Conversation

Enockbii9 commented Apr 13, 2025

The database server name was supposed to be localhost, while the patient database queries were supposed to have the changes shown below.

Summary by CodeRabbit

  • Refactor
    • Updated database connectivity for improved reliability and standardized English error messaging.
    • Streamlined patient processes—including booking, account management, appointments, and scheduling—to provide a smoother, more consistent user experience.

coderabbitai bot commented Apr 13, 2025

Walkthrough

This pull request updates the way the application interacts with the database. In connection.php, the database connection parameters have been modified and the error message updated. In multiple patient-related PHP files, the original use of prepared statements with parameter binding has been replaced by direct SQL queries that interpolate variables into the query strings. These changes affect how patient, appointment, doctor, and schedule data are retrieved and manipulated.

Changes

File(s): connection.php
Change Summary: Updated database connection parameters: changed $servername from "db" to "localhost", updated $dbname from "edoc" to "sql_database_edoc", and revised the connection error message from French ("Échec de la connexion : ") to English ("Error! connection failed").

File(s): patient/appointment.php, patient/booking-complete.php, patient/booking.php, patient/delete-account.php, patient/delete-appointment.php, patient/doctors.php, patient/edit-user.php, patient/index.php, patient/patient.php, patient/schedule.php, patient/settings.php
Change Summary: Replaced the use of prepared statements with direct SQL queries using variable interpolation. The modifications span fetching patient records, appointment deletions, doctor and specialty retrieval, account deletion, and schedule queries.

Poem

I'm a happy rabbit, hopping with glee,
Seeing SQL queries change right before me.
The safe old stash of prepared code's gone,
Direct queries now make a new dawn.
I nibble on carrots and bytes all day,
Celebrating each change in my rabbit way!
🐇✨


coderabbitai bot left a comment

Actionable comments posted: 24

🔭 Outside diff range comments (1)
patient/patient.php (1)

376-377: ⚠️ Potential issue

Repeated Unsanitized Query
As above, $id is being used unsafely in a query.

Use prepared statements here as well:

- $sqlmain= "select * from patient where pid='$id'";
- $result= $database->query($sqlmain);
+ $stmt = $database->prepare("SELECT * FROM patient WHERE pid = ?");
+ $stmt->bind_param("i", $id);
+ $stmt->execute();
+ $result = $stmt->get_result();
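Review bot: the `+` lines call `bind_param()` on the return value of `$database->prepare()` without checking it; `prepare()` returns `false` when the SQL cannot be prepared (bad table or column name, lost connection), so add `if ($stmt === false) { /* log $database->error and bail out */ }` before binding, otherwise a broken query surfaces as a fatal call on `false` instead of a handled error. The same check applies to every prepare/bind pair suggested in this review.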
🧹 Nitpick comments (1)
connection.php (1)

10-10: Add clarity to your error message for better debugging.
Appending the raw $database->connect_error directly to “Error! connection failed” may be sufficient, but consider adding punctuation or whitespace. For instance:

die("Error! Connection failed: " . $database->connect_error);
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6550c48 and e8e6d92.

📒 Files selected for processing (12)
  • connection.php (1 hunks)
  • patient/appointment.php (2 hunks)
  • patient/booking-complete.php (1 hunks)
  • patient/booking.php (2 hunks)
  • patient/delete-account.php (2 hunks)
  • patient/delete-appointment.php (0 hunks)
  • patient/doctors.php (2 hunks)
  • patient/edit-user.php (2 hunks)
  • patient/index.php (1 hunks)
  • patient/patient.php (3 hunks)
  • patient/schedule.php (2 hunks)
  • patient/settings.php (4 hunks)
💤 Files with no reviewable changes (1)
  • patient/delete-appointment.php
🔇 Additional comments (2)
connection.php (1)

2-5:

❓ Verification inconclusive

Confirm environment consistency for new DB server and DB name.
Switching from "db" to "localhost" and "edoc" to "sql_database_edoc" may break code outside of Docker-like setups or if the new database name does not exist. Ensure that these changes align with your local/production database environment and that "sql_database_edoc" is set up accordingly.

You can verify by checking the actual DB names and environment variables with this script:


🏁 Script executed:

#!/bin/bash
# Check if the "sql_database_edoc" DB is present and "localhost" is accessible.

# List databases
mysql -h localhost -u root -p -e "SHOW DATABASES;"

# Verify the presence of 'sql_database_edoc' in the list

Length of output: 148


Action Required: Verify New Database Connection Settings

Please ensure that your updated database connection parameters in connection.php (i.e., "localhost", "root", empty password, and "sql_database_edoc") are consistent with your intended environment. The automated verification script failed because the mysql command was not found. Kindly verify manually that:

  • The MySQL client is installed and accessible in your environment.
  • The "sql_database_edoc" database exists and is correctly configured for your local/production setups.
patient/settings.php (1)

548-548: No Meaningful Change Detected
This appears to be a closing tag without functional changes.

$stmt->bind_param("s",$useremail);
$stmt->execute();
$userrow = $stmt->get_result();
$userrow = $database->query("select * from patient where pemail='$useremail'");

⚠️ Potential issue

Reintroduce parameterized queries to avoid SQL injection.
By constructing the query with $useremail directly in the string, you risk SQL injection if $useremail is not fully trusted. It’s safer to use parameter binding:

-$userrow = $database->query("select * from patient where pemail='$useremail'");
+$stmt = $database->prepare("SELECT * FROM patient WHERE pemail = ?");
+$stmt->bind_param("s", $useremail);
+$stmt->execute();
+$userrow = $stmt->get_result();

Comment on lines +26 to +27
$aab="select patient.pid from patient inner join webuser on patient.pemail=webuser.email where webuser.email='$email';";
$result= $database->query($aab);

⚠️ Potential issue

Restore prepared statements to ensure secure user lookups.
Constructing SQL with '$email' directly eliminates the protection from prepared statements. To prevent SQL injection, use parameter binding:

-$aab="select patient.pid from patient inner join webuser on patient.pemail=webuser.email where webuser.email='$email';";
-$result= $database->query($aab);
+$stmt = $database->prepare("SELECT patient.pid FROM patient 
+    INNER JOIN webuser ON patient.pemail = webuser.email 
+    WHERE webuser.email = ?");
+$stmt->bind_param("s", $email);
+$stmt->execute();
+$result = $stmt->get_result();
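Review bot: the last `+` line relies on `mysqli_stmt::get_result()`, which is only available when PHP is built with the mysqlnd driver; since this PR also moves the connection from the `db` container to `localhost`, confirm the target PHP build has mysqlnd, or use `bind_result()` / `fetch()` instead so the lookup does not fail with an undefined-method error on a libmysqlclient build.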

Comment on lines +42 to +43
$userrow = $database->query("select * from patient where pemail='$useremail'");
$userfetch=$userrow->fetch_assoc();

⚠️ Potential issue

Avoid direct string interpolation for user email to prevent SQL injection.
Replace the unbound query with a prepared statement:

-$userrow = $database->query("select * from patient where pemail='$useremail'");
-$userfetch=$userrow->fetch_assoc();
+$stmt = $database->prepare("SELECT * FROM patient WHERE pemail = ?");
+$stmt->bind_param("s", $useremail);
+$stmt->execute();
+$userfetch = $stmt->get_result()->fetch_assoc();
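Review bot: `$stmt->get_result()->fetch_assoc()` on the last `+` line returns `null` when no patient row matches `$useremail`, so any code after this hunk that indexes into `$userfetch` needs a null check; the original `$userrow->fetch_assoc()` had the same gap, but the rewrite is the place to close it (for example, redirect to login when `$userfetch === null`).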

Comment on lines +121 to 123

$keyword=$_POST["search"];
$sqlmain= "select * from schedule inner join doctor on schedule.docid=doctor.docid where schedule.scheduledate>='$today' and (doctor.docname='$keyword' or doctor.docname like '$keyword%' or doctor.docname like '%$keyword' or doctor.docname like '%$keyword%' or schedule.title='$keyword' or schedule.title like '$keyword%' or schedule.title like '%$keyword' or schedule.title like '%$keyword%' or schedule.scheduledate like '$keyword%' or schedule.scheduledate like '%$keyword' or schedule.scheduledate like '%$keyword%' or schedule.scheduledate='$keyword' ) order by schedule.scheduledate asc";

⚠️ Potential issue

Use parameterized queries for keyword-based searching.
Directly concatenating $keyword into your SQL allows malicious input to break your query. Switch to prepared statements:

-$sqlmain= "select * from schedule inner join doctor on schedule.docid=doctor.docid 
-    where schedule.scheduledate>='$today' and (doctor.docname='$keyword' 
-    or doctor.docname like '$keyword%' or doctor.docname like '%$keyword' 
-    or doctor.docname like '%$keyword%' or ... ) order by schedule.scheduledate asc";
+$sqlmain = "SELECT * FROM schedule
+    INNER JOIN doctor ON schedule.docid = doctor.docid
+    WHERE schedule.scheduledate >= ? 
+      AND (doctor.docname = ? OR doctor.docname LIKE CONCAT(?,'%') 
+           OR doctor.docname LIKE CONCAT('%',?) 
+           OR doctor.docname LIKE CONCAT('%',?,'%')
+           OR ... ) 
+    ORDER BY schedule.scheduledate ASC";
+
+$stmt = $database->prepare($sqlmain);
+$likeKeyword = $keyword;
+$stmt->bind_param("sssss", $today, $keyword, $likeKeyword, $likeKeyword, $likeKeyword);
+$stmt->execute();
+$result = $stmt->get_result();
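Review bot: the `+` lines bind five values (`"sssss"`) for a query whose remaining conditions are left as `OR ...`; the full original query on the commented lines has one date comparison plus twelve keyword comparisons, and `bind_param()` fails unless the types string and argument count match the final number of `?` exactly, so the elided conditions have to be written out before this compiles. Separately, `$likeKeyword = $keyword;` passes a user-typed `%` or `_` straight into the `LIKE` pattern as a wildcard; escape them with `str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $keyword)` so they match literally, and note that `LIKE '%kw%'` already covers the `'kw%'` and `'%kw'` cases, so one `LIKE` per column is enough.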
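An added example, not code from the PR or the project under review, that carries the suggestion above through for the whole search query shown in the commented lines: every user value is bound, LIKE metacharacters are escaped, the placeholder count is derived from the parameter list, and the `prepare()` result is checked. It assumes `$database` is the mysqli connection created in connection.php and that `$today` is a 'YYYY-MM-DD' string as in the original; `escapeLikePattern` and `searchSchedule` are names chosen here. It also generalizes slightly: the original's four comparisons per column collapse to `=` plus one `LIKE '%kw%'`, which covers the prefix and suffix cases.

```php
<?php
// Added example (not the PR's or the project's own code): fully parameterized
// schedule keyword search. Assumes $database is an open mysqli connection,
// the schedule/doctor tables are named as in the original query, and $today
// is a 'YYYY-MM-DD' string.

// Escape LIKE metacharacters so a user-supplied '%' or '_' matches literally
// instead of acting as a wildcard. Backslash is MySQL's default LIKE escape.
function escapeLikePattern(string $value): string
{
    return str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $value);
}

/**
 * Run the schedule search with every user value bound as a parameter.
 * Returns the mysqli_result, or null if the statement could not be prepared.
 */
function searchSchedule(mysqli $database, string $today, string $keyword): ?mysqli_result
{
    // The wildcards are added in PHP, so the pattern is still passed as data
    // and never spliced into the SQL text.
    $pattern = '%' . escapeLikePattern($keyword) . '%';

    $sql = "SELECT * FROM schedule
            INNER JOIN doctor ON schedule.docid = doctor.docid
            WHERE schedule.scheduledate >= ?
              AND (doctor.docname = ? OR doctor.docname LIKE ?
                   OR schedule.title = ? OR schedule.title LIKE ?
                   OR schedule.scheduledate = ? OR schedule.scheduledate LIKE ?)
            ORDER BY schedule.scheduledate ASC";

    // One entry per '?' above, in order; the types string is derived from it
    // so the two can never drift apart.
    $params = [$today, $keyword, $pattern, $keyword, $pattern, $keyword, $pattern];

    $stmt = $database->prepare($sql);
    if ($stmt === false) {
        // prepare() returns false on a SQL error; never call bind_param() on it.
        error_log('schedule search: prepare failed: ' . $database->error);
        return null;
    }
    $stmt->bind_param(str_repeat('s', count($params)), ...$params);
    if (!$stmt->execute()) {
        error_log('schedule search: execute failed: ' . $stmt->error);
        return null;
    }
    return $stmt->get_result(); // requires the mysqlnd driver
}

// Usage in the page that handles the search form (constructed values):
// $result = searchSchedule($database, date('Y-m-d'), $_POST['search'] ?? '');
// while ($result !== null && ($row = $result->fetch_assoc())) {
//     // render $row
// }
```

Because the types string is built from `count($params)`, adding or removing a condition only requires editing `$sql` and `$params` together; a mismatch shows up immediately as a `bind_param()` failure rather than as a silently wrong result.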

$stmt->bind_param("s",$useremail);
$stmt->execute();
$userrow = $stmt->get_result();
$userrow = $database->query("select * from patient where pemail='$useremail'");

⚠️ Potential issue

Potential SQL injection vulnerability.
Inserting $useremail directly into the SQL string creates a risk of SQL injection if the input is not sanitized. Use prepared statements to ensure security.

-$userrow = $database->query("select * from patient where pemail='$useremail'");
+$stmt = $database->prepare("SELECT * FROM patient WHERE pemail = ?");
+$stmt->bind_param("s", $useremail);
+$stmt->execute();
+$userrow = $stmt->get_result();

$stmt->bind_param("s",$spe);
$stmt->execute();
$spcil_res = $stmt->get_result();
$spcil_res= $database->query("select sname from specialties where id='$spe'");

⚠️ Potential issue

String Interpolation of $spe
$spcil_res= $database->query("select sname from specialties where id='$spe'"); is susceptible to injection if $spe is untrusted.

Proposed fix:

- $spcil_res= $database->query("select sname from specialties where id='$spe'");
+ $stmt = $database->prepare("SELECT sname FROM specialties WHERE id = ?");
+ $stmt->bind_param("i", $spe);
+ $stmt->execute();
+ $spcil_res = $stmt->get_result();
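Review bot: the removed line quotes the value (`id='$spe'`), so the query treated it as a string, while the `+` line binds it with `"i"`; a non-numeric `$spe` is then coerced to `0` and the lookup silently matches nothing (or whatever row has `id = 0`). Confirm that `specialties.id` is an integer column and validate the input first (`filter_var($spe, FILTER_VALIDATE_INT)`), returning early with an error when validation fails, rather than relying on the coercion.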

$stmt->bind_param("s",$useremail);
$stmt->execute();
$userrow = $stmt->get_result();
$userrow = $database->query("select * from patient where pemail='$useremail'");

⚠️ Potential issue

Possible SQL Injection:
Directly inserting $useremail into the query string can be exploited.

Consider prepared statements:

- $userrow = $database->query("select * from patient where pemail='$useremail'");
+ $stmt = $database->prepare("SELECT * FROM patient WHERE pemail=?");
+ $stmt->bind_param("s", $useremail);
+ $stmt->execute();
+ $userrow = $stmt->get_result();

$stmt->bind_param("i",$id);
$stmt->execute();
$result001 = $stmt->get_result();
$result001= $database->query("select * from patient where pid=$id;");

⚠️ Potential issue

Severe SQL injection vulnerability

This code introduces a critical SQL injection vulnerability by directly including user input ($id from $_GET["id"]) in an SQL query without any sanitization or parameterization.

Replace with a prepared statement to protect against SQL injection:

-$result001= $database->query("select * from patient where pid=$id;");
+$sqlmain = "select * from patient where pid=?";
+$stmt = $database->prepare($sqlmain);
+$stmt->bind_param("i", $id);
+$stmt->execute();
+$result001 = $stmt->get_result();
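Review bot: binding `$id` closes the injection, but the comment itself notes that `$id` comes from `$_GET["id"]`, and the `+` query still returns whichever patient row matches that id; there is nothing on these lines tying the requested `pid` to the logged-in patient. Either add a condition on the session's own identity (for example `WHERE pid = ? AND pemail = ?` bound to the session email) or check ownership of the fetched row before rendering it, so that a patient cannot read another patient's record by changing the query-string id.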

$stmt->bind_param("s",$useremail);
$stmt->execute();
$userrow = $stmt->get_result();
$userrow = $database->query("select * from patient where pemail='$useremail'");

⚠️ Potential issue

Reintroduce prepared statements to prevent SQL injection

This change replaces a secure prepared statement with direct string interpolation in the SQL query. This introduces a significant security vulnerability known as SQL injection.

Replace this line with a prepared statement:

-$userrow = $database->query("select * from patient where pemail='$useremail'");
+$sqlmain = "select * from patient where pemail=?";
+$stmt = $database->prepare($sqlmain);
+$stmt->bind_param("s", $useremail);
+$stmt->execute();
+$userrow = $stmt->get_result();
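Review bot: the `+` lines here are the same `select * from patient where pemail=?` prepare/bind/execute sequence suggested for four other files in this PR; rather than repeating the five lines per page, consider a single helper beside `$database` in connection.php (something like `fetchPatientByEmail($database, $email)`) that also handles the `prepare()` failure case once, so every page gets the same checked behaviour.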

Comment on lines +31 to +32
$sql= $database->query("delete from webuser where email='$email';");
$sql= $database->query("delete from patient where pemail='$email';");

⚠️ Potential issue

Use prepared statements for delete operations

These direct query executions introduce SQL injection vulnerabilities. Even though $email comes from a database query result, it's best practice to use prepared statements for all database operations.

Replace with prepared statements:

-$sql= $database->query("delete from webuser where email='$email';");
-$sql= $database->query("delete from patient where pemail='$email';");
+$sqlmain = "delete from webuser where email=?";
+$stmt = $database->prepare($sqlmain);
+$stmt->bind_param("s", $email);
+$stmt->execute();
+
+$sqlmain = "delete from patient where pemail=?";
+$stmt = $database->prepare($sqlmain);
+$stmt->bind_param("s", $email);
+$stmt->execute();
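Review bot: the two `+` DELETE statements run as independent autocommitted queries, so if the second one fails the `webuser` row is already gone while the `patient` row remains, leaving a half-deleted account; wrap both in `$database->begin_transaction()` / `commit()` with `rollback()` on failure, and check the return value of each `execute()`, which the suggestion discards. The same `$stmt` is also reassigned by the second `prepare()` without a `close()` on the first statement.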
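An added example, not code from the PR or the project under review, that performs the two account deletions discussed above inside one transaction with both statements prepared and checked. It assumes `$database` is the mysqli connection from connection.php with autocommit enabled, that `webuser` and `patient` are InnoDB tables (MyISAM ignores transactions), and that `$email` is the logged-in patient's own address as in the original delete-account flow; `deletePatientAccount` is a name chosen here.

```php
<?php
// Added example (not the PR's or the project's own code): delete a patient's
// webuser and patient rows atomically. Assumes $database is an open mysqli
// connection with autocommit on and both tables use a transactional engine.

/**
 * Remove the account identified by $email from both tables.
 * Returns true when both deletes were committed, false when rolled back.
 */
function deletePatientAccount(mysqli $database, string $email): bool
{
    // Same order as the original code: the login row first, then the profile.
    $statements = [
        'DELETE FROM webuser WHERE email = ?',
        'DELETE FROM patient WHERE pemail = ?',
    ];

    $database->begin_transaction();
    try {
        foreach ($statements as $sql) {
            $stmt = $database->prepare($sql);
            if ($stmt === false) {
                throw new RuntimeException('prepare failed: ' . $database->error);
            }
            $stmt->bind_param('s', $email);
            if (!$stmt->execute()) {
                throw new RuntimeException('execute failed: ' . $stmt->error);
            }
            $stmt->close();
        }
        $database->commit();
        return true;
    } catch (Throwable $e) {
        // Undo the first delete if the second one failed, so the account is
        // never left half-removed.
        $database->rollback();
        error_log('account deletion aborted: ' . $e->getMessage());
        return false;
    }
}

// Usage (constructed): only destroy the session once both rows are gone.
// if (deletePatientAccount($database, $email)) {
//     session_destroy();
// } else {
//     // show an error; the account still exists in full
// }
```

Throwing inside the loop and catching once keeps the rollback in a single place; the caller only sees a boolean and never has to reason about which of the two deletes succeeded.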
