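<?php
declare(strict_types=1);

require_once 'includes/config.php';

// Handler for the "add staff member" form posted from staff.php.
// Inserts one row into `attendant`. Requires an authenticated admin session
// and a POST request; anything else is redirected away. Expects $pdo (a PDO
// instance) to be provided by includes/config.php.

// Only an authenticated admin may create staff accounts.
if (!isset($_SESSION['admin_id'])) {
    header('Location: login.php');
    exit;
}

// Only process POST requests; anything else just bounces to the listing.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    header('Location: staff.php');
    exit;
}

// NOTE(review): there is no CSRF token check here. The handler is protected by
// the admin's session cookie alone, so a forged cross-site POST could create a
// staff account. Add a per-session token to the staff.php form and verify it
// here with hash_equals() before any of the processing below.

// Redirect back to the staff listing with a toast message and stop the script.
// Declared as a closure rather than a named function so this handler does not
// define global symbols that could collide with includes/config.php.
$redirectWithToast = static function (string $message): void {
    header('Location: staff.php?toast=' . urlencode($message));
    exit;
};

// Read a form field as a string. Missing keys and non-string values (e.g. a
// `name[]=x` submission, which would make hash()/trim() throw a TypeError)
// become ''. Trimming is optional because passwords must never be trimmed.
$postString = static function (string $key, bool $trim = true): string {
    $value = $_POST[$key] ?? '';
    if (!is_string($value)) {
        return '';
    }

    return $trim ? trim($value) : $value;
};

$name     = $postString('name');
$account  = $postString('account');
$email    = $postString('email');
$password = $postString('password', false); // do not trim passwords

// Strict '' checks instead of empty(): empty('0') is true, which would reject
// a legitimate value such as the account "0".
if ($name === '' || $account === '' || $email === '' || $password === '') {
    $redirectWithToast('Please fill in all required fields.');
}

// Reject malformed addresses before they reach the database.
if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
    $redirectWithToast('Please enter a valid email address.');
}

// Kept as unsalted SHA-256 so the stored value stays compatible with whatever
// login.php compares against. NOTE(review): this is not a password hash -- it
// is fast and unsalted, so a leaked table is cheap to crack offline. Migrate to
// password_hash()/password_verify() together with the login code (for example
// by rehashing on the next successful login).
$hashedPassword = hash('sha256', $password);

// Parameterised INSERT; user-supplied values are bound, never interpolated.
$sql = 'INSERT INTO attendant (account, name, email, password, created_at) '
    . 'VALUES (?, ?, ?, ?, NOW())';

try {
    // prepare() can throw just like execute(), so both sit inside the try.
    $stmt = $pdo->prepare($sql);
    $stmt->execute([$account, $name, $email, $hashedPassword]);
    $redirectWithToast('Staff member added successfully.');
} catch (PDOException $e) {
    // Log the driver message server-side and never echo it to the browser:
    // it can reveal table/column names, the query text and connection details.
    error_log('add staff failed: ' . $e->getMessage());

    // SQLSTATE 23000 is an integrity-constraint violation, e.g. a duplicate
    // account or email where those columns are unique. getCode() is cast
    // because PDOException may carry the SQLSTATE as a string or an int.
    $toast = (string) $e->getCode() === '23000'
        ? 'A staff member with that account or email already exists.'
        : 'Error adding staff member. Please try again.';
    $redirectWithToast($toast);
}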