diff --git a/admin/judges.inc.php b/admin/judges.inc.php index ac6f79d0..6f46aee6 100644 --- a/admin/judges.inc.php +++ b/admin/judges.inc.php @@ -8,10 +8,10 @@ function getJudgingTeams() FROM judges_teams WHERE - judges_teams.year='" . $config['FAIRYEAR'] . "' + judges_teams.year=? ORDER BY num,name"); - $q->execute(); + $q->execute([$config['FAIRYEAR']]); $lastteamid = -1; $lastteamnum = -1; @@ -28,8 +28,8 @@ function getJudgingTeams() $rounds = array(); $tq = $pdo->prepare("SELECT * FROM judges_teams_timeslots_link LEFT JOIN judges_timeslots ON judges_timeslots.id=judges_teams_timeslots_link.judges_timeslots_id - WHERE judges_teams_timeslots_link.judges_teams_id='{$r->id}'"); - $tq->execute(); + WHERE judges_teams_timeslots_link.judges_teams_id=?"); + $tq->execute([$r->id]); $teams[$r->id]['timeslots'] = array(); $teams[$r->id]['rounds'] = array(); @@ -39,8 +39,8 @@ function getJudgingTeams() } foreach ($rounds as $round_id) { - $tq = $pdo->prepare("SELECT * FROM judges_timeslots WHERE id='{$round_id}'"); - $tq->execute(); + $tq = $pdo->prepare("SELECT * FROM judges_timeslots WHERE id=?"); + $tq->execute([$round_id]); $teams[$r->id]['rounds'][] = $tq->fetch(PDO::FETCH_ASSOC); } @@ -55,12 +55,12 @@ function getJudgingTeams() judges_teams_link WHERE judges_teams_link.users_id=users.id AND - judges_teams_link.judges_teams_id='$r->id' + judges_teams_link.judges_teams_id=? ORDER BY captain DESC, lastname, firstname"); - $mq->execute(); + $mq->execute([$r->id]); show_pdo_errors_if_any($pdo); $teamlangs = array(); @@ -87,9 +87,9 @@ function getJudgingTeams() $lq = $pdo->prepare("SELECT projects.language FROM judges_teams_timeslots_projects_link LEFT JOIN projects ON judges_teams_timeslots_projects_link.projects_id=projects.id - WHERE judges_teams_timeslots_projects_link.year='{$config['FAIRYEAR']}' AND - judges_teams_id='$r->id' AND language!='' "); - $lq->execute(); + WHERE judges_teams_timeslots_projects_link.year=? AND + judges_teams_id=? AND language!='' "); + $lq->execute([$config['FAIRYEAR'],$r->id]); show_pdo_errors_if_any($pdo); $projectlangs = array(); while ($lr = $lq->fetch(PDO::FETCH_OBJ)) { @@ -113,13 +113,13 @@ function getJudgingTeams() award_types WHERE judges_teams_awards_link.award_awards_id=award_awards.id - AND judges_teams_awards_link.judges_teams_id='$r->id' + AND judges_teams_awards_link.judges_teams_id=? AND award_awards.award_types_id=award_types.id - AND award_types.year='{$config['FAIRYEAR']}' + AND award_types.year=? ORDER BY name "); - $aq->execute(); + $aq->execute([$r->id,$config['FAIRYEAR']]); while ($ar = $aq->fetch(PDO::FETCH_OBJ)) { $teams[$r->id]['awards'][] = array( 'id' => $ar->id, @@ -144,13 +144,13 @@ function getJudgingTeam($teamid) FROM judges_teams WHERE - judges_teams.year='" . $config['FAIRYEAR'] . "' AND - judges_teams.id='$teamid' + judges_teams.year=? AND + judges_teams.id=? ORDER BY num, name "); - $q->execute(); + $q->execute([$config['FAIRYEAR'],$teamid]); $team = array(); @@ -172,12 +172,12 @@ function getJudgingTeam($teamid) judges_teams_link WHERE judges_teams_link.users_id=users.id AND - judges_teams_link.judges_teams_id='$r->id' + judges_teams_link.judges_teams_id=? ORDER BY captain DESC, lastname, firstname"); - $mq->execute(); + $mq->execute([$r->id]); show_pdo_errors_if_any($pdo); while ($mr = $mq->fetch(PDO::FETCH_OBJ)) { @@ -200,13 +200,13 @@ function getJudgingTeam($teamid) award_types WHERE judges_teams_awards_link.award_awards_id=award_awards.id - AND judges_teams_awards_link.judges_teams_id='$r->id' + AND judges_teams_awards_link.judges_teams_id=? AND award_awards.award_types_id=award_types.id - AND award_types.year='{$config['FAIRYEAR']}' + AND award_types.year=? ORDER BY name "); - $aq->execute(); + $aq->execute([$r->id,$config['FAIRYEAR']]); while ($ar = $aq->fetch(PDO::FETCH_OBJ)) { $team['awards'][] = array( 'id' => $ar->id, @@ -248,11 +248,11 @@ function judges_load_all() $ret = array(); $query = "SELECT id FROM users WHERE types LIKE '%judge%' - AND year='{$config['FAIRYEAR']}' + AND year=? AND deleted='no' ORDER BY lastname, firstname"; $r = $pdo->prepare($query); - $r->execute(); + $r->execute([$config['FAIRYEAR']]); while ($i = $r->fetch(PDO::FETCH_ASSOC)) { $u = user_load($i['id']); if ($u['judge_complete'] == 'no') diff --git a/admin/judges_teams.php b/admin/judges_teams.php index 822a3df3..75e06575 100644 --- a/admin/judges_teams.php +++ b/admin/judges_teams.php @@ -40,16 +40,16 @@ if (get_value_from_array($_POST, 'action')) if ($action == 'delete' && get_value_from_array($_GET, 'delete')) { // ALSO DELETE: team members, timeslots, projects, awards - $stmt = $pdo->prepare("DELETE FROM judges_teams_link WHERE judges_teams_id='" . $_GET['delete'] . "' AND year='" . $config['FAIRYEAR'] . "'"); - $stmt->execute(); - $stmt = $pdo->prepare("DELETE FROM judges_teams_timeslots_link WHERE judges_teams_id='" . $_GET['delete'] . "' AND year='" . $config['FAIRYEAR'] . "'"); - $stmt->execute(); - $stmt = $pdo->prepare("DELETE FROM judges_teams_timeslots_projects_link WHERE judges_teams_id='" . $_GET['delete'] . "' AND year='" . $config['FAIRYEAR'] . "'"); - $stmt->execute(); - $stmt = $pdo->prepare("DELETE FROM judges_teams_awards_link WHERE judges_teams_id='" . $_GET['delete'] . "' AND year='" . $config['FAIRYEAR'] . "'"); - $stmt->execute(); - $stmt = $pdo->prepare("DELETE FROM judges_teams WHERE id='" . $_GET['delete'] . "' AND year='" . $config['FAIRYEAR'] . "'"); - $stmt->execute(); + $stmt = $pdo->prepare("DELETE FROM judges_teams_link WHERE judges_teams_id=? AND year=?"); + $stmt->execute([$_GET['delete'],$config['FAIRYEAR']]); + $stmt = $pdo->prepare("DELETE FROM judges_teams_timeslots_link WHERE judges_teams_id=? AND year=?"); + $stmt->execute([$_GET['delete'],$config['FAIRYEAR']]); + $stmt = $pdo->prepare("DELETE FROM judges_teams_timeslots_projects_link WHERE judges_teams_id=? AND year=?"); + $stmt->execute([$_GET['delete'],$config['FAIRYEAR']]); + $stmt = $pdo->prepare("DELETE FROM judges_teams_awards_link WHERE judges_teams_id=? AND year=?"); + $stmt->execute([$_GET['delete'],$config['FAIRYEAR']]); + $stmt = $pdo->prepare("DELETE FROM judges_teams WHERE id=? AND year=?"); + $stmt->execute([$_GET['delete'],$config['FAIRYEAR']]); message_push(happy(i18n('Judge team successfully removed, and all of its corresponding members, timeslots, projects and awards unlinked from team'))); } @@ -58,25 +58,26 @@ if (get_value_or_default($action) == 'deletealldivisional') { FROM \t judges_teams WHERE - year='" . $config['FAIRYEAR'] . "' + year=? AND autocreate_type_id='1' "); + $q2->execute([$config['FAIRYEAR']]); show_pdo_errors_if_any($pdo); $numdeleted = 0; while ($r2 = $q2->fetch(PDO::FETCH_OBJ)) { // okay now we can start deleting things! whew! // first delete any linkings to the team - $stmt = $pdo->prepare("DELETE FROM judges_teams_link WHERE judges_teams_id='$r2->id' AND year='" . $config['FAIRYEAR'] . "'"); - $stmt->execute(); - $stmt = $pdo->prepare("DELETE FROM judges_teams_timeslots_link WHERE judges_teams_id='$r2->id' AND year='" . $config['FAIRYEAR'] . "'"); - $stmt->execute(); - $stmt = $pdo->prepare("DELETE FROM judges_teams_timeslots_projects_link WHERE judges_teams_id='$r2->id' AND year='" . $config['FAIRYEAR'] . "'"); - $stmt->execute(); - $stmt = $pdo->prepare("DELETE FROM judges_teams_awards_link WHERE judges_teams_id='$r2->id' AND year='" . $config['FAIRYEAR'] . "'"); - $stmt->execute(); - $stmt = $pdo->prepare("DELETE FROM judges_teams WHERE id='$r2->id' AND year='" . $config['FAIRYEAR'] . "'"); - $stmt->execute(); + $stmt = $pdo->prepare("DELETE FROM judges_teams_link WHERE judges_teams_id=? AND year=?"); + $stmt->execute([$r2->id,$config['FAIRYEAR']]); + $stmt = $pdo->prepare("DELETE FROM judges_teams_timeslots_link WHERE judges_teams_id=? AND year=?"); + $stmt->execute([$r2->id,$config['FAIRYEAR']]); + $stmt = $pdo->prepare("DELETE FROM judges_teams_timeslots_projects_link WHERE judges_teams_id=? AND year=?"); + $stmt->execute([$r2->id,$config['FAIRYEAR']]); + $stmt = $pdo->prepare("DELETE FROM judges_teams_awards_link WHERE judges_teams_id=? AND year=?"); + $stmt->execute([$r2->id,$config['FAIRYEAR']]); + $stmt = $pdo->prepare("DELETE FROM judges_teams WHERE id=? AND year=?"); + $stmt->execute([$r2->id,$config['FAIRYEAR']]); $numdeleted++; } if ($numdeleted) @@ -89,24 +90,24 @@ if (get_value_or_default($action) == 'deleteall') { $q2 = $pdo->prepare("SELECT * FROM \tjudges_teams WHERE - year='" . $config['FAIRYEAR'] . "' + year=? "); - $q2->execute(); + $q2->execute([$config['FAIRYEAR']]); $numdeleted = 0; while ($r2 = $q2->FETCH(PDO::FETCH_OBJ)) { // okay now we can start deleting things! whew! // first delete any linkings to the team - $stmt = $pdo->prepare("DELETE FROM judges_teams_link WHERE judges_teams_id='$r2->id' AND year='" . $config['FAIRYEAR'] . "'"); - $stmt->execute(); - $stmt = $pdo->prepare("DELETE FROM judges_teams_timeslots_link WHERE judges_teams_id='$r2->id' AND year='" . $config['FAIRYEAR'] . "'"); - $stmt->execute(); - $stmt = $pdo->prepare("DELETE FROM judges_teams_timeslots_projects_link WHERE judges_teams_id='$r2->id' AND year='" . $config['FAIRYEAR'] . "'"); - $stmt->execute(); - $stmt = $pdo->prepare("DELETE FROM judges_teams_awards_link WHERE judges_teams_id='$r2->id' AND year='" . $config['FAIRYEAR'] . "'"); - $stmt->execute(); - $stmt = $pdo->prepare("DELETE FROM judges_teams WHERE id='$r2->id' AND year='" . $config['FAIRYEAR'] . "'"); - $stmt->execute(); + $stmt = $pdo->prepare("DELETE FROM judges_teams_link WHERE judges_teams_id=? AND year=?"); + $stmt->execute([$r2->id,$config['FAIRYEAR']]); + $stmt = $pdo->prepare("DELETE FROM judges_teams_timeslots_link WHERE judges_teams_id=? AND year=?"); + $stmt->execute([$r2->id,$config['FAIRYEAR']]); + $stmt = $pdo->prepare("DELETE FROM judges_teams_timeslots_projects_link WHERE judges_teams_id=? AND year=?"); + $stmt->execute([$r2->id,$config['FAIRYEAR']]); + $stmt = $pdo->prepare("DELETE FROM judges_teams_awards_link WHERE judges_teams_id=? AND year=?"); + $stmt->execute([$r2->id,$config['FAIRYEAR']]); + $stmt = $pdo->prepare("DELETE FROM judges_teams WHERE id=? AND year=?"); + $stmt->execute([$r2->id,$config['FAIRYEAR']]); $numdeleted++; } if ($numdeleted) @@ -120,8 +121,8 @@ if ((get_value_or_default($action) == 'save' || $action == 'assign') && $edit) { // but when we're done, if we're "assign" then go back to edit that team // if we're save, then go back to the team list $err = false; - $q = $pdo->prepare("UPDATE judges_teams SET num='" . $_POST['team_num'] . "', name='" . (stripslashes($_POST['team_name'])) . "' WHERE id='$edit'"); - $q->execute(); + $q = $pdo->prepare("UPDATE judges_teams SET num=?, name=? WHERE id=?"); + $q->execute([ $_POST['team_num'],(stripslashes($_POST['team_name'])),$edit]); if ($pdo->errorInfo()) { $err = true; message_push(error($pdo->errorInfo())); @@ -133,8 +134,8 @@ if ((get_value_or_default($action) == 'save' || $action == 'assign') && $edit) { // the judges wouldnt know which projects to judge for which award. This doesnt apply for divisions // because the category/division is obvious based on project numbesr. A divisional judge team could easily // be assigned to do all of Comp Sci - Junior, Intermediate and Senior without any problems. - $q = $pdo->prepare("SELECT award_types.type FROM award_awards, award_types WHERE award_awards.award_types_id=award_types.id AND award_awards.id='" . $_POST['award'] . "'"); - $q->execute(); + $q = $pdo->prepare("SELECT award_types.type FROM award_awards, award_types WHERE award_awards.award_types_id=award_types.id AND award_awards.id=?"); + $q->execute([$_POST['award']]); $aw = $q->fetch(PDO::FETCHH_OBJ); $addaward = true; @@ -144,12 +145,12 @@ if ((get_value_or_default($action) == 'save' || $action == 'assign') && $edit) { award_awards, award_types WHERE - judges_teams_awards_link.judges_teams_id='$edit' + judges_teams_awards_link.judges_teams_id=? AND judges_teams_awards_link.award_awards_id=award_awards.id AND award_awards.award_types_id=award_types.id AND award_types.type='Special' "); - $q->exxecute(); + $q->exxecute([$edit]); $r = $q->fetch(PDO::FETCHH_OBJ); echo "special awards: $r->num"; if ($r->num) { @@ -162,8 +163,8 @@ if ((get_value_or_default($action) == 'save' || $action == 'assign') && $edit) { if ($addaward) { // link up the award - $stmt = $pdo->prepare("INSERT INTO judges_teams_awards_link (award_awards_id,judges_teams_id,year) VALUES ('" . $_POST['award'] . "','$edit','" . $config['FAIRYEAR'] . "')"); - $stmt->execute(); + $stmt = $pdo->prepare("INSERT INTO judges_teams_awards_link (award_awards_id,judges_teams_id,year) VALUES (?,?,?)"); + $stmt->execute([$_POST['award'],$edit,$config['FAIRYEAR']]); message_push(happy(i18n('Award assigned to team'))); } } @@ -182,8 +183,8 @@ if ((get_value_or_default($action) == 'save' || $action == 'assign') && $edit) { } if (get_value_or_default($action) == 'unassign') { - $stmt = $pdo->prepare("DELETE FROM judges_teams_awards_link WHERE judges_teams_id='$edit' AND award_awards_id='" . $_GET['unassign'] . "' AND year='" . $config['FAIRYEAR'] . "'"); - $stmt->execute(); + $stmt = $pdo->prepare("DELETE FROM judges_teams_awards_link WHERE judges_teams_id=? AND award_awards_id=? AND year=?"); + $stmt->execute([$edit,$_GET['unassign'],$config['FAIRYEAR']]); message_push(happy(i18n('Award unassigned from judge team'))); // keep editing the same team $action = 'edit'; @@ -191,8 +192,8 @@ if (get_value_or_default($action) == 'unassign') { if (get_value_or_default($action) == 'createall') { // first make sure we dont have any non-divisional award teams (dont want people hitting refresh and adding all the teams twice - $q = $pdo->prepare("SELECT COUNT(*) AS c FROM judges_teams WHERE autocreate_type_id!='1' AND year='" . $config['FAIRYEAR'] . "'"); - $q->execute(); + $q = $pdo->prepare("SELECT COUNT(*) AS c FROM judges_teams WHERE autocreate_type_id!='1' AND year=?"); + $q->execute([$config['FAIRYEAR']]); $r = $q->fetch(PDO::FETCH_OBJ); if ($r->c) { message_push(error(i18n("Cannot 'Create All' teams when any divisional teams currently exist. Try deleting all existing non-divisional teams first."))); @@ -207,18 +208,18 @@ if (get_value_or_default($action) == 'createall') { award_types WHERE \t award_awards.award_types_id=award_types.id - AND award_awards.year='" . $config['FAIRYEAR'] . "' - AND award_types.year='" . $config['FAIRYEAR'] . "' + AND award_awards.year=? + AND award_types.year=? AND award_types_id!='1' ORDER BY award_types_order, award_awards.order, name"); - $q->execute(); + $q->execute([$config['FAIRYEAR'],$config['FAIRYEAR']]); // startat - $q2 = $pdo->prepare("SELECT MAX(num) AS lastnum FROM judges_teams WHERE year='{$config['FAIRYEAR']}'"); - $q2->execute(); + $q2 = $pdo->prepare("SELECT MAX(num) AS lastnum FROM judges_teams WHERE year=?"); + $q2->execute([$config['FAIRYEAR']]); $r2 = $q2->fetch(PDO::FETCH_OBJ); if ($r2->lastnum) $num = $r2->lastnum + 1; @@ -239,8 +240,8 @@ if (get_value_or_default($action) == 'createall') { $team_id = $pdo->lastInsertId(); if ($team_id) { // now link the new team to the award - $stmt = $pdo->prepare("INSERT INTO judges_teams_awards_link (award_awards_id,judges_teams_id,year) VALUES ('$r->id','$team_id','" . $config['FAIRYEAR'] . "')"); - $stmt->execute(); + $stmt = $pdo->prepare("INSERT INTO judges_teams_awards_link (award_awards_id,judges_teams_id,year) VALUES (?,?,?)"); + $stmt->execute([$r->id,$team_id,$config['FAIRYEAR']]); message_push(happy(i18n('Created team #%1: %2', array($num, $name)))); } else { message_push(error(i18n('Error creating team #%1: %2', array($num, $name)))); @@ -251,8 +252,8 @@ if (get_value_or_default($action) == 'createall') { } if (get_value_or_default($action) == 'add' && $_GET['num']) { - $stmt = $pdo->prepare("INSERT INTO judges_teams(num,year) VALUES ('" . $_GET['num'] . "','" . $config['FAIRYEAR'] . "')"); - $stmt->execute(); + $stmt = $pdo->prepare("INSERT INTO judges_teams(num,year) VALUES (?,?)"); + $stmt->execute([$_GET['num'],$config['FAIRYEAR']]); show_pdo_errors_if_any($pdo); $edit = $pdo->lastInsertId(); $action = 'edit'; @@ -342,10 +343,10 @@ function addclicked() ) LEFT JOIN judges_teams_awards_link ON award_awards.id = judges_teams_awards_link.award_awards_id WHERE - award_awards.year='" . $config['FAIRYEAR'] . "' AND + award_awards.year=? AND judges_teams_awards_link.award_awards_id IS NULL AND award_types.id=award_awards.award_types_id - AND award_types.year='{$config['FAIRYEAR']}' + AND award_types.year=? ORDER BY award_type_order, name"; @@ -353,7 +354,7 @@ function addclicked() echo ''; $q = $pdo->prepare($querystr); - $q->execute(); + $q->execute([$config['FAIRYEAR'],$config['FAIRYEAR']]); show_pdo_errors_if_any($pdo); echo '\n"; echo "\n"; - $q = $pdo->prepare("SELECT * FROM judges_timeslots WHERE id='$round_id'"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM judges_timeslots WHERE id=?"); + $q->execute([$round_id]); $round_data = $q->fetch(PDO::FETCH_ASSOC); if ($action == 'addtimeslot') { @@ -299,8 +299,8 @@ if ($action == 'addtimeslot' || $action == 'edittimeslot') { $r['date'] = $round_data['date']; } else { echo '

Edit Judging Timeslot

