<?php
    include("common.php");
    
    # if they asked for reviews for a product select those
    if(isset($_GET["product_id"])){
        #protect against sql injection
        $prod_id = $db->quote($_GET["product_id"]);
        
        $rows = $db->query("SELECT product_id, review FROM reviews" .
                            " WHERE product_id = $prod_id;");
        
        header("Content-Type: application/json");
        $output = array();
        $output["reviews"] = array();
        
        foreach($rows as $row){
            $product_array = array();
            $product_array["review"] = $row["review"];
            $product_array["product_id"] = $row["product_id"];
            
            $output["reviews"] []= $product_array;
        }
        
        print(json_encode($output));
        
    } else if(isset($_POST["product_id"]) && isset($_POST["review"])){
        # if they are posting a review for a product, insert it
        
        #protect against sql injection
        $prod_id = $db->quote($_POST["product_id"]);
        $review = $db->quote($_POST["review"]);
        
        $numRows = $db->exec("INSERT INTO reviews  (product_id, review) " . 
                    "VALUES ($prod_id, $review);");
        
        $output = array();
        $output["success"] = "$numRows rows effected";
        
        print(json_encode($output));
    }
?>