87        $userCols = ['name', 'email', 'phone', 'address', 'aadhaar_masked', 'pan', 'role', 'is_locked'];

45        $allowed = ['name', 'email', 'phone', 'address'];

161        $dest = $webDir . '/' . $name;
162        @move_uploaded_file($tmp, $dest);
163        $note = $level === 0 ? ' (no checks — .php webshell accepted)' : '';
164        return ['ok' => true, 'message' => 'Uploaded ' . $name . $note, 'path' => 'uploads/' . $name];

96        $ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
97        if (!in_array($ext, ['jpg', 'jpeg', 'png', 'pdf'], true)) {
98            return ['ok' => false, 'message' => 'Extension not allowed.', 'path' => null];
99        }
100        $mime = function_exists('mime_content_type') ? (string) mime_content_type($tmp) : '';
101        if (!in_array($mime, ['image/jpeg', 'image/png', 'application/pdf'], true)) {
102            return ['ok' => false, 'message' => 'File content does not match an allowed type.', 'path' => null];
103        }
104        $safeDir = '/var/loan_docs';            // outside /var/www/html
105        if (!is_dir($safeDir)) {
106            @mkdir($safeDir, 0700, true);
107        }
108        $dest = $safeDir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
109        @move_uploaded_file($tmp, $dest);