use prepare statements for fundraising section where possible

2025-02-07 03:56:33 +00:00 · 2025-02-07 03:56:33 +00:00 · 2a8bb8209f
commit 2a8bb8209f
parent 5776e10151
4 changed files with 22 additions and 25 deletions
--- a/admin/fundraising_campaigns.php
+++ b/admin/fundraising_campaigns.php
@ -465,9 +465,9 @@ case 'managelist':
        print_r($_POST);
        if (is_array($_POST['prospectremovefromlist'])) {
            $uidlist = implode(',', $_POST['prospectremovefromlist']);
-            $query = "DELETE FROM fundraising_campaigns_users_link WHERE fundraising_campaigns_id=? AND users_uid IN (?)";
+            $query = "DELETE FROM fundraising_campaigns_users_link WHERE fundraising_campaigns_id=? AND users_uid IN ($uidlist)";
            $stmt = $pdo->prepare($query);
-            $stmt->execute([$campaignid,$uidlist]);
+            $stmt->execute([$campaignid]);
            show_pdo_errors_if_any($pdo);
        }
        // if theres nobody left in the list we need to reset the filter params as well
--- a/admin/fundraising_main.inc.php
+++ b/admin/fundraising_main.inc.php
@ -25,23 +25,24 @@ if ($_GET['action'] == 'fundraisingmain') {
 		$typetotal = 0;
 		$typeprobtotal = 0;
 		$sq = $pdo->prepare("
-            SELECT fundraising_donations.id, sponsors.organization AS name, fundraising_donations.value, fundraising_donations.status, fundraising_donations.probability
+			(SELECT fundraising_donations.id, sponsors.organization AS name, 
-	\t FROM fundraising_donations
+					fundraising_donations.value, fundraising_donations.status, fundraising_donations.probability
-	\t JOIN sponsors ON fundraising_donations.sponsors_id=sponsors.id
+			FROM fundraising_donations
-	\t  WHERE (fundraising_donations.fundraising_goal=? ?) 
+			JOIN sponsors ON fundraising_donations.sponsors_id = sponsors.id
-	\t  AND fundraising_donations.fiscalyear=?
+			WHERE (fundraising_donations.fundraising_goal = ? OR fundraising_donations.fundraising_goal = ?) 
 			AND fundraising_donations.fiscalyear = ?)
-          UNION
+			UNION
-        SELECT fundraising_donations.id, CONCAT(users.firstname,' ',users.lastname) AS name, fundraising_donations.value, fundraising_donations.status, fundraising_donations.probability
+			(SELECT fundraising_donations.id, CONCAT(users.firstname, ' ', users.lastname) AS name, 
-	\t FROM fundraising_donations
+					fundraising_donations.value, fundraising_donations.status, fundraising_donations.probability
-	\t JOIN users ON fundraising_donations.users_uid=users.uid
+			FROM fundraising_donations
-	\t  WHERE (fundraising_donations.fundraising_goal=? ?) 
+			JOIN users ON fundraising_donations.users_uid = users.uid
-	\t  AND fundraising_donations.fiscalyear=?
+			WHERE (fundraising_donations.fundraising_goal = ? OR fundraising_donations.fundraising_goal = ?) 
 			AND fundraising_donations.fiscalyear = ?)
-	\t  ORDER BY status DESC, probability DESC, name
+			ORDER BY status DESC, probability DESC, name");
-            ");
+		$sq->execute([$r->goal, $orsql, $config['FISCALYEAR'], $r->goal, $orsql, $config['FISCALYEAR']]);
 		$sq->execute([$r->goal,$orsql,$config['FISCALYEAR'],$r->goal,$orsql,$config['FISCALYEAR']]);
 		show_pdo_errors_if_any($pdo);
 		while ($sr = $sq->fetch(PDO::FETCH_OBJ)) {
 			echo "<tr id=\"sponsorships_$sr->id\" class=\"fundraising{$sr->status}\">";
--- a/admin/fundraising_reports_std.php
+++ b/admin/fundraising_reports_std.php
@ -46,11 +46,11 @@ if ($id && $type) {
 			}
 			$sql = "SELECT * FROM fundraising_campaigns WHERE fiscalyear=? ";
 			if ($_GET['fundraising_campaigns_id']) {
-				$sql .= " AND id='" . intval($_GET['fundraising_campaigns_id']) . "'";
+				$sql .= " AND id=?";
 			}
 			$sql .= ' ORDER BY name';
 			$q = $pdo->prepare($sql);
-			$q->execute([$config['FISCALYEAR']]);
+			$q->execute([$config['FISCALYEAR'],intval($_GET['fundraising_campaigns_id'])]);
 			show_pdo_errors_if_any($pdo);
 			while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 				$rep->heading($r->name);
@ -128,11 +128,11 @@ if ($id && $type) {
 			}
 			$sql = "SELECT * FROM fundraising_goals WHERE fiscalyear=? ";
 			if ($_GET['goal']) {
-				$sql .= " AND goal='" . $_GET['goal'] . "'";
+				$sql .= " AND goal=?";
 			}
 			$sql .= ' ORDER BY name';
 			$q = $pdo->prepare($sql);
-			$q->execute([$config['FISCALYEAR']]);
+			$q->execute([$config['FISCALYEAR'],$_GET['goal']]);
 			show_pdo_errors_if_any($pdo);
 			while ($r = $q->fetch(PDO::FETCH_OBJ)) {
--- a/admin/fundraising_sponsorship_handler.inc.php
+++ b/admin/fundraising_sponsorship_handler.inc.php
@ -69,11 +69,7 @@ if ($_POST['action'] == 'sponsorshipadd') {
 		$stmt = $pdo->prepare("INSERT INTO fundraising_donations (sponsors_id,fundraising_type,value,status,probability,fiscalyear) VALUES (?,?,?,?,?,?)");
 		$stmt->execute([$sponsors_id,$fundraising_type,$value,$status,$probability,$config['FISCALYEAR']]);
-		$stmt = $pdo->prepare("INSERT INTO fundraising_donor_logs (sponsors_id,dt,users_id,log) VALUES (
+		$stmt = $pdo->prepare("INSERT INTO fundraising_donor_logs (sponsors_id,dt,users_id,log) VALUES (?,NOW(),?, Created sponsorship: type=?, value=\$?, status=?, probability=?%) ");
 			?,
 			NOW(),
 			?,
 			'" . "Created sponsorship: type=?, value=\$?, status=?, probability=?%") . "')";
 		happy_('Added new sponsorship');
 		$stmt->execute([$sponsors_id,$_SESSION['users_id'],$fundraising_type,$value,$status,$probability]);
 	} else