From 70c7c0d6b97984ae62b509640e000a70803fbc2b Mon Sep 17 00:00:00 2001
From: Curry141 <135717077+Daniongithub@users.noreply.github.com>
Date: Wed, 29 Oct 2025 18:42:15 +0100
Subject: [PATCH] Fixing untested code with more untested code

Interamente fatto con Claude AI Pro, se ne vedranno delle belle...
---
 htdocs/admin/subjects.php | 121 +++++++++++++++++++++++---------------
 htdocs/docenti.php        |  64 ++++++++++++++++----
 htdocs/laboratori.php     |  67 ++++++++++++++++++---
 htdocs/studenti.php       |  91 ++++++++++++++++------------
 4 files changed, 237 insertions(+), 106 deletions(-)

diff --git a/htdocs/admin/subjects.php b/htdocs/admin/subjects.php
index 22e4b68..b2e4205 100644
--- a/htdocs/admin/subjects.php
+++ b/htdocs/admin/subjects.php
@@ -3,20 +3,47 @@ session_start();
 if (!isset($_SESSION['admin'])) { header("Location: login.php"); exit; }
 include("../lib/db.php");
 
-if ($_SERVER["REQUEST_METHOD"] == "POST" && isset($_POST['name'])) {
+// FIX: Usa prepared statements per sicurezza
+if ($_SERVER["REQUEST_METHOD"] == "POST" && isset($_POST['name']) && !isset($_POST['update'])) {
     $name = $_POST['name']; 
     $teacher = $_POST['teacher']; 
     $room = $_POST['room'];
-    if (!empty($name)) { 
-        $conn->query("INSERT INTO subjects (name,teacher,room) VALUES ('$name','$teacher','$room')"); 
+    
+    if (!empty($name)) {
+        $stmt = $conn->prepare("INSERT INTO subjects (name, teacher, room) VALUES (?, ?, ?)");
+        $stmt->bind_param("sss", $name, $teacher, $room);
+        $stmt->execute();
+        $stmt->close();
     }
-    header("Location: subjects.php"); exit;
+    header("Location: subjects.php"); 
+    exit;
 }
 
+// FIX: Aggiunto redirect dopo update
+if(isset($_POST['update'])){
+    $id = intval($_POST['id']);
+    $name = $_POST['name'];
+    $teacher = $_POST['teacher'];
+    $room = $_POST['room'];
+
+    $stmt = $conn->prepare("UPDATE subjects SET name=?, teacher=?, room=? WHERE id=?");
+    $stmt->bind_param("sssi", $name, $teacher, $room, $id);
+    $stmt->execute();
+    $stmt->close();
+    
+    header("Location: subjects.php");
+    exit;
+}
+
+// FIX: Usa prepared statement anche per delete
 if (isset($_GET['delete'])) {
     $id = intval($_GET['delete']);
-    $conn->query("DELETE FROM subjects WHERE id=$id");
-    header("Location: subjects.php"); exit;
+    $stmt = $conn->prepare("DELETE FROM subjects WHERE id=?");
+    $stmt->bind_param("i", $id);
+    $stmt->execute();
+    $stmt->close();
+    header("Location: subjects.php"); 
+    exit;
 }
 ?>
 <!DOCTYPE html>
@@ -41,50 +68,50 @@ if (isset($_GET['delete'])) {
   <h1>Gestisci Materie</h1>
   <a href="index.php" class="back-link">⬅ Torna al Dashboard</a>
 
