prepare("SELECT * FROM road_challans WHERE id = ?"); $stmt->bind_param("i", $id); $stmt->execute(); $result = $stmt->get_result(); if ($result->num_rows === 0) { echo "Record not found."; exit; } $challan = $result->fetch_assoc(); // echo '
';
// print_r($challan);
// die();
$stmt->close();

if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    $updated_at = date('Y-m-d H:i:s');

    // Helper function to escape and wrap string values safely
    function esc_str($conn, $val)
    {
        return "'" . mysqli_real_escape_string($conn, $val) . "'";
    }

    if ($_POST['form_id'] == 'challan_update') {
        // Escape all string inputs
        $consignorName = esc_str($conn, $_POST['consignorName'] ?? '');
        $consignorAddress = esc_str($conn, $_POST['consignorAddress'] ?? '');
        $consignorEmail = esc_str($conn, $_POST['consignorEmail'] ?? '');
        $consignorPhone = esc_str($conn, $_POST['consignorPhone'] ?? '');
        $consignorPincode = esc_str($conn, $_POST['consignorPincode'] ?? '');
        $consignorGst = esc_str($conn, $_POST['consignorGst'] ?? '');
        $name = esc_str($conn, $_POST['name'] ?? '');
        $address1 = esc_str($conn, $_POST['address1'] ?? '');
        $destination = esc_str($conn, $_POST['destination'] ?? '');
        $order_date = esc_str($conn, $_POST['order_date'] ?? '');
        $challan_no = esc_str($conn, $_POST['challan_no'] ?? '');
        $date = esc_str($conn, $_POST['date'] ?? '');
        $vehicle_no = esc_str($conn, $_POST['vehicle_no'] ?? '');
        $d_vehicle_date = esc_str($conn, $_POST['d_vehicle_date'] ?? '');
        $description = esc_str($conn, $_POST['description'] ?? '');
        $hsn = esc_str($conn, $_POST['hsn'] ?? '');
        $driver_no = esc_str($conn, $_POST['driver_no'] ?? '');
        $sig_datetime = esc_str($conn, $_POST['sig_datetime'] ?? '');

        // Cast numeric values safely
        $bags = isset($_POST['bags']) ? (int)$_POST['bags'] : '';
        // $quantity = isset($_POST['quantity']) ? (float)$_POST['quantity'] : '';


        $sql = "UPDATE road_challans SET 
            consignorName = $consignorName,
            consignorAddress = $consignorAddress,
            consignorEmail = $consignorEmail,
            consignorPhone = $consignorPhone,
            consignorPincode = $consignorPincode,
            consignorGst = $consignorGst,
            name = $name,
            address1 = $address1,
            destination = $destination,
            order_date = $order_date,
            challan_no = $challan_no,
            date = $date,
            vehicle_no = $vehicle_no,
            d_vehicle_date = $d_vehicle_date,
            description = $description,
            bags = $bags,
            
            hsn = $hsn,
            driver_no = $driver_no,
            sig_datetime = $sig_datetime,
            updated_at = '" . $updated_at . "'
            WHERE id = $id";

        if (mysqli_query($conn, $sql)) {
            echo "";
        } else {
            echo "Error updating challan: " . mysqli_error($conn);
        }
    } else if ($_POST['form_id'] == 'invoice_update') {
        // echo '
';
        // print_r($_POST);
        // die();
        // Assuming esc_str() is a function wrapping mysqli_real_escape_string for safety
        // A helper function to escape and quote a value, or set NULL if empty
        function esc_and_quote($conn, $val)
        {
            if (isset($val) && $val !== '') {
                return "'" . mysqli_real_escape_string($conn, $val) . "'";
            } else {
                return "NULL"; // or "'0'" if you want default zero string
            }
        }

        // Use for string fields
        $date_of_reach = esc_and_quote($conn, $_POST['date_of_reach'] ?? '');
        $date_raw = $_POST['date_of_unloading'] ?? '';
        $formatted_date = $date_raw ? date('Y-m-d H:i:s', strtotime($date_raw)) : null;
        $date_of_unloading = esc_and_quote($conn, $formatted_date);

        $quantity_billed = isset($_POST['quantity_billed']) ? (float)$_POST['quantity_billed'] : 0;
        $rate = isset($_POST['rate']) ? (float)$_POST['rate'] : 0;
        $amount = isset($_POST['amount']) ? (float)$_POST['amount'] : 0;

