From 2a8bb8209f33c0d7eaba97fd65a24fd41b35a50c Mon Sep 17 00:00:00 2001
From: Muad Sakah <muadsakah@yahoo.com>
Date: Fri, 7 Feb 2025 03:56:33 +0000
Subject: [PATCH] use prepare statements for fundraising section where possible

---
 admin/fundraising_campaigns.php               |  4 +--
 admin/fundraising_main.inc.php                | 29 ++++++++++---------
 admin/fundraising_reports_std.php             |  8 ++---
 admin/fundraising_sponsorship_handler.inc.php |  6 +---
 4 files changed, 22 insertions(+), 25 deletions(-)

diff --git a/admin/fundraising_campaigns.php b/admin/fundraising_campaigns.php
index 12bcf00b..86e4a3d5 100644
--- a/admin/fundraising_campaigns.php
+++ b/admin/fundraising_campaigns.php
@@ -465,9 +465,9 @@ case 'managelist':
         print_r($_POST);
         if (is_array($_POST['prospectremovefromlist'])) {
             $uidlist = implode(',', $_POST['prospectremovefromlist']);
-            $query = "DELETE FROM fundraising_campaigns_users_link WHERE fundraising_campaigns_id=? AND users_uid IN (?)";
+            $query = "DELETE FROM fundraising_campaigns_users_link WHERE fundraising_campaigns_id=? AND users_uid IN ($uidlist)";
             $stmt = $pdo->prepare($query);
-            $stmt->execute([$campaignid,$uidlist]);
+            $stmt->execute([$campaignid]);
             show_pdo_errors_if_any($pdo);
         }
         // if theres nobody left in the list we need to reset the filter params as well
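Review bot: The new line 22 goes the opposite way from the commit title: `$uidlist` is an implode of raw `$_POST['prospectremovefromlist']` elements spliced straight into the `IN (...)` clause, so any element carrying SQL reaches the DELETE unparameterised. The removed version did not work either, since binding the joined string to one `?` compares `users_uid` against a single string, which is presumably why it was rolled back; the correct form is one placeholder per element with the elements bound individually. The `is_array` guard also lets an empty array through, which yields `IN ()` and a syntax error, so skip that case. The `print_r($_POST)` just above is context, but it dumps the whole request into the response and looks like a debugging leftover worth removing in a follow-up.
```php
if (is_array($_POST['prospectremovefromlist']) && count($_POST['prospectremovefromlist']) > 0) {
    // one bound value per uid; intval assumes users_uid is numeric -- drop the cast if it is not
    $uids = array_map('intval', $_POST['prospectremovefromlist']);
    $placeholders = implode(',', array_fill(0, count($uids), '?'));
    $query = "DELETE FROM fundraising_campaigns_users_link WHERE fundraising_campaigns_id=? AND users_uid IN ($placeholders)";
    $stmt = $pdo->prepare($query);
    $stmt->execute(array_merge([$campaignid], $uids));
    show_pdo_errors_if_any($pdo);
}
```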
diff --git a/admin/fundraising_main.inc.php b/admin/fundraising_main.inc.php
index 47f93c10..f7f74535 100644
--- a/admin/fundraising_main.inc.php
+++ b/admin/fundraising_main.inc.php
@@ -25,23 +25,24 @@ if ($_GET['action'] == 'fundraisingmain') {
 		$typetotal = 0;
 		$typeprobtotal = 0;
 		$sq = $pdo->prepare("
-            SELECT fundraising_donations.id, sponsors.organization AS name, fundraising_donations.value, fundraising_donations.status, fundraising_donations.probability
-	\t FROM fundraising_donations
-	\t JOIN sponsors ON fundraising_donations.sponsors_id=sponsors.id
-	\t  WHERE (fundraising_donations.fundraising_goal=? ?) 
-	\t  AND fundraising_donations.fiscalyear=?
+			(SELECT fundraising_donations.id, sponsors.organization AS name, 
+					fundraising_donations.value, fundraising_donations.status, fundraising_donations.probability
+			FROM fundraising_donations
+			JOIN sponsors ON fundraising_donations.sponsors_id = sponsors.id
+			WHERE (fundraising_donations.fundraising_goal = ? OR fundraising_donations.fundraising_goal = ?) 
+			AND fundraising_donations.fiscalyear = ?)
 
-          UNION
+			UNION
 
-        SELECT fundraising_donations.id, CONCAT(users.firstname,' ',users.lastname) AS name, fundraising_donations.value, fundraising_donations.status, fundraising_donations.probability
-	\t FROM fundraising_donations
-	\t JOIN users ON fundraising_donations.users_uid=users.uid
-	\t  WHERE (fundraising_donations.fundraising_goal=? ?) 
-	\t  AND fundraising_donations.fiscalyear=?
+			(SELECT fundraising_donations.id, CONCAT(users.firstname, ' ', users.lastname) AS name, 
+					fundraising_donations.value, fundraising_donations.status, fundraising_donations.probability
+			FROM fundraising_donations
+			JOIN users ON fundraising_donations.users_uid = users.uid
+			WHERE (fundraising_donations.fundraising_goal = ? OR fundraising_donations.fundraising_goal = ?) 
+			AND fundraising_donations.fiscalyear = ?)
 
-	\t  ORDER BY status DESC, probability DESC, name
-            ");
-		$sq->execute([$r->goal,$orsql,$config['FISCALYEAR'],$r->goal,$orsql,$config['FISCALYEAR']]);
+			ORDER BY status DESC, probability DESC, name");
+		$sq->execute([$r->goal, $orsql, $config['FISCALYEAR'], $r->goal, $orsql, $config['FISCALYEAR']]);
 		show_pdo_errors_if_any($pdo);
 		while ($sr = $sq->fetch(PDO::FETCH_OBJ)) {
 			echo "<tr id=\"sponsorships_$sr->id\" class=\"fundraising{$sr->status}\">";
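Review bot: Binding `$orsql` as the second `?` on lines 46 and 61 is only correct if `$orsql` now holds a bare goal value; its name suggests it was built as an SQL fragment (an `OR ...` clause) for the old string-built query, and its assignment lies outside this hunk, so I could not confirm what it contains. If it still holds a fragment, the second branch of the OR silently matches nothing and the listing narrows without any error from `show_pdo_errors_if_any`. Check the assignment site, and consider renaming the variable (e.g. `$altgoal`) or adding a comment above the `prepare` such as `// $orsql is an alternate goal name bound as a value, not an SQL fragment` so the intent survives the next edit. The enclosing loop and the `if` on the `@@` line start outside the hunk.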
diff --git a/admin/fundraising_reports_std.php b/admin/fundraising_reports_std.php
index fc13f0a8..e738050c 100644
--- a/admin/fundraising_reports_std.php
+++ b/admin/fundraising_reports_std.php
@@ -46,11 +46,11 @@ if ($id && $type) {
 			}
 			$sql = "SELECT * FROM fundraising_campaigns WHERE fiscalyear=? ";
 			if ($_GET['fundraising_campaigns_id']) {
-				$sql .= " AND id='" . intval($_GET['fundraising_campaigns_id']) . "'";
+				$sql .= " AND id=?";
 			}
 			$sql .= ' ORDER BY name';
 			$q = $pdo->prepare($sql);
-			$q->execute([$config['FISCALYEAR']]);
+			$q->execute([$config['FISCALYEAR'],intval($_GET['fundraising_campaigns_id'])]);
 			show_pdo_errors_if_any($pdo);
 			while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 				$rep->heading($r->name);
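Review bot: When `$_GET['fundraising_campaigns_id']` is empty, the SQL built on lines 78 to 83 has a single placeholder, but line 86 now always passes two values, so PDO rejects the execute with an invalid-parameter-number error and the unfiltered report path, which worked before this change, breaks. Build the parameter list alongside the SQL: `$params = [$config['FISCALYEAR']];` before the `if`, `$params[] = intval($_GET['fundraising_campaigns_id']);` inside it after the `$sql .=` line, and `$q->execute($params);` in place of line 86. The enclosing block starts outside the hunk.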
@@ -128,11 +128,11 @@ if ($id && $type) {
 			}
 			$sql = "SELECT * FROM fundraising_goals WHERE fiscalyear=? ";
 			if ($_GET['goal']) {
-				$sql .= " AND goal='" . $_GET['goal'] . "'";
+				$sql .= " AND goal=?";
 			}
 			$sql .= ' ORDER BY name';
 			$q = $pdo->prepare($sql);
-			$q->execute([$config['FISCALYEAR']]);
+			$q->execute([$config['FISCALYEAR'],$_GET['goal']]);
 			show_pdo_errors_if_any($pdo);
 
 			while ($r = $q->fetch(PDO::FETCH_OBJ)) {
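Review bot: Line 100 passes two values unconditionally, but the `AND goal=?` placeholder on line 95 is only appended when `$_GET['goal']` is set, so a request without `goal` now fails at execute with a parameter-count mismatch instead of listing all goals as it did before. Binding `$_GET['goal']` rather than concatenating it (removed line 94) does close a real injection hole, so keep that and just make the parameter list follow the SQL: `$params = [$config['FISCALYEAR']];` before the `if`, `$params[] = $_GET['goal'];` after the `$sql .=` line, and `$q->execute($params);` in place of line 100. The enclosing block starts outside the hunk.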
diff --git a/admin/fundraising_sponsorship_handler.inc.php b/admin/fundraising_sponsorship_handler.inc.php
index 83455364..a1a391cb 100644
--- a/admin/fundraising_sponsorship_handler.inc.php
+++ b/admin/fundraising_sponsorship_handler.inc.php
@@ -69,11 +69,7 @@ if ($_POST['action'] == 'sponsorshipadd') {
 		$stmt = $pdo->prepare("INSERT INTO fundraising_donations (sponsors_id,fundraising_type,value,status,probability,fiscalyear) VALUES (?,?,?,?,?,?)");
 		$stmt->execute([$sponsors_id,$fundraising_type,$value,$status,$probability,$config['FISCALYEAR']]);
 
-		$stmt = $pdo->prepare("INSERT INTO fundraising_donor_logs (sponsors_id,dt,users_id,log) VALUES (
-			?,
-			NOW(),
-			?,
-			'" . "Created sponsorship: type=?, value=\$?, status=?, probability=?%") . "')";
+		$stmt = $pdo->prepare("INSERT INTO fundraising_donor_logs (sponsors_id,dt,users_id,log) VALUES (?,NOW(),?, Created sponsorship: type=?, value=\$?, status=?, probability=?%) ");
 		happy_('Added new sponsorship');
 		$stmt->execute([$sponsors_id,$_SESSION['users_id'],$fundraising_type,$value,$status,$probability]);
 	} else
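Review bot: The rewritten INSERT on line 117 is not valid SQL: the `log` value `Created sponsorship: type=?, value=$?, ...` is no longer quoted, so the prepare (or, with emulated prepares, the execute) fails and every sponsorship add then proceeds with no donor-log row, while `happy_('Added new sponsorship')` on line 118 has already reported success and no `show_pdo_errors_if_any` call follows line 119 to surface the failure. Placeholders cannot live inside a string literal in either version, so format the message in PHP and bind it as one parameter: `$log = sprintf('Created sponsorship: type=%s, value=$%s, status=%s, probability=%s%%', $fundraising_type, $value, $status, $probability);`, then `$stmt = $pdo->prepare("INSERT INTO fundraising_donor_logs (sponsors_id,dt,users_id,log) VALUES (?,NOW(),?,?)");` and `$stmt->execute([$sponsors_id,$_SESSION['users_id'],$log]);`. Moving the `happy_()` call after the execute and adding `show_pdo_errors_if_any($pdo);` would keep the success message honest. The enclosing `if ($_POST['action'] == 'sponsorshipadd')` block starts and ends outside the hunk.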