芝麻web文件管理V1.00

编辑当前文件:/home/pulsehostuk9/public_html/teafund.pulsehost.co.uk/api/fund_update.php

<?php
// api/fund_update.php — Hardened (Patch 38b)
require_once __DIR__ . '/../includes/auth.php';
require_once __DIR__ . '/../includes/db.php';
require_manage();

function goback(string $qs) { header('Location: /admin/?tab=tools&' . $qs); exit; }

// CSRF (with fallback)
$csrf_ok = false;
try {
  require_once __DIR__ . '/../includes/csrf.php';
  $token = $_POST['csrf_token'] ?? '';
  if (function_exists('csrf_validate')) {
    $csrf_ok = csrf_validate($token);
  } else {
    if (session_status() !== PHP_SESSION_ACTIVE) @session_start();
    $session_token = $_SESSION['csrf_token'] ?? '';
    if ($session_token && is_string($token)) $csrf_ok = hash_equals((string)$session_token, (string)$token);
  }
} catch (Throwable $e) { error_log('[fund_update csrf] ' . $e->getMessage()); }
if (!$csrf_ok) goback('fund_error=csrf');

$fund_id = isset($_POST['fund_id']) ? (int)$_POST['fund_id'] : 0;
$name = trim($_POST['name'] ?? '');
if ($fund_id <= 0 || $name === '' || mb_strlen($name) < 2 || mb_strlen($name) > 100) {
  goback('fund_error=bad_request');
}

$TRACE = 'start';
try {
  $TRACE = 'pdo_connect';
  $pdo = get_pdo();

// Ensure funds table exists
  $TRACE = 'ensure_table';
  $pdo->exec("CREATE TABLE IF NOT EXISTS funds (
    id INT AUTO_INCREMENT PRIMARY KEY,
    name VARCHAR(100) NOT NULL
  ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci");

// Check fund exists
  $TRACE = 'fund_exists';
  $chk = $pdo->prepare("SELECT id FROM funds WHERE id = ?");
  if (!$chk || !$chk->execute([$fund_id])) goback('fund_error=db_read&trace=' . urlencode($TRACE));
  if (!$chk->fetchColumn()) goback('fund_error=not_found');

// Ensure unique name (other than me)
  $TRACE = 'dupe_check';
  $dupe = $pdo->prepare("SELECT id FROM funds WHERE name = ? AND id <> ? LIMIT 1");
  if (!$dupe || !$dupe->execute([$name, $fund_id])) goback('fund_error=db_read&trace=' . urlencode($TRACE));
  if ($dupe->fetchColumn()) goback('fund_error=exists');

// Update
  $TRACE = 'update';
  $upd = $pdo->prepare("UPDATE funds SET name = ? WHERE id = ?");
  if (!$upd || !$upd->execute([$name, $fund_id])) goback('fund_error=db_write&trace=' . urlencode($TRACE));

goback('fund_renamed=1&fund_id=' . $fund_id);

} catch (Throwable $e) {
  error_log('[fund_update fatal] step=' . $TRACE . ' msg=' . $e->getMessage());
  goback('fund_error=server&trace=' . urlencode($TRACE));
}