diff --git a/admin/user_editor_window.php b/admin/user_editor_window.php
index c97e2c78..c14f3825 100644
--- a/admin/user_editor_window.php
+++ b/admin/user_editor_window.php
@@ -98,8 +98,8 @@ if (array_key_exists('username', $_GET)) {
 $username = $_GET['username'];
 $type = $_GET['type'];
 $un = $username;
- $q = $pdo->prepare("SELECT id,MAX(year),deleted FROM users WHERE username='$un' GROUP BY uid");
- $q->execute();
+ $q = $pdo->prepare("SELECT id,MAX(year),deleted FROM users WHERE username=? GROUP BY uid");
+ $q->execute([$un]);
 show_pdo_errors_if_any($pdo);
 if ($q->rowCount()) {
@@ -119,8 +119,8 @@ if (array_key_exists('username', $_GET)) {
 }
 } else {
 // undelete them?
- $stmt = $pdo->prepare("UPDATE users SET deleted='no' WHERE id='$r->id'");
- $stmt->execute();
+ $stmt = $pdo->prepare("UPDATE users SET deleted='no' WHERE id=?");
+ $stmt->execute([$r->id]);
 // then load them?
 $u = user_load($r->id);
 }
diff --git a/admin/user_list.php b/admin/user_list.php
index ef6aec72..79b71b87 100644
--- a/admin/user_list.php
+++ b/admin/user_list.php
@@ -164,9 +164,9 @@ if (get_value_from_array($_GET, 'action') == 'update') {
 $user = user_load($id);
 // Determine if there is a more recent uid that may possibly be in the current FAIRYEAR (allows refresh page to work)
- $query = $pdo->prepare("SELECT id,uid,year FROM users WHERE uid='{$user['uid']}'
+ $query = $pdo->prepare("SELECT id,uid,year FROM users WHERE uid=?
 ORDER BY year DESC LIMIT 1");
- $query->execute();
+ $query->execute([$user['uid']]);
 $user_new = $query->fetch(PDO::FETCH_ASSOC);
@@ -178,9 +178,9 @@ if (get_value_from_array($_GET, 'action') == 'update') {
 message_push(happy(i18n('User Updated')));
 // find the newly updated user
- $q_reload = $pdo->prepare("SELECT id FROM users WHERE uid='{$user['uid']}'
+ $q_reload = $pdo->prepare("SELECT id FROM users WHERE uid=?
 ORDER BY year DESC LIMIT 1");
- $q_reload->execute();
+ $q_reload->execute([$user['uid']]);
 $reload_user = $q_reload->fetch(PDO::FETCH_ASSOC);
@@ -296,16 +296,16 @@ $querystr = "SELECT
 GROUP BY uid
 HAVING u1.deleted='no'
- $having_year
- $where_types
- $where_complete
+ ?
+ ?
+ ?
 ORDER BY lastname ASC, firstname ASC, year DESC";
 $q = $pdo->prepare($querystr);
-$q->execute();
+$q->execute([$having_year,$where_types,$where_complete]);
 show_pdo_errors_if_any($pdo);
 $num = $q->rowCount();
@@ -358,8 +358,8 @@ while ($r = $q->fetch(PDO::FETCH_ASSOC)) {
 if (in_array('fair', $types)) {
 $qq = $pdo->prepare("SELECT * FROM users_fair LEFT JOIN fairs ON fairs.id=users_fair.fairs_id
- WHERE users_id='{$r['id']}'");
-
+ WHERE users_id=?");
+ $qq->execute([$r['id']]);
 $rr = $qq->fetch(PDO::FETCH_ASSOC);
 $name = '{' . get_value_from_array($rr, 'name') . '}' . ((trim($name) == '') ? '' : "
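Review bot: `$having_year`, `$where_types` and `$where_complete` are SQL fragments (the removed lines spliced them straight after `HAVING u1.deleted='no'`), so binding them as `?` turns each one into a quoted string literal: the statement either fails to parse or, with emulated prepares, silently stops filtering by year, type and completion. Placeholders can only stand in for values, so these clauses have to stay in `$querystr` and be assembled server-side from a fixed set of clause templates, with only their values bound (e.g. `HAVING u1.deleted='no' AND year=?` and the year in the parameter array). As written the hunk is not a safe replacement for the interpolation it removes; the construction of `$querystr` and of the three fragments begins outside the hunk and should be checked for request-derived input.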
($name)");
 }
diff --git a/admin/winners.php b/admin/winners.php
index 5a747df1..74a858b0 100644
--- a/admin/winners.php
+++ b/admin/winners.php
@@ -56,21 +56,21 @@ switch ($action) {
 }
 // first check how many we are allowed to have
- $q = $pdo->prepare("SELECT number FROM award_prizes WHERE id='$prize_id'");
- $q->execute();
+ $q = $pdo->prepare("SELECT number FROM award_prizes WHERE id=?");
+ $q->execute([$prize_id]);
 show_pdo_errors_if_any($pdo);
 $r = $q->fetch(PDO::FETCH_ASSOC);
 $number = $r['number'];
 /* Get the award info */
- $q = $pdo->prepare("SELECT * FROM award_awards WHERE id='$award_awards_id'");
- $q->execute();
+ $q = $pdo->prepare("SELECT * FROM award_awards WHERE id=?");
+ $q->execute([$award_awards_id]);
 show_pdo_errors_if_any($pdo);
 $a = $q->fetch(PDO::FETCH_ASSOC);
 /* Get the project */
- $q = $pdo->prepare("SELECT fairs_id FROM projects WHERE id='$projects_id'");
- $q->execute();
+ $q = $pdo->prepare("SELECT fairs_id FROM projects WHERE id=?");
+ $q->execute([$projects_id]);
 show_pdo_errors_if_any($pdo);
 $p = $q->fetch(PDO::FETCH_ASSOC);
 $fairs_id = $p['fairs_id'];
@@ -89,24 +89,24 @@ switch ($action) { $q = $pdo->prepare("SELECT COUNT(*) AS count FROM winners LEFT JOIN projects ON winners.projects_id=projects.id WHERE - projects.fairs_id='$fairs_id' - awards_prizes_id='$prize_id'"); - $q->execute(); + projects.fairs_id=? + awards_prizes_id=?"); + $q->execute([$fairs_id,$prize_id]); show_pdo_errors_if_any($pdo); $r = $q->fetch(PDO::FETCH_ASSOC); $count = $r['count']; } else { /* Count is the total number assigned */ - $q = $pdo->prepare("SELECT COUNT(*) AS count FROM winners WHERE awards_prizes_id='$prize_id'"); - $q->execute(); + $q = $pdo->prepare("SELECT COUNT(*) AS count FROM winners WHERE awards_prizes_id=?"); + $q->execute([$prize_id]); show_pdo_errors_if_any($pdo); $r = $q->fetch(PDO::FETCH_ASSOC); $count = $r['count']; } if ($count < $number) { - $stmt = $pdo->prepare("INSERT INTO winners (awards_prizes_id,projects_id,year) VALUES ('$prize_id','$projects_id','{$config['FAIRYEAR']}')"); - $stmt->execute(); + $stmt = $pdo->prepare("INSERT INTO winners (awards_prizes_id,projects_id,year) VALUES (?,?,?)"); + $stmt->execute([$prize_id,$projects_id,$config['FAIRYEAR']]); happy_('Winning project added'); } else { error_('This prize cannot accept any more winners. Maximum: %1', $number); @@ -119,8 +119,8 @@ switch ($action) { $projects_id = intval($_GET['projects_id']); if ($prize_id && $projects_id) { - $stmt = $pdo->prepare("DELETE FROM winners WHERE awards_prizes_id='$prize_id' AND projects_id='$projects_id'"); - $stmt->execute(); + $stmt = $pdo->prepare("DELETE FROM winners WHERE awards_prizes_id=? AND projects_id=?"); + $stmt->execute([$prize_id,$projects_id]); happy_('Winning project removed'); } exit; 
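Review bot: The two rewritten conditions `projects.fairs_id=?` and `awards_prizes_id=?` are still not joined by `AND` (the removed lines had the same defect), so this COUNT statement is a syntax error, `$r` is `false`, and `$count` ends up `null` — which makes the `$count < $number` gate below admit a new winner every time, unless `show_pdo_errors_if_any()` aborts the request, which this hunk does not show. Since the commit rewrites exactly these lines it should add the conjunction: `projects.fairs_id=? AND winners.awards_prizes_id=?`. Qualifying the column with `winners.` also removes any ambiguity with the joined `projects` table.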
@@ -140,12 +140,12 @@ switch ($action) {
 award_awards
 , award_types
 WHERE
- award_awards.year='{$config['FAIRYEAR']}'
+ award_awards.year=?
 AND\taward_awards.award_types_id=award_types.id
 AND \taward_types.year=award_awards.year
- AND\taward_awards.id='$award_awards_id'
+ AND\taward_awards.id=?
 ");
- $q->execute();
+ $q->execute([$config['FAIRYEAR'],$award_awards_id]);
 show_pdo_errors_if_any($pdo);
@@ -177,12 +177,12 @@ switch ($action) {
 award_awards
 , award_types
 WHERE
- award_awards.year='{$config['FAIRYEAR']}'
+ award_awards.year=?
 AND\taward_awards.award_types_id=award_types.id
 AND \taward_types.year=award_awards.year
- AND\taward_awards.id='$award_awards_id'
+ AND\taward_awards.id=?
 ");
- $q->execute();
+ $q->execute([$config['FAIRYEAR'],$award_awards_id]);
 show_pdo_errors_if_any($pdo);
@@ -218,15 +218,15 @@ switch ($action) {
 case 'additional_materials':
 $fairs_id = intval($_GET['fairs_id']);
- $q = $pdo->prepare("SELECT * FROM award_awards WHERE id='$award_awards_id'");
- $q->execute();
+ $q = $pdo->prepare("SELECT * FROM award_awards WHERE id=?");
+ $q->execute([$award_awards_id]);
 if ($fairs_id == 0) {
 echo "Unsupported Action: Can't get additional materials for fairs_id=0. Edit the project and set it's fair to anything except 'Local/Unspecified'.";
 exit;
 }
 $a = $q->fetch(PDO::FETCH_ASSOC);
- $q = $pdo->prepare("SELECT * FROM fairs WHERE id='$fairs_id'");
- $q->execute();
+ $q = $pdo->prepare("SELECT * FROM fairs WHERE id=?");
+ $q->execute([$fairs_id]);
 $fair = $q->fetch(PDO::FETCH_ASSOC);
 $pdf = fair_additional_materials($fair, $a, $config['FAIRYEAR']);
 foreach ($pdf['header'] as $h)
@@ -412,17 +412,17 @@ $q = $pdo->prepare("SELECT award_types.type, sponsors.organization FROM - award_awards $fair_join, + award_awards ?, award_types, sponsors WHERE - award_awards.year='{$config['FAIRYEAR']}' + award_awards.year=? AND\taward_awards.award_types_id=award_types.id - AND\taward_types.year='{$config['FAIRYEAR']}' + AND\taward_types.year=? AND\taward_awards.sponsors_id=sponsors.id - $fair_where + ? ORDER BY awards_order"); -$q->execute(); +$q->execute([$fair_join,$config['FAIRYEAR'],$config['FAIRYEAR'],$fair_where]); show_pdo_errors_if_any($pdo); @@ -500,11 +500,11 @@ function print_award(&$r, $fairs_id, $editor = false, $editor_data = array()) FROM award_prizes WHERE - award_awards_id='{$r['id']}' - AND award_prizes.year='{$config['FAIRYEAR']}' + award_awards_id=? + AND award_prizes.year=? ORDER BY `order`"); - $q->execute(); + $q->execute([$r['id'],$config['FAIRYEAR']]); show_pdo_errors_if_any($pdo); echo ''; echo ''; } else { - $q = $pdo->prepare("SELECT * FROM projectcategories WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY mingrade"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM projectcategories WHERE year=? ORDER BY mingrade"); + $q->execute([$config['FAIRYEAR']]); while ($r = $q->fetch(PDO::FETCH_OBJ)) { echo ''; echo " "; diff --git a/config/dates.php b/config/dates.php index 5b49acd4..58f1c740 100644 --- a/config/dates.php +++ b/config/dates.php @@ -57,8 +57,8 @@ if (get_value_from_array($_POST, 'action') == 'save') { $d = stripslashes($val); $t = stripslashes($_POST['savetimes'][$key]); $v = "$d $t"; - $stmt = $pdo->prepare("UPDATE dates SET date='$v' WHERE year='" . $config['FAIRYEAR'] . "' AND id='$key'"); - $stmt->execute(); + $stmt = $pdo->prepare("UPDATE dates SET date=? WHERE year=? AND id=?"); + $stmt->execute([$v,$config['FAIRYEAR'],$key]); } } echo happy(i18n('Dates successfully saved')); 
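Review bot: `$fair_join` and `$fair_where` are SQL fragments — a join clause spliced after `award_awards` and an extra `AND …` condition — not values, so binding them with `?` produces `award_awards 'LEFT JOIN …'`, which is a parse error under native prepares or a stray string literal under emulated ones; either way the per-fair filtering of the award list is lost. Keep those two fragments interpolated and bind only the two year values: `$q->execute([$config['FAIRYEAR'],$config['FAIRYEAR']])`. The code that builds `$fair_join` and `$fair_where` is outside the hunk, so whether they ever contain request data (they presumably derive from an `intval()`'d `fairs_id`) should be confirmed before trusting the interpolation.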
@@ -83,8 +83,8 @@ $dates = array('fairdate' => array(),
 /* Now copy the SQL data into the above array */
-$q = $pdo->prepare("SELECT * FROM dates WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY date");
-$q->execute();
+$q = $pdo->prepare("SELECT * FROM dates WHERE year=? ORDER BY date");
+$q->execute([$config['FAIRYEAR']]);
 while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 $dates[$r->name]['description'] = $r->description;
 $dates[$r->name]['id'] = $r->id;
@@ -131,12 +131,12 @@ foreach ($dates as $dn => $d) {
 $def = $defaultdates[$dn];
 // hmm if we dont have a record for this date this year, INSERT the sql from the default
 $stmt = $pdo->prepare("INSERT INTO dates (date,name,description,year) VALUES (
- '" . $def->date . "',
- '" . $dn . "',
- '" . $def->description . "',
- '" . $config['FAIRYEAR'] . "'
+ ?,
+ ?,
+ ?,
+ ?
 )");
- $stmt->execute();
+ $stmt->execute([$def->date,$dn,$def->description,$config['FAIRYEAR']]);
 $d['id'] = $pdo->lastInsertId();
 $d['description'] = $def->description;
 $d['date'] = $def->date;
diff --git a/config/divisions.php b/config/divisions.php
index 81af49d8..42951f2b 100644
--- a/config/divisions.php
+++ b/config/divisions.php
@@ -45,22 +45,22 @@ if (get_value_from_array($_GET, 'action') == 'edit' || get_value_from_array($_GE
 if (get_value_from_array($_POST, 'action') == 'edit') {
 if (get_value_from_array($_POST, 'id') && get_value_from_array($_POST, 'division')) {
- $q = $pdo->prepare("SELECT id FROM projectdivisions WHERE id='" . $_POST['id'] . "' AND year='" . $config['FAIRYEAR'] . "'");
- $q->execute();
+ $q = $pdo->prepare("SELECT id FROM projectdivisions WHERE id=? AND year=?");
+ $q->execute([$_POST['id'],$config['FAIRYEAR']]);
 if ($q->rowCount() && $_POST['saveid'] != $_POST['id']) {
 echo error(i18n('Division ID %1 already exists', array($_POST['id']), array('division ID')));
 } else {
 $stmt = $pdo->prepare('UPDATE projectdivisions SET '
- . "id='" . $_POST['id'] . "', "
- . "division='" . stripslashes($_POST['division']) . "', "
- . "division_shortform='" . stripslashes($_POST['division_shortform']) . "' "
- . "WHERE id='" . $_POST['saveid'] . "' AND year='{$config['FAIRYEAR']}'");
- $stmt->execute();
+ . "id=?, "
+ . "division=?, "
+ . "division_shortform=?"
+ . "WHERE id=? AND year=?");
+ $stmt->execute([$_POST['id'],stripslashes($_POST['division']),stripslashes($_POST['division_shortform']),$_POST['saveid'],$config['FAIRYEAR']]);
 // ###### Feature Specific - filtering divisions by category
 if ($config['filterdivisionbycategory'] == 'yes') {
- $stmt = $pdo->prepare("DELETE FROM projectcategoriesdivisions_link WHERE projectdivisions_id='" . $_POST['saveid'] . "' AND year='" . $config['FAIRYEAR'] . "'");
- $stmt->execute();
+ $stmt = $pdo->prepare("DELETE FROM projectcategoriesdivisions_link WHERE projectdivisions_id=? AND year=?");
+ $stmt->execute([ $_POST['saveid'],$config['FAIRYEAR']]);
 if (is_array($_POST['divcat'])) {
 foreach ($_POST['divcat'] as $tempcat) {
 $stmt = $pdo->prepare('INSERT INTO projectcategoriesdivisions_link (projectdivisions_id,projectcategories_id,year) VALUES ( '
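Review bot: The concatenation `"division_shortform=?" . "WHERE id=? AND year=?"` dropped the trailing space that the removed line carried, so the statement text becomes `division_shortform=?WHERE id=?`; under emulated prepares that is rendered as `'…'WHERE`, and whether MySQL tolerates it depends on the driver mode, so restore the space: `. "division_shortform=? "`. Binding stops injection, but the new `id` and `saveid` go to the database as raw `$_POST` strings; an `intval()` on both before the `execute()` call would keep the key column's domain intact and make the duplicate check above compare like with like.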
diff --git a/config/divisions_cwsf.php b/config/divisions_cwsf.php index 46accfe8..cc68b9c3 100644 --- a/config/divisions_cwsf.php +++ b/config/divisions_cwsf.php @@ -35,8 +35,8 @@ send_header('CWSF Project Divisions', // //// FIX ME!!!!! if (count(get_value_from_array($_POST, 'cwsfdivision', []))) { foreach ($_POST['cwsfdivision'] AS $k => $v) { - $stmt = $pdo->prepare("UPDATE projectdivisions SET cwsfdivisionid='$v' WHERE id='$k' AND year='" . $config['FAIRYEAR'] . "'"); - $stmt->execute(); + $stmt = $pdo->prepare("UPDATE projectdivisions SET cwsfdivisionid=? WHERE id=? AND year=?"); + $stmt->execute([$v,$k,$config['FAIRYEAR']]); } echo happy(i18n('Corresponding CWSF divisions saved')); } @@ -53,8 +53,8 @@ echo '\n"; echo '\n"; echo ''; -$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY id"); -$q->execute(); +$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year=? ORDER BY id"); +$q->execute([$config['FAIRYEAR']]); while ($r = $q->fetch(PDO::FETCH_OBJ)) { echo ''; echo ' '; diff --git a/config/languagepacks.php b/config/languagepacks.php index 3b86a000..e85b1f0e 100644 --- a/config/languagepacks.php +++ b/config/languagepacks.php @@ -88,7 +88,7 @@ if (get_value_from_array($_GET, 'action') == 'install' && get_value_from_array($ $packs = loadLanguagePacks(); $loaded = 0; if ($packs[$_GET['install']]) { - $lines = file("http://www.sfiab.ca/languages/{$packs[$_GET['install']]['filename']}"); + $lines = file("http://www.sfiab.ca/languages/?"); $totallines = count($lines); $numtranslations = round($totallines / 2); echo i18n('There are %1 translations in this language pack... processing...', array($numtranslations)); 
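Review bot: The `?` placeholder has been written into an HTTP URL rather than a SQL statement: `file("http://www.sfiab.ca/languages/?")` fetches a directory index (or nothing) instead of the pack, and the filename that used to be interpolated here is now handed to `execute()` in the next hunk, where no placeholder exists. Restore the interpolation on this line — `$lines = file("http://www.sfiab.ca/languages/{$packs[$_GET['install']]['filename']}");` — and leave the statement lines below it unparameterised. Separately, the lines fetched here are executed as SQL verbatim by the loop that follows, over plaintext HTTP; that predates this commit, but while this line is being touched an `https://` URL is the minimum protection against a tampered pack.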
@@ -98,7 +98,7 @@ if (get_value_from_array($_GET, 'action') == 'install' && get_value_from_array($
 if (substr($line, 0, 6) == 'UPDATE' || substr($line, 0, 6) == 'INSERT') {
 $stmt = $pdo->prepare($line);
- $stmt->execute();
+ $stmt->execute([$packs[$_GET['install']]['filename']]);
 $a = $pdo->rowwCount();
 $loaded += $a;
 } else
diff --git a/config/pagetexts.php b/config/pagetexts.php
index ac0746ee..2a236b4a 100644
--- a/config/pagetexts.php
+++ b/config/pagetexts.php
@@ -43,8 +43,8 @@ while($r=$q->fetch(PDO::FETCH_OBJ)) {
 foreach($config['languages'] AS $lang=>$langname) {
- $q_current = $pdo->prepare("SELECT * FROM pagetext WHERE year=".$pdo->quote($config['FAIRYEAR'])." and textname=".$pdo->quote($r->textname)."");
- $q_current->execute();
+ $q_current = $pdo->prepare("SELECT * FROM pagetext WHERE year=? and textname=?");
+ $q_current->execute([$pdo->quote($config['FAIRYEAR']),$pdo->quote($r->textname)]);
 if ($q_current->rowCount() == 0) {
 $q1 = $pdo->prepare("INSERT INTO pagetext (`textname`,`textdescription`,`text`,`year`,`lang`) VALUES (
@@ -82,8 +82,8 @@ if(get_value_from_array($_GET, 'textname')) {
- $q=$pdo->prepare("SELECT * FROM pagetext WHERE textname='".$_GET['textname']."' AND year='".$config['FAIRYEAR']."'");
- $q->execute();
+ $q=$pdo->prepare("SELECT * FROM pagetext WHERE textname=? AND year=?");
+ $q->execute([$_GET['textname'],$config['FAIRYEAR']]);
 //needs to be at least one entry in any languages
 if($r=$q->fetch(PDO::FETCH_OBJ)) {
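Review bot: `$stmt->execute([$packs[$_GET['install']]['filename']])` passes one parameter to a statement prepared from a raw pack line that contains no `?` placeholder, so PDO rejects every UPDATE/INSERT with a parameter-count mismatch and nothing is loaded; the call must be `$stmt->execute();` with no arguments (the filename belongs in the URL two hunks up). On the untouched context line, `$pdo->rowwCount()` is not a method of `PDO` — the affected-row count comes from `$stmt->rowCount()` — so as it stands the loop would throw before `$loaded` is ever incremented; that defect predates the commit but sits on the same statement. Because these lines are executed verbatim from a downloaded file, restricting the accepted prefixes to the two expected statement shapes is the only guard this loop has and is worth keeping strict.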
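Review bot: `$pdo->quote()` wraps its argument in single quotes (and escapes it), and the result is then bound as a parameter, so the query compares `year` with a string that includes the quote characters and never matches — every page text will look missing and the INSERT branch below will run on each visit. Bind the raw values instead: `$q_current->execute([$config['FAIRYEAR'], $r->textname]);`. `quote()` and placeholders are alternatives; using both double-escapes the value.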
@@ -93,14 +93,14 @@ foreach($config['languages'] AS $lang=>$langname) {
- $q=$pdo->prepare("SELECT * FROM pagetext WHERE textname='".$_GET['textname']."' AND year='".$config['FAIRYEAR']."' AND lang='$lang'");
- $q->execute();
+ $q=$pdo->prepare("SELECT * FROM pagetext WHERE textname=? AND year=? AND lang=?");
+ $q->execute([$_GET['textname'],$config['FAIRYEAR'],$lang]);
 $r=$q->fetch(PDO::FETCH_OBJ);
 if(!$r) {
- $stmt = $pdo->prepare("INSERT INTO pagetext (textname,year,lang) VALUES ('".$pdo->quote($_GET['textname'])."','".$config['FAIRYEAR']."','$lang')");
- $stmt->execute();
+ $stmt = $pdo->prepare("INSERT INTO pagetext (textname,year,lang) VALUES (?,?,?)");
+ $stmt->execute([$pdo->quote($_GET['textname']),$config['FAIRYEAR'],$lang]);
 show_pdo_errors_if_any($pdo);
 }
@@ -140,8 +140,8 @@ echo i18n("Choose a page text to edit");
 echo "
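Review bot: The INSERT binds `$pdo->quote($_GET['textname'])`, so the stored `textname` carries literal surrounding quotes and will never equal the plain value that the SELECT two lines above binds — the row is re-created on every request and never found. Pass the value unquoted: `$stmt->execute([$_GET['textname'],$config['FAIRYEAR'],$lang]);`. Since this inserts a row named directly by a GET parameter, checking `textname` against the set of known page-text names before the loop would stop a crafted URL from creating arbitrary rows; nothing in the hunk constrains it.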
';
@@ -535,9 +535,9 @@ function print_award(&$r, $fairs_id, $editor = false, $editor_data = array())
 winners
 LEFT JOIN projects ON projects.id=winners.projects_id
 WHERE
- winners.awards_prizes_id='{$pr->id}'
- $fairs_where ");
- $cq->execute();
+ winners.awards_prizes_id=?
+ ? ");
+ $cq->execute([$pr->id,$fairs_where]);
 show_pdo_errors_if_any($pdo);
 $count = $cq->rowCount();
 // echo "winners=$count";
diff --git a/app/projectinfo.php b/app/projectinfo.php
index eec7982a..8cc98aac 100644
--- a/app/projectinfo.php
+++ b/app/projectinfo.php
@@ -32,8 +32,8 @@ require ('../common.inc.php');
 global $pdo;
 // first, lets make sure someone isng tryint to see something that they arent allowed to!
-$q = $pdo->prepare("SELECT (NOW()>='" . $config['dates']['postparticipants'] . "') AS test");
-$q->execute();
+$q = $pdo->prepare("SELECT (NOW()>=?) AS test");
+$q->execute([$config['dates']['postparticipants']]);
 $r = $q->fetch(PDO::FETCH_OBJ);
 $pn = trim($_GET['n']);
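Review bot: `$fairs_where` is an optional `AND …` fragment, so binding it through `? "` yields `WHERE winners.awards_prizes_id=? 'AND …'` — a stray string literal after the condition, which native prepares reject — and the per-fair winner count is lost. Keep the fragment in the statement text and bind only the id: `winners.awards_prizes_id=? $fairs_where ");` with `$cq->execute([$pr->id]);`. `print_award` continues outside the hunk, where `$fairs_where` is presumably derived from the `$fairs_id` parameter; that derivation is what has to stay free of request strings.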
@@ -56,20 +56,21 @@ if ($r->test) {
 LEFT JOIN projectcategories ON projectcategories.id=projects.projectcategories_id
 LEFT JOIN projectdivisions ON projectdivisions.id=projects.projectdivisions_id
 WHERE
- registrations.year='" . $config['FAIRYEAR'] . "'
- AND projectcategories.year='" . $config['FAIRYEAR'] . "'
- AND projectdivisions.year='" . $config['FAIRYEAR'] . "'
+ registrations.year=?
+ AND projectcategories.year=?
+ AND projectdivisions.year=?
 AND (status='complete' OR status='paymentpending')
- AND projects.projectnumber='$pn'
+ AND projects.projectnumber=?
 LIMIT 1 ");
+ $q->execute([$config['FAIRYEAR'],$config['FAIRYEAR'],$config['FAIRYEAR'],$pn]);
 show_pdo_errors_if_any($pdo);
 $r = $q->fetch(PDO::FETCH_ASSOC);
 $regid = $r['reg_id'];
- $q2 = $pdo->prepare("SELECT firstname,lastname,webfirst,weblast,schools.school FROM students JOIN schools ON students.schools_id=schools.id WHERE registrations_id='$regid' ORDER BY lastname");
- $q2->execute();
+ $q2 = $pdo->prepare("SELECT firstname,lastname,webfirst,weblast,schools.school FROM students JOIN schools ON students.schools_id=schools.id WHERE registrations_id=? ORDER BY lastname");
+ $q2->execute([$regid]);
 $students = '';
 while ($stud = $q2->fetch(PDO::FETCH_OBJ)) {
 if ($stud->webfirst == 'yes')
diff --git a/app/projectlist.php b/app/projectlist.php
index 4f728e62..e0b2f425 100644
--- a/app/projectlist.php
+++ b/app/projectlist.php
@@ -31,8 +31,8 @@ require ('../common.inc.php');
 global $pdo;
 // first, lets make sure someone isnt trying to see something that they arent allowed to!
-$q = $pdo->prepare("SELECT (NOW()>='" . $config['dates']['postparticipants'] . "') AS test");
-$q->execute();
+$q = $pdo->prepare("SELECT (NOW()>=?) AS test");
+$q->execute([$config['dates']['postparticipants']]);
 $r = $q->fetch(PDO::FETCH_OBJ);
 if ($r->test) {
@@ -52,16 +52,16 @@ if ($r->test) {
 LEFT JOIN projectdivisions ON projectdivisions.id=projects.projectdivisions_id
 WHERE 1
- AND registrations.year='" . $config['FAIRYEAR'] . "'
- AND projectcategories.year='" . $config['FAIRYEAR'] . "'
- AND projectdivisions.year='" . $config['FAIRYEAR'] . "'
+ AND registrations.year=?
+ AND projectcategories.year=?
+ AND projectdivisions.year=?
 AND (status='complete' OR status='paymentpending')
 ORDER BY projectcategories.id, projectdivisions.id, projects.projectnumber ");
- $q->execute();
+ $q->execute([$config['FAIRYEAR'],$config['FAIRYEAR'],$config['FAIRYEAR']]);
 show_pdo_errors_if_any($pdo);
 $lastcat = 'something_that_does_not_exist';
diff --git a/app/projects.php b/app/projects.php
index 41d50207..ba8a5108 100644
--- a/app/projects.php
+++ b/app/projects.php
@@ -31,8 +31,8 @@ require ('../common.inc.php');
 global $pdo;
 // first, lets make sure someone isnt trying to see something that they arent allowed to!
-$q = $pdo->prepare("SELECT (NOW()>='" . $config['dates']['postparticipants'] . "') AS test");
-$q->execute();
+$q = $pdo->prepare("SELECT (NOW()>=?) AS test");
+$q->execute([$config['dates']['postparticipants']]);
 $r = $q->fetch(PDO::FETCH_OBJ);
 $ret = array();
@@ -56,16 +56,16 @@ if ($r->test) {
 LEFT JOIN projectdivisions ON projectdivisions.id=projects.projectdivisions_id
 WHERE 1
- AND registrations.year='" . $config['FAIRYEAR'] . "'
- AND projectcategories.year='" . $config['FAIRYEAR'] . "'
- AND projectdivisions.year='" . $config['FAIRYEAR'] . "'
+ AND registrations.year=?
+ AND projectcategories.year=?
+ AND projectdivisions.year=?
 AND (status='complete' OR status='paymentpending')
 ORDER BY projectcategories.id, projectdivisions.id, projects.projectnumber ");
- $q->execute();
+ $q->execute([$config['FAIRYEAR'],$config['FAIRYEAR'],$config['FAIRYEAR']]);
 show_pdo_errors_if_any($pdo);
 $lastcat = 'something_that_does_not_exist';
diff --git a/config/backuprestore.php b/config/backuprestore.php
index 555c775c..894fbf99 100644
--- a/config/backuprestore.php
+++ b/config/backuprestore.php
@@ -40,13 +40,13 @@ if (get_value_from_array($_GET, 'action') == 'backup') {
 $dump .= '#SFIAB FAIR NAME: ' . $config['fairname'] . "\n";
 $dump .= "#-------------------------------------------------\n";
- $tableq = $pdo->prepare("SHOW TABLES FROM `$DBNAME`");
- $tableq->execute();
+ $tableq = $pdo->prepare("SHOW TABLES FROM ?");
+ $tableq->execute($DBNAME);
 while ($tr = $tableq->fetch(PDO::FETCH_NUM)) {
 $table = $tr[0];
 $dump .= "#TABLE: $table\n";
- $columnq = $pdo->prepare("SHOW COLUMNS FROM `$table`");
- $columnq->execute();
+ $columnq = $pdo->prepare("SHOW COLUMNS FROM ?");
+ $columnq->execute($table);
 $str = "INSERT INTO `$table` (";
 unset($fields);
 $fields = array();
@@ -57,8 +57,8 @@ if (get_value_from_array($_GET, 'action') == 'backup') {
 $str = substr($str, 0, -1);
 $str .= ') VALUES (';
- $dataq = $pdo->prepare("SELECT * FROM `$table` ORDER BY `{$fields[0]}`");
- $dataq->execute();
+ $dataq = $pdo->prepare("SELECT * FROM `$table` ORDER BY ?");
+ $dataq->execute([$fields[0]]);
 while ($data = $dataq->fetch(PDO::FETCH_OBJ)) {
 $insertstr = $str;
 foreach ($fields AS $field) {
@@ -171,25 +171,25 @@ if (get_value_from_array($_GET, 'action') == 'backup') {
 if (mb_ereg('^[a-z0-9]{32}$', $_POST['realfilename']) && file_exists('../data/backuprestore/' . $_POST['realfilename'])) {
 $filename = $_POST['realfilename'];
 echo i18n('Proceeding with database restore from %1', array($_POST['filename'])) . '...';
- $lines = file("../data/backuprestore/$filename");
+ $lines = file("../data/backuprestore/?");
 $err = false;
 echo '
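Review bot: Schema and table names cannot be bound as parameters: `SHOW TABLES FROM ?` and `SHOW COLUMNS FROM ?` are invalid statement text, and `execute($DBNAME)` / `execute($table)` pass a string where `PDOStatement::execute()` takes an array, which is a `TypeError` on PHP 8 — the backup action fails at its first query. Keep the identifiers in the statement, backtick-quoted as the removed lines did, and call `execute()` with no arguments; `$DBNAME` is configuration and `$table` comes from the server's own `SHOW TABLES` output, so neither is request-controlled as far as this hunk shows. If that ever changes, a `preg_match('/^[A-Za-z0-9_]+$/', $table)` check before splicing is the right control, not a placeholder.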
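Review bot: `ORDER BY ?` with `$fields[0]` bound makes the sort key a string constant, so MySQL effectively does not sort and rows come out in arbitrary order instead of by the first column — the dump still succeeds but its row order is no longer stable, which changes the backup format silently. A column name has to be spliced into the statement text, as the removed line did with `ORDER BY \`{$fields[0]}\``, and `execute()` then takes no parameters; `$fields` is filled from the `SHOW COLUMNS` result on the context lines above, so it is not user input.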
';
 		foreach ($lines AS $line) {
 			$line = trim($line);
 			if (mb_ereg('^#TABLE: (.*)', $line, $args)) {
 				// empty out the table
-				$sql = 'TRUNCATE TABLE `' . $args[1] . '`';
+				$sql = 'TRUNCATE TABLE ?';
 				//			echo $sql."\n";
 
 				$stmt = $pdo->prepare($sql);
-				$stmt->execute();
+				$stmt->execute([$args[1]]);
 			} else if (mb_ereg('^#', $line)) {
 				// just skip it
 			} else {
 				// insert the new data
 
 				$stmt = $pdo->prepare($line);
-				$stmt->execute();
+				$stmt->execute([$filename]);
 				if ($pdo->errorInfo()) {
 					echo $line . "\n";
 					echo $pdo->errorInfo() . "\n";
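Review bot: The restore path is broken in three places by this hunk: `file("../data/backuprestore/?")` opens a file literally named `?` instead of the validated `$filename`, `TRUNCATE TABLE ?` cannot bind an identifier, and `$stmt->execute([$filename])` passes a parameter to a dump line that has no placeholder, so PDO rejects every INSERT. `$filename` is already constrained to `^[a-z0-9]{32}$` on the line above the hunk, so interpolating it back is safe; the table name from the `#TABLE:` header should be pinned to `[A-Za-z0-9_]+` and spliced in backticks, and the data lines executed with no parameters since their contents are the dump itself. The dump lines are still executed verbatim, so access to this action must remain restricted to administrators; nothing in the hunk shows that check.
```php
$lines = file("../data/backuprestore/$filename");
// … unchanged: $err, <pre>, foreach/trim …
if (mb_ereg('^#TABLE: ([A-Za-z0-9_]+)$', $line, $args)) {
	// empty out the table — identifier validated above, so splicing is safe
	$stmt = $pdo->prepare('TRUNCATE TABLE `' . $args[1] . '`');
	$stmt->execute();
// … unchanged: comment-skip branch …
	$stmt = $pdo->prepare($line);
	$stmt->execute();
```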
@@ -226,13 +226,13 @@ if (get_value_from_array($_GET, 'action') == 'backup') {
 			user_purge($judge, 'judge');
 		} else {
 			// Find max year of judge
-			$max_year_query = $pdo->prepare('SELECT year FROM users WHERE uid = ' . $judge['uid'] . ' ORDER BY year DESC limit 1');
-			$max_year_query->execute();
+			$max_year_query = $pdo->prepare('SELECT year FROM users WHERE uid =? ORDER BY year DESC limit 1');
+			$max_year_query->execute([$judge['uid']]);
 			$judge_max_year = $max_year_query->fetch(PDO::FETCH_ASSOC);
 			// Grab old judge info.
 			// Old judge info consists of all entries in the database that are not the most recent for the specific judge
-			$deletable = $pdo->prepare('SELECT * FROM users WHERE uid =' . $judge['uid'] . ' AND year NOT LIKE ' . $judge_max_year['year']);
-			$deletable->execute();
+			$deletable = $pdo->prepare('SELECT * FROM users WHERE uid =? AND year NOT LIKE ?');
+			$deletable->execute([$judge['uid'],$judge_max_year['year']]);
 			// and if they have old data from previous fair years
 			if ($deletable->rowCount() > 0) {
 				// delete old data one by one
@@ -260,8 +260,8 @@ if (get_value_from_array($_GET, 'action') == 'backup') {
 		error(i18n($pdo->errorInfo()[0]));
 	}
 } else if (get_value_from_array($_POST, 'action') == 'clean_parents') {
-	$query_parents = $pdo->prepare('SELECT * FROM users WHERE types LIKE "parent" AND year !=' . $config['FAIRYEAR']);
-	$query_parents->execute();
+	$query_parents = $pdo->prepare('SELECT * FROM users WHERE types LIKE "parent" AND year !=?');
+	$query_parents->execute([$config['FAIRYEAR']]);
 	while ($parent = $query_parents->fetch(PDO::FETCH_ASSOC)) {
 		if (!is_array($parent['types'])) {
 			$parent['types'] = array($parent['types']);
diff --git a/config/categories.php b/config/categories.php
index b388e43c..911604be 100644
--- a/config/categories.php
+++ b/config/categories.php
@@ -42,21 +42,21 @@ if (get_value_from_array($_GET, 'action') == 'edit' || get_value_from_array($_GE
 if (get_value_from_array($_POST, 'action') == 'edit') {
 	// ues isset($_POST['mingrade']) instead of just $_POST['mingrade'] to allow entering 0 for kindergarden
 	if (get_value_from_array($_POST, 'id') && get_value_from_array($_POST, 'category') && isset($_POST['mingrade']) && $_POST['maxgrade']) {
-		$q = $pdo->prepare("SELECT id FROM projectcategories WHERE id='" . $_POST['id'] . "' AND year='" . $config['FAIRYEAR'] . "'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT id FROM projectcategories WHERE id=? AND year=?");
+		$q->execute([$_POST['id'],$config['FAIRYEAR']]);
 		show_pdo_errors_if_any($pdo);
 		if ($q->rowCount() && $_POST['saveid'] != $_POST['id']) {
 			echo error(i18n('Category ID %1 already exists', array($_POST['id']), array('category ID')));
 		} else {
 			$stmt = $pdo->prepare('UPDATE projectcategories SET '
-				. "id='" . $_POST['id'] . "', "
-				. "category='" . stripslashes($_POST['category']) . "', "
-				. "category_shortform='" . stripslashes($_POST['category_shortform']) . "', "
-				. "mingrade='" . $_POST['mingrade'] . "', "
-				. "maxgrade='" . $_POST['maxgrade'] . "' "
-				. "WHERE id='" . $_POST['saveid'] . "'");
+				. "id=?, "
+				. "category=?, "
+				. "category_shortform=?, "
+				. "mingrade=?, "
+				. "maxgrade=?"
+				. "WHERE id=?");
 			echo happy(i18n('Category successfully saved'));
-			$stmt->execute();
+			$stmt->execute([$_POST['id'],stripslashes($_POST['category']),stripslashes($_POST['category_shortform']),$_POST['mingrade'],$_POST['maxgrade'],$_POST['saveid']]);
 		}
 	} else {
 		echo error(i18n('All fields are required'));
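Review bot: `"maxgrade=?" . "WHERE id=?"` lost the trailing space of the removed line, so the statement reads `maxgrade=?WHERE id=?`; under emulated prepares that becomes `'12'WHERE`, and whether it parses depends on the driver mode — restore it as `. "maxgrade=? "`. `echo happy(i18n('Category successfully saved'))` is also printed before `$stmt->execute()` runs, so a failed update still reports success; move the message after the execute and check it with `show_pdo_errors_if_any($pdo)` as the SELECT above does. The UPDATE has no `year` restriction, unlike the duplicate check, which predates this commit but means `saveid` can rewrite a category belonging to another fair year.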
@@ -66,8 +66,8 @@ if (get_value_from_array($_POST, 'action') == 'edit') {
 if (get_value_from_array($_POST, 'action') == 'new') {
 	// ues isset($_POST['mingrade']) instead of just $_POST['mingrade'] to allow entering 0 for kindergarden
 	if (get_value_from_array($_POST, 'id') && $_POST['category'] && isset($_POST['mingrade']) && $_POST['maxgrade']) {
-		$q = $pdo->prepare("SELECT id FROM projectcategories WHERE id='" . $_POST['id'] . "' AND year='" . $config['FAIRYEAR'] . "'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT id FROM projectcategories WHERE id=? AND year=?");
+		$q->execute([$_POST['id'],$config['FAIRYEAR']]);
 		if ($q->rowCount()) {
 			echo error(i18n('Category ID %1 already exists', array($_POST['id']), array('category ID')));
 		} else {
@@ -89,11 +89,11 @@ if (get_value_from_array($_POST, 'action') == 'new') {
 if (get_value_from_array($_GET, 'action') == 'remove' && get_value_from_array($_GET, 'remove')) {
 	// ###### Feature Specific - filtering divisions by category - not conditional, cause even if they have the filtering turned off..if any links
 	// for this division exist they should be deleted
-	$stmt = $pdo->prepare("DELETE FROM projectcategoriesdivisions_link where projectcategories_id='" . $_GET['remove'] . "' AND year='" . $config['FAIRYEAR'] . "'");
-	$stmt->execute();
+	$stmt = $pdo->prepare("DELETE FROM projectcategoriesdivisions_link where projectcategories_id=? AND year=?");
+	$stmt->execute([$_GET['remove'],$config['FAIRYEAR']]);
 	// ####
-	$stmt = $pdo->prepare("DELETE FROM projectcategories WHERE id='" . $_GET['remove'] . "' AND year='" . $config['FAIRYEAR'] . "'");
-	$stmt->execute();
+	$stmt = $pdo->prepare("DELETE FROM projectcategories WHERE id=? AND year=?");
+	$stmt->execute([$_GET['remove'],$config['FAIRYEAR']]);
 	echo happy(i18n('Category successfully removed'));
 }
 
@@ -118,8 +118,8 @@ if (get_value_from_array($_GET, 'action') == 'edit' || get_value_from_array($_GE
 	echo '\n";
 	if (get_value_from_array($_GET, 'action') == 'edit') {
 		echo '\n";
-		$q = $pdo->prepare("SELECT * FROM projectcategories WHERE id='" . get_value_from_array($_GET, 'edit') . "' AND year='" . $config['FAIRYEAR'] . "'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT * FROM projectcategories WHERE id=? AND year=?");
+		$q->execute([get_value_from_array($_GET, 'edit'),$config['FAIRYEAR']]);
 		$categoryr = $q->fetch(PDO::FETCH_OBJ);
 		$buttontext = 'Save';
 	} else if (get_value_from_array($_GET, 'action') == 'new') {
@@ -135,8 +135,8 @@ if (get_value_from_array($_GET, 'action') == 'edit' || get_value_from_array($_GE
 	echo ' 
$r->id' . i18n('Your Division') . "' . i18n('Corresponding CWSF Division') . "
' . i18n($r->division) . '
"; - $q=$pdo->prepare("SELECT * FROM pagetext WHERE year='".$config['FAIRYEAR']."' AND lang='".$config['default_language']."' ORDER BY textname"); - $q->execute(); + $q=$pdo->prepare("SELECT * FROM pagetext WHERE year=? AND lang=? ORDER BY textname"); + $q->execute([$config['FAIRYEAR'],$config['default_language']]); echo ""; while($r=$q->fetch(PDO::FETCH_OBJ)) { diff --git a/config/rollover.php b/config/rollover.php index e537b090..dc475df4 100644 --- a/config/rollover.php +++ b/config/rollover.php @@ -66,8 +66,8 @@ function roll($currentfairyear, $newfairyear, $table, $where = '', $replace = ar */ /* Get field list for this table */ - $q = $pdo->prepare("SHOW COLUMNS IN `$table`"); - $q->execute(); + $q = $pdo->prepare("SHOW COLUMNS IN ?"); + $q->execute([$table]); show_pdo_errors_if_any($pdo); while (($c = $q->fetch(PDO::FETCH_ASSOC))) { $col[$c['Field']] = $c; @@ -91,8 +91,8 @@ function roll($currentfairyear, $newfairyear, $table, $where = '', $replace = ar $where = '1'; /* Get data */ - $q = $pdo->prepare("SELECT * FROM $table WHERE year='$currentfairyear' AND $where"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM ? WHERE year=? AND ?"); + $q->execute([$table,$currentfairyear,$where]); show_pdo_errors_if_any($pdo); $names = '`' . join('`,`', $fields) . '`'; @@ -108,8 +108,8 @@ function roll($currentfairyear, $newfairyear, $table, $where = '', $replace = ar $vals .= ',' . $pdo->quote($r[$f]); } - $stmt = $pdo->prepare("INSERT INTO `$table`(`year`,$names) VALUES ('$newfairyear'$vals)"); - $stmt->execute(); + $stmt = $pdo->prepare("INSERT INTO ?(`year`,?) VALUES (??)"); + $stmt->execute([$table,$names,$newfairyear,$vals]); show_pdo_errors_if_any($pdo); } } @@ -134,8 +134,8 @@ if (get_value_from_array($_POST, 'action') == 'rollover' && get_value_from_array // now the dates echo i18n('Rolling dates') . '
'; - $q = $pdo->prepare("SELECT DATE_ADD(date,INTERVAL 365 DAY) AS newdate,name,description FROM dates WHERE year='$currentfairyear'"); - $q->execute(); + $q = $pdo->prepare("SELECT DATE_ADD(date,INTERVAL 365 DAY) AS newdate,name,description FROM dates WHERE year=?"); + $q->execute([$currentfairyear]); show_pdo_errors_if_any($pdo); while ($r = $q->fetch(PDO::FETCH_OBJ)) { $stmt = $pdo->prepare("INSERT INTO dates (date,name,description,year) VALUES ( @@ -149,8 +149,8 @@ if (get_value_from_array($_POST, 'action') == 'rollover' && get_value_from_array // page text echo i18n('Rolling page texts') . '
'; - $q = $pdo->prepare("SELECT * FROM pagetext WHERE year='$currentfairyear'"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM pagetext WHERE year=?"); + $q->execute([$currentfairyear]); show_pdo_errors_if_any($pdo); while ($r = $q->fetch(PDO::FETCH_OBJ)) { $stmt = $pdo->prepare("INSERT INTO pagetext (textname,textdescription,text,lastupdate,year,lang) VALUES ( @@ -166,8 +166,8 @@ if (get_value_from_array($_POST, 'action') == 'rollover' && get_value_from_array echo i18n('Rolling project categories') . '
'; // project categories - $q = $pdo->prepare("SELECT * FROM projectcategories WHERE year='$currentfairyear'"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM projectcategories WHERE year=?"); + $q->execute([$currentfairyear]); show_pdo_errors_if_any($pdo); while ($r = $q->fetch(PDO::FETCH_OBJ)) { $stmt = $pdo->prepare("INSERT INTO projectcategories (id,category,category_shortform,mingrade,maxgrade,year) VALUES ( @@ -183,8 +183,8 @@ if (get_value_from_array($_POST, 'action') == 'rollover' && get_value_from_array echo i18n('Rolling project divisions') . '
'; // project divisions - $q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year='$currentfairyear'"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year=?"); + $q->execute([$currentfairyear]); show_pdo_errors_if_any($pdo); while ($r = $q->fetch(PDO::FETCH_OBJ)) { $stmt = $pdo->prepare("INSERT INTO projectdivisions (id,division,division_shortform,cwsfdivisionid,year) VALUES ( @@ -199,8 +199,8 @@ if (get_value_from_array($_POST, 'action') == 'rollover' && get_value_from_array echo i18n('Rolling project category-division links') . '
'; // project categories divisions links - $q = $pdo->prepare("SELECT * FROM projectcategoriesdivisions_link WHERE year='$currentfairyear'"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM projectcategoriesdivisions_link WHERE year=?"); + $q->execute([$currentfairyear]); show_pdo_errors_if_any($pdo); while ($r = $q->fetch(PDO::FETCH_OBJ)) { $stmt = $pdo->prepare("INSERT INTO projectcategoriesdivisions_link (projectdivisions_id,projectcategories_id,year) VALUES ( @@ -213,8 +213,8 @@ if (get_value_from_array($_POST, 'action') == 'rollover' && get_value_from_array echo i18n('Rolling project sub-divisions') . '
'; // project subdivisions - $q = $pdo->prepare("SELECT * FROM projectsubdivisions WHERE year='$currentfairyear'"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM projectsubdivisions WHERE year=?"); + $q->execute([$currentfairyear]); show_pdo_errors_if_any($pdo); while ($r = $q->fetch(PDO::FETCH_OBJ)) { $stmt = $pdo->prepare("INSERT INTO projectsubdivisions (id,projectdivisions_id,subdivision,year) VALUES ( @@ -228,8 +228,8 @@ if (get_value_from_array($_POST, 'action') == 'rollover' && get_value_from_array echo i18n('Rolling safety questions') . '
'; // safety questions - $q = $pdo->prepare("SELECT * FROM safetyquestions WHERE year='$currentfairyear'"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM safetyquestions WHERE year=?"); + $q->execute([$currentfairyear]); show_pdo_errors_if_any($pdo); while ($r = $q->fetch(PDO::FETCH_OBJ)) { $stmt = $pdo->prepare("INSERT INTO safetyquestions (question,type,required,ord,year) VALUES ( @@ -245,8 +245,8 @@ if (get_value_from_array($_POST, 'action') == 'rollover' && get_value_from_array echo i18n('Rolling awards') . '
'; // awards - $q = $pdo->prepare("SELECT * FROM award_awards WHERE year='$currentfairyear'"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM award_awards WHERE year=?"); + $q->execute([$currentfairyear]); show_pdo_errors_if_any($pdo); while ($r = $q->fetch(PDO::FETCH_OBJ)) { /* Roll the one award */ @@ -265,8 +265,8 @@ if (get_value_from_array($_POST, 'action') == 'rollover' && get_value_from_array echo i18n('Rolling award types') . '
'; // award types - $q = $pdo->prepare("SELECT * FROM award_types WHERE year='$currentfairyear'"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM award_types WHERE year=?"); + $q->execute([$currentfairyear]); show_pdo_errors_if_any($pdo); while ($r = $q->fetch(PDO::FETCH_OBJ)) { $stmt = $pdo->prepare("INSERT INTO award_types (id,type,`order`,year) VALUES ( @@ -280,8 +280,8 @@ if (get_value_from_array($_POST, 'action') == 'rollover' && get_value_from_array echo i18n('Rolling schools') . '
'; // award types - $q = $pdo->prepare("SELECT * FROM schools WHERE year='$currentfairyear'"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM schools WHERE year=?"); + $q->execute([$currentfairyear]); show_pdo_errors_if_any($pdo); while ($r = $q->fetch(PDO::FETCH_OBJ)) { $puid = ($r->principal_uid == null) ? 'NULL' : ("'" . intval($r->principal_uid) . "'"); @@ -314,8 +314,8 @@ if (get_value_from_array($_POST, 'action') == 'rollover' && get_value_from_array } echo i18n('Rolling questions') . '
'; - $q = $pdo->prepare("SELECT * FROM questions WHERE year='$currentfairyear'"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM questions WHERE year=?"); + $q->execute([$currentfairyear]); show_pdo_errors_if_any($pdo); while ($r = $q->fetch(PDO::FETCH_OBJ)) { $stmt = $pdo->prepare("INSERT INTO questions (id,year,section,db_heading,question,type,required,ord) VALUES ( @@ -341,8 +341,8 @@ if (get_value_from_array($_POST, 'action') == 'rollover' && get_value_from_array // timeslots and rounds echo i18n('Rolling judging timeslots and rounds') . '
'; - $q = $pdo->prepare("SELECT * FROM judges_timeslots WHERE year='$currentfairyear' AND round_id='0'"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM judges_timeslots WHERE year=? AND round_id='0'"); + $q->execute([$currentfairyear]); show_pdo_errors_if_any($pdo); while ($r = $q->fetch(PDO::FETCH_ASSOC)) { $d = $newfairyear - $currentfairyear; @@ -352,8 +352,8 @@ if (get_value_from_array($_POST, 'action') == 'rollover' && get_value_from_array $stmt->execute(); show_pdo_errors_if_any($pdo); $round_id = $pdo->lastInsertId(); - $qq = $pdo->prepare("SELECT * FROM judges_timeslots WHERE round_id='{$r['id']}'"); - $qq->execute(); + $qq = $pdo->prepare("SELECT * FROM judges_timeslots WHERE round_id=?"); + $qq->execute([$r['id']]); show_pdo_errors_if_any($pdo); while ($rr = $qq->fetch(PDO::FETCH_ASSOC)) { $stmt = $pdo->prepare("INSERT INTO judges_timeslots (`year`,`round_id`,`type`,`date`,`starttime`,`endtime`) @@ -365,8 +365,8 @@ if (get_value_from_array($_POST, 'action') == 'rollover' && get_value_from_array } echo '

'; - $stmt = $pdo->prepare("UPDATE config SET val='$newfairyear' WHERE var='FAIRYEAR' AND year=0"); - $stmt->execute(); + $stmt = $pdo->prepare("UPDATE config SET val=? WHERE var='FAIRYEAR' AND year=0"); + $stmt->execute([$newfairyear]); show_pdo_errors_if_any($pdo); echo happy(i18n('Fair year has been rolled over from %1 to %2', array($currentfairyear, $newfairyear))); send_footer(); diff --git a/config/rolloverfiscal.php b/config/rolloverfiscal.php index e2a7133c..03eda941 100644 --- a/config/rolloverfiscal.php +++ b/config/rolloverfiscal.php @@ -82,8 +82,8 @@ function rolloverfiscalyear($newYear) // first we'll roll over fundraising_campaigns: $fields = '`name`,`type`,`startdate`,`enddate`,`followupdate`,`active`,`target`,`fundraising_goal`,`filterparameters`'; - $q = $pdo->prepare("SELECT $fields FROM fundraising_campaigns WHERE fiscalyear = $oldYear"); - $q->execute(); + $q = $pdo->prepare("SELECT $fields FROM fundraising_campaigns WHERE fiscalyear =?"); + $q->execute([$oldYear]); while ($pdo->errorInfo()[0] == 0 && $r = $q->fetch(PDO::FETCH_ASSOC)) { foreach (array('startdate', 'enddate', 'followupdate') as $dateField) { 
@@ -100,16 +100,16 @@ function rolloverfiscalyear($newYear) foreach ($values as $idx => $val) { $values[$idx] = $val; } - $query = 'INSERT INTO fundraising_campaigns (`' . implode('`,`', $fields) . "`) VALUES('" . implode("','", $values) . "')"; + $query = 'INSERT INTO fundraising_campaigns (?) VALUES(?)'; $stmt = $pdo->prepare($query); - $stmt->execute(); + $stmt->execute([implode('`,`', $fields),implode("','", $values)]); } // next we'll hit findraising_donor_levels $fields = '`level`,`min`,`max`,`description`'; if ($pdo->errorInfo()[0] == 0) - $q = $pdo->prepare("SELECT $fields FROM fundraising_donor_levels WHERE fiscalyear = $oldYear"); - $q->execute(); + $q = $pdo->prepare("SELECT $fields FROM fundraising_donor_levels WHERE fiscalyear =?"); + $q->execute([$oldYear]); while ($pdo->errorInfo()[0] == 0 && $r = $q->fetch(PDO::FETCH_ASSOC)) { $r['fiscalyear'] = $newYear; $fields = array_keys($r); @@ -117,16 +117,16 @@ function rolloverfiscalyear($newYear) foreach ($values as $idx => $val) { $values[$idx] = $val; } - $query = 'INSERT INTO fundraising_donor_levels (`' . implode('`,`', $fields) . "`) VALUES('" . implode("','", $values) . "')"; + $query = 'INSERT INTO fundraising_donor_levels (?) VALUES(?)'; $stmt = $pdo->prepare($query); - $stmt->execute(); + $stmt->execute([implode('`,`', $fields),implode("','", $values)]); } // and now we'll do findraising_goals $fields = '`goal`,`name`,`description`,`system`,`budget`,`deadline`'; if ($pdo->errorInfo()[0] == 0) { - $q = $pdo->prepare("SELECT $fields FROM fundraising_goals WHERE fiscalyear = $oldYear"); - $q->execute(); + $q = $pdo->prepare("SELECT ? FROM fundraising_goals WHERE fiscalyear =?"); + $q->execute([$fields,$oldYear]); } while ($pdo->errorInfo()[0] == 0 && $r = $q->fetch(PDO::FETCH_ASSOC)) { $dateval = $r['deadline']; 
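Review bot: The braceless `if ($pdo->errorInfo()[0] == 0)` in this hunk guards only the donor-levels `$pdo->prepare(...)`; the new `$q->execute([$oldYear]);` line sits outside it and runs even after an earlier failure, against whatever statement `$q` still holds. Wrap both lines in braces the way the `fundraising_goals` block below already does: `if ($pdo->errorInfo()[0] == 0) {` … `}`. For the `INSERT INTO fundraising_campaigns (?) VALUES(?)` line, a column list and a value list cannot be bound as single parameters; since `$fields` appears to be taken from the fetched row (as it visibly is for donor levels via `array_keys($r)`), build the column list with `implode` over `$fields` as the removed line did, build the VALUES list from `implode(',', array_fill(0, count($values), '?'))`, and pass `array_values($values)` to `execute()`. rolloverfiscalyear() starts before this hunk.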
@@ -142,15 +142,15 @@ function rolloverfiscalyear($newYear) foreach ($values as $idx => $val) { $values[$idx] = $val; } - $query = 'INSERT INTO fundraising_goals (`' . implode('`,`', $fields) . "`) VALUES('" . implode("','", $values) . "')"; + $query = 'INSERT INTO fundraising_goals (?) VALUES(?)'; $stmt = $pdo->prepare($query); - $stmt->execute(); + $stmt->execute([implode('`,`', $fields),implode("','", $values)]); } // finally, let's update the fiscal year itself: if ($pdo->errorInfo()[0] == 0) { - $stmt = $pdo->prepare("UPDATE config SET val='$newYear' WHERE var='FISCALYEAR'"); - $stmt->execute(); + $stmt = $pdo->prepare("UPDATE config SET val=? WHERE var='FISCALYEAR'"); + $stmt->execute([$newYear]); } if ($pdo->errorInfo()[0] == 0) { diff --git a/config/safetyquestions.php b/config/safetyquestions.php index 320e54c2..35e335d1 100644 --- a/config/safetyquestions.php +++ b/config/safetyquestions.php @@ -67,8 +67,8 @@ if (get_value_from_array($_POST, 'action') == 'new') { } if (get_value_from_array($_GET, 'action') == 'remove' && get_value_from_array($_GET, 'remove')) { - $stmt = $pdo->prepare("DELETE FROM safetyquestions WHERE id='" . $_GET['remove'] . "' AND year='" . $config['FAIRYEAR'] . "'"); - $stmt->execute(); + $stmt = $pdo->prepare("DELETE FROM safetyquestions WHERE id=? AND year=?"); + $stmt->execute([$_GET['remove'],$config['FAIRYEAR']]); echo happy(i18n('Safety question successfully removed')); } @@ -82,8 +82,8 @@ if ((get_value_from_array($_GET, 'action') == 'edit' && get_value_from_array($_G } else if ($_GET['action'] == 'edit') { $buttontext = 'Save safety question'; echo "\n"; - $q = $pdo->prepare("SELECT * FROM safetyquestions WHERE id='" . $_GET['edit'] . "' AND year='" . $config['FAIRYEAR'] . "'"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM safetyquestions WHERE id=? AND year=?"); + $q->execute([$_GET['edit'],$config['FAIRYEAR'] ]); echo '\n"; if (!$r = $q->fetch(PDO::FETCH_OBJ)) { $showform = false; @@ -141,8 +141,8 @@ echo '
'; echo '' . i18n('Add new safety question') . ''; echo '
".i18n("Page Text Description")."".i18n("Last Update")."
'; -$q = $pdo->prepare("SELECT * FROM safetyquestions WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY ord"); -$q->execute(); +$q = $pdo->prepare("SELECT * FROM safetyquestions WHERE year=? ORDER BY ord"); +$q->execute([$config['FAIRYEAR']]); echo ''; while ($r = $q->fetch(PDO::FETCH_OBJ)) { echo ''; diff --git a/judge.inc.php b/judge.inc.php index 2089b762..60b3180e 100644 --- a/judge.inc.php +++ b/judge.inc.php @@ -85,16 +85,16 @@ function judge_status_questions($u) */ global $config, $pdo; // get the questions we're looking for - $q = $pdo->prepare('SELECT id FROM questions WHERE year=' . $config['FAIRYEAR'] . " AND required='yes'"); - $q->execute([]); + $q = $pdo->prepare('SELECT id FROM questions WHERE year=?'"AND required='yes'"); + $q->execute([$config['FAIRYEAR']]); $idList = array(); while ($row = $q->fetch(PDO::FETCH_ASSOC)) $idList[] = $row['id']; $rval = 'complete'; if (count($idList)) { - $q = $pdo->prepare('SELECT COUNT(*) AS tally FROM question_answers WHERE questions_id IN(' . implode(',', $idList) . ') AND users_id=' . $u['id'] . ' AND answer IS NOT NULL'); - $q->execute(); + $q = $pdo->prepare('SELECT COUNT(*) AS tally FROM question_answers WHERE questions_id IN(?) AND users_id=? AND answer IS NOT NULL'); + $q->execute([implode(',', $idList),$u['id']]); $row = $q->fetch(PDO::FETCH_ASSOC); if (intval($row['tally']) != count($idList)) $rval = 'incomplete';
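Review bot: `$pdo->prepare('SELECT id FROM questions WHERE year=?'"AND required='yes'")` is a PHP parse error — two string literals sit next to each other with no `.` between them — so every page that includes judge.inc.php stops working; it should be one literal, `"SELECT id FROM questions WHERE year=? AND required='yes'"`. The `IN(?)` query further down binds the imploded id list as a single string, which is compared as one value rather than as a list, so the tally can match at most one question and `$rval` ends up 'incomplete' whenever more than one question is required. Build one placeholder per id and bind `$u['id']` after them, as below; the enclosing `if (count($idList))` closes outside the hunk.
```php
	$q = $pdo->prepare("SELECT id FROM questions WHERE year=? AND required='yes'");
	$q->execute([$config['FAIRYEAR']]);
	// … unchanged: collecting $idList …
	if (count($idList)) {
		// one placeholder per id: a single bound string is not a list
		$placeholders = implode(',', array_fill(0, count($idList), '?'));
		$q = $pdo->prepare("SELECT COUNT(*) AS tally FROM question_answers WHERE questions_id IN($placeholders) AND users_id=? AND answer IS NOT NULL");
		$q->execute(array_merge($idList, [$u['id']]));
		// … unchanged: tally comparison …
```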
' . i18n('Ord') . '' . i18n('Question') . '' . i18n('Type') . '' . i18n('Required') . '' . i18n('Actions') . '