From 2791c013bda8f63d20ea569aec9df149b552f42a Mon Sep 17 00:00:00 2001 From: mikael-zakaria Date: Fri, 6 Feb 2026 10:28:35 +0800 Subject: [PATCH] Update API_TM.php --- app/Controllers/API_TM.php | 25 ++++++++++++++++++++----- 1 file changed, 20 insertions(+), 5 deletions(-) diff --git a/app/Controllers/API_TM.php b/app/Controllers/API_TM.php index e241a91..99f0a7f 100644 --- a/app/Controllers/API_TM.php +++ b/app/Controllers/API_TM.php @@ -117,13 +117,20 @@ class API_TM extends ResourceController { $sql = "select PATID, FIRSTNAME, LASTNAME from cmod.dbo.CM_TM_PATIENTS where PATNUMBER='$rm'"; $query = $db->query($sql); $result = $query->getResultArray(); - if(isset($result[0])) { $patid = $result[0]['PATID']; $rfirstname = $result[0]['FIRSTNAME']; $rlastname = $result[0]['LASTNAME']; } - else { $patid = ''; } + if(isset($result[0])) { + $patid = $result[0]['PATID']; + $rfirstname = str_replace("'","''",$result[0]['FIRSTNAME']); + $rlastname = str_replace("'","''",$result[0]['LASTNAME']); + } else { $patid = ''; } - $sql = "select REQID, PATID from cmod.dbo.CM_TM_REQUESTS where REFFID='$reffid'"; + $sql = "select REQID, PATID, REQNUMBER from cmod.dbo.CM_TM_REQUESTS where REFFID='$reffid'"; $query = $db->query($sql); $result = $query->getResultArray(); - if(isset($result[0])) { $reqid = $result[0]['REQID']; $rpatid = $result[0]['PATID']; } + if(isset($result[0])) { + $reqid = $result[0]['REQID']; + $rpatid = $result[0]['PATID']; + $rvisitnum = $result[0]['REQNUMBER']; + } else { $reqid = ''; $rpatid = ''; } //echo "$patid
$reqid - $rpatid"; @@ -149,10 +156,18 @@ class API_TM extends ResourceController { return $this->failForbidden('Error. Sample already received, cannot update patient data. '); } } else { - return $this->failForbidden('Error. Invalid patient data.'); + return $this->failForbidden("Error. Invalid patient data. $rfirstname <> $firstname.$rlastname <> $lastname"); } } + // check f-in visit# + if(isset($rvisitnum)) { + if($rvisitnum != '' && $rvisitnum != $visitnum) { + return $this->failForbidden("Error. Invalid Visit#."); + } + } + + if($reqstatus != 1) { // reqstatus = order if( $reqid == '' ) { // new request $sql = "INSERT INTO cmod.dbo.CM_TM_REQUESTS (REFFID, REQNUMBER, REQDATE, AGENT, DOC, LOC, PATID, COMPANY, LOGDATE, BW, BH, VISITDESC, VISITTYPE, REQSTATUS)
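Review bot: The rewritten REQUESTS lookup still interpolates `$reffid` straight into the SQL string, as does the PATNUMBER query in the context lines above it. Where `$reffid` and `$rm` are assigned is outside the hunk, but if they come from the API request this is an injection point, and a bound parameter closes it: `$query = $db->query("select REQID, PATID, REQNUMBER from cmod.dbo.CM_TM_REQUESTS where REFFID = ?", [$reffid]);`. The added `str_replace("'","''",…)` on FIRSTNAME/LASTNAME suggests those values are concatenated into a later statement. Hand-doubling quotes is fragile, and it also alters the strings that the name check in the second hunk appears to compare against, so binding there as well would let the manual escaping be dropped. `$rfirstname`, `$rlastname` and `$rvisitnum` are assigned only on the row-found branches and stay undefined otherwise.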
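Review bot: The new `failForbidden` message in the else branch sends the stored `$rfirstname`/`$rlastname` back to the API caller, so a request with a mismatching name receives the patient name on file in the 403 body. Keep the response generic, `return $this->failForbidden('Error. Invalid patient data.');`, and record the comparison detail server-side, for example `log_message('debug', "TM name mismatch for PATID $patid");`. The condition that leads to this branch starts outside the hunk, so it is not visible whether `$rfirstname`/`$rlastname` can be undefined here when no patient row was found. In the added visit check, `$rvisitnum != $visitnum` is a loose comparison, so numeric strings such as '0012' and '12' compare equal; `(string) $rvisitnum !== (string) $visitnum` would require an exact match.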