// NOTE(review): excerpt of a message-sending handler. The `if` that opens the
// first branch is above the visible code, and the JSONP output at the end
// continues below it, so the braces here are intentionally unbalanced.
    // Mother -> scientist: the sender is the mother id held in the session.
    $sender_id = $_SESSION['mid'];
    // Look up the scientist (sid) paired with this mother; that sid becomes the recipient.
    // NOTE(review): $sender_id is interpolated into the SQL text without a cast or
    // binding, unlike the (int) cast used in the consultant branch below. Cast it to
    // int here as well, or move to a prepared statement.
    $sid_query = "SELECT sid FROM Mothers_Scientists where mid={$sender_id}";
    $result = mysql_query($sid_query);
    if (!$result) {
        // The failure is logged but execution continues.
        error_log(mysql_error());
    }
    // NOTE(review): this runs even when the lookup failed, and $row[0] is read without
    // checking that a row came back. In both cases $recipient_id ends up empty and the
    // INSERT below is built with a blank recipient. Stop with an error response instead.
    $row = mysql_fetch_row($result);
    $recipient_id = $row[0];
    $meta = INBOX_SENDER_MOTHER | INBOX_RECIPIENT_SCIENTIST | INBOX_MESSAGE_UNREAD;
} else {
    if (isset($_SESSION['sid'])) {
        // A consultant is sending a message to one of the mothers.
        $sender_id = $_SESSION['sid'];
        $recipient_id = (int) $_REQUEST['mailto']; // cast to an int to avoid sql exploits
        // Authorization gate: refuse unless can_access_mother() (defined outside this
        // excerpt) approves the requested recipient for the current session.
        if (!can_access_mother($recipient_id)) {
            header('Content-type: application/json');
            die('{ "error": "You are not authorized to send mail to this mother." }');
        }
        $meta = INBOX_SENDER_SCIENTIST | INBOX_RECIPIENT_MOTHER | INBOX_MESSAGE_UNREAD;
    }
    // NOTE(review): when this else branch is taken and the session has no 'sid',
    // nothing visible here assigns $sender_id, $recipient_id or $meta before the
    // INSERT below. Confirm earlier code rejects unauthenticated requests.
}
// Store the message. The text is escaped with mysql_real_escape_string(); the three
// numeric fields are interpolated as-is, so their safety rests on the handling above.
// NOTE(review): PHP has already URL-decoded $_REQUEST values, so urldecode() decodes
// a second time and changes messages that contain a literal '%xx' or '+'. Escaping
// happens after the decode, which is the right order for the SQL string.
// NOTE(review): this write reads from $_REQUEST, which also carries GET parameters,
// and no anti-CSRF check is visible in this excerpt. Restrict the action to POST and
// verify a per-session token before inserting.
// NOTE(review): the mysql_* extension was removed in PHP 7.0; PDO or mysqli prepared
// statements replace both the escaping and the interpolation.
$query = "INSERT INTO Inbox \n (`message`, `messageDate`, `senderId`, `recipientId`, `metadata`)\n VALUES\n ('" . mysql_real_escape_string(urldecode($_REQUEST['message'])) . "', NOW(), {$sender_id}, {$recipient_id}, {$meta});";
$result = mysql_query($query);
if (!$result) {
    // Logged only; no error response is produced in the visible code.
    error_log(mysql_error());
} else {
    header('Content-type: application/json');
    // Confirmation payload; "content" echoes the submitted message back to the caller.
    $response = array(
        "message" => "Your message was sent",
        "timestamp" => date("U"),
        "id" => mysql_insert_id(),
        "content" => urldecode($_REQUEST['message']),
        "sent" => true);
    // NOTE(review): $jsonp and $callback are set outside this excerpt. $callback is
    // written into the response verbatim, so confirm it is restricted to a plain
    // identifier pattern where it is read from the request. A JSONP body should also
    // be served as application/javascript rather than application/json.
    if ($jsonp) {
        echo "{$callback}(";
// NOTE(review): excerpt. It opens inside a switch that maps ACTION_* constants to
// labels passed through _(); the function header and the earlier cases are above the
// visible code. The export logic at the bottom continues past the end of the excerpt.
            return _("System Feedback");
        case ACTION_SYSTEM_PERCEPTION:
            return _("System Perception");
        case ACTION_BREASTFEEDING_FOLLOWUP:
            return _("Breastfeeding Followup");
        case ACTION_SELF_EFFICACY:
            return _("Self Efficacy");
        case ACTION_BREASTFEEDING_EVALUATION:
            return _("Breastfeeding Evaluation");
        case ACTION_POSTNATAL_DEPRESSION:
            return _("Postnatal Depression");
        default:
            // Unknown action: empty label.
            return "";
    }
}

// Authorization gate: the posted mother id is cast to int and checked with
// can_access_mother() (defined outside this excerpt); failure ends the request with 403.
if (!can_access_mother((int) $_POST['mid'])) {
    header("HTTP/1.0 403 Forbidden");
    die("<h1>Forbidden</h1>");
}
// Build the export query. The %s placeholder is filled in below with a sub-select
// that yields the mother ids to include.
// NOTE(review): the table name is derived from request input through surveyTable(),
// which is not visible here. Table names cannot be bound as parameters, so confirm
// surveyTable() returns only values from a fixed allow-list and never the raw input.
$survey = $_POST["survey"];
$query = "SELECT * FROM " . surveyTable($survey) . " WHERE mid in ( %s );";
if (isset($_POST['downloadAll'])) {
    // Bulk export: the row scope is decided by the session role, not by the single
    // 'mid' that passed the access check above.
    // NOTE(review): $_SESSION['admin'] is compared with ==; the constant values are
    // not visible here, so prefer === to rule out loose-comparison matches.
    if ($_SESSION['admin'] == SUPER_ADMIN) {
        // Super admin: every mother.
        $query = sprintf($query, "SELECT M.mid FROM Mothers M");
    } else {
        if ($_SESSION['admin'] == HOSPITAL_ADMIN) {
            // Hospital admin: mothers of the session's hospital.
            // NOTE(review): the session value is concatenated into SQL without a cast
            // or binding; cast to int or use a prepared statement.
            $query = sprintf($query, "SELECT M.mid FROM Mothers M where M.hospital_id = " . $_SESSION['hospital_id']);
        } else {
            // Anyone else: mothers linked to the session's sid through Mothers_Scientists.
            // NOTE(review): same unescaped concatenation of a session value as above.
            $query = sprintf($query, "SELECT M.mid FROM Mothers M,Mothers_Scientists MS where M.mid=MS.mid AND MS.sid=" . $_SESSION['sid']);
        }
    }
    // The excerpt ends here; the downloadAll block is still open in the original.