+  <?php
+  // Mostra form di modifica solo se richiesto
+  if(isset($_GET['edit'])){
+      $id = intval($_GET['edit']);
+      $stmt = $conn->prepare("SELECT * FROM subjects WHERE id=?");
+      $stmt->bind_param("i", $id);
+      $stmt->execute();
+      $res = $stmt->get_result();
+      
+      if($res->num_rows > 0){
+          $subject = $res->fetch_assoc();
+          ?>
+          <h3>Modifica materia</h3>
+          <form method="post" action="subjects.php">
+              <input type="hidden" name="id" value="<?php echo $subject['id']; ?>">
+              
+              <label>Materia:</label>
+              <input type="text" name="name" value="<?php echo htmlspecialchars($subject['name']); ?>" required><br>
+              
+              <label>Docente:</label>
+              <input type="text" name="teacher" value="<?php echo htmlspecialchars($subject['teacher']); ?>" required><br>
+              
+              <label>Aula (opzionale):</label>
+              <input type="text" name="room" value="<?php echo htmlspecialchars($subject['room']); ?>"><br>
+              
+              <button type="submit" name="update">Salva modifiche</button>
+              <a href="subjects.php" style="margin-left: 10px;">Annulla</a>
+          </form>
+          <hr>
+          <?php
+      }
+      $stmt->close();
+  }
+  ?>
+
+  <h2>Aggiungi Nuova Materia</h2>
   <form method="POST">
     <input type="text" name="name" placeholder="Materia" required>
     <input type="text" name="teacher" placeholder="Docente" required>
     <input type="text" name="room" placeholder="Laboratorio (opzionale)">
     <button type="submit">Aggiungi</button>
   </form>
-  <?php
-// 1. Aggiornamento dati
-if(isset($_POST['update'])){
-    $id = intval($_POST['id']);
-    $name = $conn->real_escape_string($_POST['name']);
-    $teacher = $conn->real_escape_string($_POST['teacher']);
-    $room = $conn->real_escape_string($_POST['room']);
 
-    $conn->query("UPDATE subjects 
-                  SET name='$name', teacher='$teacher', room='$room' 
-                  WHERE id=$id");
-}
-// 2. Mostrare il form se edit richiesto
-if(isset($_GET['edit'])){
-    $id = intval($_GET['edit']);
-    $res = $conn->query("SELECT * FROM subjects WHERE id=$id");
-    if($res->num_rows > 0){
-        $subject = $res->fetch_assoc();
-        ?>
-        <h3>Modifica materia</h3>
-        <form method="post" action="subjects.php">
-            <input type="hidden" name="id" value="<?php echo $subject['id']; ?>">
-            
-            <label>Materia:</label>
-            <input type="text" name="name" value="<?php echo htmlspecialchars($subject['name']); ?>"><br>
-            
-            <label>Docente:</label>
-            <input type="text" name="teacher" value="<?php echo htmlspecialchars($subject['teacher']); ?>"><br>
-            
-            <label>Aula:</label>
-            <input type="text" name="room" value="<?php echo htmlspecialchars($subject['room']); ?>"><br>
-            
-            <button type="submit" name="update">Salva modifiche</button>
-        </form>
-        <?php
-    }
-}
-?>
+  <h2>Elenco Materie</h2>
   <table>
     <tr>
       <th>ID</th>
@@ -98,12 +125,12 @@ if(isset($_GET['edit'])){
     while($row=$res->fetch_assoc()){
       echo "<tr>
               <td>{$row['id']}</td>
-              <td>{$row['name']}</td>
-              <td>{$row['teacher']}</td>
-              <td>{$row['room']}</td>
+              <td>" . htmlspecialchars($row['name']) . "</td>
+              <td>" . htmlspecialchars($row['teacher']) . "</td>
+              <td>" . htmlspecialchars($row['room']) . "</td>
               <td>
                 <a href='subjects.php?edit={$row['id']}' class='edit-link'>Modifica</a> | 
-                <a href='subjects.php?delete={$row['id']}' class='delete-link'>Elimina</a>
+                <a href='subjects.php?delete={$row['id']}' class='delete-link' onclick='return confirm(\"Sei sicuro di voler eliminare questa materia?\")'>Elimina</a>
               </td>
             </tr>";
     }
diff --git a/htdocs/docenti.php b/htdocs/docenti.php
index a6d4cd3..55c62df 100644
--- a/htdocs/docenti.php
+++ b/htdocs/docenti.php
@@ -1,6 +1,5 @@
 <?php
 include("lib/db.php");
-$teacher = $_GET['teacher'];
 $days = ["Lunedì","Martedì","Mercoledì","Giovedì","Venerdì","Sabato"];
 $hours = [
   1 => "Prima ora<br>7:50 - 8:50",
@@ -10,16 +9,19 @@ $hours = [
   5 => "Quinta ora<br>11:55 - 12:50",
   6 => "Sesta ora<br>12:50 - 13:50"
 ];
-if ($teacher == "No Lezione" || $teacher == "sconosciuto") {
-	  header("Location: index.php");
-    exit;
-}
-else if (!isset($_GET['teacher'])) {
+
+if (!isset($_GET['teacher'])) {
     header("Location: index.php");
     exit;
 }
 
