<?php

ini_set('display_errors', 1);
ini_set('display_startup_errors', 1);
error_reporting(E_ALL);

session_start();

if (empty($_SESSION['user_id']))
{
    header('Location: login.php');
    exit();
}

$userId = (int)$_SESSION['user_id'];

if ($_SERVER['REQUEST_METHOD'] !== 'POST')
{
    header('Location: account.php');
    exit();
}

if (!isset($_FILES['uploadFile']) || !is_array($_FILES['uploadFile']))
{
    header('Location: account.php?upload=err');
    exit();
}

$file = $_FILES['uploadFile'];

$fileError = isset($file['error']) ? (int)$file['error'] : UPLOAD_ERR_NO_FILE;
if ($fileError !== UPLOAD_ERR_OK)
{
    error_log('Upload: PHP upload error code=' . $fileError);
    header('Location: account.php?upload=err');
    exit();
}

// Basic Validierung
$tmp = isset($file['tmp_name']) ? (string)$file['tmp_name'] : '';
if ($tmp === '' || !is_uploaded_file($tmp))
{
    header('Location: account.php?upload=err');
    exit();
}

$allowedMimeToExt = [
    'image/jpeg' => 'jpg',
    'image/png' => 'png',
    'image/webp' => 'webp'
];

$finfo = new finfo(FILEINFO_MIME_TYPE);
$mime = $finfo->file($tmp);

if (!$mime || !isset($allowedMimeToExt[$mime]))
{
    header('Location: account.php?upload=err');
    exit();
}

$ext = $allowedMimeToExt[$mime];

// Wichtig: Auf Linux ist ein Pfad mit führendem "/" ein Pfad ab Dateisystem-Root.
// Für move_uploaded_file() brauchen wir einen Dateisystempfad; die Public-URL ist separat.
$documentRoot = isset($_SERVER['DOCUMENT_ROOT']) ? (string)$_SERVER['DOCUMENT_ROOT'] : '';
$webRoot = rtrim($documentRoot, "\\/");

$relativeTargetDir = '/assets/images/profilePictures';

// Robust: __DIR__ ist der Ordner, in dem upload.php liegt (bei dir: WEBROOT).
// DOCUMENT_ROOT kann auf manchen Setups leer oder z.B. nur '/' sein; dann würde in '/assets/...' geschrieben.
$dirBasedRoot = rtrim(__DIR__, "\\/");

define('UPLOAD_DEBUG', true);

$candidateFromDocRoot = ($webRoot !== '' && $webRoot !== '/') ? ($webRoot . $relativeTargetDir) : '';
$candidateFromDir = $dirBasedRoot . $relativeTargetDir;

// Bevorzugt __DIR__; nur wenn DOCUMENT_ROOT plausibel ist und der DIR-Fallback nicht existiert, nutzen wir DOCUMENT_ROOT.
$targetDir = $candidateFromDir;
if ($candidateFromDocRoot !== '' && !is_dir($candidateFromDir) && is_dir($candidateFromDocRoot))
{
    $targetDir = $candidateFromDocRoot;
}

if (UPLOAD_DEBUG)
{
    error_log('Upload: DOCUMENT_ROOT=' . $documentRoot);
    error_log('Upload: __DIR__=' . __DIR__);
    error_log('Upload: targetDir=' . $targetDir);
}

if (!is_dir($targetDir))
{
    $mkOk = @mkdir($targetDir, 0755, true);
    if (!$mkOk)
    {
        error_log('Upload: mkdir failed for ' . $targetDir);
        header('Location: account.php?upload=err');
        exit();
    }
}

if (!is_writable($targetDir))
{
    error_log('Upload: targetDir not writable: ' . $targetDir);
    header('Location: account.php?upload=err');
    exit();
}

// Fallback-kompatibler Name (auch ohne random_bytes)
$rand = uniqid('', true);
$rand = str_replace('.', '', $rand);
$filename = 'user_' . $userId . '_' . $rand . '.' . $ext;
$targetPath = rtrim($targetDir, "\\/") . DIRECTORY_SEPARATOR . $filename;
error_log('Upload: resolved targetPath=' . $targetPath);

if (!move_uploaded_file($tmp, $targetPath))
{
    $lastErr = error_get_last();
    $lastErrMsg = (is_array($lastErr) && isset($lastErr['message'])) ? (string)$lastErr['message'] : 'unknown';
    error_log('Upload: move_uploaded_file failed to ' . $targetPath . ' - ' . $lastErrMsg);
    header('Location: account.php?upload=err');
    exit();
}

// Pfad, der in HTML genutzt wird (URL relativ zur Webroot)
$publicPath = 'assets/images/profilePictures/' . $filename;

$servername = "localhost";
$port = 3306;
$username = "FSST";
$password = "L9wUNZZ9Qkbt";
$db = "FSST";

$conn = mysqli_connect($servername, $username, $password, $db, $port);
if (!$conn)
{
    header('Location: account.php?upload=err');
    exit();
}

$stmt = mysqli_prepare($conn, "UPDATE users SET profilePicture = ? WHERE userID = ?");
if (!$stmt)
{
    mysqli_close($conn);
    header('Location: account.php?upload=err');
    exit();
}

mysqli_stmt_bind_param($stmt, 'si', $publicPath, $userId);
$ok = mysqli_stmt_execute($stmt);
mysqli_stmt_close($stmt);
mysqli_close($conn);

if (!$ok)
{
    header('Location: account.php?upload=err');
    exit();
}

header('Location: account.php?upload=ok');
exit();