<?php
// Grab security functions
require_once("/private/initialize.php");
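// Error placeholders
$firstNameError = $lastNameError = $usernameError = "";
$genderError = $birthdayError = $requiredFields = $doctor_idError = "";
// Placeholders for variables from form
$doctor_id = $username = $first_name = $last_name = $gender = $birthday = "";
// Return string: the HTML fragment echoed back to the caller
$result = "";
// Only process POST requests, not GET
if ($_SERVER["REQUEST_METHOD"] === "POST") {
    // Check the required fields. A non-string value (e.g. doctor_id[]=x) is
    // treated as missing so trim()/htmlspecialchars() never receive an array.
    if (empty($_POST["doctor_id"]) || !is_string($_POST["doctor_id"])) {
        $doctor_idError = "*";
    } else {
        $doctor_id = test_input($_POST["doctor_id"]);
    }
}
// As long as all variables were initialized, the data is good to go.
// NOTE(review): doctor_id comes straight from the request body; nothing in
// this file ties it to the logged-in user. Confirm that initialize.php (or the
// caller) enforces that a doctor can only request their own patient list.
if ($doctor_id !== "") {
    // Create connection
    $conn = new mysqli(DB_SERVER, DB_USER, DB_PASS, DB_NAME);
    // Check connection. The driver's error text goes to the server log only;
    // the client gets a generic message so database details are not disclosed.
    if ($conn->connect_error) {
        error_log("Connection failed: " . $conn->connect_error);
        die("Connection failed");
    }
    // Retrieves all relevant patient information for patients under this doctor's care.
    // doctor_id is bound as a parameter instead of being interpolated into the
    // SQL string: test_input() only HTML-encodes, which does not make a value
    // safe inside a SQL literal.
    $sql = "SELECT patient_id, first_name, last_name, birthday, gender FROM patient WHERE doctor_id = ?";
    $stmt = $conn->prepare($sql);
    $queryResult = false;
    if ($stmt !== false) {
        $stmt->bind_param("s", $doctor_id);
        if ($stmt->execute()) {
            $queryResult = $stmt->get_result();
        }
    }
    if ($queryResult !== false && $queryResult->num_rows > 0) {
        $result = "<h3 class='text-center'>Patient List</h3>";
        $result .= "<table class='table table-striped table-hover'>";
        $result .= "<thead>\n<tr>\n<th>PID #</th>\n<th>Patient Name</th>\n<th>Gender</th>\n<th>Birthday</th>\n</tr>\n</thead>\n<tbody>";
        while ($row = $queryResult->fetch_assoc()) {
            // patient_id is emitted as a bare JS number literal in the onclick
            // handler, so only an integer is safe there (assumes patient_id is
            // an integer column — anything else would already break the
            // handler). The text cells are HTML-escaped on output because
            // stored values are not trusted: a name containing markup would
            // otherwise be rendered as-is.
            $patient_id = (int) $row["patient_id"];
            $patient_first_name = htmlspecialchars((string) $row["first_name"], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
            $patient_last_name = htmlspecialchars((string) $row["last_name"], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
            $patient_gender = htmlspecialchars((string) $row["gender"], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
            $patient_birthday = htmlspecialchars((string) $row["birthday"], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
            $result .= "<tr id='patient-$patient_id' onclick='viewPatientProfile($patient_id)'>\n<td>" . $patient_id . "</td>\n<td>" . $patient_first_name . " " . $patient_last_name . "</td>\n<td>" . $patient_gender . "</td>\n<td>" . $patient_birthday . "</td>\n</tr>";
        }
        $result .= "</tbody>";
        $result .= "</table>";
    } else {
        // No rows (or a failed query) is reported to the caller as "ERROR"
        $result = "ERROR";
    }
    // Peace out: release the statement and connection on every path,
    // including the no-rows case
    if ($stmt !== false) {
        $stmt->close();
    }
    $conn->close();
    echo $result;
}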
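/**
 * Normalises a single form field before it is used elsewhere in the script.
 *
 * Trims whitespace, strips backslashes and HTML-encodes the value, quotes
 * included (so a single quote cannot close an HTML attribute either).
 * HTML-encoding protects HTML output only: it does not make the value safe
 * inside a SQL literal or a shell command, so callers that use the value in
 * those contexts must still use prepared statements or context escaping.
 *
 * @param string $data raw form value
 * @return string trimmed, unslashed, HTML-encoded value
 */
function test_input($data): string {
    $data = trim($data);
    $data = stripslashes($data);
    // Flags are passed explicitly: on PHP < 8.1 the default leaves single
    // quotes unencoded, and an invalid UTF-8 sequence would otherwise turn
    // the whole result into an empty string.
    return htmlspecialchars($data, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}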
?>