 $teacher = $conn->real_escape_string($_GET['teacher']);
+
+if ($teacher == "No Lezione" || $teacher == "sconosciuto") {
+    header("Location: index.php");
+    exit;
+}
+
 $res = $conn->query("SELECT DISTINCT teacher FROM subjects WHERE teacher = '$teacher' LIMIT 1");
 
 if ($res->num_rows === 0) {
@@ -42,8 +44,11 @@ if ($res->num_rows === 0) {
       <a href="index.php">Home</a>
     </div>
   </div>
+  
   <h1>Orario docente <?php echo htmlspecialchars($teacher); ?></h1>
-  <table>
+  
+  <!-- Visualizzazione Desktop -->
+  <table class="desktop-schedule">
     <tr>
       <th></th>
       <?php foreach($days as $d) echo "<th>$d</th>"; ?>
@@ -59,10 +64,12 @@ if ($res->num_rows === 0) {
                            WHERE subjects.teacher='$teacher' AND timetable.day='$d' AND timetable.hour=$hnum");
         if($row = $q->fetch_assoc()){
           echo "<td data-label='$d'>
-                  <div class='subject'>{$row['name']}</div>
-                  <div class='teacher'>{$row['class_name']}</div>
-                  <div class='room'>{$row['room']}</div>
-                </td>";
+                  <div class='subject'>" . htmlspecialchars($row['name']) . "</div>
+                  <div class='teacher'>" . htmlspecialchars($row['class_name']) . "</div>";
+          if(!empty($row['room'])) {
+            echo "<div class='room'>" . htmlspecialchars($row['room']) . "</div>";
+          }
+          echo "</td>";
         } else {
           echo "<td data-label='$d'></td>";
         }
@@ -71,6 +78,41 @@ if ($res->num_rows === 0) {
     }
     ?>
   </table>
+
+  <!-- FIX: Visualizzazione Mobile aggiunta -->
+  <div class="mobile-schedule">
+  <?php foreach($days as $d): ?>
+    <div class="day">
+      <h2><?= htmlspecialchars($d) ?></h2>
+      <?php
+      foreach($hours as $hnum => $hlabel):
+        $q = $conn->query("SELECT subjects.name, classes.name AS class_name, subjects.room
+                           FROM timetable 
+                           LEFT JOIN subjects ON timetable.subject_id = subjects.id
+                           LEFT JOIN classes ON timetable.class_id = classes.id
+                           WHERE subjects.teacher='$teacher' AND timetable.day='$d' AND timetable.hour=$hnum");
+        
+        if($row = $q->fetch_assoc()):
+      ?>
+          <div class="lesson">
+            <div class="hour"><?= strip_tags($hlabel) ?></div>
+            <div class="subject"><?= htmlspecialchars($row['name']) ?></div>
+            <div class="teacher"><?= htmlspecialchars($row['class_name']) ?></div>
+            <?php if(!empty($row['room'])): ?>
+              <div class="room"><?= htmlspecialchars($row['room']) ?></div>
+            <?php endif; ?>
+          </div>
+      <?php else: ?>
+          <div class="lesson empty">
+            <div class="hour"><?= strip_tags($hlabel) ?></div>
+            <div class="subject">—</div>
+          </div>
+      <?php endif; ?>
+      <?php endforeach; ?>
+    </div>
+  <?php endforeach; ?>
+  </div>
+
 <p style="text-align: center;">Copyright (C) 2025 EmmeV. - Released under <a href="https://git.vichingo455.freeddns.org/emmev-code/orario/src/branch/stable/LICENSE.txt" target="_blank">GNU AGPL 3.0 License</a>.</p>
 </body>
 </html>
diff --git a/htdocs/laboratori.php b/htdocs/laboratori.php
index f7f3232..9596617 100644
--- a/htdocs/laboratori.php
+++ b/htdocs/laboratori.php
@@ -1,6 +1,5 @@
 <?php
 include("lib/db.php");
-$room = $_GET['room']; // aula selezionata
 $days = ["Lunedì","Martedì","Mercoledì","Giovedì","Venerdì","Sabato"];
 $hours = [
   1 => "Prima ora<br>7:50 - 8:50",
@@ -10,6 +9,7 @@ $hours = [
   5 => "Quinta ora<br>11:55 - 12:50",
   6 => "Sesta ora<br>12:50 - 13:50"
 ];
+
 if (!isset($_GET['room'])) {
     header("Location: index.php");
     exit;
@@ -19,7 +19,6 @@ $room = $conn->real_escape_string($_GET['room']);
 $res = $conn->query("SELECT DISTINCT room FROM subjects WHERE room = '$room' LIMIT 1");
 
