Path : /var/www/html/work123/
File Upload :
Current File : /var/www/html/work123/process.php

<?php
require_once 'config.php';
require_once 'security.php';
require_once 'functions.php';

// Select the handler from the `action` parameter; a GET value wins over a POST value.
// NOTE(review): every handler below is reachable by plain GET (e.g. `?action=checkin`
// reads no POST fields), so a forged link or <img> can trigger state changes unless
// security.php performs a CSRF check — confirm.
$action = '';
if (isset($_GET['action'])) {
    $action = $_GET['action'];
} elseif (isset($_POST['action'])) {
    $action = $_POST['action'];
}

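if ($action == 'login') {
    // Authenticate the user and open a role-specific session.
    // Both fields are read defensively so a missing field does not raise a notice.
    $user = mysqli_real_escape_string($conn, isset($_POST['username']) ? $_POST['username'] : '');
    $pass = isset($_POST['password']) ? (string)$_POST['password'] : '';

    $sql = "SELECT * FROM users WHERE username = '$user'";
    $res = mysqli_query($conn, $sql);
    $row = $res ? mysqli_fetch_assoc($res) : null;

    // NOTE(review): passwords are stored reversibly (decrypt_password) instead of hashed, so a
    // DB leak yields every plaintext password. The real fix is password_hash()/password_verify(),
    // which needs a storage migration and is therefore out of scope for this block.
    // hash_equals() replaces `==` to avoid loose-comparison type juggling and to keep the
    // comparison constant-time; the cast guards against a non-string return in PHP 8.
    if ($row && hash_equals((string)decrypt_password($row['password']), $pass)) {
        // Rotate the session id at the privilege boundary to defeat session fixation.
        // Assumes the session was started by an include (security.php/config.php) — confirm.
        session_regenerate_id(true);
        $_SESSION['u_id'] = $row['u_id'];
        $_SESSION['fullname'] = $row['fullname'];
        $_SESSION['type'] = $row['type'];

        if ($row['type'] == 'admin') {
            header("Location: admin_dashboard.php");
        } else {
            header("Location: user_dashboard.php");
        }
    } else {
        header("Location: index.php?error=1");
    }
    exit();
}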

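if ($action == 'save_work') {
    // Record where (and, for remote work, what) the user worked on one attendance row.
    // The UPDATE is now restricted to the caller's own row: previously any logged-in user
    // could rewrite any att_id (no ownership check on the POSTed id).
    $att_id = isset($_POST['att_id']) ? (int)$_POST['att_id'] : 0;
    $u_id   = isset($_SESSION['u_id']) ? (int)$_SESSION['u_id'] : 0;
    $work_location = isset($_POST['work_location']) ? mysqli_real_escape_string($conn, $_POST['work_location']) : '';

    if ($work_location == 'office') {
        // Office work gets a fixed detail string.
        $detail = "ปฏิบัติงานในสำนักงาน";
    } else {
        // Any other location: free text from the form's textarea.
        $raw_detail = isset($_POST['work_detail']) ? $_POST['work_detail'] : '';
        $detail = mysqli_real_escape_string($conn, $raw_detail);
    }

    if (!empty($work_location) && $att_id > 0 && $u_id > 0) {
        $sql = "UPDATE attendance SET 
                work_location = '$work_location', 
                work_detail = '$detail' 
                WHERE att_id = '$att_id' AND u_id = '$u_id'";

        if (mysqli_query($conn, $sql)) {
            header("Location: user_dashboard.php?save=success");
        } else {
            // Never echo mysqli_error() to the browser — it leaks table/column names.
            error_log("save_work failed for att_id=$att_id: " . mysqli_error($conn));
            header("Location: user_dashboard.php?error=db");
        }
    } else {
        header("Location: user_dashboard.php?error=missing_data");
    }
    exit();
}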

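// --- Clock-in (User) ---
if ($action == 'checkin') {
    // Record today's clock-in for the logged-in user, at most once per day.
    // The session id was interpolated into SQL as-is; it is cast to int, and an absent
    // session no longer produces a row with an empty u_id.
    $u_id = isset($_SESSION['u_id']) ? (int)$_SESSION['u_id'] : 0;
    if ($u_id > 0) {
        $date = date('Y-m-d');
        $time = date('H:i:s');

        // Look-then-insert is racy: two concurrent requests can both see zero rows.
        // A UNIQUE index on (u_id, att_date) is the durable guard — confirm the schema has one.
        $check = mysqli_query($conn, "SELECT att_id FROM attendance WHERE u_id = '$u_id' AND att_date = '$date'");
        if ($check && mysqli_num_rows($check) == 0) {
            mysqli_query($conn, "INSERT INTO attendance (u_id, att_date, time_in) VALUES ('$u_id', '$date', '$time')");
        }
    }
    header("Location: user_dashboard.php");
    exit();
}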

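// (removed) A second `save_work` handler used to sit here. It was unreachable — the first
// `save_work` branch earlier in this file always calls exit() — and it lacked that branch's
// work_location handling, so the two were already out of sync. One handler is kept.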

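if ($action == 'checkout') {
    // Record the clock-out time on the caller's own attendance row.
    $att_id   = isset($_POST['att_id']) ? (int)$_POST['att_id'] : 0;
    $u_id     = isset($_SESSION['u_id']) ? (int)$_SESSION['u_id'] : 0;
    $time_out = isset($_POST['time_out']) ? (string)$_POST['time_out'] : '';

    // time_out was interpolated into the UPDATE unescaped (SQL injection). Only a strict
    // HH:MM:SS value is accepted, and the statement is parameterised.
    // NOTE(review): the value is still client-supplied, whereas checkin uses server time;
    // an attendance system probably wants date('H:i:s') here as well — confirm the form's intent.
    $valid_time = preg_match('/^(?:[01]\d|2[0-3]):[0-5]\d:[0-5]\d$/', $time_out) === 1;

    if ($att_id > 0 && $u_id > 0 && $valid_time) {
        // Ownership check added: previously any att_id could be closed by any user.
        $stmt = mysqli_prepare($conn, "UPDATE attendance SET time_out = ? WHERE att_id = ? AND u_id = ?");
        if ($stmt) {
            mysqli_stmt_bind_param($stmt, 'sii', $time_out, $att_id, $u_id);
            mysqli_stmt_execute($stmt);
            mysqli_stmt_close($stmt);
        }
    }
    header("Location: user_dashboard.php");
    exit();
}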

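// --- Personnel management (Admin) ---
if ($action == 'add_user') {
    // Admin: create a user. Text fields are escaped for the string-built INSERT below.
    $username = mysqli_real_escape_string($conn, isset($_POST['username']) ? $_POST['username'] : '');
    // encrypt_password()'s output format is not visible here, so it is escaped like any other string.
    $password = mysqli_real_escape_string($conn, encrypt_password(isset($_POST['password']) ? $_POST['password'] : ''));
    $fullname = mysqli_real_escape_string($conn, isset($_POST['fullname']) ? $_POST['fullname'] : '');
    $position = mysqli_real_escape_string($conn, isset($_POST['position']) ? $_POST['position'] : '');
    $g_id = isset($_POST['g_id']) ? (int)$_POST['g_id'] : 0;
    $p_id = isset($_POST['p_id']) ? (int)$_POST['p_id'] : 0; // personnel type
    // `type` decides admin vs. user at login and was written to SQL unescaped.
    // NOTE(review): it should also be whitelisted against the role set; this file only shows
    // 'admin' being special-cased, so the full set must be confirmed before tightening.
    $type = mysqli_real_escape_string($conn, isset($_POST['type']) ? $_POST['type'] : '');

    $sig_name = "";
    $has_upload = isset($_FILES['signature'])
        && $_FILES['signature']['error'] === UPLOAD_ERR_OK
        && is_uploaded_file($_FILES['signature']['tmp_name']);
    if ($has_upload) {
        $ext = strtolower(pathinfo($_FILES['signature']['name'], PATHINFO_EXTENSION));
        $allowed_ext = ['png', 'jpg', 'jpeg', 'gif'];
        // The extension used to be copied straight from the client filename, so "x.php" became
        // an executable file under the web root. Require an image extension and image content,
        // and use a random name so two users added in the same second no longer overwrite each
        // other. (@ only silences getimagesize()'s notice on non-image data; the return value is
        // what is checked.)
        // NOTE(review): uploads/ should additionally have script execution disabled at the web server.
        if (in_array($ext, $allowed_ext, true) && @getimagesize($_FILES['signature']['tmp_name']) !== false) {
            $sig_name = "sig_" . bin2hex(random_bytes(8)) . "." . $ext;
            if (!move_uploaded_file($_FILES['signature']['tmp_name'], "uploads/" . $sig_name)) {
                $sig_name = "";
            }
        }
    }

    $sql = "INSERT INTO users (username, password, fullname, position, g_id, p_id, type, signature) 
            VALUES ('$username', '$password', '$fullname', '$position', '$g_id', '$p_id', '$type', '$sig_name')";
    mysqli_query($conn, $sql);
    header("Location: admin_users.php");
    exit();
}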

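if ($action == 'edit_user') {
    // Admin: update a user. Password and signature are only touched when supplied.
    $u_id = isset($_POST['u_id']) ? (int)$_POST['u_id'] : 0;
    $fullname = mysqli_real_escape_string($conn, isset($_POST['fullname']) ? $_POST['fullname'] : '');
    $position = mysqli_real_escape_string($conn, isset($_POST['position']) ? $_POST['position'] : '');
    $g_id = isset($_POST['g_id']) ? (int)$_POST['g_id'] : 0;
    $p_id = isset($_POST['p_id']) ? (int)$_POST['p_id'] : 0;
    // `type` decides admin vs. user at login and was written to SQL unescaped.
    // NOTE(review): it should also be whitelisted against the role set; this file only shows
    // 'admin' being special-cased, so the full set must be confirmed before tightening.
    $type = mysqli_real_escape_string($conn, isset($_POST['type']) ? $_POST['type'] : '');

    mysqli_query($conn, "UPDATE users SET fullname='$fullname', position='$position', g_id='$g_id', p_id='$p_id', type='$type' WHERE u_id='$u_id'");

    if (!empty($_POST['password'])) {
        // encrypt_password()'s output format is not visible here, so it is escaped like any other string.
        $password = mysqli_real_escape_string($conn, encrypt_password($_POST['password']));
        mysqli_query($conn, "UPDATE users SET password='$password' WHERE u_id='$u_id'");
    }

    $has_upload = isset($_FILES['signature'])
        && $_FILES['signature']['error'] === UPLOAD_ERR_OK
        && is_uploaded_file($_FILES['signature']['tmp_name']);
    if ($has_upload) {
        $ext = strtolower(pathinfo($_FILES['signature']['name'], PATHINFO_EXTENSION));
        $allowed_ext = ['png', 'jpg', 'jpeg', 'gif'];
        // The extension used to be copied straight from the client filename, so "x.php" became
        // an executable file under the web root. Require an image extension and image content,
        // and use a random name so two edits in the same second no longer overwrite each other.
        // (@ only silences getimagesize()'s notice on non-image data; the return value is checked.)
        // NOTE(review): uploads/ should additionally have script execution disabled at the web server.
        if (in_array($ext, $allowed_ext, true) && @getimagesize($_FILES['signature']['tmp_name']) !== false) {
            $sig_name = "sig_" . bin2hex(random_bytes(8)) . "." . $ext;
            if (move_uploaded_file($_FILES['signature']['tmp_name'], "uploads/" . $sig_name)) {
                // Remove the previous file only once the new one is in place, so a failed move
                // does not leave the user without a signature. basename() keeps a tampered DB
                // value from pointing outside uploads/.
                $old_res = mysqli_query($conn, "SELECT signature FROM users WHERE u_id='$u_id'");
                $old = $old_res ? mysqli_fetch_assoc($old_res) : null;
                if ($old && $old['signature']) {
                    $old_path = "uploads/" . basename($old['signature']);
                    if (file_exists($old_path)) unlink($old_path);
                }
                mysqli_query($conn, "UPDATE users SET signature='$sig_name' WHERE u_id='$u_id'");
            }
        }
    }
    header("Location: admin_users.php");
    exit();
}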

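if ($action == 'del_user') {
    // Admin: delete a user and the signature image stored for them.
    // secure_id() comes from security.php and its contract is not visible here, so the id is
    // additionally cast to int before reaching SQL; a missing id no longer raises a notice.
    // NOTE(review): this is a state change on GET with no CSRF token checked in this file;
    // the admin pages' links would need to become POST forms with a token to close that.
    $u_id = (int)secure_id(isset($_GET['id']) ? $_GET['id'] : '');
    if ($u_id > 0) {
        $res = mysqli_query($conn, "SELECT signature FROM users WHERE u_id = '$u_id'");
        $row = $res ? mysqli_fetch_assoc($res) : null;
        if ($row && $row['signature']) {
            // basename() keeps a tampered DB value from deleting files outside uploads/.
            $sig_path = "uploads/" . basename($row['signature']);
            if (file_exists($sig_path)) unlink($sig_path);
        }
        mysqli_query($conn, "DELETE FROM users WHERE u_id = '$u_id'");
    }
    header("Location: admin_users.php");
    exit();
}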

// --- Work-group management ---
if ($action == 'add_group') {
    // Admin: create a work group; the name is escaped for the string-built INSERT.
    $group_name = mysqli_real_escape_string($conn, $_POST['g_name']);
    $insert_sql = "INSERT INTO `groups` (g_name) VALUES ('$group_name')";
    mysqli_query($conn, $insert_sql);
    header("Location: admin_groups.php");
    exit();
}

if ($action == 'del_group') {
    // Admin: delete a work group by id taken from the query string.
    // secure_id() is defined in security.php; its sanitisation contract is not visible here.
    $group_id = secure_id($_GET['id']);
    $delete_sql = "DELETE FROM `groups` WHERE g_id = '$group_id'";
    mysqli_query($conn, $delete_sql);
    header("Location: admin_groups.php");
    exit();
}

// --- Personnel-type management ---
if ($action == 'add_type') {
    // Admin: create a personnel type; the name is escaped for the string-built INSERT.
    $type_name = mysqli_real_escape_string($conn, $_POST['p_name']);
    $insert_sql = "INSERT INTO personnel_types (p_name) VALUES ('$type_name')";
    mysqli_query($conn, $insert_sql);
    header("Location: admin_types.php");
    exit();
}

if ($action == 'edit_type') {
    // Admin: rename a personnel type. The id is cast to int, the name escaped.
    $type_id   = (int)$_POST['p_id'];
    $type_name = mysqli_real_escape_string($conn, $_POST['p_name']);
    $update_sql = "UPDATE personnel_types SET p_name='$type_name' WHERE p_id='$type_id'";
    mysqli_query($conn, $update_sql);
    header("Location: admin_types.php");
    exit();
}

if ($action == 'del_type') {
    // Admin: delete a personnel type by id taken from the query string.
    // secure_id() is defined in security.php; its sanitisation contract is not visible here.
    $type_id = secure_id($_GET['id']);
    $delete_sql = "DELETE FROM personnel_types WHERE p_id='$type_id'";
    mysqli_query($conn, $delete_sql);
    header("Location: admin_types.php");
    exit();
}

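if ($action == 'logout') {
    // End the session completely. session_destroy() alone leaves $_SESSION populated for the
    // rest of this request and leaves the session cookie in the browser, so both are cleared
    // explicitly (the sequence recommended by the PHP manual). Assumes a session is active.
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $params = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $params['path'], $params['domain'], $params['secure'], $params['httponly']);
    }
    session_destroy();
    header("Location: index.php");
    exit();
}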

?>