HealthMateWeb/createaccount2.php at master · StevenElberger/HealthMateWeb · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
<?php
    // Grab security functions
    require_once("/private/initialize.php");
    // Error placeholders
    $firstNameError = $lastNameError = $usernameError = "";
    $genderError = $birthdayError = $requiredFields = $doctor_idError = "";
    // Placeholders for variables from form
    $doctor_id = $username = $first_name = $last_name = $gender = $birthday = "";

    // Return string
    $result = "";

    // Only process POST requests, not GET
    if ($_SERVER["REQUEST_METHOD"] == "POST") {
        // Check the required fields
        if (empty($_POST["doctor_id"])) {
            $doctor_idError = "*";
        } else {
            $doctor_id = test_input($_POST["doctor_id"]);
        }

        if (empty($_POST["username"])) {
            $usernameError = "*";
        } else {
            $username = test_input($_POST["username"]);
        }

        if (empty($_POST["first_name"])) {
            $firstNameError = "*";
        } else {
            $first_name = test_input($_POST["first_name"]);
        }

        if (empty($_POST["last_name"])) {
            $lastNameError = "*";
        } else {
            $last_name = test_input($_POST["last_name"]);
        }

        if (empty($_POST["gender"])) {
            $genderError = "*";
        } else {
            $gender = test_input($_POST["gender"]);
        }

        if (empty($_POST["birthday"])) {
            $birthdayError = "*";
        } else {
            $birthday = test_input($_POST["birthday"]);
        }
    }

    // As long as all variables were initialized, the data is good to go
    if (($first_name !== "") && ($last_name !== "") && ($username !== "") && ($gender !== "")
    && ($birthday !== "")) {

        // Create connection
        $conn = new mysqli(DB_SERVER, DB_USER, DB_PASS, DB_NAME);

        // Check connection
        if ($conn->connect_error) {
            die("Connection failed: " . $conn->connect_error);
        }
        $password = "password321";
        // Adds a new user account with form data into the physician table of the database
        // -- To do: form checking (e.g., username already exists, security, etc.)
        $sql = "INSERT INTO patient (group_id, doctor_id, username, first_name, last_name, birthday, gender, password) VALUES (2, '".$doctor_id."', '".$username."', '".$first_name."', '".$last_name."', '".$birthday."', '".$gender."', '".$password."')";

        if (username_exists($username, $conn)) {
            $result = "Username already exists.";
        } else if ($conn->query($sql) === TRUE) {
            // successful patient add
//            $result = "Patient added successfully.";

            $sql_get_patient_id = "SELECT patient_id FROM patient WHERE username = '" . $username . "'";
            $get_patient_id = $conn->query($sql_get_patient_id);
            $patient_id = "";

            if ($get_patient_id->num_rows > 0) {
                while ($row = $get_patient_id->fetch_assoc()) {
                    $patient_id .= $row["patient_id"];
                }
            } else {
                $result = "ERROR";
                echo $result;
                return;
            }

            $result = "<h3 class='text-center'>Patient Added Successfully</h3>";
            $result .= "<table class='table table-striped table-hover'>";
            $result .= "<thead>
                    <tr>
                        <th>PID #</th>
                        <th>Patient Name</th>
                        <th>Gender</th>
                        <th>Birthday</th>
                    </tr>
                    </thead>
                    <tbody>";
            $result .= "<tr>
                        <td>".$patient_id."</td>
                        <td>".$first_name. " " . $last_name."</td>
                        <td>".$gender."</td>
                        <td>".$birthday."</td>
                    </tr>";
            $result .= "</tbody>";
            $result .= "</table>";
        } else {
            echo "Error: " . $sql . "<br />" . $conn->error;
        }

        // Peace out
        $conn->close();

        echo $result;
    }

    // Removes unwanted and potentially malicious characters
    // from the form data to prevent XSS hacks / exploits
    function test_input($data) {
        $data = trim($data);
        $data = stripslashes($data);
        $data = htmlspecialchars($data);
        return $data;
    }

    // Checks to see if given username already exists
    function username_exists($given_username, $existing_conn) {
        $sql = "SELECT username FROM patient WHERE username = '".$given_username."'";

        $result = $existing_conn->query($sql);

        return $result->num_rows > 0;
    }
?>