 if ($res->num_rows === 0) {
-    // Aula non trovata
     header("Location: index.php");
     exit;
 }
@@ -42,7 +41,8 @@ if ($res->num_rows === 0) {
 
   <h1>Orario <?php echo htmlspecialchars($room); ?></h1>
 
-  <table>
+  <!-- Visualizzazione Desktop -->
+  <table class="desktop-schedule">
     <tr>
       <th></th>
       <?php foreach($days as $d) echo "<th>$d</th>"; ?>
@@ -66,15 +66,13 @@ if ($res->num_rows === 0) {
           $entries = [];
 
           while($row = $q->fetch_assoc()){
-            // salvo materia (prendo la prima, di solito è la stessa per tutti)
             if($subject === null) {
               $subject = $row['subject_name'];
             }
-            // accumulo classi + docente
             $entries[] = $row['class_name'] . " (" . $row['teacher'] . ")";
           }
 
-          // unisci le classi con " e " se sono 2, altrimenti virgole + "e" finale
+          // FIX: Gestione corretta di multiple classi
           if(count($entries) > 1){
             $last = array_pop($entries);
             $entries_list = implode(", ", $entries) . " e " . $last;
@@ -83,8 +81,8 @@ if ($res->num_rows === 0) {
           }
 
           echo "<td data-label='$d'>
-                  <div class='subject'>$subject</div>
-                  <div class='room'>$entries_list</div>
+                  <div class='subject'>" . htmlspecialchars($subject) . "</div>
+                  <div class='room'>" . htmlspecialchars($entries_list) . "</div>
                 </td>";
         } else {
           echo "<td data-label='$d'></td>";
@@ -94,6 +92,57 @@ if ($res->num_rows === 0) {
     }
     ?>
   </table>
-  <p style="text-align: center;">Copyright (C) 2025 EmmeV. All rights reserved.</p>
+
+  <!-- FIX: Visualizzazione Mobile aggiunta -->
+  <div class="mobile-schedule">
+  <?php foreach($days as $d): ?>
+    <div class="day">
+      <h2><?= htmlspecialchars($d) ?></h2>
+      <?php
+      foreach($hours as $hnum => $hlabel):
+        $q = $conn->query("
+          SELECT subjects.name AS subject_name, subjects.teacher, classes.name AS class_name
+          FROM timetable
+          LEFT JOIN subjects ON timetable.subject_id = subjects.id
+          LEFT JOIN classes ON timetable.class_id = classes.id
+          WHERE subjects.room='". $conn->real_escape_string($room) ."' 
+            AND timetable.day='$d' AND timetable.hour=$hnum
+        ");
+
+        if($q->num_rows > 0):
+          $subject = null;
+          $entries = [];
+
+          while($row = $q->fetch_assoc()){
+            if($subject === null) {
+              $subject = $row['subject_name'];
+            }
+            $entries[] = $row['class_name'] . " (" . $row['teacher'] . ")";
+          }
+
+          if(count($entries) > 1){
+            $last = array_pop($entries);
+            $entries_list = implode(", ", $entries) . " e " . $last;
+          } else {
+            $entries_list = $entries[0];
+          }
+      ?>
+          <div class="lesson">
+            <div class="hour"><?= strip_tags($hlabel) ?></div>
+            <div class="subject"><?= htmlspecialchars($subject) ?></div>
+            <div class="room"><?= htmlspecialchars($entries_list) ?></div>
