| 1 | <?php
|
|---|
| 2 | require_once('./inc/common.php');
|
|---|
| 3 |
|
|---|
| 4 | /**
|
|---|
| 5 | * Only logged in reviewers can submit a review. If the user is not a reviewer, redirect to the list of businesses with an appropriate error message. Otherwise, continue with the checks.
|
|---|
| 6 | */
|
|---|
| 7 | if (! isset($_SESSION['is_reviewer'])) {
|
|---|
| 8 | header('Location: /businesses.php?err=permission_error');
|
|---|
| 9 | exit;
|
|---|
| 10 | }
|
|---|
| 11 |
|
|---|
| 12 | /**
|
|---|
| 13 | * Did the reviewer post a form?
|
|---|
| 14 | */
|
|---|
| 15 | if (($_SERVER['REQUEST_METHOD'] == 'POST')) {
|
|---|
| 16 | /**
|
|---|
| 17 | * Perform data validation: are all required fields posted and do they have values?
|
|---|
| 18 | */
|
|---|
| 19 | if (
|
|---|
| 20 | (isset($_POST['business'])) && (! empty($_POST['business'])) &&
|
|---|
| 21 | (isset($_POST['address'])) && (! empty($_POST['address'])) &&
|
|---|
| 22 | (isset($_POST['rating'])) && (! empty($_POST['rating'])) &&
|
|---|
| 23 | (isset($_POST['title'])) && (! empty($_POST['title'])) &&
|
|---|
| 24 | (isset($_POST['text'])) && (! empty($_POST['text']))
|
|---|
| 25 | ) {
|
|---|
| 26 | /**
|
|---|
| 27 | * For security reasons, treat all user input as malicious. Strip any tags before inserting that data into the database.
|
|---|
| 28 | */
|
|---|
| 29 | $business = strip_tags($_POST['business']);
|
|---|
| 30 | $address = strip_tags($_POST['address']);
|
|---|
| 31 | $rating = strip_tags($_POST['rating']);
|
|---|
| 32 | $title = strip_tags($_POST['title']);
|
|---|
| 33 | $text = strip_tags($_POST['text']);
|
|---|
| 34 |
|
|---|
| 35 | /**
|
|---|
| 36 | * Insert the values that the reviewer posted into the database.
|
|---|
| 37 | */
|
|---|
| 38 | $sql = '
|
|---|
| 39 | insert into review (
|
|---|
| 40 | review_title,
|
|---|
| 41 | review_text,
|
|---|
| 42 | review_stars,
|
|---|
| 43 | business_id,
|
|---|
| 44 | address_id,
|
|---|
| 45 | reviewer_id)
|
|---|
| 46 | values (
|
|---|
| 47 | :title,
|
|---|
| 48 | :text,
|
|---|
| 49 | :rating,
|
|---|
| 50 | :business,
|
|---|
| 51 | :address,
|
|---|
| 52 | :reviewer
|
|---|
| 53 | )';
|
|---|
| 54 | $stm = $conn->prepare($sql);
|
|---|
| 55 | $stm->execute([
|
|---|
| 56 | ':title' => $title,
|
|---|
| 57 | ':text' => $text,
|
|---|
| 58 | ':rating' => $rating,
|
|---|
| 59 | ':business' => $business,
|
|---|
| 60 | ':address' => $address,
|
|---|
| 61 | ':reviewer' => $_SESSION['reviewer_id'],
|
|---|
| 62 | ]);
|
|---|
| 63 |
|
|---|
| 64 | /**
|
|---|
| 65 | * All is well, so redirect back to the business with the message that the review was added.
|
|---|
| 66 | */
|
|---|
| 67 | header('Location: /business.php?id=' . $_POST['business'] . '&msg=review_added');
|
|---|
| 68 | exit;
|
|---|
| 69 | } else {
|
|---|
| 70 | /**
|
|---|
| 71 | * Redirect back to the business with the error message that some parameters were missing.
|
|---|
| 72 | */
|
|---|
| 73 | header('Location: /business.php?id=' . $_POST['business'] . '&err=missing_params#add-review');
|
|---|
| 74 | exit;
|
|---|
| 75 | }
|
|---|
| 76 | }
|
|---|
| 77 |
|
|---|
| 78 | /**
|
|---|
| 79 | * If the code execution reaches this point, then some parameters were incorrect or missing. Redirect to the list of businesses with an appropriate error message.
|
|---|
| 80 | */
|
|---|
| 81 | header('Location: /businesses.php?err=missing_params');
|
|---|
| 82 | exit;
|
|---|
