<?php
session_start();
require 'db.php';

$ip = $_SERVER['REMOTE_ADDR'];

/* Rate limit: 1 post / minute */
$stmt = $pdo->prepare("SELECT created_at FROM posts WHERE ip=? ORDER BY created_at DESC LIMIT 1");
$stmt->execute([$ip]);
$last = $stmt->fetch();

if ($last && strtotime($last['created_at']) > time() - 60) {
    die("Rate limit exceeded (1 post/minute)");
}

$imageName = null;

if (!empty($_FILES['image']['name'])) {
    if ($_FILES['image']['size'] > 2 * 1024 * 1024) {
        die("Image too large");
    }

    $ext = strtolower(pathinfo($_FILES['image']['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ['png', 'jpeg', 'jpg'])) {
        die("Invalid file type");
    }

    $imageName = uniqid() . '.' . $ext;
    move_uploaded_file($_FILES['image']['tmp_name'], "uploads/$imageName");
}

$stmt = $pdo->prepare("INSERT INTO posts (message, image, ip) VALUES (?, ?, ?)");
$stmt->execute([$_POST['message'], $imageName, $ip]);

header("Location: index.php");