+          </div>
+      <?php else: ?>
+          <div class="lesson empty">
+            <div class="hour"><?= strip_tags($hlabel) ?></div>
+            <div class="subject">—</div>
+          </div>
+      <?php endif; ?>
+      <?php endforeach; ?>
+    </div>
+  <?php endforeach; ?>
+  </div>
+
+  <p style="text-align: center;">Copyright (C) 2025 EmmeV. - Released under <a href="https://git.vichingo455.freeddns.org/emmev-code/orario/src/branch/stable/LICENSE.txt" target="_blank">GNU AGPL 3.0 License</a>.</p>
 </body>
 </html>
diff --git a/htdocs/studenti.php b/htdocs/studenti.php
index 4f46db7..6ed50cf 100644
--- a/htdocs/studenti.php
+++ b/htdocs/studenti.php
@@ -1,5 +1,5 @@
 <?php
-#include("lib/db.php");
+include("lib/db.php");  // FIX: Decommentato
 $class_id = intval($_GET['class_id']);
 $class = $conn->query("SELECT * FROM classes WHERE id=$class_id")->fetch_assoc();
 $days = ["Lunedì","Martedì","Mercoledì","Giovedì","Venerdì","Sabato"];
@@ -11,16 +11,17 @@ $hours = [
   5 => "Quinta ora<br>11:55 - 12:50",
   6 => "Sesta ora<br>12:50 - 13:50"
 ];
+
+// FIX: Validazione classe prima di tutto
 if (!isset($_GET['class_id'])) {
     header("Location: index.php");
     exit;
 }
 
-$class_id = intval($_GET['class_id']); // sicurezza
+$class_id = intval($_GET['class_id']);
 $res = $conn->query("SELECT id FROM classes WHERE id = $class_id LIMIT 1");
 
 if ($res->num_rows === 0) {
-    // Classe non trovata
     header("Location: index.php");
     exit;
 }
@@ -28,7 +29,7 @@ if ($res->num_rows === 0) {
 <!DOCTYPE html>
 <html>
 <head>
-  <title>Orario <?php echo $class['name']; ?></title>
+  <title>Orario <?php echo htmlspecialchars($class['name']); ?></title>
   <meta name="viewport" content="width=device-width, initial-scale=1.0">
   <link rel="stylesheet" href="css/timetable.css">
   <link rel="stylesheet" href="css/navbar.css">
@@ -40,8 +41,10 @@ if ($res->num_rows === 0) {
       <a href="index.php">Home</a>
     </div>
   </div>
-  <h1>Orario della classe <?php echo $class['name']; ?></h1>
-  <table>
+  <h1>Orario della classe <?php echo htmlspecialchars($class['name']); ?></h1>
+  
+  <!-- Visualizzazione Desktop -->
+  <table class="desktop-schedule">
     <tr>
       <th></th>
       <?php foreach($days as $d) echo "<th>$d</th>"; ?>
@@ -56,31 +59,34 @@ if ($res->num_rows === 0) {
                            WHERE class_id=$class_id AND day='$d' AND hour=$hnum");
 
         if($q->num_rows > 0){
-          $row = $q->fetch_assoc();
-          $subject = $row['name'];
-          $room = $row['room'];
+          // FIX: Gestione corretta di multipli docenti/materie
+          $entries = [];
+          $subject = null;
+          $room = null;
           
-          // metto il primo docente
-          $teachers = [$row['teacher']];
-          
-          // aggiungo eventuali altri docenti
           while($row = $q->fetch_assoc()){
-            $teachers[] = $row['teacher'];
+            if($subject === null) {
+              $subject = $row['name'];
+              $room = $row['room'];
+            }
+            $entries[] = $row['teacher'];
           }
 
