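// NOTE(review): this chunk opens mid-statement — the receiver of ->prepare() lies before
// the visible source (later statements use db()->prepare()); the fragment is kept as-is.
prepare("SELECT token FROM admin_tokens WHERE token=? AND expires_at > NOW()");
$stmt->execute([$token]);
// An unexpired admin token is required before any document is served.
if (!$stmt->fetch()) {
    http_response_code(403);
    header('Content-Type: text/plain');
    exit('Unauthorized — please log in to the admin panel first.');
}

// Only string query parameters are accepted: an array value (?ref[]=x) would otherwise
// reach preg_replace()/strtoupper() and abort the request with a TypeError.
$rawRef = $_GET['ref'] ?? '';
$rawType = $_GET['type'] ?? '';
if (!is_string($rawRef) || !is_string($rawType)) {
    http_response_code(400);
    header('Content-Type: text/plain');
    exit('Missing parameters.');
}

// Uppercase first, then strip. Stripping before uppercasing discarded every lowercase
// letter, so a reference typed in lowercase collapsed to '' and was rejected as missing.
$ref = preg_replace('/[^A-Z0-9\-]/', '', strtoupper($rawRef));
// Strict comparison: the value must be exactly one of the two known type names.
$type = in_array($rawType, ['license', 'insurance'], true) ? $rawType : '';
if ($ref === null || $ref === '' || $type === '') {
    http_response_code(400);
    header('Content-Type: text/plain');
    exit('Missing parameters.');
}

// $type is one of two fixed values, so the column name comes from a literal choice and is
// never built from request input; the booking reference itself is bound as a parameter.
$col = $type === 'license' ? 'license_file' : 'insurance_file';
$stmt = db()->prepare("SELECT {$col} AS file_path FROM bookings WHERE booking_ref=?");
$stmt->execute([$ref]);
$row = $stmt->fetch();
if (!$row || !$row['file_path']) {
    http_response_code(404);
    header('Content-Type: text/plain');
    exit('No document on file.');
}

// Resolve both paths and require the stored file to sit strictly inside uploads/. The
// trailing separator keeps a sibling directory such as uploads-old/ from passing the
// prefix test; realpath() also collapses any ../ segments in the stored path.
$root = dirname(__DIR__);
$base = realpath($root . '/uploads');
$path = realpath($root . '/' . $row['file_path']);
if ($path === false || $base === false || !str_starts_with($path, $base . DIRECTORY_SEPARATOR)) {
    http_response_code(404);
    header('Content-Type: text/plain');
    exit('File not found.');
}

// The content type is detected from the file bytes, not its extension; anything outside
// the allow-list is refused and the served filename extension follows the detected type.
$mime = mime_content_type($path);
$allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'application/pdf' => 'pdf'];
if ($mime === false || !isset($allowed[$mime])) {
    http_response_code(403);
    header('Content-Type: text/plain');
    exit('Invalid file type.');
}

// $ref is already reduced to [A-Z0-9-] and $type is a fixed word, so the filename is
// safe to place in the Content-Disposition header.
$fname = $type . '-' . $ref . '.' . $allowed[$mime];
$size = filesize($path);
header('Content-Type: ' . $mime);
// Ask browsers to honour the declared type instead of sniffing the body.
header('X-Content-Type-Options: nosniff');
header('Content-Disposition: inline; filename="' . $fname . '"');
// filesize() returns false on failure; an empty Content-Length header would be malformed.
if ($size !== false) {
    header('Content-Length: ' . $size);
}
header('Cache-Control: no-store, no-cache');
readfile($path);
exit;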