use prepare statements for final 4 files where possible

2025-02-07 20:36:47 +00:00 · 2025-02-07 20:36:47 +00:00 · 1411b97954
commit 1411b97954
parent e4edb741c1
4 changed files with 13 additions and 13 deletions
--- a/admin/award_download.php
+++ b/admin/award_download.php
@ -150,8 +150,8 @@ switch (get_value_from_array($_GET, 'action')) {
 				$sponsor_id = $sponsorr->id;
 			} else {
 				$q = $pdo->prepare("INSERT INTO sponsors (organization,year,notes) 
-				VALUES (?,?, Imported from external source: ?)");
-				$q->execute([$sponsor_str,$year,$r->name]);
+				VALUES (?,?,'" . "Imported from external source: $r->name" . "')");
+				$q->execute([$sponsor_str,$year]);
 				show_pdo_errors_if_any($pdo);
 				$sponsor_id = $pdo->lastInsertId();
 			}
@ -242,7 +242,7 @@ switch (get_value_from_array($_GET, 'action')) {
 						trophystudentreturn =?, 
 						trophyschoolkeeper =?, 
 						trophyschoolreturn =? 
-						WHERE id = ?");
+						WHERE id =?");
 				
 					$q->execute([
 						intval($prize['cash']),
--- a/config/backuprestore.php
+++ b/config/backuprestore.php
@ -40,13 +40,13 @@ if (get_value_from_array($_GET, 'action') == 'backup') {
 	$dump .= '#SFIAB FAIR NAME: ' . $config['fairname'] . "\n";
 	$dump .= "#-------------------------------------------------\n";

-	$tableq = $pdo->prepare("SHOW TABLES FROM ?");
-	$tableq->execute($DBNAME);
+	$tableq = $pdo->prepare("SHOW TABLES FROM $DBNAME");
+	$tableq->execute();
 	while ($tr = $tableq->fetch(PDO::FETCH_NUM)) {
 		$table = $tr[0];
 		$dump .= "#TABLE: $table\n";
-		$columnq = $pdo->prepare("SHOW COLUMNS FROM ?");
-		$columnq->execute($table);
+		$columnq = $pdo->prepare("SHOW COLUMNS FROM $table");
+		$columnq->execute();
 		$str = "INSERT INTO `$table` (";
 		unset($fields);
 		$fields = array();
@ -57,8 +57,8 @@ if (get_value_from_array($_GET, 'action') == 'backup') {
 		$str = substr($str, 0, -1);
 		$str .= ') VALUES (';

-		$dataq = $pdo->prepare("SELECT * FROM `$table` ORDER BY ?");
-		$dataq->execute([$fields[0]]);
+		$dataq = $pdo->prepare("SELECT * FROM `$table` ORDER BY $fields[0]");
+		$dataq->execute();
 		while ($data = $dataq->fetch(PDO::FETCH_OBJ)) {
 			$insertstr = $str;
 			foreach ($fields AS $field) {
--- a/config/rollover.php
+++ b/config/rollover.php
@ -91,8 +91,8 @@ function roll($currentfairyear, $newfairyear, $table, $where = '', $replace = ar
 		$where = '1';

 	/* Get data */
-	$q = $pdo->prepare("SELECT * FROM ? WHERE year=? AND ?");
-	$q->execute([$table,$currentfairyear,$where]);
+	$q = $pdo->prepare("SELECT * FROM $table WHERE year=? AND $where");
+	$q->execute([$currentfairyear]);
 	show_pdo_errors_if_any($pdo);
 	$names = '`' . join('`,`', $fields) . '`';

--- a/scripts/rolloverschools.php
+++ b/scripts/rolloverschools.php
@ -34,8 +34,8 @@ require_once ('../config_editor.inc.php');
 function roll($currentfairyear, $newfairyear, $table, $fields)
 {
 	global $pdo;
-	$q = $pdo->prepare("SELECT * FROM ? WHERE year=?");
-	$q->execute([$table,$currentfairyear]);
+	$q = $pdo->prepare("SELECT * FROM $table WHERE year=?");
+	$q->execute([$currentfairyear]);
 	show_pdo_errors_if_any($pdo);
 	$names = '`' . join('`,`', $fields) . '`';
 	while ($r = $q->fetch(PDO::FETCH_ASSOC)) {