-          // se più docenti -> unisci con virgola e "e" finale
-          if(count($teachers) > 1){
-            $last = array_pop($teachers);
-            $teachers_list = implode(", ", $teachers) . " e " . $last;
+          // Unisci i docenti correttamente
+          if(count($entries) > 1){
+            $last = array_pop($entries);
+            $teachers_list = implode(", ", $entries) . " e " . $last;
           } else {
-            $teachers_list = $teachers[0];
+            $teachers_list = $entries[0];
           }
 
           echo "<td data-label='$d'>
-                  <div class='subject'>$subject</div>
-                  <div class='teacher'>$teachers_list</div>
-                  <div class='room'>$room</div>
-                </td>";
+                  <div class='subject'>" . htmlspecialchars($subject) . "</div>
+                  <div class='teacher'>" . htmlspecialchars($teachers_list) . "</div>";
+          if(!empty($room)) {
+            echo "<div class='room'>" . htmlspecialchars($room) . "</div>";
+          }
+          echo "</td>";
         } else {
           echo "<td data-label='$d'></td>";
         }
@@ -89,10 +95,12 @@ if ($res->num_rows === 0) {
     }
     ?>
   </table>
+
+  <!-- Visualizzazione Mobile -->
   <div class="mobile-schedule">
   <?php foreach($days as $d): ?>
     <div class="day">
-      <h2><?= $d ?></h2>
+      <h2><?= htmlspecialchars($d) ?></h2>
       <?php
       foreach($hours as $hnum => $hlabel):
         $q = $conn->query("SELECT subjects.name, subjects.teacher, subjects.room 
@@ -101,31 +109,35 @@ if ($res->num_rows === 0) {
                            WHERE class_id=$class_id AND day='$d' AND hour=$hnum");
 
         if($q->num_rows > 0):
-          $row = $q->fetch_assoc();
-          $subject = $row['name'];
-          $room = $row['room'];
-
-          $teachers = [$row['teacher']];
+          // FIX: Stessa logica corretta anche per mobile
+          $entries = [];
+          $subject = null;
+          $room = null;
+          
           while($row = $q->fetch_assoc()){
-            $teachers[] = $row['teacher'];
+            if($subject === null) {
+              $subject = $row['name'];
+              $room = $row['room'];
+            }
+            $entries[] = $row['teacher'];
           }
 
-          if(count($teachers) > 1){
-            $last = array_pop($teachers);
-            $teachers_list = implode(", ", $teachers) . " e " . $last;
+          if(count($entries) > 1){
+            $last = array_pop($entries);
+            $teachers_list = implode(", ", $entries) . " e " . $last;
           } else {
-            $teachers_list = $teachers[0];
+            $teachers_list = $entries[0];
           }
       ?>
           <div class="lesson">
-            <div class="hour"><?= $hlabel ?></div>
-            <div class="subject"><?= $subject ?></div>
-            <div class="teacher"><?= $teachers_list ?></div>
-            <?php if($room): ?><div class="room"><?= $room ?></div><?php endif; ?>
+            <div class="hour"><?= strip_tags($hlabel) ?></div>
+            <div class="subject"><?= htmlspecialchars($subject) ?></div>
+            <div class="teacher"><?= htmlspecialchars($teachers_list) ?></div>
+            <?php if(!empty($room)): ?><div class="room"><?= htmlspecialchars($room) ?></div><?php endif; ?>
           </div>
       <?php else: ?>
           <div class="lesson empty">
-            <div class="hour"><?= $hlabel ?></div>
+            <div class="hour"><?= strip_tags($hlabel) ?></div>
             <div class="subject">—</div>
           </div>
       <?php endif; ?>
@@ -133,6 +145,7 @@ if ($res->num_rows === 0) {
     </div>
   <?php endforeach; ?>
   </div>
+
 <p style="text-align: center;">Copyright (C) 2025 EmmeV. - Released under <a href="https://git.vichingo455.freeddns.org/emmev-code/orario/src/branch/stable/LICENSE.txt" target="_blank">GNU AGPL 3.0 License</a>.</p>
 </body>
 </html>