update profile

public/userarea/update-profile.php

@@ -6,47 +6,88 @@ if (!Auth::check()) {
     redirectTo('../public/login');
 }
 
-$user = Auth::user();
-$id = $_POST['iduserlogin'];
-
-if ($_SERVER['REQUEST_METHOD'] === 'POST') {
-    $first_name = $_POST['first_name'];
-    $last_name = $_POST['last_name'];
-    $email = $_POST['email'];
-    $password = $_POST['password'] ?: null;
-
-    $db = DBHandlerSelect::getInstance()->getConnection();
-
-    // Gestione avatar
-    $avatar = $user->present()->avatar;
-    if (isset($_FILES['avatar']) && $_FILES['avatar']['error'] === UPLOAD_ERR_OK) {
-        $avatar = time() . '_' . basename($_FILES['avatar']['name']);
-        $uploadDir = __DIR__ . '/../../public/upload/users/';
-        if (!is_dir($uploadDir)) {
-            mkdir($uploadDir, 0755, true);
-        }
-        move_uploaded_file($_FILES['avatar']['tmp_name'], $uploadDir . $avatar);
-    }
-
-    // Aggiornamento dati
-    $sql = "UPDATE auth_users SET first_name = ?, last_name = ?, email = ?, avatar = ? WHERE id = ?";
-    $stmt = $db->prepare($sql);
-    $stmt->execute([$first_name, $last_name, $email, $avatar, $id]);
-
-    // Aggiornamento password se fornita
-    if ($password) {
-        $hashedPassword = password_hash($password, PASSWORD_BCRYPT);
-        $sql = "UPDATE auth_users SET password = ? WHERE id = ?";
-        $stmt = $db->prepare($sql);
-        $stmt->execute([$hashedPassword, $id]);
-    }
-
-    // Aggiorna la sessione con i nuovi dati
-    $_SESSION["nameuser"] = $first_name;
-    $_SESSION["surnameuser"] = $last_name;
-    $_SESSION["emailuser"] = $email;
-    $_SESSION["photouser"] = $avatar;
-
+if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
     header('Location: user-profile.php');
     exit;
 }
+
+$user = Auth::user();
+$id = isset($_POST['iduserlogin']) ? (int)$_POST['iduserlogin'] : 0;
+
+$first_name = trim($_POST['first_name'] ?? '');
+$last_name = trim($_POST['last_name'] ?? '');
+$email = trim($_POST['email'] ?? '');
+$password = trim($_POST['password'] ?? '');
+
+$lims_user_id = isset($_POST['lims_user_id']) && $_POST['lims_user_id'] !== ''
+    ? (int)$_POST['lims_user_id']
+    : null;
+
+$lims_global_user_id = isset($_POST['lims_global_user_id']) && $_POST['lims_global_user_id'] !== ''
+    ? (int)$_POST['lims_global_user_id']
+    : null;
+
+if ($id <= 0) {
+    die('Invalid user ID');
+}
+
+$db = DBHandlerSelect::getInstance()->getConnection();
+
+// Current avatar
+$avatar = $user->present()->avatar;
+
+// Avatar upload
+if (isset($_FILES['avatar']) && $_FILES['avatar']['error'] === UPLOAD_ERR_OK) {
+    $originalName = basename($_FILES['avatar']['name']);
+    $safeName = preg_replace('/[^A-Za-z0-9_\.-]/', '_', $originalName);
+    $avatar = time() . '_' . $safeName;
+
+    $uploadDir = __DIR__ . '/../../public/upload/users/';
+    if (!is_dir($uploadDir)) {
+        mkdir($uploadDir, 0755, true);
+    }
+
+    move_uploaded_file($_FILES['avatar']['tmp_name'], $uploadDir . $avatar);
+}
+
+// Update main user data
+$sql = "UPDATE auth_users 
+        SET first_name = ?, 
+            last_name = ?, 
+            email = ?, 
+            avatar = ?, 
+            lims_user_id = ?, 
+            lims_global_user_id = ?
+        WHERE id = ?";
+$stmt = $db->prepare($sql);
+$stmt->execute([
+    $first_name,
+    $last_name,
+    $email,
+    $avatar,
+    $lims_user_id,
+    $lims_global_user_id,
+    $id
+]);
+
+// Update password only if provided
+if ($password !== '') {
+    $hashedPassword = password_hash($password, PASSWORD_BCRYPT);
+
+    $sql = "UPDATE auth_users SET password = ? WHERE id = ?";
+    $stmt = $db->prepare($sql);
+    $stmt->execute([$hashedPassword, $id]);
+}
+
+// Update session
+if (session_status() === PHP_SESSION_NONE) {
+    session_start();
+}
+
+$_SESSION["nameuser"] = $first_name;
+$_SESSION["surnameuser"] = $last_name;
+$_SESSION["emailuser"] = $email;
+$_SESSION["photouser"] = $avatar;
+
+header('Location: user-profile.php');
+exit;