From 843aa38ce65074677551fe910dfd1d213f6fc5f8 Mon Sep 17 00:00:00 2001
From: Muad Sakah
Date: Fri, 7 Feb 2025 04:02:06 +0000
Subject: [PATCH] use prepare statements for these final 4 files where possible

---
 admin/donors.php | 4 +--
 admin/donors_search.php | 4 +--
 admin/project_editor.php | 49 +++++++++++++++++++++++-----------
 admin/reports_students.inc.php | 4 +--
 4 files changed, 39 insertions(+), 22 deletions(-)

diff --git a/admin/donors.php b/admin/donors.php
index c63313ea..dc32e018 100644
--- a/admin/donors.php
+++ b/admin/donors.php
@@ -398,8 +398,8 @@ switch (get_value_from_array($_GET, 'action')) {
 if ($_POST['email']) $searchstr .= " AND email LIKE '%" . $_POST['email'] . "%'";
- $q = $pdo->prepare("SELECT *,MAX(year) FROM users WHERE ? GROUP BY uid HAVING deleted='no'");
- $q->execute([$searchstr]);
+ $q = $pdo->prepare("SELECT *,MAX(year) FROM users WHERE '$searchstr' GROUP BY uid HAVING deleted='no'");
+ $q->execute();
 $num = $q->rowCount();
 if ($num == 0) {
 echo i18n('No existing users match, will create a new user');
diff --git a/admin/donors_search.php b/admin/donors_search.php
index 401f00e5..8d00fa70 100644
--- a/admin/donors_search.php
+++ b/admin/donors_search.php
@@ -42,10 +42,10 @@ if (count(get_value_from_array($_POST, 'donortype', []))) {
 }
 $sql .= ') ';
 }
-$query = "SELECT * FROM sponsors WHERE 1 ? ORDER BY organization";
+$query = "SELECT * FROM sponsors WHERE 1 $sql ORDER BY organization";
 // echo "query=$query";
 $q = $pdo->prepare($query);
-$q->execute([$sql]);
+$q->execute();
 get_value_from_array($_POST, 'donortype');
 $thisyear = $config['FISCALYEAR'];
 $lastyear = $config['FISCALYEAR'] - 1;
diff --git a/admin/project_editor.php b/admin/project_editor.php
index 922463fa..0ce453c9 100644
--- a/admin/project_editor.php
+++ b/admin/project_editor.php
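Review bot: The new `WHERE '$searchstr'` line in donors.php splices a fragment into the query text that the context line just above builds by concatenating `$_POST['email']`, so request input now becomes part of the SQL the parser sees; the donors_search.php hunk does the same with `$sql`, which its context lines show being assembled inside a block keyed on `$_POST['donortype']`. Wrapping the fragment in single quotes also appears to make the condition a string literal rather than a predicate, so the filter likely does not apply at all — the replaced `WHERE ?` had the same problem, which is presumably what this change set out to fix. The fix is to keep placeholders inside the fragment and collect their values alongside it, e.g. `$searchstr .= " AND email LIKE ?"; $params[] = '%' . $_POST['email'] . '%';` and later `$q->execute($params);`, with the fragment spliced into the SQL unquoted. Both enclosing blocks start outside their hunks, so where `$searchstr` and `$sql` are initialised is not visible here.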
@@ -138,22 +138,39 @@ function project_save()
 } else $title = stripslashes($_POST['title']);
- $stmt = $pdo->prepare('UPDATE projects SET '
- . "title='" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT','?') . "', "
- . "projectdivisions_id=?, "
- . "projecttype=?, "
- . "language=?, "
- . "req_table=?, "
- . "req_electricity=?, "
- . "req_special=?, "
- . "human_participants=?, "
- . "animal_participants=?, "
- . "summary=?, "
- . "summarycountok=?,"
- . "feedback=?, "
- . "projectsort=?"
- . "WHERE id=?");
- $stmt->execute([$title,intval($_POST['projectdivisions_id'],stripslashes($_POST['projecttype']),stripslashes($_POST['language']),stripslashes($_POST['req_table']),stripslashes($_POST['req_electricity']),stripslashes($_POST['human_participants']),stripslashes($_POST['animal_participants']),iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['summary'])),$summarycountok,iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['feedback'])),stripslashes($_POST['projectsort']),intval($_POST['id']))]);
+ $stmt = $pdo->prepare("UPDATE projects SET
+ title=?,
+ projectdivisions_id=?,
+ projecttype=?,
+ language=?,
+ req_table=?,
+ req_electricity=?,
+ req_special=?,
+ human_participants=?,
+ animal_participants=?,
+ summary=?,
+ summarycountok=?,
+ feedback=?,
+ projectsort=?
+ WHERE id=?");
+
+ $stmt->execute([
+ iconv('UTF-8', 'ISO-8859-1//TRANSLIT', $_POST['title']),
+ intval($_POST['projectdivisions_id']),
+ $_POST['projecttype'],
+ $_POST['language'],
+ $_POST['req_table'],
+ $_POST['req_electricity'],
+ $_POST['req_special'],
+ $_POST['human_participants'],
+ $_POST['animal_participants'],
+ iconv('UTF-8', 'ISO-8859-1//TRANSLIT', $_POST['summary']),
+ $_POST['summarycountok'],
+ iconv('UTF-8', 'ISO-8859-1//TRANSLIT', $_POST['feedback']),
+ $_POST['projectsort'],
+ intval($_POST['id'])
+ ]);
+
+ show_pdo_errors_if_any($pdo);
 happy_('Project information successfully updated');
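Review bot: The new execute() call binds `iconv('UTF-8', 'ISO-8859-1//TRANSLIT', $_POST['title'])` even though the context line just above still computes `$title` (and the if-branch outside the hunk presumably assigns it some other way), so that value is now dead and whatever the if-branch did to the title is lost; the first slot should take `iconv('UTF-8', 'ISO-8859-1//TRANSLIT', $title),`. The summarycountok slot likewise changed from the local `$summarycountok` that the removed execute() bound to `$_POST['summarycountok']`; if that local is derived server-side above the hunk, the client now controls the stored value, so it should go back to `$summarycountok,`. Dropping the stripslashes() wrappers on every field is a behaviour change the commit message does not mention and deserves a sentence there. project_save() begins before and ends after this hunk.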
diff --git a/admin/reports_students.inc.php b/admin/reports_students.inc.php
index 9daab67d..6bfe34e7 100644
--- a/admin/reports_students.inc.php
+++ b/admin/reports_students.inc.php
@@ -82,8 +82,8 @@ function report_student_safety_question($report, $field, $text)
 FROM safetyquestions JOIN safety ON safetyquestions.id=safety.safetyquestions_id WHERE safety.registrations_id=?
- ORDER BY safetyquestions.ord LIMIT ?,1");
- $q->execute([$regid,$q_ord]);
+ ORDER BY safetyquestions.ord LIMIT $q_ord,1");
+ $q->execute([$regid]);
 $r = $q->fetch(PDO::FETCH_OBJ);
 return $r->answer;
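Review bot: `LIMIT $q_ord,1` now splices `$q_ord` into the SQL text while `$regid` stays bound, and nothing in the hunk shows `$q_ord` being cast to an integer, so the query text depends on whatever that variable holds. Binding a LIMIT operand as a quoted string is what PDO's emulated prepares do by default, which is presumably why the placeholder was dropped; the usual remedy is to keep `LIMIT ?,1` and bind with an explicit type: `$q->bindValue(1, $regid); $q->bindValue(2, (int) $q_ord, PDO::PARAM_INT); $q->execute();`. At minimum, interpolate `(int) $q_ord` rather than the raw variable so the spliced text can only ever be a number. report_student_safety_question() starts before this hunk, so where `$q_ord` and `$regid` come from is not visible here.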