use prepare statements for these final 4 files where possible

admin/donors.php

@@ -398,8 +398,8 @@ switch (get_value_from_array($_GET, 'action')) {
 			if ($_POST['email'])
 				$searchstr .= " AND email LIKE '%" . $_POST['email'] . "%'";
 
-			$q = $pdo->prepare("SELECT *,MAX(year) FROM users WHERE ? GROUP BY uid HAVING deleted='no'");
-			$q->execute([$searchstr]);
+			$q = $pdo->prepare("SELECT *,MAX(year) FROM users WHERE '$searchstr' GROUP BY uid HAVING deleted='no'");
+			$q->execute();
 			$num = $q->rowCount();
 			if ($num == 0) {
 				echo i18n('No existing users match, will create a new user');

admin/donors_search.php

@@ -42,10 +42,10 @@ if (count(get_value_from_array($_POST, 'donortype', []))) {
 	}
 	$sql .= ') ';
 }
-$query = "SELECT * FROM sponsors WHERE 1 ? ORDER BY organization";
+$query = "SELECT * FROM sponsors WHERE 1 $sql ORDER BY organization";
 //		echo "query=$query";
 $q = $pdo->prepare($query);
-$q->execute([$sql]);
+$q->execute();
 get_value_from_array($_POST, 'donortype');
 $thisyear = $config['FISCALYEAR'];
 $lastyear = $config['FISCALYEAR'] - 1;

admin/project_editor.php

@@ -138,22 +138,39 @@ function project_save()
 	} else
 		$title = stripslashes($_POST['title']);
 
-	$stmt = $pdo->prepare('UPDATE projects SET '
-		. "title='" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT','?') . "', "
-		. "projectdivisions_id=?, "
-			. "projecttype=?, "
-			. "language=?, "
-			. "req_table=?, "
-			. "req_electricity=?, "
-			. "req_special=?, "
-			. "human_participants=?, "
-			. "animal_participants=?, "
-			. "summary=?, "
-			. "summarycountok=?,"
-			. "feedback=?, "
-			. "projectsort=?"
-			. "WHERE id=?");
-	$stmt->execute([$title,intval($_POST['projectdivisions_id'],stripslashes($_POST['projecttype']),stripslashes($_POST['language']),stripslashes($_POST['req_table']),stripslashes($_POST['req_electricity']),stripslashes($_POST['human_participants']),stripslashes($_POST['animal_participants']),iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['summary'])),$summarycountok,iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['feedback'])),stripslashes($_POST['projectsort']),intval($_POST['id']))]);
+		$stmt = $pdo->prepare("UPDATE projects SET 
+		title=?, 
+		projectdivisions_id=?, 
+		projecttype=?,
+		language=?, 
+		req_table=?, 
+		req_electricity=?, 
+		req_special=?, 
+		human_participants=?, 
+		animal_participants=?, 
+		summary=?, 
+		summarycountok=?, 
+		feedback=?, 
+		projectsort=? 
+		WHERE id=?");
+		
+		$stmt->execute([
+		iconv('UTF-8', 'ISO-8859-1//TRANSLIT', $_POST['title']),
+		intval($_POST['projectdivisions_id']),
+		$_POST['projecttype'],
+		$_POST['language'],
+		$_POST['req_table'],
+		$_POST['req_electricity'],
+		$_POST['req_special'],
+		$_POST['human_participants'],
+		$_POST['animal_participants'],
+		iconv('UTF-8', 'ISO-8859-1//TRANSLIT', $_POST['summary']),
+		$_POST['summarycountok'],
+		iconv('UTF-8', 'ISO-8859-1//TRANSLIT', $_POST['feedback']),
+		$_POST['projectsort'],
+		intval($_POST['id'])
+		]);
+		
 	show_pdo_errors_if_any($pdo);
 	happy_('Project information successfully updated');
 

admin/reports_students.inc.php

@@ -82,8 +82,8 @@ function report_student_safety_question($report, $field, $text)
 		FROM safetyquestions
 		JOIN safety ON safetyquestions.id=safety.safetyquestions_id
 		WHERE safety.registrations_id=? 
-		ORDER BY safetyquestions.ord LIMIT ?,1");
-	$q->execute([$regid,$q_ord]);
+		ORDER BY safetyquestions.ord LIMIT $q_ord,1");
+	$q->execute([$regid]);
 
 	$r = $q->fetch(PDO::FETCH_OBJ);
 	return $r->answer;