        $cgst = esc_and_quote($conn, $_POST['cgst'] ?? '');
        $sgst = esc_and_quote($conn, $_POST['sgst'] ?? '');
        $igst = esc_and_quote($conn, $_POST['igst'] ?? '');
        $finalAmount = esc_and_quote($conn, $_POST['finalAmount'] ?? '');
        $amountWords = esc_and_quote($conn, $_POST['amountWords'] ?? '');

        // Assuming $updated_at is a string and defined, escape it too
        $updated_at_escaped = esc_and_quote($conn, $updated_at);
        $id = (int)$id;

        $sql = "UPDATE road_challans SET
    date_of_reach = $date_of_reach,
    date_of_unloading = $date_of_unloading,
    quantity_billed = $quantity_billed,
    rate = $rate,
    amount = $amount,
    cgst = $cgst,
    sgst = $sgst,
    igst = $igst,
    finalAmount = $finalAmount,
    amountWords = $amountWords,
    updated_at = $updated_at_escaped
    WHERE id = $id";

        if (mysqli_query($conn, $sql)) {
            echo "";
        } else {
            echo "Error updating invoice: " . mysqli_error($conn);
        }
    } else if ($_POST['form_id'] == 'bill_book_update') {
        $bill_book_vendor = esc_str($conn, $_POST['bill_book_vendor'] ?? '');
        $bill_book_invoice = esc_str($conn, $_POST['bill_book_invoice'] ?? '');
        $bill_book_date = esc_str($conn, $_POST['bill_book_date'] ?? '');
        $bill_book_vehicle_type = esc_str($conn, $_POST['bill_book_vehicle_type'] ?? '');

        $bill_book_value = isset($_POST['bill_book_value']) ? (float)$_POST['bill_book_value'] : 0;
        $bill_book_loading_expenses = isset($_POST['bill_book_loading_expenses']) ? (float)$_POST['bill_book_loading_expenses'] : 0;
        $bill_book_office_expenses = isset($_POST['bill_book_office_expenses']) ? (float)$_POST['bill_book_office_expenses'] : 0;
        $bill_book_total_cost = isset($_POST['bill_book_total_cost']) ? (float)$_POST['bill_book_total_cost'] : 0;
        $bill_book_lease_exp = isset($_POST['bill_book_lease_exp']) ? (float)$_POST['bill_book_lease_exp'] : 0;
        $bill_book_fuel_exp = isset($_POST['bill_book_fuel_exp']) ? (float)$_POST['bill_book_fuel_exp'] : 0;
        $bill_book_toll_exp = isset($_POST['bill_book_toll_exp']) ? (float)$_POST['bill_book_toll_exp'] : 0;
        $bill_book_freight_exp = isset($_POST['bill_book_freight_exp']) ? (float)$_POST['bill_book_freight_exp'] : 0;
        $bill_book_road_exp = isset($_POST['bill_book_road_exp']) ? (float)$_POST['bill_book_road_exp'] : 0;
        $bill_book_total_exp = isset($_POST['bill_book_total_exp']) ? (float)$_POST['bill_book_total_exp'] : 0;

        $sql = "UPDATE road_challans SET
            bill_book_vendor = $bill_book_vendor,
            bill_book_invoice = $bill_book_invoice,
            bill_book_date = $bill_book_date,
            bill_book_value = $bill_book_value,
            bill_book_loading_expenses = $bill_book_loading_expenses,
            bill_book_office_expenses = $bill_book_office_expenses,
            bill_book_total_cost = $bill_book_total_cost,
            bill_book_vehicle_type = $bill_book_vehicle_type,
            bill_book_lease_exp = $bill_book_lease_exp,
            bill_book_fuel_exp = $bill_book_fuel_exp,
            bill_book_toll_exp = $bill_book_toll_exp,
            bill_book_freight_exp = $bill_book_freight_exp,
            bill_book_road_exp = $bill_book_road_exp,
            bill_book_total_exp = $bill_book_total_exp,
            updated_at = '" . $updated_at . "'
            WHERE id = $id";

        if (mysqli_query($conn, $sql)) {
            echo "";
        } else {
            echo "Error updating bill book: " . mysqli_error($conn);
        }
    } else {
        echo "Invalid form submission.";
    }

    exit;
}

// Include your header or other HTML/PHP below this point
require_once('includes/header.php');
?>