<?php
header('Content-Type: application/json');

if (!isset($baseDir)) {
	$baseDir = $_SERVER['DOCUMENT_ROOT'];
}

require_once $baseDir . '/../scripts/session_functions.php';

ini_wkvs_session();

check_user_permission('wk_leitung');

verify_csrf();

$type = 'wkl';

$data = include $baseDir . '/../scripts/db/db-verbindung-script.php';

if ($data['success'] === false){
	echo json_encode(['success' => false, 'message' => $data['message']]);
    http_response_code(500);
    exit; 
}

require $baseDir . '/../scripts/db/db-tables.php';

if (!isset($_POST['ids']) || !is_array($_POST['ids']) || count($_POST['ids']) < 1) {
    echo json_encode(['success' => false, 'message' => 'Keine Id angegeben']);
    http_response_code(422);
    exit; 
}

$ids = $_POST['ids'];

// Validate: all IDs must be integers
$ids = array_filter($ids, fn($id) => ctype_digit(strval($id)));

if (count($ids) === 0) {
    echo json_encode(['success' => false, 'message' => 'Kein gültiger Input']);
    http_response_code(422);
    exit;
}

// Build placeholders for prepared statement
$placeholders = implode(',', array_fill(0, count($ids), '?'));

// Prepare the SQL statement
$sql = "DELETE FROM $tableOrders WHERE order_id IN ($placeholders)";
$stmt = $mysqli->prepare($sql);

if (!$stmt) {
    echo json_encode(['success' => false, 'message' => 'Fehler beim Vorbereiten der Abfrage']);
    http_response_code(500);
    exit;
}

// Bind parameters dynamically
$types = str_repeat('i', count($ids)); // all integers
$stmt->bind_param($types, ...$ids);

// Execute
if (!$stmt->execute()) {
    echo json_encode(['success' => false, 'message' => 'Fehler beim Löschen']);
    http_response_code(500);
    exit;
}

$stmt->close();
$mysqli->close();

echo json_encode(['success' => true, 'message' => 'Bestellungen erfolgreich gelöscht']);
http_response_code(200);
exit;