'; - $q = $pdo->prepare("SELECT * FROM judges_timeslots WHERE id='$timeslot_id'"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM judges_timeslots WHERE id=?"); + $q->execute([$timeslot_id]); if ($q->rowCount() != 1) { echo "UNKNOWN ROUND $round_id"; exit; @@ -334,8 +334,8 @@ if ($action == 'addmultiple') { echo "\n"; echo "\n"; - $q = $pdo->prepare("SELECT * FROM judges_timeslots WHERE id='$round_id'"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM judges_timeslots WHERE id=?"); + $q->execute([$round_id]); $round_data = $q->fetch(PDO::FETCH_ASSOC); echo ''; @@ -375,12 +375,12 @@ if ($action == '') { echo ''; echo ''; - $q = $pdo->prepare("SELECT * FROM judges_timeslots WHERE year='{$config['FAIRYEAR']}' AND `type`!='timeslot' ORDER BY date,starttime"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM judges_timeslots WHERE year=? AND `type`!='timeslot' ORDER BY date,starttime"); + $q->execute([$config['FAIRYEAR']]); while ($r = $q->fetch(PDO::FETCH_OBJ)) { echo ''; - $qq = $pdo->prepare("SELECT * FROM judges_timeslots WHERE round_id='{$r->id}' ORDER BY `date`,`starttime`"); - $qq->execute(); + $qq = $pdo->prepare("SELECT * FROM judges_timeslots WHERE round_id=? ORDER BY `date`,`starttime`"); + $qq->execute([$r->id]); $c = $qq->rowCount() + 1; echo "'; diff --git a/admin/judging_score_edit.php b/admin/judging_score_edit.php index 8f6ba0b4..61ffad22 100644 --- a/admin/judging_score_edit.php +++ b/admin/judging_score_edit.php @@ -51,10 +51,10 @@ if ($_GET['projectid']) { $score_error = '*** ERROR **** You entered a value greater than 100.00'; } $stmt = $pdo->prepare("UPDATE judges_teams_timeslots_projects_link - \t \t\t\t\t\tSET score=" . $score - . ' WHERE judges_teams_id = ' . $_POST['team_' . $curr_team . '_id'] - . " and projects_id =$project_id and year=$year"); - $stmt->execute(); + \t \t\t\t\t\tSET score=?" + . ' WHERE judges_teams_id =?' + . " and projects_id =? and year=?"); + $stmt->execute([$score,$_POST['team_' . $curr_team . '_id'],$project_id,$year]); show_pdo_errors_if_any($pdo); } $curr_team--; @@ -64,18 +64,18 @@ if ($_GET['projectid']) { ?> prepare("SELECT * FROM projects WHERE projects.id = '" . $project_id . "'"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM projects WHERE projects.id =?"); + $q->execute([$project_id]); $r = $q->fetch(PDO::FETCH_OBJ); $project_number = $r->projectnumber; $project_title = $r->title; - $q = $pdo->prepare("SELECT * FROM projectcategories WHERE year='$year' ORDER BY id"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM projectcategories WHERE year=? ORDER BY id"); + $q->execute([$year]); while ($r = $q->fetch(PDO::FETCH_OBJ)) $cats[$r->id] = $r->category; - $q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year='$year' ORDER BY id"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year=? ORDER BY id"); + $q->execute([$year]); $q = $pdo->prepare("SELECT judges_teams_timeslots_projects_link.judges_teams_id, \t score, @@ -83,8 +83,8 @@ if ($project_id) { \t FROM judges_teams_timeslots_projects_link, \t judges_teams \t WHERE judges_teams_timeslots_projects_link.judges_teams_id = judges_teams.id - \t AND projects_id = " . $project_id . ' ORDER BY judges_teams_id'); - $q->execute(); + \t AND projects_id =? ORDER BY judges_teams_id"); + $q->execute([$project_id]); show_pdo_errors_if_any($pdo); echo 'Project# ' . $project_number . ' ' . $project_title . '
'; if ($score_error != '') { diff --git a/admin/judging_score_entry.php b/admin/judging_score_entry.php index 697af43a..fae2dea4 100644 --- a/admin/judging_score_entry.php +++ b/admin/judging_score_entry.php @@ -101,15 +101,15 @@ if ($_GET['csv'] != 'yes') { while ($r = $q->fetch(PDO::FETCH_OBJ)) { if ($_GET['csv'] == 'yes') { - echo "$r->projectnumber \t $r->title \t" . $cats[$r->projectcategories_id] . "\t" . $divs[$r->projectdivisions_id] . " \t $r->score \t $r->norm_score "; + echo "$r->projectnumber \t ? \t ? \t ? \t ? \t ? "; $p = $pdo->prepare("SELECT judges_teams_timeslots_projects_link.judges_teams_id, \t \t\t\t\t score, \t judges_teams.num \t FROM judges_teams_timeslots_projects_link, \t judges_teams \t WHERE judges_teams_timeslots_projects_link.judges_teams_id = judges_teams.id - \t AND projects_id = " . $r->projectid . ' ORDER BY judges_teams_id'); - $p->execute(); + \t AND projects_id =? ORDER BY judges_teams_id"); + $p->execute([$r->title,$cats[$r->projectcategories_id] ,$divs[$r->projectdivisions_id],$r->score,$r->norm_score,$r->projectid]); show_pdo_errors_if_any($pdo); while ($s = $p->fetch(PDO::FETCH_OBJ)) { $team = getJudgingTeam($s->judges_teams_id); diff --git a/admin/project_editor.php b/admin/project_editor.php index 98ffb84e..0e548632 100644 --- a/admin/project_editor.php +++ b/admin/project_editor.php @@ -293,8 +293,8 @@ function countwords() prepare('SELECT projectdivisions.* FROM projectdivisions,projectcategoriesdivisions_link WHERE projectdivisions.id=projectdivisions_id AND projectcategories_id=' . $projectcategories_id . " AND projectdivisions.year='" . $config['FAIRYEAR'] . "' AND projectcategoriesdivisions_link.year='" . $config['FAIRYEAR'] . "' ORDER BY division"); - $q->execute(); + $q = $pdo->prepare('SELECT projectdivisions.* FROM projectdivisions,projectcategoriesdivisions_link WHERE projectdivisions.id=projectdivisions_id AND projectcategories_id=? AND projectdivisions.year=? AND projectcategoriesdivisions_link.year=? ORDER BY division'); + $q->execute([$projectcategories_id,$config['FAIRYEAR'],$config['FAIRYEAR']]); show_pdo_errors_if_any($pdo); // ### } else diff --git a/config/signaturepage.php b/config/signaturepage.php index 1afa723f..2f130f41 100644 --- a/config/signaturepage.php +++ b/config/signaturepage.php @@ -56,20 +56,20 @@ if (get_value_from_array($_POST, 'action') == 'save') { $val = get_value_from_array($_POST, 'exhibitordeclaration'); $stmt = $pdo->prepare("UPDATE signaturepage SET `use` = :useex, `text` = :text WHERE name = 'exhibitordeclaration'"); - $stmt->bindParam(':useex', $useex); - $stmt->bindParam(':text', $val); - $stmt->execute(); + $stmt->bindParam(':useex', '?'); + $stmt->bindParam(':text', '?'); + $stmt->execute([$useex,$val]); $val = get_value_from_array($_POST, 'exhibitordeclaration'); $stmt = $pdo->prepare("UPDATE signaturepage SET `use` = :usepg, `text` = :text WHERE name = 'parentdeclaration'"); - $stmt->bindParam(':usepg', $usepg); - $stmt->bindParam(':text', $val); - $stmt->execute(); + $stmt->bindParam(':usepg', '?'); + $stmt->bindParam(':text', '?'); + $stmt->execute([$usepg,$val]); - $stmt = $pdo->prepare("UPDATE signaturepage SET `use`='$usepa', `text`='" . get_value_from_array($_POST, 'postamble') . "' WHERE name='postamble'"); - $stmt->execute(); - $stmt = $pdo->prepare("UPDATE signaturepage SET `use`='$userf', `text`='' WHERE name='regfee'"); - $stmt->execute(); + $stmt = $pdo->prepare("UPDATE signaturepage SET `use`=?, `text`=? WHERE name='postamble'"); + $stmt->execute([$usepa,get_value_from_array($_POST, 'postamble')]); + $stmt = $pdo->prepare("UPDATE signaturepage SET `use`=?, `text`='' WHERE name='regfee'"); + $stmt->execute([$userf]); echo happy(i18n("$sentence_begin_participationform text successfully saved")); } diff --git a/config/subdivisions.php b/config/subdivisions.php index 7d810540..835cb641 100644 --- a/config/subdivisions.php +++ b/config/subdivisions.php @@ -41,17 +41,17 @@ if (get_value_from_array($_GET, 'action') == 'edit' || get_value_from_array($_GE if (get_value_from_array($_POST, 'action') == 'edit') { if (get_value_from_array($_POST, 'id') && get_value_from_array($_POST, 'projectdivisions_id') && get_value_from_array($_POST, 'subdivision')) { - $q = $pdo->prepare("SELECT id FROM projectsubdivisions WHERE id='" . $_POST['id'] . "' AND year='" . $config['FAIRYEAR'] . "'"); - $q->execute(); + $q = $pdo->prepare("SELECT id FROM projectsubdivisions WHERE id=? AND year=?"); + $q->execute([$_POST['id'],$config['FAIRYEAR']]); if ($q->rowCount() && $_POST['saveid'] != $_POST['id']) { echo error(i18n('Sub-Division ID %1 already exists', array($_POST['id']))); } else { $stmt = $pdo->prepare('UPDATE projectsubdivisions SET ' - . "id='" . $_POST['id'] . "', " - . "projectdivisions_id='" . $_POST['projectdivisions_id'] . "', " - . "subdivision='" . stripslashes($_POST['subdivision']) . "' " - . "WHERE id='" . $_POST['saveid'] . "'"); - $stmt->execute(); + . "id=?, " + . "projectdivisions_id=?, " + . "subdivision=?" + . "WHERE id=?"); + $stmt->execute([$_POST['id'],$_POST['projectdivisions_id'],stripslashes($_POST['subdivision']),$_POST['saveid']]); echo happy(i18n('Sub-Division successfully saved')); } } else { @@ -69,8 +69,8 @@ if (get_value_from_array($_POST, 'action') == 'new') { } else $newid = $_POST['id']; - $q = $pdo->prepare("SELECT id FROM projectsubdivisions WHERE id='$newid' AND year='" . $config['FAIRYEAR'] . "'"); - $q->execute(); + $q = $pdo->prepare("SELECT id FROM projectsubdivisions WHERE id=? AND year=?"); + $q->execute([$newid,$config['FAIRYEAR']]); if ($q->rowCount()) { echo error(i18n('Sub-Division ID %1 already exists', array($newid))); } else { @@ -88,8 +88,8 @@ if (get_value_from_array($_POST, 'action') == 'new') { } if (get_value_from_array($_GET, 'action') == 'remove' && get_value_from_array($_GET, 'remove')) { - $stmt = $pdo->prepare("DELETE FROM projectsubdivisions WHERE id='" . $_GET['remove'] . "'"); - $stmt->execute(); + $stmt = $pdo->prepare("DELETE FROM projectsubdivisions WHERE id=?"); + $stmt->execute([$_GET['remove']]); echo happy(i18n('Sub-Division successfully removed')); } @@ -111,8 +111,8 @@ if (get_value_from_array($_GET, 'action') == 'edit' || get_value_from_array($_GE $divisionr = array(); if (get_value_from_array($_GET, 'action') == 'edit') { echo '\n"; - $q = $pdo->prepare("SELECT * FROM projectsubdivisions WHERE id='" . get_value_from_array($_GET, 'edit') . "' AND year='" . $config['FAIRYEAR'] . "'"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM projectsubdivisions WHERE id=? AND year=?"); + $q->execute([get_value_from_array($_GET, 'edit'),$config['FAIRYEAR']]); $divisionr = $q->fetch(PDO::FETCH_OBJ); $buttontext = 'Save'; } else if ($_GET['action'] == 'new') { @@ -121,8 +121,8 @@ if (get_value_from_array($_GET, 'action') == 'edit' || get_value_from_array($_GE echo ''; echo ' '; diff --git a/config/variables.php b/config/variables.php index fe6149fd..4d30f7dc 100644 --- a/config/variables.php +++ b/config/variables.php @@ -46,8 +46,8 @@ while ($r = $q->fetch(PDO::FETCH_OBJ)) { if (get_value_from_array($_POST, 'action') == 'save') { if (get_value_from_array($_POST, 'specialconfig')) { foreach ($_POST['specialconfig'] as $key => $val) { - $stmt = $pdo->prepare("UPDATE config SET val='" . stripslashes($val) . "' WHERE year='0' AND var='$key'"); - $stmt->execute(); + $stmt = $pdo->prepare("UPDATE config SET val=? WHERE year='0' AND var=?"); + $stmt->execute([stripslashes($val),$key]); } } message_push(happy(i18n('Configuration successfully saved'))); diff --git a/db/db.update.111.php b/db/db.update.111.php index a06e669f..1c88a363 100644 --- a/db/db.update.111.php +++ b/db/db.update.111.php @@ -3,16 +3,16 @@ function db_update_111_post() { global $config, $pdo; // grab the index page - $q = $pdo->prepare("SELECT * FROM pagetext WHERE textname='index' AND year='{$config['FAIRYEAR']}'"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM pagetext WHERE textname='index' AND year=?"); + $q->execute([$config['FAIRYEAR']]); if (!$q->rowCount()) { $q = $pdo->prepare("SELECT * FROM pagetext WHERE textname='index' AND year='-1'"); $q->execute(); } while ($r = $q->fetch(PDO::FETCH_OBJ)) { // insert it into the CMS under index.html - $stmt = $pdo->prepare("INSERT INTO cms (filename,dt,lang,text,showlogo) VALUES ('index.html','$r->lastupdate','$r->lang','" . $r->text . "','1')"); - $stmt->execute(); + $stmt = $pdo->prepare("INSERT INTO cms (filename,dt,lang,text,showlogo) VALUES ('index.html',?,?,?,'1')"); + $stmt->execute([$r->lastupdate,$r->lang,$r->text]); } // and remove it from the pagetext $stmt = $pdo->prepare("DELETE FROM pagetext WHERE textname='index'"); diff --git a/db/db.update.116.php b/db/db.update.116.php index 7cf337ec..ebab6a87 100644 --- a/db/db.update.116.php +++ b/db/db.update.116.php @@ -4,8 +4,8 @@ function db_update_116_post() global $config, $pdo; /* Fix the users that have a 0 year */ - $q = $pdo->prepare("UPDATE `users` SET year={$config['FAIRYEAR']} WHERE year=0"); - $q->execute(); + $q = $pdo->prepare("UPDATE `users` SET year=? WHERE year=0"); + $q->execute([$config['FAIRYEAR']]); show_pdo_errors_if_any($pdo); /* Fix users without a username */ @@ -25,8 +25,8 @@ function db_update_116_post() $username = ''; for ($x = 0; $x < 16; $x++) $username .