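<?php
// api/students.php
//
// JSON endpoint for the students table.
//   GET    ?id=N                              one student (404 when no such row)
//   GET                                       every student with its department name
//   POST   JSON body                          create a student, responds with the new id
//   PUT    ?id=N (or id in body), form-encoded or JSON body   replace every column of a student
//   DELETE ?id=N                              remove a student
// Writes (POST/PUT/DELETE) require an authenticated user whose role is 'admin'
// or 'staff'. $pdo, require_auth() and get_user() come from ../functions.php;
// they are assumed to be in scope after the require below.
declare(strict_types=1);

require_once __DIR__ . '/../functions.php';

header('Content-Type: application/json');

// Send a JSON body with the given status code and stop the script. Every exit
// path goes through here so the response shape (and the exit) stay uniform.
$respond = static function (int $status, array $payload): void {
    http_response_code($status);
    echo json_encode($payload);
    exit;
};

// Map the columns shared by POST and PUT onto PDO bind parameters.
// student_number, first_name and last_name must be present and non-blank;
// department_id is normalised to null when empty (an empty select option must
// not become a dangling foreign key). Returns null when a required field is
// missing so the caller can answer 400 instead of handing nulls to the DB.
$studentParams = static function (array $in): ?array {
    foreach (['student_number', 'first_name', 'last_name'] as $required) {
        if (!isset($in[$required]) || !is_scalar($in[$required]) || trim((string) $in[$required]) === '') {
            return null;
        }
    }
    return [
        'student_number' => $in['student_number'],
        'first_name' => $in['first_name'],
        'last_name' => $in['last_name'],
        'department_id' => !empty($in['department_id']) ? $in['department_id'] : null,
        'email' => $in['email'] ?? null,
        'phone' => $in['phone'] ?? null,
        'admission_date' => $in['admission_date'] ?? null,
    ];
};

$method = $_SERVER['REQUEST_METHOD'] ?? 'GET';

// Auth guard for unsafe methods (reads are public; adjust role checks as needed).
if (in_array($method, ['POST', 'PUT', 'DELETE'], true)) {
    require_auth();
    $user = get_user();
    if (!in_array($user['role'] ?? null, ['admin', 'staff'], true)) {
        $respond(403, ['error' => 'Forbidden']);
    }
}

try {
    if ($method === 'GET') {
        if (!empty($_GET['id'])) {
            $stmt = $pdo->prepare('SELECT * FROM students WHERE id = :id');
            $stmt->execute(['id' => $_GET['id']]);
            $row = $stmt->fetch();
            // fetch() returns false for an unknown id; report that as 404
            // rather than a 200 with {"student": false}.
            if ($row === false) {
                $respond(404, ['error' => 'Student not found']);
            }
            $respond(200, ['student' => $row]);
        }
        // Full list, newest first. There is no pagination yet: every row is returned.
        $stmt = $pdo->query('SELECT s.*, d.name as department_name FROM students s LEFT JOIN departments d ON s.department_id = d.id ORDER BY s.created_at DESC');
        $respond(200, ['students' => $stmt->fetchAll()]);
    }

    if ($method === 'POST') {
        // POST bodies are always JSON. JSON_THROW_ON_ERROR turns a malformed
        // body into a JsonException (answered 400 below) instead of a null
        // $data that would raise warnings on every field access.
        $data = json_decode((string) file_get_contents('php://input'), true, 512, JSON_THROW_ON_ERROR);
        $params = is_array($data) ? $studentParams($data) : null;
        if ($params === null) {
            $respond(400, ['error' => 'student_number, first_name and last_name are required']);
        }
        $params['status'] = $data['status'] ?? 'active';
        $sql = "INSERT INTO students (student_number, first_name, last_name, department_id, email, phone, admission_date, status)
VALUES (:student_number,:first_name,:last_name,:department_id,:email,:phone,:admission_date,:status)";
        $stmt = $pdo->prepare($sql);
        $stmt->execute($params);
        $respond(200, ['success' => true, 'id' => $pdo->lastInsertId()]);
    }

    if ($method === 'PUT') {
        // PUT bodies are form-encoded by default (the existing contract); a
        // JSON body is accepted as well when the Content-Type says so.
        $raw = (string) file_get_contents('php://input');
        $contentType = $_SERVER['CONTENT_TYPE'] ?? $_SERVER['HTTP_CONTENT_TYPE'] ?? '';
        if (stripos($contentType, 'application/json') !== false) {
            $decoded = json_decode($raw, true, 512, JSON_THROW_ON_ERROR);
            $put = is_array($decoded) ? $decoded : [];
        } else {
            parse_str($raw, $put);
        }
        $id = $_GET['id'] ?? $put['id'] ?? null;
        if (!$id) {
            $respond(400, ['error' => 'Missing id']);
        }
        $params = $studentParams($put);
        if ($params === null) {
            $respond(400, ['error' => 'student_number, first_name and last_name are required']);
        }
        // PUT replaces the whole row, so an omitted status is written as null
        // (unchanged from the previous behaviour) rather than defaulted.
        $params['status'] = $put['status'] ?? null;
        $params['id'] = $id;
        $sql = "UPDATE students SET student_number=:student_number, first_name=:first_name, last_name=:last_name, department_id=:department_id, email=:email, phone=:phone, admission_date=:admission_date, status=:status WHERE id=:id";
        $stmt = $pdo->prepare($sql);
        $stmt->execute($params);
        $respond(200, ['success' => true]);
    }

    if ($method === 'DELETE') {
        $id = $_GET['id'] ?? null;
        if (!$id) {
            $respond(400, ['error' => 'Missing id']);
        }
        $stmt = $pdo->prepare('DELETE FROM students WHERE id = :id');
        $stmt->execute(['id' => $id]);
        $respond(200, ['success' => true]);
    }

    // Any other method used to fall through with an empty 200 body; say so instead.
    header('Allow: GET, POST, PUT, DELETE');
    $respond(405, ['error' => 'Method not allowed']);
} catch (JsonException $e) {
    $respond(400, ['error' => 'Invalid JSON body']);
} catch (Exception $e) {
    // Driver messages can carry SQL fragments, column names or DSN details;
    // keep them in the server log and give the client a generic message.
    error_log(sprintf('api/students.php %s: %s', $method, $e->getMessage()));
    $respond(500, ['error' => 'Internal server error']);
}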