zibo-dashboard/public/userarea/ajax/employee_profile/upload_training_attachment.php

<?php
require_once(__DIR__ . '/../hr_auth_check.php');

header('Content-Type: application/json');

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    echo json_encode(['success' => false, 'message' => 'Metodo non consentito.']);
    exit;
}

$pdo = DBHandlerSelect::getInstance()->getConnection();

$trainingId = (int)($_POST['training_id'] ?? 0);
if ($trainingId <= 0) {
    echo json_encode(['success' => false, 'message' => 'ID formazione non valido.']);
    exit;
}

$tr = $pdo->prepare("SELECT employee_id FROM employee_trainings WHERE id = :id");
$tr->execute(['id' => $trainingId]);
$trainingRow = $tr->fetch(PDO::FETCH_ASSOC);
if (!$trainingRow) {
    echo json_encode(['success' => false, 'message' => 'Formazione non trovata.']);
    exit;
}
$employeeId = (int)$trainingRow['employee_id'];

if (empty($_FILES['file']) || $_FILES['file']['error'] !== UPLOAD_ERR_OK) {
    $errCode = $_FILES['file']['error'] ?? -1;
    $msg = 'Errore nel caricamento del file.';
    if ($errCode === UPLOAD_ERR_INI_SIZE || $errCode === UPLOAD_ERR_FORM_SIZE) {
        $msg = 'Il file supera la dimensione massima consentita.';
    }
    echo json_encode(['success' => false, 'message' => $msg]);
    exit;
}

$originalName = $_FILES['file']['name'];
$tmpPath      = $_FILES['file']['tmp_name'];
$size         = (int)$_FILES['file']['size'];
$mimeType     = mime_content_type($tmpPath) ?: ($_FILES['file']['type'] ?? null);

$dir = __DIR__ . '/../../files/employees/' . $employeeId . '/trainings';
if (!is_dir($dir)) {
    if (!mkdir($dir, 0775, true) && !is_dir($dir)) {
        echo json_encode(['success' => false, 'message' => 'Impossibile creare la cartella di destinazione.']);
        exit;
    }
}

$safeOriginal = preg_replace('/[^a-zA-Z0-9._-]/', '_', $originalName);
$storedName   = uniqid('tr_') . '_' . $safeOriginal;
$destPath     = $dir . '/' . $storedName;

if (!move_uploaded_file($tmpPath, $destPath)) {
    echo json_encode(['success' => false, 'message' => 'Impossibile salvare il file su disco.']);
    exit;
}

try {
    $pdo->beginTransaction();

    $ins = $pdo->prepare("
        INSERT INTO employee_training_attachments
            (training_id, original_name, stored_name, mime_type, size, uploaded_by, created_at)
        VALUES
            (:tid, :original_name, :stored_name, :mime_type, :size, :uploaded_by, NOW())
    ");
    $ins->execute([
        'tid'           => $trainingId,
        'original_name' => $originalName,
        'stored_name'   => $storedName,
        'mime_type'     => $mimeType,
        'size'          => $size,
        'uploaded_by'   => $currentUserId,
    ]);
    $attachmentId = (int)$pdo->lastInsertId();

    $pdo->prepare("
        INSERT INTO employee_training_log
            (employee_id, training_id, action, field, old_value, new_value, changed_by, changed_at)
        VALUES
            (:eid, :tid, 'attachment_added', 'attachment', NULL, :name, :cb, NOW())
    ")->execute([
        'eid'  => $employeeId,
        'tid'  => $trainingId,
        'name' => $originalName,
        'cb'   => $currentUserId,
    ]);

    $pdo->commit();
    echo json_encode(['success' => true, 'id' => $attachmentId]);
} catch (Exception $e) {
    if ($pdo->inTransaction()) $pdo->rollBack();
    @unlink($destPath);
    echo json_encode(['success' => false, 'message' => $e->getMessage()]);
}