From 1411b9795499f9bbffd0f36dfe474f685b844eda Mon Sep 17 00:00:00 2001
From: Muad Sakah
Date: Fri, 7 Feb 2025 20:36:47 +0000
Subject: [PATCH] use prepare statements for final 4 files where possible
---
 admin/award_download.php | 6 +++---
 config/backuprestore.php | 12 ++++++------
 config/rollover.php | 4 ++--
 scripts/rolloverschools.php | 4 ++--
 4 files changed, 13 insertions(+), 13 deletions(-)
diff --git a/admin/award_download.php b/admin/award_download.php
index 8d044c4d..f4deba09 100644
--- a/admin/award_download.php
+++ b/admin/award_download.php
@@ -150,8 +150,8 @@ switch (get_value_from_array($_GET, 'action')) {
 $sponsor_id = $sponsorr->id;
 } else {
 $q = $pdo->prepare("INSERT INTO sponsors (organization,year,notes)
- VALUES (?,?, Imported from external source: ?)");
- $q->execute([$sponsor_str,$year,$r->name]);
+ VALUES (?,?,'" . "Imported from external source: $r->name" . "')");
+ $q->execute([$sponsor_str,$year]);
 show_pdo_errors_if_any($pdo);
 $sponsor_id = $pdo->lastInsertId();
 }
@@ -242,7 +242,7 @@ switch (get_value_from_array($_GET, 'action')) {
 trophystudentreturn =?,
 trophyschoolkeeper =?,
 trophyschoolreturn =?
- WHERE id = ?");
+ WHERE id =?");
 $q->execute([
 intval($prize['cash']),
diff --git a/config/backuprestore.php b/config/backuprestore.php
index 1f9d8470..9c655ceb 100644
--- a/config/backuprestore.php
+++ b/config/backuprestore.php
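Review bot: The new `VALUES (?,?,'" . "Imported from external source: $r->name" . "')` line interpolates `$r->name` into the SQL text, so a name containing a single quote breaks the statement and can inject SQL — this hunk removes a bound parameter rather than adding one. The old query was also broken (the note text sat unquoted in the SQL), but the repair that keeps the value bound is `$q = $pdo->prepare("INSERT INTO sponsors (organization,year,notes) VALUES (?,?,?)");` followed by `$q->execute([$sponsor_str, $year, "Imported from external source: $r->name"]);`. Where `$r` is read from is outside the hunk; the note text itself suggests it comes from an external import, which is reason enough to keep it bound rather than spliced. The enclosing `switch` case begins and ends outside the hunk.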
@@ -40,13 +40,13 @@ if (get_value_from_array($_GET, 'action') == 'backup') {
 $dump .= '#SFIAB FAIR NAME: ' . $config['fairname'] . "\n";
 $dump .= "#-------------------------------------------------\n";
- $tableq = $pdo->prepare("SHOW TABLES FROM ?");
- $tableq->execute($DBNAME);
+ $tableq = $pdo->prepare("SHOW TABLES FROM $DBNAME");
+ $tableq->execute();
 while ($tr = $tableq->fetch(PDO::FETCH_NUM)) {
 $table = $tr[0];
 $dump .= "#TABLE: $table\n";
- $columnq = $pdo->prepare("SHOW COLUMNS FROM ?");
- $columnq->execute($table);
+ $columnq = $pdo->prepare("SHOW COLUMNS FROM $table");
+ $columnq->execute();
 $str = "INSERT INTO `$table` (";
 unset($fields);
 $fields = array();
@@ -57,8 +57,8 @@ if (get_value_from_array($_GET, 'action') == 'backup') {
 $str = substr($str, 0, -1);
 $str .= ') VALUES (';
- $dataq = $pdo->prepare("SELECT * FROM `$table` ORDER BY ?");
- $dataq->execute([$fields[0]]);
+ $dataq = $pdo->prepare("SELECT * FROM `$table` ORDER BY $fields[0]");
+ $dataq->execute();
 while ($data = $dataq->fetch(PDO::FETCH_OBJ)) {
 $insertstr = $str;
 foreach ($fields AS $field) {
diff --git a/config/rollover.php b/config/rollover.php
index ba09bbd8..a61fe54c 100644
--- a/config/rollover.php
+++ b/config/rollover.php
@@ -91,8 +91,8 @@ function roll($currentfairyear, $newfairyear, $table, $where = '', $replace = ar
 $where = '1';
 /* Get data */
- $q = $pdo->prepare("SELECT * FROM ? WHERE year=? AND ?");
- $q->execute([$table,$currentfairyear,$where]);
+ $q = $pdo->prepare("SELECT * FROM $table WHERE year=? AND $where");
+ $q->execute([$currentfairyear]);
 show_pdo_errors_if_any($pdo);
 $names = '`' . join('`,`', $fields) . '`';
diff --git a/scripts/rolloverschools.php b/scripts/rolloverschools.php
index f8802653..c3af3fbb 100644
--- a/scripts/rolloverschools.php
+++ b/scripts/rolloverschools.php
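Review bot: `SHOW TABLES FROM $DBNAME` and `SHOW COLUMNS FROM $table` now splice identifiers into the SQL unquoted, while the ``$str = "INSERT INTO `$table` (";`` context line a few lines below already backtick-quotes the same name; dropping the `?` is unavoidable because PDO cannot bind identifiers, but the quoting should be consistent so a table or database with an unusual or reserved-word name does not break the backup. Suggested lines: ``$tableq = $pdo->prepare("SHOW TABLES FROM `$DBNAME`");`` and ``$columnq = $pdo->prepare("SHOW COLUMNS FROM `$table`");``, each preceded by `// identifier, not a value: PDO placeholders cannot bind table names, so quote instead`. `$table` is read from the `SHOW TABLES` result and `$DBNAME` is presumably the configured database name, so this is about robustness rather than user input — worth confirming where `$DBNAME` is assigned. The `if` block this sits in starts before the hunk and continues past it.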
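Review bot: `ORDER BY $fields[0]` splices the first column name in unquoted, whereas the table name on the same line is backtick-quoted; a column named after a reserved word would make the dump query fail. Suggested: ``$dataq = $pdo->prepare("SELECT * FROM `$table` ORDER BY `{$fields[0]}`");``. Since the statement no longer takes parameters, `$pdo->query(...)` would express that more directly, though prepare/execute is acceptable if that is the file's convention. `$fields` is presumably filled from the `SHOW COLUMNS` loop above this hunk, which starts outside it, so whether it can be empty here cannot be confirmed from the patch.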
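Review bot: `SELECT * FROM $table WHERE year=? AND $where` appends the `$where` parameter verbatim as a SQL fragment, so every caller of `roll()` is now trusted to pass only hard-coded SQL; the change itself is unavoidable (PDO cannot bind identifiers or fragments), but nothing in the hunk records that contract. Add above the prepare: `// $table is an identifier and $where a raw SQL fragment: neither can be a PDO placeholder, so callers must pass only constant, trusted strings` and quote the identifier: ``$q = $pdo->prepare("SELECT * FROM `$table` WHERE year=? AND $where");``. The callers are outside this patch, so whether any of them builds `$where` from request data cannot be confirmed here. `roll()`'s signature appears only in the hunk header and its body continues past the hunk.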
@@ -34,8 +34,8 @@ require_once ('../config_editor.inc.php');
 function roll($currentfairyear, $newfairyear, $table, $fields) {
 global $pdo;
- $q = $pdo->prepare("SELECT * FROM ? WHERE year=?");
- $q->execute([$table,$currentfairyear]);
+ $q = $pdo->prepare("SELECT * FROM $table WHERE year=?");
+ $q->execute([$currentfairyear]);
 show_pdo_errors_if_any($pdo);
 $names = '`' . join('`,`', $fields) . '`';
 while ($r = $q->fetch(PDO::FETCH_ASSOC)) {
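Review bot: `SELECT * FROM $table WHERE year=?` splices `$table` in unquoted, while the `$names` line two lines below backtick-quotes every column; quote the table the same way, ``$q = $pdo->prepare("SELECT * FROM `$table` WHERE year=?");``, and record why there is no placeholder: `// $table is an identifier; PDO cannot bind it, so it must come from a trusted constant`. This `roll()` is a separate copy of the function patched in config/rollover.php with a different signature (`$fields` instead of `$where`/`$replace`); if the two are meant to stay in step, a shared helper would avoid fixing the same query twice. The function body continues past the hunk, so where `$table` originates is not visible here.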