollBack(); goback('fund_error=db_write&trace=' . urlencode($TRACE)); }
    }

// Keep stock alert history: null fund_id
    $TRACE = 'alerts_null_fund';
    $pdo->prepare("UPDATE stock_alerts SET fund_id = NULL WHERE fund_id = ?")->execute([$fund_id]);

// Delete fund
    $TRACE = 'delete_fund';
    $del = $pdo->prepare("DELETE FROM funds WHERE id = ?");
    if (!$del || !$del->execute([$fund_id])) { $pdo->rollBack(); goback('fund_error=db_write&trace=' . urlencode($TRACE)); }

$pdo->commit();
    goback('fund_merge=1&fund_id=' . $dest_id);
  } else {
    // Delete only if empty (no members), and no payments (if fund_id exists)
    $TRACE = 'check_members_empty';
    $mc = $pdo->prepare("SELECT COUNT(*) FROM members WHERE fund_id = ?");
    if (!$mc || !$mc->execute([$fund_id])) { $pdo->rollBack(); goback('fund_error=db_read&trace=' . urlencode($TRACE)); }
    if ((int)$mc->fetchColumn() > 0) { $pdo->rollBack(); goback('fund_error=not_empty'); }

$TRACE = 'check_payments_empty';
    $has = $pdo->prepare("SELECT 1 FROM information_schema.columns WHERE table_schema = DATABASE() AND table_name='payments' AND column_name='fund_id'");
    $has->execute();
    if ($has->fetchColumn()) {
      $pc = $pdo->prepare("SELECT COUNT(*) FROM payments WHERE fund_id = ?");
      if (!$pc || !$pc->execute([$fund_id])) { $pdo->rollBack(); goback('fund_error=db_read&trace=' . urlencode($TRACE)); }
      if ((int)$pc->fetchColumn() > 0) { $pdo->rollBack(); goback('fund_error=payments_exist'); }
    }

$TRACE = 'delete_fund';
    $del = $pdo->prepare("DELETE FROM funds WHERE id = ?");
    if (!$del || !$del->execute([$fund_id])) { $pdo->rollBack(); goback('fund_error=db_write&trace=' . urlencode($TRACE)); }

$pdo->commit();
    goback('fund_deleted=1');
  }

} catch (Throwable $e) {
  error_log('[fund_delete fatal] step=' . $TRACE . ' msg=' . $e->getMessage());
  try { if ($pdo && $pdo->inTransaction()) $pdo->rollBack(); } catch (Throwable $e2) {}
  goback('fund_error=server&trace=' . urlencode($TRACE));
}