Refactor SQL queries

This commit is contained in:
patrick 2025-02-09 17:24:37 +00:00
parent 21535cca63
commit 40175991df
164 changed files with 4202 additions and 4056 deletions


@ -44,19 +44,19 @@ else if (get_value_from_array($_POST, 'award_types_id'))
// first, we can only do this if we dont have any type=divisional awards created yet
$q = $pdo->prepare("SELECT COUNT(id) AS num FROM award_awards WHERE award_types_id='1' AND year='{$config['FAIRYEAR']}'");
$q->execute();
$q = $pdo->prepare("SELECT COUNT(id) AS num FROM award_awards WHERE award_types_id='1' AND year=?");
$q->execute([$config['FAIRYEAR']]);
$r = $q->fetch(PDO::FETCH_OBJ);
if ($r->num) {
echo error(i18n('%1 Divisional awards already exist. There must not be any divisional awards in order to run this wizard', array($r->num)));
} else {
$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY id");
$q->execute();
$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year=? ORDER BY id");
$q->execute([$config['FAIRYEAR']]);
while ($r = $q->fetch(PDO::FETCH_OBJ))
$div[$r->id] = $r->division;
$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY id");
$q->execute();
$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year=? ORDER BY id");
$q->execute([$config['FAIRYEAR']]);
while ($r = $q->fetch(PDO::FETCH_OBJ))
$cat[$r->id] = $r->category;
@ -64,8 +64,8 @@ if ($r->num) {
$ckeys = array_keys($cat);
if ($config['filterdivisionbycategory'] == 'yes') {
$q = $pdo->prepare("SELECT * FROM projectcategoriesdivisions_link WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY projectdivisions_id,projectcategories_id");
$q->execute();
$q = $pdo->prepare("SELECT * FROM projectcategoriesdivisions_link WHERE year=? ORDER BY projectdivisions_id,projectcategories_id");
$q->execute([$config['FAIRYEAR']]);
$divcat = array();
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
$divcat[] = array('c' => $r->projectcategories_id, 'd' => $r->projectdivisions_id);
@ -109,44 +109,42 @@ if ($r->num) {
echo i18n('Creating %1 - %2', array($c_category, $d_division)) . '<br />';
$q = $pdo->prepare("INSERT INTO award_awards (sponsors_id,award_types_id,name,criteria,`order`,year) VALUES (
'{$_GET['sponsors_id']}',
'1',
'$c_category - $d_division',
'" . i18n('Best %1 projects in the %2 division', array($c_category, $d_division)) . "',
'$ord',
'{$config['FAIRYEAR']}'
)");
$q->execute();
$q = $pdo->prepare("INSERT INTO award_awards (sponsors_id, award_types_id, name, criteria, `order`, year)
VALUES (?, '1', ?, ?, ?, ?)");
$q->execute([$_GET['sponsors_id'], i18n('Best %1 projects in the %2 division', [$c_category, $d_division]),
$c_category, $ord, $config['FAIRYEAR']]);
show_pdo_errors_if_any($pdo);
$award_awards_id = $pdo->lastInsertId();
$q = $pdo->prepare("INSERT INTO award_awards_projectcategories (award_awards_id,projectcategories_id,year) VALUES ('$award_awards_id','$c_id','{$config['FAIRYEAR']}')");
$q->execute();
$q = $pdo->prepare("INSERT INTO award_awards_projectcategories (award_awards_id,projectcategories_id,year) VALUES (?,?,?");
$q->execute([$award_awards_id,$c_id,$config['FAIRYEAR']]);
$q = $pdo->prepare("INSERT INTO award_awards_projectdivisions (award_awards_id,projectdivisions_id,year) VALUES ('$award_awards_id','$d_id','{$config['FAIRYEAR']}')");
$q->execute();
$q = $pdo->prepare("INSERT INTO award_awards_projectdivisions (award_awards_id,projectdivisions_id,year) VALUES (?,?,?)");
$q->execute([$award_awards_id,$d_id,$config['FAIRYEAR']]);
$ord++;
echo '&nbsp;&nbsp;' . i18n('Prizes: ');
foreach ($prizes AS $prize) {
$q = $pdo->prepare("INSERT INTO award_prizes (award_awards_id,cash,scholarship,value,prize,number,`order`,excludefromac,trophystudentkeeper,trophystudentreturn,trophyschoolkeeper,trophyschoolreturn,year) VALUES (
'$award_awards_id',
'{$prize['cash']}',
'{$prize['scholarship']}',
'{$prize['value']}',
'{$prize['prize']}',
'{$prize['number']}',
'{$prize['order']}',
'{$prize['excludefromac']}',
'{$prize['trophystudentkeeper']}',
'{$prize['trophystudentreturn']}',
'{$prize['trophyschoolkeeper']}',
'{$prize['trophyschoolreturn']}',
'{$config['FAIRYEAR']}'
)");
$q = $pdo->prepare("INSERT INTO award_prizes (award_awards_id, cash, scholarship, value, prize, number, `order`, excludefromac, trophystudentkeeper, trophystudentreturn, trophyschoolkeeper, trophyschoolreturn, year)
VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)");
$q->execute([
$award_awards_id,
$prize['cash'],
$prize['scholarship'],
$prize['value'],
$prize['prize'],
$prize['number'],
$prize['order'],
$prize['excludefromac'],
$prize['trophystudentkeeper'],
$prize['trophystudentreturn'],
$prize['trophyschoolkeeper'],
$prize['trophyschoolreturn'],
$config['FAIRYEAR']
]);
$q->execute();
echo $prize['prize'] . ',';
}
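Review bot: The award_awards INSERT in the last hunk binds its values in the wrong order — the `name` placeholder receives the i18n criteria text and the `criteria` placeholder receives bare `$c_category`, and the `" - $d_division"` suffix the old name carried is gone; the execute should read `$q->execute([$_GET['sponsors_id'], "$c_category - $d_division", i18n('Best %1 projects in the %2 division', [$c_category, $d_division]), $ord, $config['FAIRYEAR']]);`. The award_awards_projectcategories INSERT in the same hunk is missing the closing parenthesis after `VALUES (?,?,?`, so that statement fails for every division/category pair. The prize loop keeps a second, argument-less `$q->execute();` after the parameterised call; depending on how the driver treats the previously bound values this either throws for missing parameters or inserts each prize twice, so it should be deleted. `sponsors_id` is still read straight from `$_GET`; binding it closes the injection path, but an `intval()` would document the expected type. The enclosing block starts before the first hunk.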


@ -33,8 +33,8 @@ $_GET['action'] = $_GET['action'] ?? '';
switch ($_GET['action']) {
case 'awardinfo_load':
$id = intval(get_value_from_array($_GET, 'id'));
$q = $pdo->prepare("SELECT * FROM award_awards WHERE id='$id'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM award_awards WHERE id=?");
$q->execute([$id]);
$ret = $q->fetch(PDO::FETCH_ASSOC);
// json_encode NEEDS UTF8 DATA, but we store it in the database as ISO :(
@ -57,8 +57,8 @@ switch ($_GET['action']) {
if ($id == -1) {
$q = $pdo->prepare("INSERT INTO award_awards (year,self_nominate,schedule_judges)
VALUES ('{$config['FAIRYEAR']}','yes','yes')");
$q->execute();
VALUES (?,'yes','yes')");
$q->execute([$config['FAIRYEAR']]);
$id = $pdo->lastInsertId();
happy_('Award Created');
/* Set the award_id in the client */
@ -83,9 +83,9 @@ switch ($_GET['action']) {
criteria='" . iconv('UTF-8', 'ISO-8859-1', stripslashes($_POST['criteria'])) . "',
sponsors_id='" . intval($_POST['sponsors_id']) . "' ";
}
$q .= "WHERE id='$id'";
$q .= "WHERE id=?";
$q = $pdo->prepare($q);
$q->execute();
$q->execute([$id]);
print_r($_POST);
echo $q;
show_pdo_errors_if_any($pdo);
@ -97,15 +97,15 @@ switch ($_GET['action']) {
// select the current categories that this award is linked to
$ret = array('categories' => array(), 'divisions' => array());
$q = $pdo->prepare("SELECT * FROM award_awards_projectcategories WHERE award_awards_id='$id'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM award_awards_projectcategories WHERE award_awards_id=?");
$q->execute([$id]);
while ($r = $q->fetch(PDO::FETCH_ASSOC)) {
$ret['categories'][] = $r['projectcategories_id'];
}
// select the current categories that this award is linked to
$q = $pdo->$prepare("SELECT * FROM award_awards_projectdivisions WHERE award_awards_id='$id'");
$q->execute();
$q = $pdo->$prepare("SELECT * FROM award_awards_projectdivisions WHERE award_awards_id=?");
$q->execute([$id]);
while ($r = $q->fetch(PDO::FETCH_ASSOC)) {
$ret['divisions'][] = $r['projectdivisions_id'];
}
@ -122,8 +122,8 @@ switch ($_GET['action']) {
}
// wipe out any old award-category links
$q = $pdo->prepare("DELETE FROM award_awards_projectcategories WHERE award_awards_id='$id'");
$q->execute();
$q = $pdo->prepare("DELETE FROM award_awards_projectcategories WHERE award_awards_id=?");
$q->execute([$id]);
foreach ($_POST['categories'] AS $key => $cat) {
$c = intval($cat);
$q = $pdo->prepare('INSERT INTO award_awards_projectcategories (award_awards_id, projectcategories_id, year)
@ -138,8 +138,8 @@ switch ($_GET['action']) {
// wipe out any old award-divisions links
$q = $pdo->prepare("DELETE FROM award_awards_projectdivisions WHERE award_awards_id='$id'");
$q->execute();
$q = $pdo->prepare("DELETE FROM award_awards_projectdivisions WHERE award_awards_id=?");
$q->execute([$id]);
// now add the new ones
foreach ($_POST['divisions'] AS $key => $div) {
@ -165,8 +165,8 @@ switch ($_GET['action']) {
continue;
$order++;
$q = $pdo->prepare("UPDATE `award_prizes` SET `order`='$order' WHERE `id`='$id'");
$q->execute();
$q = $pdo->prepare("UPDATE `award_prizes` SET `order`=? WHERE `id`=?");
$q->execute([$order, $id]);
}
// print_r($_GET);
happy_('Order Updated.');
@ -179,8 +179,8 @@ switch ($_GET['action']) {
continue;
$order++;
$q = $pdo->prepare("UPDATE `award_awards` SET `order`='$order' WHERE `id`='$id'");
$q->execute();
$q = $pdo->prepare("UPDATE `award_awards` SET `order`=? WHERE `id`=?");
$q->execute([$order, $id]);
}
happy_('Order updated');
exit;
@ -191,8 +191,8 @@ switch ($_GET['action']) {
$q = $pdo->prepare("SELECT * FROM award_prizes WHERE year='-1' AND award_awards_id='0' ORDER BY `order`");
$q->execute();
} else {
$q = $pdo->prepare("SELECT * FROM award_prizes WHERE award_awards_id='$id' ORDER BY `order`");
$q->execute();
$q = $pdo->prepare("SELECT * FROM award_prizes WHERE award_awards_id=? ORDER BY `order`");
$q->execute([$id]);
}
while ($r = $q->fetch(PDO::FETCH_ASSOC)) {
foreach ($r AS $k => $v) {
@ -205,8 +205,8 @@ switch ($_GET['action']) {
case 'prize_load':
$id = intval($_GET['id']);
$q = $pdo->prepare("SELECT * FROM award_prizes WHERE id='$id'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM award_prizes WHERE id=?");
$q->execute([$id]);
$ret = $q->fetch(PDO::FETCH_ASSOC);
foreach ($ret AS $k => $v) {
$ret[$k] = iconv('ISO-8859-1', 'UTF-8', $v);
@ -276,8 +276,8 @@ switch ($_GET['action']) {
$id = intval($_GET['id']);
/* Prepare two lists of fair IDs, for which fairs can upload and download this award */
$q = $pdo->prepare("SELECT * FROM fairs_awards_link WHERE award_awards_id='$id'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM fairs_awards_link WHERE award_awards_id=?");
$q->execute([$id]);
$ul = array();
$dl = array();
while ($r = $q->fetch(PDO::FETCH_ASSOC)) {
@ -287,8 +287,8 @@ switch ($_GET['action']) {
$dl[$r['fairs_id']] = true;
}
$q = $pdo->prepare("SELECT * FROM award_awards WHERE id='$id'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM award_awards WHERE id=?");
$q->execute([$id]);
$a = $q->fetch(PDO::FETCH_ASSOC);
?>
<h4><?= i18n('Feeder Fairs') ?></h4>
@ -354,16 +354,16 @@ switch ($_GET['action']) {
/* Now save each one */
$q = $pdo->prepare("DELETE FROM fairs_awards_link WHERE award_awards_id='$id'");
$q->execute();
$q = $pdo->prepare("DELETE FROM fairs_awards_link WHERE award_awards_id=?");
$q->execute([$id]);
show_pdo_errors_if_any($pdo);
foreach ($data as $fairs_id => $f) {
$dl = ($f['dl'] == true) ? 'yes' : 'no';
$ul = ($f['ul'] == true) ? 'yes' : 'no';
$q = $pdo->prepare("INSERT INTO fairs_awards_link (award_awards_id,fairs_id,download_award,upload_winners)
VALUES ('$id','$fairs_id','$dl','$ul')");
$q->execute();
VALUES (?,?,?,?)");
$q->execute([$id,$fairs_id,$dl,$ul]);
show_pdo_errors_if_any($pdo);
}
$ident = stripslashes($_POST['identifier']);
@ -371,12 +371,12 @@ switch ($_GET['action']) {
$mat = intval($_POST['additional_materials']);
$w = intval($_POST['register_winners']);
$q = $pdo->prepare("UPDATE award_awards SET external_identifier='$ident',
external_additional_materials='$mat',
external_register_winners='$w',
per_fair='$per_fair'
WHERE id='$id'");
$q->execute();
$q = $pdo->prepare("UPDATE award_awards SET external_identifier=?,
external_additional_materials=?,
external_register_winners=?,
per_fair=?
WHERE id=?");
$q->execute([[$ident, $mat,$w],$per_fair,$id]);
happy_('Feeder Fair information saved');
exit;
@ -729,8 +729,8 @@ while ($sr = $sq->fetch(PDO::FETCH_OBJ)) {
</td></tr>
<tr><td><?= i18n('Type') ?>:</td><td>
<?
$tq = $pdo->prepare("SELECT id,type FROM award_types WHERE year='{$config['FAIRYEAR']}' ORDER BY type");
$tq->execute();
$tq = $pdo->prepare("SELECT id,type FROM award_types WHERE year=? ORDER BY type");
$tq->execute([$config['FAIRYEAR']]);
echo '<select id="awardinfo_award_types_id" name="award_types_id">';
// only show the "choose a type" option if we are adding,if we are editing, then they must have already chosen one.
echo $firsttype;
@ -1110,14 +1110,14 @@ award_awards
LEFT JOIN sponsors ON sponsors.id = award_awards.sponsors_id
LEFT JOIN award_types ON award_types.id = award_awards.award_types_id
WHERE
award_awards.year='{$config['FAIRYEAR']}'
award_awards.year=?
$where_asi
$where_ati
AND \taward_types.year='{$config['FAIRYEAR']}'
AND \taward_types.year=?
$orderby
");
$q->execute();
$q->execute([$config['FAIRYEAR'],$config['FAIRYEAR']]);
show_pdo_errors_if_any($pdo);
@ -1147,8 +1147,8 @@ if ($q->rowCount()) {
echo " <td $eh>{$r->type}</td>\n";
echo " <td $eh>{$r->name}</td>\n";
$numq = $pdo->prepare("SELECT SUM(number) AS num FROM award_prizes WHERE award_awards_id='{$r->id}'");
$numq->execute();
$numq = $pdo->prepare("SELECT SUM(number) AS num FROM award_prizes WHERE award_awards_id=?");
$numq->execute([$r->id]);
$numr = $numq->fetch(PDO::FETCH_ASSOC);
if (!$numr['num'])
$numr['num'] = 0;
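Review bot: The feeder-fair UPDATE in the `@ -371` hunk binds a nested array — `$q->execute([[$ident, $mat,$w],$per_fair,$id]);` supplies three values (the first itself an array) for five placeholders; it should be `$q->execute([$ident, $mat, $w, $per_fair, $id]);`. In the `@ -83` hunk only the `WHERE id=?` clause was parameterised while the SET clause built just above it, partly outside the hunk, still concatenates `stripslashes($_POST['criteria'])` and `sponsors_id` into `$q`, so that statement remains string-built from request input; those values should move into the execute array alongside `$id`. The two `$pdo->$prepare(` calls in the `@ -97` hunk invoke a method named by an undefined variable and were carried over unchanged; they should read `$pdo->prepare(`. The `print_r($_POST); echo $q;` lines following the prepare predate this commit, but `$q` is now a PDOStatement and echoing it throws, so they are worth removing in the same pass.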


@ -72,8 +72,8 @@ switch (get_value_from_array($_GET, 'action')) {
// get a list of all the existing awards for this external source
$aq = $pdo->prepare("SELECT * FROM award_awards WHERE award_source_fairs_id='$fairs_id' AND year='{$config['FAIRYEAR']}'");
$aq->execute();
$aq = $pdo->prepare("SELECT * FROM award_awards WHERE award_source_fairs_id=? AND year=?");
$aq->execute([$fairs_id,$config['FAIRYEAR']]);
$existingawards = array();
while ($ar = $aq->fetch(PDO::FETCH_OBJ)) {
$existingawards[$ar->id] = true;
@ -109,29 +109,29 @@ switch (get_value_from_array($_GET, 'action')) {
}
$tq = $pdo->prepare("SELECT * FROM award_awards WHERE
external_identifier='$identifier' AND
award_source_fairs_id='$fairs_id' AND
year='$year'");
$tq->execute();
external_identifier=? AND
award_source_fairs_id=? AND
year=?");
$tq->execute([$identifier,$fairs_id,$year]);
if ($tq->rowCount() == 0) {
/* Award doesn't exist, create it, then update it with the common code below */
$q = $pdo->prepare("INSERT INTO award_awards (award_types_id,
year, external_identifier,
award_source_fairs_id)
VALUES (2,'{$year}',
'" . $identifier . "',
'$fairs_id')");
$q->execute();
VALUES (2,?,
?,
?)");
$q->execute([$year,$identifier,$fairs_id]);
$award_id = $pdo->lastInsertId();
/* By default make all divs/cats eligible */
foreach ($divs as $id => $d)
$q = $pdo->prepare("INSERT INTO award_awards_projectdivisions(award_awards_id,projectdivisions_id,year) VALUES ('$award_id','$id','{$config['FAIRYEAR']}')");
$q->execute();
$q = $pdo->prepare("INSERT INTO award_awards_projectdivisions(award_awards_id,projectdivisions_id,year) VALUES (?,?,?)");
$q->execute([$award_id,$id,$config['FAIRYEAR']]);
foreach ($cats as $id => $c)
$q = $pdo->prepare("INSERT INTO award_awards_projectcategories(award_awards_id,projectcategories_id,year) VALUES ('$award_id','$id','{$config['FAIRYEAR']}')");
$q->execute();
$q = $pdo->prepare("INSERT INTO award_awards_projectcategories(award_awards_id,projectcategories_id,year) VALUES (?,?,?)");
$q->execute([$award_id,$id,$config['FAIRYEAR']]);
} else {
echo i18n('Award already exists, updating info') . '<br />';
$awardrecord = $q->fetch(PDO::FETCH_OBJ);
@ -144,14 +144,14 @@ switch (get_value_from_array($_GET, 'action')) {
// check if the sponsor exists, if not, add them
$sponsor_str = $award['sponsor'];
$sponsorq = $pdo->prepare("SELECT * FROM sponsors WHERE organization='$sponsor_str'");
$sponsorq->execute();
$sponsorq = $pdo->prepare("SELECT * FROM sponsors WHERE organization=?");
$sponsorq->execute([$sponsor_str]);
if ($sponsorr = $sponsorq->fetch(PDO::FETCH_OBJ)) {
$sponsor_id = $sponsorr->id;
} else {
$q = $pdo->prepare("INSERT INTO sponsors (organization,year,notes)
VALUES ('$sponsor_str','$year','" . "Imported from external source: $r->name" . "')");
$q->execute();
VALUES (?,?,'" . "Imported from external source: $r->name" . "')");
$q->execute([$sponsor_str,$year]);
show_pdo_errors_if_any($pdo);
$sponsor_id = $pdo->lastInsertId();
}
@ -159,21 +159,33 @@ switch (get_value_from_array($_GET, 'action')) {
$self_nominate = ($award['self_nominate'] == 'yes') ? 'yes' : 'no';
$schedule_judges = ($award['schedule_judges'] == 'yes') ? 'yes' : 'no';
$q = $pdo->prepare("UPDATE award_awards SET
sponsors_id='$sponsor_id',
name='" . $award['name_en'] . "',
criteria='" . $award['criteria_en'] . "',
external_postback='" . $postback . "',
external_register_winners='" . (($award['external_register_winners'] == 1) ? 1 : 0) . "',
external_additional_materials='" . (($award['external_additional_materials'] == 1) ? 1 : 0) . "',
self_nominate='$self_nominate',
schedule_judges='$schedule_judges'
WHERE
id='$award_id'
AND external_identifier='" . $identifier . "'
AND year='$year'
");
$q->execute();
$q = $pdo->prepare("UPDATE award_awards SET
sponsors_id = ?,
name = ?,
criteria = ?,
external_postback = ?,
external_register_winners = ?,
external_additional_materials = ?,
self_nominate = ?,
schedule_judges = ?
WHERE id = ?
AND external_identifier = ?
AND year = ?");
$q->execute([
$sponsor_id,
$award['name_en'],
$award['criteria_en'],
$postback,
($award['external_register_winners'] == 1) ? 1 : 0,
($award['external_additional_materials'] == 1) ? 1 : 0,
$self_nominate,
$schedule_judges,
$award_id,
$identifier,
$year
]);
show_pdo_errors_if_any($pdo);
// update the prizes
@ -185,8 +197,8 @@ switch (get_value_from_array($_GET, 'action')) {
echo i18n('Number of prizes: %1', array(count($prizes))) . '<br />';
/* Get existing prizes */
$pq = $pdo->prepare("SELECT * FROM award_prizes WHERE award_awards_id='$award_id'");
$pq->execute();
$pq = $pdo->prepare("SELECT * FROM award_prizes WHERE award_awards_id=?");
$pq->execute([$award_id]);
$existingprizes = array();
while ($pr = $pq->fetch(PDO::FETCH_ASSOC))
$existingprizes[$pr['prize']] = $pr;
@ -204,8 +216,8 @@ switch (get_value_from_array($_GET, 'action')) {
$p = stripslashes($prize['prize_en']);
$q = $pdo->prepare("INSERT INTO award_prizes (award_awards_id,prize,year,external_identifier)
VALUES ('$award_id','$p','$year','$p')");
$q->execute();
VALUES (?,?,?,?)");
$q->execute([$award_id,$p,$year,$p]);
$prize_id = $pdo->lastInsertId();
} else {
$ep = $existingprizes[$prize['prize_en']];
@ -218,22 +230,35 @@ switch (get_value_from_array($_GET, 'action')) {
if (!array_key_exists('identifier', $prize))
$prize['identifier'] = $prize['prize_en'];
$q = $pdo->prepare("UPDATE award_prizes SET
cash='" . intval($prize['cash']) . "',
scholarship='" . intval($prize['scholarship']) . "',
value='" . intval($prize['value']) . "',
prize='" . $prize['prize_en'] . "',
number='" . intval($prize['number']) . "',
`order`='" . intval($prize['ord']) . "',
external_identifier='" . stripslashes($prize['identifier']) . "',
trophystudentkeeper='" . intval($prize['trophystudentkeeper']) . "',
trophystudentreturn='" . intval($prize['trophystudentreturn']) . "',
trophyschoolkeeper='" . intval($prize['trophyschoolkeeper ']) . "',
trophyschoolreturn='" . intval($prize['trophyschoolreturn']) . "'
WHERE
id='$prize_id'");
$q->execute();
$q = $pdo->prepare("UPDATE award_prizes SET
cash =?,
scholarship =?,
value =?,
prize =?,
number =?,
`order` =?,
external_identifier =?,
trophystudentkeeper =?,
trophystudentreturn =?,
trophyschoolkeeper =?,
trophyschoolreturn =?
WHERE id =?");
$q->execute([
intval($prize['cash']),
intval($prize['scholarship']),
intval($prize['value']),
$prize['prize_en'],
intval($prize['number']),
intval($prize['ord']),
stripslashes($prize['identifier']),
intval($prize['trophystudentkeeper']),
intval($prize['trophystudentreturn']),
intval($prize['trophyschoolkeeper']),
intval($prize['trophyschoolreturn']),
$prize_id
]);
show_pdo_errors_if_any($pdo);
// FIXME: update the translations
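Review bot: The sponsors INSERT in the `@ -144` hunk still interpolates `$r->name` into the notes column (`'" . "Imported from external source: $r->name" . "'`) while the other two values were parameterised; make the values `VALUES (?,?,?)` and bind with `$q->execute([$sponsor_str, $year, "Imported from external source: $r->name"]);`. In the `@ -109` hunk the two brace-less `foreach` loops over `$divs` and `$cats` still cover only the `prepare` call, so the following `$q->execute([...])` runs once after each loop and only the last division and category link is inserted; wrap prepare and execute together in `{ }`. The `$awardrecord = $q->fetch(PDO::FETCH_OBJ);` in the else branch reads from `$q` although the lookup was executed on `$tq`; this predates the commit, but the rewrite of that statement is the right moment to correct it.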


@ -69,7 +69,8 @@ function get_winners($awardid, $fairs_id)
if ($awardid == -1) {
/* Get all for this fair */
$q = $pdo->prepare("SELECT * FROM award_awards WHERE award_source_fairs_id='$fairs_id' AND year='{$config['FAIRYEAR']}'");
$q = $pdo->prepare("SELECT * FROM award_awards WHERE award_source_fairs_id=? AND year=?");
$q->execute([$fairs_id,$config['FAIRYEAR']]);
if ($q->rowCount() == 0) {
error_("Can't find award id $awardid");
return false;
@ -80,8 +81,8 @@ function get_winners($awardid, $fairs_id)
} else {
/* Get the award */
$q = $pdo->prepare("SELECT * FROM award_awards WHERE id='$awardid' AND year='{$config['FAIRYEAR']}'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM award_awards WHERE id=? AND year=?");
$q->execute([$awardid,$config['FAIRYEAR']]);
if ($q->rowCount() != 1) {
error_("Can't find award id $awardid");
return false;
@ -92,8 +93,8 @@ function get_winners($awardid, $fairs_id)
/* Get the fair for the div/cat mappings */
$q = $pdo->prepare("SELECT * FROM fairs WHERE id='{$award['award_source_fairs_id']}'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM fairs WHERE id=?");
$q->execute([$award['award_source_fairs_id']]);
$fair = $q->fetch(PDO::FETCH_ASSOC);
$catmap = unserialize($fair['catmap']);
@ -113,8 +114,8 @@ function get_winners($awardid, $fairs_id)
/* Get the prizes */
$q = $pdo->prepare("SELECT * FROM award_prizes WHERE award_awards_id='{$award['id']}'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM award_prizes WHERE award_awards_id=?");
$q->execute([$award['id']]);
while ($prize = $q->fetch(PDO::FETCH_ASSOC)) {
$pid = $prize['id'];
@ -122,24 +123,24 @@ function get_winners($awardid, $fairs_id)
LEFT JOIN winners ON winners.awards_prizes_id=award_prizes.id
LEFT JOIN projects ON projects.id=winners.projects_id
WHERE
awards_prizes_id='$pid' AND
winners.year='{$config['FAIRYEAR']}'");
$wq->execute();
awards_prizes_id=? AND
winners.year=?");
$wq->execute([$pid,$config['FAIRYEAR']]);
show_pdo_errors_if_any($pdo);
/* Get all projects assigned to this prize */
$prizewinners = array();
while ($project = $wq->fetch(PDO::FETCH_ASSOC)) {
/* Get the students */
$sq = $pdo->prepare("SELECT * FROM students WHERE registrations_id='{$project['registrations_id']}'
AND year='{$config['FAIRYEAR']}'");
$sq->execute();
$sq = $pdo->prepare("SELECT * FROM students WHERE registrations_id=?
AND year=?");
$sq->execute([$project['registrations_id'],$config['FAIRYEAR']]);
$students = array();
while ($s = $sq->fetch(PDO::FETCH_ASSOC)) {
/* Get the student's school */
$schoolq = $pdo->prepare("SELECT * FROM schools WHERE id='{$s['schools_id']}'");
$schoolq->execute();
$schoolq = $pdo->prepare("SELECT * FROM schools WHERE id=?");
$schoolq->execute([$s['schools_id']]);
$schoolr = $schoolq->fetch(PDO::FETCH_ASSOC);
$school = array('xml_type' => 'school'); /* for ysc compatability */
foreach ($school_fields as $k => $v)
@ -191,8 +192,8 @@ function count_winners($awardid, $fairs_id)
if ($awardid == -1) {
/* Get all for this fair */
$q = $pdo->prepare("SELECT * FROM award_awards WHERE award_source_fairs_id='$fairs_id' AND year='{$config['FAIRYEAR']}'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM award_awards WHERE award_source_fairs_id=? AND year=?");
$q->execute([$fairs_id,$config['FAIRYEAR']]);
if ($q->rowCount() == 0) {
error_("Can't find award id $awardid");
return 0;
@ -203,8 +204,8 @@ function count_winners($awardid, $fairs_id)
} else {
/* Get the award */
$q = $pdo->prepare("SELECT * FROM award_awards WHERE id='$awardid' AND year='{$config['FAIRYEAR']}'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM award_awards WHERE id=? AND year=?");
$q->execute([$awardid,$config['FAIRYEAR']]);
if ($q->rowcount() != 1) {
error_("Can't find award id $awardid");
return 0;
@ -216,8 +217,8 @@ function count_winners($awardid, $fairs_id)
foreach ($awards as $award) {
/* Get the prizes */
$q = $pdo->prepare("SELECT * FROM award_prizes WHERE award_awards_id='{$award['id']}'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM award_prizes WHERE award_awards_id=?");
$q->execute([$award['id']]);
while ($prize = $q->fetch(PDO::FETCH_ASSOC)) {
$pid = $prize['id'];
@ -225,9 +226,9 @@ function count_winners($awardid, $fairs_id)
LEFT JOIN winners ON winners.awards_prizes_id=award_prizes.id
LEFT JOIN projects ON projects.id=winners.projects_id
WHERE
awards_prizes_id='$pid' AND
winners.year='{$config['FAIRYEAR']}'");
$wq->execute();
awards_prizes_id=? AND
winners.year=?");
$wq->execute([$pid,$config['FAIRYEAR']]);
$wc = $wq->fetch(PDO::FETCH_ASSOC);
$count += $wc['C'];
}
@ -239,8 +240,8 @@ function load_server_cats_divs($fairs_id)
{
global $config, $pdo;
$q = $pdo->prepare("SELECT * FROM fairs WHERE id='$fairs_id'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM fairs WHERE id=?");
$q->execute([$fairs_id]);
$fair = $q->fetch(PDO::FETCH_ASSOC);
$req = array('get_categories' => array('year' => $config['FAIRYEAR']),
@ -254,8 +255,8 @@ function load_server_cats_divs($fairs_id)
$catmap = array();
/* Load ours */
$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year='{$config['FAIRYEAR']}' ORDER BY mingrade");
$q->execute();
$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year=? ORDER BY mingrade");
$q->execute([$config['FAIRYEAR']]);
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
foreach ($data['categories'] as $id => $c) {
if ($c['mingrade'] == $r->mingrade) {
@ -270,8 +271,8 @@ function load_server_cats_divs($fairs_id)
} else {
$ret['divmap'] = array();
$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year='{$config['FAIRYEAR']}' ORDER BY id");
$q->execute();
$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year=? ORDER BY id");
$q->execute([$config['FAIRYEAR']]);
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
$lowest = 999;
$lowest_id = 0;
@ -300,8 +301,8 @@ switch (get_value_from_array($_GET, 'action')) {
/* Get the fair */
$q = $pdo->prepare("SELECT * FROM fairs WHERE id='$fairs_id}'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM fairs WHERE id=?");
$q->execute([$fairs_id]);
$fair = $q->fetch(PDO::FETCH_ASSOC);
echo '<br />';
@ -393,8 +394,8 @@ switch (get_value_from_array($_GET, 'action')) {
list($c, $d, $cm, $dm) = load_server_cats_divs($fairs_id);
$divs = projectdivisions_load();
$q = $pdo->prepare("SELECT * FROM fairs WHERE id='$fairs_id}'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM fairs WHERE id=?");
$q->execute([$fairs_id]);
$fair = $q->fetch(PDO::FETCH_ASSOC);
?> <h4><?= i18n('Division Mapping') ?></h4>
@ -439,9 +440,9 @@ switch (get_value_from_array($_GET, 'action')) {
$catmap = serialize($cat);
$divmap = serialize($div);
$q = $pdo->prepare("UPDATE fairs SET catmap='$catmap',divmap='$divmap' WHERE id='$fairs_id'");
$q = $pdo->prepare("UPDATE fairs SET catmap=?,divmap=? WHERE id=?");
$q->execute();
$q->execute([$catmap,$divmap,$fairs_id]);
show_pdo_errors_if_any($pdo);
happy_('Category/Division mapping information saved');
@ -450,12 +451,12 @@ switch (get_value_from_array($_GET, 'action')) {
case 'additional_materials':
$award_awards_id = intval($_GET['award_awards_id']);
$q = $pdo->prepare("SELECT award_source_fairs_id,external_identifier FROM award_awards WHERE id='$award_awards_id'");
$q->execute();
$q = $pdo->prepare("SELECT award_source_fairs_id,external_identifier FROM award_awards WHERE id=?");
$q->execute([$award_awards_id]);
$a = $q->fetch(PDO::FETCH_ASSOC);
$q = $pdo->prepare("SELECT * FROM fairs WHERE id='{$a['award_source_fairs_id']}'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM fairs WHERE id=?");
$q->execute([$a['award_source_fairs_id']]);
$fair = $q->fetch(PDO::FETCH_ASSOC);
$req = array('award_additional_materials' => array(
'year' => $config['FAIRYEAR'],
@ -474,8 +475,8 @@ switch (get_value_from_array($_GET, 'action')) {
$winners = get_winners($award_awards_id, $fairs_id);
$divs = projectdivisions_load();
$q = $pdo->prepare("SELECT * FROM fairs WHERE id='$fairs_id}'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM fairs WHERE id=?");
$q->execute([$fairs_id]);
$fair = $q->fetch(PDO::FETCH_ASSOC);
echo i18n("The following list of winning projects/students will be sent to: <b>%1</b>. Use the 'Edit Default Division Assignments' button to change the default mappings for divisions. You can over-ride any division assignment by changing it in the list below. Category assignments are done automatically based on grade. When you are happy with the list below, click the 'Upload Winners' button.", array($fair['name']));
@ -702,10 +703,10 @@ if (!function_exists('curl_init')) {
$q = $pdo->prepare("SELECT fairs.id, fairs.name, fairs.type, COUNT(award_awards.id) as AWARD_COUNT FROM fairs
LEFT JOIN award_awards ON award_awards.award_source_fairs_id=fairs.id
WHERE award_awards.award_source_fairs_id IS NOT NULL
AND award_awards.year='{$config['FAIRYEAR']}'
AND award_awards.year=?
GROUP BY fairs.id
ORDER BY fairs.name ");
$q->execute();
$q->execute([$config['FAIRYEAR']]);
show_pdo_errors_if_any($pdo);
?>
@ -747,9 +748,9 @@ $q = $pdo->prepare("SELECT award_awards.id, award_awards.name AS awardname,
FROM award_awards
LEFT JOIN fairs ON fairs.id=award_awards.award_source_fairs_id
WHERE award_awards.award_source_fairs_id IS NOT NULL
AND award_awards.year='{$config['FAIRYEAR']}'
AND award_awards.year=?
ORDER BY fairs.name, award_awards.name");
$q->execute();
$q->execute([$config['FAIRYEAR']]);
show_pdo_errors_if_any($pdo);
?>


@ -27,8 +27,8 @@ function award_delete($award_awards_id)
{
/* Delete all winners attached to this award */
$q = $pdo->prepare("SELECT id FROM award_prizes WHERE award_awards_id='$award_awards_id'");
$q->execute();
$q = $pdo->prepare("SELECT id FROM award_prizes WHERE award_awards_id=?");
$q->execute([$award_awards_id]);
while (($p = $q->fetch(PDO::FETCH_ASSOC))) {
$q = $pdo->prepare();
@ -40,26 +40,26 @@ function award_delete($award_awards_id)
/* Delete the award */
$q = $pdo->prepare("DELETE FROM award_prizes WHERE award_awards_id='$award_awards_id'");
$q->execute();
$q = $pdo->prepare("DELETE FROM award_prizes WHERE award_awards_id=?");
$q->execute([$award_awards_id]);
$q = $pdo->prepare("DELETE FROM award_awards_projectcategories WHERE award_awards_id='$award_awards_id'");
$q->execute();
$q = $pdo->prepare("DELETE FROM award_awards_projectcategories WHERE award_awards_id=?");
$q->execute([$award_awards_id]);
$q = $pdo->prepare("DELETE FROM award_awards_projectdivisions WHERE award_awards_id='$award_awards_id'");
$q->execute();
$q = $pdo->prepare("DELETE FROM award_awards_projectdivisions WHERE award_awards_id=?");
$q->execute([$award_awards_id]);
$q = $pdo->prepare("DELETE FROM award_awards WHERE id='$award_awards_id'");
$q->execute();
$q = $pdo->prepare("DELETE FROM award_awards WHERE id=?");
$q->execute([$award_awards_id]);
}
function award_prize_delete($award_prizes_id)
{
$q = $pdo->prepare("DELETE FROM winners WHERE award_prizes_id='$award_prizes_id'");
$q->execute();
$q = $pdo->prepare("DELETE FROM winners WHERE award_prizes_id=?");
$q->execute([$award_prizes_id]);
$q = $pdo->prepare("DELETE FROM award_prizes WHERE id='$award_prizes_id'");
$q->execute();
$q = $pdo->prepare("DELETE FROM award_prizes WHERE id=?");
$q->execute([$award_prizes_id]);
}
?>
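Review bot: Neither `award_delete` nor `award_prize_delete` brings `$pdo` into scope — each body opens directly with a prepare call and the signatures have no `$pdo` parameter — so, unless something not shown injects it, every `$pdo->prepare(...)` here runs on an undefined variable; add `global $pdo;` as the first statement of each function, as `load_server_cats_divs` elsewhere in this commit does. The `$q = $pdo->prepare();` inside the winners loop at the top of the first hunk has no SQL argument and will throw; it is untouched by this commit but sits between the rewritten statements. The first hunk's loop body continues outside the hunk.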


@ -71,14 +71,14 @@ if (get_value_from_array($_POST, 'action') == 'save') {
$text = stripslashes(get_value_from_array($_POST, $textname, ''));
$q = $pdo->prepare("INSERT INTO cms (filename,dt,lang,text,title,showlogo) VALUES (
'" . $filename . "',
'$insertdt',
'$lang',
'" . $text . "',
'" . get_value_from_array($_POST, $titlename, '') . "',
'" . get_value_from_array($_POST, $showlogoname, '') . "'
?,
?,
?,
?,
?,
?
)");
$q->execute();
$q->execute([$filename,$insertdt,$lang,$text,get_value_from_array($_POST, $titlename, ''),get_value_from_array($_POST, $showlogoname, '')]);
if ($pdo->errorInfo()) {
echo error(i18n('An error occurred saving %1 in %2', array($filename, $langname)));
$err = true;
@ -103,8 +103,8 @@ if (get_value_from_array($_GET, 'filename', '') || get_value_from_array($_GET, '
echo '<table class="tableview" width="100%">';
echo '<tr><th colspan="2">';
$q = $pdo->prepare("SELECT * FROM cms WHERE filename='" . get_value_from_array($_GET, 'filename', '') . "' AND lang='$lang' ORDER BY dt DESC LIMIT 1");
$q->execute();
$q = $pdo->prepare("SELECT * FROM cms WHERE filename=? AND lang=? ORDER BY dt DESC LIMIT 1");
$q->execute([get_value_from_array($_GET, 'filename', ''),$lang]);
if ($r = $q->fetch(PDO::FETCH_OBJ)) {
if ($r->dt == '0000-00-00 00:00:00' || !$r->dt)
$dt = 'Never';
@ -112,8 +112,8 @@ if (get_value_from_array($_GET, 'filename', '') || get_value_from_array($_GET, '
$dt = $r->dt;
echo '<b>' . htmlspecialchars($_GET['filename']) . " - $langname</b> &nbsp;&nbsp; " . i18n('Last updated') . ": $dt<br />";
if ($_GET['dt']) {
$q2 = $pdo->prepare("SELECT * FROM cms WHERE filename='" . $_GET['filename'] . "' AND lang='$lang' AND dt<='" . $_GET['dt'] . "' ORDER BY dt DESC LIMIT 1");
$q2->execute();
$q2 = $pdo->prepare("SELECT * FROM cms WHERE filename=? AND lang=? AND dt<=? ORDER BY dt DESC LIMIT 1");
$q2->execute([$_GET['filename'], $lang, $_GET['dt']]);
$r2 = $q2->fetch(PDO::FETCH_OBJ);
if ($r2->dt != $r->dt) {
echo "Displaying historical file. Date: $r->dt";
@ -163,8 +163,8 @@ if (get_value_from_array($_GET, 'filename', '') || get_value_from_array($_GET, '
echo '<tr><th>' . i18n('File History') . "</th></tr>\n";
$q = $pdo->prepare("SELECT DISTINCT(dt) FROM cms WHERE filename='" . get_value_from_array($_GET, 'filename', '') . "' ORDER BY dt DESC LIMIT $historylimit");
$q->execute();
$q = $pdo->prepare("SELECT DISTINCT(dt) FROM cms WHERE filename=? ORDER BY dt DESC LIMIT ?");
$q->execute([get_value_from_array($_GET, 'filename', ''),$historylimit]);
$first = true;
if ($q->rowCount()) {
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
@ -207,8 +207,8 @@ if (get_value_from_array($_GET, 'filename', '') || get_value_from_array($_GET, '
echo '<tr><th>' . i18n('Filename') . '</th><th>' . i18n('Last Update') . '</th></tr>';
while ($r = $q->fetch(PDO::FETCH_ASSOC)) {
echo '<tr><td><a href="cms.php?filename=' . rawurlencode($r->filename) . "\">/web/$r->filename</a></td>";
$q2 = $pdo->prepare("SELECT dt FROM cms WHERE filename='" . $r->filename . "' ORDER BY dt DESC LIMIT 1");
$q2 = $pdo->prepare("SELECT dt FROM cms WHERE filename=? ORDER BY dt DESC LIMIT 1");
$q->execute($r->filename);
$r2 = $q2->fetch(PDO::FETCH_OBJ);
if ($r2->dt == '0000-00-00 00:00:00')
$dt = 'Never';
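Review bot: The `@ -207` hunk executes the wrong statement: `$q->execute($r->filename);` re-runs the outer `$q` that the `while` loop is still iterating and passes a string where `PDOStatement::execute()` expects an array, so `$q2` is never executed and `$q2->fetch()` on the next line returns false; it should read `$q2->execute([$r->filename]);`. In the `@ -163` hunk `LIMIT ?` is bound through `execute()`, which sends the value as a string parameter; with emulated prepares MySQL receives a quoted LIMIT and rejects the query, so bind it explicitly with `$q->bindValue(2, (int) $historylimit, PDO::PARAM_INT);` before `execute()`, or keep the integer-cast value in the SQL. The enclosing `while` loop and `if` block continue outside the hunk.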


@ -127,8 +127,8 @@ global $uid;
if (get_value_from_array($_POST, 'addcommittee')) {
// add a new committee
// re-order the committees
$q = $pdo->prepare("INSERT INTO committees (name) VALUES ('" . $_POST['addcommittee'] . "')");
$q->execute();
$q = $pdo->prepare("INSERT INTO committees (name) VALUES (?)");
$q->execute([$_POST['addcommittee']]);
echo happy(i18n('Committee successfully added'));
}
@ -143,8 +143,8 @@ if (get_value_from_array($_POST, 'committees_id') && get_value_from_array($_POST
while (get_value_from_array($ids, $x)) {
$cid = intval($ids[$x]);
$q = $pdo->prepare("UPDATE committees SET ord='" . intval($ords[$x]) . "' WHERE id='$cid'");
$q->execute();
$q = $pdo->prepare("UPDATE committees SET ord=? WHERE id=?");
$q->execute([intval($ords[$x]),$cid]);
$x++;
$ctitle = $titles[$cid];
@ -163,9 +163,9 @@ if (get_value_from_array($_POST, 'committees_id') && get_value_from_array($_POST
$t = stripslashes($title);
$u = intval($uid);
$q = $pdo->prepare("UPDATE committees_link SET title='$t', ord='$o'
WHERE committees_id='$cid' AND users_uid='$u'");
$q->execute();
$q = $pdo->prepare("UPDATE committees_link SET title=?, ord=?
WHERE committees_id=? AND users_uid=?");
$q->execute([$t,$o,$cid,$u]);
}
}
echo happy(i18n('Committees successfully saved'));
@ -174,12 +174,12 @@ if (get_value_from_array($_POST, 'committees_id') && get_value_from_array($_POST
if (get_value_from_array($_POST, 'action') == 'assign') {
if (get_value_from_array($_POST, 'committees_id') && get_value_from_array($_POST, 'users_uid')) {
$cid = intval($_POST['committees_id']);
$q = $pdo->prepare("SELECT * FROM committees_link WHERE committees_id='$cid' AND users_uid='$uid'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM committees_link WHERE committees_id=? AND users_uid=?");
$q->execute([$cid,$uid]);
if (!$q->rowCount()) {
$q = $pdo->prepare("INSERT INTO committees_link (committees_id,users_uid) VALUES ('$cid','$uid')");
$q->execute();
$q = $pdo->prepare("INSERT INTO committees_link (committees_id,users_uid) VALUES (?,?)");
$q->execute([$cid,$uid]);
echo happy(i18n('Successfully added member to committee'));
} else
echo error(i18n('That member already exists in that committee'));
@ -190,8 +190,8 @@ if (get_value_from_array($_POST, 'action') == 'assign') {
if (get_value_from_array($_GET, 'deletecommittee')) {
$del = intval($_GET['deletecommittee']);
$q = $pdo->prepare("DELETE FROM committees WHERE id='$del'");
$q->execute();
$q = $pdo->prepare("DELETE FROM committees WHERE id=?");
$q->execute([$del]);
echo happy(i18n('Committee removed'));
}
@ -206,8 +206,8 @@ if (get_value_from_array($_GET, 'unlinkmember') && get_value_from_array($_GET, '
$com = intval($_GET['unlinkcommittee']);
// unlink the member from the committee
$q = $pdo->prepare("DELETE FROM committees_link WHERE users_uid='$mem' AND committees_id='$com'");
$q->execute();
$q = $pdo->prepare("DELETE FROM committees_link WHERE users_uid=? AND committees_id=?");
$q->execute([$mem,$com]);
echo happy(i18n('Committee member unlinked from committee'));
}
@ -313,11 +313,11 @@ if ($q->rowCount()) {
users.lastname
FROM committees_link
JOIN users ON users.uid = committees_link.users_uid
WHERE committees_id='{$r->id}'
WHERE committees_id=?
GROUP BY users.uid
ORDER BY ord,
users.lastname ");
$q2->execute();
$q2->execute([$r->id]);
if ($q2->rowCount() == 0) {
echo '&nbsp; &nbsp;';


@ -46,8 +46,8 @@ function launchQueue()
switch (get_value_from_array($_GET, 'action')) {
case 'dialog_choose_load':
$emails_id = intval($_GET['emails_id']);
$q = $pdo->prepare("SELECT * FROM emails WHERE id='$emails_id'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM emails WHERE id=?");
$q->execute([$emails_id]);
$e = $q->fetch(PDO::FETCH_ASSOC);
?>
<table class="editor">
@ -70,8 +70,8 @@ case 'dialog_choose':
<option value="-1">-- <?= i18n('Choose a Communication') ?> --</option>
<?
$type = $pdo->quote($_GET['type']);
$q = $pdo->prepare("SELECT * FROM emails WHERE type='$type'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM emails WHERE type=?");
$q->execute([$type]);
while ($e = $q->fetch(PDO::FETCH_ASSOC)) {
echo "<option value=\"{$e['id']}\">{$e['name']}</option>";
}
@ -173,8 +173,8 @@ case 'email_save':
if ($id == 0) {
if ($key && $name) {
$q = $pdo->prepare("INSERT INTO emails(type,val) VALUES('$type','$key')");
$q->execute();
$q = $pdo->prepare("INSERT INTO emails(type,val) VALUES(?,?)");
$q->execute([$type,$key]);
show_pdo_errors_if_any($pdo);
$id = lastInsertId();
} else {
@ -188,15 +188,15 @@ case 'email_save':
$body = getTextFromHtml($bodyhtml);
$q = $pdo->prepare("UPDATE emails SET
name='$name',
description='$description',
`from`='$from',
subject='$subject',
body='$body',
bodyhtml='$bodyhtml',
fundraising_campaigns_id=$fcstr
WHERE id='$id'");
$q->execute();
name=?,
description=?,
`from`=?,
subject=?,
body=?,
bodyhtml=?,
fundraising_campaigns_id=?
WHERE id=?");
$q->execute([$name,$description,$from,$subject,$body,$bodyhtml,$fcstr,$id]);
show_pdo_errors_if_any($pdo);
happy_('Email Saved');
exit;
@ -215,8 +215,8 @@ case 'dialog_edit':
if (array_key_exists('fundraising_campaigns_id', $_GET)) {
$fcid = intval($_GET['fundraising_campaigns_id']);
$type = 'fundraising';
$q = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE id='$fcid'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE id=?");
$q->execute([$fcid]);
$fc = $q->fetch(PDO::FETCH_OBJ);
$name = i18n('%1 communication for %2', array(ucfirst($key), $fc->name));
} else {
@ -227,8 +227,8 @@ case 'dialog_edit':
$from = $_SESSION['name'] . ' <' . $_SESSION['email'] . '>';
}
if ($id) {
$q = $pdo->prepare("SELECT * FROM emails WHERE id='$id'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM emails WHERE id=?");
$q->execute([$id]);
if ($q->rowCount() != 1) {
echo 'Ambiguous edit';
exit;
@ -408,20 +408,20 @@ case 'dialog_send':
$fcid = intval($_GET['fundraising_campaigns_id']);
$emailid = intval($_GET['emails_id']);
$fcq = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE id='$fcid'");
$fcq->execute();
$fcq = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE id=?");
$fcq->execute([$fcid]);
$fc = $fcq->fetch(PDO::FETCH_OBJ);
$emailq = $pdo->prepare("SELECT * FROM emails WHERE id='$emailid'");
$emailq->execute();
$emailq = $pdo->prepare("SELECT * FROM emails WHERE id=?");
$emailq->execute([$emailid]);
$email = $email->fetch(PDO::FETCH_OBJ);
?>
<form id="send">
<table style="width:100%">
<?
$q = $pdo->prepare("SELECT COUNT(*) AS num FROM fundraising_campaigns_users_link WHERE fundraising_campaigns_id='$fcid'");
$q->execute();
$q = $pdo->prepare("SELECT COUNT(*) AS num FROM fundraising_campaigns_users_link WHERE fundraising_campaigns_id=?");
$q->execute([$fcid]);
$r = $q->fetch(PDO::FETCH_OBJ);
$numrecipients = $r->num;
@ -513,8 +513,8 @@ case 'dialog_sender':
$u = user_load_by_uid(intval($_GET['uid']));
if ($_GET['template']) {
$emailq = $pdo->prepare("SELECT * FROM emails WHERE `val`='" . $_GET['template'] . "'");
$emailq->execute();
$emailq = $pdo->prepare("SELECT * FROM emails WHERE `val`=?");
$emailq->execute([$_GET['template']]);
$e = $emailq->fetch(PDO::FETCH_ASSOC);
} else
$e = null;
@ -657,11 +657,11 @@ case 'dialog_sender':
case 'cancel':
if ($_GET['cancel']) {
$q = $pdo->prepare("UPDATE emailqueue SET finished=NOW() WHERE id='" . intval($_GET['cancel']) . "'");
$q->execute();
$q = $pdo->prepare("UPDATE emailqueue SET finished=NOW() WHERE id=?");
$q->execute([intval($_GET['cancel'])]);
$q = $pdo->prepare("UPDATE emailqueue_recipients SET result='cancelled' WHERE emailqueue_id='" . intval($_GET['cancel']) . "' AND sent IS NULL AND result IS NULL");
$q->execute();
$q = $pdo->prepare("UPDATE emailqueue_recipients SET result='cancelled' WHERE emailqueue_id=? AND sent IS NULL AND result IS NULL");
$q->execute([intval($_GET['cancel'])]);
echo 'ok';
}
exit;
@ -686,36 +686,37 @@ if (get_value_from_array($_GET, 'action') == 'sendqueue') {
$fcid = intval($_POST['fundraising_campaigns_id']);
$emailid = intval($_POST['emails_id']);
$fcq = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE id='$fcid'");
$fcq->execute();
$fcq = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE id=?");
$fcq->execute([$fcid]);
$fc = $fcq->fetch(PDO::FETCH_OBJ);
$emailq = $pdo->prepare("SELECT * FROM emails WHERE id='$emailid'");
$emailq->execute();
$emailq = $pdo->prepare("SELECT * FROM emails WHERE id=?");
$emailq->execute([$emailid]);
$email = $emailq->fetch(PDO::FETCH_OBJ);
$recipq = $pdo->prepare("SELECT * FROM fundraising_campaigns_users_link
WHERE fundraising_campaigns_id='$fcid'");
$recipq->execute();
WHERE fundraising_campaigns_id=?");
$recipq->execute([$fcid]);
show_pdo_errors_if_any($pdo);
$numtotal = $recipq->rowCount();
$q = $pdo->prepare("INSERT INTO emailqueue (val,name,users_uid,`from`,subject,body,bodyhtml,`type`,fundraising_campaigns_id,started,finished,numtotal,numsent) VALUES (
'" . $email->val . "',
'" . $email->name . "',
'" . $_SESSION['users_uid'] . "',
'" . $email->from . "',
'" . $email->subject . "',
'" . $email->body . "',
'" . $email->bodyhtml . "',
'" . $email->type . "',
$fcid,
NOW(),
NULL,
$numtotal,
0)");
$q->execute();
$q = $pdo->prepare("INSERT INTO emailqueue (val, name, users_uid, `from`, subject, body, bodyhtml, `type`, fundraising_campaigns_id, started, finished, numtotal, numsent)
VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, NOW(), NULL, ?, 0)");
$q->execute([
$email->val,
$email->name,
$_SESSION['users_uid'],
$email->from,
$email->subject,
$email->body,
$email->bodyhtml,
$email->type,
$fcid,
$numtotal
]);
$emailqueueid = $pdo->lastInsertId();
show_pdo_errors_if_any($pdo);
@ -727,8 +728,8 @@ if (get_value_from_array($_GET, 'action') == 'sendqueue') {
// we only send school access codes to science heads or principals
$acq = $pdo->prepare("SELECT accesscode FROM schools WHERE (sciencehead_uid='{$u['uid']}' OR principal_uid='{$u['uid']}') AND `year`='{$config['FAIRYEAR']}'");
$acq->execute();
$acq = $pdo->prepare("SELECT accesscode FROM schools WHERE (sciencehead_uid=? OR principal_uid=? AND `year`=?");
$acq->execute([$u['uid'],$config['FAIRYEAR']]);
$acr = $acq->fetch(PDO::FETCH_OBJ);
$accesscode = $acr->accesscode;
@ -746,17 +747,19 @@ if (get_value_from_array($_GET, 'action') == 'sendqueue') {
);
if ($u['email'] && $u['email'][0] != '*') {
$q = $pdo->prepare("INSERT INTO emailqueue_recipients (emailqueue_id,toemail,toname,replacements,sent) VALUES (
'$emailqueueid',
'" . $pdo->quote($u['email']) . "',
'" . $pdo->quote($u['name']) . "',
'" . $pdo->quote(json_encode($replacements) . "',
NULL)"));
$q->execute();
$q = $pdo->prepare("INSERT INTO emailqueue_recipients (emailqueue_id, toemail, toname, replacements, sent) VALUES (?, ?, ?, ?, NULL)");
$q->execute([
$emailqueueid,
$u['email'],
$u['name'],
json_encode($replacements)
]);
show_pdo_errors_if_any($pdo);
}
$q = $pdo->prepare("UPDATE emails SET lastsent=NOW() WHERE id='$emailid'");
$q->execute();
$q = $pdo->prepare("UPDATE emails SET lastsent=NOW() WHERE id=?");
$q->execute([$emailid]);
}
echo 'ok';
launchQueue();
@ -786,16 +789,16 @@ echo '<br />';
<?
if (get_value_from_array($_GET, 'action') == 'delete' && get_value_from_array($_GET, 'delete')) {
$q = $pdo->prepare("DELETE FROM emails WHERE id='" . $_GET['delete'] . "' AND `type`='user'");
$q->execute();
$q = $pdo->prepare("DELETE FROM emails WHERE id=? AND `type`='user'");
$q->execute([$_GET['delete']]);
echo happy('Email successfully deleted');
}
if (get_value_from_array($_GET, 'action') == 'send' && get_value_from_array($_GET, 'send')) {
show_pdo_errors_if_any($pdo);
$q = $pdo->prepare("SELECT * FROM emails WHERE id='" . $_GET['send'] . "'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM emails WHERE id=?");
$q->execute($_GET['send']);
$r = $q->fetch(PDO::FETCH_OBJ);
@ -859,8 +862,8 @@ if (get_value_from_array($_GET, 'action') == 'send' && get_value_from_array($_GE
// echo $str;
} else if (get_value_from_array($_POST, 'action') == 'reallysend' && get_value_from_array($_POST, 'reallysend') && get_value_from_array($_POST, 'to')) {
$emailid = intval($_POST['reallysend']);
$emailq = $pdo->prepare("SELECT * FROM emails WHERE id='$emailid'");
$emailq->execute();
$emailq = $pdo->prepare("SELECT * FROM emails WHERE id=?");
$emailq->execute([$emailid]);
$email = $emailq->fetch(PDO::FETCH_OBJ);
$to = $_POST['to'];
@ -870,21 +873,20 @@ if (get_value_from_array($_GET, 'action') == 'send' && get_value_from_array($_GE
}
$numtotal = $recipq->rowCount();
$q = $pdo->prepare("INSERT INTO emailqueue (val,name,users_uid,`from`,subject,body,bodyhtml,`type`,fundraising_campaigns_id,started,finished,numtotal,numsent) VALUES (
'" . $pdo->quote($email->val) . "',
'" . $pdo->quote($email->name) . "',
'" . $pdo->quote($_SESSION['users_uid']) . "',
'" . $pdo->quote($email->from) . "',
'" . $pdo->quote($email->subject) . "',
'" . $pdo->quote($email->body) . "',
'" . $pdo->quote($email->bodyhtml) . "',
'" . $pdo->quote($email->type) . "',
NULL,
NOW(),
NULL,
$numtotal,
0)");
$q->execute();
$q = $pdo->prepare("INSERT INTO emailqueue (val, name, users_uid, `from`, subject, body, bodyhtml, `type`, fundraising_campaigns_id, started, finished, numtotal, numsent) VALUES (?, ?, ?, ?, ?, ?, ?, ?, NULL, NOW(), NULL, ?, 0)");
$q->execute([
$email->val,
$email->name,
$_SESSION['users_uid'],
$email->from,
$email->subject,
$email->body,
$email->bodyhtml,
$email->type,
$numtotal
]);
$emailqueueid = lastInsertId();
show_pdo_errors_if_any($pdo);
@ -915,8 +917,8 @@ if (get_value_from_array($_GET, 'action') == 'send' && get_value_from_array($_GE
}
if ($u) {
// we only send school access codes to science heads or principals
$acq = $pdo->prepare("SELECT accesscode FROM schools WHERE (sciencehead_uid='{$u['uid']}' OR principal_uid='{$u['uid']}') AND `year`='{$config['FAIRYEAR']}'");
$acq->execute();
$acq = $pdo->prepare("SELECT accesscode FROM schools WHERE (sciencehead_uid=? OR principal_uid=?) AND `year`=?");
$acq->execute([$u['uid'],$u['uid'],$config['FAIRYEAR']]);
show_pdo_errors_if_any($pdo);
$acr = $acq->fetch(PDO::FETCH_OBJ);
$accesscode = $acr->accesscode;
@ -939,18 +941,20 @@ if (get_value_from_array($_GET, 'action') == 'send' && get_value_from_array($_GE
}
if ($toemail) {
$q = $pdo->prepare("INSERT INTO emailqueue_recipients (emailqueue_id,toemail,toname,replacements,sent) VALUES (
'$emailqueueid',
'" . $toemail . "',
'" . $toname . "',
'" . json_encode($replacements) . "',
NULL)");
$q->execute();
$q = $pdo->prepare("INSERT INTO emailqueue_recipients (emailqueue_id, toemail, toname, replacements, sent) VALUES (?, ?, ?, ?, NULL)");
$q->execute([
$emailqueueid,
$toemail,
$toname,
json_encode($replacements)
]);
show_pdo_errors_if_any($pdo);
}
$q = $pdo->prepare("UPDATE emails SET lastsent=NOW() WHERE id='$emailid'");
$q->execute();
$q = $pdo->prepare("UPDATE emails SET lastsent=NOW() WHERE id=?");
$q->execute([$emailid]);
}
launchQueue();
echo '<br />';
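Review bot: The access-code query in the `@ -727` hunk is broken: the rewritten condition `(sciencehead_uid=? OR principal_uid=? AND ...` has lost the closing parenthesis of the OR group and is executed with two values for three placeholders, so the school-access-code lookup fails on every send in that branch; the `@ -915` hunk further down has the correct form with the parenthesis restored and `$acq->execute([$u['uid'],$u['uid'],$config['FAIRYEAR']]);`. In the `@ -786` hunk `$q->execute($_GET['send']);` passes a string where `execute()` expects an array and should be `$q->execute([$_GET['send']]);`. In the `@ -70` hunk `$type` is still produced by `$pdo->quote($_GET['type'])` on the unchanged line above the prepare, so the bound value now carries literal quote characters and `type=?` never matches; bind the raw `$_GET['type']` and drop the `quote()` call, since the placeholder does the escaping.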


@ -25,8 +25,8 @@
require ('../common.inc.php');
require_once ('../user.inc.php');
user_auth_required('committee', 'admin');
$q = $pdo->prepare("SELECT * FROM documents WHERE id='" . $_GET['id'] . "'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM documents WHERE id=?");
$q->execute([$_GET['id']]);
if ($r = $q->fetch(PDO::FETCH_OBJ)) {
header('Content-type: ' . trim(exec("file -bi ../data/documents/$r->filename")));
header('Content-disposition: inline; filename="' . $r->filename . '"');


@ -143,15 +143,15 @@ function refresh_fundraising_table() {
<?
// first, insert any defaults
$q = $pdo->prepare("SELECT * FROM fundraising WHERE year='" . $config['FAIRYEAR'] . "'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM fundraising WHERE year=?");
$q->execute([$config['FAIRYEAR']]);
if (!$q->rowCount()) {
$q = $pdo->prepare("SELECT * FROM fundraising WHERE year='-1'");
$q->execute();
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
$q = $pdo->prepare("INSERT INTO fundraising (`type`,`name`,`description`,`system`,`goal`,`year`) VALUES ('$r->type','" . $r->name . "','" . $r->description . "','$r->system','$r->goal','" . $config['FAIRYEAR'] . "')");
$q->execute();
$q = $pdo->prepare("INSERT INTO fundraising (`type`,`name`,`description`,`system`,`goal`,`year`) VALUES (?,?,?,?,?,?)");
$q->execute([$r->type,$r->name,$r->description,$r->system,$r->goal,$config['FAIRYEAR']]);
}
}


@ -32,8 +32,8 @@ global $pdo;
switch (get_value_from_array($_GET, 'action')) {
case 'organizationinfo_load':
$id = intval($_GET['id']);
$q = $pdo->prepare("SELECT * FROM sponsors WHERE id='$id'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM sponsors WHERE id=?");
$q->execute([$id]);
$ret = $q->fetch(PDO::FETCH_ASSOC);
echo json_encode($ret);
exit;
@ -43,8 +43,8 @@ switch (get_value_from_array($_GET, 'action')) {
$id = intval($_POST['sponsor_id']);
if ($id == -1) {
echo "INSERT INTO sponsors (year) VALUES ('" . $config['FAIRYEAR'] . "')";
$q = $pdo->prepare("INSERT INTO sponsors (year) VALUES ('" . $config['FAIRYEAR'] . "')");
$q->execute();
$q = $pdo->prepare("INSERT INTO sponsors (year) VALUES (?)");
$q->execute([$config['FAIRYEAR']]);
$id = $pdo->lastInsertId();
echo json_encode(array('id' => $id));
save_activityinfo('Created donor/sponsor', $id, $_SESSION['users_uid'], 'System');
@ -54,26 +54,31 @@ switch (get_value_from_array($_GET, 'action')) {
if ($id) {
$exec = 'UPDATE sponsors SET '
. "donortype='" . stripslashes($_POST['donortype']) . "', "
. "organization='" . stripslashes($_POST['organization']) . "', "
. "address='" . stripslashes($_POST['address']) . "', "
. "address2='" . stripslashes($_POST['address2']) . "', "
. "city='" . stripslashes($_POST['city']) . "', "
. "province_code='" . stripslashes($_POST['province_code']) . "', "
. "postalcode='" . stripslashes($_POST['postalcode']) . "', "
. "phone='" . stripslashes($_POST['phone']) . "', "
. "tollfree='" . stripslashes($_POST['tollfree']) . "', "
. "fax='" . stripslashes($_POST['fax']) . "', "
. "email='" . stripslashes($_POST['email']) . "', "
. "website='" . stripslashes($_POST['website']) . "', "
. "notes='" . stripslashes($_POST['notes']) . "', "
. "donationpolicyurl='" . stripslashes($_POST['donationpolicyurl']) . "', "
. "fundingselectiondate='" . stripslashes($_POST['fundingselectiondate']) . "', "
. "proposalsubmissiondate='" . stripslashes($_POST['proposalsubmissiondate']) . "', "
. "waiveraccepted='" . stripslashes($_POST['waiveraccepted']) . "' "
. "WHERE id='$id'";
. "donortype=?, "
. "organization=?, "
. "address=?, "
. "address2=?, "
. "city=?, "
. "province_code=?, "
. "postalcode=?, "
. "phone=?, "
. "tollfree=?, "
. "fax=?, "
. "email=?, "
. "website=?, "
. "notes=?, "
. "donationpolicyurl=?, "
. "fundingselectiondate=?, "
. "proposalsubmissiondate=?, "
. "waiveraccepted=? "
. "WHERE id=?";
$q = $pdo->prepare($exec);
$q->execute();
$q->execute([stripslashes($_POST['donortype']),stripslashes($_POST['organization']),stripslashes($_POST['address']),
stripslashes($_POST['address2']),stripslashes($_POST['city']),stripslashes($_POST['province_code']),
stripslashes($_POST['postalcode']),stripslashes($_POST['phone']),stripslashes($_POST['tollfree']),
stripslashes($_POST['fax']),stripslashes($_POST['email']),stripslashes($_POST['website']),
stripslashes($_POST['notes']),stripslashes($_POST['donationpolicyurl']),stripslashes($_POST['fundingselectiondate']),
stripslashes($_POST['proposalsubmissiondate']),stripslashes($_POST['waiveraccepted']),$id]);
echo $q->errorInfo();
// FIXME accept the logo
@ -93,8 +98,8 @@ switch (get_value_from_array($_GET, 'action')) {
echo "<table cellspacing=3 cellpadding=3>\n";
// LAST DONATION
$q = $pdo->prepare("SELECT * FROM fundraising_donations WHERE sponsors_id='$id' ORDER BY datereceived DESC LIMIT 1");
$q->execute();
$q = $pdo->prepare("SELECT * FROM fundraising_donations WHERE sponsors_id=? ORDER BY datereceived DESC LIMIT 1");
$q->execute([$id]);
if ($r = $q->fetch(PDO::FETCH_OBJ))
$lastdonation = i18n('%1 on %2', array(format_money($r->value, false), format_date($r->datereceived)), array('Donation amount', 'Donation date'));
else
@ -102,11 +107,11 @@ switch (get_value_from_array($_GET, 'action')) {
// TOTAL THIS YEAR
$q = $pdo->prepare("SELECT SUM(value) AS total FROM fundraising_donations
WHERE sponsors_id='$id'
WHERE sponsors_id=?
AND status='received'
AND fiscalyear={$config['FISCALYEAR']}
AND fiscalyear=?
");
$q->execute();
$q->execute([$id,$config['FISCALYEAR']]);
if ($r = $q->fetch(PDO::FETCH_OBJ))
$totalthisyear = format_money($r->total, false);
else
@ -115,11 +120,11 @@ switch (get_value_from_array($_GET, 'action')) {
// TOTAL LAST YEAR
$lastyear = $config['FISCALYEAR'] - 1;
$q = $pdo->prepare("SELECT SUM(value) AS total FROM fundraising_donations
WHERE sponsors_id='$id'
WHERE sponsors_id=?
AND status='received'
AND fiscalyear=$lastyear
AND fiscalyear=?
");
$q->execute();
$q->execute([$id,$lastyear]);
if ($r = $q->fetch(PDO::FETCH_OBJ))
$totallastyear = format_money($r->total, false);
@ -139,11 +144,11 @@ switch (get_value_from_array($_GET, 'action')) {
fundraising_campaigns.name AS campaignname
FROM fundraising_donations
LEFT JOIN fundraising_campaigns ON fundraising_donations.fundraising_campaigns_id=fundraising_campaigns.id
WHERE sponsors_id='$id'
WHERE sponsors_id=?
AND status='received'
AND fundraising_donations.fiscalyear='{$config['FISCALYEAR']}'
AND fundraising_donations.fiscalyear=?
ORDER BY datereceived DESC");
$q->execute();
$q->execute([$id,$config['FISCALYEAR']]);
show_pdo_errors_if_any($pdo);
if ($q->rowCount()) {
@ -193,10 +198,10 @@ switch (get_value_from_array($_GET, 'action')) {
fundraising_campaigns.name AS campaignname
FROM fundraising_donations
LEFT JOIN fundraising_campaigns ON fundraising_donations.fundraising_campaigns_id=fundraising_campaigns.id
WHERE sponsors_id='$id'
WHERE sponsors_id=?
AND status='received'
ORDER BY datereceived DESC");
$q->execute();
$q->execute([$id]);
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
echo "<tr>\n";
@ -228,13 +233,13 @@ switch (get_value_from_array($_GET, 'action')) {
FROM users
LEFT JOIN users_sponsor ON users_sponsor.users_id=users.id
WHERE
sponsors_id='$id'
sponsors_id=?
AND types LIKE '%sponsor%'
GROUP BY uid
HAVING deleted='no'
ORDER BY users_sponsor.primary DESC,lastname,firstname
");
$query->execute();
$query->execute([$id]);
show_pdo_errors_if_any($pdo);
$uids = array();
while ($r = $query->fetch(PDO::FETCH_OBJ)) {
@ -242,9 +247,9 @@ switch (get_value_from_array($_GET, 'action')) {
}
$q = $pdo->prepare("SELECT * FROM fundraising_campaigns
WHERE fiscalyear='{$config['FISCALYEAR']}'
WHERE fiscalyear=?
ORDER BY name");
$q->execute();
$q->execute([$config['FISCALYEAR']]);
$str = '';
echo '<select id="fundraising_campaign_id" name="fundraising_campaigns_id" onchange="campaignchange()">';
echo '<option value="">' . i18n('Choose an appeal') . "</option>\n";
@ -255,10 +260,10 @@ switch (get_value_from_array($_GET, 'action')) {
if (count($uids)) {
$tq = $pdo->prepare("SELECT * FROM fundraising_campaigns_users_link
WHERE fundraising_campaigns_id='$r->id'
WHERE fundraising_campaigns_id=?
AND users_uid IN (" . implode(',', $uids) . ')
');
$tq->execute();
$tq->execute([$r->id]);
if ($tq->rowCount()) {
$incampaign = i18n('*In Appeal*') . ': ';
} else
@ -284,8 +289,8 @@ switch (get_value_from_array($_GET, 'action')) {
echo '<option value="">' . i18n('Choose a purpose') . "</option>\n";
// FIXME: only show campaigns that they were included as part of
// we need a campaigns_users_link or campaigns_sponsors_link or something
$q = $pdo->prepare("SELECT * FROM fundraising_goals WHERE fiscalyear='{$config['FISCALYEAR']}' ORDER BY name");
$q->execute();
$q = $pdo->prepare("SELECT * FROM fundraising_goals WHERE fiscalyear=? ORDER BY name");
$q->execute([$config['FISCALYEAR']]);
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
echo "<option value=\"$r->goal\">$r->name</option>\n";
}
@ -365,8 +370,8 @@ switch (get_value_from_array($_GET, 'action')) {
case 'newcontactsearch':
if ($_POST['email'])
$q = $pdo->prepare("SELECT *,MAX(year) FROM users WHERE email='" . trim($_POST['email']) . "' GROUP BY uid HAVING deleted='no'");
$q->execute();
$q = $pdo->prepare("SELECT *,MAX(year) FROM users WHERE email=? GROUP BY uid HAVING deleted='no'");
$q->execute([trim($_POST['email'])]);
if ($r = $q->fetch(PDO::FETCH_OBJ)) {
echo i18n('There is an exact email address match for %1', array($_POST['email']));
echo '<ul>';
@ -393,7 +398,7 @@ switch (get_value_from_array($_GET, 'action')) {
if ($_POST['email'])
$searchstr .= " AND email LIKE '%" . $_POST['email'] . "%'";
$q = $pdo->prepare("SELECT *,MAX(year) FROM users WHERE $searchstr GROUP BY uid HAVING deleted='no'");
$q = $pdo->prepare("SELECT *,MAX(year) FROM users WHERE '$searchstr' GROUP BY uid HAVING deleted='no'");
$q->execute();
$num = $q->rowCount();
if ($num == 0) {
@ -422,18 +427,18 @@ switch (get_value_from_array($_GET, 'action')) {
if ($goal && $value && $supporttype) {
$q = $pdo->prepare("INSERT INTO fundraising_donations (sponsors_id,fundraising_goal,fundraising_campaigns_id,value,status,probability,fiscalyear,thanked,datereceived,supporttype) VALUES (
'$sponsorid',
'" . $goal . "',
'$campaignid',
'$value',
?,
?,
?,
?,
'received',
'100',
'{$config['FISCALYEAR']}',
?,
'no',
'" . $datereceived . "',
'" . $supporttype . "'
?,
?
)");
$q->execute();
$q->execute([$sponsorid,$goal,$campaignid,$value,$config['FISCALYEAR'],$datereceived,$supporttype]);
$id = $pdo->lastInsertId();
$logStr = getDonationString($id);
save_activityinfo("Added donation/sponsorship: $logStr", $sponsorid, $_SESSION['users_uid'], 'System');
@ -453,8 +458,8 @@ switch (get_value_from_array($_GET, 'action')) {
if ($logStr = getDonationString($id)) {
save_activityinfo("Removed donation/sponsorship: $logStr", $sponsorid, $_SESSION['users_uid'], 'System');
happy_('Donation/sponsorship removed');
$q = $pdo->prepare("DELETE FROM fundraising_donations WHERE id='$id' AND sponsors_id='$sponsorid'");
$q->execute();
$q = $pdo->prepare("DELETE FROM fundraising_donations WHERE id=? AND sponsors_id=?");
$q->execute([$id,$sponsorid]);
show_pdo_errors_if_any($pdo);
} else {
error_('Invalid donation/sponsorship to remove');
@ -474,8 +479,8 @@ function delete_contact()
global $pdo;
if (array_key_exists('userid', $_POST)) {
$uid = $_POST['userid'];
$data = $pdo->prepare("SELECT CONCAT_WS(' ', users.firstname, users.lastname) AS name FROM users WHERE id=" . $uid);
$data->execute();
$data = $pdo->prepare("SELECT CONCAT_WS(' ', users.firstname, users.lastname) AS name FROM users WHERE id=?");
$data->execute([$uid]);
$namedata = $data->fetch();
$name = trim($namedata['name']);
user_delete($uid, 'sponsor');
@ -514,8 +519,8 @@ function save_contact()
// load or create the user, according to the situation
if ($_POST['recordtype'] == 'new') {
if ($_POST['email']) {
$q = $pdo->prepare("SELECT *,MAX(year) FROM users WHERE email='" . trim($_POST['email']) . "' GROUP BY uid HAVING deleted='no'");
$q->execute();
$q = $pdo->prepare("SELECT *,MAX(year) FROM users WHERE email=? GROUP BY uid HAVING deleted='no'");
$q->execute([trim($_POST['email'])]);
if ($q->rowCount()) {
error_('A user with that email address already exists');
exit;
@ -544,12 +549,12 @@ function save_contact()
FROM users_sponsor, users
WHERE
users_sponsor.users_id=users.id
AND sponsors_id='$sponsor_id'
AND sponsors_id=?
AND `primary`='yes'
AND year='" . $config['FAIRYEAR'] . "'
AND users_id!='$id'";
AND year=?
AND users_id!=?";
$q = $pdo->prepare($query);
$q->execute();
$q->execute([$sponsor_id,$config['FAIRYEAR'],$id]);
if ($q->rowCount() == 0) {
/* This has to be the primary since there isn't one already */
$p = 'yes';
@ -557,8 +562,8 @@ function save_contact()
} else {
/* Unset all other primaries */
$q = $pdo->prepare("UPDATE users_sponsor SET `primary`='no'
WHERE sponsors_id='$sponsor_id' AND users_id != '$id'");
$q->execute();
WHERE sponsors_id=? AND users_id !=?");
$q->execute([$sponsor_id,$id]);
}
// we now know whether or not they're the primary user. Update them with that,
@ -624,13 +629,13 @@ function draw_contactsinfo_form($contact = null)
// loop through each contact and draw a form with their data in it.
$query = $pdo->prepare("SELECT *,MAX(year) FROM users LEFT JOIN users_sponsor ON users_sponsor.users_id=users.id
WHERE
sponsors_id='" . $sponsor_id . "'
sponsors_id=?
AND types LIKE '%sponsor%'
GROUP BY uid
HAVING deleted='no'
ORDER BY users_sponsor.primary DESC,lastname,firstname
");
$query->execute();
$query->execute([$sponsor_id]);
show_pdo_errors_if_any($pdo);
while ($contact = $query->fetch()) {
@ -665,8 +670,8 @@ function draw_contact_form($sponsor_id, $contact = null)
global $salutations, $config, $pdo;
// grab the sponsor details, so we can do diff things for individual vs organization
$q = $pdo->prepare("SELECT * FROM sponsors WHERE id='$sponsor_id'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM sponsors WHERE id=?");
$q->execute([$sponsor_id]);
$sponsor = $q->fetch(PDO::FETCH_OBJ);
if ($contact != null) {
@ -816,8 +821,8 @@ function draw_activityinfo_form()
</td>
<td align="center">
<?php
$q = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE fiscalyear='{$config['FISCALYEAR']}' ORDER BY name");
$q->execute();
$q = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE fiscalyear=? ORDER BY name");
$q->execute([$config['FISCALYEAR']]);
echo '<select name="fundraising_campaigns_id">';
echo '<option value="">' . i18n('Choose Appeal') . "</option>\n";
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
@ -838,10 +843,10 @@ function draw_activityinfo_form()
\t FROM fundraising_donor_logs AS fdl
\t LEFT JOIN users ON fdl.users_id=users.id
\t LEFT JOIN fundraising_campaigns ON fdl.fundraising_campaigns_id=fundraising_campaigns.id
\t WHERE sponsors_id=" . $sponsorid . ' ORDER BY dt DESC';
\t WHERE sponsors_id=? ORDER BY dt DESC";
// echo "<tr><td colspan=\"3\">" . $query . "</td></tr>";
$q = $pdo->prepare($query);
$q->execute();
$q->execute([$sponsorid ]);
show_pdo_errors_if_any($pdo);
if ($q->rowCount()) {
while ($r = $q->fetch()) {
@ -872,14 +877,14 @@ function save_activityinfo($comment, $donorId, $userId, $type, $campaign_id = nu
$cid = 'NULL';
$query = "INSERT INTO fundraising_donor_logs (sponsors_id, dt, users_id, log, `type`, fundraising_campaigns_id)
VALUES ($donorId,
VALUES (?,
NOW(),
$userId,
'" . $comment . "',
'" . $type . "',
$cid)";
?,
?,
?,
?)";
$q = $pdo->prepare($query);
$q->execute();
$q->execute([$donorId,$userId,$comment,$type,$cid]);
show_pdo_errors_if_any($pdo);
}
@ -890,10 +895,10 @@ function getDonationString($id)
fundraising_campaigns.name AS campaignname
FROM fundraising_donations
LEFT JOIN fundraising_campaigns ON fundraising_donations.fundraising_campaigns_id=fundraising_campaigns.id
WHERE fundraising_donations.id='$id'
AND fundraising_donations.fiscalyear='{$config['FISCALYEAR']}'
WHERE fundraising_donations.id=?
AND fundraising_donations.fiscalyear=?
");
$q->execute();
$q->execute([$id,$config['FISCALYEAR']]);
show_pdo_errors_if_any($pdo);
$str = '';
if ($r = $q->fetch(PDO::FETCH_OBJ)) {


@ -52,12 +52,12 @@ $lastyear = $config['FISCALYEAR'] - 1;
$rows = array();
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
$cq = $pdo->prepare("SELECT SUM(value) AS total FROM fundraising_donations WHERE sponsors_id='$r->id' AND status='received' AND fiscalyear='$thisyear'");
$cq->execute();
$cq = $pdo->prepare("SELECT SUM(value) AS total FROM fundraising_donations WHERE sponsors_id=? AND status='received' AND fiscalyear=?");
$cq->execute([$r->id,$thisyear]);
$cr = $cq->fetch(PDO::FETCH_OBJ);
$thisyeartotal = $cr->total;
$cq = $pdo->prepare("SELECT SUM(value) AS total FROM fundraising_donations WHERE sponsors_id='$r->id' AND status='received' AND fiscalyear='$lastyear'");
$cq->execute();
$cq = $pdo->prepare("SELECT SUM(value) AS total FROM fundraising_donations WHERE sponsors_id=? AND status='received' AND fiscalyear=?");
$cq->execute([$r->id,$lastyear]);
$cr = $cq->fetch(PDO::FETCH_OBJ);
$lastyeartotal = $cr->total;
if ($lastyeartotal)


@ -236,8 +236,8 @@ while ($r = $q->fetch(PDO::FETCH_OBJ)) {
TRACE("Loading Project Age Categories...\n");
$cat = array();
$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year='{$config['FAIRYEAR']}' ORDER BY id");
$q->execute();
$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year=? ORDER BY id");
$q->execute([$config['FAIRYEAR']]);
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
$catshort[$r->id] = $r->category_shortform;
$cat[$r->id] = $r->category;
@ -248,13 +248,13 @@ TRACE("Loading Projects...\n");
$projects = array();
$q = $pdo->prepare("SELECT projects.* FROM projects, registrations
WHERE
projects.year='{$config['FAIRYEAR']}'
projects.year=?
AND registrations.id = projects.registrations_id
" . getJudgingEligibilityCode());
$q->execute();
$q->execute([$config['FAIRYEAR']]);
while ($p = $q->fetch(PDO::FETCH_OBJ)) {
$qq = $pdo->prepare("SELECT grade,schools_id FROM students WHERE registrations_id='{$p->registrations_id}'");
$qq->execute();
$qq = $pdo->prepare("SELECT grade,schools_id FROM students WHERE registrations_id=?");
$qq->execute([$p->registrations_id]);
$num_students = $qq->rowCouunt();
$grade = 0;
$schools_id = 0;
@ -286,8 +286,8 @@ if ($action == 'pn') {
$n = sprintf('%03d', $p['floornumber']);
$pn = "$c $n $d";
TRACE("Project {$p['projects_id']} at loc {$p['floornumber']}: $pn\n");
$q = $pdo->prepare("UPDATE projects SET projectnumber='$pn' WHERE id='{$p['projects_id']}'");
$q->execute();
$q = $pdo->prepare("UPDATE projects SET projectnumber=? WHERE id=?");
$q->execute([$pn,$p['projects_id']]);
}
TRACE("Done.\n");
exit;
@ -629,12 +629,12 @@ for ($x = 0; $x < $a->num_buckets; $x++) {
print_r($projects);
/* Assign floor numbers */
$q = $pdo->prepare("UPDATE projects SET floornumber=0 WHERE year='{$config['FAIRYEAR']}'");
$q->execute();
$q = $pdo->prepare("UPDATE projects SET floornumber=0 WHERE year=?");
$q->execute($config['FAIRYEAR']);
foreach ($projects as $pid => $p) {
$q = $pdo->prepare("UPDATE projects SET floornumber='{$p['floornumber']}' WHERE id='$pid'");
$q->execute();
$q = $pdo->prepare("UPDATE projects SET floornumber=? WHERE id=?");
$q->execute([$p['floornumber'],$pid]);
TRACE("Project $pid => Floor number {$p['floornumber']}\n");
}
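Review bot: `$q->execute($config['FAIRYEAR']);` in the first rewritten UPDATE of the 629 hunk passes a scalar where PDOStatement::execute() takes an array of parameters, so the yearly reset of floornumber throws (TypeError on PHP 8) instead of running; it should read `$q->execute([$config['FAIRYEAR']]);` like every other call in this commit. Still visible as a context line in the 248 hunk, and not addressed here, `$num_students = $qq->rowCouunt();` misspells rowCount() and is a fatal call; rowCount() on a SELECT is also driver-dependent in PDO, so counting the fetched rows or a `COUNT(*)` query would be more reliable. The enclosing loop bodies continue outside the hunks.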


@ -28,8 +28,8 @@ require_once ('../user.inc.php');
user_auth_required('committee', 'admin');
require ('../lpdf.php');
$catq = $pdo->prepare("SELECT * FROM projectcategories WHERE year='" . $config['FAIRYEAR'] . "' AND id='" . $_GET['cat'] . "'");
$catq->execute();
$catq = $pdo->prepare("SELECT * FROM projectcategories WHERE year=? AND id=?");
$catq->execute([$config['FAIRYEAR'],$_GET['cat']]);
if ($catr = $catq->fetch(PDO::FETCH_OBJ)) {
$pdf = new lpdf(i18n($config['fairname']),
i18n('Checkin List') . ' - ' . i18n($catr->category),
@ -47,13 +47,13 @@ if ($catr = $catq->fetch(PDO::FETCH_OBJ)) {
registrations
left outer join projects on projects.registrations_id=registrations.id
WHERE
registrations.year='" . $config['FAIRYEAR'] . "'
registrations.year=?
AND ( registrations.status='complete' OR registrations.status='paymentpending' )
AND projects.projectcategories_id='$catr->id'
AND projects.projectcategories_id=?
ORDER BY
projects.title
");
$q->execute();
$q->execute([$config['FAIRYEAR'],$catr->id]);
show_pdo_errors_if_any($pdo);
$table = array();
@ -69,8 +69,8 @@ if ($catr = $catq->fetch(PDO::FETCH_OBJ)) {
$table['dataalign'] = array('left', 'left', 'left', 'center');
}
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
$divq = $pdo->prepare("SELECT division,division_shortform FROM projectdivisions WHERE year='" . $config['FAIRYEAR'] . "' AND id='" . $r->projectdivisions_id . "'");
$divq->execute();
$divq = $pdo->prepare("SELECT division,division_shortform FROM projectdivisions WHERE year=? AND id=?");
$divq->execute([$config['FAIRYEAR'],$r->projectdivisions_id]);
$divr = $divq->fetch(PDO::FETCH_OBJ);
$sq = $pdo->prepare("SELECT students.firstname,
@ -78,9 +78,9 @@ if ($catr = $catq->fetch(PDO::FETCH_OBJ)) {
FROM
students
WHERE
students.registrations_id='$r->reg_id'
students.registrations_id=?
");
$sq->execute();
$sq->execute([$r->reg_id]);
$students = '';
$studnum = 0;
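Review bot: `$_GET['cat']` is read without an isset() or intval() in the rewritten category lookup; binding it as a parameter removes the injection, but a request without `cat` now raises an undefined-index warning before the query runs. Reading it as `$cat_id = intval(get_value_from_array($_GET, 'cat'));` (the helper used elsewhere in this commit) and binding `$cat_id` keeps the behaviour and avoids the notice. The enclosing if block and while loop continue outside the hunks.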


@ -96,8 +96,8 @@ else
$fairs_id = -1;
if ($fairs_id != -1) {
$q = $pdo->prepare("SELECT * FROM fairs WHERE id='$fairs_id'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM fairs WHERE id=?");
$q->execute([$fairs_id]);
$fair = $q->fetch(PDO::FETCH_ASSOC);
}
@ -225,8 +225,8 @@ if (is_array(get_value_from_array($data, 'stats'))) {
/* And now, overwrite all the stuff we pulled down with stats we can compute */
// number of schools
$q = $pdo->prepare("SELECT COUNT(id) AS num FROM schools WHERE year='$year'");
$q->execute();
$q = $pdo->prepare("SELECT COUNT(id) AS num FROM schools WHERE year=?");
$q->execute([$year]);
$r = $q->fetch(PDO::FETCH_OBJ);
$stats['schools_total'] = $r->num;
@ -235,10 +235,10 @@ $q = $pdo->prepare("SELECT DISTINCT(students.schools_id) AS sid, schools.*
\t\t \tFROM students
LEFT JOIN registrations ON students.registrations_id=registrations.id
LEFT JOIN schools ON students.schools_id=schools.id
WHERE students.year='$year'
AND registrations.year='$year'
WHERE students.year=?
AND registrations.year=?
AND (registrations.status='complete' OR registrations.status='paymentpending')");
$q->execute();
$q->execute([$year,$year]);
$stats['schools_active'] = $q->rowCount();
$stats['schools_public'] = 0;
$stats['schools_private'] = 0;
@ -262,10 +262,10 @@ $q = $pdo->prepare("SELECT students.*,schools.*
\t \t\tFROM students
LEFT JOIN registrations ON students.registrations_id=registrations.id
LEFT JOIN schools on students.schools_id=schools.id
WHERE students.year='$year'
AND registrations.year='$year'
WHERE students.year=?
AND registrations.year=?
AND (registrations.status='complete' OR registrations.status='paymentpending')");
$q->execute();
$q->execute([$year,$year]);
show_pdo_errors_if_any($pdo);
$stats['students_total'] = $q->rowCount();
$stats['students_public'] = 0;
@ -304,12 +304,12 @@ foreach ($unknown as $g => $a) {
$q = $pdo->prepare("SELECT MAX(students.grade) AS grade FROM students
\t \t\tLEFT JOIN registrations ON students.registrations_id=registrations.id
LEFT JOIN projects ON projects.registrations_id=registrations.id
WHERE students.year='$year'
AND registrations.year='$year'
AND projects.year='$year'
WHERE students.year=?
AND registrations.year=?
AND projects.year=?
AND (registrations.status='complete' OR registrations.status='paymentpending')
GROUP BY projects.id");
$q->execute();
$q->execute([$year,$year,$year]);
show_pdo_errors_if_any($pdo);
while ($r = $q->fetch(PDO::FETCH_ASSOC)) {
$stats["projects_{$grademap[$r['grade']]}"]++;
@ -318,20 +318,20 @@ while ($r = $q->fetch(PDO::FETCH_ASSOC)) {
$q = $pdo->prepare("SELECT COUNT(id) AS num FROM users
\t\t\t\tLEFT JOIN users_committee ON users_committee.users_id=users.id
\t \t\tWHERE types LIKE '%committee%'
AND year='$year'
AND year=?
AND users_committee.committee_active='yes'
AND deleted='no'");
$q->execute();
$q->execute([$year]);
$r = $q->fetch(PDO::FETCH_OBJ);
$stats['committee_members'] = $r->num;
$q = $pdo->prepare("SELECT COUNT(id) AS num FROM users LEFT JOIN users_judge ON users_judge.users_id=users.id
\t\t\t\t\tWHERE users.year='$year'
\t\t\t\t\tWHERE users.year=?
AND users.types LIKE '%judge%'
AND users.deleted='no'
AND users_judge.judge_complete='yes'
AND users_judge.judge_active='yes'");
$q->execute();
$q->execute([$year]);
$r = $q->fetch(PDO::FETCH_OBJ);
$stats['judges'] = $r->num;


@ -52,8 +52,8 @@
}
}
$s = join(',', $_POST['stats']);
$q = $pdo->prepare("UPDATE fairs SET gather_stats='$s' WHERE id='$id'");
$q->execute();
$q = $pdo->prepare("UPDATE fairs SET gather_stats=? WHERE id=?");
$q->execute([$s,$id]);
show_pdo_errors_if_any($pdo);
echo "UPDATE fairs SET gather_stats='$s' WHERE id='$id'";
happy_("Saved");
@ -63,8 +63,8 @@
/* Load the user we're editting */
$u = user_load($_SESSION['embed_edit_id']);
/* Load the fair attached to the user */
$q = $pdo->prepare("SELECT * FROM fairs WHERE id={$u['fairs_id']}");
$q->execute();
$q = $pdo->prepare("SELECT * FROM fairs WHERE id=?");
$q->execute([$u['fairs_id']]);
$f = $q->fetch(PDO::FETCH_ASSOC);
?>
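Review bot: The debug `echo "UPDATE fairs SET gather_stats='$s' WHERE id='$id'";` immediately after the now-parameterised UPDATE writes `$s`, built with join() from `$_POST['stats']`, into the response without escaping, which is a reflected-XSS vector and leaks the statement to the client; drop the echo, or at minimum wrap it in htmlspecialchars(). Whether each `$_POST['stats']` entry is checked against the known stat keys happens above the hunk and cannot be seen here — if it is not, the joined string should be built only from whitelisted values before being stored. The surrounding if/else structure starts before the hunk.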


@ -32,8 +32,8 @@ if (get_value_from_array($_GET, 'action') == 'refresh') {
<h3><?= i18n('Fundraising Purposes and Progress Year to Date') ?></h3>
<?
$q = $pdo->prepare("SELECT * FROM fundraising_goals WHERE fiscalyear='{$config['FISCALYEAR']}' ORDER BY deadline");
$q->execute();
$q = $pdo->prepare("SELECT * FROM fundraising_goals WHERE fiscalyear=? ORDER BY deadline");
$q->execute([$config['FISCALYEAR']]);
?>
<table class="tableview">
<thead>
@ -48,8 +48,8 @@ if (get_value_from_array($_GET, 'action') == 'refresh') {
<?
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
// lookup all donations made towards this goal
$recq = $pdo->prepare("SELECT SUM(value) AS received FROM fundraising_donations WHERE fundraising_goal='$r->goal' AND fiscalyear='{$config['FISCALYEAR']}' AND status='received'");
$recq->execute();
$recq = $pdo->prepare("SELECT SUM(value) AS received FROM fundraising_donations WHERE fundraising_goal=? AND fiscalyear=? AND status='received'");
$recq->execute([$r->goal,$config['FISCALYEAR']]);
show_pdo_errors_if_any($pdo);
$recr = $recq->fetch(PDO::FETCH_OBJ);
$received = $recr->received;
@ -84,15 +84,15 @@ if (get_value_from_array($_GET, 'action') == 'refresh') {
</tr>
</thead>
<?
$q = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE fiscalyear='{$config['FISCALYEAR']}'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE fiscalyear=?");
$q->execute([$config['FISCALYEAR']]);
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
$goalq = $pdo->prepare("SELECT * FROM fundraising_goals WHERE goal='{$r->fundraising_goal}' AND fiscalyear='{$config['FISCALYEAR']}'");
$goalq->execute();
$goalq = $pdo->prepare("SELECT * FROM fundraising_goals WHERE goal=? AND fiscalyear=?");
$goalq->execute([$r->fundraising_goal,$config['FISCALYEAR']]);
$goalr = $goalq->fetch(PDO::FETCH_OBJ);
$recq = $pdo->prepare("SELECT SUM(value) AS received FROM fundraising_donations WHERE fundraising_campaigns_id='$r->id' AND fiscalyear='{$config['FISCALYEAR']}' AND status='received'");
$recq->execute();
$recq = $pdo->prepare("SELECT SUM(value) AS received FROM fundraising_donations WHERE fundraising_campaigns_id=? AND fiscalyear=? AND status='received'");
$recq->execute([$r->id,$config['FISCALYEAR']]);
show_pdo_errors_if_any($pdo);
$recr = $recq->fetch(PDO::FETCH_OBJ);
$received = $recr->received;
@ -133,10 +133,10 @@ if (get_value_from_array($_GET, 'action') == 'refresh') {
\tDATE_ADD(datereceived, INTERVAL 2 MONTH) < NOW() AS twomonth
FROM fundraising_donations
WHERE thanked='no' AND status='received'
AND fiscalyear='{$config['FISCALYEAR']}'
AND fiscalyear=?
ORDER BY datereceived
");
$q->execute();
$q->execute([$config['FISCALYEAR']]);
show_pdo_errors_if_any($pdo);
if ($q->rowCount()) {
@ -149,8 +149,8 @@ if (get_value_from_array($_GET, 'action') == 'refresh') {
echo "</tr></thead>\n";
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
$dq = $pdo->prepare("SELECT organization AS name FROM sponsors WHERE id='$r->sponsors_id'");
$dq->execute();
$dq = $pdo->prepare("SELECT organization AS name FROM sponsors WHERE id=?");
$dq->execute([$r->sponsors_id]);
$dr = $dq->fetch(PDO::FETCH_OBJ);
if ($r->twomonth)
$s = 'style="background-color: ' . colour_to_percent(0) . ';"';
@ -190,10 +190,10 @@ if (get_value_from_array($_GET, 'action') == 'refresh') {
\tDATE_ADD(datereceived, INTERVAL 2 MONTH) < NOW() AS twomonth
FROM fundraising_donations
WHERE (receiptrequired='yes' AND receiptsent='no') AND status='received'
AND fiscalyear='{$config['FISCALYEAR']}'
AND fiscalyear=?
ORDER BY datereceived
");
$q->execute();
$q->execute([$config['FISCALYEAR']]);
show_pdo_errors_if_any($pdo);
if ($q->rowCount()) {
echo '<table class="tableview">';
@ -204,8 +204,8 @@ if (get_value_from_array($_GET, 'action') == 'refresh') {
echo "</tr>\n";
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
$dq = $pdo->prepare("SELECT organization AS name FROM sponsors WHERE id='$r->sponsors_id'");
$dq->execute();
$dq = $pdo->prepare("SELECT organization AS name FROM sponsors WHERE id=?");
$dq->execute([$r->sponsors_id]);
$dr = $dq->fetch(PDO::FETCH_OBJ);
if ($r->twomonth)
$s = 'style="background-color: ' . colour_to_percent(0) . ';"';
@ -280,8 +280,8 @@ if (get_value_from_array($_GET, 'action') == 'refresh') {
exit;
} else if (get_value_from_array($_POST, 'thanked')) {
foreach ($_POST['thanked'] AS $t) {
$stmt = $pdo->prepare("UPDATE fundraising_donations SET thanked='yes' WHERE id='$t'");
$stmt->execute();
$stmt = $pdo->prepare("UPDATE fundraising_donations SET thanked='yes' WHERE id=?");
$stmt->execute([$t]);
}
}
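Review bot: In the `thanked` loop the identical UPDATE is re-prepared on every iteration; hoist `$stmt = $pdo->prepare("UPDATE fundraising_donations SET thanked='yes' WHERE id=?");` above the foreach and keep only `$stmt->execute([$t]);` inside it. The statement also marks any donation id that is posted, with no `fiscalyear=?` restriction like the SELECT that listed them has, so consider adding `AND fiscalyear=?` bound to `$config['FISCALYEAR']` if ids from other years should not be reachable from this form — the intended scope is not visible in the hunk. `$_POST['thanked']` is iterated without an is_array() check, so a scalar value yields a warning rather than an update.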


@ -35,8 +35,8 @@ switch (get_value_from_array($_GET, 'action')) {
case 'modify':
echo "<div id=\"campaignaccordion\" style=\"width: 780px;\">\n";
$q = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE fiscalyear='{$config['FISCALYEAR']}' ORDER BY name");
$q->execute();
$q = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE fiscalyear=? ORDER BY name");
$q->execute([$config['FISCALYEAR']]);
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
echo '<h3><a href="#">' . htmlspecialchars($r->name) . "</a></h3>\n";
echo "<div id=\"campaign_{$r->id}\">\n";
@ -92,14 +92,14 @@ case 'managelist':
</tr>
</thead>
<?
$q = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE fiscalyear='{$config['FISCALYEAR']}'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE fiscalyear=?");
$q->execute([$config['FISCALYEAR']]);
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
$goalq = $pdo->prepare("SELECT * FROM fundraising_goals WHERE goal='{$r->fundraising_goal}' AND fiscalyear='{$config['FISCALYEAR']}'");
$goalq->execute();
$goalq = $pdo->prepare("SELECT * FROM fundraising_goals WHERE goal=? AND fiscalyear=?");
$goalq->execute([$r->fundraising_goal,$config['FISCALYEAR']]);
$goalr = $goalq->fetch(PDO::FETCH_OBJ);
$recq = $pdo->prepare("SELECT SUM(value) AS received FROM fundraising_donations WHERE fundraising_campaigns_id='$r->id' AND fiscalyear='{$config['FISCALYEAR']}' AND status='received'");
$recq->execute();
$recq = $pdo->prepare("SELECT SUM(value) AS received FROM fundraising_donations WHERE fundraising_campaigns_id=? AND fiscalyear=? AND status='received'");
$recq->execute([$r->id,$config['FISCALYEAR']]);
show_pdo_errors_if_any($pdo);
$recr = $recq->fetch(PDO::FETCH_OBJ);
$received = $recr->received;
@ -139,8 +139,8 @@ case 'managelist':
exit;
}
$id = intval($_GET['id']);
$q = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE id='$id'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE id=?");
$q->execute([$id]);
$campaign = $q->fetch(PDO::FETCH_OBJ);
echo "<h3>$campaign->name</h3>\n";
?>
@ -171,12 +171,12 @@ case 'managelist':
case 'manage_tab_overview':
$campaign_id = intval($_GET['id']);
$q = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE id='$campaign_id' AND fiscalyear='{$config['FISCALYEAR']}'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE id=? AND fiscalyear=?");
$q->execute([$campaign_id,$config['FISCALYEAR']]);
if ($r = $q->fetch(PDO::FETCH_OBJ)) {
$goalr = getGoal($r->fundraising_goal);
$recq = $pdo->prepare("SELECT SUM(value) AS received FROM fundraising_donations WHERE fundraising_campaigns_id='$r->id' AND fiscalyear='{$config['FISCALYEAR']}' AND status='received'");
$recq->execute();
$recq = $pdo->prepare("SELECT SUM(value) AS received FROM fundraising_donations WHERE fundraising_campaigns_id=? AND fiscalyear=? AND status='received'");
$recq->execute([$r->id,$config['FISCALYEAR']]);
show_pdo_errors_if_any($pdo);
$recr = recq->fetch(PDO::FETCH_OBJ);
$received = $recr->received;
@ -209,8 +209,8 @@ case 'managelist':
case 'manage_tab_donations':
$campaign_id = intval($_GET['id']);
$q = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE id='$campaign_id' AND fiscalyear='{$config['FISCALYEAR']}'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE id=? AND fiscalyear=?");
$q->execute([$campaign_id,$config['FISCALYEAR']]);
if ($campaign = $q->fetch(PDO::FETCH_OBJ)) {
echo '<table class="tableview">';
echo '<thead>';
@ -227,8 +227,8 @@ case 'managelist':
\t\t\tAND status='received' ORDER BY datereceived DESC");
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
$goal = getGoal($r->fundraising_goal);
$sq = $pdo->prepare("SELECT * FROM sponsors WHERE id='{$r->sponsors_id}'");
$sq->execute();
$sq = $pdo->prepare("SELECT * FROM sponsors WHERE id=?");
$sq->execute([$r->sponsors_id]);
$sponsor = $sq->fetch(PDO::FETCH_OBJ);
echo '<tr><td>' . format_date($r->datereceived) . "</td>\n";
echo ' <td>' . $sponsor->organization . "</td>\n";
@ -258,8 +258,8 @@ case 'managelist':
'mentor' => 'Mentor (not implemented)',
);
$campaign_id = intval($_GET['id']);
$q = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE id='$campaign_id' AND fiscalyear='{$config['FISCALYEAR']}'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE id=? AND fiscalyear=?");
$q->execute([$campaign_id,$config['FISCALYEAR']]);
$campaign = $q->fetch(PDO::FETCH_OBJ);
if ($campaign->filterparameters) {
echo '<h4>' . i18n('User List') . "</h4>\n";
@ -307,8 +307,8 @@ case 'managelist':
echo '<br />';
echo "<form id=\"prospectremoveform\" onsubmit=\"return removeselectedprospects()\">\n";
echo "<input type=\"hidden\" name=\"fundraising_campaigns_id\" value=\"$campaign_id\" />\n";
$q = $pdo->prepare("SELECT * FROM fundraising_campaigns_users_link WHERE fundraising_campaigns_id='$campaign_id'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM fundraising_campaigns_users_link WHERE fundraising_campaigns_id=?");
$q->execute([$campaign_id]);
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
$u = user_load_by_uid($r->users_uid);
// hopefully this never returns false, but who knows..
@ -359,8 +359,8 @@ case 'managelist':
</td></tr>
<tr><td><?= i18n('Donation Level') ?>:</td><td>
<?
$q = $pdo->prepare("SELECT * FROM fundraising_donor_levels WHERE fiscalyear='{$config['FISCALYEAR']}' ORDER BY min");
$q->execute();
$q = $pdo->prepare("SELECT * FROM fundraising_donor_levels WHERE fiscalyear=? ORDER BY min");
$q->execute([$config['FISCALYEAR']]);
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
echo "<label><input onchange=\"return prospect_search()\" disabled=\"disabled\" type=\"checkbox\" name=\"donationlevel[]\" value=\"$r->level\" >" . i18n($r->level) . ' (' . format_money($r->min, false) . ' - ' . format_money($r->max, false) . ")</label><br />\n";
}
@ -408,8 +408,8 @@ case 'managelist':
case 'manage_tab_communications':
$campaign_id = intval($_GET['id']);
$q = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE id='$campaign_id' AND fiscalyear='{$config['FISCALYEAR']}'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE id=? AND fiscalyear=?");
$q->execute([$campaign_id,$config['FISCALYEAR']]);
if ($r = $q->fetch(PDO::FETCH_OBJ)) {
}
$communications = array('initial' => 'Initial Communication',
@ -418,8 +418,8 @@ case 'managelist':
foreach ($communications as $key => $name) {
echo '<h4>' . i18n($name) . "</h4>\n";
// check if they have one in the emails database
$q = $pdo->prepare("SELECT * FROM emails WHERE fundraising_campaigns_id='$campaign_id' AND val='$key'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM emails WHERE fundraising_campaigns_id=? AND val=?");
$q->execute([$campaign_id,$key]);
if ($email = $q->fetch(PDO::FETCH_OBJ)) {
echo '<div style="float: right; margin-right: 15px;">';
echo "<a title=\"Edit\" href=\"#\" onclick=\"return opencommunicationeditor(null,$email->id,$campaign_id)\"><img src=\"" . $config['SFIABDIRECTORY'] . '/images/16/edit.' . $config['icon_extension'] . '" border=0></a>';
@ -465,18 +465,18 @@ case 'managelist':
print_r($_POST);
if (is_array($_POST['prospectremovefromlist'])) {
$uidlist = implode(',', $_POST['prospectremovefromlist']);
$query = "DELETE FROM fundraising_campaigns_users_link WHERE fundraising_campaigns_id='$campaignid' AND users_uid IN ($uidlist)";
$query = "DELETE FROM fundraising_campaigns_users_link WHERE fundraising_campaigns_id=? AND users_uid IN ($uidlist)";
$stmt = $pdo->prepare($query);
$stmt->execute();
$stmt->execute([$campaignid]);
show_pdo_errors_if_any($pdo);
}
// if theres nobody left in the list we need to reset the filter params as well
$q = $pdo->prepare("SELECT COUNT(*) AS num FROM fundraising_campaigns_users_link WHERE fundraising_campaigns_id='$campaignid'");
$q->execute();
$q = $pdo->prepare("SELECT COUNT(*) AS num FROM fundraising_campaigns_users_link WHERE fundraising_campaigns_id=?");
$q->execute([$campaignid]);
$r = $q->fetch(PDO::FETCH_OBJ);
if ($r->num == 0) {
$stmt = $pdo->prepare("UPDATE fundraising_campaigns SET filterparameters=NULL WHERE id='$campaignid'");
$stmt->execute();
$stmt = $pdo->prepare("UPDATE fundraising_campaigns SET filterparameters=NULL WHERE id=?");
$stmt->execute([$campaignid]);
}
happy_('Selected users removed from list');
@ -485,10 +485,10 @@ case 'managelist':
case 'prospect_removeall':
$campaignid = intval($_POST['fundraising_campaigns_id']);
$stmt = $pdo->prepare("DELETE FROM fundraising_campaigns_users_link WHERE fundraising_campaigns_id='$campaignid'");
$stmt->execute();
$stmt = $pdo->prepare("UPDATE fundraising_campaigns SET filterparameters=NULL WHERE id='$campaignid'");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM fundraising_campaigns_users_link WHERE fundraising_campaigns_id=?");
$stmt->execute([$campaignid]);
$stmt = $pdo->prepare("UPDATE fundraising_campaigns SET filterparameters=NULL WHERE id=?");
$stmt->execute([$campaignid]);
happy_('All users removed from list');
exit;
break;
@ -496,14 +496,14 @@ case 'managelist':
case 'communication_remove':
$emails_id = $_POST['id'];
// check if its been sent, if so, it cannot be deleted, sorry!
$q = $pdo->prepare("SELECT * FROM emails WHERE id='$emails_id'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM emails WHERE id=?");
$q->execute([$emails_id]);
$e = $q->fetch(PDO::FETCH_OBJ);
if ($e->lastsent) {
error_('Cannot remove an email that has already been sent');
} else {
$stmt = $pdo->prepare("DELETE FROM emails WHERE id='$emails_id'");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM emails WHERE id=?");
$stmt->execute([$emails_id]);
happy_('Communicaton removed');
}
@ -523,10 +523,10 @@ function save_campaign_info()
$startdate = $_POST['startdate'];
if (!$_GET['id']) {
$query = "INSERT INTO fundraising_campaigns (name, fiscalyear) VALUES ('" . stripslashes($_POST['name']) . "','{$config['FISCALYEAR']}')";
$query = "INSERT INTO fundraising_campaigns (name, fiscalyear) VALUES (?,?)";
echo $query;
$stmt = $pdo->prepare($query);
$stmt->execute();
$stmt->execute([stripslashes($_POST['name']),$config['FISCALYEAR']]);
$id = $pdo->lastInsertId();
happy_('Appeal Created');
} else {
@ -534,15 +534,15 @@ function save_campaign_info()
happy_('Appeal Saved');
}
$stmt = $pdo->prepare("UPDATE fundraising_campaigns SET
name='" . stripslashes($_POST['name']) . "',
`type`='" . $_POST['type'] . "',
startdate='" . $startdate . "',
followupdate='" . $_POST['followupdate'] . "',
enddate='" . $_POST['enddate'] . "',
target='" . $_POST['target'] . "',
fundraising_goal='" . $_POST['fundraising_goal'] . "'
WHERE id='$id'");
$stmt->execute();
name=?,
`type`=?,
startdate=?,
followupdate=?,
enddate=?,
target=?,
fundraising_goal=?
WHERE id=?");
$stmt->execute([stripslashes($_POST['name']),$_POST['type'],$startdate,$_POST['followupdate'],$_POST['enddate'],$_POST['target'],$_POST['fundraising_goal'],$id]);
}
send_header('Appeal Management',
@ -800,8 +800,8 @@ function display_campaign_form($r = null)
<td><?= i18n('Target') ?></td><td>$<input type="text" id="target" name="target" size="10" value="<?= get_value_property_or_default($r, 'target') ?>" /></td>
<td><?= i18n('Default Purpose') ?></td><td colspan="3">
<?
$fgq = $pdo->prepare("SELECT * FROM fundraising_goals WHERE fiscalyear='{$config['FISCALYEAR']}' ORDER BY name");
$fgq->execute();
$fgq = $pdo->prepare("SELECT * FROM fundraising_goals WHERE fiscalyear=? ORDER BY name");
$fgq->execute([$config['FISCALYEAR']]);
echo '<select name="fundraising_goal">';
echo '<option value="">' . i18n('Choose Default Purpose') . "</option>\n";
while ($fgr = $fgq->fetch(PDO::FETCH_OBJ)) {
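Review bot: The prospect-removal DELETE in the 465 hunk is still injectable: `$uidlist = implode(',', $_POST['prospectremovefromlist'])` is interpolated into `users_uid IN ($uidlist)` exactly as before, and only the campaign id was moved to a placeholder. Build one placeholder per id instead, e.g. `$ids = array_map('intval', $_POST['prospectremovefromlist']);` then `$query = "DELETE FROM fundraising_campaigns_users_link WHERE fundraising_campaigns_id=? AND users_uid IN (" . implode(',', array_fill(0, count($ids), '?')) . ")";` and `$stmt->execute(array_merge([$campaignid], $ids));`, after confirming the array is non-empty. Separately, the context line `$recr = recq->fetch(PDO::FETCH_OBJ);` in manage_tab_overview is missing its `$` and is a parse error for the whole file, and the `echo $query;` left in save_campaign_info prints the statement to the client and should go. The switch enclosing these cases starts and ends outside the hunks.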


@ -140,8 +140,8 @@ $thisyearlist = $userslist;
foreach ($neverlist AS $uid => $u) {
if ($u['sponsors_id']) {
$q = $pdo->prepare("SELECT * FROM fundraising_donations WHERE status='received' AND sponsors_id='{$u['sponsors_id']}'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM fundraising_donations WHERE status='received' AND sponsors_id=?");
$q->execute([$u['sponsors_id']]);
if ($q->rowCount()) {
// echo "removing $uid because they have donated in the past <br />";
unset($neverlist[$uid]);
@ -155,8 +155,8 @@ foreach ($neverlist AS $uid => $u) {
foreach ($pastlist AS $uid => $u) {
if ($u['sponsors_id']) {
$q = $pdo->prepare("SELECT * FROM fundraising_donations WHERE status='received' AND sponsors_id='{$u['sponsors_id']}'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM fundraising_donations WHERE status='received' AND sponsors_id=?");
$q->execute([$u['sponsors_id']]);
if (!$q->rowCount()) {
// echo "removing $uid because they have NOT donated in the past <br />";
unset($pastlist[$uid]);
@ -171,8 +171,8 @@ $lastyear = $config['FISCALYEAR'] - 1;
foreach ($lastyearlist AS $uid => $u) {
if ($u['sponsors_id']) {
$q = $pdo->prepare("SELECT * FROM fundraising_donations WHERE status='received' AND sponsors_id='{$u['sponsors_id']}' AND fiscalyear='$lastyear'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM fundraising_donations WHERE status='received' AND sponsors_id=? AND fiscalyear=?");
$q->execute([$u['sponsors_id'],$lastyear]);
if (!$q->rowCount()) {
// echo "removing $uid because they have NOT donated last year <br />";
unset($lastyearlist[$uid]);
@ -185,8 +185,8 @@ foreach ($lastyearlist AS $uid => $u) {
foreach ($thisyearlist AS $uid => $u) {
if ($u['sponsors_id']) {
$q = $pdo->prepare("SELECT * FROM fundraising_donations WHERE status='received' AND sponsors_id='{$u['sponsors_id']}' AND fiscalyear='{$config['FISCALYEAR']}'");
$q->execcute();
$q = $pdo->prepare("SELECT * FROM fundraising_donations WHERE status='received' AND sponsors_id=? AND fiscalyear=?");
$q->execute([$u['sponsors_id'],$config['FISCALYEAR']]);
if (!$q->rowCount()) {
// echo "removing $uid because they have NOT donated this year <br />";
unset($thisyearlist[$uid]);
@ -216,12 +216,12 @@ if ($_GET['generatelist']) {
$campaignid = $_POST['fundraising_campaigns_id'];
$params = serialize($_POST);
echo "params=$params";
$stmt = $pdo->prepare("UPDATE fundraising_campaigns SET filterparameters='{$params}' WHERE id='$campaignid'");
$stmt->execute();
$stmt = $pdo->prepare("UPDATE fundraising_campaigns SET filterparameters=? WHERE id=?");
$stmt->execute([$params,$campaignid]);
$uids = array_keys($userslist);
foreach ($uids AS $u) {
$stmt = $pdo->prepare("INSERT INTO fundraising_campaigns_users_link (fundraising_campaigns_id, users_uid) VALUES ('$campaignid','$u')");
$stmt->execute();
$stmt = $pdo->prepare("INSERT INTO fundraising_campaigns_users_link (fundraising_campaigns_id, users_uid) VALUES (?,?)");
$stmt->execute([$campaignid,$u]);
}
echo 'List created';
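Review bot: `echo "params=$params";` in the generatelist branch prints the serialized `$_POST` array to the page unescaped, so every field a user submits is reflected into the HTML; remove the debug echo. The same serialized request is then stored in filterparameters — if it is later fed to unserialize() (not visible here), prefer json_encode()/json_decode() so stored request data cannot instantiate objects. The INSERT into fundraising_campaigns_users_link is re-prepared on every iteration of the uid loop; prepare it once before the foreach and only execute per uid. `$campaignid = $_POST['fundraising_campaigns_id']` is now bound safely, but unlike the other handlers in this commit it is not passed through intval(), so a non-numeric value reaches the UPDATE and INSERT; the enclosing if block starts before the hunk.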


@ -5,8 +5,8 @@ $salutations = array('Mr.', 'Mrs.', 'Ms', 'Dr.', 'Professor');
function getGoal($goal)
{
global $config, $pdo;
$q = $pdo->prepare("SELECT * FROM fundraising_goals WHERE goal='$goal' AND fiscalyear='{$config['FISCALYEAR']}' LIMIT 1");
$q->execute();
$q = $pdo->prepare("SELECT * FROM fundraising_goals WHERE goal=? AND fiscalyear=? LIMIT 1");
$q->execute([$goal,$config['FISCALYEAR']]);
return $q->fetch(PDO::FETCH_OBJ);
}


@ -2,16 +2,16 @@
if ($_POST['action'] == 'funddelete' && $_POST['delete']) {
// first lookup all the sponsorships inside the fund
$id = intval($_POST['delete']);
$q = $pdo->prepare("SELECT * FROM fundraising_goals WHERE id='$id' AND year='" . $config['FISCALYEAR'] . "'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM fundraising_goals WHERE id=? AND year=?");
$q->execute([$id,$config['FISCALYEAR']]);
$f = $q->fetch(PDO::FETCH_OBJ);
// hold yer horses, no deleting system funds!
if ($f) {
if ($f->system == 'no') {
$stmt = $pdo->prepare("DELETE FROM fundraising_donations WHERE fundraising_goal='" . $f->type . "' AND fiscalyear='" . $config['FISCALYEAR'] . "'");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM fundraising_goals WHERE id='$id'");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM fundraising_donations WHERE fundraising_goal=? AND fiscalyear=?");
$stmt->execute([$f->type,$config['FISCALYEAR']]);
$stmt = $pdo->prepare("DELETE FROM fundraising_goals WHERE id=?");
$stmt->execute([$id]);
if ($pdo->rowCount())
happy_('Successfully removed fund %1', array($f->name));
} else {
@ -23,8 +23,8 @@ if ($_POST['action'] == 'funddelete' && $_POST['delete']) {
if ($_POST['action'] == 'fundedit' || $_POST['action'] == 'fundadd') {
$fundraising_id = intval($_POST['fundraising_id']);
if ($fundraising_id) {
$q = $pdo->prepare("SELECT * FROM fundraising_goals WHERE id='$fundraising_id'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM fundraising_goals WHERE id=?");
$q->execute([$fundraising_id]);
$f = $q->fetch(PDO::FETCH_OBJ);
$system = $f->system;
}
@ -37,11 +37,11 @@ if ($_POST['action'] == 'fundedit' || $_POST['action'] == 'fundadd') {
if ($_POST['action'] == 'fundedit') {
if (($system == 'yes' && $budget) || ($system == 'no' && $budget && $goal && $name)) {
if ($system == 'yes') {
$stmt = $pdo->prepare("UPDATE fundraising SET budget='$budget', description='$description' WHERE id='$fundraising_id'");
$stmt->execute();
$stmt = $pdo->prepare("UPDATE fundraising SET budget=?, description=? WHERE id=?");
$stmt->execute([$budget,$description,$fundraising_id]);
} else {
$stmt = $pdo->prepare("UPDATE fundraising SET budget='$budget', description='$description', goal='$goal', name='$name' WHERE id='$fundraising_id'");
$stmt->execute();
$stmt = $pdo->prepare("UPDATE fundraising SET budget=?, description=?, goal=?, name=? WHERE id=?");
$stmt->execute([$budget,$description,$goal,$name,$fundraising_id]);
}
if ($pdo->errorInfo())
@ -55,8 +55,8 @@ if ($_POST['action'] == 'fundedit') {
}
if ($_POST['action'] == 'fundadd') {
if ($goal && $type && $name) {
$stmt = $pdo->prepare("INSERT INTO fundraising_goals (goal,name,description,system,budget,fiscalyear) VALUES ('$goal','$name','$description','no','$budget','{$config['FISCALYEAR']}')");
$stmt->execute();
$stmt = $pdo->prepare("INSERT INTO fundraising_goals (goal,name,description,system,budget,fiscalyear) VALUES (?,?,?,'no',?,?)");
$stmt->execute([$goal,$name,$description,$budget,$config['FISCALYEAR']]);
happy_('Added new fund');
} else
error_('Required fields were missing, please try again');


@ -1,8 +1,8 @@
<?
if ($_GET['action'] == 'fundraisingmain') {
// this table is eventually going to be massive, and probably not in a tableview format, it'll show goals as well as all ongoing fund pledges, probabilities, etc as well as over/under, etc, all prettily colour coded.. basically a good overview of the total fundraising status of the fair.
$q = $pdo->prepare("SELECT * FROM fundraising_goals WHERE fiscalyear='{$config['FISCALYEAR']}' ORDER BY system DESC,goal");
$q->execute();
$q = $pdo->prepare("SELECT * FROM fundraising_goals WHERE fiscalyear=? ORDER BY system DESC,goal");
$q->execute([$config['FISCALYEAR']]);
echo '<table class="fundraisingtable">';
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
@ -25,23 +25,24 @@ if ($_GET['action'] == 'fundraisingmain') {
$typetotal = 0;
$typeprobtotal = 0;
$sq = $pdo->prepare("
SELECT fundraising_donations.id, sponsors.organization AS name, fundraising_donations.value, fundraising_donations.status, fundraising_donations.probability
\t FROM fundraising_donations
\t JOIN sponsors ON fundraising_donations.sponsors_id=sponsors.id
\t WHERE (fundraising_donations.fundraising_goal='$r->goal' $orsql)
\t AND fundraising_donations.fiscalyear='{$config['FISCALYEAR']}'
(SELECT fundraising_donations.id, sponsors.organization AS name,
fundraising_donations.value, fundraising_donations.status, fundraising_donations.probability
FROM fundraising_donations
JOIN sponsors ON fundraising_donations.sponsors_id = sponsors.id
WHERE (fundraising_donations.fundraising_goal = ? OR fundraising_donations.fundraising_goal = ?)
AND fundraising_donations.fiscalyear = ?)
UNION
UNION
SELECT fundraising_donations.id, CONCAT(users.firstname,' ',users.lastname) AS name, fundraising_donations.value, fundraising_donations.status, fundraising_donations.probability
\t FROM fundraising_donations
\t JOIN users ON fundraising_donations.users_uid=users.uid
\t WHERE (fundraising_donations.fundraising_goal='$r->goal' $orsql)
\t AND fundraising_donations.fiscalyear='{$config['FISCALYEAR']}'
(SELECT fundraising_donations.id, CONCAT(users.firstname, ' ', users.lastname) AS name,
fundraising_donations.value, fundraising_donations.status, fundraising_donations.probability
FROM fundraising_donations
JOIN users ON fundraising_donations.users_uid = users.uid
WHERE (fundraising_donations.fundraising_goal = ? OR fundraising_donations.fundraising_goal = ?)
AND fundraising_donations.fiscalyear = ?)
\t ORDER BY status DESC, probability DESC, name
");
$sq->execute();
ORDER BY status DESC, probability DESC, name");
$sq->execute([$r->goal, $orsql, $config['FISCALYEAR'], $r->goal, $orsql, $config['FISCALYEAR']]);
show_pdo_errors_if_any($pdo);
while ($sr = $sq->fetch(PDO::FETCH_OBJ)) {
echo "<tr id=\"sponsorships_$sr->id\" class=\"fundraising{$sr->status}\">";
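Review bot: `$orsql` is bound as a plain value on the new `$sq->execute([$r->goal, $orsql, $config['FISCALYEAR'], ...])` line, but the removed text `fundraising_goal='$r->goal' $orsql` shows it was an SQL fragment (an `OR fundraising_goal='…'` clause or an empty string) rather than a goal key, so the second `fundraising_goal = ?` alternative now compares against a fragment and never matches. `$orsql` is assigned outside this hunk, so confirm its shape there; the fix is to build the alternate goal key as a value (say `$orgoal`) where `$orsql` was built and bind that in both halves of the UNION, binding `$r->goal` twice when there is no alternate. The `show_pdo_errors_if_any($pdo)` call that follows would not surface this, since the query is syntactically valid and simply returns fewer rows.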


@ -84,8 +84,8 @@ while ($r = $q->fetch(PDO::FETCH_OBJ)) {
<select name="goal">
<option value="">All purposes</option>
<?
$q = $pdo->prepare("SELECT * FROM fundraising_goals WHERE fiscalyear='{$config['FISCALYEAR']}' ORDER BY name");
$q->execute();
$q = $pdo->prepare("SELECT * FROM fundraising_goals WHERE fiscalyear=? ORDER BY name");
$q->execute([$config['FISCALYEAR']]);
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
echo "<option value=\"$r->goal\">$r->name</option>\n";
}


@ -44,13 +44,13 @@ if ($id && $type) {
$rep->newPage();
$rep->setFontSize(8);
}
$sql = "SELECT * FROM fundraising_campaigns WHERE fiscalyear='{$config['FISCALYEAR']}' ";
$sql = "SELECT * FROM fundraising_campaigns WHERE fiscalyear=? ";
if ($_GET['fundraising_campaigns_id']) {
$sql .= " AND id='" . intval($_GET['fundraising_campaigns_id']) . "'";
$sql .= " AND id=?";
}
$sql .= ' ORDER BY name';
$q = $pdo->prepare($sql);
$q->execute();
$q->execute([$config['FISCALYEAR'],intval($_GET['fundraising_campaigns_id'])]);
show_pdo_errors_if_any($pdo);
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
$rep->heading($r->name);
@ -62,8 +62,8 @@ if ($id && $type) {
$thisyear = $config['FISCALYEAR'];
$lastyear = $config['FISCALYEAR'] - 1;
$pq = $pdo->prepare("SELECT * FROM fundraising_campaigns_users_link WHERE fundraising_campaigns_id='$r->id'");
$pq->execute();
$pq = $pdo->prepare("SELECT * FROM fundraising_campaigns_users_link WHERE fundraising_campaigns_id=?");
$pq->execute([$r->id]);
while ($pr = $pq->fetch(PDO::FETCH_OBJ)) {
$u = user_load_by_uid($pr->users_uid);
// hopefully this never returns false, but who knows..
@ -75,16 +75,16 @@ if ($id && $type) {
// gah i dont know what the heck to do here
if ($u['sponsors_id']) {
$cq = $pdo->prepare("SELECT SUM(value) AS total FROM fundraising_donations WHERE sponsors_id='{$u['sponsors_id']}' AND fundraising_campaigns_id='$r->id' AND status='received' AND fiscalyear='$thisyear'");
$cq->execute();
$cq = $pdo->prepare("SELECT SUM(value) AS total FROM fundraising_donations WHERE sponsors_id=? AND fundraising_campaigns_id=? AND status='received' AND fiscalyear=?");
$cq->execute([$u['sponsors_id'],$r->id,$thisyear]);
$cr = $cq->fetch(PDO::FETCH_OBJ);
$thisappeal = $cr->total;
$cq = $pdo->prepare("SELECT SUM(value) AS total FROM fundraising_donations WHERE sponsors_id='{$u['sponsors_id']}' AND status='received' AND fiscalyear='$thisyear'");
$cq->execute();
$cq = $pdo->prepare("SELECT SUM(value) AS total FROM fundraising_donations WHERE sponsors_id=? AND status='received' AND fiscalyear=?");
$cq->execute([$u['sponsors_id'],$thisyear]);
$cr = $cq->fetch(PDO::FETCH_OBJ);
$thisyeartotal = $cr->total;
$cq = $pdo->prepare("SELECT SUM(value) AS total FROM fundraising_donations WHERE sponsors_id='{$u['sponsors_id']}' AND status='received' AND fiscalyear='$lastyear'");
$cq->execute();
$cq = $pdo->prepare("SELECT SUM(value) AS total FROM fundraising_donations WHERE sponsors_id=? AND status='received' AND fiscalyear=?");
$cq->execute([$u['sponsors_id'],$lastyear]);
$cr = $cq->fetch(PDO::FETCH_OBJ);
$lastyeartotal = $cr->total;
if ($lastyeartotal)
@ -126,13 +126,13 @@ if ($id && $type) {
$rep->newPage();
$rep->setFontSize(8);
}
$sql = "SELECT * FROM fundraising_goals WHERE fiscalyear='{$config['FISCALYEAR']}' ";
$sql = "SELECT * FROM fundraising_goals WHERE fiscalyear=? ";
if ($_GET['goal']) {
$sql .= " AND goal='" . $_GET['goal'] . "'";
$sql .= " AND goal=?";
}
$sql .= ' ORDER BY name';
$q = $pdo->prepare($sql);
$q->execute();
$q->execute([$config['FISCALYEAR'],$_GET['goal']]);
show_pdo_errors_if_any($pdo);
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
@ -143,8 +143,8 @@ if ($id && $type) {
$table['widths'] = array(1.5, 0.5, 0.5, 0.75, 0.9, 0.9, 0.9, 0.5);
$table['dataalign'] = array('left', 'right', 'right', 'center', 'center', 'center', 'center', 'right');
$cq = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE fundraising_goal='$r->goal' AND fiscalyear='{$config['FISCALYEAR']}'");
$cq->execute();
$cq = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE fundraising_goal=? AND fiscalyear=?");
$cq->execute([$r->goal,$config['FISCALYEAR']]);
while ($cr = $cq->fetch(PDO::FETCH_OBJ)) {
$table['data'][] = array(
$cr->name,


@ -28,45 +28,45 @@ require_once ('../user.inc.php');
user_auth_required('committee', 'admin');
// first, insert any default fundraising donor levels
$q = $pdo->prepare("SELECT * FROM fundraising_donor_levels WHERE fiscalyear='" . $config['FISCALYEAR'] . "'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM fundraising_donor_levels WHERE fiscalyear=?");
$q->execute([$config['FISCALYEAR']]);
if (!$q->rowCount()) {
$q = $pdo->prepare("SELECT * FROM fundraising_donor_levels WHERE fiscalyear='-1'");
$q->execute();
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
$pdo->prepare("INSERT INTO fundraising_donor_levels (`level`,`min`,`max`,`description`,`fiscalyear`) VALUES (
'" . $r->level . "',
'" . $r->min . "',
'" . $r->max . "',
'" . $r->description . "',
'" . $config['FISCALYEAR'] . ")')");
?,
?,
?,
?,
?)')");
$pdo->execute();
$pdo->execute([$r->level,$r->min,$r->max,$r->description,$config['FISCALYEAR']]);
}
}
// first, insert any default fundraising goals
$q = $pdo->prepare("SELECT * FROM fundraising_goals WHERE fiscalyear='" . $config['FISCALYEAR'] . "'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM fundraising_goals WHERE fiscalyear=?");
$q->execute([$config['FISCALYEAR']]);
if (!$q->rowCount()) {
$q = $pdo->prepare("SELECT * FROM fundraising_goals WHERE fiscalyear='-1'");
$q->execute();
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
$stmt = $pdo->prepare("INSERT INTO fundraising_goals (`goal`,`name`,`description`,`system`,`budget`,`fiscalyear`) VALUES (
'" . stripslashes($r->goal) . "',
'" . stripslashes($r->name) . "',
'" . stripslashes($r->description) . "',
'" . $r->system . "',
'" . $r->budget . "',
'" . $config['FISCALYEAR'] . "')");
$stmt->execute();
?,
?,
?,
?,
?,
?)");
$stmt->execute([stripslashes($r->goal),stripslashes($r->name),stripslashes($r->description),$r->system,$r->budget, $config['FISCALYEAR']]);
}
}
switch (get_value_from_array($_GET, 'gettab')) {
case 'levels':
$q = $pdo->prepare("SELECT * FROM fundraising_donor_levels WHERE fiscalyear='{$config['FISCALYEAR']}' ORDER BY max");
$q->execute();
$q = $pdo->prepare("SELECT * FROM fundraising_donor_levels WHERE fiscalyear=? ORDER BY max");
$q->execute([$config['FISCALYEAR']]);
echo "<div id=\"levelaccordion\" style=\"width: 75%;\">\n";
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
echo "<h3><a href=\"#\">$r->level (" . format_money($r->min, false) . ' to ' . format_money($r->max, false) . ")</a></h3>\n";
@ -120,8 +120,8 @@ switch (get_value_from_array($_GET, 'gettab')) {
break;
case 'goals':
$q = $pdo->prepare("SELECT * FROM fundraising_goals WHERE fiscalyear='{$config['FISCALYEAR']}' ORDER BY name");
$q->execute();
$q = $pdo->prepare("SELECT * FROM fundraising_goals WHERE fiscalyear=? ORDER BY name");
$q->execute([$config['FISCALYEAR']]);
echo "<div id=\"goalaccordion\" style=\"width: 75%;\">\n";
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
echo "<h3><a href=\"#\">$r->name (" . format_money($r->budget, false) . ') Deadline: ' . format_date($r->deadline) . "</a></h3>\n";
@ -225,30 +225,30 @@ switch (get_value_from_array($_GET, 'action')) {
if ($id) {
$stmt = $pdo->prepare("UPDATE fundraising_donor_levels SET
min='" . $_POST['min'] . "',
max='" . $_POST['max'] . "',
level='" . stripslashes($_POST['level']) . "',
description='" . stripslashes($_POST['description']) . "'
WHERE id='$id' AND fiscalyear='{$config['FISCALYEAR']}'
min=?,
max=?,
level=?,
description=?
WHERE id=? AND fiscalyear=?
");
$stmt->execute();
$stmt->execute([$_POST['min'],$_POST['max'],stripslashes($_POST['level']),stripslashes($_POST['description']),$id,$config['FISCALYEAR']]);
happy_('Level Saved');
} else {
$stmt = $pdo->prepare("INSERT INTO fundraising_donor_levels (`level`,`min`,`max`,`description`,`fiscalyear`) VALUES (
'" . $_POST['level'] . "',
'" . $_POST['min'] . "',
'" . $_POST['max'] . "',
'" . $_POST['description'] . "',
'{$config['FISCALYEAR']}')");
$stmt->execute();
?,
?,
?,
?,
?)");
$stmt->execute([$_POST['level'],$_POST['min'],$_POST['max'],$_POST['description'],$config['FISCALYEAR']]);
happy_('Level Created');
}
exit;
break;
case 'level_delete':
$id = $_POST['id'];
$stmt = $pdo->prepare("DELETE FROM fundraising_donor_levels WHERE id='$id' AND fiscalyear='{$config['FISCALYEAR']}'");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM fundraising_donor_levels WHERE id=? AND fiscalyear=?");
$stmt->execute([$id,$config['FISCALYEAR']]);
happy_('Level Deleted');
exit;
break;
@ -261,20 +261,20 @@ switch (get_value_from_array($_GET, 'action')) {
}
if ($id) {
$stmt = $pdo->prepare("UPDATE fundraising_goals SET
budget='" . $_POST['budget'] . "',
deadline='" . $_POST['deadline'] . "',
name='" . stripslashes($_POST['name']) . "',
description='" . stripslashes($_POST['description']) . "'
WHERE id='$id' AND fiscalyear='{$config['FISCALYEAR']}'
budget=?,
deadline=?,
name=?,
description=?
WHERE id=? AND fiscalyear=?
");
$stmt->execute();
$stmt->execute([$_POST['budget'],$_POST['deadline'],stripslashes($_POST['name']),stripslashes($_POST['description']),$id,$config['FISCALYEAR']]);
happy_('Purpose Saved');
} else {
$goal = strtolower($_POST['name']);
$goal = preg_replace('[^a-z]', '', $goal);
echo "SELECT * FROM fundraising_goals WHERE goal='$goal' AND fiscalyear='{$config['FISCALYEAR']}'";
$q = $pdo->prepare("SELECT * FROM fundraising_goals WHERE goal='$goal' AND fiscalyear='{$config['FISCALYEAR']}'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM fundraising_goals WHERE goal=? AND fiscalyear=?");
$q->execute([$goal,$config['FISCALYEAR']]);
show_pdo_errors_if_any($pdo);
if ($q->rowCount()) {
error_('The automatically generated purpose key (%1) generated from (%2) is not unique. Please try a different Purpose Name', array($goal, $_POST['name']));
@ -282,13 +282,13 @@ switch (get_value_from_array($_GET, 'action')) {
}
$stmt = $pdo->prepare("INSERT INTO fundraising_goals (`goal`,`name`,`budget`,`deadline`,`description`,`fiscalyear`) VALUES (
'" . $goal . "',
'" . $_POST['name'] . "',
'" . $_POST['budget'] . "',
'" . $_POST['deadline'] . "',
'" . $_POST['description'] . "',
'{$config['FISCALYEAR']}')");
$stmt->execute();
?,
?,
?,
?,
?,
?)");
$stmt->execute([$goal,$_POST['name'],$_POST['budget'],$_POST['deadline'],$_POST['description'],$config['FISCALYEAR']]);
happy_('Purpose Created');
}
exit;
@ -296,8 +296,8 @@ switch (get_value_from_array($_GET, 'action')) {
case 'goal_delete':
$id = $_POST['id'];
// they cant delete system ones
$q = $pdo->prepare("SELECT * FROM fundraising_goals WHERE id='$id' AND fiscalyear='{$config['FISCALYEAR']}'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM fundraising_goals WHERE id=? AND fiscalyear=?");
$q->execute([$id,$config['FISCALYEAR']]);
if (!$r = $q->fetch(PDO::FETCH_OBJ)) {
error_('Invalid goal to delete');
exit;
@ -306,15 +306,15 @@ switch (get_value_from_array($_GET, 'action')) {
error_('Fundraising goals created automatically and used by the system cannot be deleted');
exit;
}
$q = $pdo->prepare("SELECT * FROM fundraising_donations WHERE fundraising_goal='$r->goal' AND fiscalyear='{$config['FISCALYEAR']}'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM fundraising_donations WHERE fundraising_goal=? AND fiscalyear=?");
$q->execute([$r->goal,$config['FISCALYEAR']]);
if ($q->rowCount()) {
error_('This goal already has donations assigned to it, it cannot be deleted');
exit;
}
$stmt = $pdo->prepare("DELETE FROM fundraising_goals WHERE id='$id' AND fiscalyear='{$config['FISCALYEAR']}'");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM fundraising_goals WHERE id=? AND fiscalyear=?");
$stmt->execute([$id,$config['FISCALYEAR']]);
happy_('Purpose Deleted');
exit;
break;
@ -322,14 +322,14 @@ switch (get_value_from_array($_GET, 'action')) {
case 'setup_save':
$fye = sprintf('%02d-%02d', intval($_POST['fiscalendmonth']), intval($_POST['fiscalendday']));
$stmt = $pdo->prepare("UPDATE config SET val='$fye' WHERE var='fiscal_yearend' AND year='{$config['FAIRYEAR']}'");
$stmt->execute();
$stmt = $pdo->prepare("UPDATE config SET val=? WHERE var='fiscal_yearend' AND year=?");
$stmt->execute([$fye,$config['FAIRYEAR']]);
$stmt = $pdo->prepare("UPDATE config SET val='" . $_POST['registeredcharity'] . "' WHERE var='registered_charity' AND year='{$config['FAIRYEAR']}'");
$stmt->execute();
$stmt = $pdo->prepare("UPDATE config SET val=? WHERE var='registered_charity' AND year=?");
$stmt->execute([$_POST['registeredcharity'],$config['FAIRYEAR']]);
$stmt = $pdo->prepare("UPDATE config SET val='" . $_POST['charitynumber'] . "' WHERE var='charity_number' AND year='{$config['FAIRYEAR']}'");
$stmt->execute();
$stmt = $pdo->prepare("UPDATE config SET val=? WHERE var='charity_number' AND year=?");
$stmt->execute([$_POST['charitynumber'],$config['FAIRYEAR']]);
happy_('Fundraising module setup saved');
exit;
break;
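Review bot: The donor-level seeding loop in the first hunk is still broken after the rewrite: the result of `$pdo->prepare(...)` is discarded and the following call is `$pdo->execute([...])`, which is not a method of PDO (execute belongs to PDOStatement), so the first fiscal year without levels fails fatally before any row is inserted. The new statement text also keeps the stray quote from the old line, ending in `?)')");`, which leaves `VALUES (?,?,?,?,?)')` as invalid SQL. The goals seeding loop directly below is the pattern to copy: `$stmt = $pdo->prepare("INSERT INTO fundraising_donor_levels (`level`,`min`,`max`,`description`,`fiscalyear`) VALUES (?,?,?,?,?)");` then `$stmt->execute([$r->level,$r->min,$r->max,$r->description,$config['FISCALYEAR']]);`.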


@ -29,8 +29,8 @@ user_auth_required('committee', 'admin');
if ($_GET['id']) {
$id = intval($_GET['id']);
$q = $pdo->prepare("SELECT fundraising_donations.*, sponsors.organization FROM fundraising_donations,sponsors WHERE fundraising_donations.id='$id' AND fundraising_donations.sponsors_id=sponsors.id");
$q->execute();
$q = $pdo->prepare("SELECT fundraising_donations.*, sponsors.organization FROM fundraising_donations,sponsors WHERE fundraising_donations.id=? AND fundraising_donations.sponsors_id=sponsors.id");
$q->execute([$id]);
$sponsorship = $q->fetch(PDO::FETCH_OBJ);
$formaction = 'sponsorshipedit';
} else {


@ -1,7 +1,7 @@
<?
if ($_POST['action'] == 'sponsorshipdelete') {
$stmt = $pdo->prepare("DELETE FROM fundraising_donations WHERE id='" . intval($_POST['delete']) . "'");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM fundraising_donations WHERE id=?");
$stmt->execute([intval($_POST['delete'])]);
if ($pdo->rowCount())
happy_('Successfully removed sponsorship');
exit;
@ -24,8 +24,8 @@ if ($_POST['action'] == 'sponsorshipedit' || $_POST['action'] == 'sponsorshipadd
if ($_POST['action'] == 'sponsorshipedit') {
if ($fundraising_donations_id && $fundraising_type && $value) {
$q = $pdo->prepare("SELECT * FROM fundraising_donations WHERE id='$fundraising_donations_id'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM fundraising_donations WHERE id=?");
$q->execute([$fundraising_donations_id]);
$current = $q->fetch(PDO::FETCH_OBJ);
unset($log);
@ -43,15 +43,15 @@ if ($_POST['action'] == 'sponsorshipedit') {
$log[] = "Changed sponsorship probability from $current->probability to $probability";
if (count($log)) {
$stmt = $pdo->prepare("UPDATE fundraising_donations SET fundraising_type='$fundraising_type', value='$value', status='$status', probability='$probability' WHERE id='$fundraising_donations_id'");
$stmt->execute();
$stmt = $pdo->prepare("UPDATE fundraising_donations SET fundraising_type=?, value=?, status=?, probability=? WHERE id=?");
$stmt->execute([$fundraising_type,$value,$status,$probability,$fundraising_donations_id]);
foreach ($log AS $l) {
$stmt = $pdo->prepare("INSERT INTO fundraising_donor_logs (sponsors_id,dt,users_id,log) VALUES (
'$current->sponsors_id',
?,
NOW(),
'" . $_SESSION['users_id'] . "',
'" . $l . "')");
$stmt->execute();
?,
?)");
$stmt->execute([$current->sponsors_id,$_SESSION['users_id'],$l]);
}
if ($pdo->errorInfo())
echo error_($pdo->errorInfo());
@ -66,16 +66,12 @@ if ($_POST['action'] == 'sponsorshipedit') {
}
if ($_POST['action'] == 'sponsorshipadd') {
if ($sponsors_id && $fundraising_type && $value) {
$stmt = $pdo->prepare("INSERT INTO fundraising_donations (sponsors_id,fundraising_type,value,status,probability,fiscalyear) VALUES ('$sponsors_id','$fundraising_type','$value','$status','$probability','{$config['FISCALYEAR']}')");
$stmt->execute();
$stmt = $pdo->prepare("INSERT INTO fundraising_donations (sponsors_id,fundraising_type,value,status,probability,fiscalyear) VALUES (?,?,?,?,?,?)");
$stmt->execute([$sponsors_id,$fundraising_type,$value,$status,$probability,$config['FISCALYEAR']]);
$stmt = $pdo->prepare("INSERT INTO fundraising_donor_logs (sponsors_id,dt,users_id,log) VALUES (
$stmt->execute();
'$sponsors_id',
NOW(),
'" . $_SESSION['users_id'] . "',
'" . "Created sponsorship: type=$fundraising_type, value=\$$value, status=$status, probability=$probability%") . "')";
$stmt = $pdo->prepare("INSERT INTO fundraising_donor_logs (sponsors_id,dt,users_id,log) VALUES (?,NOW(),?, Created sponsorship: type=?, value=\$?, status=?, probability=?%) ");
happy_('Added new sponsorship');
$stmt->execute([$sponsors_id,$_SESSION['users_id'],$fundraising_type,$value,$status,$probability]);
} else
error_('Required fields were missing, please try again');
if ($pdo->errorInfo())
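Review bot: The new `fundraising_donor_logs` insert in the `sponsorshipadd` branch is not valid SQL: the log text is placed bare inside `VALUES (?,NOW(),?, Created sponsorship: type=?, value=\$?, status=?, probability=?%)` with no string quoting, and placeholders cannot appear inside a literal anyway, so prepare/execute fails and no audit row is written for new sponsorships. The message should be assembled in PHP and bound as the single `log` value, and `happy_('Added new sponsorship')` should come after the execute rather than between prepare and execute as it does now. `if ($pdo->rowCount())` in the first hunk is also not a PDO method (rowCount belongs to the statement), but that predates this commit.
```php
$logMsg = "Created sponsorship: type=$fundraising_type, value=\$$value, status=$status, probability=$probability%";
$stmt = $pdo->prepare("INSERT INTO fundraising_donor_logs (sponsors_id,dt,users_id,log) VALUES (?,NOW(),?,?)");
$stmt->execute([$sponsors_id,$_SESSION['users_id'],$logMsg]);
happy_('Added new sponsorship');
```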


@ -29,8 +29,8 @@ user_auth_required('committee', 'admin');
if ($_GET['id']) {
$id = intval($_GET['id']);
$q = $pdo->prepare("SELECT * FROM fundraising WHERE id='$id'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM fundraising WHERE id=?");
$q->execute([$id]);
// echo "<h2>Edit Fund</h2>";
$fund = $q->fetch(PDO::FETCH_OBJ);
$formaction = 'fundedit';


@ -30,8 +30,8 @@ $ret = array();
foreach ($config['languages'] AS $l => $ln) {
if ($l == $config['default_language'])
continue;
$q = $pdo->prepare("SELECT * FROM translations WHERE lang='$l' AND strmd5='" . md5(iconv('ISO-8859-1', 'UTF-8', $_GET['str'])) . "'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM translations WHERE lang=? AND strmd5=?");
$q->execute([$l,md5(iconv('ISO-8859-1', 'UTF-8', $_GET['str']))]);
if ($r = $q->fetch(PDO::FETCH_OBJ))
$ret[$l] = iconv('ISO-8859-1', 'UTF-8', $r->val);
else


@ -8,10 +8,10 @@ function getJudgingTeams()
FROM
judges_teams
WHERE
judges_teams.year='" . $config['FAIRYEAR'] . "'
judges_teams.year=?
ORDER BY
num,name");
$q->execute();
$q->execute([$config['FAIRYEAR']]);
$lastteamid = -1;
$lastteamnum = -1;
@ -28,8 +28,8 @@ function getJudgingTeams()
$rounds = array();
$tq = $pdo->prepare("SELECT * FROM judges_teams_timeslots_link
LEFT JOIN judges_timeslots ON judges_timeslots.id=judges_teams_timeslots_link.judges_timeslots_id
WHERE judges_teams_timeslots_link.judges_teams_id='{$r->id}'");
$tq->execute();
WHERE judges_teams_timeslots_link.judges_teams_id=?");
$tq->execute([$r->id]);
$teams[$r->id]['timeslots'] = array();
$teams[$r->id]['rounds'] = array();
@ -39,8 +39,8 @@ function getJudgingTeams()
}
foreach ($rounds as $round_id) {
$tq = $pdo->prepare("SELECT * FROM judges_timeslots WHERE id='{$round_id}'");
$tq->execute();
$tq = $pdo->prepare("SELECT * FROM judges_timeslots WHERE id=?");
$tq->execute([$round_id]);
$teams[$r->id]['rounds'][] = $tq->fetch(PDO::FETCH_ASSOC);
}
@ -55,12 +55,12 @@ function getJudgingTeams()
judges_teams_link
WHERE
judges_teams_link.users_id=users.id AND
judges_teams_link.judges_teams_id='$r->id'
judges_teams_link.judges_teams_id=?
ORDER BY
captain DESC,
lastname,
firstname");
$mq->execute();
$mq->execute([$r->id]);
show_pdo_errors_if_any($pdo);
$teamlangs = array();
@ -87,9 +87,9 @@ function getJudgingTeams()
$lq = $pdo->prepare("SELECT projects.language
FROM judges_teams_timeslots_projects_link
LEFT JOIN projects ON judges_teams_timeslots_projects_link.projects_id=projects.id
WHERE judges_teams_timeslots_projects_link.year='{$config['FAIRYEAR']}' AND
judges_teams_id='$r->id' AND language!='' ");
$lq->execute();
WHERE judges_teams_timeslots_projects_link.year=? AND
judges_teams_id=? AND language!='' ");
$lq->execute([$config['FAIRYEAR'],$r->id]);
show_pdo_errors_if_any($pdo);
$projectlangs = array();
while ($lr = $lq->fetch(PDO::FETCH_OBJ)) {
@ -113,13 +113,13 @@ function getJudgingTeams()
award_types
WHERE
judges_teams_awards_link.award_awards_id=award_awards.id
AND judges_teams_awards_link.judges_teams_id='$r->id'
AND judges_teams_awards_link.judges_teams_id=?
AND award_awards.award_types_id=award_types.id
AND award_types.year='{$config['FAIRYEAR']}'
AND award_types.year=?
ORDER BY
name
");
$aq->execute();
$aq->execute([$r->id,$config['FAIRYEAR']]);
while ($ar = $aq->fetch(PDO::FETCH_OBJ)) {
$teams[$r->id]['awards'][] = array(
'id' => $ar->id,
@ -144,13 +144,13 @@ function getJudgingTeam($teamid)
FROM
judges_teams
WHERE
judges_teams.year='" . $config['FAIRYEAR'] . "' AND
judges_teams.id='$teamid'
judges_teams.year=? AND
judges_teams.id=?
ORDER BY
num,
name
");
$q->execute();
$q->execute([$config['FAIRYEAR'],$teamid]);
$team = array();
@ -172,12 +172,12 @@ function getJudgingTeam($teamid)
judges_teams_link
WHERE
judges_teams_link.users_id=users.id AND
judges_teams_link.judges_teams_id='$r->id'
judges_teams_link.judges_teams_id=?
ORDER BY
captain DESC,
lastname,
firstname");
$mq->execute();
$mq->execute([$r->id]);
show_pdo_errors_if_any($pdo);
while ($mr = $mq->fetch(PDO::FETCH_OBJ)) {
@ -200,13 +200,13 @@ function getJudgingTeam($teamid)
award_types
WHERE
judges_teams_awards_link.award_awards_id=award_awards.id
AND judges_teams_awards_link.judges_teams_id='$r->id'
AND judges_teams_awards_link.judges_teams_id=?
AND award_awards.award_types_id=award_types.id
AND award_types.year='{$config['FAIRYEAR']}'
AND award_types.year=?
ORDER BY
name
");
$aq->execute();
$aq->execute([$r->id,$config['FAIRYEAR']]);
while ($ar = $aq->fetch(PDO::FETCH_OBJ)) {
$team['awards'][] = array(
'id' => $ar->id,
@ -248,11 +248,11 @@ function judges_load_all()
$ret = array();
$query = "SELECT id FROM users WHERE types LIKE '%judge%'
AND year='{$config['FAIRYEAR']}'
AND year=?
AND deleted='no'
ORDER BY lastname, firstname";
$r = $pdo->prepare($query);
$r->execute();
$r->execute([$config['FAIRYEAR']]);
while ($i = $r->fetch(PDO::FETCH_ASSOC)) {
$u = user_load($i['id']);
if ($u['judge_complete'] == 'no')


@ -105,8 +105,8 @@ if ($id < 1) {
// get their availability
$availabilityText = '';
if ($config['judges_availability_enable'] == 'yes') {
$q = $pdo->prepare("SELECT * FROM judges_availability WHERE users_id=\"{$judgeinfo['id']}\" ORDER BY `start`");
$q->execute();
$q = $pdo->prepare("SELECT * FROM judges_availability WHERE users_id=? ORDER BY `start`");
$q->execute([$judgeinfo['id']]);
$sel = array();
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
$st = substr($r->start, 0, 5);
@ -131,9 +131,9 @@ if ($judgeinfo['special_award_only'] == 'yes') {
$query = 'SELECT aa.name AS awardname FROM judges_specialaward_sel jss'
. ' JOIN users ON jss.users_id = users.id'
. ' JOIN award_awards aa ON aa.id = jss.award_awards_id'
. ' WHERE users.id=' . $id;
. ' WHERE users.id=?';
$results = $pdo->prepare($query);
$results . execute();
$results->execute([$id]);
while ($record = $results . fetch()) {
$awardList[] = $record['awardname'];
}
@ -143,8 +143,8 @@ if ($judgeinfo['special_award_only'] == 'yes') {
}
// get their preference for age category
$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year='{$config['FAIRYEAR']}'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year=?");
$q->execute([$config['FAIRYEAR']]);
$catPreferenceText = $pdo->errorInfo() . '<ul>';
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
@ -188,8 +188,8 @@ $catPreferenceText .= '</ul>';
<?php
// grab the list of divisions, because the last fields of the table will be the sub-divisions
$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year='{$config['FAIRYEAR']}' ORDER BY id");
$q->execute();
$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year=? ORDER BY id");
$q->execute([$config['FAIRYEAR']]);
$divs = array();
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
$divs[] = $r->id;
@ -203,8 +203,8 @@ foreach ($divs as $div) {
echo '<td>';
$subq = $pdo->prepare("SELECT * FROM projectsubdivisions WHERE
projectdivisions_id='$div' AND year='{$config['FAIRYEAR']}' ORDER BY subdivision");
$subq->execute();
projectdivisions_id=? AND year=? ORDER BY subdivision");
$subq->execute([$div,$config['FAIRYEAR']]);
$sd = array();
while ($subr = $subq->fetch(PDO::FETCH_OBJ)) {
if ($u['div_prefs_sub'][$subr->id] == 1) {
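Review bot: The special-award hunk fixes `$results . execute()` to `$results->execute([$id])` but leaves the identical typo on the very next context line, `while ($record = $results . fetch())`, which concatenates the statement with a call to an undefined `fetch()` function and fails before any award name is read; it should be `while ($record = $results->fetch()) {`. Two lines further down, `$catPreferenceText = $pdo->errorInfo() . '<ul>'` concatenates an array, so the output begins with the literal text "Array" — also pre-existing, but worth folding in while this block is being touched.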


@ -56,16 +56,16 @@ function newbuttonclicked(jdivs)
$div = array();
$divshort = array();
$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY id");
$q->execute();
$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year=? ORDER BY id");
$q->execute([$config['FAIRYEAR']]);
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
$divshort[$r->id] = $r->division_shortform;
$div[$r->id] = $r->division;
}
$cat = array();
$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY id");
$q->execute();
$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year=? ORDER BY id");
$q->execute([$config['FAIRYEAR']]);
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
$cat[$r->id] = $r->category;
}
@ -74,8 +74,8 @@ $dkeys = array_keys($div);
$ckeys = array_keys($cat);
if ($config['filterdivisionbycategory'] == 'yes') {
$q = $pdo->prepare("SELECT * FROM projectcategoriesdivisions_link WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY projectdivisions_id,projectcategories_id");
$q->execute();
$q = $pdo->prepare("SELECT * FROM projectcategoriesdivisions_link WHERE year=? ORDER BY projectdivisions_id,projectcategories_id");
$q->execute([$config['FAIRYEAR']]);
$divcat = array();
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
$divcat[] = array('c' => $r->projectcategories_id, 'd' => $r->projectdivisions_id);
@ -133,13 +133,13 @@ function get_all_divs()
* unassigned anymore
*/
$stmt = $pdo->prepare('INSERT INTO judges_jdiv (id, jdiv_id, projectdivisions_id, projectcategories_id, lang) '
. " VALUES('', 0, '$y', '$x', '$z')");
$stmt->execute();
. " VALUES('', 0,?,?,?)");
$stmt->execute([$y,$x,$z]);
$q = $pdo->prepare('SELECT id FROM judges_jdiv WHERE '
. " projectdivisions_id='$y' "
. " AND projectcategories_id='$x' "
. " AND lang='$z' ");
$q->execute();
. " projectdivisions_id=?"
. " AND projectcategories_id=?"
. " AND lang=?");
$q->execute([$y,$x,$z]);
$r = $q->fetch(PDO::FETCH_OBJ);
$cdl[$r->id]['id'] = $r->id;
@ -159,13 +159,13 @@ function get_all_divs()
$y = $divshort[$cdl[$id]['div']];
$z = $div[$cdl[$id]['div']];
$q = $pdo->prepare('SELECT count(projects.id) AS cnt FROM projects,registrations WHERE '
. " projectdivisions_id='{$cdl[$id]['div']}' "
. " AND projectcategories_id='{$cdl[$id]['cat']}' "
. " AND language='{$cdl[$id]['lang']}' "
. " AND registrations.year='{$config['FAIRYEAR']}'"
. " projectdivisions_id=?"
. " AND projectcategories_id=?"
. " AND language=?"
. " AND registrations.year=?"
. ' AND projects.registrations_id=registrations.id'
. " AND (registrations.status='complete' OR registrations.status='paymentpending')");
$q->execute();
$q->execute([$cdl[$id]['div'],$cdl[$id]['cat'],$cdl[$id]['lang'],$config['FAIRYEAR']]);
$r = $q->fetch(PDO::FETCH_OBJ);
show_pdo_errors_if_any($pdo);
@ -180,21 +180,21 @@ function get_all_divs()
if (get_value_from_array($_POST, 'action') == 'add' && get_value_from_array($_POST, 'jdiv_id') && count(get_value_from_array($_POST, 'cdllist', [])) > 0) {
foreach ($_POST['cdllist'] AS $selectedcdl) {
$q = $pdo->prepare("UPDATE judges_jdiv SET jdiv_id='{$_POST['jdiv_id']}' WHERE "
. " id='$selectedcdl' ");
$q->execute();
$q = $pdo->prepare("UPDATE judges_jdiv SET jdiv_id=? WHERE "
. " id=?");
$q->execute([$_POST['jdiv_id'],$selectedcdl]);
}
echo happy(i18n('Judging Division(s) successfully added'));
}
if (get_value_from_array($_GET, 'action') == 'del' && get_value_from_array($_GET, 'cdl_id')) {
$stmt = $pdo->prepare("UPDATE judges_jdiv SET jdiv_id=0 WHERE id='{$_GET['cdl_id']}'");
$stmt->execute();
$stmt = $pdo->prepare("UPDATE judges_jdiv SET jdiv_id=0 WHERE id=?");
$stmt->execute([$_GET['cdl_id']]);
}
if (get_value_from_array($_GET, 'action') == 'empty' && get_value_from_array($_GET, 'jdiv_id')) {
$stmt = $pdo->prepare("UPDATE judges_jdiv SET jdiv_id=0 WHERE jdiv_id='{$_GET['jdiv_id']}' ");
$stmt->execute();
$stmt = $pdo->prepare("UPDATE judges_jdiv SET jdiv_id=0 WHERE jdiv_id=?");
$stmt->execute([$_GET['jdiv_id']]);
echo happy(i18n('Emptied all divisions from Judging Division Group %1', array($_GET['jdiv_id'])));
}
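Review bot: The last hunk binds `$_GET['cdl_id']`, `$_GET['jdiv_id']` and `$_POST['jdiv_id']` straight from the request, unlike the rest of this commit which casts ids with `intval()` before binding (for example `intval($_POST['delete'])` in the sponsorship delete). Parameter binding already removes the injection risk, but these columns are integer ids, and `$_GET['jdiv_id']` is afterwards echoed through `happy(i18n(...))` on the following line, so an explicit cast such as `$stmt->execute([intval($_GET['cdl_id'])]);` and `$jdiv = intval($_GET['jdiv_id']);` used for both the update and the message keeps the type contract and the echoed value numeric.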


@ -63,9 +63,9 @@ function set_status($txt)
{
global $pdo;
TRACE("Status: $txt\n");
$stmt = $pdo->prepare("UPDATE config SET val='$txt' WHERE
$stmt = $pdo->prepare("UPDATE config SET val=? WHERE
var='judge_scheduler_activity' AND year=0");
$stmt->execute();
$stmt->execute([$txt]);
}
$set_percent_last_percent = -1;
@ -78,9 +78,9 @@ function set_percent($n)
if ($p == $set_percent_last_percent)
return;
TRACE("Progress: $p\%\n");
$stmt = $pdo->prepare("UPDATE config SET val='$p' WHERE
$stmt = $pdo->prepare("UPDATE config SET val=? WHERE
var='judge_scheduler_percent' AND year=0");
$stmt->execute();
$stmt->execute([$p]);
$set_percent_last_percent = $p;
}
@ -413,8 +413,8 @@ set_status('Loading Data From Database...');
TRACE("\n\n");
$div = array();
TRACE("Loading Project Divisions...\n");
$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY id");
$q->execute();
$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year=? ORDER BY id");
$q->execute([$config['FAIRYEAR']]);
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
$divshort[$r->id] = $r->division_shortform;
$div[$r->id] = $r->division;
@ -423,8 +423,8 @@ while ($r = $q->fetch(PDO::FETCH_OBJ)) {
TRACE("Loading Project Age Categories...\n");
$cat = array();
$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY id");
$q->execute();
$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year=? ORDER BY id");
$q->execute([$config['FAIRYEAR']]);
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
$cat[$r->id] = $r->category;
TRACE(" {$r->id} - {$r->category}\n");
@ -442,14 +442,14 @@ while ($r = $q->fetch(PDO::FETCH_OBJ)) {
TRACE("Loading Judging Round time data...\n");
$round_special_awards = array();
$round = array();
$q = $pdo->prepare("SELECT * FROM judges_timeslots WHERE round_id='0' AND `year`='{$config['FAIRYEAR']}'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM judges_timeslots WHERE round_id='0' AND `year`=?");
$q->execute([$config['FAIRYEAR']]);
/* Loads judges_timeslots.id, .starttime, .endtime, .date, .name */
while ($r = $q->fetch(PDO::FETCH_ASSOC)) {
TRACE(" id:{$r['id']} type:{$r['type']} name:{$r['name']}\n");
$qq = $pdo->prepare("SELECT * FROM judges_timeslots WHERE round_id='{$r['id']}'");
$qq->execute();
$qq = $pdo->prepare("SELECT * FROM judges_timeslots WHERE round_id=?");
$qq->execute([$r['id']]);
if ($qq->rowCount() == 0) {
echo "ERROR: Round type:{$r['type']} name:{$r['name']} has no judging timeslots! Abort.\n";
exit;
@ -497,13 +497,13 @@ foreach ($keys as $jdiv_id) {
TRACE("\t- ");
TRACE($cat[$d['cat']] . ' ' . $div[$d['div']] . ' - ' . $langr[$d['lang']]);
$qp = $pdo->prepare('SELECT projects.* FROM projects, registrations WHERE '
. " projects.year='" . $config['FAIRYEAR'] . "' AND "
. " projectdivisions_id='{$d['div']}' AND "
. " projectcategories_id='{$d['cat']}' AND "
. " language='{$d['lang']}' AND "
. " projects.year=? AND "
. " projectdivisions_id=? AND "
. " projectcategories_id=? AND "
. " language=? AND "
. ' registrations.id = projects.registrations_id '
. getJudgingEligibilityCode());
$qp->execute();
$qp->execute([$config['FAIRYEAR'],$d['div'],$d['cat'],$d['lang']]);
$count = 0;
while ($rp = $qp->fetch(PDO::FETCH_OBJ)) {
$jdiv[$jdiv_id]['projects'][$rp->id] = array(
@ -524,37 +524,37 @@ foreach ($keys as $jdiv_id) {
/* Clean out the judging teams that were autocreated in a previous run */
TRACE('Deleting autocreated divisional and special award judging teams:');
$q = $pdo->prepare("SELECT * FROM judges_teams WHERE autocreate_type_id=1 AND year={$config['FAIRYEAR']}");
$q->execute();
$q = $pdo->prepare("SELECT * FROM judges_teams WHERE autocreate_type_id=1 AND year=?");
$q->execute([$config['FAIRYEAR']]);
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
$id = $r->id;
print (" $id");
/* Clean out the judges_teams_link */
$stmt = $pdo->prepare("DELETE FROM judges_teams_link WHERE judges_teams_id='$id' AND year={$config['FAIRYEAR']}");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM judges_teams_link WHERE judges_teams_id=? AND year=?");
$stmt->execute([$id,$config['FAIRYEAR']]);
show_pdo_errors_if_any($pdo);
/* Awards */
$stmt = $pdo->prepare("DELETE FROM judges_teams_awards_link WHERE judges_teams_id='$id' AND year={$config['FAIRYEAR']}");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM judges_teams_awards_link WHERE judges_teams_id=? AND year=?");
$stmt->execute([$id,$config['FAIRYEAR']]);
show_pdo_errors_if_any($pdo);
/* Timeslots */
$stmt = $pdo->prepare("DELETE FROM judges_teams_timeslots_link WHERE judges_teams_id='$id' AND year={$config['FAIRYEAR']}");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM judges_teams_timeslots_link WHERE judges_teams_id=? AND year=?");
$stmt->execute([$id,$config['FAIRYEAR']]);
show_pdo_errors_if_any($pdo);
/* Timeslots projects */
$stmt = $pdo->prepare("DELETE FROM judges_teams_timeslots_projects_link WHERE judges_teams_id='$id' AND year={$config['FAIRYEAR']}");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM judges_teams_timeslots_projects_link WHERE judges_teams_id=? AND year=?");
$stmt->execute([$id,$config['FAIRYEAR']]);
show_pdo_errors_if_any($pdo);
}
echo "\n";
/* Finally, delete all the autocreated judges teams */
$stmt = $pdo->prepare("DELETE FROM judges_teams WHERE autocreate_type_id=1 AND year={$config['FAIRYEAR']}");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM judges_teams WHERE autocreate_type_id=1 AND year=?");
$stmt->execute([$config['FAIRYEAR']]);
show_pdo_errors_if_any($pdo);
/*
@ -564,14 +564,14 @@ show_pdo_errors_if_any($pdo);
$q = $pdo->prepare("SELECT judges_teams_link.id, judges_teams.id AS judges_teams_id
FROM judges_teams_link
LEFT JOIN judges_teams ON judges_teams_link.judges_teams_id=judges_teams.id
WHERE judges_teams_link.year={$config['FAIRYEAR']}");
WHERE judges_teams_link.year=?");
$q->execute();
$q->execute([$config['FAIRYEAR']]);
$n = 0;
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
if (!$r->judges_teams_id) {
$stmt = $pdo->prepare("DELETE FROM judges_teams_link WHERE id='$r->id'");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM judges_teams_link WHERE id=?");
$stmt->execute([$r->id]);
$n++;
}
}
@ -595,9 +595,9 @@ foreach ($judges as &$j) {
}
$q = $pdo->prepare("SELECT users_id FROM judges_teams_link WHERE
users_id='{$j['id']}'
AND year='{$config['FAIRYEAR']}'");
$q->execute();
users_id=?
AND year=?");
$q->execute([$j['id'],$config['FAIRYEAR']]);
if ($q->rowCount() != 0) {
TRACE(" {$j['name']} is already on a judging team, skipping.\n");
unset($judges[$j['id']]);
@ -605,8 +605,8 @@ foreach ($judges as &$j) {
}
if ($config['judges_availability_enable'] == 'yes') {
/* Load the judge time availability */
$q = $pdo->prepare("SELECT * FROM judges_availability WHERE users_id='{$j['id']}' ORDER BY `start`");
$q->execute();
$q = $pdo->prepare("SELECT * FROM judges_availability WHERE users_id=? ORDER BY `start`");
$q->execute([$j['id']]);
if ($q->rowCount() == 0) {
TRACE(" {$j['name']} hasn't selected any time availability, POTENTIAL BUG (they shouldn't be marked as complete).\n");
TRACE(" Ignoring this judge.\n");
@ -624,9 +624,9 @@ foreach ($judges as &$j) {
judges_specialaward_sel,award_awards
WHERE
award_awards.id=judges_specialaward_sel.award_awards_id
AND judges_specialaward_sel.users_id='{$j['id']}'
AND award_awards.year='{$config['FAIRYEAR']}'");
$q->execute();
AND judges_specialaward_sel.users_id=?
AND award_awards.year=?");
$q->execute([$j['id'],$config['FAIRYEAR']]);
show_pdo_errors_if_any($pdo);
if ($j['special_award_only'] == 'yes') {
@ -676,8 +676,8 @@ if (count($judges) == 0) {
* Load the numbers for any user-defined judge teams that already exist,
* these numbers will be off-limits for auto-assigning numbers
*/
$q = $pdo->prepare("SELECT * FROM judges_teams WHERE year={$config['FAIRYEAR']}");
$q->execute();
$q = $pdo->prepare("SELECT * FROM judges_teams WHERE year=?");
$q->execute([$config['FAIRYEAR']]);
$used_judges_teams_numbers = array();
while ($i = $q->fetch(PDO::FETCH_ASSOC)) {
$used_judges_teams_numbers[] = $i['num'];
@ -725,11 +725,9 @@ function judge_team_create($num, $name)
function judge_team_add_judge($team_id, $users_id)
{
global $config, $judges;
$stmt = $pdo->prepare("INSERT INTO judges_teams_link
\t (users_id,judges_teams_id,captain,year)
\t VALUES ('$users_id','$team_id','{$judges[$users_id]['willing_chair']}',
'{$config['FAIRYEAR']}')");
$stmt->execute();
$stmt = $pdo->prepare("INSERT INTO judges_teams_link (users_id, judges_teams_id, captain, year) VALUES (?, ?, ?, ?)");
$stmt->execute([$users_id, $team_id, $judges[$users_id]['willing_chair'], $config['FAIRYEAR']]);
show_pdo_errors_if_any($pdo);
}
@ -919,20 +917,20 @@ for ($x = 1; $x < count($jteam); $x++) {
award_awards_projectcategories,
award_awards_projectdivisions
WHERE
award_awards.year='{$config['FAIRYEAR']}'
award_awards.year=?
AND award_awards.id=award_awards_projectcategories.award_awards_id
AND award_awards.id=award_awards_projectdivisions.award_awards_id
AND award_awards_projectcategories.projectcategories_id='{$cfg['cat']}'
AND award_awards_projectdivisions.projectdivisions_id='{$cfg['div']}'
AND award_awards_projectcategories.projectcategories_id=?
AND award_awards_projectdivisions.projectdivisions_id=?
AND award_awards.award_types_id='1'
");
$q->execute();
$q->execute([$config['FAIRYEAR'],$cfg['cat'],$cfg['div']]);
if ($q->rowCount() != 1) {
echo error(i18n('Cannot find award for %1 - %2', array($cat[$cfg['cat']], $div[$cfg['div']])));
} else {
$r = $q->fetch(PDO::FETCH_OBJ);
$stmt = $pdo->prepare("INSERT INTO judges_teams_awards_link (award_awards_id,judges_teams_id,year) VALUES ('$r->id','$team_id','{$config['FAIRYEAR']}')");
$stmt->execute();
$stmt = $pdo->prepare("INSERT INTO judges_teams_awards_link (award_awards_id,judges_teams_id,year) VALUES (?,?,?)");
$stmt->execute([$r->id,$team_id,$config['FAIRYEAR']]);
/* Add the award ID to the jdiv, if it's not already there */
if (!in_array($r->id, $jdiv[$t['jdiv_id']]['award_ids'])) {
$jdiv[$t['jdiv_id']]['award_ids'][] = $r->id;
@ -1008,8 +1006,8 @@ if ($round_divisional2 == NULL) {
/* Assign all the awards in this jdiv */
foreach ($jd['award_ids'] as $aid) {
$stmt = $pdo->prepare("INSERT INTO judges_teams_awards_link (award_awards_id,judges_teams_id,year) VALUES ('$aid','$team_id','{$config['FAIRYEAR']}')");
$stmt->execute();
$stmt = $pdo->prepare("INSERT INTO judges_teams_awards_link (award_awards_id,judges_teams_id,year) VALUES (?,?,?)");
$stmt->execute([$aid,$team_id,$config['FAIRYEAR']]);
}
}
}
@ -1134,14 +1132,14 @@ if ($config['scheduler_enable_sa_scheduling'] == 'yes') {
/* Load special awards */
$q = "SELECT award_awards.name,award_awards.id FROM award_awards,award_types
WHERE
award_awards.year='{$config['FAIRYEAR']}'
award_awards.year=?
AND award_types.id=award_awards.award_types_id
AND award_awards.schedule_judges='yes'
AND award_types.year='{$config['FAIRYEAR']}'
AND award_types.year=?
AND award_types.type='Special'
";
$r = $pdo->prepare($q);
$r->execute();
$r->execute([$config['FAIRYEAR'],$config['FAIRYEAR']]);
print ($pdo->errorInfo());
/* sa_jteam for leftover judges, if any */
$sa_jteam = array();
@ -1179,8 +1177,8 @@ if ($config['scheduler_enable_sa_scheduling'] == 'yes') {
/* Link the award to this team */
$stmt = $pdo->prepare("INSERT INTO judges_teams_awards_link (award_awards_id,judges_teams_id,year)
VALUES ('{$i->id}','{$sa_jteam[$x]['id']}','{$config['FAIRYEAR']}')");
$stmt->execute();
VALUES (?,?,?)");
$stmt->execute([$i->id,$sa_jteam[$x]['id'],$config['FAIRYEAR']]);
TRACE("Created Team: {$i->name}, " . count($projects) . " projects => $min judges needed (db id:{$sa_jteam[$x]['id']}) \n");
$x++;
@ -1397,16 +1395,16 @@ if ($config['scheduler_enable_sa_scheduling'] == 'yes') {
/* Do timeslot and project timeslot assignment */
$stmt = $pdo->prepare("INSERT INTO judges_teams_timeslots_link
(judges_teams_id,judges_timeslots_id,year)
VALUES ('{$t['id']}', '{$r['timeslots'][0]['id']}', '{$config['FAIRYEAR']}')");
$stmt->execute();
VALUES (?,?,?)");
$stmt->execute([$t['id'],$r['timeslots'][0]['id'],$config['FAIRYEAR']]);
show_pdo_errors_if_any($pdo);
foreach ($t['projects'] as $proj) {
$pid = $proj['id'];
$stmt = $pdo->prepare("INSERT INTO judges_teams_timeslots_projects_link
(judges_teams_id,judges_timeslots_id,projects_id,year)
VALUES ('{$t['id']}', '{$r['timeslots'][0]['id']}', '$pid', '{$config['FAIRYEAR']}')");
$stmt->execute();
VALUES (?,?,?,?)");
$stmt->execute([$t['id'],$r['timeslots'][0]['id'],$pid,$config['FAIRYEAR']]);
show_pdo_errors_if_any($pdo);
}
$ids = $a->bucket[$x];
@ -1437,11 +1435,11 @@ TRACE("Loading Divisional1 Timeslot Data\n");
$available_timeslots = array();
$q = $pdo->prepare("SELECT * FROM judges_timeslots WHERE
round_id='{$round_divisional1['id']}'
AND year='{$config['FAIRYEAR']}'
round_id=?
AND year=?
AND type='timeslot'
ORDER BY date,starttime");
$q->execute();
$q->execute([$round_divisional1['id'],$config['FAIRYEAR']]);
$x = 0;
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
$available_timeslots[] = array('id' => $r->id,
@ -1620,19 +1618,11 @@ for ($k = 0; $k < $keys_count; $k++) {
continue;
/* if jteam_id isn't 0, instert it into the db */
$stmt = $pdo->prepare('INSERT INTO judges_teams_timeslots_link '
. ' (judges_teams_id,judges_timeslots_id,year)'
. " VALUES ('{$jteam[$jteam_id]['team_id']}', "
. " '{$available_timeslots[$y]['id']}', "
. " '{$config['FAIRYEAR']}')");
$stmt->execute();
$stmt = $pdo->prepare('INSERT INTO judges_teams_timeslots_link (judges_teams_id,judges_timeslots_id,year) VALUES (?,?,?)');
$stmt->execute([$jteam[$jteam_id]['team_id'],$available_timeslots[$y]['id'],$config['FAIRYEAR']]);
$stmt = $pdo->prepare('INSERT INTO judges_teams_timeslots_projects_link '
. ' (judges_teams_id,judges_timeslots_id,projects_id,year) '
. " VALUES ('{$jteam[$jteam_id]['team_id']}', "
. " '{$available_timeslots[$y]['id']}', "
. " '$pid', '{$config['FAIRYEAR']}')");
$stmt->execute();
$stmt = $pdo->prepare('INSERT INTO judges_teams_timeslots_projects_link (judges_teams_id,judges_timeslots_id,projects_id,year) VALUES (?,?,?,?)');
$stmt->execute([$jteam[$jteam_id]['team_id'],$available_timeslots[$y]['id'],$pid,$config['FAIRYEAR']]);
}
printf("\n");
}
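Review bot: `judge_team_add_judge` calls `$pdo->prepare()` and `show_pdo_errors_if_any($pdo)` but only declares `global $config, $judges;`, so `$pdo` is an undefined local inside the function and the prepare call fails at runtime; the declaration should read `global $config, $judges, $pdo;`, matching `set_status` and `set_percent` above, which do import `$pdo`. The old body had the same omission, so the refactor carries it forward rather than introducing it. Separately, `print ($pdo->errorInfo());` after the special-awards SELECT prints the literal string "Array" because errorInfo() returns an array; `show_pdo_errors_if_any($pdo)` as used after the other statements in this file reports the error properly.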


@ -5,13 +5,13 @@ function judges_scheduler_check_timeslots()
global $config, $pdo;
$q = $pdo->prepare('SELECT * FROM judges_timeslots WHERE '
. " year='" . $config['FAIRYEAR'] . "'"
. " year=?"
. " AND `type`='divisional1'");
$q->execute();
$q->execute([$config['FAIRYEAR']]);
if ($q->rowCount()) {
$round = $q->fetch(PDO::FETCH_OBJ);
$q = $pdo->prepare("SELECT * FROM judges_timeslots WHERE round_id='$round->id' AND type='timeslot'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM judges_timeslots WHERE round_id=? AND type='timeslot'");
$q->execute([$round->id]);
return $q->rowCount();
} else
return 0;
@ -23,13 +23,13 @@ function judges_scheduler_check_timeslots_sa()
$rows = 0;
$q = $pdo->prepare('SELECT * FROM judges_timeslots WHERE '
. " year='" . $config['FAIRYEAR'] . "'"
. " year=?"
. " AND `type`='special'");
$q->execute();
$q->execute([$config['FAIRYEAR']]);
if ($q->rowCount()) {
while (($round = $q->fetch(PDO::FETCH_OBJ))) {
$rq = $pdo->prepare("SELECT * FROM judges_timeslots WHERE round_id='$round->id' AND type='timeslot'");
$rq->execute();
$rq = $pdo->prepare("SELECT * FROM judges_timeslots WHERE round_id=? AND type='timeslot'");
$rq->execute([$round->id]);
$rows += $rq->rowCount();
}
}
@ -40,13 +40,13 @@ function judges_scheduler_check_awards()
{
global $config, $pdo;
$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY id");
$q->execute();
$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year=? ORDER BY id");
$q->execute([$config['FAIRYEAR']]);
while ($r = $q->fetch(PDO::FETCH_OBJ))
$div[$r->id] = $r->division;
$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY id");
$q->execute();
$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year=? ORDER BY id");
$q->execute([$config['FAIRYEAR']]);
while ($r = $q->fetch(PDO::FETCH_OBJ))
$cat[$r->id] = $r->category;
@ -54,8 +54,8 @@ function judges_scheduler_check_awards()
$ckeys = array_keys($cat);
if ($config['filterdivisionbycategory'] == 'yes') {
$q = $pdo->prepare("SELECT * FROM projectcategoriesdivisions_link WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY projectdivisions_id,projectcategories_id");
$q->execute();
$q = $pdo->prepare("SELECT * FROM projectcategoriesdivisions_link WHERE year=? ORDER BY projectdivisions_id,projectcategories_id");
$q->execute([$config['FAIRYEAR']]);
$divcat = array();
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
$divcat[] = array('c' => $r->projectcategories_id, 'd' => $r->projectdivisions_id);
@ -78,16 +78,16 @@ function judges_scheduler_check_awards()
award_awards_projectcategories,
award_awards_projectdivisions
WHERE
award_awards.year='{$config['FAIRYEAR']}'
AND award_awards_projectcategories.year='{$config['FAIRYEAR']}'
AND award_awards_projectdivisions.year='{$config['FAIRYEAR']}'
award_awards.year=?
AND award_awards_projectcategories.year=?
AND award_awards_projectdivisions.year=?
AND award_awards.id=award_awards_projectcategories.award_awards_id
AND award_awards.id=award_awards_projectdivisions.award_awards_id
AND award_awards_projectcategories.projectcategories_id='$c'
AND award_awards_projectdivisions.projectdivisions_id='$d'
AND award_awards_projectcategories.projectcategories_id=?
AND award_awards_projectdivisions.projectdivisions_id=?
AND award_awards.award_types_id='1'
");
$q->execute();
$q->execute([$config['FAIRYEAR'],$config['FAIRYEAR'],$config['FAIRYEAR'],$c,$d]);
show_pdo_errors_if_any($pdo);
if ($q->rowCount() != 1) {
$missing_awards[] = "{$cat[$c]} - {$div[$d]} (" . i18n('%1 found', array($q->rowCount())) . ')';
@ -128,13 +128,13 @@ function judges_scheduler_check_judges()
$l = $r->lang;
$qp = $pdo->prepare('SELECT COUNT(projects.id) as cnt FROM projects, registrations WHERE '
. " projects.year='" . $config['FAIRYEAR'] . "' AND "
. " projectdivisions_id='$d' AND "
. " projectcategories_id='$c' AND "
. " language='$l' AND "
. " projects.year=? AND "
. " projectdivisions_id=? AND "
. " projectcategories_id=? AND "
. " language=? AND "
. ' registrations.id = projects.registrations_id '
. getJudgingEligibilityCode());
$qp->execute();
$qp->execute([$config['FAIRYEAR'],$d,$c,$l]);
$qr = $qp->fetch(PDO::FETCH_OBJ);
// if (get_value_from_3d_array($jdiv, $r->jdiv_id, 'num_projects', 'total') !== null){
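Review bot: In `judges_scheduler_check_awards`, `$div` and `$cat` are never initialised before the two `while` loops fill them, so for a fair year with no divisions or categories `$cat` is undefined and the `array_keys($cat)` that follows throws a TypeError on PHP 8. Add `$div = [];` and `$cat = [];` ahead of the projectdivisions and projectcategories SELECTs. Note also that these functions rely on `rowCount()` for SELECT results, which PDO documents as driver-dependent; a short comment such as `// rowCount() on SELECT relies on the MySQL driver's buffered result` would make that assumption explicit for whoever touches the driver setup.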


@ -40,16 +40,16 @@ if (get_value_from_array($_POST, 'action'))
if ($action == 'delete' && get_value_from_array($_GET, 'delete')) {
// ALSO DELETE: team members, timeslots, projects, awards
$stmt = $pdo->prepare("DELETE FROM judges_teams_link WHERE judges_teams_id='" . $_GET['delete'] . "' AND year='" . $config['FAIRYEAR'] . "'");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM judges_teams_timeslots_link WHERE judges_teams_id='" . $_GET['delete'] . "' AND year='" . $config['FAIRYEAR'] . "'");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM judges_teams_timeslots_projects_link WHERE judges_teams_id='" . $_GET['delete'] . "' AND year='" . $config['FAIRYEAR'] . "'");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM judges_teams_awards_link WHERE judges_teams_id='" . $_GET['delete'] . "' AND year='" . $config['FAIRYEAR'] . "'");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM judges_teams WHERE id='" . $_GET['delete'] . "' AND year='" . $config['FAIRYEAR'] . "'");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM judges_teams_link WHERE judges_teams_id=? AND year=?");
$stmt->execute([$_GET['delete'],$config['FAIRYEAR']]);
$stmt = $pdo->prepare("DELETE FROM judges_teams_timeslots_link WHERE judges_teams_id=? AND year=?");
$stmt->execute([$_GET['delete'],$config['FAIRYEAR']]);
$stmt = $pdo->prepare("DELETE FROM judges_teams_timeslots_projects_link WHERE judges_teams_id=? AND year=?");
$stmt->execute([$_GET['delete'],$config['FAIRYEAR']]);
$stmt = $pdo->prepare("DELETE FROM judges_teams_awards_link WHERE judges_teams_id=? AND year=?");
$stmt->execute([$_GET['delete'],$config['FAIRYEAR']]);
$stmt = $pdo->prepare("DELETE FROM judges_teams WHERE id=? AND year=?");
$stmt->execute([$_GET['delete'],$config['FAIRYEAR']]);
message_push(happy(i18n('Judge team successfully removed, and all of its corresponding members, timeslots, projects and awards unlinked from team')));
}
@ -58,25 +58,26 @@ if (get_value_or_default($action) == 'deletealldivisional') {
FROM \t
judges_teams
WHERE
year='" . $config['FAIRYEAR'] . "'
year=?
AND autocreate_type_id='1'
");
$q2->execute([$config['FAIRYEAR']]);
show_pdo_errors_if_any($pdo);
$numdeleted = 0;
while ($r2 = $q2->fetch(PDO::FETCH_OBJ)) {
// okay now we can start deleting things! whew!
// first delete any linkings to the team
$stmt = $pdo->prepare("DELETE FROM judges_teams_link WHERE judges_teams_id='$r2->id' AND year='" . $config['FAIRYEAR'] . "'");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM judges_teams_timeslots_link WHERE judges_teams_id='$r2->id' AND year='" . $config['FAIRYEAR'] . "'");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM judges_teams_timeslots_projects_link WHERE judges_teams_id='$r2->id' AND year='" . $config['FAIRYEAR'] . "'");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM judges_teams_awards_link WHERE judges_teams_id='$r2->id' AND year='" . $config['FAIRYEAR'] . "'");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM judges_teams WHERE id='$r2->id' AND year='" . $config['FAIRYEAR'] . "'");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM judges_teams_link WHERE judges_teams_id=? AND year=?");
$stmt->execute([$r2->id,$config['FAIRYEAR']]);
$stmt = $pdo->prepare("DELETE FROM judges_teams_timeslots_link WHERE judges_teams_id=? AND year=?");
$stmt->execute([$r2->id,$config['FAIRYEAR']]);
$stmt = $pdo->prepare("DELETE FROM judges_teams_timeslots_projects_link WHERE judges_teams_id=? AND year=?");
$stmt->execute([$r2->id,$config['FAIRYEAR']]);
$stmt = $pdo->prepare("DELETE FROM judges_teams_awards_link WHERE judges_teams_id=? AND year=?");
$stmt->execute([$r2->id,$config['FAIRYEAR']]);
$stmt = $pdo->prepare("DELETE FROM judges_teams WHERE id=? AND year=?");
$stmt->execute([$r2->id,$config['FAIRYEAR']]);
$numdeleted++;
}
if ($numdeleted)
@ -89,24 +90,24 @@ if (get_value_or_default($action) == 'deleteall') {
$q2 = $pdo->prepare("SELECT *
FROM \tjudges_teams
WHERE
year='" . $config['FAIRYEAR'] . "'
year=?
");
$q2->execute();
$q2->execute([$config['FAIRYEAR']]);
$numdeleted = 0;
while ($r2 = $q2->FETCH(PDO::FETCH_OBJ)) {
// okay now we can start deleting things! whew!
// first delete any linkings to the team
$stmt = $pdo->prepare("DELETE FROM judges_teams_link WHERE judges_teams_id='$r2->id' AND year='" . $config['FAIRYEAR'] . "'");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM judges_teams_timeslots_link WHERE judges_teams_id='$r2->id' AND year='" . $config['FAIRYEAR'] . "'");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM judges_teams_timeslots_projects_link WHERE judges_teams_id='$r2->id' AND year='" . $config['FAIRYEAR'] . "'");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM judges_teams_awards_link WHERE judges_teams_id='$r2->id' AND year='" . $config['FAIRYEAR'] . "'");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM judges_teams WHERE id='$r2->id' AND year='" . $config['FAIRYEAR'] . "'");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM judges_teams_link WHERE judges_teams_id=? AND year=?");
$stmt->execute([$r2->id,$config['FAIRYEAR']]);
$stmt = $pdo->prepare("DELETE FROM judges_teams_timeslots_link WHERE judges_teams_id=? AND year=?");
$stmt->execute([$r2->id,$config['FAIRYEAR']]);
$stmt = $pdo->prepare("DELETE FROM judges_teams_timeslots_projects_link WHERE judges_teams_id=? AND year=?");
$stmt->execute([$r2->id,$config['FAIRYEAR']]);
$stmt = $pdo->prepare("DELETE FROM judges_teams_awards_link WHERE judges_teams_id=? AND year=?");
$stmt->execute([$r2->id,$config['FAIRYEAR']]);
$stmt = $pdo->prepare("DELETE FROM judges_teams WHERE id=? AND year=?");
$stmt->execute([$r2->id,$config['FAIRYEAR']]);
$numdeleted++;
}
if ($numdeleted)
@ -120,8 +121,8 @@ if ((get_value_or_default($action) == 'save' || $action == 'assign') && $edit) {
// but when we're done, if we're "assign" then go back to edit that team
// if we're save, then go back to the team list
$err = false;
$q = $pdo->prepare("UPDATE judges_teams SET num='" . $_POST['team_num'] . "', name='" . (stripslashes($_POST['team_name'])) . "' WHERE id='$edit'");
$q->execute();
$q = $pdo->prepare("UPDATE judges_teams SET num=?, name=? WHERE id=?");
$q->execute([ $_POST['team_num'],(stripslashes($_POST['team_name'])),$edit]);
if ($pdo->errorInfo()) {
$err = true;
message_push(error($pdo->errorInfo()));
@ -133,8 +134,8 @@ if ((get_value_or_default($action) == 'save' || $action == 'assign') && $edit) {
// the judges wouldnt know which projects to judge for which award. This doesnt apply for divisions
// because the category/division is obvious based on project numbesr. A divisional judge team could easily
// be assigned to do all of Comp Sci - Junior, Intermediate and Senior without any problems.
$q = $pdo->prepare("SELECT award_types.type FROM award_awards, award_types WHERE award_awards.award_types_id=award_types.id AND award_awards.id='" . $_POST['award'] . "'");
$q->execute();
$q = $pdo->prepare("SELECT award_types.type FROM award_awards, award_types WHERE award_awards.award_types_id=award_types.id AND award_awards.id=?");
$q->execute([$_POST['award']]);
$aw = $q->fetch(PDO::FETCHH_OBJ);
$addaward = true;
@ -144,12 +145,12 @@ if ((get_value_or_default($action) == 'save' || $action == 'assign') && $edit) {
award_awards,
award_types
WHERE
judges_teams_awards_link.judges_teams_id='$edit'
judges_teams_awards_link.judges_teams_id=?
AND judges_teams_awards_link.award_awards_id=award_awards.id
AND award_awards.award_types_id=award_types.id
AND award_types.type='Special'
");
$q->exxecute();
$q->exxecute([$edit]);
$r = $q->fetch(PDO::FETCHH_OBJ);
echo "special awards: $r->num";
if ($r->num) {
@ -162,8 +163,8 @@ if ((get_value_or_default($action) == 'save' || $action == 'assign') && $edit) {
if ($addaward) {
// link up the award
$stmt = $pdo->prepare("INSERT INTO judges_teams_awards_link (award_awards_id,judges_teams_id,year) VALUES ('" . $_POST['award'] . "','$edit','" . $config['FAIRYEAR'] . "')");
$stmt->execute();
$stmt = $pdo->prepare("INSERT INTO judges_teams_awards_link (award_awards_id,judges_teams_id,year) VALUES (?,?,?)");
$stmt->execute([$_POST['award'],$edit,$config['FAIRYEAR']]);
message_push(happy(i18n('Award assigned to team')));
}
}
@ -182,8 +183,8 @@ if ((get_value_or_default($action) == 'save' || $action == 'assign') && $edit) {
}
if (get_value_or_default($action) == 'unassign') {
$stmt = $pdo->prepare("DELETE FROM judges_teams_awards_link WHERE judges_teams_id='$edit' AND award_awards_id='" . $_GET['unassign'] . "' AND year='" . $config['FAIRYEAR'] . "'");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM judges_teams_awards_link WHERE judges_teams_id=? AND award_awards_id=? AND year=?");
$stmt->execute([$edit,$_GET['unassign'],$config['FAIRYEAR']]);
message_push(happy(i18n('Award unassigned from judge team')));
// keep editing the same team
$action = 'edit';
@ -191,8 +192,8 @@ if (get_value_or_default($action) == 'unassign') {
if (get_value_or_default($action) == 'createall') {
// first make sure we dont have any non-divisional award teams (dont want people hitting refresh and adding all the teams twice
$q = $pdo->prepare("SELECT COUNT(*) AS c FROM judges_teams WHERE autocreate_type_id!='1' AND year='" . $config['FAIRYEAR'] . "'");
$q->execute();
$q = $pdo->prepare("SELECT COUNT(*) AS c FROM judges_teams WHERE autocreate_type_id!='1' AND year=?");
$q->execute([$config['FAIRYEAR']]);
$r = $q->fetch(PDO::FETCH_OBJ);
if ($r->c) {
message_push(error(i18n("Cannot 'Create All' teams when any divisional teams currently exist. Try deleting all existing non-divisional teams first.")));
@ -207,18 +208,18 @@ if (get_value_or_default($action) == 'createall') {
award_types
WHERE \t
award_awards.award_types_id=award_types.id
AND award_awards.year='" . $config['FAIRYEAR'] . "'
AND award_types.year='" . $config['FAIRYEAR'] . "'
AND award_awards.year=?
AND award_types.year=?
AND award_types_id!='1'
ORDER BY
award_types_order,
award_awards.order,
name");
$q->execute();
$q->execute([$config['FAIRYEAR'],$config['FAIRYEAR']]);
// startat
$q2 = $pdo->prepare("SELECT MAX(num) AS lastnum FROM judges_teams WHERE year='{$config['FAIRYEAR']}'");
$q2->execute();
$q2 = $pdo->prepare("SELECT MAX(num) AS lastnum FROM judges_teams WHERE year=?");
$q2->execute([$config['FAIRYEAR']]);
$r2 = $q2->fetch(PDO::FETCH_OBJ);
if ($r2->lastnum)
$num = $r2->lastnum + 1;
@ -239,8 +240,8 @@ if (get_value_or_default($action) == 'createall') {
$team_id = $pdo->lastInsertId();
if ($team_id) {
// now link the new team to the award
$stmt = $pdo->prepare("INSERT INTO judges_teams_awards_link (award_awards_id,judges_teams_id,year) VALUES ('$r->id','$team_id','" . $config['FAIRYEAR'] . "')");
$stmt->execute();
$stmt = $pdo->prepare("INSERT INTO judges_teams_awards_link (award_awards_id,judges_teams_id,year) VALUES (?,?,?)");
$stmt->execute([$r->id,$team_id,$config['FAIRYEAR']]);
message_push(happy(i18n('Created team #%1: %2', array($num, $name))));
} else {
message_push(error(i18n('Error creating team #%1: %2', array($num, $name))));
@ -251,8 +252,8 @@ if (get_value_or_default($action) == 'createall') {
}
if (get_value_or_default($action) == 'add' && $_GET['num']) {
$stmt = $pdo->prepare("INSERT INTO judges_teams(num,year) VALUES ('" . $_GET['num'] . "','" . $config['FAIRYEAR'] . "')");
$stmt->execute();
$stmt = $pdo->prepare("INSERT INTO judges_teams(num,year) VALUES (?,?)");
$stmt->execute([$_GET['num'],$config['FAIRYEAR']]);
show_pdo_errors_if_any($pdo);
$edit = $pdo->lastInsertId();
$action = 'edit';
@ -342,10 +343,10 @@ function addclicked()
)
LEFT JOIN judges_teams_awards_link ON award_awards.id = judges_teams_awards_link.award_awards_id
WHERE
award_awards.year='" . $config['FAIRYEAR'] . "' AND
award_awards.year=? AND
judges_teams_awards_link.award_awards_id IS NULL
AND award_types.id=award_awards.award_types_id
AND award_types.year='{$config['FAIRYEAR']}'
AND award_types.year=?
ORDER BY
award_type_order,
name";
@ -353,7 +354,7 @@ function addclicked()
echo '<tr><td colspan=2>';
$q = $pdo->prepare($querystr);
$q->execute();
$q->execute([$config['FAIRYEAR'],$config['FAIRYEAR']]);
show_pdo_errors_if_any($pdo);
echo '<select name="award">';
@ -395,8 +396,8 @@ function addclicked()
echo '<table width="95%">';
echo '<tr><td>';
$q = $pdo->prepare("SELECT COUNT(*) AS c FROM judges_teams WHERE autocreate_type_id!='1' AND year='" . $config['FAIRYEAR'] . "'");
$q->execute();
$q = $pdo->prepare("SELECT COUNT(*) AS c FROM judges_teams WHERE autocreate_type_id!='1' AND year=?");
$q->execute([$config['FAIRYEAR']]);
$r = $q->fetch(PDO::FETCH_OBJ);
if (!$r->c) {
echo '<a href="judges_teams.php?action=createall">' . i18n('Automatically create one new team for every non-divisional award') . '</a><br />';
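Review bot: The new line `$q->exxecute([$edit]);` in the special-award count check misspells `execute`, and the fetch right after it uses `PDO::FETCHH_OBJ` (as does the award-type lookup a few lines earlier), so the `assign` path for an award dies with an undefined-method or undefined-constant Error before the parameterised statement ever runs. They should read `$q->execute([$edit]);` and `$q->fetch(PDO::FETCH_OBJ);`. Separately, `if ($pdo->errorInfo())` after the team UPDATE is always true, since errorInfo() returns a three-element array even on success; check `$pdo->errorInfo()[0] !== '00000'` or use `show_pdo_errors_if_any($pdo)` as the other branches do. The enclosing `save`/`assign` block starts outside the hunk.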


@ -108,8 +108,8 @@ jQuery(document).ready(function(){
if (get_value_from_array($_POST, 'action') == 'add' && get_value_from_array($_POST, 'team_num') && count(get_value_from_array($_POST, 'judgelist', [])) > 0) {
// first check if this team exists.
$q = $pdo->prepare("SELECT id,name FROM judges_teams WHERE num='" . $_POST['team_num'] . "' AND year='" . $config['FAIRYEAR'] . "'");
$q->execute();
$q = $pdo->prepare("SELECT id,name FROM judges_teams WHERE num=? AND year=?");
$q->execute([$_POST['team_num'],$config['FAIRYEAR']]);
if ($q->rowCount()) {
$r = $q->fetch(PDO::FETCH_OBJ);
$team_id = $r->id;
@ -127,14 +127,14 @@ if (get_value_from_array($_POST, 'action') == 'add' && get_value_from_array($_PO
foreach ($_POST['judgelist'] AS $selectedjudge) {
// before we insert them, we need to make sure they dont already belong to this team. We can not have the same judge assigned to the same team multiple times.
$q = $pdo->prepare("SELECT * FROM judges_teams_link WHERE users_id='$selectedjudge' AND judges_teams_id='$team_id'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM judges_teams_link WHERE users_id=? AND judges_teams_id=?");
$q->execute([$selectedjudge,$team_id]);
if ($q->rowCount()) {
echo notice(i18n('Judge (%1) already belongs to judging team: %2', array($selectedjudge, $team_name)));
} else {
// lets make the first one we add a captain, the rest, non-captains :)
$stmt = $pdo->prepare("INSERT INTO judges_teams_link (users_id,judges_teams_id,captain,year) VALUES ('$selectedjudge','$team_id','$captain','" . $config['FAIRYEAR'] . "')");
$stmt->execute();
$stmt = $pdo->prepare("INSERT INTO judges_teams_link (users_id,judges_teams_id,captain,year) VALUES (?,?,?,?)");
$stmt->execute([$selectedjudge,$team_id,$captain,$config['FAIRYEAR']]);
$added++;
}
// if this is alreayd no, then who cares, but if its the first one that is going into the new team, then
@ -151,13 +151,13 @@ if (get_value_from_array($_POST, 'action') == 'add' && get_value_from_array($_PO
}
if (get_value_from_array($_GET, 'action') == 'del' && get_value_from_array($_GET, 'team_num') && get_value_from_array($_GET, 'team_id') && get_value_from_array($_GET, 'users_id')) {
$stmt = $pdo->prepare("DELETE FROM judges_teams_link WHERE users_id='" . $_GET['users_id'] . "' AND judges_teams_id='" . $_GET['team_id'] . "' AND year='" . $config['FAIRYEAR'] . "'");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM judges_teams_link WHERE users_id=? AND judges_teams_id=? AND year=?");
$stmt->execute([$_GET['users_id'],$_GET['team_id'],$config['FAIRYEAR']]);
echo happy(i18n('Removed judge from team #%1 (%2)', array($_GET['team_num'], $_GET['team_name'])));
// if there is still members left in the team, make sure we have a captain still
$q = $pdo->prepare("SELECT * FROM judges_teams_link WHERE judges_teams_id='" . $_GET['team_id'] . "' AND year='" . $config['FAIRYEAR'] . "'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM judges_teams_link WHERE judges_teams_id=? AND year=?");
$q->execute([$_GET['team_id'],$config['FAIRYEAR']]);
if ($q->rowCount()) {
// make sure the team still has a captain!
// FIXME: this might best come from the "i am willing to be a team captain" question under the judges profile
@ -176,24 +176,24 @@ if (get_value_from_array($_GET, 'action') == 'del' && get_value_from_array($_GET
}
if (!$gotcaptain) {
// make the first judge the captain
$stmt = $pdo->prepare("UPDATE judges_teams_link SET captain='yes' WHERE judges_teams_id='" . $_GET['team_id'] . "' AND users_id='$firstjudge' AND year='" . $config['FAIRYEAR'] . "'");
$stmt->execute();
$stmt = $pdo->prepare("UPDATE judges_teams_link SET captain='yes' WHERE judges_teams_id=? AND users_id=? AND year=?");
$stmt->execute([$_GET['team_id'],$firstjudge,$config['FAIRYEAR']]);
echo notice(i18n('Team captain was removed. A new team captain has been automatically assigned'));
}
}
}
if (get_value_from_array($_GET, 'action') == 'empty' && get_value_from_array($_GET, 'team_num') && get_value_from_array($_GET, 'team_id')) {
$stmt = $pdo->prepare("DELETE FROM judges_teams_link WHERE judges_teams_id='" . $_GET['team_id'] . "' AND year='" . $config['FAIRYEAR'] . "'");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM judges_teams_link WHERE judges_teams_id=? AND year=?");
$stmt->execute([$_GET['team_id'],$config['FAIRYEAR']]);
echo happy(i18n('Emptied all judges from team #%1 (%2)', array($_GET['team_num'], $_GET['team_name'])));
}
if (get_value_from_array($_POST, 'action') == 'saveteamnames') {
if (count($_POST['team_names'])) {
foreach ($_POST['team_names'] AS $team_id => $team_name) {
$stmt = $pdo->prepare("UPDATE judges_teams SET name='" . stripslashes($team_name) . "' WHERE id='$team_id'");
$stmt->execute();
$stmt = $pdo->prepare("UPDATE judges_teams SET name=? WHERE id=?");
$stmt->execute([stripslashes($team_name),$team_id]);
}
echo happy(i18n('Team names successfully saved'));
}
@ -201,20 +201,20 @@ if (get_value_from_array($_POST, 'action') == 'saveteamnames') {
if (get_value_from_array($_GET, 'action') == 'addcaptain') {
// teams can have as many captains as they want, so just add it.
$stmt = $pdo->prepare("UPDATE judges_teams_link SET captain='yes' WHERE judges_teams_id='" . $_GET['team_id'] . "' AND users_id='" . $_GET['judge_id'] . "'");
$stmt->execute();
$stmt = $pdo->prepare("UPDATE judges_teams_link SET captain='yes' WHERE judges_teams_id=? AND users_id=?");
$stmt->execute([ $_GET['team_id'],$_GET['judge_id']]);
echo happy(i18n('Team captain assigned'));
}
if (get_value_from_array($_GET, 'action') == 'removecaptain') {
// teams must always have at least one captain, so if we only have one, and we are trying to remove it, dont let them!
$q = $pdo->prepare("SELECT * FROM judges_teams_link WHERE captain='yes' AND judges_teams_id='" . $_GET['team_id'] . "'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM judges_teams_link WHERE captain='yes' AND judges_teams_id=?");
$q->execute([$_GET['team_id']]);
if ($q->rowCount() < 2) {
echo error(i18n('A judge team must always have at least one captain'));
} else {
$pdo->prepare("UPDATE judges_teams_link SET captain='no' WHERE judges_teams_id='" . $_GET['team_id'] . "' AND users_id='" . $_GET['judge_id'] . "'");
$pdo->execute();
$pdo->prepare("UPDATE judges_teams_link SET captain='no' WHERE judges_teams_id=? AND users_id=?");
$pdo->execute([$_GET['team_id'],$_GET['judge_id']]);
echo happy(i18n('Team captain removed'));
}
}
@ -225,16 +225,16 @@ if (get_value_from_array($_GET, 'action') == 'autoassignspecial') {
/* Load all the teams */
$teams = array();
$q = $pdo->prepare("SELECT * FROM judges_teams WHERE year='{$config['FAIRYEAR']}'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM judges_teams WHERE year=?");
$q->execute([$config['FAIRYEAR']]);
while ($i = $q->fetch(PDO::FETCH_ASSOC)) {
$teams[$i['id']] = $i;
}
/* And the links */
$links = array();
$q = $pdo->prepare("SELECT * FROM judges_teams_link WHERE year='{$config['FAIRYEAR']}'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM judges_teams_link WHERE year=?");
$q->execute([$config['FAIRYEAR']]);
while ($i = $q->fetch(PDO::FETCH_ASSOC)) {
$judgelist[$i['users_id']]['teams_links'][] = $i;
}
@ -254,12 +254,12 @@ if (get_value_from_array($_GET, 'action') == 'autoassignspecial') {
foreach ($j['special_award_selected'] AS $awardid) {
echo "Looking for a team for award $awardid <br />";
// find the award id linked to a team
$q = $pdo->prepare("SELECT * FROM judges_teams_awards_link WHERE award_awards_id='{$awardid}' AND year='{$config['FAIRYEAR']}'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM judges_teams_awards_link WHERE award_awards_id=? AND year=?");
$q->execute([$awardid,$config['FAIRYEAR']]);
if ($q->rowCount()) {
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
$stmt = $pdo->prepare("INSERT INTO judges_teams_link (users_id,judges_teams_id,captain,year) VALUES ('$jid','$r->judges_teams_id','yes','{$config['FAIRYEAR']}')");
$stmt->execute();
$stmt = $pdo->prepare("INSERT INTO judges_teams_link (users_id,judges_teams_id,captain,year) VALUES (?,?,'yes',?)");
$stmt->execute([$jid,$r->judges_teams_id,$config['FAIRYEAR']]);
echo happy(i18n('%1 %2 to their special award(s) team(s)', array($j['firstname'], $j['lastname'])));
}
} else {
@ -308,16 +308,16 @@ $judgelist = judges_load_all();
/* Load all the teams */
$teams = array();
$q = $pdo->prepare("SELECT * FROM judges_teams WHERE year='{$config['FAIRYEAR']}'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM judges_teams WHERE year=?");
$q->execute([$config['FAIRYEAR']]);
while ($i = $q->fetch(PDO::FETCH_ASSOC)) {
$teams[$i['id']] = $i;
}
/* And the links */
$links = array();
$q = $pdo->prepare("SELECT * FROM judges_teams_link WHERE year='{$config['FAIRYEAR']}'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM judges_teams_link WHERE year=?");
$q->execute([$config['FAIRYEAR']]);
while ($i = $q->fetch(PDO::FETCH_ASSOC)) {
$judgelist[$i['users_id']]['teams_links'][] = $i;
}
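Review bot: The removecaptain branch still discards the prepared statement and then calls `$pdo->execute([$_GET['team_id'],$_GET['judge_id']])` on the connection object, which has no execute() method, so the captain flag is never cleared and the request ends in an Error; the refactor carried this over from the old side. It should be `$stmt = $pdo->prepare("UPDATE judges_teams_link SET captain='no' WHERE judges_teams_id=? AND users_id=?");` followed by `$stmt->execute([$_GET['team_id'], $_GET['judge_id']]);`. The del, empty, addcaptain and removecaptain branches all change data from `$_GET` parameters, so a plain link triggers them; that predates this commit, but moving them to POST with a token is the usual guard and worth a follow-up. The `saveteamnames` update keeps `stripslashes($team_name)` on a value that is now bound as a parameter, which is only correct if something upstream still adds slashes — a one-line comment saying why it remains would help.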


@ -81,20 +81,20 @@ if (get_value_from_array($_GET, 'judges_projects_list_eligible'))
$_SESSION['viewstate']['judges_projects_list_eligible'] = $_GET['judges_projects_list_eligible'];
if (get_value_from_array($_GET, 'action') == 'delete' && $_GET['delete'] && $_GET['edit']) {
$stmt = $pdo->prepare("DELETE FROM judges_teams_timeslots_projects_link WHERE id='" . $_GET['delete'] . "'");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM judges_teams_timeslots_projects_link WHERE id=?");
$stmt->execute([$_GET['delete']]);
echo happy(i18n('Judging team project successfully removed'));
$action = 'edit';
}
if (get_value_from_array($_POST, 'action') == 'assign' && $_POST['edit'] && $_POST['timeslot'] && $_POST['project_id']) {
$stmt = $pdo->prepare("INSERT INTO judges_teams_timeslots_projects_link (judges_teams_id,judges_timeslots_id,projects_id,year) VALUES ('" . $_POST['edit'] . "','" . $_POST['timeslot'] . "','" . $_POST['project_id'] . "','" . $config['FAIRYEAR'] . "')");
$stmt->execute();
$stmt = $pdo->prepare("INSERT INTO judges_teams_timeslots_projects_link (judges_teams_id,judges_timeslots_id,projects_id,year) VALUES (?,?,?,?)");
$stmt->execute([$_POST['edit'],$_POST['timeslot'],$_POST['project_id'],$config['FAIRYEAR']]);
echo happy(i18n('Project assigned to team timeslot'));
}
$q = $pdo->prepare("SELECT DISTINCT(date) AS d FROM judges_timeslots WHERE year='" . $config['FAIRYEAR'] . "'");
$q->execute();
$q = $pdo->prepare("SELECT DISTINCT(date) AS d FROM judges_timeslots WHERE year=?");
$q->execute([$config['FAIRYEAR']]);
if ($q->rowCount() > 1)
$show_date = true;
else
@ -155,13 +155,13 @@ if (($action == 'edit' || $action == 'assign') && $edit) {
judges_teams,
judges_teams_timeslots_link
WHERE
judges_teams.id='" . $team['id'] . "' AND
judges_teams.id=? AND
judges_teams.id=judges_teams_timeslots_link.judges_teams_id AND
judges_timeslots.id=judges_teams_timeslots_link.judges_timeslots_id
ORDER BY
date,starttime
");
$q->execute();
$q->execute([$team['id']]);
$numslots = $q - rowCount();
if ($numslots) {
@ -201,7 +201,7 @@ if (($action == 'edit' || $action == 'assign') && $edit) {
projectnumber is not null
' . getJudgingEligibilityCode() . " AND
projects.registrations_id=registrations.id AND
projects.year='" . $config['FAIRYEAR'] . "'
projects.year=?
ORDER BY
projectnumber";
} else if ($_SESSION['viewstate']['judges_projects_list_show'] == 'unassigned') {
@ -219,13 +219,13 @@ if (($action == 'edit' || $action == 'assign') && $edit) {
' . getJudgingEligibilityCode(). ' AND
projects.registrations_id=registrations.id AND
judges_teams_timeslots_projects_link.projects_id IS NULL AND
projects.year='" . $config['FAIRYEAR'] . "'
projects.year=?
ORDER BY
projectnumber";
}
$pq = $pdo->prepare($querystr);
$pq->execute();
$pq->execute([$config['FAIRYEAR'],$config['FAIRYEAR']]);
show_pdo_errors_if_any($pdo);
$eligibleprojects = getProjectsEligibleOrNominatedForAwards($award_ids);
@ -284,14 +284,14 @@ if (($action == 'edit' || $action == 'assign') && $edit) {
projects,
judges_teams_timeslots_projects_link
WHERE
judges_teams_timeslots_projects_link.judges_timeslots_id='$r->id' AND
judges_teams_timeslots_projects_link.judges_teams_id='" . $team['id'] . "' AND
judges_teams_timeslots_projects_link.judges_timeslots_id=? AND
judges_teams_timeslots_projects_link.judges_teams_id=? AND
judges_teams_timeslots_projects_link.projects_id=projects.id AND
judges_teams_timeslots_projects_link.year='" . $config['FAIRYEAR'] . "'
judges_teams_timeslots_projects_link.year=?
ORDER BY
projectnumber
");
$projq->execute();
$projq->execute([$r->id,$team['id'],$config['FAIRYEAR']]);
show_pdo_errors_if_any($pdo);
while ($proj = $projq->fetch(PDO::FETCH_OBJ)) {
@ -357,13 +357,13 @@ if (($action == 'edit' || $action == 'assign') && $edit) {
judges_teams,
judges_teams_timeslots_link
WHERE
judges_teams.id='" . $team['id'] . "' AND
judges_teams.id=? AND
judges_teams.id=judges_teams_timeslots_link.judges_teams_id AND
judges_timeslots.id=judges_teams_timeslots_link.judges_timeslots_id
ORDER BY
date,starttime
");
$q->execute();
$q->execute([$team['id']]);
$numslots = $q->rowCount();
echo '<a href="judges_teams_projects.php?action=edit&edit=' . $team['id'] . '">' . i18n('Edit team project assignments') . '</a>';
@ -391,14 +391,14 @@ if (($action == 'edit' || $action == 'assign') && $edit) {
projects,
judges_teams_timeslots_projects_link
WHERE
judges_teams_timeslots_projects_link.judges_timeslots_id='$r->id' AND
judges_teams_timeslots_projects_link.judges_teams_id='" . $team['id'] . "' AND
judges_teams_timeslots_projects_link.judges_timeslots_id=? AND
judges_teams_timeslots_projects_link.judges_teams_id=? AND
judges_teams_timeslots_projects_link.projects_id=projects.id AND
judges_teams_timeslots_projects_link.year='" . $config['FAIRYEAR'] . "'
judges_teams_timeslots_projects_link.year=?
ORDER BY
projectnumber
");
$projq->execute();
$projq->execute([$r->id,$team['id'],$config['FAIRYEAR']]);
show_pdo_errors_if_any($pdo);
while ($proj = $projq->fetch(PDO::FETCH_OBJ)) {
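Review bot: `$pq->execute([$config['FAIRYEAR'],$config['FAIRYEAR']])` binds two values, but each branch of `$querystr` visible in this hunk carries a single `projects.year=?` placeholder, so unless the part of the query above the hunk adds another `?`, PDO rejects the execute with a parameter-count mismatch (HY093) and the project list comes back empty. Bind one value, `$pq->execute([$config['FAIRYEAR']]);`, or keep the array in step with whichever branch built `$querystr`. In the hunk starting at old line 155 the context line `$numslots = $q - rowCount();` is a typo for `$q->rowCount();` — as written it calls an undefined global function — while the later copy of the same block already uses `$q->rowCount()`. Both `$querystr` branches and the enclosing `if` start above the hunks.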


@ -42,15 +42,15 @@ if (array_key_exists('action', $_POST))
if (get_value_from_array($_GET, 'action') && $action == 'delete') {
$id = intval($_GET['delete']);
$stmt = $pdo->prepare("DELETE FROM judges_teams_timeslots_link WHERE id='$id'");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM judges_teams_timeslots_link WHERE id=?");
$stmt->execute([$id]);
message_push(happy(i18n('Judging team timeslot successfully removed')));
}
if (array_key_exists('empty', $_GET) && $action == 'empty') {
$id = intval($_GET['empty']);
$stmt = $pdo->prepare("DELETE FROM judges_teams_timeslots_link WHERE judges_teams_id='$id'");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM judges_teams_timeslots_link WHERE judges_teams_id=?");
$stmt->execute([$id]);
message_push(happy(i18n('Judging team timeslots successfully removed')));
}
@ -61,8 +61,8 @@ if ($action == 'assign') {
foreach ($_POST['teams'] AS $tm) {
foreach ($_POST['timeslots'] AS $ts) {
$stmt = $pdo->prepare("INSERT INTO judges_teams_timeslots_link (judges_teams_id,judges_timeslots_id,year)
VALUES ('$tm','$ts','{$config['FAIRYEAR']}')");
$stmt->execute();
VALUES (?,?,?)");
$stmt->execute([$tm,$ts,$config['FAIRYEAR']]);
}
}
message_push(happy(i18n('%1 Timeslots assigned to %2 teams', array(count($_POST['timeslots']), count($_POST['teams'])))));
@ -126,8 +126,8 @@ echo '<a href="" onclick="return checknone(\'timeslots\')">select none</a>';
echo '&nbsp;|&nbsp';
echo '<a href="" onclick="return checkinvert(\'timeslots\')">invert selection</a>';
$q = $pdo->prepare("SELECT DISTINCT(date) AS d FROM judges_timeslots WHERE year='" . $config['FAIRYEAR'] . "'");
$q->execute();
$q = $pdo->prepare("SELECT DISTINCT(date) AS d FROM judges_timeslots WHERE year=?");
$q->execute([$config['FAIRYEAR']]);
if ($q->rowCount() > 1)
$show_date = true;
else
@ -143,16 +143,16 @@ echo '<th>' . i18n('End Time') . '</th>';
echo "</tr>\n";
$q = $pdo->prepare("SELECT * FROM judges_timeslots
WHERE year='{$config['FAIRYEAR']}'
WHERE year=?
AND round_id='0' ORDER BY date,starttime");
$q->execute();
$q->execute([$config['FAIRYEAR']]);
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
echo '<tr>';
$span = $show_date ? 4 : 3;
echo "<td colspan=\"$span\">{$r->name} (" . $round_str[$r->type] . ')</td>';
$qq = $pdo->prepare("SELECT * FROM judges_timeslots
WHERE round_id='{$r->id}' ORDER BY date,starttime");
$qq->execute();
WHERE round_id=? ORDER BY date,starttime");
$qq->execute([$r->id]);
while ($rr = $qq->fetch(PDO::FETCH_OBJ)) {
echo '<tr>';
echo "<td><input type=\"checkbox\" name=\"timeslots[]\" value=\"{$rr->id}\" /></td>";
@ -213,13 +213,13 @@ foreach ($teams AS $team) {
judges_teams,
judges_teams_timeslots_link
WHERE
judges_teams.id='" . $team['id'] . "' AND
judges_teams.id=? AND
judges_teams.id=judges_teams_timeslots_link.judges_teams_id AND
judges_timeslots.id=judges_teams_timeslots_link.judges_timeslots_id
ORDER BY
date,starttime
");
$q->execute();
$q->execute([$team['id']]);
$numslots = $q->rowCount();
while ($r = $q->fetch(PDO::FETCH_OBJ)) {


@ -92,16 +92,16 @@ if ($action == 'saveround') {
if ($save == true) {
if ($round_id == 0) {
/* New entry */
$stmt = $pdo->prepare("INSERT INTO judges_timeslots (round_id,year) VALUES('0','{$config['FAIRYEAR']}')");
$stmt->execute();
$stmt = $pdo->prepare("INSERT INTO judges_timeslots (round_id,year) VALUES('0',?)");
$stmt->execute([$config['FAIRYEAR']]);
$round_id = $pdo->lastInsertId();
}
$stmt = $pdo->prepare("UPDATE judges_timeslots SET `date`='$date',
starttime='$starttime', endtime='$endtime',
`name`='$name',
`type`='$type' WHERE id='$round_id'");
$stmt->execute();
$stmt = $pdo->prepare("UPDATE judges_timeslots SET `date`=?,
starttime=?, endtime=?,
`name`=?,
`type`=? WHERE id=?");
$stmt->execute([$date,$starttime,$endtime,$name,$type,$round_id]);
show_pdo_errors_if_any($pdo);
message_push(happy(i18n('Round successfully saved')));
@ -110,18 +110,18 @@ if ($action == 'saveround') {
}
if ($action == 'deleteround') {
$stmt = $pdo->prepare("DELETE FROM judges_timeslots WHERE id='$round_id'");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM judges_timeslots WHERE id=?");
$stmt->execute([$round_id]);
/* Also delete all timeslots */
$stmt = $pdo->prepare("DELETE FROM judges_timeslots WHERE round_id='$round_id'");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM judges_timeslots WHERE round_id=?");
$stmt->execute([$round_id]);
message_push(happy(i18n('Round successfully removed')));
$action = '';
}
if ($action == 'deletetimeslot') {
$stmt = $pdo->prepare("DELETE FROM judges_timeslots WHERE id='$timeslot_id'");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM judges_timeslots WHERE id=?");
$stmt->execute([$timeslot_id]);
message_push(happy(i18n('Timeslot successfully removed')));
$action = '';
}
@ -129,8 +129,8 @@ if ($action == 'deletetimeslot') {
if ($action == 'savetimeslot') {
$save = true;
$q = $pdo->prepare("SELECT * FROM judges_timeslots WHERE id='$round_id'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM judges_timeslots WHERE id=?");
$q->execute([$round_id]);
$round_data = $q->fetch(PDO::FETCH_ASSOC);
$date = $round_data['date'];
@ -152,15 +152,15 @@ if ($action == 'savetimeslot') {
if ($save == true) {
if ($timeslot_id == 0) {
/* New entry */
$stmt = $pdo->prepare("INSERT INTO judges_timeslots (round_id,date,type,year) VALUES('$round_id',
'$date','timeslot','{$config['FAIRYEAR']}')");
$stmt->execute();
$stmt = $pdo->prepare("INSERT INTO judges_timeslots (round_id,date,type,year) VALUES(?,
?,'timeslot',?)");
$stmt->execute([$round_id,$date,$config['FAIRYEAR']]);
$timeslot_id = $pdo->lastInsertId();
}
$stmt = $pdo->prepare("UPDATE judges_timeslots SET starttime='$starttime', endtime='$endtime'
WHERE id='$timeslot_id'");
$stmt->execute();
$stmt = $pdo->prepare("UPDATE judges_timeslots SET starttime=?, endtime=?
WHERE id=?");
$stmt->execute([$starttime,$endtime,$timeslot_id]);
show_pdo_errors_if_any($pdo);
message_push(happy(i18n('Timeslot successfully saved')));
@ -176,8 +176,8 @@ if ($action == 'savemultiple') {
$break = intval($_POST['break']);
if (array_key_exists('starttime_hour', $_POST) && array_key_exists('starttime_minute', $_POST) && $addnum && $duration) {
$q = $pdo->prepare("SELECT * FROM judges_timeslots WHERE id='$round_id'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM judges_timeslots WHERE id=?");
$q->execute([$round_id]);
$round_data = $q->fetch(PDO::FETCH_ASSOC);
$date = $round_data['date'];
@ -188,9 +188,15 @@ if ($action == 'savemultiple') {
$tt = $duration + $break;
for ($x = 0; $x < $addnum; $x++) {
$q = $pdo->prepare("SELECT \tDATE_ADD('$date $hr:$min:00', INTERVAL $duration MINUTE) AS endtime,
DATE_ADD('$date $hr:$min:00', INTERVAL $tt MINUTE) AS startnext ");
$q->execute();
$q = $pdo->prepare("SELECT
DATE_ADD(?, INTERVAL ? MINUTE) AS endtime,
DATE_ADD(?, INTERVAL ? MINUTE) AS startnext");
$q->execute([
"$date $hr:$min:00", $duration,
"$date $hr:$min:00", $tt
]);
show_pdo_errors_if_any($pdo);
$r = $q->fetch(PDO::FETCH_OBJ);
list($ed, $et) = split(' ', $r->endtime);
@ -199,10 +205,10 @@ if ($action == 'savemultiple') {
$starttime = sprintf('%02d:%02d:00', $hr, $min);
$stmt = $pdo->prepare("INSERT INTO judges_timeslots (date,type,round_id,starttime,endtime,year) VALUES (
'$date','timeslot','{$round_data['id']}',
'$starttime', '$et',
'{$config['FAIRYEAR']}')");
$stmt->execute();
?,'timeslot',?,
?,?,
?)");
$stmt->execute([$date,$round_data['id'],$starttime,$et,$config['FAIRYEAR']]);
show_pdo_errors_if_any($pdo);
$date = $nd;
list($s_h, $s_m, $s_s) = split(':', $nt);
@ -242,8 +248,8 @@ if ($action == 'addround' || $action == 'editround') {
$r['date'] = $config['dates']['fairdate'];
} else {
echo '<h3>Edit Judging Round</h3>';
$q = $pdo->prepare("SELECT * FROM judges_timeslots WHERE id='$round_id'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM judges_timeslots WHERE id=?");
$q->execute([$round_id]);
if ($q->rowCount() != 1) {
echo "UNKNOWN ROUND $round_id";
exit;
@ -289,8 +295,8 @@ if ($action == 'addtimeslot' || $action == 'edittimeslot') {
echo "<input type=\"hidden\" name=\"round_id\" value=\"$round_id\">\n";
echo "<input type=\"hidden\" name=\"timeslot_id\" value=\"$timeslot_id\">\n";
$q = $pdo->prepare("SELECT * FROM judges_timeslots WHERE id='$round_id'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM judges_timeslots WHERE id=?");
$q->execute([$round_id]);
$round_data = $q->fetch(PDO::FETCH_ASSOC);
if ($action == 'addtimeslot') {
@ -299,8 +305,8 @@ if ($action == 'addtimeslot' || $action == 'edittimeslot') {
$r['date'] = $round_data['date'];
} else {
echo '<h3>Edit Judging Timeslot</h3>';
$q = $pdo->prepare("SELECT * FROM judges_timeslots WHERE id='$timeslot_id'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM judges_timeslots WHERE id=?");
$q->execute([$timeslot_id]);
if ($q->rowCount() != 1) {
echo "UNKNOWN ROUND $round_id";
exit;
@ -334,8 +340,8 @@ if ($action == 'addmultiple') {
echo "<input type=\"hidden\" name=\"round_id\" value=\"$round_id\">\n";
echo "<input type=\"hidden\" name=\"timeslot_id\" value=\"$timeslot_id\">\n";
$q = $pdo->prepare("SELECT * FROM judges_timeslots WHERE id='$round_id'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM judges_timeslots WHERE id=?");
$q->execute([$round_id]);
$round_data = $q->fetch(PDO::FETCH_ASSOC);
echo '<table border="0">';
@ -375,12 +381,12 @@ if ($action == '') {
echo '<th>' . i18n('Actions') . '</th>';
echo '</tr>';
$q = $pdo->prepare("SELECT * FROM judges_timeslots WHERE year='{$config['FAIRYEAR']}' AND `type`!='timeslot' ORDER BY date,starttime");
$q->execute();
$q = $pdo->prepare("SELECT * FROM judges_timeslots WHERE year=? AND `type`!='timeslot' ORDER BY date,starttime");
$q->execute([$config['FAIRYEAR']]);
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
echo '<tr>';
$qq = $pdo->prepare("SELECT * FROM judges_timeslots WHERE round_id='{$r->id}' ORDER BY `date`,`starttime`");
$qq->execute();
$qq = $pdo->prepare("SELECT * FROM judges_timeslots WHERE round_id=? ORDER BY `date`,`starttime`");
$qq->execute([$r->id]);
$c = $qq->rowCount() + 1;
echo "<td rowspan=\"$c\"><b>" . format_date($r->date) . '</b></td>';
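Review bot: `list($ed, $et) = split(' ', $r->endtime);` (and `split(':', $nt)` a few lines below) calls `split()`, which no longer exists in PHP 7 and later, so the savemultiple path fails on its first iteration right after the newly parameterized DATE_ADD query returns; it should read `[$ed, $et] = explode(' ', $r->endtime);` and `[$s_h, $s_m, $s_s] = explode(':', $nt);`. Those lines are context in the hunk, so the commit leaves them untouched. Binding `$duration` and `$tt` into `INTERVAL ? MINUTE` works because MySQL coerces the string parameter to an integer, but whether `$duration` is sanitised the way `$break = intval($_POST['break'])` is lies above the hunk; a short comment at the bind, `// bound as string; MySQL coerces INTERVAL '30' MINUTE to an integer`, would save the next reader a check. The `for` loop body continues past the end of the hunk.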


@ -51,10 +51,10 @@ if ($_GET['projectid']) {
$score_error = '*** ERROR **** You entered a value greater than 100.00';
}
$stmt = $pdo->prepare("UPDATE judges_teams_timeslots_projects_link
\t \t\t\t\t\tSET score=" . $score
. ' WHERE judges_teams_id = ' . $_POST['team_' . $curr_team . '_id']
. " and projects_id =$project_id and year=$year");
$stmt->execute();
SET score=?
WHERE judges_teams_id =?
and projects_id =? and year=?");
$stmt->execute([$score,$_POST['team_' . $curr_team . '_id'],$project_id,$year]);
show_pdo_errors_if_any($pdo);
}
$curr_team--;
@ -64,18 +64,18 @@ if ($_GET['projectid']) {
?>
<?
if ($project_id) {
$q = $pdo->prepare("SELECT * FROM projects WHERE projects.id = '" . $project_id . "'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM projects WHERE projects.id =?");
$q->execute([$project_id]);
$r = $q->fetch(PDO::FETCH_OBJ);
$project_number = $r->projectnumber;
$project_title = $r->title;
$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year='$year' ORDER BY id");
$q->execute();
$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year=? ORDER BY id");
$q->execute([$year]);
while ($r = $q->fetch(PDO::FETCH_OBJ))
$cats[$r->id] = $r->category;
$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year='$year' ORDER BY id");
$q->execute();
$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year=? ORDER BY id");
$q->execute([$year]);
$q = $pdo->prepare("SELECT judges_teams_timeslots_projects_link.judges_teams_id,
\t score,
@ -83,8 +83,8 @@ if ($project_id) {
\t FROM judges_teams_timeslots_projects_link,
\t judges_teams
\t WHERE judges_teams_timeslots_projects_link.judges_teams_id = judges_teams.id
\t AND projects_id = " . $project_id . ' ORDER BY judges_teams_id');
$q->execute();
\t AND projects_id =? ORDER BY judges_teams_id");
$q->execute([$project_id]);
show_pdo_errors_if_any($pdo);
echo 'Project# ' . $project_number . ' ' . $project_title . '<br />';
if ($score_error != '') {
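Review bot: The projectdivisions query `$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year=? ORDER BY id"); $q->execute([$year]);` is run and then immediately overwritten by the next `$pdo->prepare(...)` without a single fetch, so it does nothing; either drop it or add the loop its sibling report uses, `while ($r = $q->fetch(PDO::FETCH_OBJ)) $divs[$r->id] = $r->division;`, if `$divs` is needed further down. Binding `$score` as a string for `SET score=?` is fine for MySQL, but the hunk only shows the `> 100.00` check assigning `$score_error` — whether the UPDATE is skipped when that fires is decided above the hunk and worth confirming. The enclosing `if ($_GET['projectid'])` block starts above the hunk.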


@ -44,13 +44,13 @@ if ($_GET['csv'] == 'yes') {
}
?>
<?
$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year='$year' ORDER BY id");
$q->execute();
$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year=? ORDER BY id");
$q->execute([$year]);
while ($r = $q->fetch(PDO::FETCH_OBJ))
$cats[$r->id] = $r->category;
$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year='$year' ORDER BY id");
$q->execute();
$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year=? ORDER BY id");
$q->execute([$year]);
while ($r = $q->fetch(PDO::FETCH_OBJ))
$divs[$r->id] = $r->division;
@ -74,13 +74,13 @@ $q = $pdo->prepare("SELECT registrations.id AS reg_id,
left outer join projects on projects.registrations_id=registrations.id
left outer join judges_teams_timeslots_projects_link on projects.id=judges_teams_timeslots_projects_link.projects_id
WHERE
registrations.year='$year' "
registrations.year=?"
. getJudgingEligibilityCode() . "
GROUP BY projectid
ORDER BY
$ORDERBY
");
$q->execute();
$q->execute([$year]);
show_pdo_errors_if_any($pdo);
if ($_GET['csv'] != 'yes') {
@ -101,15 +101,15 @@ if ($_GET['csv'] != 'yes') {
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
if ($_GET['csv'] == 'yes') {
echo "$r->projectnumber \t $r->title \t" . $cats[$r->projectcategories_id] . "\t" . $divs[$r->projectdivisions_id] . " \t $r->score \t $r->norm_score ";
$p = $pdo->prepare("SELECT judges_teams_timeslots_projects_link.judges_teams_id,
\t \t\t\t\t score,
\t judges_teams.num
\t FROM judges_teams_timeslots_projects_link,
\t judges_teams
\t WHERE judges_teams_timeslots_projects_link.judges_teams_id = judges_teams.id
\t AND projects_id = " . $r->projectid . ' ORDER BY judges_teams_id');
$p->execute();
echo "$r->projectnumber \t ? \t ? \t ? \t ? \t ? ";
$p = $pdo->prepare("SELECT judges_teams_timeslots_projects_link.judges_teams_id, score, judges_teams.num
FROM judges_teams_timeslots_projects_link, judges_teams
WHERE judges_teams_timeslots_projects_link.judges_teams_id = judges_teams.id
AND projects_id = ?
ORDER BY judges_teams_id");
$p->execute([$r->title, $cats[$r->projectcategories_id], $divs[$r->projectdivisions_id], $r->score, $r->norm_score, $r->projectid]);
show_pdo_errors_if_any($pdo);
while ($s = $p->fetch(PDO::FETCH_OBJ)) {
$team = getJudgingTeam($s->judges_teams_id);
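Review bot: The CSV branch now echoes `"$r->projectnumber \t ? \t ? \t ? \t ? \t ? "` and passes `$r->title`, the category, the division, `$r->score` and `$r->norm_score` to `$p->execute([...])` — the refactor turned the output string's interpolated values into SQL placeholders. The export prints literal question marks, and the execute binds six values to a query with one `?`, which PDO rejects (HY093), so the per-team score loop never runs. Restore the echo from the old side, `echo "$r->projectnumber \t $r->title \t" . $cats[$r->projectcategories_id] . "\t" . $divs[$r->projectdivisions_id] . " \t $r->score \t $r->norm_score ";`, and bind only `$p->execute([$r->projectid]);`. Separately, `$r->title` is written to the tab-separated output unescaped, so a title containing a tab or newline breaks the row; that predates this commit.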


@ -47,11 +47,11 @@ if ($auth_type == 'fair') {
/* Make sure they have permission to laod this student, check
the master copy of the fairs_id in the project */
$q = $pdo->prepare("SELECT * FROM projects WHERE
registrations_id='$registrations_id'
AND year='{$config['FAIRYEAR']}'
AND fairs_id=$fairs_id");
registrations_id=?
AND year=?
AND fairs_id=?");
$q->execute();
$q->execute([$registrations_id,$config['FAIRYEAR'],$fairs_id]);
if ($q->rowCount() != 1) {
echo 'permission denied.';
exit;
@ -69,22 +69,22 @@ switch ($action) {
project_save();
/* Now generate */
$q = $pdo->prepare("SELECT id FROM projects WHERE registrations_id='{$registrations_id}' AND year='{$config['FAIRYEAR']}'");
$q->execute();
$q = $pdo->prepare("SELECT id FROM projects WHERE registrations_id=? AND year=?");
$q->execute([$registrations_id,$config['FAIRYEAR']]);
$i = $q->fetch(PDO::FETCH_ASSOC);
$id = $i['id'];
$stmt = $pdo->prepare("UPDATE projects SET projectnumber=NULL,projectsort=NULL,
projectnumber_seq='0',projectsort_seq='0'
WHERE id='$id'");
$stmt->execute();
WHERE id=?");
$stmt->execute([$id]);
show_pdo_errors_if_any($pdo);
list($pn, $ps, $pns, $pss) = generateProjectNumber($registrations_id);
// print("Generated Project Number [$pn]");
$stmt = $pdo->prepare("UPDATE projects SET projectnumber='$pn',projectsort='$ps',
projectnumber_seq='$pns',projectsort_seq='$pss'
WHERE id='$id'");
$stmt->execute();
$stmt = $pdo->prepare("UPDATE projects SET projectnumber=?,projectsort=?,
projectnumber_seq=?,projectsort_seq=?
WHERE id=?");
$stmt->execute([$pn,$ps,$pns,$pss,$id]);
happy_("Generated and Saved Project Number: $pn");
break;
@ -102,8 +102,8 @@ function project_save()
global $registrations_id, $config, $pdo;
// first, lets make sure this project really does belong to them
$q = $pdo->prepare("SELECT * FROM projects WHERE registrations_id='{$registrations_id}' AND year='{$config['FAIRYEAR']}'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM projects WHERE registrations_id=? AND year=?");
$q->execute([$registrations_id,$config['FAIRYEAR']]);
$projectinfo = $q->fetch(PDO::FETCH_OBJ);
if (!projectinfo) {
echo error(i18n('Invalid project to update'));
@ -121,13 +121,13 @@ function project_save()
if (empty($_POST['feedback'])) {
$stmt = $pdo->prepare('UPDATE projects SET '
. "flagged='0'"
. "WHERE id='" . intval($_POST['id']) . "'");
$stmt->execute();
. "WHERE id=?");
$stmt->execute([intval($_POST['id'])]);
} else {
$stmt = $pdo->prepare('UPDATE projects SET '
. "flagged='1'"
. "WHERE id='" . intval($_POST['id']) . "'");
$stmt->execute();
. "WHERE id=?");
$stmt->execute([intval($_POST['id'])]);
}
show_pdo_errors_if_any($pdo);
happy_('Flagging process successfully updated');
@ -138,36 +138,54 @@ function project_save()
} else
$title = stripslashes($_POST['title']);
$stmt = $pdo->prepare('UPDATE projects SET '
. "title='" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', $title) . "', "
. "projectdivisions_id='" . intval($_POST['projectdivisions_id'] . "', "
. "projecttype='" . stripslashes($_POST['projecttype']) . "', "
. "language='" . stripslashes($_POST['language']) . "', "
. "req_table='" . stripslashes($_POST['req_table']) . "', "
. "req_electricity='" . stripslashes($_POST['req_electricity']) . "', "
. "req_special='" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['req_special'])) . "', "
. "human_participants='" . stripslashes($_POST['human_participants']) . "', "
. "animal_participants='" . stripslashes($_POST['animal_participants']) . "', "
. "summary='" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['summary'])) . "', "
. "summarycountok='$summarycountok',"
. "feedback='" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['feedback'])) . "', "
. "projectsort='" . stripslashes($_POST['projectsort']) . "'"
. "WHERE id='" . intval($_POST['id'])) . "'");
$stmt = $pdo->prepare("UPDATE projects SET
title=?,
projectdivisions_id=?,
projecttype=?,
language=?,
req_table=?,
req_electricity=?,
req_special=?,
human_participants=?,
animal_participants=?,
summary=?,
summarycountok=?,
feedback=?,
projectsort=?
WHERE id=?");
$stmt->execute([
iconv('UTF-8', 'ISO-8859-1//TRANSLIT', $_POST['title']),
intval($_POST['projectdivisions_id']),
$_POST['projecttype'],
$_POST['language'],
$_POST['req_table'],
$_POST['req_electricity'],
$_POST['req_special'],
$_POST['human_participants'],
$_POST['animal_participants'],
iconv('UTF-8', 'ISO-8859-1//TRANSLIT', $_POST['summary']),
$_POST['summarycountok'],
iconv('UTF-8', 'ISO-8859-1//TRANSLIT', $_POST['feedback']),
$_POST['projectsort'],
intval($_POST['id'])
]);
show_pdo_errors_if_any($pdo);
happy_('Project information successfully updated');
// check if they changed the project number
if ($_POST['projectnumber'] != $projectinfo->projectnumber) {
// check if hte new one is available
$q = $pdo->prepare("SELECT * FROM projects WHERE year='" . $config['FAIRYEAR'] . "' AND projectnumber='" . $_POST['projectnumber'] . "'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM projects WHERE year=?' AND projectnumber=?");
$q->execute([$config['FAIRYEAR'],$_POST['projectnumber']]);
if ($q->rowCount()) {
error_('Could not change project number. %1 is already in use', array($_POST['projectnumber']));
} else {
$stmt = $pdo->prepare("UPDATE projects SET
projectnumber='" . $_POST['projectnumber'] . "'
WHERE id='" . $_POST['id'] . "'");
$stmt->execute();
projectnumber=?
WHERE id=?");
$stmt->execute([$_POST['projectnumber'],$_POST['id']]);
happy_('Project number successfully changed to %1', array($_POST['projectnumber']));
}
}
@ -178,13 +196,13 @@ function project_load()
global $registrations_id, $config, $pdo, $projectcategories_id;
// $projectcategories_id=null;
// now lets find out their MAX grade, so we can pre-set the Age Category
$q = $pdo->prepare("SELECT MAX(grade) AS maxgrade FROM students WHERE registrations_id='" . $registrations_id . "'");
$q->execute();
$q = $pdo->prepare("SELECT MAX(grade) AS maxgrade FROM students WHERE registrations_id=?");
$q->execute([$registrations_id]);
$gradeinfo = $q->fetch(PDO::FETCH_OBJ);
// now lets grab all the age categories, so we can choose one based on the max grade
$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY id");
$q->execute();
$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year=? ORDER BY id");
$q->execute([$config['FAIRYEAR']]);
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
// save these in an array, just incase we need them later (FIXME: remove this array if we dont need it)
$agecategories[$r->id]['category'] = $r->category;
@ -196,24 +214,24 @@ function project_load()
}
// now select their project info
$q = $pdo->prepare("SELECT * FROM projects WHERE registrations_id='" . $registrations_id . "' AND year='" . $config['FAIRYEAR'] . "'");
$q = $pdo->prepare("SELECT * FROM projects WHERE registrations_id=? AND year=?");
// check if it exists, if we didnt find any record, lets insert one
$q->execute();
$q->execute([$registrations_id,$config['FAIRYEAR']]);
$projectinfo = $q->fetch(PDO::FETCH_OBJ);
if (!$projectinfo) {
$stmt = $pdo->prepare("INSERT INTO projects (registrations_id,projectcategories_id,year) VALUES ('" . $registrations_id . "','$projectcategories_id','" . $config['FAIRYEAR'] . "')");
$stmt = $pdo->prepare("INSERT INTO projects (registrations_id,projectcategories_id,year) VALUES (?,?,?)");
// and then pull it back out
$stmt->execute();
$q = $pdo->prepare("SELECT * FROM projects WHERE registrations_id='" . $registrations_id . "' AND year='" . $config['FAIRYEAR'] . "'");
$q->execute();
$stmt->execute([$registrations_id,$projectcategories_id,$config['FAIRYEAR']]);
$q = $pdo->prepare("SELECT * FROM projects WHERE registrations_id=? AND year=?");
$q->execute([ $registrations_id,$config['FAIRYEAR']]);
$projectinfo = $q->fetch(PDO::FETCH_OBJ);
}
// make sure that if they changed their grade on the student page, we update their projectcategories_id accordingly
if ($projectcategories_id && $projectinfo->projectcategories_id != $projectcategories_id) {
echo notice(i18n('Age category changed, updating to %1', array($agecategories[$projectcategories_id]['category'])));
$stmt = $pdo->prepare("UPDATE projects SET projectcategories_id='$projectcategories_id' WHERE id='$projectinfo->id'");
$stmt->execute();
$stmt = $pdo->prepare("UPDATE projects SET projectcategories_id=? WHERE id=?");
$stmt->execute([$projectcategories_id,$projectinfo->id]);
}
// output the current status
@ -293,13 +311,13 @@ function countwords()
<?
// ###### Feature Specific - filtering divisions by category
if ($config['filterdivisionbycategory'] == 'yes') {
$q = $pdo->prepare('SELECT projectdivisions.* FROM projectdivisions,projectcategoriesdivisions_link WHERE projectdivisions.id=projectdivisions_id AND projectcategories_id=' . $projectcategories_id . " AND projectdivisions.year='" . $config['FAIRYEAR'] . "' AND projectcategoriesdivisions_link.year='" . $config['FAIRYEAR'] . "' ORDER BY division");
$q->execute();
$q = $pdo->prepare('SELECT projectdivisions.* FROM projectdivisions,projectcategoriesdivisions_link WHERE projectdivisions.id=projectdivisions_id AND projectcategories_id=? AND projectdivisions.year=? AND projectcategoriesdivisions_link.year=? ORDER BY division');
$q->execute([$projectcategories_id,$config['FAIRYEAR'],$config['FAIRYEAR']]);
show_pdo_errors_if_any($pdo);
// ###
} else
$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY division");
$q->execute();
$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year=? ORDER BY division");
$q->execute([$config['FAIRYEAR']]);
echo '<select name="projectdivisions_id">';
echo '<option value="">' . i18n('Select a division') . "</option>\n";


@ -39,14 +39,14 @@ if (get_value_from_array($_GET, 'year'))
else
$year = $config['FAIRYEAR'];
$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year='$year' ORDER BY id");
$q->execute();
$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year=? ORDER BY id");
$q->execute([$year]);
while ($r = $q->fetch(PDO::FETCH_OBJ))
$cats[$r->id] = $r->category;
$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year='$year' ORDER BY id");
$q->execute();
$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year=? ORDER BY id");
$q->execute([$year]);
while ($r = $q->fetch(PDO::FETCH_OBJ))
$divs[$r->id] = $r->division;
@ -62,34 +62,34 @@ switch ($action) {
case 'delete':
$regid = intval($_GET['id']);
$q = $pdo->prepare("SELECT * FROM projects WHERE registrations_id='$regid'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM projects WHERE registrations_id=?");
$q->execute([$regid]);
if ($q->rowCount()) {
$p = $q->fetch(PDO::FETCH_ASSOC);
$stmt = $pdo->prepare("DELETE FROM winners WHERE projects_id='{$p['id']}'");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM winners WHERE projects_id=?");
$stmt->execute([$p['id']]);
}
$stmt = $pdo->prepare("DELETE FROM registrations WHERE id='$regid' AND year='" . $config['FAIRYEAR'] . "'");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM registrations WHERE id=? AND year=?");
$stmt->execute([$regid,$config['FAIRYEAR']]);
$stmt = $pdo->prepare("DELETE FROM students WHERE registrations_id='$regid' AND year='" . $config['FAIRYEAR'] . "'");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM students WHERE registrations_id=? AND year=?");
$stmt->execute([$regid,$config['FAIRYEAR']]);
$stmt = $pdo->prepare("DELETE FROM projects WHERE registrations_id='$regid' AND year='" . $config['FAIRYEAR'] . "'");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM projects WHERE registrations_id=? AND year=?");
$stmt->execute([$regid,$config['FAIRYEAR']]);
$stmt = $pdo->prepare("DELETE FROM safety WHERE registrations_id='$regid' AND year='" . $config['FAIRYEAR'] . "'");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM safety WHERE registrations_id=? AND year=?");
$stmt->execute([$regid,$config['FAIRYEAR']]);
$stmt = $pdo->prepare("DELETE FROM questions_answers WHERE registrations_id='$regid' AND year='" . $config['FAIRYEAR'] . "'");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM questions_answers WHERE registrations_id=? AND year=?");
$stmt->execute([$regid,$config['FAIRYEAR']]);
$stmt = $pdo->prepare("DELETE FROM mentors WHERE registrations_id='$regid' AND year='" . $config['FAIRYEAR'] . "'");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM mentors WHERE registrations_id=? AND year=?");
$stmt->execute([$regid,$config['FAIRYEAR']]);
$stmt = $pdo->prepare("DELETE FROM emergencycontact WHERE registrations_id='$regid' AND year='" . $config['FAIRYEAR'] . "'");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM emergencycontact WHERE registrations_id=? AND year=?");
$stmt->execute([$regid,$config['FAIRYEAR']]);
happy_('Registration and all related data successfully deleted');
exit;
}
@ -444,29 +444,30 @@ function list_query($year, $wherestatus, $reg_id)
$fair = "AND projects.fairs_id='{$_SESSION['fairs_id']}'";
}
$q = $pdo->prepare("SELECT registrations.id AS reg_id,
registrations.num AS reg_num,
registrations.status,
registrations.email,
projects.title,
projects.projectnumber,
projects.projectcategories_id,
projects.projectdivisions_id,
projects.feedback,
projects.flagged
FROM
registrations
left outer join projects on projects.registrations_id=registrations.id
WHERE
1
AND registrations.year='$year'
$wherestatus
$reg $fair
ORDER BY
registrations.status DESC, projects.title
");
$q = $pdo->prepare("
SELECT
registrations.id AS reg_id,
registrations.num AS reg_num,
registrations.status,
registrations.email,
projects.title,
projects.projectnumber,
projects.projectcategories_id,
projects.projectdivisions_id,
projects.feedback,
projects.flagged
FROM
registrations
LEFT OUTER JOIN projects ON projects.registrations_id = registrations.id
WHERE
registrations.year = ?
AND registrations.status = ?
AND registrations.num = ?
AND registrations.fair = ?
ORDER BY
registrations.status DESC, projects.title ");
$q->execute([$year, $wherestatus, $reg, $fair]);
$q->execute();
// FIXME
show_pdo_errors_if_any($pdo);
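Review bot: The rewritten list_query binds `$wherestatus`, `$reg` and `$fair` as values for `registrations.status = ?`, `registrations.num = ?` and `registrations.fair = ?`, but those variables are SQL fragments, not values: `$fair` is built just above as `AND projects.fairs_id='…'` and the removed query appended all three to the WHERE clause, so the statement now compares columns against strings like that fragment and presumably returns no rows (`registrations.fair` also appears nowhere else on the page). The second `$q->execute();` directly after the parameterised call re-runs the statement with nothing bound, which fails or warns depending on the PDO error mode. A workable direction is to keep the optional clauses as appended SQL but move their values into a params array, e.g. `$params = [$year];` … `if ($fair !== '') { $sql .= ' AND projects.fairs_id = ?'; $params[] = $_SESSION['fairs_id']; }` … `$q->execute($params);`, treating the status and registration-id clauses the same way; the `// FIXME` can then go. list_query starts before this hunk and its body continues past it.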
@ -516,11 +517,11 @@ function print_row($r)
FROM
students,schools
WHERE
students.registrations_id='$r->reg_id'
students.registrations_id=?
AND
students.schools_id=schools.id
");
$sq->execute();
$sq->execute([$r->reg_id]);
show_pdo_errors_if_any($pdo);
$studnum = 1;


@ -41,8 +41,8 @@ echo '<br />';
$showformatbottom = true;
if (get_value_from_array($_POST, 'action') == 'received' && get_value_from_array($_POST, 'registration_number')) {
$q = $pdo->prepare("SELECT * FROM registrations WHERE num='" . $_POST['registration_number'] . "' AND year='" . $config['FAIRYEAR'] . "'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM registrations WHERE num=? AND year=?");
$q->execute([$_POST['registration_number'],$config['FAIRYEAR']]);
if ($q->rowCount() == 1) {
$r = $q->fetch(PDO::FETCH_OBJ);
$reg_id = $r->id;
@ -77,7 +77,7 @@ if (get_value_from_array($_POST, 'action') == 'received' && get_value_from_array
FROM
projects,projectcategories,projectdivisions
WHERE
projects.registrations_id='$reg_id'
projects.registrations_id=?
AND
projects.projectcategories_id=projectcategories.id
AND
@ -87,7 +87,7 @@ if (get_value_from_array($_POST, 'action') == 'received' && get_value_from_array
AND
projectdivisions.year=projects.year
");
$q->execute();
$q->execute([$reg_id]);
show_pdo_errors_if_any($pdo);
$projectinfo = $q->fetch(PDO::FETCH_OBJ);
@ -116,11 +116,11 @@ if (get_value_from_array($_POST, 'action') == 'received' && get_value_from_array
FROM
students,schools
WHERE
students.registrations_id='$reg_id'
students.registrations_id=?
AND
students.schools_id=schools.id
");
$q->execute();
$q->execute([$reg_id]);
$studnum = 1;
while ($studentinfo = $q->fetch(PDO::FETCH_OBJ)) {
@ -193,14 +193,14 @@ if (get_value_from_array($_POST, 'action') == 'received' && get_value_from_array
$checkNumQuery = $pdo->prepare("SELECT projectnumber
FROM projects, registrations
WHERE projects.registrations_id = registrations.id
AND num='$regnum'
AND registrations.year='{$config['FAIRYEAR']}'");
$checkNumQuery->execute();
AND num=?
AND registrations.year=?");
$checkNumQuery->execute([$regnum,$config['FAIRYEAR']]);
$checkNumResults = $checkNumQuery->fetch(PDO::FETCH_OBJ);
$projectnum = $checkNumResults->projectnumber;
$q = $pdo->prepare("SELECT id FROM registrations WHERE num='$regnum' AND year='{$config['FAIRYEAR']}'");
$q->execute();
$q = $pdo->prepare("SELECT id FROM registrations WHERE num=? AND year=?");
$q->execute([$regnum, $config['FAIRYEAR']]);
$r = $q->fetch(PDO::FETCH_OBJ);
$reg_id = $r->id;
@ -218,8 +218,8 @@ if (get_value_from_array($_POST, 'action') == 'received' && get_value_from_array
if ($_POST['action'] == 'receivedyes') {
// actually set it to 'complete'
$stmt = $pdo->prepare("UPDATE registrations SET status='complete' WHERE num='$regnum' AND year='{$config['FAIRYEAR']}'");
$stmt->execute();
$stmt = $pdo->prepare("UPDATE registrations SET status='complete' WHERE num=? AND year=?");
$stmt->execute([$regnum,$config['FAIRYEAR']]);
foreach ($recipients AS $recip) {
$to = $recip['to'];
$subsub = array();
@ -238,8 +238,8 @@ if (get_value_from_array($_POST, 'action') == 'received' && get_value_from_array
echo happy(i18n('Registration of form %1 successfully completed', array($regnum)));
} else if ($_POST['action'] == 'receivedyesnocash') {
// actually set it to 'paymentpending'
$stmt = $pdo->prepare("UPDATE registrations SET status='paymentpending' WHERE num='$regnum' AND year='{$config['FAIRYEAR']}'");
$stmt->execute();
$stmt = $pdo->prepare("UPDATE registrations SET status='paymentpending' WHERE num=? AND year=?");
$stmt->execute([$regnum,$config['FAIRYEAR']]);
foreach ($recipients AS $recip) {
$to = $recip['to'];
$subsub = array();
@ -261,13 +261,13 @@ if (get_value_from_array($_POST, 'action') == 'received' && get_value_from_array
echo notice(i18n('Registration of form %1 cancelled', array($_POST['registration_number'])));
} else if (get_value_from_array($_GET, 'action') == 'unregister' && get_value_from_array($_GET, 'registration_number')) {
$reg_num = intval(trim($_GET['registration_number']));
$q = $pdo - prepare("SELECT registrations.id AS reg_id, projects.id AS proj_id FROM projects,registrations WHERE projects.registrations_id=registrations.id AND registrations.year='{$config['FAIRYEAR']}' AND registrations.num='$reg_num'");
$q->execute();
$q = $pdo->prepare("SELECT registrations.id AS reg_id, projects.id AS proj_id FROM projects,registrations WHERE projects.registrations_id=registrations.id AND registrations.year=? AND registrations.num=?");
$q->execute([$config['FAIRYEAR'],$reg_num]);
$r = $q->fetch(PDO::FETCH_OBJ);
$stmt = $pdo->prepare("UPDATE projects SET projectnumber=null, projectsort=null, projectnumber_seq=0, projectsort_seq=0 WHERE id='$r->proj_id' AND year='{$config['FAIRYEAR']}'");
$stmt->execute();
$stmt = $pdo->prepare("UPDATE registrations SET status='open' WHERE id='$r->reg_id' AND year='{$config['FAIRYEAR']}'");
$stmt->execute();
$stmt = $pdo->prepare("UPDATE projects SET projectnumber=null, projectsort=null, projectnumber_seq=0, projectsort_seq=0 WHERE id=? AND year=?");
$stmt->execute([$r->proj_id,$config['FAIRYEAR']]);
$stmt = $pdo->prepare("UPDATE registrations SET status='open' WHERE id=? AND year=?");
$stmt->execute([$r->reg_id,$config['FAIRYEAR']]);
echo happy(i18n('Successfully unregistered project'));
}
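Review bot: `$r` from `$q->fetch(PDO::FETCH_OBJ)` is `false` when no registration matches `$reg_num` for the current year, yet the two UPDATEs that follow read `$r->proj_id` and `$r->reg_id` unchecked and then report success; with the new bound arrays they run with a `NULL` id (matching nothing) after a warning on the property access. A guard before the UPDATEs, such as `if ($r === false) { echo error(i18n('No registered project found for form %1', array($reg_num))); } else { … }`, makes the failure visible instead of printing "Successfully unregistered project". The `else if` chain this sits in continues outside the hunk.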
@ -305,9 +305,9 @@ if ($showformatbottom) {
if (get_value_from_array($_POST, 'action') == 'receive_all') {
// Grab all projects that don't have project numbers. Status should therefor be open or new but not complete
$query_noprojectnumber = $pdo->prepare('SELECT * FROM projects WHERE projectnumber IS NULL AND year =' . $config['FAIRYEAR'] . '');
$query_noprojectnumber = $pdo->prepare('SELECT * FROM projects WHERE projectnumber IS NULL AND year =?');
// Define arrays to append to later
$query_noprojectnumber->execute();
$query_noprojectnumber->execute([$config['FAIRYEAR']]);
$completed_students = array();
$incomplete_students = array();
$newstatus_students = array();
@ -315,8 +315,8 @@ if (get_value_from_array($_POST, 'action') == 'receive_all') {
// loop through each project that doesn't have a project number
while ($studentproject = $query_noprojectnumber->fetch(PDO::FETCH_ASSOC)) {
// Grab registration information about the current project
$q = $pdo->prepare("SELECT * FROM registrations WHERE id='" . $studentproject['registrations_id'] . "' AND year='" . $config['FAIRYEAR'] . "'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM registrations WHERE id=? AND year=?");
$q->execute([$studentproject['registrations_id'],$config['FAIRYEAR']]);
$r = $q->fetch(PDO::FETCH_OBJ);
$reg_id = $r->id;
$reg_num = $r->num;
@ -347,18 +347,18 @@ if (get_value_from_array($_POST, 'action') == 'receive_all') {
) {
// Generate project number and update it in data base
list($projectnumber, $ps, $pns, $pss) = generateProjectNumber($reg_id);
$stmt = $pdo->prepare("UPDATE projects SET projectnumber='$projectnumber',
projectsort='$ps',projectnumber_seq='$pns',projectsort_seq='$pss'
WHERE registrations_id='$reg_id' AND year='{$config['FAIRYEAR']}'");
$stmt->execute();
$stmt = $pdo->prepare("UPDATE projects SET projectnumber=?,
projectsort=?,projectnumber_seq=?,projectsort_seq=?
WHERE registrations_id=? AND year=?");
$stmt->execute([$projectnumber,$ps,$pns,$pss,$reg_id,$config['FAIRYEAR']]);
// email stuff
// get all students with this registration number
// $recipients=getEmailRecipientsForRegistration($reg_id);
// Set status to 'complete'
$stmt = $pdo->prepare("UPDATE registrations SET status='complete' WHERE num='$reg_num' AND year='{$config['FAIRYEAR']}'");
$stmt->execute();
$stmt = $pdo->prepare("UPDATE registrations SET status='complete' WHERE num=? AND year=?");
$stmt->execute([$reg_num,$config['FAIRYEAR']]);
/*foreach($recipients AS $recip) {
$to=$recip['to'];
$subsub=array();


@ -63,13 +63,13 @@ foreach ($status_str as $s => $str) {
echo '</select>';
echo '</form>';
$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year='$year' ORDER BY id");
$q->execute();
$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year=? ORDER BY id");
$q->execute([$year]);
while ($r = $q->fetch(PDO::FETCH_OBJ))
$cats[$r->id] = $r->category;
$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year='$year' ORDER BY id");
$q->execute();
$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year=? ORDER BY id");
$q->execute([$year]);
while ($r = $q->fetch(PDO::FETCH_OBJ))
$divs[$r->id] = $r->division;
@ -133,12 +133,12 @@ $q = $pdo->prepare("SELECT registrations.id AS reg_id,
left outer join projects on projects.registrations_id=registrations.id
WHERE
1
AND registrations.year='$year'
AND registrations.year=?,
$wherestatus
ORDER BY
$ORDERBY
");
$q->execute();
$q->execute([$year]);
show_pdo_errors_if_any($pdo);
$stats_totalprojects = 0;
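Review bot: The new WHERE clause reads `AND registrations.year=?,` — the trailing comma after the placeholder is a SQL syntax error, so this query now fails where the old interpolated one ran; it should be `AND registrations.year=?`. `$wherestatus` and `$ORDERBY` are still interpolated into the statement below that line; they are built outside this hunk, so if either is derived from request input it should be mapped through a fixed allowlist of status values / column names rather than pasted in (the status value itself can be bound with its own `?` and appended to the execute array). The prepared statement starts before this hunk.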
@ -188,10 +188,11 @@ while ($r = $q->fetch(PDO::FETCH_OBJ)) {
FROM
students,schools
WHERE
students.registrations_id='$r->reg_id'
students.registrations_id=?
AND
students.schools_id=schools.id
");
$sq->execute([$r->reg_id]);
show_pdo_errors_if_any($pdo);
$studnum = 1;


@ -44,12 +44,12 @@ if (get_value_from_array($_POST, 'changed')) {
$webphoto = get_value_from_2d_array($_POST, 'webphoto', $id) == 'yes' ? 'yes' : 'no';
$stmt = $pdo->prepare("UPDATE students SET
webfirst='$webfirst',
weblast='$weblast',
webphoto='$webphoto'
webfirst=?,
weblast=?,
webphoto=?
WHERE
id='$id'");
$stmt->execute();
id=?");
$stmt->execute([$webfirst,$weblast,$webphoto,$id]);
}
}
@ -87,12 +87,12 @@ $sq = $pdo->prepare("SELECT students.firstname,
students.registrations_id=registrations.id
AND\t( registrations.status = 'complete' OR registrations.status='paymentpending' )
AND\tprojects.registrations_id=registrations.id
AND \tregistrations.year='" . $config['FAIRYEAR'] . "'
AND \tprojects.year='" . $config['FAIRYEAR'] . "'
AND \tstudents.year='" . $config['FAIRYEAR'] . "'
AND \tregistrations.year=?
AND \tprojects.year=?
AND \tstudents.year=?
ORDER BY projectnumber
");
$sq->execute();
$sq->execute([$config['FAIRYEAR'],$config['FAIRYEAR'],$config['FAIRYEAR']]);
show_pdo_errors_if_any($pdo);
echo '<form method="post" action="registration_webconsent.php">';


@ -351,9 +351,9 @@ foreach($report_stock as $n=>$v) {
/* First delete all existing fields */
$stmt = $pdo->prepare("DELETE FROM reports_items
WHERE `reports_id`='{$report['id']}'
AND `type`='$type'");
$stmt->execute();
WHERE `reports_id`=?
AND `type`=?");
$stmt->execute([$report['id'],$type]);
/* Now add new ones */
if(count($report[$type]) == 0) return;
@ -385,9 +385,9 @@ foreach($report_stock as $n=>$v) {
`field`,`value`,`x`, `y`, `w`, `h`,
`lines`, `face`, `align`,`valign`,
`fontname`,`fontstyle`,`fontsize`,`on_overflow`)
VALUES $q");
VALUES ?");
$stmt->execute();
$stmt->execute([$q]);
show_pdo_errors_if_any($pdo);
}
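Review bot: `VALUES ?` with `$stmt->execute([$q])` binds the whole assembled row list in `$q` as a single string literal, so the INSERT either fails with a syntax error or stores garbage instead of rows — a placeholder stands for one value, never for a `(…),(…)` tuple list. The loop that builds `$q` is above this hunk and not visible here; the fix is to build `$q` as a comma-separated list of `(?,?,…)` groups with one `?` per column, push each field value into a `$params` array in the same order, and call `$stmt->execute($params)`. Separately, in the `@ -563` hunk of this file the removed `$stmt->execute();}` closed the function while the rewritten `$stmt->execute([$r]);` has no `}` before `function report_gen` — if the rendering is faithful that is a parse error.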
@ -404,8 +404,8 @@ foreach($report_stock as $n=>$v) {
$report = array();
$q = $pdo->prepare("SELECT * FROM reports WHERE id='$report_id'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM reports WHERE id=?");
$q->execute([$report_id]);
$r = $q->fetch(PDO::FETCH_ASSOC);
$report['name'] = get_value_from_array($r, 'name');
$report['id'] = get_value_from_array($r, 'id');
@ -430,9 +430,9 @@ foreach($report_stock as $n=>$v) {
$allow_fields=array();
$q = $pdo->prepare("SELECT * FROM reports_items
WHERE reports_id='{$report['id']}'
WHERE reports_id=?
ORDER BY `ord`");
$q->execute();
$q->execute([$report['id']]);
show_pdo_errors_if_any($pdo);
if($q->rowCount() == 0) return $report;
@ -491,8 +491,8 @@ foreach($report_stock as $n=>$v) {
} else {
/* if the report['id'] is not zero, see if this is a
* systeim report before doing anything. */
$q = $pdo->prepare("SELECT system_report_id FROM reports WHERE id='{$report['id']}'");
$q->execute();
$q = $pdo->prepare("SELECT system_report_id FROM reports WHERE id=?");
$q->execute([$report['id']]);
$i = $q->fetch(PDO::FETCH_ASSOC);
if(intval($i['system_report_id']) != 0) {
/* This is a system report, the editor (should)
@ -513,12 +513,12 @@ foreach($report_stock as $n=>$v) {
*/
$stmt = $pdo->prepare("UPDATE reports SET
`name`='".$report['name']."',
`desc`='".$report['desc']."',
`creator`='".$report['creator']."',
`type`='".$report['type']."'
WHERE `id`={$report['id']}");
$stmt->execute();
`name`=?,
`desc`=?,
`creator`=?,
`type`=?
WHERE `id`=?");
$stmt->execute([$report['name'],$report['desc'],$report['creator'],$report['type'],$report['id']]);
report_save_field($report, 'col', get_value_from_array($report, 'loc'));
report_save_field($report, 'group', array());
@ -533,7 +533,7 @@ foreach($report_stock as $n=>$v) {
{ global $pdo;
$ret = array();
$q = $pdo->prepare("SELECT * FROM reports ORDER BY `name`");
$q->execute();
while($r = $q->fetch(PDO::FETCH_ASSOC)) {
$report = array();
$report['name'] = $r['name'];
@ -551,8 +551,8 @@ foreach($report_stock as $n=>$v) {
$r = intval($report_id);
/* if the report['id'] is not zero, see if this is a
* systeim report before doing anything. */
$q = $pdo->prepare("SELECT system_report_id FROM reports WHERE id='$r'");
$q->execute();
$q = $pdo->prepare("SELECT system_report_id FROM reports WHERE id=?");
$q->execute([$r]);
$i = $q->fetch(PDO::FETCH_ASSOC);
if(intval($i['system_report_id']) != 0) {
/* This is a system report, the editor (should)
@ -563,10 +563,10 @@ foreach($report_stock as $n=>$v) {
echo "ERROR: attempt to delete a system report (reports.id=$r)";
exit;
}
$stmt = $pdo->prepare("DELETE FROM reports WHERE `id`=$r");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM reports_items WHERE `reports_id`=$r");
$stmt->execute();}
$stmt = $pdo->prepare("DELETE FROM reports WHERE `id`=?");
$stmt->execute([$r]);
$stmt = $pdo->prepare("DELETE FROM reports_items WHERE `reports_id`=?");
$stmt->execute([$r]);
function report_gen($report)


@ -39,8 +39,8 @@ switch (get_value_from_array($_GET, 'action')) {
case 'remove_report':
$id = intval($_GET['id']);
$stmt = $pdo->prepare("DELETE FROM reports_committee WHERE
users_id='{$_SESSION['users_uid']}' AND id='$id'");
$stmt->execute();
users_id=? AND id=?");
$stmt->execute([$_SESSION['users_uid'],$id]);
happy_('Report successfully removed');
exit;
case 'reload':
@ -64,16 +64,17 @@ switch (get_value_from_array($_GET, 'action')) {
$ret['name'] = $report['name'];
$ret['category'] = '';
} else {
$q = $pdo->prepare("SELECT * FROM reports_committee WHERE id='$id'");
$q = $pdo->prepare("SELECT * FROM reports_committee WHERE id=?");
$q->execute([$id]);
$ret = $q->fetch(PDO::FETCH_ASSOC);
$ret['type'] = $ret['format'];
}
/* Load available categories */
$q = $pdo->prepare("SELECT DISTINCT category FROM reports_committee
\t\t\tWHERE users_id='{$_SESSION['users_uid']}'
\t\t\tWHERE users_id=?
ORDER BY category");
$q->execute();
$q->execute([$_SESSION['users_uid']]);
while ($i = $q->fetch(PDO::FETCH_OBJ))
$ret['cat'][] = $i->category;
echo json_encode($ret);
@ -87,8 +88,8 @@ switch (get_value_from_array($_GET, 'action')) {
if ($id == -1) {
/* New entry */
$stmt = $pdo->prepare("INSERT INTO `reports_committee` (`users_id`,`reports_id`)
VALUES('{$_SESSION['users_uid']}','$reports_id');");
$stmt->execute();
VALUES(?,?);");
$stmt->execute([$_SESSION['users_uid'],$reports_id]);
show_pdo_errors_if_any($pdo);
$id = $pdo->lastInsertId();
}
@ -124,12 +125,12 @@ switch (get_value_from_array($_GET, 'action')) {
}
$stmt = $pdo->prepare("UPDATE `reports_committee` SET
`category`='$category',
`comment`='$comment',
`format`='$type',
`stock`='$stock'
WHERE id='$id'");
$stmt->execute();
`category`=?,
`comment`=?,
`format`=?,
`stock`=?
WHERE id=?");
$stmt->execute([$category,$comment,$type,$stock,$id]);
happy_('Saved');
exit;
}
@ -248,9 +249,9 @@ global $edit_mode;
$q = $pdo->prepare("SELECT reports_committee.*,reports.name
\t\t\tFROM reports_committee
LEFT JOIN reports ON reports.id=reports_committee.reports_id
\t\t\tWHERE users_id='{$_SESSION['users_uid']}'
\t\t\tWHERE users_id=?
ORDER BY category,id");
$q->execute();
$q->execute([$_SESSION['users_uid']]);
show_pdo_errors_if_any($pdo);
if ($q->rowCount() == 0) {
echo i18n('You have no reports saved');


@ -80,14 +80,14 @@ $q = $pdo->prepare("SELECT
award_types,
sponsors
WHERE
award_awards.year='$foryear'
AND\taward_types.year='$foryear'
AND\taward_awards.award_types_id=award_types.id
AND\taward_awards.sponsors_id=sponsors.id
AND\taward_awards.excludefromac='0'
$awardtype
award_awards.year=?
AND award_types.year=?
AND award_awards.award_types_id=award_types.id
AND award_awards.sponsors_id=sponsors.id
AND award_awards.excludefromac='0',
?
ORDER BY awards_order");
$q->execute();
$q->execute([$foryear,$foryear,$awardtype]);
show_pdo_errors_if_any($pdo);
// echo "<pre>";
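Review bot: `$awardtype`, bound to the bare `?` after `AND award_awards.excludefromac='0',`, is a SQL fragment — the removed line appended it to the WHERE clause — so it cannot be a placeholder value: the stray comma is a syntax error, and even without it the statement would evaluate a string literal rather than a condition. The `@ -114` hunk of this file has the same problem, binding the composed condition `$and_categories` to `AND (?)`. Both should stay SQL text built only from fixed column names, with the user-supplied values (the selected type, and the checked category ids) bound through their own `?` markers appended to the execute array — presumably something like `implode(' OR ', array_fill(0, count($ids), 'projects.projectcategories_id=?'))` with `$ids` merged into the params for the categories case. The statement starts before this hunk, so where `$awardtype` is built is not visible.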
@ -114,14 +114,14 @@ while ($r = $q->fetch(PDO::FETCH_OBJ)) {
LEFT JOIN winners ON winners.awards_prizes_id=award_prizes.id
LEFT JOIN projects ON projects.id=winners.projects_id
WHERE
award_awards_id='{$r->id}'
AND award_prizes.year='$foryear'
award_awards_id=?
AND award_prizes.year=?
AND award_prizes.excludefromac='0'
AND ($and_categories)
AND (?)
ORDER BY
`order`,
projects.projectnumber");
$pq->execute();
$pq->execute([$r->id,$foryear,$and_categories]);
show_pdo_errors_if_any($pdo);
$r->winners = array();
@ -246,10 +246,10 @@ foreach ($awards as $r) {
students,
schools
WHERE
students.registrations_id='$pr->reg_id'
students.registrations_id=?
AND students.schools_id=schools.id
");
$sq->execute();
$sq->execute([$pr->reg_id]);
$students = ' Students: ';
$studnum = 0;


@ -70,15 +70,16 @@ $pdf->setImageScale(PDF_IMAGE_SCALE_RATIO);
/* Load the users */
$users = array();
$q = $pdo->prepare("SELECT * FROM fundraising_campaigns_users_link WHERE fundraising_campaigns_id='$fcid'");
$q = $pdo->prepare("SELECT * FROM fundraising_campaigns_users_link WHERE fundraising_campaigns_id=?");
$q->execute([$fcid]);
while ($l = $q->fetch(PDO::FETCH_ASSOC)) {
$uid = $l['users_uid'];
$users[$uid] = user_load_by_uid($uid);
}
/* Grab all the emails */
$q = $pdo->prepare("SELECT * FROM emails WHERE fundraising_campaigns_id='$fcid' AND val='$key'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM emails WHERE fundraising_campaigns_id=? AND val=?");
$q->execute([$fcid,$key]);
while ($e = $q->fetch(PDO::FETCH_ASSOC)) {
foreach ($users as $uid => &$u) {


@ -61,8 +61,8 @@ echo "</td></tr>\n";
echo '<tr>';
// list award subsets to output
echo '<td><b>' . i18n('Award Type') . ':</b></td> <td> <select name="awardtype" size=1>';
$results = $pdo->prepare('SELECT type FROM award_types WHERE year=' . $config['FAIRYEAR'] . ' ORDER BY type');
$results->execute();
$results = $pdo->prepare('SELECT type FROM award_types WHERE year=? ORDER BY type');
$results->execute([$config['FAIRYEAR']]);
echo '<option value="All">' . i18n('All') . '</option>';
while ($r = $results->fetch(PDO::FETCH_OBJ)) {
echo "<option value=\"$r->type\">" . i18n("$r->type") . '</option>';
@ -94,8 +94,8 @@ echo '<td><input name="group_by_prize" type="checkbox" /></td></tr>';
echo '<tr><td><b>' . i18n('Include the following age categories') . ':</b></td>';
echo '<td>';
$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year='{$config['FAIRYEAR']}' ORDER BY id");
$q->execute();
$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year=? ORDER BY id");
$q->execute([$config['FAIRYEAR']]);
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
echo "<input name=\"show_category[{$r->id}]\" type=\"checkbox\" checked=\"checked\" />";
echo '' . i18n($r->category) . '<br />';


@ -40,8 +40,8 @@ if ($year < 1000)
/* If it's a system report, turn that into the actual report id */
if (array_key_exists('sid', $_GET)) {
$sid = intval($_GET['sid']);
$q = $pdo->prepare("SELECT id FROM reports WHERE system_report_id='$sid'");
$q->execute();
$q = $pdo->prepare("SELECT id FROM reports WHERE system_report_id=?");
$q->execute([$sid]);
$r = $q->fetch(PDO::FETCH_OBJ);
$id = $r['id'];
}
@ -91,9 +91,9 @@ switch ($_GET['action']) {
<?
/* See if the report is in this committee member's list */
$q = $pd->prepare("SELECT * FROM reports_committee
\t\t\t\tWHERE users_id='{$_SESSION['users_uid']}'
AND reports_id='{$report['id']}'");
$q->execute();
\t\t\t\tWHERE users_id=?
AND reports_id=?");
$q->execute([$_SESSION['users_uid'],$report['id']]);
if ($q->rowCount() > 0) {
$i = $q->fetch(PDO::FETCH_ASSOC);
?>
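Review bot: The prepare on the line above the rewritten WHERE uses `$pd->prepare(...)`, not `$pdo`; the commit parameterises this statement but leaves the call on an undefined variable, so the new `$q->execute([...])` never receives a statement — the line should read `$q = $pdo->prepare("SELECT * FROM reports_committee`. The first hunk of this file has a related unchanged defect: `$r = $q->fetch(PDO::FETCH_OBJ)` followed by `$id = $r['id']` indexes an object as an array, which PHP rejects; `$id = $r->id` (or fetching with `PDO::FETCH_ASSOC`) fixes it. This hunk sits inside a `switch ($_GET['action'])` case that starts before it.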
@ -223,9 +223,9 @@ echo "<td>{$report['creator']}</td></tr>";
echo '<tr><td colspan="2"><hr /></td></tr>';
/* See if the report is in this committee member's list */
$q = $pdo->prepare("SELECT * FROM reports_committee
\t\t\tWHERE users_id='{$_SESSION['users_uid']}'
AND reports_id='{$report['id']}'");
$q->execute();
\t\t\tWHERE users_id=?
AND reports_id=?");
$q->execute([$_SESSION['users_uid'],$report['id']]);
echo '<tr><td colspan="2"><h3>' . i18n('My Reports Info') . '</h3></td></tr>';
if ($q->rowCount() > 0) {
/* Yes, it is */


@ -48,8 +48,8 @@ function report_judges_load_divs($year)
/* Load divisions for this year, only once */
if (!array_key_exists($year, $report_judges_divs)) {
$report_judges_divs[$year] = array();
$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year='$year'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year=?");
$q->execute([$year]);
while (($d = $q->fetch(PDO::FETCH_ASSOC))) {
$report_judges_divs[$year][$d['id']] = $d;
}
@ -61,8 +61,8 @@ function report_judges_load_cats($year)
global $report_judges_cats;
global $pdo;
if (!array_key_exists($year, $report_judges_cats)) {
$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year='$year'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year=?");
$q->execute([$year]);
while (($c = $q->fetch(PDO::FETCH_ASSOC))) {
$report_judges_cats[$year][$c['id']] = $c;
}
@ -142,14 +142,14 @@ function report_judges_custom_question($report, $field, $text)
$users_id = $text;
/* Find the actual question ID */
$q = $pdo->prepare("SELECT * FROM questions WHERE year='$year' AND ord='$q_ord'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM questions WHERE year=? AND ord=?");
$q->execute([$year,$q_ord]);
if ($q->rowCount() != 1)
return 'Question not specified';
$question = $q->fetch(PDO::FETCH_ASSOC);
$q = $pdo->prepare("SELECT * FROM question_answers WHERE users_id='$users_id' AND questions_id='{$question['id']}'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM question_answers WHERE users_id=? AND questions_id=?");
$q->execute([$users_id,$question['id']]);
if ($q->rowCount() != 1)
return '';
$answer = $q->fetch(PDO::FETCH_ASSOC);
@ -194,9 +194,9 @@ function report_judges_team_members($report, $field, $text)
$judges_teams_id = $text;
$q = $pdo->prepare("SELECT * FROM judges_teams_link
LEFT JOIN users ON judges_teams_link.users_id=users.id
WHERE judges_teams_link.year='$year'
AND judges_teams_link.judges_teams_id='$judges_teams_id'");
$q->execute();
WHERE judges_teams_link.year=?
AND judges_teams_link.judges_teams_id=?");
$q->execute([$year,$judges_teams_id]);
$ret = '';
while (($m = $q->fetch(PDO::FETCH_ASSOC))) {
$add = false;
@ -239,8 +239,8 @@ function report_judges_load_rounds($year)
if (count($report_judges_rounds))
return;
$q = $pdo->prepare("SELECT * FROM judges_timeslots WHERE round_id='0' AND `year`='$year'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM judges_timeslots WHERE round_id='0' AND `year`=?");
$q->execute([$year]);
/* Loads judges_timeslots.id, .starttime, .endtime, .date, .name */
while ($r = $q->fetch(PDO::FETCH_ASSOC)) {
$report_judges_rounds[] = $r;
@ -258,8 +258,8 @@ function report_judges_specialaward($report, $field, $text)
global $config, $report_judges_rounds, $pdo;
$year = $report['year'];
$award_id = $text;
$q = $pdo->prepare("SELECT * FROM award_awards WHERE id='" . intval($award_id) . "'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM award_awards WHERE id=?");
$q->execute([intval($award_id)]);
$r = $q->fetch(PDO::FETCH_OBJ);
return $r->name;
}
@ -284,8 +284,8 @@ function report_judges_time_availability($report, $field, $text)
exit;
}
$q = $pdo->prepare("SELECT * FROM judges_availability WHERE users_id='$users_id'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM judges_availability WHERE users_id=?");
$q->execute([$users_id]);
// echo mysql_error();
while (($r = $q->fetch(PDO::FETCH_ASSOC))) {
if ($r['start'] <= $round['starttime'] &&


@ -77,8 +77,8 @@ foreach ($keys as $qid) {
}
// grab the list of divisions, because the last fields of the table will be the sub-divisions
$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY id");
$q->execute();
$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year=? ORDER BY id");
$q->execute([$config['FAIRYEAR']]);
$numcats = $q->rowCount();
$catheadings = array();
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
@ -86,8 +86,8 @@ while ($r = $q->fetch(PDO::FETCH_OBJ)) {
$catheadings[] = "$r->category (out of 5)";
}
// grab the list of divisions, because the last fields of the table will be the sub-divisions
$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY id");
$q->execute();
$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year=? ORDER BY id");
$q->execute([$config['FAIRYEAR']]);
$divheadings = array();
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
$divs[] = $r->id;
@ -102,8 +102,8 @@ $times = array();
$datetimeheadings = array();
/* Load the judging rounds */
$q = $pdo->prepare("SELECT date,starttime,endtime,name FROM judges_timeslots WHERE round_id='0' AND year='{$config['FAIRYEAR']}' ORDER BY starttime,type");
$q->execute();
$q = $pdo->prepare("SELECT date,starttime,endtime,name FROM judges_timeslots WHERE round_id='0' AND year=? ORDER BY starttime,type");
$q->execute([$config['FAIRYEAR']]);
$x = 0;
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
$found = false;
@ -138,13 +138,13 @@ $q = $pdo->prepare("SELECT
JOIN users_judge ON users.id=users_judge.users_id
WHERE
users.deleted='no' AND
users.year='" . $config['FAIRYEAR'] . "'
users.year=?
AND users.types LIKE '%judge%'
ORDER BY
lastname,
firstname");
$q->execute();
$q->execute([$config['FAIRYEAR']]);
show_pdo_errors_if_any($pdo);
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
$u = user_load($r->id);
@ -182,8 +182,8 @@ while ($r = $q->fetch(PDO::FETCH_OBJ)) {
$qarray[] = $qans[$qid];
}
$tq = $pdo->prepare('SELECT * FROM judges_availability WHERE users_id="' . $r->id . '" ORDER BY `start`');
$tq->execute();
$tq = $pdo->prepare('SELECT * FROM judges_availability WHERE users_id=? ORDER BY `start`');
$tq->execute([$r->id]);
$sel = array();
$timedata = array();


@ -78,8 +78,8 @@ foreach ($keys as $qid) {
}
// grab the list of divisions, because the last fields of the table will be the sub-divisions
$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY id");
$q->execute();
$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year=? ORDER BY id");
$q->execute([$config['FAIRYEAR']]);
$numcats = $q->rowCount();
$catheadings = array();
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
@ -87,8 +87,8 @@ while ($r = $q->fetch(PDO::FETCH_OBJ)) {
$catheadings[] = "$r->category (out of 5)";
}
// grab the list of divisions, because the last fields of the table will be the sub-divisions
$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY id");
$q->execute();
$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year=? ORDER BY id");
$q->execute([$config['FAIRYEAR']]);
$divheadings = array();
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
$divs[] = $r->id;


@ -45,8 +45,8 @@ if ($type == 'pdf') {
$teams = getJudgingTeams();
$q = $pdo->prepare("SELECT DISTINCT(date) AS d FROM judges_timeslots WHERE year='" . $config['FAIRYEAR'] . "'");
$q->execute();
$q = $pdo->prepare("SELECT DISTINCT(date) AS d FROM judges_timeslots WHERE year=?");
$q->execute([$config['FAIRYEAR']]);
if ($q->rowCount() > 1)
$show_date = true;
else
@ -83,8 +83,8 @@ foreach ($teams AS $team) {
$rep->addText(i18n('Criteria') . ': ' . $award['criteria']);
// get category eligibility
$q = $pdo->prepare("SELECT projectcategories.category FROM projectcategories, award_awards_projectcategories WHERE award_awards_projectcategories.projectcategories_id=projectcategories.id AND award_awards_projectcategories.award_awards_id='{$award['id']}' AND award_awards_projectcategories.year='{$config['FAIRYEAR']}' AND projectcategories.year='{$config['FAIRYEAR']}' ORDER BY category");
$q->execute();
$q = $pdo->prepare("SELECT projectcategories.category FROM projectcategories, award_awards_projectcategories WHERE award_awards_projectcategories.projectcategories_id=projectcategories.id AND award_awards_projectcategories.award_awards_id=? AND award_awards_projectcategories.year=? AND projectcategories.year=? ORDER BY category");
$q->execute([$award['id'],$config['FAIRYEAR'],$config['FAIRYEAR']]);
show_pdo_errors_if_any($pdo);
$cats = '';
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
@ -96,8 +96,8 @@ foreach ($teams AS $team) {
$rep->addText(i18n('Categories') . ": $cats");
// get division eligibility
$q = $pdo->prepare("SELECT projectdivisions.division_shortform FROM projectdivisions, award_awards_projectdivisions WHERE award_awards_projectdivisions.projectdivisions_id=projectdivisions.id AND award_awards_projectdivisions.award_awards_id='{$award['id']}' AND award_awards_projectdivisions.year='{$config['FAIRYEAR']}' AND projectdivisions.year='{$config['FAIRYEAR']}' ORDER BY division_shortform");
$q->execute();
$q = $pdo->prepare("SELECT projectdivisions.division_shortform FROM projectdivisions, award_awards_projectdivisions WHERE award_awards_projectdivisions.projectdivisions_id=projectdivisions.id AND award_awards_projectdivisions.award_awards_id=? AND award_awards_projectdivisions.year=? AND projectdivisions.year=? ORDER BY division_shortform");
$q->execute([$award['id'],$config['FAIRYEAR'],$config['FAIRYEAR']]);
show_pdo_errors_if_any($pdo);
$divs = '';
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
@ -123,13 +123,13 @@ foreach ($teams AS $team) {
judges_teams,
judges_teams_timeslots_link
WHERE
judges_teams.id='" . $team['id'] . "' AND
judges_teams.id=? AND
judges_teams.id=judges_teams_timeslots_link.judges_teams_id AND
judges_timeslots.id=judges_teams_timeslots_link.judges_timeslots_id
ORDER BY
date,starttime
");
$q->execute();
$q->execute([$team['id']]);
$numslots = $q->rowCount();
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
@ -147,14 +147,14 @@ foreach ($teams AS $team) {
projects,
judges_teams_timeslots_projects_link
WHERE
judges_teams_timeslots_projects_link.judges_timeslots_id='$r->id' AND
judges_teams_timeslots_projects_link.judges_teams_id='" . $team['id'] . "' AND
judges_teams_timeslots_projects_link.judges_timeslots_id=? AND
judges_teams_timeslots_projects_link.judges_teams_id=? AND
judges_teams_timeslots_projects_link.projects_id=projects.id AND
judges_teams_timeslots_projects_link.year='" . $config['FAIRYEAR'] . "'
judges_teams_timeslots_projects_link.year=?
ORDER BY
projectnumber
");
$projq->execute();
$projq->execute([$r->id,$team['id'],$config['FAIRYEAR']]);
while ($proj = $projq->fetch(PDO::FETCH_OBJ)) {
$table['data'][] = array($timeslot, $proj->projectnumber, $proj->title);


@ -83,11 +83,11 @@ if ($report) {
FROM
schools
WHERE
year='{$config['FAIRYEAR']}'
year=?
ORDER BY
school
");
$q->execute();
$q->execute([$config['FAIRYEAR']]);
break;
case 'sponsors':
@ -129,11 +129,11 @@ if ($report) {
judges_years
WHERE
judges_years.judges_id=judges.id
AND judges_years.year='{$config['FAIRYEAR']}'
AND judges_years.year=?
ORDER BY
lastname,firstname
");
$q->execute();
$q->execute([$config['FAIRYEAR']]);
break;
}


@ -30,13 +30,13 @@ $q = $pdo->prepare("SELECT
award_awards,
award_types
WHERE
award_awards.year='" . $config['FAIRYEAR'] . "'
AND\taward_types.year='" . $config['FAIRYEAR'] . "'
award_awards.year=?
AND\taward_types.year=?
AND\taward_awards.award_types_id=award_types.id
AND\taward_awards.excludefromac='0'
AND\t(award_types.type='special' OR award_types.type='grand')
ORDER BY awards_order");
$q->execute();
$q->execute([$config['FAIRYEAR'],$config['FAIRYEAR']]);
show_pdo_errors_if_any($pdo);
@ -45,8 +45,8 @@ if ($q->rowCount()) {
$rep->heading(i18n($r->name));
// get teh age categories
$acq = $pdo->prepare("SELECT projectcategories.category FROM projectcategories, award_awards_projectcategories WHERE projectcategories.year='" . $config['FAIRYEAR'] . "' AND award_awards_projectcategories.year='" . $config['FAIRYEAR'] . "' AND award_awards_projectcategories.award_awards_id='$r->id' AND award_awards_projectcategories.projectcategories_id=projectcategories.id ORDER BY projectcategories.id");
$acq->execute();
$acq = $pdo->prepare("SELECT projectcategories.category FROM projectcategories, award_awards_projectcategories WHERE projectcategories.year=? AND award_awards_projectcategories.year=? AND award_awards_projectcategories.award_awards_id=? AND award_awards_projectcategories.projectcategories_id=projectcategories.id ORDER BY projectcategories.id");
$acq->execute([$config['FAIRYEAR'],$config['FAIRYEAR'],$r->id]);
show_pdo_errors_if_any($pdo);
$cats = '';
while ($acr = $acq->fetch(PDO::FETCH_OBJ)) {
@ -64,12 +64,12 @@ if ($q->rowCount()) {
FROM
award_prizes
WHERE
award_awards_id='$r->id'
AND award_prizes.year='" . $config['FAIRYEAR'] . "'
award_awards_id=?
AND award_prizes.year=?
AND award_prizes.excludefromac='0'
ORDER BY
`order`");
$pq->execute();
$pq->execute([$r->id,$config['FAIRYEAR']]);
show_pdo_errors_if_any($pdo);
$prevprizeid = -1;
while ($pr = $pq->fetch(PDO::FETCH_OBJ)) {


@ -65,14 +65,15 @@ $projq = $pdo->prepare("SELECT
LEFT JOIN projectcategories ON projectcategories.id=projects.projectcategories_id
WHERE
projects.year='" . $config['FAIRYEAR'] . "'
AND projectdivisions.year='" . $config['FAIRYEAR'] . "'
AND projectcategories.year='" . $config['FAIRYEAR'] . "'
projects.year=?
AND projectdivisions.year=?
AND projectcategories.year=?
AND ( registrations.status='complete'
\t OR registrations.status='paymentpending' )
ORDER BY
projects.projectnumber
");
$projq->execute([$config['FAIRYEAR'],$config['FAIRYEAR'],$config['FAIRYEAR']]);
show_pdo_errors_if_any($pdo);
$totalprojects = $projq->rowCount();
@ -85,9 +86,9 @@ while ($proj = $projq->fetch(PDO::FETCH_OBJ)) {
FROM
students
WHERE
students.registrations_id='$proj->reg_id'
students.registrations_id=?
");
$sq->execute();
$sq->execute([$proj->reg_id]);
$students = '';
$studnum = 0;
while ($studentinfo = $sq->fetch(PDO::FETCH_OBJ)) {
@ -115,8 +116,8 @@ while ($proj = $projq->fetch(PDO::FETCH_OBJ)) {
$rep->addTable($table);
unset($table);
$q = $pdo->prepare("SELECT * FROM mentors WHERE registrations_id='" . $proj->reg_id . "'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM mentors WHERE registrations_id=?");
$q->execute([$proj->reg_id]);
$rep->nextline();
$rep->heading(i18n('Mentor Information'));
$rep->nextline();


@ -49,8 +49,8 @@ if ($type == 'pdf') {
$teams = getJudgingTeams();
$q = $pdo->prepare("SELECT DISTINCT(date) AS d FROM judges_timeslots WHERE year='" . $config['FAIRYEAR'] . "'");
$q->execute();
$q = $pdo->prepare("SELECT DISTINCT(date) AS d FROM judges_timeslots WHERE year=?");
$q->execute([$config['FAIRYEAR']]);
if ($q->rowCount() > 1)
$show_date = true;
else
@ -73,15 +73,15 @@ $projq = $pdo->prepare("SELECT
LEFT JOIN projectcategories ON projectcategories.id=projects.projectcategories_id
WHERE
projects.year='" . $config['FAIRYEAR'] . "'
AND projectdivisions.year='" . $config['FAIRYEAR'] . "'
AND projectcategories.year='" . $config['FAIRYEAR'] . "'
projects.year=?
AND projectdivisions.year=?
AND projectcategories.year=?
AND ( registrations.status='complete'
\t OR registrations.status='paymentpending' )
ORDER BY
projects.projectnumber
");
$projq->execute();
$projq->execute([$config['FAIRYEAR'],$config['FAIRYEAR'],$config['FAIRYEAR']]);
show_pdo_errors_if_any($pdo);
while ($proj = $projq->fetch(PDO::FETCH_OBJ)) {
@ -92,9 +92,9 @@ while ($proj = $projq->fetch(PDO::FETCH_OBJ)) {
FROM
students
WHERE
students.registrations_id='$proj->reg_id'
students.registrations_id=?
");
$sq->execute();
$sq->execute([$proj->reg_id]);
$students = '';
$studnum = 0;
@ -127,12 +127,12 @@ while ($proj = $projq->fetch(PDO::FETCH_OBJ)) {
LEFT JOIN judges_timeslots ON judges_teams_timeslots_projects_link.judges_timeslots_id=judges_timeslots.id
LEFT JOIN judges_teams ON judges_teams_timeslots_projects_link.judges_teams_id=judges_teams.id
WHERE
judges_teams_timeslots_projects_link.projects_id='$proj->id'
AND judges_teams_timeslots_projects_link.year='" . $config['FAIRYEAR'] . "'
judges_teams_timeslots_projects_link.projects_id=?
AND judges_teams_timeslots_projects_link.year=?
ORDER BY
date,starttime
");
$q->execute();
$q->execute([$proj->id,$config['FAIRYEAR']]);
$numslots = $q->rowCount();
while ($r = $q->fetch(PDO::FETCH_OBJ)) {


@ -81,9 +81,9 @@ function report_student_safety_question($report, $field, $text)
safety.answer
FROM safetyquestions
JOIN safety ON safetyquestions.id=safety.safetyquestions_id
WHERE safety.registrations_id='" . $regid . "'
WHERE safety.registrations_id=?
ORDER BY safetyquestions.ord LIMIT $q_ord,1");
$q->execute();
$q->execute([$regid]);
$r = $q->fetch(PDO::FETCH_OBJ);
return $r->answer;
@ -94,9 +94,9 @@ function reports_students_numstudents($report, $field, $text)
global $pdo;
$year = $report['year'];
$q = $pdo->prepare("SELECT students.id FROM students
WHERE students.registrations_id='$text'
AND students.year='$year'");
$q->execute();
WHERE students.registrations_id=?
AND students.year=?");
$q->execute([$text,$year]);
return $q->rowCount();
}
@ -108,11 +108,11 @@ function reports_students_award_selfnom_num($report, $field, $text, $n)
projects
LEFT JOIN project_specialawards_link ON project_specialawards_link.projects_id=projects.id
LEFT JOIN award_awards ON award_awards.id=project_specialawards_link.award_awards_id
WHERE projects.id='$text'
AND projects.year='$year'
AND project_specialawards_link.year='$year'
LIMIT $n,1");
$q->execute();
WHERE projects.id=?
AND projects.year=?
AND project_specialawards_link.year=?
LIMIT ?,1");
$q->execute([$text,$year,$year,$n]);
show_pdo_errors_if_any($pdo);
$i = $q->fetch(PDO::FETCH_OBJ);
return $i['name'];
@ -157,8 +157,8 @@ function report_student_regfee_item($report, $field, $text)
{
$year = $report['year'];
$id = intval(substr($field, 12));
$q = $pdo->prepare("SELECT regfee_items_id FROM regfee_items_link WHERE students_id='$text' AND regfee_items_id='$id'");
$q->execute();
$q = $pdo->prepare("SELECT regfee_items_id FROM regfee_items_link WHERE students_id=? AND regfee_items_id=?");
$q->execute([$text,$id]);
show_pdo_errors_if_any($pdo);
if ($r = $q->fetch(PDO::FETCH_OBJ)) {
return i18n('Yes');
@ -167,8 +167,8 @@ function report_student_regfee_item($report, $field, $text)
}
}
$q = $pdo->prepare("SELECT * FROM regfee_items WHERE year='{$config['FAIRYEAR']}'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM regfee_items WHERE year=?");
$q->execute([$config['FAIRYEAR']]);
$regfeeitems = array();
$first = true;
while ($i = $q->fetch(PDO::FETCH_ASSOC)) {
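Review bot: `LIMIT ?,1` in the `reports_students_award_selfnom_num` hunk binds `$n` through `execute([...])`, which sends every value as a string; if `PDO::ATTR_EMULATE_PREPARES` is left at its MySQL default that renders as `LIMIT '0',1` and the query fails. Bind the offset as an integer instead, `$q->bindValue(4, (int) $n, PDO::PARAM_INT);` (binding the first three values the same way), and the same applies to `$q_ord`, which is still interpolated into `LIMIT $q_ord,1` in the `report_student_safety_question` hunk and should at least be cast with `intval()`. In the same function, `$i = $q->fetch(PDO::FETCH_OBJ)` followed by `return $i['name']` indexes an object as an array and throws on PHP 8; it should be `return $i ? $i->name : '';`. Both enclosing functions start outside their hunks.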


@ -40,122 +40,124 @@ $newfairyear = 2008;
// first make sure they have indeed done the rollover...
if ($config['FAIRYEAR'] == 2008) {
// make sure the number of awards are identical (aka they havent added any new ones)
$nq1 = $pdo->prepare("SELECT * FROM award_awards WHERE year='$newfairyear'");
$nq1->execute();
$nq2 = $pdo->prepare("SELECT * FROM award_awards WHERE year='$currentfairyear'");
$nq2->execute();
$nq1 = $pdo->prepare("SELECT * FROM award_awards WHERE year=?");
$nq1->execute([$newfairyear]);
$nq2 = $pdo->prepare("SELECT * FROM award_awards WHERE year=?");
$nq2->execute([$currentfairyear]);
if ($nq1->rowCount() == $nq2->rowcount()) {
$npq1 = $pdo->prepare("SELECT * FROM award_prizes WHERE year='$newfairyear'");
$npq1->execute();
$npq2 = $pdo->prepare("SELECT * FROM award_prizes WHERE year='$currentfairyear'");
$npq2->execute();
$npq1 = $pdo->prepare("SELECT * FROM award_prizes WHERE year?");
$npq1->execute([$newfairyear]);
$npq2 = $pdo->prepare("SELECT * FROM award_prizes WHERE year=?");
$npq2->execute([$currentfairyear]);
if ($npq2->rowCount() > 0 && $npq1->rowCount() == 0) {
echo '<br />';
echo notice(i18n('A BUG WAS IDENTIFIED IN YOUR PREVIOUS YEAR ROLLOVER WHICH CAUSED AWARD PRIZES TO NOT BE ROLLED OVER PROPERLY. THEY ARE NOW BEING RE-ROLLED OVER WITH THE PROPER PRIZE INFORMATION. THIS WILL ONLY HAPPEN ONCE.')) . '<br />';
$stmt = $pdo->prepare("DELETE FROM award_awards WHERE year='$newfairyear'");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM award_prizes WHERE year='$newfairyear'");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM award_contacts WHERE year='$newfairyear'");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM award_types WHERE year='$newfairyear'");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM award_awards_projectcategories WHERE year='$newfairyear'");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM award_awards_projectdivisions WHERE year='$newfairyear'");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM award_awards WHERE year=?");
$stmt->execute([$newfairyear]);
$stmt = $pdo->prepare("DELETE FROM award_prizes WHERE year=?");
$stmt->execute([$newfairyear]);
$stmt = $pdo->prepare("DELETE FROM award_contacts WHERE year=?");
$stmt->execute([$newfairyear]);
$stmt = $pdo->prepare("DELETE FROM award_types WHERE year=?");
$stmt->execute([$newfairyear]);
$stmt = $pdo->prepare("DELETE FROM award_awards_projectcategories WHERE year=?");
$stmt->execute([$newfairyear]);
$stmt = $pdo->prepare("DELETE FROM award_awards_projectdivisions WHERE year=?");
$stmt->execute([$newfairyear]);
echo i18n('Rolling awards') . '<br />';
// awards
$q = $pdo->prepare("SELECT * FROM award_awards WHERE year='$currentfairyear'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM award_awards WHERE year=?");
$q->execute([$currentfairyear]);
show_pdo_errors_if_any($pdo);
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
$stmt = $pdo->prepare("INSERT INTO award_awards (award_sponsors_id,award_types_id,name,criteria,presenter,`order`,year,excludefromac,cwsfaward) VALUES (
'" . $r->award_sponsors_id . "',
'" . $r->award_types_i . "',
'" . $r->name . "',
'" . $r->criteria . "',
'" . $r->presenter . "',
'" . $r->order . "',
'" . $newfairyear . "',
'" . $r->excludefromac . "',
'" . $r->cwsfaward . "')");
?,
?,
?,
?,
?,
?,
?,
?,
?)");
$stmt->execute([$r->award_sponsors_id,$r->award_types_i ,$r->name,$r->criteria,$r->presenter,$r->order,$newfairyear,$r->excludefromac,$r->cwsfaward ]);
$award_awards_id = $pdo->lastInsertId();
$q2 = $pdo->prepare("SELECT * FROM award_awards_projectcategories WHERE year='$currentfairyear' AND award_awards_id='$r->id'");
$q2->execute();
$q2 = $pdo->prepare("SELECT * FROM award_awards_projectcategories WHERE year=? AND award_awards_id=?");
$q2->execute([$currentfairyear,$r->id]);
show_pdo_errors_if_any($pdo);
while ($r2 = $q2->fetch(PDO::FETCH_OBJ)) {
$stmt = $pdo->prepare("INSERT INTO award_awards_projectcategories (award_awards_id,projectcategories_id,year) VALUES (
'" . $award_awards_id . "',
'" . $r2->projectcategories_id . "',
'" . $newfairyear . "')");
$stmt->execute();
?,
?,
?)");
$stmt->execute([$award_awards_id,$r2->projectcategories_id,$newfairyear]);
}
$q2 = $pdo->prepare("SELECT * FROM award_awards_projectdivisions WHERE year='$currentfairyear' AND award_awards_id='$r->id'");
$q2->execute();
$q2 = $pdo->prepare("SELECT * FROM award_awards_projectdivisions WHERE year=? AND award_awards_id=?");
$q2->execute([$currentfairyear,$r->id]);
show_pdo_errors_if_any($pdo);
while ($r2 = $q2->fetch(PDO::FETCH_OBJ)) {
$stmt = $pdo->prepare("INSERT INTO award_awards_projectdivisions (award_awards_id,projectdivisions_id,year) VALUES (
'" . $award_awards_id . "',
'" . $r2->projectdivisions_id . "',
'" . $newfairyear . "')");
$stmt->execute();
?,
?,
?");
$stmt->execute([$award_awards_id,$r2->projectdivisions_id,$newfairyear]);
}
echo i18n('&nbsp; Rolling award prizes') . '<br />';
$q2 = $pdo->prepare("SELECT * FROM award_prizes WHERE year='$currentfairyear' AND award_awards_id='$r->id'");
$q2->execute();
$q2 = $pdo->prepare("SELECT * FROM award_prizes WHERE year=? AND award_awards_id=?");
$q2->execute([$currentfairyear,$r->id]);
show_pdo_errors_if_any($pdo);
while ($r2 = $q2->fetch(PDO::FETCH_OBJ)) {
$stmt = $pdo->prepare("INSERT INTO award_prizes (award_awards_id,cash,scholarship,`value`,prize,number,`order`,year,excludefromac) VALUES (
'" . $award_awards_id . "',
'" . $r2->cash . "',
'" . $r2->scholarship . "',
'" . $r2->value . "',
'" . $r2->prize . "',
'" . $r2->number . "',
'" . $r2->order . "',
'" . $newfairyear . "',
'" . $r2->excludefromac . "')");
?,
?,
?,
?,
?,
?,
?,
?,
?)");
}
}
$q2->execute([$award_awards_id,$r2->cash,$r2->scholarship,$r2->value,$r2->prize,$r2->number,$r2->order,$newfairyear,$r2->excludefromac]);
echo i18n('Rolling award contacts') . '<br />';
// award contacts
$q = $pdo->prepare("SELECT * FROM award_contacts WHERE year='$currentfairyear'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM award_contacts WHERE year=?");
$q->execute([$currentfairyear]);
show_pdo_errors_if_any($pdo);
while ($r = $q->fetch(PDO::FETCH_OBJ))
$stmt = $pdo->prepare("INSERT INTO award_contacts (award_sponsors_id,salutation,firstname,lastname,position,email,phonehome,phonework,phonecell,fax,notes,year) VALUES (
'" . $r->award_sponsors_id . "',
'" . $r->salutation . "',
'" . $r->firstname . "',
'" . $r->lastname . "',
'" . $r->position . "',
'" . $r->email . "',
'" . $r->phonehome . "',
'" . $r->phonework . "',
'" . $r->phonecell . "',
'" . $r->fax . "',
'" . $r->notes . "',
'" . $newfairyear . "')");
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?)");
$stmt->execute([$r->award_sponsors_id,$r->salutation,$r->firstname,$r->lastname,$r->position,$r->email,$r->phonehome,$r->phonework,$r->phonecell,$r->fax,$r->notes,$newfairyear]);
echo i18n('Rolling award types') . '<br />';
// award types
$q = $pdo->prepare("SELECT * FROM award_types WHERE year='$currentfairyear'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM award_types WHERE year=?");
$q->execute([$currentfairyear]);
show_pdo_errors_if_any($pdo);
while ($r = $q->fetch(PDO::FETCH_OBJ))
$stmt = $pdo->prepare("INSERT INTO award_types (id,type,`order`,year) VALUES (
'" . $r->id . "',
'" . $r->type . "',
'" . $r->order . "',
'" . $newfairyear . "')");
$stmt->execute();
?,
?,
?,
?)");
$stmt->execute([$r->id,$r->type,$r->order,$newfairyear]);
}
}
}
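Review bot: The award_prizes copy never runs: the `INSERT INTO award_prizes` statement is prepared inside `while ($r2 = $q2->fetch(...))` but its `execute()` was dropped, and the `$q2->execute([$award_awards_id,$r2->cash,...])` placed after the two closing braces re-executes the two-placeholder SELECT with nine values once both loops have ended. Two of the new SQL strings are also malformed: `SELECT * FROM award_prizes WHERE year?` lacks the `=`, and the `award_awards_projectdivisions` insert ends with `?");` where `?)");` is needed. The `award_contacts` and `award_types` loops have no braces, so only the `prepare()` repeats and the single `execute()` after each loop runs with `$r === false`, inserting one row of nulls; wrap each loop body in `{ }`. `$r->award_types_i`, carried over from the old code, reads a property the `SELECT *` row presumably lacks — likely `award_types_id`, confirm against the schema. The fence shows the prizes loop as it should read.
```php
// … unchanged: SELECT * FROM award_prizes WHERE year=? AND award_awards_id=? and its execute …
while ($r2 = $q2->fetch(PDO::FETCH_OBJ)) {
    $stmt = $pdo->prepare("INSERT INTO award_prizes (award_awards_id,cash,scholarship,`value`,prize,number,`order`,year,excludefromac) VALUES (?,?,?,?,?,?,?,?,?)");
    $stmt->execute([$award_awards_id, $r2->cash, $r2->scholarship, $r2->value, $r2->prize, $r2->number, $r2->order, $newfairyear, $r2->excludefromac]);
}
// … unchanged: closing brace of the award_awards loop, then the contacts/types rollover …
```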


@ -33,8 +33,8 @@ user_auth_required('committee', 'admin');
if (get_value_from_array($_POST, 'save') == 'edit' || get_value_from_array($_POST, 'save') == 'add') {
if (get_value_from_array($_POST, 'save') == 'add') {
$q = $pdo->prepare("INSERT INTO schools (year) VALUES ('" . $config['FAIRYEAR'] . "')");
$q->execute();
$q = $pdo->prepare("INSERT INTO schools (year) VALUES (?)");
$q->execute([$config['FAIRYEAR']]);
$id = $pdo->lastInsertId();
} else
$id = intval(get_value_from_array($_POST, 'id'));
@ -49,8 +49,8 @@ if (get_value_from_array($_POST, 'save') == 'edit' || get_value_from_array($_POS
*/
/* Get the uids for principal/science head */
$q = $pdo->prepare("SELECT principal_uid,sciencehead_uid FROM schools WHERE id='$id'");
$q->execute();
$q = $pdo->prepare("SELECT principal_uid,sciencehead_uid FROM schools WHERE id=?");
$q->execute([$id]);
$i = $q->fetch(PDO::FETCH_ASSOC);
$principal_update = '';
@ -154,31 +154,54 @@ if (get_value_from_array($_POST, 'save') == 'edit' || get_value_from_array($_POS
user_save($sh);
}
$exec = 'UPDATE schools SET '
. "school='" . get_value_from_array($_POST, 'school') . "', "
. "schoollang='" . get_value_from_array($_POST, 'schoollang') . "', "
. "designate='" . get_value_from_array($_POST, 'schooldesignate') . "', "
. "schoollevel='" . get_value_from_array($_POST, 'schoollevel') . "', "
. "school='" . get_value_from_array($_POST, 'school') . "', "
. "board='" . get_value_from_array($_POST, 'board') . "', "
. "district='" . get_value_from_array($_POST, 'district') . "', "
. "address='" . get_value_from_array($_POST, 'address') . "', "
. "city='" . get_value_from_array($_POST, 'city') . "', "
. "province_code='" . get_value_from_array($_POST, 'province_code') . "', "
. "postalcode='" . get_value_from_array($_POST, 'postalcode') . "', "
. "schoolemail='" . get_value_from_array($_POST, 'schoolemail') . "', "
. "phone='" . get_value_from_array($_POST, 'phone') . "', "
. "fax='" . get_value_from_array($_POST, 'fax') . "', "
. "registration_password='" . get_value_from_array($_POST, 'registration_password') . "', "
. "projectlimit='" . get_value_from_array($_POST, 'projectlimit') . "', "
. "projectlimitper='" . get_value_from_array($_POST, 'projectlimitper') . "', "
. "accesscode='" . get_value_from_array($_POST, 'accesscode') . "', "
. $sciencehead_update . $principal_update
. "atrisk='$atrisk' "
. "WHERE id='$id'";
$stmt = $pdo->prepare($exec);
$stmt->execute();
show_pdo_errors_if_any($pdo);
$exec = 'UPDATE schools SET
school=?,
schoollang=?,
designate=?,
schoollevel=?,
board=?,
district=?,
address=?,
city=?,
province_code=?,
postalcode=?,
schoolemail=?,
phone=?,
fax=?,
registration_password=?,
projectlimit=?,
projectlimitper=?,
accesscode=?,
sciencehead=?,
principal=?,
atrisk=?
WHERE id=?';
$stmt = $pdo->prepare($exec);
$stmt->execute([
get_value_from_array($_POST, 'school'),
get_value_from_array($_POST, 'schoollang'),
get_value_from_array($_POST, 'designate'), // FIXED: Corrected key name
get_value_from_array($_POST, 'schoollevel'),
get_value_from_array($_POST, 'board'),
get_value_from_array($_POST, 'district'),
get_value_from_array($_POST, 'address'),
get_value_from_array($_POST, 'city'),
get_value_from_array($_POST, 'province_code'),
get_value_from_array($_POST, 'postalcode'),
get_value_from_array($_POST, 'schoolemail'),
get_value_from_array($_POST, 'phone'),
get_value_from_array($_POST, 'fax'),
get_value_from_array($_POST, 'registration_password'),
get_value_from_array($_POST, 'projectlimit'),
get_value_from_array($_POST, 'projectlimitper'),
get_value_from_array($_POST, 'accesscode'),
get_value_from_array($_POST, 'sciencehead'), // FIXED: Using function for consistency
get_value_from_array($_POST, 'principal'),
get_value_from_array($_POST, 'atrisk'),
get_value_from_array($_POST, 'id')
]);
if (get_value_from_array($_POST, 'save') == 'add')
$notice = 'added';
@ -187,24 +210,24 @@ if (get_value_from_array($_POST, 'save') == 'edit' || get_value_from_array($_POS
}
if (get_value_from_array($_GET, 'action') == 'delete' && get_value_from_array($_GET, 'delete', '')) {
$stmt = $pdo->prepare("DELETE FROM schools WHERE id='" . $_GET['delete'] . "'");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM schools WHERE id=?");
$stmt->execute([$_GET['delete']]);
$notice = 'deleted';
}
if (get_value_from_array($_GET, 'action') == 'clearaccesscodes') {
$stmt = $pdo->prepare("UPDATE schools SET accesscode=NULL WHERE year='{$config['FAIRYEAR']}'");
$stmt->execute();
$stmt = $pdo->prepare("UPDATE schools SET accesscode=NULL WHERE year=?");
$stmt->execute([$config['FAIRYEAR']]);
$notice = 'clearaccess';
}
if (get_value_from_array($_GET, 'action') == 'makeaccesscodes') {
$q = $pdo->prepare("SELECT id FROM schools WHERE year='{$config['FAIRYEAR']}' AND (accesscode IS NULL OR accesscode='')");
$q->execute();
$q = $pdo->prepare("SELECT id FROM schools WHERE year=? AND (accesscode IS NULL OR accesscode='')");
$q->execute([$config['FAIRYEAR']]);
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
$ac = generatePassword(5);
$stmt = $pdo->prepare("UPDATE schools SET accesscode='$ac' WHERE id='$r->id' AND year='{$config['FAIRYEAR']}'");
$stmt->execute();
$stmt = $pdo->prepare("UPDATE schools SET accesscode=? WHERE id=? AND year=?");
$stmt->execute([$ac,$r->id,$config['FAIRYEAR']]);
}
$notice = 'makeaccess';
}
@ -217,8 +240,8 @@ if (get_value_from_array($_GET, 'action') == 'edit' || get_value_from_array($_GE
'schools_management');
if (get_value_from_array($_GET, 'action') == 'edit') {
$buttontext = 'Save School';
$q = $pdo->prepare("SELECT * FROM schools WHERE id='" . get_value_from_array($_GET, 'edit', '') . "'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM schools WHERE id=?");
$q->execute([get_value_from_array($_GET, 'edit', '')]);
$r = $q->fetch(PDO::FETCH_OBJ);
} else if (get_value_from_array($_GET, 'action') == 'add') {
$buttontext = 'Add School';
@ -371,8 +394,8 @@ if (get_value_from_array($_GET, 'action') == 'edit' || get_value_from_array($_GE
echo ' <th>' . i18n('Action') . '</th>';
echo "</tr></thead>\n";
$q = $pdo->prepare("SELECT * FROM schools WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY school");
$q->execute();
$q = $pdo->prepare("SELECT * FROM schools WHERE year=? ORDER BY school");
$q->execute([$config['FAIRYEAR']]);
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
echo "<tr>\n";
echo " <td>$r->school</td>\n";
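Review bot: The `WHERE id=?` value in the schools UPDATE is bound from `get_value_from_array($_POST, 'id')`, but on the `add` path `$id` comes from `$pdo->lastInsertId()` and the POST carries no id, so the freshly inserted school row is never updated; bind `$id` as the last array element instead of `get_value_from_array($_POST, 'id')`. The SET list now hard-codes `sciencehead=?` and `principal=?` filled straight from POST, while the query above selects `principal_uid,sciencehead_uid` and the code still builds `$sciencehead_update`/`$principal_update`, which are now dead — presumably the uids obtained via `user_save()` should be bound to the `_uid` columns rather than raw POST values; confirm against the schema. `atrisk` was previously taken from the precomputed `$atrisk` and `designate` from the `schooldesignate` field, so `$atrisk,` should replace `get_value_from_array($_POST, 'atrisk'),` and the renamed `designate` key only works if the form field was renamed too. The enclosing `if` block starts outside the hunk.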


@ -49,8 +49,8 @@ if (get_value_from_array($_POST, 'action') == 'import') {
// okay it looks like we have something.. lets dump the current stuff
if ($_POST['emptycurrent'] == 1) {
echo happy(i18n('Old school data erased'));
$stmt = $pdo->prepare("DELETE FROM schools WHERE year='" . $config['FAIRYEAR'] . "'");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM schools WHERE year=?");
$stmt->execute([$config['FAIRYEAR']]);
}
$loaded = 0;
@ -87,26 +87,29 @@ if (get_value_from_array($_POST, 'action') == 'import') {
user_save($principal);
}
$stmt = $pdo->prepare("INSERT INTO schools (school,schoollang,schoollevel,board,district,phone,fax,address,city,province_code,postalcode,schoolemail,accesscode,registration_password,projectlimit,projectlimitper,year,principal_uid,sciencehead_uid) VALUES (
'" . stripslashes($row[0]) . "',
'" . stripslashes($row[1]) . "',
'" . stripslashes($row[2]) . "',
'" . stripslashes($row[3]) . "',
'" . stripslashes($row[4]) . "',
'" . stripslashes($row[5]) . "',
'" . stripslashes($row[6]) . "',
'" . stripslashes($row[7]) . "',
'" . stripslashes($row[8]) . "',
'" . stripslashes($row[9]) . "',
'" . stripslashes($row[10]) . "',
'" . stripslashes($row[14]) . "',
'" . stripslashes($row[18]) . "',
'" . stripslashes($row[19]) . "',
'" . stripslashes($row[20]) . "',
'" . stripslashes($row[21]) . "',
'" . $config['FAIRYEAR'] . "',
'" . $principal['uid'] . "',
'" . $scienceHead['uid'] . "')");
$stmt->execute();
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?)");
$stmt->execute([stripslashes($row[0]),stripslashes($row[1],stripslashes($row[2]),stripslashes($row[3])),
stripslashes($row[4]),stripslashes($row[5]),stripslashes($row[6]),stripslashes($row[7]),stripslashes($row[8]),
stripslashes($row[9]),stripslashes($row[10]),stripslashes($row[14]),stripslashes($row[18]),stripslashes($row[19]),
stripslashes($row[20]),stripslashes($row[21]),$config['FAIRYEAR'],$principal['uid'],$scienceHead['uid']]);
if (!$pdo->errorInfo())
$loaded++;
else
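Review bot: The bound-value array at `$stmt->execute([...])` is mis-parenthesised: `stripslashes($row[1],stripslashes($row[2]),stripslashes($row[3]))` passes three arguments to `stripslashes()`, which is an ArgumentCountError on PHP 8, and even if it ran the array would hold 17 values for 19 placeholders. Each column needs its own `stripslashes($row[i])` element, as in the fence. Separately, `if (!$pdo->errorInfo())` never takes the success branch because `errorInfo()` always returns an array; checking the boolean result of `execute()` (`if ($stmt->execute([...])) $loaded++;`) gives the intended count. The enclosing import loop starts outside the hunk.
```php
$stmt->execute([
    stripslashes($row[0]), stripslashes($row[1]), stripslashes($row[2]), stripslashes($row[3]),
    stripslashes($row[4]), stripslashes($row[5]), stripslashes($row[6]), stripslashes($row[7]),
    stripslashes($row[8]), stripslashes($row[9]), stripslashes($row[10]), stripslashes($row[14]),
    stripslashes($row[18]), stripslashes($row[19]), stripslashes($row[20]), stripslashes($row[21]),
    $config['FAIRYEAR'], $principal['uid'], $scienceHead['uid'],
]);
// … unchanged: loaded/failed bookkeeping …
```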


@ -44,8 +44,8 @@ if (!$config['emailqueue_lock']) {
$q->execute();
if ($q->rowCount()) {
$r = $q->fetch(PDO::FETCH_OBJ);
$eq = $pdo->prepare("SELECT * FROM emailqueue WHERE id='$r->emailqueue_id'");
$eq->execute();
$eq = $pdo->prepare("SELECT * FROM emailqueue WHERE id=?");
$eq->execute([$r->emailqueue_id]);
$email = $eq->fetch(PDO::FETCH_OBJ);
$blank = array();
@ -73,31 +73,31 @@ if (!$config['emailqueue_lock']) {
$result = email_send_new($to, $email->from, $email->subject, $body, $bodyhtml);
if ($result) {
$stmt = $pdo->prepare("UPDATE emailqueue_recipients SET sent=NOW(), `result`='ok' WHERE id='$r->id'");
$stmt->execute();
$stmt = $pdo->prepare("UPDATE emailqueue_recipients SET sent=NOW(), `result`='ok' WHERE id=?");
$stmt->execute([$r->id]);
show_pdo_errors_if_any($pdo);
$newnumsent = $email->numsent + 1;
$stmt = $pdo->prepare("UPDATE emailqueue SET numsent=$newnumsent WHERE id='$email->id'");
$stmt->execute();
$stmt = $pdo->prepare("UPDATE emailqueue SET numsent=? WHERE id=?");
$stmt->execute([$newnumsent,$email->id]);
show_pdo_errors_if_any($pdo);
echo "ok\n";
} else {
$stmt = Spdo->prepare("UPDATE emailqueue_recipients SET `sent`=NOW(), `result`='failed' WHERE id='$r->id'");
$stmt->execute();
$stmt = $pdo->prepare("UPDATE emailqueue_recipients SET `sent`=NOW(), `result`='failed' WHERE id=?");
$stmt->execute([$r->id]);
show_pdo_errors_if_any($pdo);
$newnumfailed = $email->numfailed + 1;
$stmt = $pdo->prepare("UPDATE emailqueue SET numfailed=$newnumfailed WHERE id='$email->id'");
$stmt->execute();
$stmt = $pdo->prepare("UPDATE emailqueue SET numfailed=? WHERE id=?");
$stmt->execute([$newnumfailed,$email->id]);
show_pdo_errors_if_any($pdo);
echo "failed\n";
}
// now check if we're done yet
$rq = $pdo->prepare("SELECT COUNT(*) AS num FROM emailqueue_recipients WHERE sent IS NULL AND emailqueue_id='$email->id'");
$rq->execute();
$rq = $pdo->prepare("SELECT COUNT(*) AS num FROM emailqueue_recipients WHERE sent IS NULL AND emailqueue_id=?");
$rq->execute([$email->id]);
$rr = $rq->fetch(PDO::FETCH_OBJ);
if ($rr->num == 0) {
$stmt = $pdo->prepare("UPDATE emailqueue SET finished=NOW() WHERE id='$email->id'");
$stmt->execute();
$stmt = $pdo->prepare("UPDATE emailqueue SET finished=NOW() WHERE id=?");
$stmt->execute([$email->id]);
}
usleep(rand($sleepmin, $sleepmax));
} else
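Review bot: The two counters are still updated read-modify-write: `$newnumsent` and `$newnumfailed` are computed from the `$email` row fetched earlier in the hunk at `$email = $eq->fetch(PDO::FETCH_OBJ)`, so the bound value overwrites whatever another sender wrote in between. `UPDATE emailqueue SET numsent=numsent+1 WHERE id=?` with `$stmt->execute([$email->id])` (and the same for numfailed) makes the increment atomic and removes both temporaries. Whether concurrent senders can actually run depends on the `emailqueue_lock` handling, which is outside the hunk.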


@ -38,19 +38,19 @@ foreach ($config['languages'] AS $l => $ln) {
$m = md5($_POST['translate_str_hidden']);
if ($_POST['translate_' . $l]) {
$q = $pdo->prepare("SELECT * FROM translations WHERE lang='$l' AND strmd5='$m'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM translations WHERE lang=? AND strmd5=?");
$q->execute([$l,$m]);
if ($q->rowCount()) {
$stmt = $pdo->prepare("UPDATE translations SET val='" . iconv('UTF-8', 'ISO-8859-1', stripslashes($_POST['translate_' . $l])) . "' WHERE lang='$l' AND strmd5='$m'");
$stmt->execute();
$stmt = $pdo->prepare("UPDATE translations SET val=? WHERE lang=? AND strmd5=?");
$stmt->execute([iconv('UTF-8', 'ISO-8859-1', stripslashes($_POST['translate_' . $l])),$l,$m]);
} else {
$stmt = $pdo->prepare("INSERT INTO translations (lang,strmd5,str,val) VALUES ('$l','$m','" . iconv('UTF-8', 'ISO-8859-1', stripslashes($_POST['translate_str_hidden'])) . "','" . iconv('UTF-8', 'ISO-8859-1', stripslashes($_POST['translate_' . $l])) . "')");
$stmt->execute();
$stmt = $pdo->prepare("INSERT INTO translations (lang,strmd5,str,val) VALUES (?,?,?,?)");
$stmt->execute([$l,$m,iconv('UTF-8', 'ISO-8859-1', stripslashes($_POST['translate_str_hidden'])),iconv('UTF-8', 'ISO-8859-1', stripslashes($_POST['translate_' . $l]))]);
}
} else {
$stmt = $pdo->prepare("DELETE FROM translations WHERE lang='$l' AND strmd5='$m'");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM translations WHERE lang=? AND strmd5=?");
$stmt->execute([$l,$m]);
}
}
echo 'ok';


@ -73,11 +73,11 @@ if ($sponsors_id) {
FROM users_sponsor, users
WHERE
users_sponsor.users_id=users.id
AND sponsors_id='$sponsors_id'
AND sponsors_id=?
AND `primary`='yes'
AND year='" . $config['FAIRYEAR'] . "'
AND users_id!='$id'");
$q->execute();
AND year=?
AND users_id!=?");
$q->execute([$sponsors_id,$config['FAIRYEAR'],$id]);
if ($q->rowCount() == 0) {
/* This must be the primary */
$p = 'yes';
@ -85,8 +85,8 @@ if ($sponsors_id) {
} else {
/* Unset all other primaries */
$stmt = $pdo->prepare("UPDATE users_sponsor SET `primary`='no'
WHERE sponsors_id='$sponsors_id'");
$stmt->execute();
WHERE sponsors_id=?");
$stmt->execute([$sponsors_id]);
}
$u['primary'] = $p;
@ -162,11 +162,11 @@ if ($sponsors_id) {
echo '<br />';
$q = $pdo->prepare("SELECT * FROM users LEFT JOIN users_sponsor ON users_sponsor.users_id=users.id
\t WHERE year='" . $config['FAIRYEAR'] . "'
\t AND sponsors_id='$sponsors_id'
\t WHERE year=?
\t AND sponsors_id=?
\t AND deleted='no'
\t ORDER BY lastname,firstname");
$q->execute();
$q->execute([$config['FAIRYEAR'],$sponsors_id]);
show_pdo_errors_if_any($pdo);
if ($q->rowCount()) {


@ -44,10 +44,10 @@ if ($auth_type == 'fair') {
/* Make sure they have permission to laod this student, check
the master copy of the fairs_id in the project */
$q = $pdo->prepare("SELECT * FROM projects WHERE
registrations_id='$registrations_id'
AND year='{$config['FAIRYEAR']}'
AND fairs_id=$fairs_id");
$q->execute();
registrations_id=?
AND year=?
AND fairs_id=?");
$q->execute([$registrations_id,$config['FAIRYEAR'],$fairs_id]);
if ($q->rowCount() != 1) {
echo 'permission denied.';
exit;
@ -75,8 +75,8 @@ switch ($action) {
case 'student_remove':
$remove_id = intval($_GET['students_id']);
$q = $pdo->prepare("SELECT id FROM students WHERE id='$remove_id' AND registrations_id='$registrations_id'");
$q->execute();
$q = $pdo->prepare("SELECT id FROM students WHERE id=? AND registrations_id=?");
$q->execute([$remove_id,$registrations_id]);
if ($q->rowCount() != 1) {
error_('Invalid student to remove');
exit;
@ -86,42 +86,42 @@ switch ($action) {
exit;
}
$stmt = $pdo->prepare("DELETE FROM students WHERE id='$remove_id' AND registrations_id='$registrations_id'");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM students WHERE id=? AND registrations_id=?");
$stmt->execute([$remove_id,$registrations_id]);
// now see if they have an emergency contact that also needs to be removed
$q = $pdo->prepare("SELECT id FROM emergencycontact WHERE students_id='$remove_id' AND registrations_id='$registrations_id' AND year='{$config['FAIRYEAR']}'");
$q->execute();
$q = $pdo->prepare("SELECT id FROM emergencycontact WHERE students_id=? AND registrations_id=? AND year=?");
$q->execute([$remove_id,$registrations_id,$config['FAIRYEAR']]);
// no need to error message if this doesnt exist
if ($q->rowCount() == 1)
$stmt = $do->prepare("DELETE FROM emergencycontact WHERE students_id='$remove_id' AND registrations_id='$registrations_id' AND year='{$config['FAIRYEAR']}'");
$stmt->execute();
$stmt = $do->prepare("DELETE FROM emergencycontact WHERE students_id=? AND registrations_id=? AND year=?");
$stmt->execute([$remove_id,$registrations_id,$config['FAIRYEAR']]);
if ($q->rowCount() != 1) {
error_('Invalid student to remove');
exit;
}
$stmt = $pdo->prepare("DELETE FROM students WHERE id='$remove_id' AND registrations_id='$registrations_id'");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM students WHERE id=? AND registrations_id=?");
$stmt->execute([$remove_id,$registrations_id]);
// now see if they have an emergency contact that also needs to be removed
$q = $pdo->prepare("SELECT id FROM emergencycontact WHERE students_id='$remove_id' AND registrations_id='$registrations_id' AND year='{$config['FAIRYEAR']}'");
$q->execute();
$q = $pdo->prepare("SELECT id FROM emergencycontact WHERE students_id=? AND registrations_id=? AND year=?");
$q->execute([$remove_id,$registrations_id,$config['FAIRYEAR']]);
// no need to error message if this doesnt exist
if ($q->rowCount() == 1)
$stmt = $do->prepare("DELETE FROM emergencycontact WHERE students_id='$remove_id' AND registrations_id='$registrations_id' AND year='{$config['FAIRYEAR']}'");
$stmt->execute();
$stmt = $do->prepare("DELETE FROM emergencycontact WHERE students_id=? AND registrations_id=? AND year=?");
$stmt->execute([$remove_id,$registrations_id,$config['FAIRYEAR']]);
$stmt = $pdo->prepare("DELETE FROM students WHERE id='$remove_id' AND registrations_id='$registrations_id'");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM students WHERE id=? AND registrations_id=?");
$stmt->execute([$remove_id,$registrations_id]);
// now see if they have an emergency contact that also needs to be removed
$q = $pdo->prepare("SELECT id FROM emergencycontact WHERE students_id='$remove_id' AND registrations_id='$registrations_id' AND year='{$config['FAIRYEAR']}'");
$q->execute();
$q = $pdo->prepare("SELECT id FROM emergencycontact WHERE students_id=? AND registrations_id=? AND year=?");
$q->execute([$remove_id,$registrations_id,$config['FAIRYEAR']]);
// no need to error message if this doesnt exist
if ($q->rowCount() == 1)
$stmt = $do->prepare("DELETE FROM emergencycontact WHERE students_id='$remove_id' AND registrations_id='$registrations_id' AND year='{$config['FAIRYEAR']}'");
$stmt->execute();
$stmt = $do->prepare("DELETE FROM emergencycontact WHERE students_id=? AND registrations_id=? AND year=?");
$stmt->execute([$remove_id,$registrations_id,$config['FAIRYEAR']]);
happy_('Student successfully removed');
exit;
@ -141,8 +141,8 @@ function students_save()
if ($_POST['id'][$x] == 0) {
// if they use schoolpassword or singlepassword, then we need to set the school based on the school stored in the registration record. for anything else they can choose the school on their own.
if ($config['participant_registration_type'] == 'schoolpassword' || $config['participant_registration_type'] == 'invite') {
$q = $pdo->prepare("SELECT schools_id FROM registrations WHERE id='$registrations_id' AND YEAR='{$config['FAIRYEAR']}'");
$q->execute();
$q = $pdo->prepare("SELECT schools_id FROM registrations WHERE id=? AND YEAR=?");
$q->execute([$registrations_id,$config['FAIRYEAR']]);
$r = $q->fetch(PDO::FETCH_OBJ);
$schools_id = $r->schools_id;
$schoolvalue = "'$schools_id', ";
@ -151,26 +151,34 @@ function students_save()
}
// INSERT new record
$dob = $_POST['year'][$x] . '-' . $_POST['month'][$x] . '-' . $_POST['day'][$x];
$stmt = $pdo->prepare('INSERT INTO students (registrations_id,firstname,lastname,sex,email,address,city,province,postalcode,phone,dateofbirth,grade,schools_id,tshirt,medicalalert,foodreq,teachername,teacheremail,year) VALUES ('
. "'" . $registrations_id . "', "
. "'" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['firstname'][$x])) . "', "
. "'" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['lastname'][$x])) . "', "
. "'" . stripslashes($_POST['sex'][$x]) . "', "
. "'" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['email'][$x])) . "', "
. "'" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['address'][$x])) . "', "
. "'" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['city'][$x])) . "', "
. "'" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['province'][$x])) . "', "
. "'" . stripslashes($_POST['postalcode'][$x]) . "', "
. "'" . stripslashes($_POST['phone'][$x]) . "', "
. "'$dob', "
. "'" . stripslashes($_POST['grade'][$x]) . "', "
. $schoolvalue
. "'" . stripslashes($_POST['tshirt'][$x]) . "', "
. "'" . stripslashes($_POST['medicalalert'][$x]) . "', "
. "'" . stripslashes($_POST['foodreq'][$x]) . "', "
. "'" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['teachername'][$x])) . "', "
. "'" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['teacheremail'][$x])) . "', "
. "'" . $config['FAIRYEAR'] . "')");
$stmt = $pdo->prepare('INSERT INTO students (registrations_id,firstname,lastname,sex,email,address,city,province,postalcode,phone,dateofbirth,grade,schools_id,tshirt,medicalalert,foodreq,teachername,teacheremail,year) VALUES (
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?)');
$stmt->execute([$registrations_id,iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['firstname'][$x])),
iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['lastname'][$x])),stripslashes($_POST['sex'][$x]),
iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['email'][$x])),iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['address'][$x])),
iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['city'][$x])),iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['province'][$x])),
stripslashes($_POST['postalcode'][$x]),stripslashes($_POST['phone'][$x]),$dob,stripslashes($_POST['grade'][$x]),
$schoolvalue,stripslashes($_POST['tshirt'][$x]),stripslashes($_POST['medicalalert'][$x]),stripslashes($_POST['foodreq'][$x]),
iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['teachername'][$x])),iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['teacheremail'][$x])),
$config['FAIRYEAR']]);
happy_('%1 %2 successfully added', array($_POST['firstname'][$x], $_POST['lastname'][$x]));
} else {
@ -184,26 +192,47 @@ function students_save()
// UPDATE existing record
$dob = $_POST['year'][$x] . '-' . $_POST['month'][$x] . '-' . $_POST['day'][$x];
$stmt = $pdo->prepare('UPDATE students SET '
. "firstname='" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['firstname'][$x])) . "', "
. "lastname='" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['lastname'][$x])) . "', "
. "sex='" . stripslashes($_POST['sex'][$x]) . "', "
. "email='" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['email'][$x])) . "', "
. "address='" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['address'][$x])) . "', "
. "city='" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['city'][$x])) . "', "
. "province='" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['province'][$x])) . "', "
. "postalcode='" . stripslashes($_POST['postalcode'][$x]) . "', "
. "phone='" . stripslashes($_POST['phone'][$x]) . "', "
. "dateofbirth='$dob', "
. "grade='" . stripslashes($_POST['grade'][$x]) . "', "
. $schoolquery
. "medicalalert='" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['medicalalert'][$x])) . "', "
. "foodreq='" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['foodreq'][$x])) . "', "
. "teachername='" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['teachername'][$x])) . "', "
. "teacheremail='" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['teacheremail'][$x])) . "', "
. "tshirt='" . stripslashes($_POST['tshirt'][$x]) . "' "
. "WHERE id='" . $_POST['id'][$x] . "'");
$stmt->execute();
$stmt = $pdo->prepare('UPDATE students SET
firstname=?,
lastname=?,
sex=?,
email=?,
address=?,
city=?,
province=?,
postalcode=?,
phone=?,
dateofbirth=?,
grade=?,
schoolquery=?,
medicalalert=?,
foodreq=?,
teachername=?,
teacheremail=?,
tshirt=?
WHERE id=?');
$stmt->execute([
iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['firstname'][$x])),
iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['lastname'][$x])),
stripslashes($_POST['sex'][$x]),
iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['email'][$x])),
iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['address'][$x])),
iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['city'][$x])),
iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['province'][$x])),
stripslashes($_POST['postalcode'][$x]),
stripslashes($_POST['phone'][$x]),
$dob,
stripslashes($_POST['grade'][$x]),
$schoolquery,
stripslashes($_POST['medicalalert'][$x]),
stripslashes($_POST['foodreq'][$x]),
iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['teachername'][$x])),
iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['teacheremail'][$x])),
stripslashes($_POST['tshirt'][$x]),
$_POST['id'][$x]
]);
happy_('%1 %2 successfully updated', array(iconv('UTF-8', 'ISO-8859-1//TRANSLIT', $_POST['firstname'][$x]), iconv('UTF-8', 'ISO-8859-1//TRANSLIT', $_POST['lastname'][$x])));
}
$x++;
@ -216,9 +245,9 @@ function students_load()
// now query and display
$q = $pdo->prepare("SELECT * FROM students WHERE
registrations_id='$registrations_id'
AND year='{$config['FAIRYEAR']}'");
$q->execute();
registrations_id=?
AND year=?");
$q->execute([$registrations_id,$config['FAIRYEAR']]);
show_pdo_errors_if_any($pdo);
$numfound = $q->rowCount();
@ -405,8 +434,8 @@ function students_load()
echo "<tr>\n";
echo ' <td>' . i18n('School') . '</td><td colspan="3">';
if ($config['participant_registration_type'] == 'open' || $config['participant_registration_type'] == 'singlepassword' || $config['participant_registration_type'] == 'openorinvite' || ($studentinfo && !$studentinfo->schools_id)) {
$schoolq = $pdo->prepare("SELECT id,school,city FROM schools WHERE year='" . $config['FAIRYEAR'] . "' ORDER by city,school");
$schoolq->execute();
$schoolq = $pdo->prepare("SELECT id,school,city FROM schools WHERE year=? ORDER by city,school");
$schoolq->execute([$config['FAIRYEAR']]);
echo "<select name=\"schools_id[$x]\">\n";
echo '<option value="">' . i18n('Choose School') . "</option>\n";
while ($r = $schoolq->fetch(PDO::FETCH_OBJ)) {
@ -418,8 +447,8 @@ function students_load()
}
echo '</select>' . REQUIREDFIELD;
} else {
$schoolq = $pdo->prepare("SELECT id,school FROM schools WHERE year='" . $config['FAIRYEAR'] . "' AND id='$studentinfo->schools_id'");
$schoolq->execute();
$schoolq = $pdo->prepare("SELECT id,school FROM schools WHERE year=? AND id=?");
$schoolq->execute([$config['FAIRYEAR'],$studentinfo->schools_id]);
$r = $schoolq->fetch(PDO::FETCH_OBJ);
echo $r->school;
}
@ -471,23 +500,23 @@ function registration_load()
/* Find a reg num */
do {
$regnum = rand(100000, 999999);
$q = $pdo->prepare("SELECT * FROM registrations WHERE num='$regnum' AND year={$config['FAIRYEAR']}");
$q->execute();
$q = $pdo->prepare("SELECT * FROM registrations WHERE num=? AND year=?");
$q->execute([$regnum,$config['FAIRYEAR']]);
} while ($q->rowCount() > 0);
$r['num'] = $regnum;
echo notice(i18n('New registration number generated.'));
echo notice(i18n('This new registration will added when the "Save Registration Information" button is pressed below. At that time the other tabs will become available.'));
} else {
$q = $pdo->prepare("SELECT * FROM registrations WHERE id='$registrations_id'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM registrations WHERE id=?");
$q->execute([$registrations_id]);
if ($q->rowCount() != 1)
$r = array();
else {
$r = $q->fetch(PDO::FETCH_ASSOC);
/* Get the fair from the project */
$q = $pdo->prepare("SELECT fairs_id FROM projects WHERE registrations_id='$registrations_id'");
$q->execute();
$q = $pdo->prepare("SELECT fairs_id FROM projects WHERE registrations_id=?");
$q->execute([$registrations_id]);
if ($q->rowCount() == 1) {
$p = $q->fetch(PDO::FETCH_ASSOC);
$r['fairs_id'] = $p['fairs_id'];
@ -569,30 +598,30 @@ function registration_save()
if ($registrations_id == -1) {
$stmt = $pdo->prepare("INSERT INTO registrations (start,schools_id,year) VALUES (
NOW(), NULL, '{$config['FAIRYEAR']}')");
$stmt->execute();
NOW(), NULL,?)");
$stmt->execute([$config['FAIRYEAR']]);
$registrations_id = $pdo->lastInsertId();
/* Create one student and a project */
$stmt = $pdo->prepare("INSERT INTO students (registrations_id,email,year) VALUES (
$registrations_id, '$registration_email', '{$config['FAIRYEAR']}')");
$stmt->execute();
?,?,?)");
$stmt->execute([$registrations_id,$registration_email,$config['FAIRYEAR']]);
$stmt = $pdo->prepare("INSERT INTO projects (registrations_id,year) VALUES (
$registrations_id, '{$config['FAIRYEAR']}')");
$stmt->execute();
?,?)");
$stmt->execute([$registrations_id,$config['FAIRYEAR']]);
happy_('Created student and project record');
}
/* Update registration */
$stmt = $pdo->prepare("UPDATE registrations SET
num='$registration_num',
status='$registration_status',
email='$registration_email'
num=?,
status=?,
email=?
WHERE
id='$registrations_id'");
$stmt->execute();
id=?");
$stmt->execute([$registration_num,$registration_status,$registration_email,$registrations_id]);
show_pdo_errors_if_any($pdo);
/*
@ -602,10 +631,10 @@ function registration_save()
if ($auth_type == 'fair')
$fairs_id = $_SESSION['fairs_id'];
$stmt = $pdo->prepare("UPDATE projects SET
fairs_id='$fairs_id'
fairs_id=?
WHERE
registrations_id='$registrations_id'");
$stmt->execute();
registrations_id=?");
$stmt->execute([$fairs_id,$registrations_id]);
show_pdo_errors_if_any($pdo);
happy_('Information Saved');
echo '<script language="javascript" type="text/javascript">';
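Review bot: The UPDATE in students_save() now binds `$schoolquery` as the value of a column called `schoolquery` (`schoolquery=?,`), but in the removed lines it was a SQL fragment spliced between `grade=` and `medicalalert=`, so the rewritten statement either fails on an unknown column or stores the fragment text; the INSERT hunk above has the same defect, because `$schoolvalue` is still built as `"'$schools_id', "` on an unchanged line and is now bound as the schools_id value. Keep both as SQL text rather than values: set `$schoolvalue = $schools_id;` where it is built, and for the UPDATE concatenate `$schoolquery` into the SQL with its own placeholder and append its value to the parameter list as sketched below (the branches that build `$schoolquery` and students_save() itself start outside the hunk). The new UPDATE also silently drops the iconv() transliteration the old lines applied to medicalalert and foodreq, which is inconsistent with the teachername/teacheremail values right after them. Separately, the three `$do->prepare(...)` lines in the student_remove hunk keep the `$do` typo from the removed lines, so `$pdo` is never used there, and the unbraced `if ($q->rowCount() == 1)` guards only the prepare, not the execute.
```php
// … unchanged: $dob …
// $schoolquery is SQL text ('' or 'schools_id=?, ') and $schoolparams its values ([] or [$schools_id]);
// both are set where the old $schoolquery fragment was built (outside this hunk)
$stmt = $pdo->prepare('UPDATE students SET firstname=?, lastname=?, sex=?, email=?, address=?, city=?, province=?, postalcode=?, phone=?, dateofbirth=?, grade=?, '
    . $schoolquery
    . 'medicalalert=?, foodreq=?, teachername=?, teacheremail=?, tshirt=? WHERE id=?');
$stmt->execute(array_merge(
    [ /* … unchanged: firstname … grade values … */ ],
    $schoolparams,
    [ /* … unchanged: medicalalert … tshirt values … */ $_POST['id'][$x] ]
));
```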


@ -33,9 +33,9 @@ user_auth_required('committee', 'admin');
/* Load Tours */
$query = "SELECT * FROM tours WHERE
year='{$config['FAIRYEAR']}'";
year=?";
$r = $pdo->prepare($query);
$r->execute();
$r->execute([$config['FAIRYEAR']]);
$tours = array();
while ($i = $r->fetch(PDO::FETCH_OBJ)) {
$tours[$i->id]['name'] = $i->name;
@ -45,20 +45,20 @@ while ($i = $r->fetch(PDO::FETCH_OBJ)) {
if (get_value_from_array($_GET, 'action') == 'info') {
$sid = intval($_GET['id']);
$query = "SELECT * FROM students WHERE id='$sid'
AND year='{$config['FAIRYEAR']}'";
$query = "SELECT * FROM students WHERE id=?
AND year=?";
$r = $pdo->prepare($query);
$r->execute();
$r->execute([$sid,$config['FAIRYEAR']]);
$i = $r->fetch(PDO::FETCH_OBJ);
send_popup_header(i18n('Student Tour Rank Information - %1 %2',
array($i->firstname, $i->lastname)));
$query = "SELECT * FROM tours_choice
WHERE students_id='$sid'
AND year='{$config['FAIRYEAR']}'
WHERE students_id=?
AND year=?
ORDER BY rank";
$r = $pdo->prepare($query);
$r->execute();
$r->execute([$sid,$config['FAIRYEAR']]);
echo '<table>';
$count = $r->rowwCount();
while ($i = $r->fetch(PDO::FETCH_OBJ)) {
@ -157,25 +157,25 @@ if (get_value_from_array($_POST, 'action') == 'add' && $tours_id != 0 && count($
$sid = intval($sid);
$q = $pdo->prepare("SELECT registrations_id FROM students
WHERE id='$sid'");
$q->execute();
WHERE id=?");
$q->execute([$sid]);
$i = $q->fetch(PDO::FETCH_OBJ);
$rid = $i->registrations_id;
/* Delete any old linking */
$stmt = $pdo->prepare("DELETE FROM tours_choice WHERE
students_id='$sid' AND
year='{$config['FAIRYEAR']}' AND
students_id=? AND
year=? AND
rank='0'");
$stmt->execute();
$stmt->execute([$sid,$config['FAIRYEAR']]);
/* Connect this student to this tour */
$stmt = $pdo->prepare("INSERT INTO tours_choice
(`students_id`,`registrations_id`,
`tour_id`,`year`,`rank`)
VALUES (
'$sid', '$rid', '$tours_id',
'{$config['FAIRYEAR']}','0')");
$stmt->execute();
?,?,?,
?,'0')");
$stmt->execute([$sid,$rid,$tours_id,$config['FAIRYEAR']]);
$added++;
}
if ($added == 1)
@ -193,20 +193,20 @@ $students_id = intval(get_value_from_array($_GET, 'students_id'));
if (get_value_from_array($_GET, 'action') == 'del' && $tours_id > 0 && $students_id > 0) {
$stmt = $pdo->prepare("DELETE FROM tours_choice
WHERE students_id='$students_id'
AND year='{$config['FAIRYEAR']}'
WHERE students_id=?
AND year=?
AND rank='0'");
$stmt->execute();
$stmt->execute([$students_id,$config['FAIRYEAR']]);
echo happy(i18n('Removed student from tour #%1 (%2)', array($tours[$tours_id]['num'], $tours[$tours_id]['name'])));
}
if (get_value_from_array($_GET, 'action') == 'empty' && $tours_id > 0) {
$stmt = $po->prepare("DELETE FROM tours_choice WHERE
tour_id='$tours_id'
AND year='{$config['FAIRYEAR']}'
tour_id=?
AND year=?
AND rank='0'");
$stmt->execute();
$stmt->execute([$tours_id,$config['FAIRYEAR']]);
echo happy(i18n('Emptied all students from tour #%1 (%2)', array($tours[$tours_id]['num'], $tours[$tours_id]['name'])));
}
@ -243,8 +243,8 @@ $querystr = "SELECT \tstudents.firstname, students.lastname,
LEFT JOIN tours_choice ON (tours_choice.students_id=students.id AND tours_choice.rank=0)
LEFT JOIN registrations ON registrations.id=students.registrations_id
WHERE
students.year='{$config['FAIRYEAR']}' AND
(tours_choice.year='{$config['FAIRYEAR']}' OR
students.year=? AND
(tours_choice.year=? OR
\t tours_choice.year IS NULL) AND
registrations.status='complete'
ORDER BY
@ -253,7 +253,7 @@ $querystr = "SELECT \tstudents.firstname, students.lastname,
tours_choice.rank";
$q = $pdo->prepare($querystr);
$q->execute();
$q->execute([$config['FAIRYEAR'],$config['FAIRYEAR']]);
show_pdo_errors_if_any($pdo);
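Review bot: The `empty` action still calls `$po->prepare(...)` on the unchanged line directly above the rewritten `tour_id=?` / `AND year=?` lines, so `$po` is undefined and that DELETE fails before the new bound parameters are ever used; the line should be `$stmt = $pdo->prepare("DELETE FROM tours_choice WHERE`. In the `info` hunk the unchanged `$count = $r->rowwCount();` has the same kind of typo and should be `rowCount()`. Both are pre-existing, but each sits immediately next to lines this commit rewrites, so fixing them here would be cheap.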


@ -39,12 +39,12 @@ send_header('Tour Management',
'Tours' => 'admin/tours.php'));
if ($_GET['action'] == 'renumber') {
$q = $pdo->prepare("SELECT id FROM tours WHERE year='{$config['FAIRYEAR']}'");
$q->execute();
$q = $pdo->prepare("SELECT id FROM tours WHERE year=?");
$q->execute([$config['FAIRYEAR']]);
$x = 1;
while ($i = $q->fetch(PDP::FETCH_OBJ)) {
$stmt = $pdo->prepare("UPDATE tours SET num='$x' WHERE id='{$i->id}'");
$stmt->execute();
$stmt = $pdo->prepare("UPDATE tours SET num=? WHERE id=?");
$stmt->execute([$x,$i->id]);
$x++;
}
echo happy(i18n('Tours successfully renumbered'));
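Review bot: The loop that runs the new parameterised UPDATE reads `while ($i = $q->fetch(PDP::FETCH_OBJ))` on the unchanged line above it; `PDP` is not a class, so the renumber action fails before the first UPDATE executes. The line should be `while ($i = $q->fetch(PDO::FETCH_OBJ)) {`. The typo is pre-existing but the statement it controls is the one this hunk rewrites.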


@ -53,9 +53,9 @@ TRACE('<pre>');
function set_status($txt)
{
TRACE("Status: $txt\n");
$stmt = $pdo->prepare("UPDATE config SET val='$txt' WHERE
$stmt = $pdo->prepare("UPDATE config SET val=? WHERE
var='tours_assigner_activity' AND year=0");
$stmt->execute();
$stmt->execute([$txt]);
}
$set_percent_last_percent = -1;
@ -68,9 +68,9 @@ function set_percent($n)
return;
TRACE("Progress: $p\%\n");
$set_percent_last_percent = $p;
$stmt = $pdo->prepare("UPDATE config SET val='$p' WHERE
$stmt = $pdo->prepare("UPDATE config SET val=? WHERE
var='tours_assigner_percent' AND year=0");
$stmt->execute();
$stmt->execute([$p]);
}
set_status('Initializing...');
@ -205,16 +205,16 @@ function tour_cost_function($annealer, $bucket_id, $ids)
set_status('Cleaning existing tour assignments...');
TRACE("\n\n");
$q = $pdo->prepare("DELETE FROM tours_choice
WHERE year='{$config['FAIRYEAR']}'
WHERE year=?
AND rank='0'");
$q->execute();
$q->execute([$config['FAIRYEAR']]);
set_status('Loading Data From Database...');
TRACE("\n\n");
TRACE("Tours...\n");
$tours = array();
$q = $pdo->prepare("SELECT * FROM tours WHERE year='{$config['FAIRYEAR']}'");
$q-- > execute();
$q = $pdo->prepare("SELECT * FROM tours WHERE year=?");
$q-> execute([$config['FAIRYEAR']]);
$x = 0;
/*
@ -240,13 +240,13 @@ $q = $pdo->prepare("SELECT students.id,students.grade,
FROM students
LEFT JOIN registrations ON registrations.id=students.registrations_id
WHERE
students.year='{$config['FAIRYEAR']}'
students.year=?
AND ( registrations.status='complete'
OR registrations.status='paymentpending' )
ORDER BY
students.id
");
$q->execute();
$q->execute([$config['FAIRYEAR']]);
$last_sid = -1;
TRACE($pdo->errorInfo());
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
@ -262,9 +262,9 @@ TRACE(' ' . (count($student_ids)) . " students loaded\n");
TRACE("Loading Tour Selection Preferences...\n");
$q = $pdo->prepare("SELECT * FROM tours_choice WHERE
tours_choice.year='{$config['FAIRYEAR']}'
tours_choice.year=?
ORDER BY rank ");
$q->execute();
$q->execute([$config['FAIRYEAR']]);
TRACE($pdo->errorInfo());
$x = 0;
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
@ -303,11 +303,8 @@ foreach ($tours as $x => $t) {
$stmt = $pdo->prepare("INSERT INTO tours_choice
(`students_id`,`registrations_id`,
`tour_id`,`year`,`rank`)
VALUES (
'$sid', '{$s['registrations_id']}',
'{$t['id']}', '{$config['FAIRYEAR']}',
'0')");
$stmt->execute();
VALUES (?,?,?,?,0)");
$stmt->execute([$sid,$s['registrations_id'],$t['id'],$config['FAIRYEAR']]);
}
}
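Review bot: set_status() uses `$pdo` without declaring it: the visible body goes from `{` straight to `TRACE("Status: $txt\n");` with no `global $pdo;`, so the new `$pdo->prepare("UPDATE config SET val=? WHERE` operates on an undefined variable, unlike tours_check_tours() elsewhere in this commit which does declare `global $pdo;`. Add `global $pdo;` as the first statement of set_status(). set_percent() has the same `$pdo->prepare(...)` rewrite, but its opening lines are outside the hunk, so whether it declares the global cannot be confirmed here and should be checked.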


@ -58,8 +58,8 @@ function tours_check_tours()
{
global $config;
global $pdo;
$q = $pdo->prepare("SELECT * FROM tours WHERE year='{$config['FAIRYEAR']}'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM tours WHERE year=?");
$q->execute([$config['FAIRYEAR']]);
return $q->rowCount();
}
@ -72,13 +72,13 @@ function tours_check_students()
LEFT JOIN tours_choice ON (tours_choice.students_id=students.id)
LEFT JOIN registrations ON (registrations.id=students.registrations_id)
WHERE
students.year='{$config['FAIRYEAR']}'
AND tours_choice.year='{$config['FAIRYEAR']}'
students.year=?
AND tours_choice.year=?
AND registrations.status='complete'
ORDER BY
students.id, tours_choice.rank
");
$q->execute();
$q->execute([$config['FAIRYEAR'],$config['FAIRYEAR']]);
return $q->rowCount();
}


@ -57,15 +57,16 @@ if (get_value_from_array($_POST, 'action') == 'save') {
// first, delete anything thats supposed to eb deleted
if (count(get_value_from_array($_POST, 'delete', []))) {
foreach ($_POST['delete'] AS $del) {
$stmt = $pdo->prepare("DELETE FROM translations WHERE lang='" . $_SESSION['translang'] . "' AND strmd5='" . $del . "'");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM translations WHERE lang=? AND strmd5=?");
$stmt->execute([$_SESSION['translang'],$del]);
}
echo happy(i18n('Translation(s) deleted'));
}
if ($_POST['changedFields']) {
$changed = split(',', $_POST['changedFields']);
foreach ($changed AS $ch) {
$stmt = $pdo->prepare("UPDATE translations SET val='" . stripslashes($_POST['val'][$ch]) . "' WHERE strmd5='" . $ch . "' AND lang='" . $_SESSION['translang'] . "'");
$stmt = $pdo->prepare("UPDATE translations SET val=? WHERE strmd5=? AND lang=?");
$stmt->execute([stripslashes($_POST['val'][$ch]),$ch ,$_SESSION['translang']]);
}
echo happy(i18n('Translation(s) saved'));
}
@ -113,8 +114,8 @@ if ($show == 'missing')
else
$showquery = '';
$q = $pdo->prepare("SELECT * FROM translations WHERE lang='" . get_value_from_array($_SESSION, 'translang') . "' $showquery ORDER BY str");
$q->execute();
$q = $pdo->prepare("SELECT * FROM translations WHERE lang=? $showquery ORDER BY str");
$q->execute([get_value_from_array($_SESSION, 'translang')]);
$num = $q->rowCount();
echo i18n('Showing %1 translation strings', array($num), array('number of strings'));
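Review bot: The rewritten `UPDATE translations SET val=? WHERE strmd5=? AND lang=?` runs inside `foreach ($changed AS $ch)`, but `$changed` comes from the unchanged `split(',', $_POST['changedFields'])`, and split() was removed in PHP 7, so on a current runtime this branch fails before the statement is reached; `$changed = explode(',', $_POST['changedFields']);` is the drop-in replacement. The later SELECT still interpolates `$showquery` into the SQL beside the new `lang=?` placeholder; that is acceptable only while `$showquery` is a fixed fragment chosen by server-side code, which the visible `else $showquery = '';` suggests but the `missing` branch above the hunk does not show.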


@ -98,8 +98,8 @@ if (array_key_exists('username', $_GET)) {
$username = $_GET['username'];
$type = $_GET['type'];
$un = $username;
$q = $pdo->prepare("SELECT id,MAX(year),deleted FROM users WHERE username='$un' GROUP BY uid");
$q->execute();
$q = $pdo->prepare("SELECT id,MAX(year),deleted FROM users WHERE username=? GROUP BY uid");
$q->execute([$un]);
show_pdo_errors_if_any($pdo);
if ($q->rowCount()) {
@ -119,8 +119,8 @@ if (array_key_exists('username', $_GET)) {
}
} else {
// undelete them?
$stmt = $pdo->prepare("UPDATE users SET deleted='no' WHERE id='$r->id'");
$stmt->execute();
$stmt = $pdo->prepare("UPDATE users SET deleted='no' WHERE id=?");
$stmt->execute([$r->id]);
// then load them?
$u = user_load($r->id);
}


@ -164,9 +164,9 @@ if (get_value_from_array($_GET, 'action') == 'update') {
$user = user_load($id);
// Determine if there is a more recent uid that may possibly be in the current FAIRYEAR (allows refresh page to work)
$query = $pdo->prepare("SELECT id,uid,year FROM users WHERE uid='{$user['uid']}'
$query = $pdo->prepare("SELECT id,uid,year FROM users WHERE uid=?
ORDER BY year DESC LIMIT 1");
$query->execute();
$query->execute([$user['uid']]);
$user_new = $query->fetch(PDO::FETCH_ASSOC);
@ -178,9 +178,9 @@ if (get_value_from_array($_GET, 'action') == 'update') {
message_push(happy(i18n('User Updated')));
// find the newly updated user
$q_reload = $pdo->prepare("SELECT id FROM users WHERE uid='{$user['uid']}'
$q_reload = $pdo->prepare("SELECT id FROM users WHERE uid=?
ORDER BY year DESC LIMIT 1");
$q_reload->execute();
$q_reload->execute([$user['uid']]);
$reload_user = $q_reload->fetch(PDO::FETCH_ASSOC);
@ -296,16 +296,16 @@ $querystr = "SELECT
GROUP BY uid
HAVING
u1.deleted='no'
$having_year
$where_types
$where_complete
?
?
?
ORDER BY
lastname ASC,
firstname ASC,
year DESC";
$q = $pdo->prepare($querystr);
$q->execute();
$q->execute([$having_year,$where_types,$where_complete]);
show_pdo_errors_if_any($pdo);
$num = $q->rowCount();
@ -358,8 +358,8 @@ while ($r = $q->fetch(PDO::FETCH_ASSOC)) {
if (in_array('fair', $types)) {
$qq = $pdo->prepare("SELECT * FROM users_fair
LEFT JOIN fairs ON fairs.id=users_fair.fairs_id
WHERE users_id='{$r['id']}'");
WHERE users_id=?");
$qq->execute([$r['id']]);
$rr = $qq->fetch(PDO::FETCH_ASSOC);
$name = '{' . get_value_from_array($rr, 'name') . '}' . ((trim($name) == '') ? '' : "<br />($name)");
}
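Review bot: The three `?` placeholders inserted after `u1.deleted='no'` in the HAVING clause replace `$having_year`, `$where_types` and `$where_complete`, which by their names and position were SQL fragments (extra conditions appended to HAVING), not values; binding them as strings produces `HAVING u1.deleted='no' ? ? ?`, which is a syntax error, since a placeholder cannot stand in for a condition or keyword. Keep the fragments interpolated as SQL text and bind only the values they contain: restore `$having_year $where_types $where_complete` inside `$querystr` and assemble a matching parameter list where those variables are built (outside the hunk), or keep `$q->execute();` if they carry no request-supplied values. Because that assembly is not visible here, the exact parameter list cannot be given in this note.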


@ -56,21 +56,21 @@ switch ($action) {
}
// first check how many we are allowed to have
$q = $pdo->prepare("SELECT number FROM award_prizes WHERE id='$prize_id'");
$q->execute();
$q = $pdo->prepare("SELECT number FROM award_prizes WHERE id=?");
$q->execute([$prize_id]);
show_pdo_errors_if_any($pdo);
$r = $q->fetch(PDO::FETCH_ASSOC);
$number = $r['number'];
/* Get the award info */
$q = $pdo->prepare("SELECT * FROM award_awards WHERE id='$award_awards_id'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM award_awards WHERE id=?");
$q->execute([$award_awards_id]);
show_pdo_errors_if_any($pdo);
$a = $q->fetch(PDO::FETCH_ASSOC);
/* Get the project */
$q = $pdo->prepare("SELECT fairs_id FROM projects WHERE id='$projects_id'");
$q->execute();
$q = $pdo->prepare("SELECT fairs_id FROM projects WHERE id=?");
$q->execute([$projects_id]);
show_pdo_errors_if_any($pdo);
$p = $q->fetch(PDO::FETCH_ASSOC);
$fairs_id = $p['fairs_id'];
@ -89,24 +89,24 @@ switch ($action) {
$q = $pdo->prepare("SELECT COUNT(*) AS count FROM winners
LEFT JOIN projects ON winners.projects_id=projects.id
WHERE
projects.fairs_id='$fairs_id'
awards_prizes_id='$prize_id'");
$q->execute();
projects.fairs_id=?
awards_prizes_id=?");
$q->execute([$fairs_id,$prize_id]);
show_pdo_errors_if_any($pdo);
$r = $q->fetch(PDO::FETCH_ASSOC);
$count = $r['count'];
} else {
/* Count is the total number assigned */
$q = $pdo->prepare("SELECT COUNT(*) AS count FROM winners WHERE awards_prizes_id='$prize_id'");
$q->execute();
$q = $pdo->prepare("SELECT COUNT(*) AS count FROM winners WHERE awards_prizes_id=?");
$q->execute([$prize_id]);
show_pdo_errors_if_any($pdo);
$r = $q->fetch(PDO::FETCH_ASSOC);
$count = $r['count'];
}
if ($count < $number) {
$stmt = $pdo->prepare("INSERT INTO winners (awards_prizes_id,projects_id,year) VALUES ('$prize_id','$projects_id','{$config['FAIRYEAR']}')");
$stmt->execute();
$stmt = $pdo->prepare("INSERT INTO winners (awards_prizes_id,projects_id,year) VALUES (?,?,?)");
$stmt->execute([$prize_id,$projects_id,$config['FAIRYEAR']]);
happy_('Winning project added');
} else {
error_('This prize cannot accept any more winners. Maximum: %1', $number);
@ -119,8 +119,8 @@ switch ($action) {
$projects_id = intval($_GET['projects_id']);
if ($prize_id && $projects_id) {
$stmt = $pdo->prepare("DELETE FROM winners WHERE awards_prizes_id='$prize_id' AND projects_id='$projects_id'");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM winners WHERE awards_prizes_id=? AND projects_id=?");
$stmt->execute([$prize_id,$projects_id]);
happy_('Winning project removed');
}
exit;
@ -140,12 +140,12 @@ switch ($action) {
award_awards ,
award_types
WHERE
award_awards.year='{$config['FAIRYEAR']}'
award_awards.year=?
AND\taward_awards.award_types_id=award_types.id
AND \taward_types.year=award_awards.year
AND\taward_awards.id='$award_awards_id'
AND\taward_awards.id=?
");
$q->execute();
$q->execute([$config['FAIRYEAR'],$award_awards_id]);
show_pdo_errors_if_any($pdo);
@ -177,12 +177,12 @@ switch ($action) {
award_awards ,
award_types
WHERE
award_awards.year='{$config['FAIRYEAR']}'
award_awards.year=?
AND\taward_awards.award_types_id=award_types.id
AND \taward_types.year=award_awards.year
AND\taward_awards.id='$award_awards_id'
AND\taward_awards.id=?
");
$q->execute();
$q->execute([$config['FAIRYEAR'],$award_awards_id]);
show_pdo_errors_if_any($pdo);
@ -218,15 +218,15 @@ switch ($action) {
case 'additional_materials':
$fairs_id = intval($_GET['fairs_id']);
$q = $pdo->prepare("SELECT * FROM award_awards WHERE id='$award_awards_id'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM award_awards WHERE id=?");
$q->execute([$award_awards_id]);
if ($fairs_id == 0) {
echo "Unsupported Action: Can't get additional materials for fairs_id=0. Edit the project and set it's fair to anything except 'Local/Unspecified'.";
exit;
}
$a = $q->fetch(PDO::FETCH_ASSOC);
$q = $pdo->prepare("SELECT * FROM fairs WHERE id='$fairs_id'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM fairs WHERE id=?");
$q->execute([$fairs_id]);
$fair = $q->fetch(PDO::FETCH_ASSOC);
$pdf = fair_additional_materials($fair, $a, $config['FAIRYEAR']);
foreach ($pdf['header'] as $h)
@ -412,17 +412,17 @@ $q = $pdo->prepare("SELECT
award_types.type,
sponsors.organization
FROM
award_awards $fair_join,
award_awards ?,
award_types,
sponsors
WHERE
award_awards.year='{$config['FAIRYEAR']}'
award_awards.year=?
AND\taward_awards.award_types_id=award_types.id
AND\taward_types.year='{$config['FAIRYEAR']}'
AND\taward_types.year=?
AND\taward_awards.sponsors_id=sponsors.id
$fair_where
?
ORDER BY awards_order");
$q->execute();
$q->execute([$fair_join,$config['FAIRYEAR'],$config['FAIRYEAR'],$fair_where]);
show_pdo_errors_if_any($pdo);
@ -500,11 +500,11 @@ function print_award(&$r, $fairs_id, $editor = false, $editor_data = array())
FROM
award_prizes
WHERE
award_awards_id='{$r['id']}'
AND award_prizes.year='{$config['FAIRYEAR']}'
award_awards_id=?
AND award_prizes.year=?
ORDER BY
`order`");
$q->execute();
$q->execute([$r['id'],$config['FAIRYEAR']]);
show_pdo_errors_if_any($pdo);
echo '<table width="100%"><tr><td>';
@ -535,9 +535,9 @@ function print_award(&$r, $fairs_id, $editor = false, $editor_data = array())
winners
LEFT JOIN projects ON projects.id=winners.projects_id
WHERE
winners.awards_prizes_id='{$pr->id}'
$fairs_where ");
$cq->execute();
winners.awards_prizes_id=?
? ");
$cq->execute([$pr->id,$fairs_where]);
show_pdo_errors_if_any($pdo);
$count = $cq->rowCount();
// echo "winners=$count";
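Review bot: The fair-scoped winners count in the hunk at `@ -89,24 +89,24` has two conditions with no operator between them, `projects.fairs_id=?` directly followed by `awards_prizes_id=?`, which is not valid SQL; the removed line had the same gap, so the commit carries it forward rather than fixing it. Suggest `projects.fairs_id=? AND awards_prizes_id=?`. Unless the connection is configured to throw, the failed statement leaves `$r` false, `$count` null, and `null < $number` true, so the maximum-winners check below still lets the INSERT run. The `switch ($action)` enclosing these hunks begins before the section.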


@ -32,8 +32,8 @@ require ('../common.inc.php');
global $pdo;
// first, lets make sure someone isng tryint to see something that they arent allowed to!
$q = $pdo->prepare("SELECT (NOW()>='" . $config['dates']['postparticipants'] . "') AS test");
$q->execute();
$q = $pdo->prepare("SELECT (NOW()>=?) AS test");
$q->execute([$config['dates']['postparticipants']]);
$r = $q->fetch(PDO::FETCH_OBJ);
$pn = trim($_GET['n']);
@ -56,20 +56,21 @@ if ($r->test) {
LEFT JOIN projectcategories ON projectcategories.id=projects.projectcategories_id
LEFT JOIN projectdivisions ON projectdivisions.id=projects.projectdivisions_id
WHERE
registrations.year='" . $config['FAIRYEAR'] . "'
AND projectcategories.year='" . $config['FAIRYEAR'] . "'
AND projectdivisions.year='" . $config['FAIRYEAR'] . "'
registrations.year=?
AND projectcategories.year=?
AND projectdivisions.year=?
AND (status='complete' OR status='paymentpending')
AND projects.projectnumber='$pn'
AND projects.projectnumber=?
LIMIT 1
");
$q->execute([$config['FAIRYEAR'],$config['FAIRYEAR'],$config['FAIRYEAR'],$pn]);
show_pdo_errors_if_any($pdo);
$r = $q->fetch(PDO::FETCH_ASSOC);
$regid = $r['reg_id'];
$q2 = $pdo->prepare("SELECT firstname,lastname,webfirst,weblast,schools.school FROM students JOIN schools ON students.schools_id=schools.id WHERE registrations_id='$regid' ORDER BY lastname");
$q2->execute();
$q2 = $pdo->prepare("SELECT firstname,lastname,webfirst,weblast,schools.school FROM students JOIN schools ON students.schools_id=schools.id WHERE registrations_id=? ORDER BY lastname");
$q2->execute([$regid]);
$students = '';
while ($stud = $q2->fetch(PDO::FETCH_OBJ)) {
if ($stud->webfirst == 'yes')


@ -31,8 +31,8 @@ require ('../common.inc.php');
global $pdo;
// first, lets make sure someone isnt trying to see something that they arent allowed to!
$q = $pdo->prepare("SELECT (NOW()>='" . $config['dates']['postparticipants'] . "') AS test");
$q->execute();
$q = $pdo->prepare("SELECT (NOW()>=?) AS test");
$q->execute([$config['dates']['postparticipants']]);
$r = $q->fetch(PDO::FETCH_OBJ);
if ($r->test) {
@ -52,16 +52,16 @@ if ($r->test) {
LEFT JOIN projectdivisions ON projectdivisions.id=projects.projectdivisions_id
WHERE
1
AND registrations.year='" . $config['FAIRYEAR'] . "'
AND projectcategories.year='" . $config['FAIRYEAR'] . "'
AND projectdivisions.year='" . $config['FAIRYEAR'] . "'
AND registrations.year=?
AND projectcategories.year=?
AND projectdivisions.year=?
AND (status='complete' OR status='paymentpending')
ORDER BY
projectcategories.id,
projectdivisions.id,
projects.projectnumber
");
$q->execute();
$q->execute([$config['FAIRYEAR'],$config['FAIRYEAR'],$config['FAIRYEAR']]);
show_pdo_errors_if_any($pdo);
$lastcat = 'something_that_does_not_exist';


@ -31,8 +31,8 @@ require ('../common.inc.php');
global $pdo;
// first, lets make sure someone isnt trying to see something that they arent allowed to!
$q = $pdo->prepare("SELECT (NOW()>='" . $config['dates']['postparticipants'] . "') AS test");
$q->execute();
$q = $pdo->prepare("SELECT (NOW()>=?) AS test");
$q->execute([$config['dates']['postparticipants']]);
$r = $q->fetch(PDO::FETCH_OBJ);
$ret = array();
@ -56,16 +56,16 @@ if ($r->test) {
LEFT JOIN projectdivisions ON projectdivisions.id=projects.projectdivisions_id
WHERE
1
AND registrations.year='" . $config['FAIRYEAR'] . "'
AND projectcategories.year='" . $config['FAIRYEAR'] . "'
AND projectdivisions.year='" . $config['FAIRYEAR'] . "'
AND registrations.year=?
AND projectcategories.year=?
AND projectdivisions.year=?
AND (status='complete' OR status='paymentpending')
ORDER BY
projectcategories.id,
projectdivisions.id,
projects.projectnumber
");
$q->execute();
$q->execute([$config['FAIRYEAR'],$config['FAIRYEAR'],$config['FAIRYEAR']]);
show_pdo_errors_if_any($pdo);
$lastcat = 'something_that_does_not_exist';


@ -36,7 +36,7 @@ while ($r = $q->fetch(PDO::FETCH_OBJ)) {
/* Select all the u$q=("SELECT * FROM committees ORDER BY ord,name");sers in the committee, using MAX(year) for the most recent year */
$q2 = $pdo->prepare("SELECT committees_link.*,users.uid,MAX(users.year),users.lastname
FROM committees_link LEFT JOIN users ON users.uid = committees_link.users_uid
WHERE committees_id='{$r->id}'
WHERE committees_id=?
GROUP BY users.uid ORDER BY ord,users.lastname ");
$q2->execute();
// if there's nobody in this committee, then just skip it and go on to the next one.
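Review bot: The committee member query now reads `WHERE committees_id=?`, but the execute call two lines below is still the unchanged `$q2->execute();` with no parameter array, so the statement runs with an unbound placeholder and fails. Change it to `$q2->execute([$r->id]);`, binding the committee id that the removed interpolation used. Unless PDO is set to throw on errors, the failure is silent here and every committee is then treated as empty by the skip logic below. The `while` loop enclosing this hunk begins before it.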



@ -40,12 +40,12 @@ if (get_value_from_array($_GET, 'action') == 'backup') {
$dump .= '#SFIAB FAIR NAME: ' . $config['fairname'] . "\n";
$dump .= "#-------------------------------------------------\n";
$tableq = $pdo->prepare("SHOW TABLES FROM `$DBNAME`");
$tableq = $pdo->prepare("SHOW TABLES FROM $DBNAME");
$tableq->execute();
while ($tr = $tableq->fetch(PDO::FETCH_NUM)) {
$table = $tr[0];
$dump .= "#TABLE: $table\n";
$columnq = $pdo->prepare("SHOW COLUMNS FROM `$table`");
$columnq = $pdo->prepare("SHOW COLUMNS FROM $table");
$columnq->execute();
$str = "INSERT INTO `$table` (";
unset($fields);
@ -57,7 +57,7 @@ if (get_value_from_array($_GET, 'action') == 'backup') {
$str = substr($str, 0, -1);
$str .= ') VALUES (';
$dataq = $pdo->prepare("SELECT * FROM `$table` ORDER BY `{$fields[0]}`");
$dataq = $pdo->prepare("SELECT * FROM `$table` ORDER BY $fields[0]");
$dataq->execute();
while ($data = $dataq->fetch(PDO::FETCH_OBJ)) {
$insertstr = $str;
@ -178,7 +178,7 @@ if (get_value_from_array($_GET, 'action') == 'backup') {
$line = trim($line);
if (mb_ereg('^#TABLE: (.*)', $line, $args)) {
// empty out the table
$sql = 'TRUNCATE TABLE `' . $args[1] . '`';
$sql = "TRUNCATE TABLE $args[1]";
// echo $sql."\n";
$stmt = $pdo->prepare($sql);
@ -226,13 +226,13 @@ if (get_value_from_array($_GET, 'action') == 'backup') {
user_purge($judge, 'judge');
} else {
// Find max year of judge
$max_year_query = $pdo->prepare('SELECT year FROM users WHERE uid = ' . $judge['uid'] . ' ORDER BY year DESC limit 1');
$max_year_query->execute();
$max_year_query = $pdo->prepare('SELECT year FROM users WHERE uid =? ORDER BY year DESC limit 1');
$max_year_query->execute([$judge['uid']]);
$judge_max_year = $max_year_query->fetch(PDO::FETCH_ASSOC);
// Grab old judge info.
// Old judge info consists of all entries in the database that are not the most recent for the specific judge
$deletable = $pdo->prepare('SELECT * FROM users WHERE uid =' . $judge['uid'] . ' AND year NOT LIKE ' . $judge_max_year['year']);
$deletable->execute();
$deletable = $pdo->prepare('SELECT * FROM users WHERE uid =? AND year NOT LIKE ?');
$deletable->execute([$judge['uid'],$judge_max_year['year']]);
// and if they have old data from previous fair years
if ($deletable->rowCount() > 0) {
// delete old data one by one
@ -260,8 +260,8 @@ if (get_value_from_array($_GET, 'action') == 'backup') {
error(i18n($pdo->errorInfo()[0]));
}
} else if (get_value_from_array($_POST, 'action') == 'clean_parents') {
$query_parents = $pdo->prepare('SELECT * FROM users WHERE types LIKE "parent" AND year !=' . $config['FAIRYEAR']);
$query_parents->execute();
$query_parents = $pdo->prepare('SELECT * FROM users WHERE types LIKE "parent" AND year !=?');
$query_parents->execute([$config['FAIRYEAR']]);
while ($parent = $query_parents->fetch(PDO::FETCH_ASSOC)) {
if (!is_array($parent['types'])) {
$parent['types'] = array($parent['types']);
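Review bot: The first two hunks of this file drop the backtick quoting around identifiers (`SHOW TABLES FROM $DBNAME`, `SHOW COLUMNS FROM $table`, `ORDER BY $fields[0]`) and the restore hunk does the same for `TRUNCATE TABLE $args[1]`; nothing is gained, because identifiers cannot be bound as parameters, and any table or column name that is a reserved word or contains unusual characters now breaks. Keep the quoting, e.g. `"SHOW TABLES FROM \`$DBNAME\`"` and `"TRUNCATE TABLE \`" . $args[1] . "\`"`. For the restore path, `$args[1]` appears to be parsed from the dump being restored, so beyond quoting it should be checked against the table list the backup branch already obtains from `SHOW TABLES` before it is spliced into a TRUNCATE. The judge-cleanup hunks further down correctly switch to bound values.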


@ -42,21 +42,21 @@ if (get_value_from_array($_GET, 'action') == 'edit' || get_value_from_array($_GE
if (get_value_from_array($_POST, 'action') == 'edit') {
// ues isset($_POST['mingrade']) instead of just $_POST['mingrade'] to allow entering 0 for kindergarden
if (get_value_from_array($_POST, 'id') && get_value_from_array($_POST, 'category') && isset($_POST['mingrade']) && $_POST['maxgrade']) {
$q = $pdo->prepare("SELECT id FROM projectcategories WHERE id='" . $_POST['id'] . "' AND year='" . $config['FAIRYEAR'] . "'");
$q->execute();
$q = $pdo->prepare("SELECT id FROM projectcategories WHERE id=? AND year=?");
$q->execute([$_POST['id'],$config['FAIRYEAR']]);
show_pdo_errors_if_any($pdo);
if ($q->rowCount() && $_POST['saveid'] != $_POST['id']) {
echo error(i18n('Category ID %1 already exists', array($_POST['id']), array('category ID')));
} else {
$stmt = $pdo->prepare('UPDATE projectcategories SET '
. "id='" . $_POST['id'] . "', "
. "category='" . stripslashes($_POST['category']) . "', "
. "category_shortform='" . stripslashes($_POST['category_shortform']) . "', "
. "mingrade='" . $_POST['mingrade'] . "', "
. "maxgrade='" . $_POST['maxgrade'] . "' "
. "WHERE id='" . $_POST['saveid'] . "'");
. "id=?, "
. "category=?, "
. "category_shortform=?, "
. "mingrade=?, "
. "maxgrade=?"
. "WHERE id=?");
echo happy(i18n('Category successfully saved'));
$stmt->execute();
$stmt->execute([$_POST['id'],stripslashes($_POST['category']),stripslashes($_POST['category_shortform']),$_POST['mingrade'],$_POST['maxgrade'],$_POST['saveid']]);
}
} else {
echo error(i18n('All fields are required'));
@ -66,19 +66,20 @@ if (get_value_from_array($_POST, 'action') == 'edit') {
if (get_value_from_array($_POST, 'action') == 'new') {
// ues isset($_POST['mingrade']) instead of just $_POST['mingrade'] to allow entering 0 for kindergarden
if (get_value_from_array($_POST, 'id') && $_POST['category'] && isset($_POST['mingrade']) && $_POST['maxgrade']) {
$q = $pdo->prepare("SELECT id FROM projectcategories WHERE id='" . $_POST['id'] . "' AND year='" . $config['FAIRYEAR'] . "'");
$q->execute();
$q = $pdo->prepare("SELECT id FROM projectcategories WHERE id=? AND year=?");
$q->execute([$_POST['id'],$config['FAIRYEAR']]);
if ($q->rowCount()) {
echo error(i18n('Category ID %1 already exists', array($_POST['id']), array('category ID')));
} else {
$stmt = $pdo->prepare('INSERT INTO projectcategories (id,category,category_shortform,mingrade,maxgrade,year) VALUES ( '
. "'" . $_POST['id'] . "', "
. "'" . stripslashes($_POST['category']) . "', "
. "'" . stripslashes($_POST['category_shortform']) . "', "
. "'" . $_POST['mingrade'] . "', "
. "'" . $_POST['maxgrade'] . "', "
. "'" . $config['FAIRYEAR'] . "')");
$stmt->execute();
$stmt = $pdo->prepare('INSERT INTO projectcategories (id,category,category_shortform,mingrade,maxgrade,year) VALUES (
?,
?,
?,
?,
?,
?)');
$stmt->execute([$_POST['id'],stripslashes($_POST['category']),stripslashes($_POST['category_shortform']),
$_POST['mingrade'],$_POST['maxgrade'],$config['FAIRYEAR']]);
echo happy(i18n('Category successfully added'));
}
} else {
@ -89,11 +90,11 @@ if (get_value_from_array($_POST, 'action') == 'new') {
if (get_value_from_array($_GET, 'action') == 'remove' && get_value_from_array($_GET, 'remove')) {
// ###### Feature Specific - filtering divisions by category - not conditional, cause even if they have the filtering turned off..if any links
// for this division exist they should be deleted
$stmt = $pdo->prepare("DELETE FROM projectcategoriesdivisions_link where projectcategories_id='" . $_GET['remove'] . "' AND year='" . $config['FAIRYEAR'] . "'");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM projectcategoriesdivisions_link where projectcategories_id=? AND year=?");
$stmt->execute([$_GET['remove'],$config['FAIRYEAR']]);
// ####
$stmt = $pdo->prepare("DELETE FROM projectcategories WHERE id='" . $_GET['remove'] . "' AND year='" . $config['FAIRYEAR'] . "'");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM projectcategories WHERE id=? AND year=?");
$stmt->execute([$_GET['remove'],$config['FAIRYEAR']]);
echo happy(i18n('Category successfully removed'));
}
@ -118,8 +119,8 @@ if (get_value_from_array($_GET, 'action') == 'edit' || get_value_from_array($_GE
echo '<input type="hidden" name="action" value="' . get_value_from_array($_GET, 'action') . "\">\n";
if (get_value_from_array($_GET, 'action') == 'edit') {
echo '<input type="hidden" name="saveid" value="' . get_value_from_array($_GET, 'edit') . "\">\n";
$q = $pdo->prepare("SELECT * FROM projectcategories WHERE id='" . get_value_from_array($_GET, 'edit') . "' AND year='" . $config['FAIRYEAR'] . "'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM projectcategories WHERE id=? AND year=?");
$q->execute([get_value_from_array($_GET, 'edit'),$config['FAIRYEAR']]);
$categoryr = $q->fetch(PDO::FETCH_OBJ);
$buttontext = 'Save';
} else if (get_value_from_array($_GET, 'action') == 'new') {
@ -135,8 +136,8 @@ if (get_value_from_array($_GET, 'action') == 'edit' || get_value_from_array($_GE
echo ' <td><input type="submit" value="' . i18n($buttontext) . '"></td>';
echo '</tr>';
} else {
$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY mingrade");
$q->execute();
$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year=? ORDER BY mingrade");
$q->execute([$config['FAIRYEAR']]);
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
echo '<tr>';
echo " <td align=\"center\">$r->id</td>";
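Review bot: In the edit branch at `@ -42,21 +42,21`, the new fragment `. "maxgrade=?"` is immediately followed by `. "WHERE id=?"`, so the statement text becomes `maxgrade=?WHERE id=?`; the removed fragment ended with a space, and a placeholder glued to a keyword is not something the driver or server is guaranteed to tokenize. Make it `. "maxgrade=? "` with the trailing space restored. Separately, `echo happy(i18n('Category successfully saved'));` is printed before `$stmt->execute([...])` runs and the return value is never checked, so the user is told the save succeeded even when the UPDATE fails; move the message after the execute and condition it on the result.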


@ -57,8 +57,8 @@ if (get_value_from_array($_POST, 'action') == 'save') {
$d = stripslashes($val);
$t = stripslashes($_POST['savetimes'][$key]);
$v = "$d $t";
$stmt = $pdo->prepare("UPDATE dates SET date='$v' WHERE year='" . $config['FAIRYEAR'] . "' AND id='$key'");
$stmt->execute();
$stmt = $pdo->prepare("UPDATE dates SET date=? WHERE year=? AND id=?");
$stmt->execute([$v,$config['FAIRYEAR'],$key]);
}
}
echo happy(i18n('Dates successfully saved'));
@ -83,8 +83,8 @@ $dates = array('fairdate' => array(),
/* Now copy the SQL data into the above array */
$q = $pdo->prepare("SELECT * FROM dates WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY date");
$q->execute();
$q = $pdo->prepare("SELECT * FROM dates WHERE year=? ORDER BY date");
$q->execute([$config['FAIRYEAR']]);
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
$dates[$r->name]['description'] = $r->description;
$dates[$r->name]['id'] = $r->id;
@ -131,12 +131,12 @@ foreach ($dates as $dn => $d) {
$def = $defaultdates[$dn];
// hmm if we dont have a record for this date this year, INSERT the sql from the default
$stmt = $pdo->prepare("INSERT INTO dates (date,name,description,year) VALUES (
'" . $def->date . "',
'" . $dn . "',
'" . $def->description . "',
'" . $config['FAIRYEAR'] . "'
?,
?,
?,
?
)");
$stmt->execute();
$stmt->execute([$def->date,$dn,$def->description,$config['FAIRYEAR']]);
$d['id'] = $pdo->lastInsertId();
$d['description'] = $def->description;
$d['date'] = $def->date;


@ -45,29 +45,26 @@ if (get_value_from_array($_GET, 'action') == 'edit' || get_value_from_array($_GE
if (get_value_from_array($_POST, 'action') == 'edit') {
if (get_value_from_array($_POST, 'id') && get_value_from_array($_POST, 'division')) {
$q = $pdo->prepare("SELECT id FROM projectdivisions WHERE id='" . $_POST['id'] . "' AND year='" . $config['FAIRYEAR'] . "'");
$q->execute();
$q = $pdo->prepare("SELECT id FROM projectdivisions WHERE id=? AND year=?");
$q->execute([$_POST['id'],$config['FAIRYEAR']]);
if ($q->rowCount() && $_POST['saveid'] != $_POST['id']) {
echo error(i18n('Division ID %1 already exists', array($_POST['id']), array('division ID')));
} else {
$stmt = $pdo->prepare('UPDATE projectdivisions SET '
. "id='" . $_POST['id'] . "', "
. "division='" . stripslashes($_POST['division']) . "', "
. "division_shortform='" . stripslashes($_POST['division_shortform']) . "' "
. "WHERE id='" . $_POST['saveid'] . "' AND year='{$config['FAIRYEAR']}'");
$stmt->execute();
. "id=?, "
. "division=?, "
. "division_shortform=?"
. "WHERE id=? AND year=?");
$stmt->execute([$_POST['id'],stripslashes($_POST['division']),stripslashes($_POST['division_shortform']),$_POST['saveid'],$config['FAIRYEAR']]);
// ###### Feature Specific - filtering divisions by category
if ($config['filterdivisionbycategory'] == 'yes') {
$stmt = $pdo->prepare("DELETE FROM projectcategoriesdivisions_link WHERE projectdivisions_id='" . $_POST['saveid'] . "' AND year='" . $config['FAIRYEAR'] . "'");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM projectcategoriesdivisions_link WHERE projectdivisions_id=? AND year=?");
$stmt->execute([ $_POST['saveid'],$config['FAIRYEAR']]);
if (is_array($_POST['divcat'])) {
foreach ($_POST['divcat'] as $tempcat) {
$stmt = $pdo->prepare('INSERT INTO projectcategoriesdivisions_link (projectdivisions_id,projectcategories_id,year) VALUES ( '
. "'" . $_POST['id'] . "', "
. "'" . $tempcat . "', "
. "'" . $config['FAIRYEAR'] . "') ");
$stmt->execute();
$stmt = $pdo->prepare('INSERT INTO projectcategoriesdivisions_link (projectdivisions_id,projectcategories_id,year) VALUES (?,?,?)');
$stmt->execute([$_POST['id'],$tempcat,$config['FAIRYEAR']]);
}
}
}
@ -82,25 +79,19 @@ if (get_value_from_array($_POST, 'action') == 'edit') {
if (get_value_from_array($_POST, 'action') == 'new') {
if (get_value_from_array($_POST, 'id') && get_value_from_array($_POST, 'division')) {
$q = $pdo->prepare("SELECT id FROM projectdivisions WHERE id='" . $_POST['id'] . "' AND year='" . $config['FAIRYEAR'] . "'");
$q->execute();
$q = $pdo->prepare("SELECT id FROM projectdivisions WHERE id=? AND year=?");
$q->execute([$_POST['id'],$config['FAIRYEAR']]);
if ($q->rowCount()) {
echo error(i18n('Division ID %1 already exists', array($_POST['id']), array('division ID')));
} else {
$stmt = $pdo->prepare('INSERT INTO projectdivisions (id,division,division_shortform,year) VALUES ( '
. "'" . $_POST['id'] . "', "
. "'" . stripslashes($_POST['division']) . "', "
. "'" . stripslashes($_POST['division_shortform']) . "', "
. "'" . $config['FAIRYEAR'] . "') ");
$stmt->execute();
$stmt = $pdo->prepare('INSERT INTO projectdivisions (id,division,division_shortform,year) VALUES (?,?,?,?)');
$stmt->execute([$_POST['id'],stripslashes($_POST['division']),stripslashes($_POST['division_shortform']),$config['FAIRYEAR']]);
// ###### Feature Specific - filtering divisions by category
if ($config['filterdivisionbycategory'] == 'yes') {
foreach ($_POST['divcat'] as $tempcat) {
$stmt = $pdo->prepare('INSERT INTO projectcategoriesdivisions_link (projectdivisions_id,projectcategories_id,year) VALUES ( '
. "'" . $tempcat . "', "
. "'" . $config['FAIRYEAR'] . "') ");
$stmt->execute();
$stmt = $pdo->prepare('INSERT INTO projectcategoriesdivisions_link (projectdivisions_id,projectcategories_id,year) VALUES (?,?)');
$stmt->execute([$tempcat,$conference['id']]);
}
}
// #######
@ -114,10 +105,10 @@ if (get_value_from_array($_POST, 'action') == 'new') {
if (get_value_from_array($_GET, 'action') == 'remove' && get_value_from_array($_GET, 'remove')) {
// ###### Feature Specific - filtering divisions by category - not conditional, cause even if they have the filtering turned off..if any links
// for this division exist they should be deleted
$stmt = $pdo->prepare("DELETE FROM projectcategoriesdivisions_link where projectdivisions_id='" . $_GET['remove'] . "' AND year='" . $config['FAIRYEAR'] . "'");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM projectdivisions WHERE id='" . $_GET['remove'] . "' AND year='" . $config['FAIRYEAR'] . "'");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM projectcategoriesdivisions_link where projectdivisions_id=? AND year=?");
$stmt->execute([$_GET['remove'], $config['FAIRYEAR']]);
$stmt = $pdo->prepare("DELETE FROM projectdivisions WHERE id=? AND year=?");
$stmt->execute([$_GET['remove'],$config['FAIRYEAR']]);
echo happy(i18n('Division successfully removed'));
}
@ -142,8 +133,8 @@ if (get_value_from_array($_GET, 'action') == 'edit' || get_value_from_array($_GE
echo '<input type="hidden" name="action" value="' . get_value_from_array($_GET, 'action') . "\">\n";
if (get_value_from_array($_GET, 'action') == 'edit') {
echo '<input type="hidden" name="saveid" value="' . get_value_from_array($_GET, 'edit') . "\">\n";
$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE id='" . get_value_from_array($_GET, 'edit') . "' AND year='" . $config['FAIRYEAR'] . "'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE id=? AND year=?");
$q->execute([get_value_from_array($_GET, 'edit'),$config['FAIRYEAR']]);
$divisionr = $q->fetch(PDO::FETCH_OBJ);
$buttontext = 'Save';
@ -158,12 +149,12 @@ if (get_value_from_array($_GET, 'action') == 'edit' || get_value_from_array($_GE
// ###### Feature Specific - filtering divisions by category
if ($config['filterdivisionbycategory'] == 'yes') {
echo ' <td>';
$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY mingrade");
$q->execute();
$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year=? ORDER BY mingrade");
$q->execute([$config['FAIRYEAR']]);
while ($categoryr = $q->fetch(PDO::FETCH_OBJ)) {
$query = 'SELECT * FROM projectcategoriesdivisions_link WHERE projectdivisions_id=' . $divisionr->id . ' AND projectcategories_id=' . $categoryr->id . " AND year='" . $config['FAIRYEAR'] . "'";
$query = 'SELECT * FROM projectcategoriesdivisions_link WHERE projectdivisions_id=? AND projectcategories_id=? AND year=?';
$t = $pdo->prepare($query);
$t->execute();
$t->execute([$divisionr->id,$categoryr->id,$config['FAIRYEAR']]);
if ($t && $t->rowCount() > 0)
echo "<nobr><input type=\"checkbox\" name=\"divcat[]\" value=\"$categoryr->id\" checked=\"checked\" /> $categoryr->category</nobr><br/>";
else
@ -175,8 +166,8 @@ if (get_value_from_array($_GET, 'action') == 'edit' || get_value_from_array($_GE
echo ' <td><input type="submit" value="' . i18n($buttontext) . '" /></td>';
echo '</tr>';
} else {
$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY id");
$q->execute();
$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year=? ORDER BY id");
$q->execute([$config['FAIRYEAR']]);
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
echo '<tr>';
echo " <td>$r->id</td>";
@ -186,11 +177,11 @@ if (get_value_from_array($_GET, 'action') == 'edit' || get_value_from_array($_GE
if ($config['filterdivisionbycategory'] == 'yes') {
$c = $pdo->prepare("SELECT category FROM projectcategoriesdivisions_link, projectcategories
WHERE projectcategoriesdivisions_link.projectcategories_id = projectcategories.id
AND projectdivisions_id='$r->id'
AND projectcategoriesdivisions_link.year='" . $config['FAIRYEAR'] . "'
AND projectcategories.year='" . $config['FAIRYEAR'] . "'
AND projectdivisions_id=?
AND projectcategoriesdivisions_link.year=?
AND projectcategories.year=?
ORDER BY projectcategories.mingrade");
$c->execute();
$c->execute([$r->id,$config['FAIRYEAR'],$config['FAIRYEAR']]);
show_pdo_errors_if_any($pdo);
if (!$c) {
$tempcat = '&nbsp;';
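Review bot: In the new-division branch at `@ -82,25 +79,19`, the rewritten link insert names three columns (`projectdivisions_id,projectcategories_id,year`) but supplies only two placeholders, and the bound values are `[$tempcat,$conference['id']]`: the division id is never bound, and `$conference` is not referenced in any other visible hunk of this file, so it looks undefined here. The removed code already had the column/value mismatch, but the commit additionally replaces `$config['FAIRYEAR']` with that variable. It should mirror the edit branch above: `VALUES (?,?,?)` with `$stmt->execute([$_POST['id'],$tempcat,$config['FAIRYEAR']]);`. In the edit branch, `. "division_shortform=?"` is followed directly by `. "WHERE id=? AND year=?"`, giving `division_shortform=?WHERE`; restore the trailing space the removed fragment had.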


@ -35,8 +35,8 @@ send_header('CWSF Project Divisions',
// //// FIX ME!!!!!
if (count(get_value_from_array($_POST, 'cwsfdivision', []))) {
foreach ($_POST['cwsfdivision'] AS $k => $v) {
$stmt = $pdo->prepare("UPDATE projectdivisions SET cwsfdivisionid='$v' WHERE id='$k' AND year='" . $config['FAIRYEAR'] . "'");
$stmt->execute();
$stmt = $pdo->prepare("UPDATE projectdivisions SET cwsfdivisionid=? WHERE id=? AND year=?");
$stmt->execute([$v,$k,$config['FAIRYEAR']]);
}
echo happy(i18n('Corresponding CWSF divisions saved'));
}
@ -53,8 +53,8 @@ echo '<th>' . i18n('Your Division') . "</th>\n";
echo '<th>' . i18n('Corresponding CWSF Division') . "</th>\n";
echo '</tr>';
$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY id");
$q->execute();
$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year=? ORDER BY id");
$q->execute([$config['FAIRYEAR']]);
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
echo '<tr>';
echo ' <td>' . i18n($r->division) . '</td>';


@ -88,7 +88,7 @@ if (get_value_from_array($_GET, 'action') == 'install' && get_value_from_array($
$packs = loadLanguagePacks();
$loaded = 0;
if ($packs[$_GET['install']]) {
$lines = file("http://www.sfiab.ca/languages/{$packs[$_GET['install']]['filename']}");
$lines = file("http://www.sfiab.ca/languages/?");
$totallines = count($lines);
$numtranslations = round($totallines / 2);
echo i18n('There are %1 translations in this language pack... processing...', array($numtranslations));
@ -98,7 +98,7 @@ if (get_value_from_array($_GET, 'action') == 'install' && get_value_from_array($
if (substr($line, 0, 6) == 'UPDATE' || substr($line, 0, 6) == 'INSERT') {
$stmt = $pdo->prepare($line);
$stmt->execute();
$stmt->execute([$packs[$_GET['install']]['filename']]);
$a = $pdo->rowwCount();
$loaded += $a;
} else
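Review bot: The install branch now fetches `"http://www.sfiab.ca/languages/?"` — that `?` is inside a URL, not a SQL statement, so the pack filename is no longer part of the request — and then passes the filename as a bound parameter to `$stmt->execute([...])` for statements read verbatim from the downloaded file, which contain no placeholder and will be rejected by PDO. Restore the original URL interpolation and call `$stmt->execute();` without arguments; each line of the pack is a complete statement, not a parameterizable one. `$pdo->rowwCount()` on the next line looks like a pre-existing typo for `$stmt->rowCount()`, since PDO itself exposes no row-count method. This path executes UPDATE/INSERT statements obtained over plain HTTP with no integrity check, so any rework of it should use HTTPS and verify a published hash or signature of the pack before executing its contents.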


@ -43,18 +43,19 @@
while($r=$q->fetch(PDO::FETCH_OBJ))
{
foreach($config['languages'] AS $lang=>$langname) {
$q_current = $pdo->prepare("SELECT * FROM pagetext WHERE year=".$pdo->quote($config['FAIRYEAR'])." and textname=".$pdo->quote($r->textname)."");
$q_current->execute();
$q_current = $pdo->prepare("SELECT * FROM pagetext WHERE year=? and textname=?");
$q_current->execute([$pdo->quote($config['FAIRYEAR']),$pdo->quote($r->textname)]);
if ($q_current->rowCount() == 0) {
$q1 = $pdo->prepare("INSERT INTO pagetext (`textname`,`textdescription`,`text`,`year`,`lang`) VALUES (
".$pdo->quote($r->textname).",
".$pdo->quote($r->textdescription).",
".$pdo->quote($r->text).",
".$pdo->quote($config['FAIRYEAR']).",
".$pdo->quote($lang).")");
?,
?,
?,
?,
?)");
$q1->execute();
$q1->execute([$pdo->quote($r->textname),$pdo->quote($r->textdescription),$pdo->quote($r->text),
$pdo->quote($config['FAIRYEAR']),$pdo->quote($lang)]);
}
}
}
@ -69,12 +70,12 @@
$stmt = $pdo->prepare("UPDATE pagetext
SET
lastupdate=NOW(),
text=$text
text=?
WHERE
textname=".$pdo->quote($_POST['textname'])."
AND year='".$config['FAIRYEAR']."'
AND lang='$lang'");
$stmt->execute();
textname=?
AND year=?
AND lang=?");
$stmt->execute([$text,$pdo->quote($_POST['textname']),$config['FAIRYEAR'],$lang]);
}
echo happy(i18n("Page texts successfully saved"));
@ -82,8 +83,8 @@
if(get_value_from_array($_GET, 'textname'))
{
$q=$pdo->prepare("SELECT * FROM pagetext WHERE textname='".$_GET['textname']."' AND year='".$config['FAIRYEAR']."'");
$q->execute();
$q=$pdo->prepare("SELECT * FROM pagetext WHERE textname=? AND year=?");
$q->execute([$_GET['textname'],$config['FAIRYEAR']]);
//needs to be at least one entry in any languages
if($r=$q->fetch(PDO::FETCH_OBJ))
{
@ -93,14 +94,14 @@
foreach($config['languages'] AS $lang=>$langname) {
$q=$pdo->prepare("SELECT * FROM pagetext WHERE textname='".$_GET['textname']."' AND year='".$config['FAIRYEAR']."' AND lang='$lang'");
$q->execute();
$q=$pdo->prepare("SELECT * FROM pagetext WHERE textname=? AND year=? AND lang=?");
$q->execute([$_GET['textname'],$config['FAIRYEAR'],$lang]);
$r=$q->fetch(PDO::FETCH_OBJ);
if(!$r)
{
$stmt = $pdo->prepare("INSERT INTO pagetext (textname,year,lang) VALUES ('".$pdo->quote($_GET['textname'])."','".$config['FAIRYEAR']."','$lang')");
$stmt->execute();
$stmt = $pdo->prepare("INSERT INTO pagetext (textname,year,lang) VALUES (?,?,?)");
$stmt->execute([$pdo->quote($_GET['textname']),$config['FAIRYEAR'],$lang]);
show_pdo_errors_if_any($pdo);
}
@ -140,8 +141,8 @@
echo i18n("Choose a page text to edit");
echo "<table class=\"summarytable\">";
$q=$pdo->prepare("SELECT * FROM pagetext WHERE year='".$config['FAIRYEAR']."' AND lang='".$config['default_language']."' ORDER BY textname");
$q->execute();
$q=$pdo->prepare("SELECT * FROM pagetext WHERE year=? AND lang=? ORDER BY textname");
$q->execute([$config['FAIRYEAR'],$config['default_language']]);
echo "<tr><th>".i18n("Page Text Description")."</th><th>".i18n("Last Update")."</th></tr>";
while($r=$q->fetch(PDO::FETCH_OBJ))
{


@ -66,7 +66,7 @@ function roll($currentfairyear, $newfairyear, $table, $where = '', $replace = ar
*/
/* Get field list for this table */
$q = $pdo->prepare("SHOW COLUMNS IN `$table`");
$q = $pdo->prepare("SHOW COLUMNS IN $table");
$q->execute();
show_pdo_errors_if_any($pdo);
while (($c = $q->fetch(PDO::FETCH_ASSOC))) {
@ -91,8 +91,8 @@ function roll($currentfairyear, $newfairyear, $table, $where = '', $replace = ar
$where = '1';
/* Get data */
$q = $pdo->prepare("SELECT * FROM $table WHERE year='$currentfairyear' AND $where");
$q->execute();
$q = $pdo->prepare("SELECT * FROM $table WHERE year=? AND $where");
$q->execute([$currentfairyear]);
show_pdo_errors_if_any($pdo);
$names = '`' . join('`,`', $fields) . '`';
@ -108,8 +108,8 @@ function roll($currentfairyear, $newfairyear, $table, $where = '', $replace = ar
$vals .= ',' . $pdo->quote($r[$f]);
}
$stmt = $pdo->prepare("INSERT INTO `$table`(`year`,$names) VALUES ('$newfairyear'$vals)");
$stmt->execute();
$stmt = $pdo->prepare("INSERT INTO `$table` (`year`,?) VALUES (?,?)");
$stmt->execute([$names,$newfairyear,$vals]);
show_pdo_errors_if_any($pdo);
}
}
@ -134,119 +134,119 @@ if (get_value_from_array($_POST, 'action') == 'rollover' && get_value_from_array
// now the dates
echo i18n('Rolling dates') . '<br />';
$q = $pdo->prepare("SELECT DATE_ADD(date,INTERVAL 365 DAY) AS newdate,name,description FROM dates WHERE year='$currentfairyear'");
$q->execute();
$q = $pdo->prepare("SELECT DATE_ADD(date,INTERVAL 365 DAY) AS newdate,name,description FROM dates WHERE year=?");
$q->execute([$currentfairyear]);
show_pdo_errors_if_any($pdo);
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
$stmt = $pdo->prepare("INSERT INTO dates (date,name,description,year) VALUES (
'" . $r->newdate . "',
'" . $r->name . "',
'" . $r->description . "',
'" . $newfairyear . "')");
$stmt->execute();
?,
?,
?,
?)");
$stmt->execute([$r->newdate,$r->name,$r->description,$newfairyear]);
show_pdo_errors_if_any($pdo);
}
// page text
echo i18n('Rolling page texts') . '<br />';
$q = $pdo->prepare("SELECT * FROM pagetext WHERE year='$currentfairyear'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM pagetext WHERE year=?");
$q->execute([$currentfairyear]);
show_pdo_errors_if_any($pdo);
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
$stmt = $pdo->prepare("INSERT INTO pagetext (textname,textdescription,text,lastupdate,year,lang) VALUES (
'" . $r->textname . "',
'" . $r->textdescription . "',
'" . $r->text . "',
'" . $r->lastupdate . "',
'" . $newfairyear . "',
'" . $r->lang . "')");
$stmt->execute();
?,
?,
?,
?,
?,
?)");
$stmt->execute([$r->textname,$r->textdescription,$r->text,$r->lastupdate,$newfairyear,$r->lang]);
show_pdo_errors_if_any($pdo);
}
echo i18n('Rolling project categories') . '<br />';
// project categories
$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year='$currentfairyear'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year=?");
$q->execute([$currentfairyear]);
show_pdo_errors_if_any($pdo);
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
$stmt = $pdo->prepare("INSERT INTO projectcategories (id,category,category_shortform,mingrade,maxgrade,year) VALUES (
'" . $r->id . "',
'" . $r->category . "',
'" . $r->category_shortform . "',
'" . $r->mingrade . "',
'" . $r->maxgrade . "',
'" . $newfairyear . "')");
$stmt->execute();
?,
?,
?,
?,
?,
?)");
$stmt->execute([$r->id,$r->category,$r->category_shortform,$r->mingrade,$r->maxgrade,$newfairyear]);
show_pdo_errors_if_any($pdo);
}
echo i18n('Rolling project divisions') . '<br />';
// project divisions
$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year='$currentfairyear'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year=?");
$q->execute([$currentfairyear]);
show_pdo_errors_if_any($pdo);
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
$stmt = $pdo->prepare("INSERT INTO projectdivisions (id,division,division_shortform,cwsfdivisionid,year) VALUES (
'" . $r->id . "',
'" . $r->division . "',
'" . $r->division_shortform . "',
'" . $r->cwsfdivisionid . "',
'" . $newfairyear . "')");
$stmt->execute();
?,
?,
?,
?,
?)");
$stmt->execute([$r->id,$r->division,$r->division_shortform,$r->cwsfdivisionid,$newfairyear]);
show_pdo_errors_if_any($pdo);
}
echo i18n('Rolling project category-division links') . '<br />';
// project categories divisions links
$q = $pdo->prepare("SELECT * FROM projectcategoriesdivisions_link WHERE year='$currentfairyear'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM projectcategoriesdivisions_link WHERE year=?");
$q->execute([$currentfairyear]);
show_pdo_errors_if_any($pdo);
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
$stmt = $pdo->prepare("INSERT INTO projectcategoriesdivisions_link (projectdivisions_id,projectcategories_id,year) VALUES (
'" . $r->projectdivisions_id . "',
'" . $r->projectcategories_id . "',
'" . $newfairyear . "')");
$stmt->execute();
?,
?,
?)");
$stmt->execute([$r->projectdivisions_id,$r->projectcategories_id ,$newfairyear]);
show_pdo_errors_if_any($pdo);
}
echo i18n('Rolling project sub-divisions') . '<br />';
// project subdivisions
$q = $pdo->prepare("SELECT * FROM projectsubdivisions WHERE year='$currentfairyear'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM projectsubdivisions WHERE year=?");
$q->execute([$currentfairyear]);
show_pdo_errors_if_any($pdo);
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
$stmt = $pdo->prepare("INSERT INTO projectsubdivisions (id,projectdivisions_id,subdivision,year) VALUES (
'" . $r->id . "',
'" . $r->projectsubdivisions_id . "',
'" . $r->subdivision . "',
'" . $newfairyear . "')");
$stmt->execute();
?,
?,
?,
?)");
$stmt->execute([$r->id,$r->projectsubdivisions_id,$r->subdivision,$newfairyear]);
show_pdo_errors_if_any($pdo);
}
echo i18n('Rolling safety questions') . '<br />';
// safety questions
$q = $pdo->prepare("SELECT * FROM safetyquestions WHERE year='$currentfairyear'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM safetyquestions WHERE year=?");
$q->execute([$currentfairyear]);
show_pdo_errors_if_any($pdo);
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
$stmt = $pdo->prepare("INSERT INTO safetyquestions (question,type,required,ord,year) VALUES (
'" . $r->question . "',
'" . $r->type . "',
'" . $r->required . "',
'" . $r->ord . "',
'" . $newfairyear . "')");
$stmt->execute();
?,
?,
?,
?,
?");
$stmt->execute([$r->question,$r->type,$r->required ,$r->ord,$newfairyear]);
show_pdo_errors_if_any($pdo);
}
echo i18n('Rolling awards') . '<br />';
// awards
$q = $pdo->prepare("SELECT * FROM award_awards WHERE year='$currentfairyear'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM award_awards WHERE year=?");
$q->execute([$currentfairyear]);
show_pdo_errors_if_any($pdo);
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
/* Roll the one award */
@ -265,69 +265,42 @@ if (get_value_from_array($_POST, 'action') == 'rollover' && get_value_from_array
echo i18n('Rolling award types') . '<br />';
// award types
$q = $pdo->prepare("SELECT * FROM award_types WHERE year='$currentfairyear'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM award_types WHERE year=?");
$q->execute([$currentfairyear]);
show_pdo_errors_if_any($pdo);
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
$stmt = $pdo->prepare("INSERT INTO award_types (id,type,`order`,year) VALUES (
'" . $r->id . "',
'" . $r->type . "',
'" . $r->order . "',
'" . $newfairyear . "')");
$stmt->execute();
?,
?,
?,
?)");
$stmt->execute([$r->id,$r->type,$r->order,$newfairyear]);
show_pdo_errors_if_any($pdo);
}
echo i18n('Rolling schools') . '<br />';
// award types
$q = $pdo->prepare("SELECT * FROM schools WHERE year='$currentfairyear'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM schools WHERE year=?");
$q->execute([$currentfairyear]);
show_pdo_errors_if_any($pdo);
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
$puid = ($r->principal_uid == null) ? 'NULL' : ("'" . intval($r->principal_uid) . "'");
$shuid = ($r->sciencehead_uid == null) ? 'NULL' : ("'" . intval($r->sciencehead_uid) . "'");
$stmt = $pdo->prepare('INSERT INTO schools (school,schoollang,schoollevel,board,district,phone,fax,address,city,province_code,postalcode,principal_uid,schoolemail,sciencehead_uid,accesscode,lastlogin,junior,intermediate,senior,registration_password,projectlimit,projectlimitper,year) VALUES (
' . $pdo->quote($r->school) . ',
' . $pdo->quote($r->schoollang) . ',
' . $pdo->quote($r->schoollevel) . ',
' . $pdo->quote($r->board) . ',
' . $pdo->quote($r->district) . ',
' . $pdo->quote($r->phone) . ',
' . $pdo->quote($r->fax) . ',
' . $pdo->quote($r->address) . ',
' . $pdo->quote($r->city) . ',
' . $pdo->quote($r->province_code) . ',
' . $pdo->quote($r->postalcode) . ",$puid,
" . $pdo->quote($r->schoolemail) . ",$shuid,
" . $pdo->quote($r->accesscode) . ',
NULL,
' . $pdo->quote($r->junior) . ',
' . $pdo->quote($r->intermediate) . ',
' . $pdo->quote($r->senior) . ',
' . $pdo->quote($r->registration_password) . ',
' . $pdo->quote($r->projectlimit) . ',
' . $pdo->quote($r->projectlimitper) . ',
' . $newfairyear . ')');
$stmt->execute();
$stmt = $pdo->prepare('INSERT INTO schools (school, schoollang, schoollevel, board, district, phone, fax, address, city, province_code, postalcode, principal_uid, schoolemail, sciencehead_uid, accesscode, lastlogin, junior, intermediate, senior, registration_password, projectlimit, projectlimitper, year) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, NULL, ?, ?, ?, ?, ?, ?, ?)');
$stmt->execute([$r->school, $r->schoollang, $r->schoollevel, $r->board, $r->district, $r->phone, $r->fax, $r->address, $r->city, $r->province_code, $r->postalcode, $puid, $r->schoolemail, $shuid, $r->accesscode, $r->junior, $r->intermediate, $r->senior, $r->registration_password, $r->projectlimit, $r->projectlimitper, $newfairyear]);
show_pdo_errors_if_any($pdo);
}
echo i18n('Rolling questions') . '<br />';
$q = $pdo->prepare("SELECT * FROM questions WHERE year='$currentfairyear'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM questions WHERE year=?");
$q->execute([$currentfairyear]);
show_pdo_errors_if_any($pdo);
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
$stmt = $pdo->prepare("INSERT INTO questions (id,year,section,db_heading,question,type,required,ord) VALUES (
'',
'$newfairyear',
" . $pdo->quote($r->section) . ',
' . $pdo->quote($r->db_heading) . ',
' . $pdo->quote($r->question) . ',
' . $pdo->quote($r->type) . ',
' . $pdo->quote($r->required) . ',
' . $pdo->quote($r->ord) . ')');
$stmt->execute();
$stmt = $pdo->prepare("INSERT INTO questions (id, year, section, db_heading, question, type, required, ord) VALUES ('', ?, ?, ?, ?, ?, ?, ?)");
$stmt->execute([$newfairyear, $r->section, $r->db_heading, $r->question, $r->type, $r->required, $r->ord]);
show_pdo_errors_if_any($pdo);
}
@ -341,32 +314,32 @@ if (get_value_from_array($_POST, 'action') == 'rollover' && get_value_from_array
// timeslots and rounds
echo i18n('Rolling judging timeslots and rounds') . '<br />';
$q = $pdo->prepare("SELECT * FROM judges_timeslots WHERE year='$currentfairyear' AND round_id='0'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM judges_timeslots WHERE year=? AND round_id='0'");
$q->execute([$currentfairyear]);
show_pdo_errors_if_any($pdo);
while ($r = $q->fetch(PDO::FETCH_ASSOC)) {
$d = $newfairyear - $currentfairyear;
$stmt = $pdo->prepare("INSERT INTO judges_timeslots (`year`,`round_id`,`type`,`date`,`starttime`,`endtime`,`name`)
VALUES ('$newfairyear','0','{$r['type']}',DATE_ADD('{$r['date']}', INTERVAL $d YEAR),
'{$r['starttime']}','{$r['endtime']}','{$r['name']}')");
$stmt->execute();
VALUES (?,'0',?,DATE_ADD(?, INTERVAL ? YEAR),
?,?,?)");
$stmt->execute([$newfairyear,$r['type'],$r['date'],$d,$r['starttime'],$r['endtime'],$r['name']]);
show_pdo_errors_if_any($pdo);
$round_id = $pdo->lastInsertId();
$qq = $pdo->prepare("SELECT * FROM judges_timeslots WHERE round_id='{$r['id']}'");
$qq->execute();
$qq = $pdo->prepare("SELECT * FROM judges_timeslots WHERE round_id=?");
$qq->execute([$r['id']]);
show_pdo_errors_if_any($pdo);
while ($rr = $qq->fetch(PDO::FETCH_ASSOC)) {
$stmt = $pdo->prepare("INSERT INTO judges_timeslots (`year`,`round_id`,`type`,`date`,`starttime`,`endtime`)
VALUES ('$newfairyear','$round_id','timeslot',DATE_ADD('{$rr['date']}', INTERVAL $d YEAR),
'{$rr['starttime']}','{$rr['endtime']}')");
$stmt->execute();
VALUES (?,?,'timeslot',DATE_ADD(?, INTERVAL ? YEAR),
?,?)");
$stmt->execute([$newfairyear,$round_id,$rr['date'],$d,$rr['starttime'],$rr['endtime']]);
show_pdo_errors_if_any($pdo);
}
}
echo '<br /><br />';
$stmt = $pdo->prepare("UPDATE config SET val='$newfairyear' WHERE var='FAIRYEAR' AND year=0");
$stmt->execute();
$stmt = $pdo->prepare("UPDATE config SET val=? WHERE var='FAIRYEAR' AND year=0");
$stmt->execute([$newfairyear]);
show_pdo_errors_if_any($pdo);
echo happy(i18n('Fair year has been rolled over from %1 to %2', array($currentfairyear, $newfairyear)));
send_footer();
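Review bot: The rewritten roll() INSERT binds the column list `$names` and the already-quoted value string `$vals` as two parameters, so the driver sends them as string literals and the statement fails with a column-count mismatch instead of copying the row; placeholders can only stand for values, never for identifiers or SQL fragments. Since every entry in `$vals` already went through `$pdo->quote()` on the preceding line, the minimal fix is to keep `$names` and `$vals` interpolated as before and bind only the year: `VALUES (?$vals)` with `$stmt->execute([$newfairyear]);`. The same mistake of binding SQL text rather than a value recurs later in this commit in rolloverfiscalyear's `SELECT ? FROM fundraising_goals` and in db_update_116's `UPDATE users SET ?` and `DELETE FROM users ?`. Separately, the safetyquestions INSERT in the rollover loop now ends with `?");` and has lost the closing parenthesis of its VALUES list, and the schools INSERT binds `$puid`/`$shuid`, which are still built as SQL literal text (`'NULL'` or a quoted number) and so should become plain `null` or `intval(...)` values. roll() begins before the first hunk of this file.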


@ -82,8 +82,8 @@ function rolloverfiscalyear($newYear)
// first we'll roll over fundraising_campaigns:
$fields = '`name`,`type`,`startdate`,`enddate`,`followupdate`,`active`,`target`,`fundraising_goal`,`filterparameters`';
$q = $pdo->prepare("SELECT $fields FROM fundraising_campaigns WHERE fiscalyear = $oldYear");
$q->execute();
$q = $pdo->prepare("SELECT $fields FROM fundraising_campaigns WHERE fiscalyear =?");
$q->execute([$oldYear]);
while ($pdo->errorInfo()[0] == 0 && $r = $q->fetch(PDO::FETCH_ASSOC)) {
foreach (array('startdate', 'enddate', 'followupdate') as $dateField) {
@ -100,16 +100,16 @@ function rolloverfiscalyear($newYear)
foreach ($values as $idx => $val) {
$values[$idx] = $val;
}
$query = 'INSERT INTO fundraising_campaigns (`' . implode('`,`', $fields) . "`) VALUES('" . implode("','", $values) . "')";
$query = 'INSERT INTO fundraising_campaigns (`' . implode('`,`', $fields) . "`) VALUES(?)";
$stmt = $pdo->prepare($query);
$stmt->execute();
$stmt->execute([implode("','", $values)]);
}
// next we'll hit findraising_donor_levels
$fields = '`level`,`min`,`max`,`description`';
if ($pdo->errorInfo()[0] == 0)
$q = $pdo->prepare("SELECT $fields FROM fundraising_donor_levels WHERE fiscalyear = $oldYear");
$q->execute();
$q = $pdo->prepare("SELECT $fields FROM fundraising_donor_levels WHERE fiscalyear =?");
$q->execute([$oldYear]);
while ($pdo->errorInfo()[0] == 0 && $r = $q->fetch(PDO::FETCH_ASSOC)) {
$r['fiscalyear'] = $newYear;
$fields = array_keys($r);
@ -117,16 +117,16 @@ function rolloverfiscalyear($newYear)
foreach ($values as $idx => $val) {
$values[$idx] = $val;
}
$query = 'INSERT INTO fundraising_donor_levels (`' . implode('`,`', $fields) . "`) VALUES('" . implode("','", $values) . "')";
$query = 'INSERT INTO fundraising_donor_levels (`' . implode('`,`', $fields) . "`) VALUES(?)";
$stmt = $pdo->prepare($query);
$stmt->execute();
$stmt->execute([implode("','", $values)]);
}
// and now we'll do findraising_goals
$fields = '`goal`,`name`,`description`,`system`,`budget`,`deadline`';
if ($pdo->errorInfo()[0] == 0) {
$q = $pdo->prepare("SELECT $fields FROM fundraising_goals WHERE fiscalyear = $oldYear");
$q->execute();
$q = $pdo->prepare("SELECT ? FROM fundraising_goals WHERE fiscalyear =?");
$q->execute([$fields,$oldYear]);
}
while ($pdo->errorInfo()[0] == 0 && $r = $q->fetch(PDO::FETCH_ASSOC)) {
$dateval = $r['deadline'];
@ -142,15 +142,15 @@ function rolloverfiscalyear($newYear)
foreach ($values as $idx => $val) {
$values[$idx] = $val;
}
$query = 'INSERT INTO fundraising_goals (`' . implode('`,`', $fields) . "`) VALUES('" . implode("','", $values) . "')";
$query = 'INSERT INTO fundraising_goals (`' . implode('`,`', $fields) . "`) VALUES(?)";
$stmt = $pdo->prepare($query);
$stmt->execute();
$stmt->execute([implode("','", $values)]);
}
// finally, let's update the fiscal year itself:
if ($pdo->errorInfo()[0] == 0) {
$stmt = $pdo->prepare("UPDATE config SET val='$newYear' WHERE var='FISCALYEAR'");
$stmt->execute();
$stmt = $pdo->prepare("UPDATE config SET val=? WHERE var='FISCALYEAR'");
$stmt->execute([$newYear]);
}
if ($pdo->errorInfo()[0] == 0) {
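Review bot: The three INSERTs rewritten as `VALUES(?)` bind `implode("','", $values)` as a single parameter, so a row with several columns is sent with one value containing embedded quote characters and fails with a column-count mismatch. Each site should emit one placeholder per value, `implode(',', array_fill(0, count($values), '?'))`, and then bind the array directly with `$stmt->execute($values);`. The goals SELECT at the top of the third hunk has the same class of error in the other direction: `SELECT ? FROM fundraising_goals` binds the column list as a string literal, so each row comes back as a single constant column and `$r['deadline']` is never set; `$fields` must stay interpolated there, as the campaigns and donor-level SELECTs still do. rolloverfiscalyear() begins and ends outside these hunks.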


@ -36,12 +36,13 @@ if (get_value_from_array($_POST, 'action') == 'save' && get_value_from_array($_P
echo notice(i18n('Defaulting non-numeric order value %1 to 0', array($_POST['ord'])));
$stmt = $pdo->prepare("UPDATE safetyquestions SET
question='" . stripslashes($_POST['question']) . "',
`type`='" . stripslashes($_POST['type']) . "',
`required`='" . stripslashes($_POST['required']) . "',
ord='" . stripslashes($_POST['ord']) . "'
WHERE id='" . $_POST['save'] . "' AND year='" . $config['FAIRYEAR'] . "'");
$stmt->execute();
question=?,
`type`=?,
`required`=?,
ord=?
WHERE id=? AND year=?");
$stmt->execute([stripslashes($_POST['question']),stripslashes($_POST['type']),stripslashes($_POST['required']),
stripslashes($_POST['ord']),$_POST['save'],$config['FAIRYEAR']]);
show_pdo_errors_if_any($pdo);
echo happy(i18n('Safety question successfully saved'));
@ -52,13 +53,14 @@ if (get_value_from_array($_POST, 'action') == 'save' && get_value_from_array($_P
if (get_value_from_array($_POST, 'action') == 'new') {
if ($_POST['question']) {
$stmt = $pdo->prepare("INSERT INTO safetyquestions (question,type,required,ord,year) VALUES (
'" . stripslashes($_POST['question']) . "',
'" . stripslashes($_POST['type']) . "',
'" . stripslashes($_POST['required']) . "',
'" . stripslashes($_POST['ord']) . "',
'" . $config['FAIRYEAR'] . "'
?,
?,
?,
?,
?
)");
$stmt->execute();
$stmt->execute([stripslashes($_POST['question']),stripslashes($_POST['type']),stripslashes($_POST['required']),
stripslashes($_POST['ord']),$config['FAIRYEAR'] ]);
show_pdo_errors_if_any($pdo);
echo happy(i18n('Safety question successfully added'));
@ -67,8 +69,8 @@ if (get_value_from_array($_POST, 'action') == 'new') {
}
if (get_value_from_array($_GET, 'action') == 'remove' && get_value_from_array($_GET, 'remove')) {
$stmt = $pdo->prepare("DELETE FROM safetyquestions WHERE id='" . $_GET['remove'] . "' AND year='" . $config['FAIRYEAR'] . "'");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM safetyquestions WHERE id=? AND year=?");
$stmt->execute([$_GET['remove'],$config['FAIRYEAR']]);
echo happy(i18n('Safety question successfully removed'));
}
@ -82,8 +84,8 @@ if ((get_value_from_array($_GET, 'action') == 'edit' && get_value_from_array($_G
} else if ($_GET['action'] == 'edit') {
$buttontext = 'Save safety question';
echo "<input type=\"hidden\" name=\"action\" value=\"save\">\n";
$q = $pdo->prepare("SELECT * FROM safetyquestions WHERE id='" . $_GET['edit'] . "' AND year='" . $config['FAIRYEAR'] . "'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM safetyquestions WHERE id=? AND year=?");
$q->execute([$_GET['edit'],$config['FAIRYEAR'] ]);
echo '<input type="hidden" name="save" value="' . $_GET['edit'] . "\">\n";
if (!$r = $q->fetch(PDO::FETCH_OBJ)) {
$showform = false;
@ -141,8 +143,8 @@ echo '<br />';
echo '<a href="safetyquestions.php?action=new">' . i18n('Add new safety question') . '</a>';
echo '<table class="summarytable">';
$q = $pdo->prepare("SELECT * FROM safetyquestions WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY ord");
$q->execute();
$q = $pdo->prepare("SELECT * FROM safetyquestions WHERE year=? ORDER BY ord");
$q->execute([$config['FAIRYEAR']]);
echo '<tr><th>' . i18n('Ord') . '</th><th>' . i18n('Question') . '</th><th>' . i18n('Type') . '</th><th>' . i18n('Required') . '</th><th>' . i18n('Actions') . '</th></tr>';
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
echo '<tr>';
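Review bot: The UPDATE and INSERT in the first two hunks still wrap every `$_POST` value in `stripslashes()` before binding it; with parameterised queries nothing adds slashes any more, so a question containing a literal backslash is silently altered on save. Unless some upstream code in this application still escapes request data, the wrappers should go and the raw values be bound, e.g. `$stmt->execute([$_POST['question'], $_POST['type'], $_POST['required'], $_POST['ord'], $_POST['save'], $config['FAIRYEAR']]);`. Unrelated to the SQL change but visible in the edit hunk, the hidden-field echo of `$_GET['edit']` is still written into the HTML unescaped; `htmlspecialchars($_GET['edit'], ENT_QUOTES)` would close that while the file is being touched.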


@ -66,10 +66,10 @@ if (get_value_from_array($_POST, 'action') == 'save') {
$stmt->bindParam(':text', $val);
$stmt->execute();
$stmt = $pdo->prepare("UPDATE signaturepage SET `use`='$usepa', `text`='" . get_value_from_array($_POST, 'postamble') . "' WHERE name='postamble'");
$stmt->execute();
$stmt = $pdo->prepare("UPDATE signaturepage SET `use`='$userf', `text`='' WHERE name='regfee'");
$stmt->execute();
$stmt = $pdo->prepare("UPDATE signaturepage SET `use`=?, `text`=? WHERE name='postamble'");
$stmt->execute([$usepa,get_value_from_array($_POST, 'postamble')]);
$stmt = $pdo->prepare("UPDATE signaturepage SET `use`=?, `text`='' WHERE name='regfee'");
$stmt->execute([$userf]);
echo happy(i18n("$sentence_begin_participationform text successfully saved"));
}


@ -41,17 +41,17 @@ if (get_value_from_array($_GET, 'action') == 'edit' || get_value_from_array($_GE
if (get_value_from_array($_POST, 'action') == 'edit') {
if (get_value_from_array($_POST, 'id') && get_value_from_array($_POST, 'projectdivisions_id') && get_value_from_array($_POST, 'subdivision')) {
$q = $pdo->prepare("SELECT id FROM projectsubdivisions WHERE id='" . $_POST['id'] . "' AND year='" . $config['FAIRYEAR'] . "'");
$q->execute();
$q = $pdo->prepare("SELECT id FROM projectsubdivisions WHERE id=? AND year=?");
$q->execute([$_POST['id'],$config['FAIRYEAR']]);
if ($q->rowCount() && $_POST['saveid'] != $_POST['id']) {
echo error(i18n('Sub-Division ID %1 already exists', array($_POST['id'])));
} else {
$stmt = $pdo->prepare('UPDATE projectsubdivisions SET '
. "id='" . $_POST['id'] . "', "
. "projectdivisions_id='" . $_POST['projectdivisions_id'] . "', "
. "subdivision='" . stripslashes($_POST['subdivision']) . "' "
. "WHERE id='" . $_POST['saveid'] . "'");
$stmt->execute();
. "id=?, "
. "projectdivisions_id=?, "
. "subdivision=?"
. "WHERE id=?");
$stmt->execute([$_POST['id'],$_POST['projectdivisions_id'],stripslashes($_POST['subdivision']),$_POST['saveid']]);
echo happy(i18n('Sub-Division successfully saved'));
}
} else {
@ -69,17 +69,13 @@ if (get_value_from_array($_POST, 'action') == 'new') {
} else
$newid = $_POST['id'];
$q = $pdo->prepare("SELECT id FROM projectsubdivisions WHERE id='$newid' AND year='" . $config['FAIRYEAR'] . "'");
$q->execute();
$q = $pdo->prepare("SELECT id FROM projectsubdivisions WHERE id=? AND year=?");
$q->execute([$newid,$config['FAIRYEAR']]);
if ($q->rowCount()) {
echo error(i18n('Sub-Division ID %1 already exists', array($newid)));
} else {
$stmt = $pdo->prepare('INSERT INTO projectsubdivisions (id,projectdivisions_id,subdivision,year) VALUES ( '
. "'$newid', "
. "'" . $_POST['projectdivisions_id'] . "', "
. "'" . stripslashes($_POST['subdivision']) . "', "
. "'" . $config['FAIRYEAR'] . "') ");
$stmt->execute();
$stmt = $pdo->prepare('INSERT INTO projectsubdivisions (id,projectdivisions_id,subdivision,year) VALUES (?,?,?,?) ');
$stmt->execute([$newid,$_POST['projectdivisions_id'],stripslashes($_POST['subdivision']),$config['FAIRYEAR']]);
echo happy(i18n('Sub-Division successfully added'));
}
} else {
@ -88,8 +84,8 @@ if (get_value_from_array($_POST, 'action') == 'new') {
}
if (get_value_from_array($_GET, 'action') == 'remove' && get_value_from_array($_GET, 'remove')) {
$stmt = $pdo->prepare("DELETE FROM projectsubdivisions WHERE id='" . $_GET['remove'] . "'");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM projectsubdivisions WHERE id=?");
$stmt->execute([$_GET['remove']]);
echo happy(i18n('Sub-Division successfully removed'));
}
@ -111,8 +107,8 @@ if (get_value_from_array($_GET, 'action') == 'edit' || get_value_from_array($_GE
$divisionr = array();
if (get_value_from_array($_GET, 'action') == 'edit') {
echo '<input type="hidden" name="saveid" value="' . get_value_from_array($_GET, 'edit') . "\">\n";
$q = $pdo->prepare("SELECT * FROM projectsubdivisions WHERE id='" . get_value_from_array($_GET, 'edit') . "' AND year='" . $config['FAIRYEAR'] . "'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM projectsubdivisions WHERE id=? AND year=?");
$q->execute([get_value_from_array($_GET, 'edit'),$config['FAIRYEAR']]);
$divisionr = $q->fetch(PDO::FETCH_OBJ);
$buttontext = 'Save';
} else if ($_GET['action'] == 'new') {
@ -121,8 +117,8 @@ if (get_value_from_array($_GET, 'action') == 'edit' || get_value_from_array($_GE
echo '<tr>';
echo ' <td>';
echo '<select name="projectdivisions_id">';
$dq = $pdo->prepare("SELECT * FROM projectdivisions WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY division");
$dq->execute();
$dq = $pdo->prepare("SELECT * FROM projectdivisions WHERE year=? ORDER BY division");
$dq->execute([$config['FAIRYEAR']]);
while ($dr = $dq->fetch(PDO::FETCH_OBJ)) {
if ($dr->id == $divisionr->projectdivisions_id)
$sel = 'selected="selected"';
@ -146,12 +142,12 @@ if (get_value_from_array($_GET, 'action') == 'edit' || get_value_from_array($_GE
projectsubdivisions,
projectdivisions
WHERE
projectsubdivisions.year='" . $config['FAIRYEAR'] . "'
AND projectdivisions.year='" . $config['FAIRYEAR'] . "'
projectsubdivisions.year=?
AND projectdivisions.year=?
AND projectsubdivisions.projectdivisions_id=projectdivisions.id
ORDER BY
division,subdivision");
$q->execute();
$q->execute([$config['FAIRYEAR'],$config['FAIRYEAR']]);
show_pdo_errors_if_any($pdo);
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
echo '<tr>';
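Review bot: In the edit UPDATE of the first hunk the concatenated fragments `"subdivision=?"` and `"WHERE id=?"` now join with no separating whitespace, producing `subdivision=?WHERE id=?`; the old line kept a trailing space and the new one should too: `. "subdivision=? "`. Whether the server tolerates the missing space depends on how the driver substitutes the placeholder, so it is safest not to rely on it. The enclosing `if` block continues past the hunk.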


@ -32,22 +32,23 @@ $q = $pdo->prepare("SELECT * FROM config WHERE year='-1'");
$q->execute();
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
$q = $pdo->prepare("INSERT INTO config (var,val,category,type,type_values,ord,description,year) VALUES (
'" . $r->var . "',
'" . $r->val . "',
'" . $r->category . "',
'" . $r->type . "',
'" . $r->type_values . "',
'" . $r->ord . "',
'" . $r->description . "',
'" . $config['FAIRYEAR'] . "')");
?,
?,
?,
?,
?,
?,
?,
?)");
$q->execute([$r->var,$r->val,$r->category,$r->type,$r->type_values,$r->ord,$r->description,$config['FAIRYEAR']]);
}
// for the Special category
if (get_value_from_array($_POST, 'action') == 'save') {
if (get_value_from_array($_POST, 'specialconfig')) {
foreach ($_POST['specialconfig'] as $key => $val) {
$stmt = $pdo->prepare("UPDATE config SET val='" . stripslashes($val) . "' WHERE year='0' AND var='$key'");
$stmt->execute();
$stmt = $pdo->prepare("UPDATE config SET val=? WHERE year='0' AND var=?");
$stmt->execute([stripslashes($val),$key]);
}
}
message_push(happy(i18n('Configuration successfully saved')));
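Review bot: The INSERT inside the `while ($r = $q->fetch(...))` loop is assigned to `$q`, the same variable that holds the SELECT cursor being iterated, so from the second iteration on `$q->fetch()` runs against the INSERT statement and returns false: only one year='-1' default row is ever copied into the current fair year. This predates the commit, but the hunk rewrites both lines, and a separate handle fixes it: `$stmt = $pdo->prepare("INSERT INTO config (var,val,category,type,type_values,ord,description,year) VALUES (?,?,?,?,?,?,?,?)");` followed by `$stmt->execute([$r->var,$r->val,$r->category,$r->type,$r->type_values,$r->ord,$r->description,$config['FAIRYEAR']]);`.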


@ -29,9 +29,9 @@ include_once ('helper.inc.php');
function config_editor_load($category, $year)
{
global $pdo;
$query = "SELECT * FROM config WHERE year='$year' AND category='$category' ORDER BY ord";
$query = "SELECT * FROM config WHERE year=? AND category=? ORDER BY ord";
$q = $pdo->prepare($query);
$q->execute();
$q->execute([$year, $category]);
// print_r($pdo->errorInfo());
$var = array();
@ -94,10 +94,10 @@ function config_update_variables($fairyear = NULL, $lastfairyear = NULL)
*/
$q = $pdo->prepare("SELECT config.var FROM `config`
LEFT JOIN `config` AS C2 ON(config.var=C2.var
AND C2.year='$fairyear')
AND C2.year=?)
WHERE config.year=-1 AND C2.year IS NULL");
$q->execute();
$q->execute([$fairyear]);
show_pdo_errors_if_any($pdo);
while ($i = $q->fetch(PDO::FETCH_ASSOC)) {
@ -108,11 +108,11 @@ function config_update_variables($fairyear = NULL, $lastfairyear = NULL)
* the -1 year, prefer last year's value
*/
$r2 = $pdo->prepare("SELECT * FROM `config`
WHERE config.var='$var'
AND (config.year='$lastfairyear'
WHERE config.var=?
AND (config.year=?
OR config.year='-1')
ORDER BY config.year DESC");
$r2->execute();
$r2->execute([$var, $lastfairyear]);
show_pdo_errors_if_any($pdo);
if ($r2->rowCount() < 1) {
@ -123,17 +123,8 @@ function config_update_variables($fairyear = NULL, $lastfairyear = NULL)
$v = $r2->fetch(PDO::FETCH_ASSOC);
$r3 = $pdo->prepare('INSERT INTO config (var,val,category,type,type_values,ord,description,year) VALUES (
' . $pdo->quote($v['var']) . ',
' . $pdo->quote($v['val']) . ',
' . $pdo->quote($v['category']) . ',
' . $pdo->quote($v['type']) . ',
' . $pdo->quote($v['type_values']) . ',
' . $pdo->quote($v['ord']) . ',
' . $pdo->quote($v['description']) . ",
'$fairyear')");
$r3->execute();
$r3 = $pdo->prepare('INSERT INTO config (var,val,category,type,type_values,ord,description,year) VALUES (?,?,?,?,?,?,?,?)');
$r3->execute([$pdo->quote($v['var']),$pdo->quote($v['val']),$pdo->quote($v['category']),$pdo->quote($v['type']),$pdo->quote($v['type_values']),$pdo->quote($v['ord']),$pdo->quote($v['description']),$fairyear]);
show_pdo_errors_if_any($pdo);
}
}
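Review bot: The rewritten config INSERT passes each value through `$pdo->quote()` before binding it, so the driver quotes it a second time and the stored rows carry literal surrounding quote characters (and doubled escaping inside). With placeholders the values must be bound raw: `$r3->execute([$v['var'], $v['val'], $v['category'], $v['type'], $v['type_values'], $v['ord'], $v['description'], $fairyear]);`. The same double-quoting appears in this commit's pagetext INSERT and UPDATE, where a `textname` bound through `$pdo->quote()` will also never match the existing row in the WHERE clause, and where `$text` looks to have been pre-quoted by the caller as well. config_update_variables() begins and ends outside these hunks.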


@ -32,8 +32,8 @@ send_header('Confirmed Participants');
global $stats_totalstudents;
// first, lets make sure someone isnt tryint to see something that they arent allowed to!
$q = $pdo->prepare("SELECT (NOW()>'" . $config['dates']['postparticipants'] . "') AS test");
$q->execute();
$q = $pdo->prepare("SELECT (NOW()>? AS test");
$q->execute($config['dates']['postparticipants']);
$r = $q->fetch(PDO::FETCH_OBJ);
if ($r->test != 1) {
list($d, $t) = explode(' ', $config['dates']['postparticipants']);
@ -56,16 +56,16 @@ if ($r->test != 1) {
LEFT JOIN projectdivisions ON projectdivisions.id=projects.projectdivisions_id
WHERE
1
AND registrations.year='" . $config['FAIRYEAR'] . "'
AND projectcategories.year='" . $config['FAIRYEAR'] . "'
AND projectdivisions.year='" . $config['FAIRYEAR'] . "'
AND registrations.year=?
AND projectcategories.year=?
AND projectdivisions.year=?
AND (status='complete' OR status='paymentpending')
ORDER BY
projectcategories.id,
projectdivisions.id,
projects.projectnumber
");
$q->execute();
$q->execute([$config['FAIRYEAR'], $config['FAIRYEAR'], $config['FAIRYEAR']]);
// Check for errors after the query execution
$errorInfo = $pdo->errorInfo();
@ -129,11 +129,11 @@ if ($r->test != 1) {
FROM
students,schools
WHERE
students.registrations_id='$r->reg_id'
students.registrations_id=?
AND
students.schools_id=schools.id
");
$sq->execute();
$sq->execute([$r->reg_id]);
// Check for errors after the query execution
$errorInfo = $pdo->errorInfo();
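Review bot: The date-gate query in the first hunk is now `SELECT (NOW()>? AS test` with its closing parenthesis lost, and `execute()` is handed the date string directly rather than an array, so the check throws (a TypeError on PHP 8) or fails before `$r->test` is read. It should read `$q = $pdo->prepare("SELECT (NOW()>?) AS test");` and `$q->execute([$config['dates']['postparticipants']]);`. Since this is the guard that keeps the participant list hidden until the publication date, it is worth also handling a false `$r` explicitly instead of letting the comparison below run on a missing property.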


@ -39,9 +39,8 @@ if (get_value_from_array($_POST, 'action') == 'send') {
if (isEmailAddress(get_value_from_array($_POST, 'fromemail'))) {
list($id, $md5email) = explode(':', $_POST['to']);
$q = $pdo->prepare('SELECT * FROM users WHERE uid=.?. ORDER BY year DESC LIMIT 1');
$q->bindParam(1, $id);
$q->execute();
$q = $pdo->prepare('SELECT * FROM users WHERE uid=? ORDER BY year DESC LIMIT 1');
$q->execute([$id]);
// if a valid selection is made from the list, then this will always match.
if ($md5email == md5($r->email)) {
$from = cleanify($_POST['from']) . ' <' . cleanify($_POST['fromemail']) . '>';
@ -99,11 +98,11 @@ while ($r = $q->fetch(PDO::FETCH_ASSOC)) {
users.deleted
FROM committees_link
LEFT JOIN users ON users.uid = committees_link.users_uid
WHERE committees_id=' . $r['id'] . '
WHERE committees_id=?
GROUP BY users.uid
ORDER BY ord,users.lastname');
$q2->execute();
$q2->execute([$r['id']]);
// if there's nobody in this committee, then just skip it and go on to the next one.
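Review bot: After the users SELECT in the first hunk nothing fetches a row into `$r` before `md5($r->email)` is compared on the following context line; unless `$r` is assigned above the hunk, the comparison runs on an undefined variable and the recipient validation can never pass. Add `$r = $q->fetch(PDO::FETCH_OBJ);` after `$q->execute([$id]);` and stop when it returns false. Dropping the stray `.?.` placeholder syntax from the old prepare is correct. The surrounding `if` begins outside the hunk.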


@ -3,16 +3,16 @@ function db_update_111_post()
{
global $config, $pdo;
// grab the index page
$q = $pdo->prepare("SELECT * FROM pagetext WHERE textname='index' AND year='{$config['FAIRYEAR']}'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM pagetext WHERE textname='index' AND year=?");
$q->execute([$config['FAIRYEAR']]);
if (!$q->rowCount()) {
$q = $pdo->prepare("SELECT * FROM pagetext WHERE textname='index' AND year='-1'");
$q->execute();
}
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
// insert it into the CMS under index.html
$stmt = $pdo->prepare("INSERT INTO cms (filename,dt,lang,text,showlogo) VALUES ('index.html','$r->lastupdate','$r->lang','" . $r->text . "','1')");
$stmt->execute();
$stmt = $pdo->prepare("INSERT INTO cms (filename,dt,lang,text,showlogo) VALUES ('index.html',?,?,?,'1')");
$stmt->execute([$r->lastupdate,$r->lang,$r->text]);
}
// and remove it from the pagetext
$stmt = $pdo->prepare("DELETE FROM pagetext WHERE textname='index'");


@ -4,8 +4,8 @@ function db_update_116_post()
global $config, $pdo;
/* Fix the users that have a 0 year */
$q = $pdo->prepare("UPDATE `users` SET year={$config['FAIRYEAR']} WHERE year=0");
$q->execute();
$q = $pdo->prepare("UPDATE `users` SET year=? WHERE year=0");
$q->execute([$config['FAIRYEAR']]);
show_pdo_errors_if_any($pdo);
/* Fix users without a username */
@ -25,8 +25,8 @@ function db_update_116_post()
$username = '';
for ($x = 0; $x < 16; $x++)
$username .= $available[rand(0, $len)];
$stmt = $pdo->prepare("UPDATE users SET username='$username' WHERE id='$r->id'");
$stmt->execute();
$stmt = $pdo->prepare("UPDATE users SET username=? WHERE id=?");
$stmt->execute([$username,$r->id]);
}
// okay now finally, there's a chance of duplicates from
@ -37,9 +37,9 @@ function db_update_116_post()
while ($r = $q->fetch(PDO::FETCH_ASSOC)) {
$orig_r = $r;
$qq = $pdo->prepare("SELECT * FROM `users` WHERE
(`username`='{$r['username']}' OR `email`='{$r['email']}')
AND `id`!={$r['id']}");
$qq->execute();
(`username`=? OR `email`=?)
AND `id`!=?");
$qq->execute([$r['username'],$r['email'],$r['id']]);
if ($qq->rowCount() == 0)
continue;
@ -93,8 +93,8 @@ function db_update_116_post()
}
if (count($set)) {
$query = join(',', $set);
$stmt = $pdo->prepare("UPDATE `users` SET $query WHERE id={$r['id']}");
$stmt->execute();
$stmt = $pdo->prepare("UPDATE `users` SET ? WHERE id=?");
$stmt->execute([$query,$r['id']]);
echo "Update query: UPDATE `users` SET $query WHERE id={$r['id']}\n";
}
@ -104,13 +104,13 @@ function db_update_116_post()
echo "Merged... Deleting duplicate and adjusting volunteer tables...\n";
/* Delete the dupe */
$stmt = $pdo->prepare("DELETE FROM `users` $where_id");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM `users` ?");
$stmt->execute([$where_id]);
/* Update volunteer linkage */
$stmt = $pdo->prepare("UPDATE `users_volunteer` SET `users_id`={$r['id']} $where_users_id");
$stmt->execute();
$stmt = $pdo->prepare("UPDATE `volunteer_positions_signup` SET `users_id`={$r['id']} $where_users_id");
$stmt->execute();
$stmt = $pdo->prepare("UPDATE `users_volunteer` SET `users_id`=? ?");
$stmt->execute([$r['id'],$where_users_id]);
$stmt = $pdo->prepare("UPDATE `volunteer_positions_signup` SET `users_id`=? ?");
$stmt->execute([$r['id'],$where_users_id]);
echo "done with this user.\n";
}
@ -120,9 +120,9 @@ function db_update_116_post()
$q->execute();
while ($i = $q->fetch(PDO::FETCH_OBJ)) {
$stmt = $pdo->prepare("INSERT INTO users_volunteer(`users_id`,`volunteer_active`,`volunteer_complete`)
VALUES ('{$i->id}','yes','{$i->complete}')");
VALUES (?,'yes',?)");
$stmt->execute();
$stmt->execute([$i->id,$i->complete]);
}
/* Update any remaining volunteer entries */
@ -130,9 +130,9 @@ function db_update_116_post()
$q->execute();
while ($i = $q->fetch(PDO::FETCH_OBJ)) {
$stmt = $pdo->prepare("UPDATE users_volunteer
SET volunteer_complete='{$i->complete}'
WHERE users_id='{$i->id}'");
$stmt->execute();
SET volunteer_complete=?
WHERE users_id=?");
$stmt->execute([$i->complete,$i->id]);
show_pdo_errors_if_any($pdo);
}
@ -142,8 +142,8 @@ function db_update_116_post()
while ($i = $q->fetch(PDO::FETCH_OBJ)) {
$stmt = $pdo->prepare("UPDATE users_committee
SET committee_active='yes'
WHERE users_id='{$i->id}'");
$stmt->execute();
WHERE users_id=?");
$stmt->execute([$i->id]);
show_pdo_errors_if_any($pdo);
}
@ -196,8 +196,8 @@ function db_update_116_post()
$updateexclude = array('id', 'uid', 'types', 'username', 'password', 'passwordset', 'oldpassword', 'year', 'created', 'lastlogin', 'firstaid', 'cpr', 'deleted', 'deleteddatetime');
// check if a user already exists with this username
$uq = $pdo->prepare("SELECT * FROM users WHERE (username='" . $j->email . "' OR email='" . $j->email . "') AND year='$j->year'");
$uq->execute();
$uq = $pdo->prepare("SELECT * FROM users WHERE (username? OR email=?) AND year=?");
$uq->execute([$j->email,$j->email,$j->year]);
if ($j->email && $ur = $uq->fetch(PDO::FETCH_OBJ)) {
$id = $ur->id;
echo "Using existing users.id=$id for judges.id=$j->id because email address/year ($j->email/$j->year) matches\n";
@ -208,9 +208,9 @@ function db_update_116_post()
$sqlset .= "`$f`='" . $j->$f . "', ";
}
}
$sql = "UPDATE users SET $sqlset `types`='{$ur->types},judge',`username`='" . $j->email . "' WHERE id='$id'";
$sql = "UPDATE users SET ? `types`=?,judge',`username`=? WHERE id=?";
$stmt = $pdo->prepare($sql);
$stmt->execute();
$stmt->execute([$sqlset,$ur->types,$j->email,$id]);
show_pdo_errors_if_any($pdo);
echo " Updated user record with judge info, but only merged:\n";
echo " ($sqlset)\n";
@ -218,14 +218,14 @@ function db_update_116_post()
/* Insert the judge */
$fields = '`' . join('`,`', array_keys($u)) . '`';
$vals = "'" . join("','", array_values($u)) . "'";
$q = $pdo->prepare("INSERT INTO users ($fields) VALUES ($vals)");
$q->execute();
$q = $pdo->prepare("INSERT INTO users (?) VALUES (?)");
$q->execute([$fields,$vals]);
$id = $pdo->lastInsertId();
if ($map[$j->id]['uid'] == '') {
$map[$j->id]['uid'] = $id;
$q = $pdo->prepare("UPDATE users SET `uid`='$id' WHERE id='$id'");
$q->execute();
$q = $pdo->prepare("UPDATE users SET `uid`=? WHERE id=?");
$q->execute([$id,$id]);
}
}
@ -246,8 +246,8 @@ function db_update_116_post()
// $j->attending_lunch,
/* catprefs */
$q = $pdo->prepare("SELECT * FROM judges_catpref WHERE judges_id='{$j->id}' AND year='{$j->year}'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM judges_catpref WHERE judges_id=? AND year=?");
$q->execute([$j->id,$j->year]);
$catpref = array();
while ($i = $q->fetch(PDO::FETCH_OBJ)) {
$catpref[$i->projectcategories_id] = $i->rank;
@ -256,8 +256,8 @@ function db_update_116_post()
$uj['cat_prefs'] = serialize($catpref);
/* divprefs and subdivision prefs */
$q = $pdo->prepare("SELECT * FROM judges_expertise WHERE judges_id='{$j->id}' AND year='{$j->year}'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM judges_expertise WHERE judges_id=? AND year=?");
$q->execute([$j->id,$j->year]);
$divpref = array();
$divsubpref = array();
while ($i = $q->fetch(PDO::FETCH_OBJ)) {
@ -270,8 +270,8 @@ function db_update_116_post()
$uj['divsub_prefs'] = serialize($divsubpref);
/* languages */
$q = $pdo->prepare("SELECT * FROM judges_languages WHERE judges_id='{$j->id}'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM judges_languages WHERE judges_id=?");
$q->execute([$j->id]);
$langs = array();
while ($i = $q->fetch(PDO::FETCH_OBJ)) {
@ -291,8 +291,8 @@ function db_update_116_post()
'willing_chair' => 'Willing Chair');
foreach ($qmap as $field => $head) {
/* Find the question ID */
$q = $pdo->prepare("SELECT id FROM questions WHERE year='{$j->year}' AND db_heading='{$head}'");
$q->execute();
$q = $pdo->prepare("SELECT id FROM questions WHERE year=? AND db_heading=?");
$q->execute([$j->year,$head]);
if ($q->rowCount() == 0) {
echo "Warning: Question '$head' for judge {$j->id} doesn't exist in year '{$j->year}', cannot copy answer.\n";
continue;
@ -302,10 +302,10 @@ function db_update_116_post()
/* Now find the answer */
$q = $pdo->prepare("SELECT * FROM question_answers WHERE
year='{$j->year}' AND
registrations_id='{$j->id}' AND
questions_id='{$i->id}'");
$q->execute();
year=? AND
registrations_id=? AND
questions_id=?");
$q->execute([$j->year,$j->id,$i->id]);
show_pdo_errors_if_any($pdo);
if ($q->rowCount() == 0) {
echo "Warning: Judge {$j->id} did not answer question '$head' in year '{$j->year}', cannot copy answer.\n";
@ -319,8 +319,8 @@ function db_update_116_post()
$fields = '`' . join('`,`', array_keys($uj)) . '`';
$vals = "'" . join("','", array_values($uj)) . "'";
$q = $pdo->prepare("INSERT INTO users_judge ($fields) VALUES ($vals)");
$q->execute();
$q = $pdo->prepare("INSERT INTO users_judge (?) VALUES (?)");
$q->execute([$fields,$vals]);
show_pdo_errors_if_any($pdo);
/*
@ -329,24 +329,24 @@ function db_update_116_post()
*/
/* judges_teams_link */
$q = $pdo->prepare("SELECT * FROM judges_teams_link WHERE judges_id='{$j->id}' AND year='{$j->year}'");
$q = $pdo->prepare("SELECT * FROM judges_teams_link WHERE judges_id=? AND year=?");
$q->execute();
$q->execute([$j->id,$j->year]);
while ($i = $q->fetch(PDO::FETCH_OBJ))
$jtl[$i->id] = $id;
/* judges_specialawards_sel */
$q = $pdo->prepare("SELECT * FROM judges_specialaward_sel WHERE judges_id='{$j->id}' AND year='{$j->year}'");
$q = $pdo->prepare("SELECT * FROM judges_specialaward_sel WHERE judges_id=? AND year=?");
$q->execute();
$q->execute([$j->id,$j->year]);
show_pdo_errors_if_any($pdo);
while ($i = $q->fetch(PDO::FETCH_OBJ))
$jsal[$i->id] = $id;
/* question_answers */
$q = $pdo->prepare("SELECT * FROM question_answers WHERE registrations_id='{$j->id}' AND year='{$j->year}'");
$q = $pdo->prepare("SELECT * FROM question_answers WHERE registrations_id=? AND year=?");
$q->execute();
$q->execute([$j->id,$j->year]);
show_pdo_errors_if_any($pdo);
while ($i = $q->fetch(PDO::FETCH_OBJ))
$qa[$i->id] = $id;
@ -355,21 +355,21 @@ function db_update_116_post()
/* Now write back the judge ids */
if (count($jtl)) {
foreach ($jtl as $id => $new_id)
$q = $pdo->prepare("UPDATE judges_teams_link SET judges_id='$new_id' WHERE id='$id' ");
$q = $pdo->prepare("UPDATE judges_teams_link SET judges_id=? WHERE id=? ");
$q->execute();
$q->execute([$new_id,$id]);
}
if (count($jsal)) {
foreach ($jsal as $id => $new_id)
$q = $pdo->prepare("UPDATE judges_specialaward_sel SET judges_id='$new_id' WHERE id='$id' ");
$q = $pdo->prepare("UPDATE judges_specialaward_sel SET judges_id=? WHERE id=? ");
$q->execute();
$q->execute([$new_id,$id]);
}
if (count($qa)) {
foreach ($qa as $id => $new_id)
$q = $pdo->prepare("UPDATE question_answers SET registrations_id='$new_id' WHERE id='$id' ");
$q = $pdo->prepare("UPDATE question_answers SET registrations_id=? WHERE id=? ");
$q->execute();
$q->execute([$new_id,$id]);
}
}
?>
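Review bot: Several of the rewritten statements in db_update_116_post bind SQL fragments, not values, as parameters, so they will fail at execute time instead of running: `UPDATE `users` SET ? WHERE id=?` binds the whole `$query` SET list as one string literal, `DELETE FROM `users` ?` and `SET `users_id`=? ?` bind the `$where_id`/`$where_users_id` clauses, `INSERT INTO users (?) VALUES (?)` (and the same shape for `users_judge`) binds the column and value lists as two strings, and `UPDATE users SET ? `types`=?,judge',`username`=? WHERE id=?` both binds `$sqlset` and leaves a stray `,judge'` where the old code appended `,judge` to the types value. Placeholders can only stand for literals, so the fragments have to stay in the SQL text (built from trusted column names, backtick-quoted) with only the values passed to execute(), e.g. for the insert: `$cols = '`' . implode('`,`', array_keys($u)) . '`'; $marks = implode(',', array_fill(0, count($u), '?'));` then `$pdo->prepare("INSERT INTO users ($cols) VALUES ($marks)")->execute(array_values($u));`, and the SET/WHERE cases need their own `col=?` lists with a matching value array. `SELECT * FROM users WHERE (username? OR email=?) AND year=?` is also missing its `=`. Since this is a one-off migration and not every statement is followed by show_pdo_errors_if_any(), a dry run against a copy of the database would surface all of these before release.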


@ -9,20 +9,20 @@ function db_update_117_post()
'willing_chair' => 'Willing Chair');
foreach ($qmap as $field => $head) {
$q = $pdo->prepare("SELECT id FROM questions WHERE db_heading='{$head}'");
$q->execute();
$q = $pdo->prepare("SELECT id FROM questions WHERE db_heading=?");
$q->execute([$head]);
while ($i = $q->fetch(PDO::FETCH_OBJ)) {
$id = $i->id;
/* Drop all answers for this question */
$stmt = $pdo->prepare("DELETE FROM question_answers
WHERE questions_id='$id'");
$stmt->execute();
WHERE questions_id=?");
$stmt->execute([$id]);
}
/* Now dump the question itself */
$stmt = $pdo->prepare("DELETE FROM questions
WHERE id='$id'");
$stmt->execute();
WHERE id=?");
$stmt->execute([$id]);
}
}
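Review bot: The final `DELETE FROM questions WHERE id=?` runs after the `while` over matching question rows, so `$id` holds only the last row's id: if two questions share a `db_heading` only one is removed, and if none match, `$id` is stale from the previous `$head` iteration (or undefined on the first one). Deleting by heading avoids the dangling variable entirely: `$stmt = $pdo->prepare("DELETE FROM questions WHERE db_heading=?"); $stmt->execute([$head]);` — the loop above already removes each matching question's answers. This is pre-existing logic that the parameterisation keeps intact, so it is worth a second look while the migration is being touched.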