= $available[rand(0, $len)]; - $stmt = $pdo->prepare("UPDATE users SET username='$username' WHERE id='$r->id'"); - $stmt->execute(); + $stmt = $pdo->prepare("UPDATE users SET username=? WHERE id=?"); + $stmt->execute([$username,$r->id]); } // okay now finally, there's a chance of duplicates from @@ -37,9 +37,9 @@ function db_update_116_post() while ($r = $q->fetch(PDO::FETCH_ASSOC)) { $orig_r = $r; $qq = $pdo->prepare("SELECT * FROM `users` WHERE - (`username`='{$r['username']}' OR `email`='{$r['email']}') - AND `id`!={$r['id']}"); - $qq->execute(); + (`username`=? OR `email`=?) + AND `id`!=?"); + $qq->execute([$r['username'],$r['email'],$r['id']]); if ($qq->rowCount() == 0) continue; @@ -93,8 +93,8 @@ function db_update_116_post() } if (count($set)) { $query = join(',', $set); - $stmt = $pdo->prepare("UPDATE `users` SET $query WHERE id={$r['id']}"); - $stmt->execute(); + $stmt = $pdo->prepare("UPDATE `users` SET ? WHERE id=?"); + $stmt->execute([$query,$r['id']]); echo "Update query: UPDATE `users` SET $query WHERE id={$r['id']}\n"; } @@ -104,13 +104,13 @@ function db_update_116_post() echo "Merged... Deleting duplicate and adjusting volunteer tables...\n"; /* Delete the dupe */ - $stmt = $pdo->prepare("DELETE FROM `users` $where_id"); - $stmt->execute(); + $stmt = $pdo->prepare("DELETE FROM `users` ?"); + $stmt->execute([$where_id]); /* Update volunteer linkage */ - $stmt = $pdo->prepare("UPDATE `users_volunteer` SET `users_id`={$r['id']} $where_users_id"); - $stmt->execute(); - $stmt = $pdo->prepare("UPDATE `volunteer_positions_signup` SET `users_id`={$r['id']} $where_users_id"); - $stmt->execute(); + $stmt = $pdo->prepare("UPDATE `users_volunteer` SET `users_id`=? ?"); + $stmt->execute([$r['id'],$where_users_id]); + $stmt = $pdo->prepare("UPDATE `volunteer_positions_signup` SET `users_id`=? ?"); + $stmt->execute([$r['id'],$where_users_id]); echo "done with this user.\n"; } @@ -120,9 +120,9 @@ function db_update_116_post() $q->execute(); while ($i = $q->fetch(PDO::FETCH_OBJ)) { $stmt = $pdo->prepare("INSERT INTO users_volunteer(`users_id`,`volunteer_active`,`volunteer_complete`) - VALUES ('{$i->id}','yes','{$i->complete}')"); + VALUES (?,'yes',?)"); - $stmt->execute(); + $stmt->execute([$i->id,$i->complete]); } /* Update any remaining volunteer entries */ @@ -130,9 +130,9 @@ function db_update_116_post() $q->execute(); while ($i = $q->fetch(PDO::FETCH_OBJ)) { $stmt = $pdo->prepare("UPDATE users_volunteer - SET volunteer_complete='{$i->complete}' - WHERE users_id='{$i->id}'"); - $stmt->execute(); + SET volunteer_complete=? + WHERE users_id=?"); + $stmt->execute([$i->complete,$i->id]); show_pdo_errors_if_any($pdo); } @@ -142,8 +142,8 @@ function db_update_116_post() while ($i = $q->fetch(PDO::FETCH_OBJ)) { $stmt = $pdo->prepare("UPDATE users_committee SET committee_active='yes' - WHERE users_id='{$i->id}'"); - $stmt->execute(); + WHERE users_id=?"); + $stmt->execute([$i->id]); show_pdo_errors_if_any($pdo); } @@ -196,8 +196,8 @@ function db_update_116_post() $updateexclude = array('id', 'uid', 'types', 'username', 'password', 'passwordset', 'oldpassword', 'year', 'created', 'lastlogin', 'firstaid', 'cpr', 'deleted', 'deleteddatetime'); // check if a user already exists with this username - $uq = $pdo->prepare("SELECT * FROM users WHERE (username='" . $j->email . "' OR email='" . $j->email . "') AND year='$j->year'"); - $uq->execute(); + $uq = $pdo->prepare("SELECT * FROM users WHERE (username? OR email=?) AND year=?"); + $uq->execute([$j->email,$j->email,$j->year]); if ($j->email && $ur = $uq->fetch(PDO::FETCH_OBJ)) { $id = $ur->id; echo "Using existing users.id=$id for judges.id=$j->id because email address/year ($j->email/$j->year) matches\n"; @@ -208,9 +208,9 @@ function db_update_116_post() $sqlset .= "`$f`='" . $j->$f . "', "; } } - $sql = "UPDATE users SET $sqlset `types`='{$ur->types},judge',`username`='" . $j->email . "' WHERE id='$id'"; + $sql = "UPDATE users SET ? `types`=?,judge',`username`=? WHERE id=?"; $stmt = $pdo->prepare($sql); - $stmt->execute(); + $stmt->execute([$sqlset,$ur->types,$j->email,$id]); show_pdo_errors_if_any($pdo); echo " Updated user record with judge info, but only merged:\n"; echo " ($sqlset)\n"; @@ -218,14 +218,14 @@ function db_update_116_post() /* Insert the judge */ $fields = '`' . join('`,`', array_keys($u)) . '`'; $vals = "'" . join("','", array_values($u)) . "'"; - $q = $pdo->prepare("INSERT INTO users ($fields) VALUES ($vals)"); - $q->execute(); + $q = $pdo->prepare("INSERT INTO users (?) VALUES (?)"); + $q->execute([$fields,$vals]); $id = $pdo->lastInsertId(); if ($map[$j->id]['uid'] == '') { $map[$j->id]['uid'] = $id; - $q = $pdo->prepare("UPDATE users SET `uid`='$id' WHERE id='$id'"); - $q->execute(); + $q = $pdo->prepare("UPDATE users SET `uid`=? WHERE id=?"); + $q->execute([$id,$id]); } } @@ -246,8 +246,8 @@ function db_update_116_post() // $j->attending_lunch, /* catprefs */ - $q = $pdo->prepare("SELECT * FROM judges_catpref WHERE judges_id='{$j->id}' AND year='{$j->year}'"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM judges_catpref WHERE judges_id=? AND year=?"); + $q->execute([$j->id,$j->year]); $catpref = array(); while ($i = $q->fetch(PDO::FETCH_OBJ)) { $catpref[$i->projectcategories_id] = $i->rank; @@ -256,8 +256,8 @@ function db_update_116_post() $uj['cat_prefs'] = serialize($catpref); /* divprefs and subdivision prefs */ - $q = $pdo->prepare("SELECT * FROM judges_expertise WHERE judges_id='{$j->id}' AND year='{$j->year}'"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM judges_expertise WHERE judges_id=? AND year=?"); + $q->execute([$j->id,$j->year]); $divpref = array(); $divsubpref = array(); while ($i = $q->fetch(PDO::FETCH_OBJ)) { @@ -270,8 +270,8 @@ function db_update_116_post() $uj['divsub_prefs'] = serialize($divsubpref); /* languages */ - $q = $pdo->prepare("SELECT * FROM judges_languages WHERE judges_id='{$j->id}'"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM judges_languages WHERE judges_id=?"); + $q->execute([$j->id]); $langs = array(); while ($i = $q->fetch(PDO::FETCH_OBJ)) { @@ -291,8 +291,8 @@ function db_update_116_post() 'willing_chair' => 'Willing Chair'); foreach ($qmap as $field => $head) { /* Find the question ID */ - $q = $pdo->prepare("SELECT id FROM questions WHERE year='{$j->year}' AND db_heading='{$head}'"); - $q->execute(); + $q = $pdo->prepare("SELECT id FROM questions WHERE year=? AND db_heading=?"); + $q->execute([$j->year,$head]); if ($q->rowCount() == 0) { echo "Warning: Question '$head' for judge {$j->id} doesn't exist in year '{$j->year}', cannot copy answer.\n"; continue; @@ -302,10 +302,10 @@ function db_update_116_post() /* Now find the answer */ $q = $pdo->prepare("SELECT * FROM question_answers WHERE - year='{$j->year}' AND - registrations_id='{$j->id}' AND - questions_id='{$i->id}'"); - $q->execute(); + year=? AND + registrations_id=? AND + questions_id=?"); + $q->execute([$j->year,$j->id,$i->id]); show_pdo_errors_if_any($pdo); if ($q->rowCount() == 0) { echo "Warning: Judge {$j->id} did not answer question '$head' in year '{$j->year}', cannot copy answer.\n"; @@ -319,8 +319,8 @@ function db_update_116_post() $fields = '`' . join('`,`', array_keys($uj)) . '`'; $vals = "'" . join("','", array_values($uj)) . "'"; - $q = $pdo->prepare("INSERT INTO users_judge ($fields) VALUES ($vals)"); - $q->execute(); + $q = $pdo->prepare("INSERT INTO users_judge (?) VALUES (?)"); + $q->execute([$fields,$vals]); show_pdo_errors_if_any($pdo); /* @@ -329,24 +329,24 @@ function db_update_116_post() */ /* judges_teams_link */ - $q = $pdo->prepare("SELECT * FROM judges_teams_link WHERE judges_id='{$j->id}' AND year='{$j->year}'"); + $q = $pdo->prepare("SELECT * FROM judges_teams_link WHERE judges_id=? AND year=?"); - $q->execute(); + $q->execute([$j->id,$j->year]); while ($i = $q->fetch(PDO::FETCH_OBJ)) $jtl[$i->id] = $id; /* judges_specialawards_sel */ - $q = $pdo->prepare("SELECT * FROM judges_specialaward_sel WHERE judges_id='{$j->id}' AND year='{$j->year}'"); + $q = $pdo->prepare("SELECT * FROM judges_specialaward_sel WHERE judges_id=? AND year=?"); - $q->execute(); + $q->execute([$j->id,$j->year]); show_pdo_errors_if_any($pdo); while ($i = $q->fetch(PDO::FETCH_OBJ)) $jsal[$i->id] = $id; /* question_answers */ - $q = $pdo->prepare("SELECT * FROM question_answers WHERE registrations_id='{$j->id}' AND year='{$j->year}'"); + $q = $pdo->prepare("SELECT * FROM question_answers WHERE registrations_id=? AND year=?"); - $q->execute(); + $q->execute([$j->id,$j->year]); show_pdo_errors_if_any($pdo); while ($i = $q->fetch(PDO::FETCH_OBJ)) $qa[$i->id] = $id; @@ -355,21 +355,21 @@ function db_update_116_post() /* Now write back the judge ids */ if (count($jtl)) { foreach ($jtl as $id => $new_id) - $q = $pdo->prepare("UPDATE judges_teams_link SET judges_id='$new_id' WHERE id='$id' "); + $q = $pdo->prepare("UPDATE judges_teams_link SET judges_id=? WHERE id=? "); - $q->execute(); + $q->execute([$new_id,$id]); } if (count($jsal)) { foreach ($jsal as $id => $new_id) - $q = $pdo->prepare("UPDATE judges_specialaward_sel SET judges_id='$new_id' WHERE id='$id' "); + $q = $pdo->prepare("UPDATE judges_specialaward_sel SET judges_id=? WHERE id=? "); - $q->execute(); + $q->execute([$new_id,$id]); } if (count($qa)) { foreach ($qa as $id => $new_id) - $q = $pdo->prepare("UPDATE question_answers SET registrations_id='$new_id' WHERE id='$id' "); + $q = $pdo->prepare("UPDATE question_answers SET registrations_id=? WHERE id=? "); - $q->execute(); + $q->execute([$new_id,$id]); } } ?> diff --git a/db/db.update.117.php b/db/db.update.117.php index 8af6e8d7..805c9dd8 100644 --- a/db/db.update.117.php +++ b/db/db.update.117.php @@ -9,20 +9,20 @@ function db_update_117_post() 'willing_chair' => 'Willing Chair'); foreach ($qmap as $field => $head) { - $q = $pdo->prepare("SELECT id FROM questions WHERE db_heading='{$head}'"); - $q->execute(); + $q = $pdo->prepare("SELECT id FROM questions WHERE db_heading=?"); + $q->execute([$head]); while ($i = $q->fetch(PDO::FETCH_OBJ)) { $id = $i->id; /* Drop all answers for this question */ $stmt = $pdo->prepare("DELETE FROM question_answers - WHERE questions_id='$id'"); - $stmt->execute(); + WHERE questions_id=?"); + $stmt->execute([$id]); } /* Now dump the question itself */ $stmt = $pdo->prepare("DELETE FROM questions - WHERE id='$id'"); - $stmt->execute(); + WHERE id=?"); + $stmt->execute([$id]); } } diff --git a/db/db.update.118.php b/db/db.update.118.php index 442d2544..cee9765b 100644 --- a/db/db.update.118.php +++ b/db/db.update.118.php @@ -23,8 +23,8 @@ function db_update_118_post() $active = 'yes'; } // see if a user exists with this email - $uq = $pdo->prepare("SELECT * FROM users WHERE (username='" . $r->email . "' OR email='" . $r->email . "') ORDER BY year DESC LIMIT 1"); // AND year='$r->year'"); - $uq->execute(); + $uq = $pdo->prepare("SELECT * FROM users WHERE (username=? OR email=?) ORDER BY year DESC LIMIT 1"); // AND year='$r->year'"); + $uq->execute([ $r->email,$r->email]); if ($r->email && $ur = $uq->fetch(PDO::FETCH_OBJ)) { $user_id = $ur->id; echo "Using existing users.id=$user_id for award_contacts.id=$r->id because email address ($r->email) matches\n"; @@ -37,9 +37,9 @@ function db_update_118_post() $sqlset .