parkerslingshotrentals/admin/view-doc.php

<?php
require_once dirname(__DIR__) . '/db.php';

$token = preg_replace('/[^a-f0-9]/', '', $_GET['_t'] ?? '');
$stmt  = db()->prepare("SELECT token FROM admin_tokens WHERE token=? AND expires_at > NOW()");
$stmt->execute([$token]);
if (!$stmt->fetch()) {
    http_response_code(403);
    header('Content-Type: text/plain');
    exit('Unauthorized — please log in to the admin panel first.');
}

$ref  = strtoupper(preg_replace('/[^A-Z0-9\-]/', '', $_GET['ref'] ?? ''));
$type = in_array($_GET['type'] ?? '', ['license','insurance']) ? $_GET['type'] : '';
if (!$ref || !$type) {
    http_response_code(400);
    header('Content-Type: text/plain');
    exit('Missing parameters.');
}

$col  = $type === 'license' ? 'license_file' : 'insurance_file';
$stmt = db()->prepare("SELECT {$col} AS file_path FROM bookings WHERE booking_ref=?");
$stmt->execute([$ref]);
$row  = $stmt->fetch();

if (!$row || !$row['file_path']) {
    http_response_code(404);
    header('Content-Type: text/plain');
    exit('No document on file.');
}

$root = dirname(__DIR__);
$base = realpath($root . '/uploads');
$path = realpath($root . '/' . $row['file_path']);

if (!$path || !$base || !str_starts_with($path, $base . DIRECTORY_SEPARATOR)) {
    http_response_code(404);
    header('Content-Type: text/plain');
    exit('File not found.');
}

$mime    = mime_content_type($path);
$allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'application/pdf' => 'pdf'];
if (!isset($allowed[$mime])) {
    http_response_code(403);
    header('Content-Type: text/plain');
    exit('Invalid file type.');
}

$fname = $type . '-' . $ref . '.' . $allowed[$mime];
header('Content-Type: ' . $mime);
header('Content-Disposition: inline; filename="' . $fname . '"');
header('Content-Length: ' . filesize($path));
header('Cache-Control: no-store, no-cache');
readfile($path);