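0, 'path' => '/', 'secure' => $secure, 'httponly' => true, 'samesite' => 'Lax', ]);
// Only adopt session IDs this server issued; an unknown, client-supplied ID is discarded
// instead of being initialised (session-fixation hardening).
ini_set('session.use_strict_mode', '1');
session_name('WLISTSESSID');
session_start();

// config.php presumably provides $app_debug, the DB credentials read by db() and $imagedir.
require_once __DIR__ . '/config/config.php';
require_once __DIR__ . '/include/listgenerator.php';

// ===== Error reporting =====
// Errors are always logged to logs/php-error.log; $app_debug only decides whether they
// are additionally rendered to the client.
$showErrors = !empty($app_debug) ? '1' : '0';
ini_set('display_errors', $showErrors);
ini_set('display_startup_errors', $showErrors);
ini_set('log_errors', '1');
$logDir = __DIR__ . '/logs';
if (!is_dir($logDir)) {
    @mkdir($logDir, 0750, true); // best effort, as before
}
// NOTE(review): logs/ sits next to this script, i.e. most likely inside the document root.
// Make sure the web server refuses to serve it, or move it outside — confirm in deployment.
ini_set('error_log', $logDir . '/php-error.log');
error_reporting(E_ALL);

// ===== One-shot flash message from the previous request =====
$message = null;
if (!empty($_SESSION['flash']) && is_array($_SESSION['flash'])) {
    $message = $_SESSION['flash']; // ['msg' => ..., 'type' => success|warning|danger]
    unset($_SESSION['flash']);
}

// ===== Helpers =====

/** Escape a string for output inside HTML text or a quoted attribute. */
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Open a fresh mysqli connection with the credentials from config.php.
 * Terminates the request with HTTP 500 when the connection fails.
 */
function db(): mysqli
{
    global $servername, $username, $password, $db;
    $m = new mysqli($servername, $username, $password, $db);
    if ($m->connect_error) {
        http_response_code(500);
        exit('Interner Fehler (DB)');
    }
    $m->set_charset('utf8mb4');
    return $m;
}

/** Create the per-session CSRF token if the session does not have one yet. */
function ensure_csrf_token(): void
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
}

/**
 * On POST, require a form field `csrf` matching the session token (constant-time compare);
 * otherwise answer 403 and stop. Non-POST requests pass through untouched.
 */
function require_csrf(): void
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        return;
    }
    $ok = isset($_POST['csrf'])
        && hash_equals($_SESSION['csrf'] ?? '', (string) $_POST['csrf']);
    if (!$ok) {
        http_response_code(403);
        exit('Ungültiges CSRF-Token');
    }
}

ensure_csrf_token();

// ===== URL parameter: list by UUID (a legacy numeric ID is redirected to the UUID URL) =====
$ListID = -1;
$ListUUID = '';
$showCreateEmptyState = false;
$listNotFound = ['msg' => 'Diese Liste gibt es nicht. Lege eine neue an oder prüfe den Link.', 'type' => 'warning'];

$rawList = isset($_GET['list']) ? trim((string) $_GET['list']) : '';
if ($rawList === '') {
    // Missing or empty parameter => empty state without a message
    $showCreateEmptyState = true;
} elseif (preg_match('/^[0-9a-fA-F-]{32,36}$/', $rawList)) {
    // UUID given (format check only; the query decides whether it exists)
    $c = db();
    $s = $c->prepare('SELECT ID, uuid FROM lists WHERE uuid=?');
    $s->bind_param('s', $rawList);
    $s->execute();
    $r = $s->get_result();
    if ($r && ($row = $r->fetch_assoc())) {
        $ListID = (int) $row['ID'];
        $ListUUID = (string) $row['uuid'];
    } else {
        $message = $listNotFound;
        $showCreateEmptyState = true;
    }
    $s->close();
    $c->close();
} elseif (preg_match('/^\d+$/', $rawList)) {
    // Legacy numeric ID => permanent redirect to the UUID URL when the list exists
    $id = (int) $rawList;
    $c = db();
    $s = $c->prepare('SELECT uuid FROM lists WHERE ID=?');
    $s->bind_param('i', $id);
    $s->execute();
    $r = $s->get_result();
    $row = $r ? $r->fetch_assoc() : null;
    $s->close();
    $c->close();
    if ($row) {
        // Relative Location on purpose: the absolute URL used before was assembled from
        // $_SERVER['HTTP_HOST'], which is taken from the request and is attacker-controlled
        // unless the web server pins it, turning this into an open redirect — a cacheable
        // one, given the 301.
        header('Location: /?list=' . urlencode((string) $row['uuid']), true, 301);
        exit;
    }
    $message = $listNotFound;
    $showCreateEmptyState = true;
} else {
    // Neither a UUID nor a number
    $message = $listNotFound;
    $showCreateEmptyState = true;
}

// ===== Sort order (whitelist; the value is consumed by listgenerator.php) =====
$sortby = (string) ($_POST['sortby'] ?? $_POST['sortby_transfer'] ?? 'priority');
$allowedOrder = [
    'priority'   => 'priority DESC',
    'price_asc'  => 'price ASC',
    'price_desc' => 'price DESC',
    'date_desc'  => 'date DESC',
    'date_asc'   => 'date ASC',
    'random'     => 'RAND()',
];
if (!array_key_exists($sortby, $allowedOrder)) {
    $sortby = 'priority';
}

// ===== Login status: the session owns exactly the list being displayed =====
$loggedin = isset($_SESSION['listid']) && $ListID === (int) $_SESSION['listid'];
$GLOBALS['loggedin'] = $loggedin; // read by listgenerator.php

// ===== POST actions (all behind the CSRF check) =====
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    require_csrf();

    // LOGIN
    if (isset($_POST['login'])) {
        $ListPassword = (string) ($_POST['ListPassword'] ?? '');
        $ListIdFromForm = (int) ($_POST['ListID'] ?? -1);
        $c = db();
        $s = $c->prepare('SELECT edit_pw, uuid FROM lists WHERE ID=?');
        $s->bind_param('i', $ListIdFromForm);
        $s->execute();
        $r = $s->get_result();
        $row = $r ? $r->fetch_assoc() : null;
        $s->close();
        if (!$row) {
            $message = ['msg' => 'Liste nicht gefunden', 'type' => 'warning'];
        } elseif (!password_verify($ListPassword, (string) $row['edit_pw'])) {
            $message = ['msg' => 'Falsches Passwort', 'type' => 'warning'];
        } else {
            // Privilege change => new session ID, so an ID known before login is worthless
            // afterwards (fixation). $_SESSION contents, including the CSRF token, survive.
            session_regenerate_id(true);
            $_SESSION['listid'] = $ListIdFromForm;
            // Only count as logged in for the rest of this request when the form's list is
            // the one on screen; the delete action below relies on $loggedin meaning that.
            $loggedin = ($ListIdFromForm === $ListID);
            $ListUUID = (string) $row['uuid'];
            // Transparently upgrade hashes created with an older cost/algorithm.
            if (password_needs_rehash((string) $row['edit_pw'], PASSWORD_DEFAULT)) {
                $newHash = password_hash($ListPassword, PASSWORD_DEFAULT);
                $u = $c->prepare('UPDATE lists SET edit_pw=? WHERE ID=?');
                $u->bind_param('si', $newHash, $ListIdFromForm);
                $u->execute();
                $u->close();
            }
            $message = ['msg' => 'Login erfolgreich', 'type' => 'success'];
        }
        $c->close();
    }

    // CREATE LIST
    if (isset($_POST['listadd'])) {
        $listName = (string) ($_POST['listName'] ?? '');
        $listPasswordRaw = (string) ($_POST['listPassword'] ?? '');
        $listDescription = (string) ($_POST['listDescription'] ?? '');
        // NOTE(review): an empty password is accepted here and later verifies successfully in
        // the login action, so such a list is editable by anyone who opens it. Confirm whether
        // that is intended; otherwise reject empty/short passwords here (not only in the form).
        $listPassword = password_hash($listPasswordRaw, PASSWORD_DEFAULT);
        $c = db();
        $s = $c->prepare('INSERT INTO lists (uuid, title, description, edit_pw) VALUES (UUID(), ?, ?, ?)');
        $s->bind_param('sss', $listName, $listDescription, $listPassword);
        if ($s->execute()) {
            $last_id = (int) $c->insert_id;
            $s->close();
            $g = $c->prepare('SELECT uuid FROM lists WHERE ID=?');
            $g->bind_param('i', $last_id);
            $g->execute();
            $gr = $g->get_result();
            $uuid = ($gr && ($row = $gr->fetch_assoc())) ? (string) $row['uuid'] : '';
            $g->close();
            $c->close();
            // The creator owns the new list: same session handling as a successful login.
            session_regenerate_id(true);
            $_SESSION['listid'] = $last_id;
            // Relative redirect for the same reason as above (no $_SERVER['HTTP_HOST']).
            header('Location: /?list=' . urlencode($uuid));
            exit;
        }
        $message = ['msg' => 'Unerwarteter Fehler beim Anlegen', 'type' => 'danger'];
        $s->close();
        $c->close();
    }

    // LOGOUT
    if (isset($_POST['logout'])) {
        // Drop all session data and the old ID, then issue a fresh CSRF token. The previous
        // session_destroy() left the in-memory token on the rendered page while the next
        // request (ensure_csrf_token() runs before require_csrf()) generated a different one,
        // so a form submitted from the post-logout page failed the CSRF check.
        $_SESSION = [];
        session_regenerate_id(true);
        ensure_csrf_token();
        $loggedin = false;
        $message = ['msg' => 'Logout erfolgreich', 'type' => 'success'];
    }

    // PUSH PRIORITY: move a wish to the top of the displayed list
    if (isset($_POST['pushprio'])) {
        // NOTE(review): unlike delete, this action is not gated on $loggedin — confirm that
        // visitors are meant to reorder wishes. Independently of that, the UPDATE is scoped to
        // the displayed list: before, any WhishID from any list could be modified from here.
        $wishId = (int) ($_POST['WhishID'] ?? -1);
        $c = db();
        $s = $c->prepare('SELECT COALESCE(MAX(priority),0) AS maxprio FROM wishes WHERE wishlist=?');
        $s->bind_param('i', $ListID);
        $s->execute();
        $r = $s->get_result();
        $next = 1;
        if ($r && ($row = $r->fetch_assoc())) {
            $next = ((int) $row['maxprio']) + 1;
        }
        $s->close();
        $u = $c->prepare('UPDATE wishes SET priority=? WHERE ID=? AND wishlist=?');
        $u->bind_param('iii', $next, $wishId, $ListID);
        // A wish outside this list matches no row; report that instead of a silent success.
        $updated = $u->execute() && $u->affected_rows > 0;
        $u->close();
        $c->close();
        $message = $updated
            ? ['msg' => 'Wunschpriorität aktualisiert', 'type' => 'success']
            : ['msg' => 'Uups, irgendwas ist schief gegangen!', 'type' => 'danger'];
    }

    // DELETE (owner only)
    if (isset($_POST['delete']) && $loggedin === true) {
        $WhishID = (int) ($_POST['WhishID'] ?? -1);
        $WhishTitle = '';
        $imageFile = '';
        $c = db();
        // Both statements are scoped to the list this session owns ($loggedin guarantees
        // $ListID === $_SESSION['listid']). Matching on ID alone, as before, let the owner of
        // one list delete wishes of any other list by posting a foreign WhishID.
        $s = $c->prepare('SELECT image, title FROM wishes WHERE ID=? AND wishlist=?');
        $s->bind_param('ii', $WhishID, $ListID);
        $s->execute();
        $r = $s->get_result();
        if ($r && ($row = $r->fetch_assoc())) {
            $WhishTitle = (string) $row['title'];
            $imageFile = (string) $row['image'];
        }
        $s->close();
        $d = $c->prepare('DELETE FROM wishes WHERE ID=? AND wishlist=?');
        $d->bind_param('ii', $WhishID, $ListID);
        $deleted = $d->execute();
        $d->close();
        $c->close();
        if ($deleted) {
            // Remove the image only once the row is gone, so a failed DELETE does not orphan
            // the record. basename() keeps the unlink inside $imagedir even if a stored name
            // ever contained path segments.
            if ($imageFile !== '') {
                $full = rtrim($imagedir, '/') . '/' . basename($imageFile);
                if (is_file($full)) {
                    @unlink($full);
                }
            }
            $message = ['msg' => 'Wunsch "' . e($WhishTitle) . '" gelöscht', 'type' => 'success'];
        } else {
            $message = ['msg' => 'Uups, irgendwas ist schief gegangen!', 'type' => 'danger'];
        }
    }
}
?>
Simple Wishlist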

Willkommen bei Simple Wishlist

Es wurde keine gültige Liste ausgewählt. Du kannst jetzt eine neue Liste anlegen.