= "`$f`='" . $r->$f . "', "; } } - $sql = "UPDATE users SET $sqlset `types`='{$ur->types},sponsor' WHERE id='$user_id'"; + $sql = "UPDATE users SET ? `types`=?,sponsor' WHERE id=?"; $stmt = $pdo->prepare($sql); - $stmt->execute(); + $stmt->execute([$sqlset,$ur->types,$user_id]); show_pdo_errors_if_any($pdo); echo " Updated user record\n"; } else { @@ -70,8 +70,8 @@ function db_update_118_post() $user_id = $pdo->lastInsertId(); // and link it to themselves as a starting record - $stmt = $pdo->prepare("UPDATE users SET uid='$user_id' WHERE id='$user_id'"); - $stmt->execute(); + $stmt = $pdo->prepare("UPDATE users SET uid=? WHERE id=?"); + $stmt->execute([$user_id,$user_id]); echo "Creating new users.id=$user_id for award_contacts.id=$r->id\n"; } diff --git a/db/db.update.122.php b/db/db.update.122.php index 91ab2eb0..b693f010 100644 --- a/db/db.update.122.php +++ b/db/db.update.122.php @@ -4,8 +4,8 @@ function db_update_122_post() { global $config, $pdo; $year = $config['FAIRYEAR']; - $q = $pdo->prepare("SELECT * FROM judges_timeslots WHERE year='$year'"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM judges_timeslots WHERE year=?"); + $q->execute([$year]); $round = array(); while ($r = $q->fetch(PDO::FETCH_ASSOC)) { $type = $r['type']; @@ -27,21 +27,21 @@ function db_update_122_post() foreach ($round as $type => $d) { $stmt = $pdo->prepare("INSERT INTO judges_timeslots (round_id,type,date,starttime,endtime,year) - VALUES ('0','$type','{$d['date']}','{$d['starttime']}','{$d['endtime']}','$year')"); - $stmt->execute(); + VALUES ('0',?,?,?,?,?)"); + $stmt->execute([$type,$d['date'],$d['starttime'],$d['endtime'],$year]); $round_id = $pdo->lastInsertId(); $stmt = $pdo->prepare("UPDATE judges_timeslots SET - round_id='$round_id', type='timeslot' + round_id=?, type='timeslot' - WHERE type='$type' AND year='$year'"); - $stmt->execute(); + WHERE type=? AND year=?"); + $stmt->execute([$round_id,$type,$year]); /* Undo the set we just did to the round we just inserted */ $stmt = $pdo->prepare("UPDATE judges_timeslots SET - round_id='0',type='$type' + round_id='0',type=? - WHERE id='$round_id'"); - $stmt->execute(); + WHERE id=?"); + $stmt->execute([$type,$round_id]); } } diff --git a/db/db.update.129.php b/db/db.update.129.php index 9b5ba962..ac3dbe32 100644 --- a/db/db.update.129.php +++ b/db/db.update.129.php @@ -26,9 +26,9 @@ function db_update_129_pre() $stmt = $pdo->prepare("INSERT INTO fairs (`id`,`name`,`abbrv`,`type`, `url`,`website`,`username`,`password`,`enable_stats`, `enable_awards`,`enable_winners`) VALUES ( - '', '$name', '', 'ysf', '$url', '$web', - '$username','$password','no','$en','$en')"); - $stmt->execute(); + '',?, '', 'ysf',?,?, + ?,?,'no',?,?)"); + $stmt->execute([$name,$url,$web,$username,$password,$en,$en]); /* Link the fair to the user */ $u['fairs_id'] = $pdo->lastInsertId(); @@ -48,9 +48,9 @@ function db_update_129_pre() if (!in_array($old_id, $keys)) continue; - $qq = $pdo->prepare("UPDATE award_awards SET award_sources_id='{$source_map[$old_id]}' - WHERE id='{$r['id']}'"); - $qq->execute(); + $qq = $pdo->prepare("UPDATE award_awards SET award_sources_id=? + WHERE id=?"); + $qq->execute([$source_map[$old_id],$r['id']]); } } diff --git a/db/db.update.129.user.inc.php b/db/db.update.129.user.inc.php index 4027c0b0..37ca6271 100644 --- a/db/db.update.129.user.inc.php +++ b/db/db.update.129.user.inc.php @@ -240,8 +240,8 @@ function db129_user_set_password($id, $password = NULL) /* pass $u by reference so we can update it */ $save_old = false; if ($password == NULL) { - $q = $pdo->prepare("SELECT passwordset FROM users WHERE id='$id'"); - $q->execute(); + $q = $pdo->prepare("SELECT passwordset FROM users WHERE id=?"); + $q->execute([$id]); $u = $q->fetch(PDO::FETCH_ASSOC); /* Generate a new password */ $password = db129_user_generate_password(12); @@ -260,9 +260,9 @@ function db129_user_set_password($id, $password = NULL) $set = ($save_old == true) ? 'oldpassword=password, ' : ''; $set .= "password='$p', passwordset=$save_set "; - $query = "UPDATE users SET $set WHERE id='$id'"; + $query = "UPDATE users SET ? WHERE id=?"; $stmt = $pdo->prepare($query); - $stmt->execute(); + $stmt->execute([$set,$id]); show_pdo_errors_if_any($pdo); return $password; diff --git a/db/db.update.81.php b/db/db.update.81.php index c874b63b..d6f11851 100644 --- a/db/db.update.81.php +++ b/db/db.update.81.php @@ -5,8 +5,8 @@ function db_update_81_post() $q->execute(); while ($i = $q->fetch(PDO::FETCH_OBJ)) { $asid = $i->award_sponsors_id; - $stmt = $pdo->prepare("UPDATE award_contacts SET `primary`='yes' WHERE award_sponsors_id='$asid' LIMIT 1"); - $stmt->execute(); + $stmt = $pdo->prepare("UPDATE award_contacts SET `primary`='yes' WHERE award_sponsors_id=? LIMIT 1"); + $stmt->execute([$asid]); } } ?> diff --git a/db/db.update.87.php b/db/db.update.87.php index 2c042f58..2174834f 100644 --- a/db/db.update.87.php +++ b/db/db.update.87.php @@ -40,10 +40,10 @@ function db_update_87_post() } } if ($newval != false) { - $query = "UPDATE users SET passwordset=$newval WHERE id='$id'"; + $query = "UPDATE users SET passwordset=? WHERE id=?"; echo "$query\n"; $stmt = $pdo->prepare($query); - $stmt->execute(); + $stmt->execute([$newval,$id]); } } } diff --git a/db/db_update.php b/db/db_update.php index 59dddd9e..11848978 100644 --- a/db/db_update.php +++ b/db/db_update.php @@ -38,8 +38,8 @@ $r = $q->fetch(PDO::FETCH_OBJ); $config = array('FAIRYEAR' => $r->val); /* Load config just in case there's a PHP script that wants it */ -$q = $pdo->prepare("SELECT * FROM config WHERE year='{$config['FAIRYEAR']}'"); -$q->execute(); +$q = $pdo->prepare("SELECT * FROM config WHERE year=?"); +$q->execute([$config['FAIRYEAR']]); while ($r = $q->fetch(PDO::FETCH_OBJ)) $config[$r->var] = $r->val; @@ -129,8 +129,8 @@ if ($dbcodeversion && $dbdbversion) { } echo "\nAll done - updating new DB version to $dbcodeversion\n"; - $stmt = $pdo->prepare("UPDATE config SET val='$dbcodeversion' WHERE var='DBVERSION' AND year='0'"); - $stmt->execute(); + $stmt = $pdo->prepare("UPDATE config SET val=? WHERE var='DBVERSION' AND year='0'"); + $stmt->execute([$dbcodeversion]); } } else { echo "ERROR: dbcodeversion and dbdbversion are not defined\n";
' . i18n('Actions') . '
" . format_date($r->date) . '
'; echo '