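linkDB();
        $erg = array();
        // Whitelist of allowed sort columns -- the only thing keeping the
        // interpolated ORDER BY below safe, since identifiers cannot be bound.
        $allowedSortColumns = ['id', 'title', 'owner_username', 'updated_at'];
        $allowedSortOrders = ['ASC', 'DESC'];
        $sortBy = in_array($sortBy, $allowedSortColumns) ? $sortBy : 'updated_at';
        $sortOrder = in_array(strtoupper($sortOrder), $allowedSortOrders) ? strtoupper($sortOrder) : 'DESC';
        try {
            if ($isAdmin) {
                $sql = "SELECT n.*, u.username AS owner_username FROM notes n JOIN users u ON n.user_id = u.id ORDER BY {$sortBy} {$sortOrder}";
                $stmt = $pdo->prepare($sql);
                $stmt->execute();
            } else {
                $sql = "SELECT id, title, content, created_at, updated_at FROM notes WHERE user_id = :userid ORDER BY {$sortBy} {$sortOrder}";
                $stmt = $pdo->prepare($sql);
                $stmt->execute(['userid' => $userid]);
            }
            $erg = $stmt->fetchAll(\PDO::FETCH_ASSOC);
            return $erg;
        } catch (PDOException $e) {
            error_log("Database Error in selectNotesForUser: " . $e->getMessage());
            return false;
        }
    }

    /**
     * Fetch a single note by id, scoped by the caller's session role.
     *
     * Admins (`$_SESSION['role'] === 'admin'`) may read any note and also get
     * the owner's username as `owner_username`; everyone else only gets a row
     * when the note belongs to `$_SESSION['user_id']`. Authorisation is thus
     * enforced inside the WHERE clause, never by filtering after the fetch.
     *
     * NOTE(review): reading $_SESSION directly couples this DB method to the
     * web session; the sibling selectNotesForUser takes $isAdmin/$userid as
     * parameters instead -- confirm which convention the project wants.
     *
     * @param int|string $noteId  Note primary key, bound as a prepared-statement
     *                            parameter (never interpolated).
     * @return array|false|null   The row (fetch() default mode, same as before),
     *                            false when no matching row, null when linkDB()
     *                            fails or the query throws.
     */
    function getNoteById($noteId)
    {
        $pdo = $this->linkDB();
        if (!$pdo) {
            return null;
        }

        // Read session state defensively: a missing key must not emit a warning,
        // and a missing role or user_id falls through to the restrictive branch
        // (user_id = NULL matches no row, so the lookup fails closed).
        $isAdmin = isset($_SESSION['role']) && $_SESSION['role'] === 'admin';
        $userId  = $_SESSION['user_id'] ?? null;

        try {
            if ($isAdmin) {
                // Admin can fetch any note, joined with the owner's username
                $stmt = $pdo->prepare("SELECT n.*, u.username as owner_username FROM notes n JOIN users u ON n.user_id = u.id WHERE n.id = ?");
                $stmt->execute([$noteId]);
            } else {
                // Regular user can only fetch their own notes
                $stmt = $pdo->prepare("SELECT * FROM notes WHERE id = ? AND user_id = ?");
                $stmt->execute([$noteId, $userId]);
            }
            // Kept as bare fetch() so the row shape callers see is unchanged;
            // selectNotesForUser uses FETCH_ASSOC explicitly -- consider aligning.
            return $stmt->fetch();
        } catch (\PDOException $e) {
            // Fully qualified: an unqualified PDOException would be resolved in
            // the current namespace (if any) and silently not catch.
            error_log("Get Note Error: " . $e->getMessage());
            return null;
        }
    }
}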