diff --git a/admin/award_awardcreatedivisional.php b/admin/award_awardcreatedivisional.php index 62e8c3c8..b131a12d 100644 --- a/admin/award_awardcreatedivisional.php +++ b/admin/award_awardcreatedivisional.php @@ -113,11 +113,11 @@ if ($r->num) { ?, '1', ?-?, - '" . i18n('Best %1 projects in the %2 division', array($c_category, $d_division)) . "', + ?, ?, ? )"); - $q->execute([$_GET['sponsors_id'],$c_category,$d_division,$ord, $config['FAIRYEAR']]); + $q->execute([$_GET['sponsors_id'],$c_category,$d_division,i18n('Best %1 projects in the %2 division', array($c_category, $d_division)),$ord, $config['FAIRYEAR']]); show_pdo_errors_if_any($pdo); $award_awards_id = $pdo->lastInsertId(); diff --git a/admin/award_upload.php b/admin/award_upload.php index 77d62c9f..670fb9d8 100644 --- a/admin/award_upload.php +++ b/admin/award_upload.php @@ -69,7 +69,8 @@ function get_winners($awardid, $fairs_id) if ($awardid == -1) { /* Get all for this fair */ - $q = $pdo->prepare("SELECT * FROM award_awards WHERE award_source_fairs_id='$fairs_id' AND year='{$config['FAIRYEAR']}'"); + $q = $pdo->prepare("SELECT * FROM award_awards WHERE award_source_fairs_id=? AND year=?"); + $q->execute([$fairs_id,$config['FAIRYEAR']]); if ($q->rowCount() == 0) { error_("Can't find award id $awardid"); return false; diff --git a/admin/cms.php b/admin/cms.php index 57feb0be..555878e8 100644 --- a/admin/cms.php +++ b/admin/cms.php @@ -207,8 +207,8 @@ if (get_value_from_array($_GET, 'filename', '') || get_value_from_array($_GET, ' echo '' . i18n('Filename') . '' . i18n('Last Update') . ''; while ($r = $q->fetch(PDO::FETCH_ASSOC)) { echo '/web/$r->filename"; - $q2 = $pdo->prepare("SELECT dt FROM cms WHERE filename='" . $r->filename . "' ORDER BY dt DESC LIMIT 1"); - + $q2 = $pdo->prepare("SELECT dt FROM cms WHERE filename=? ORDER BY dt DESC LIMIT 1"); + $q->execute($r->filename); $r2 = $q2->fetch(PDO::FETCH_OBJ); if ($r2->dt == '0000-00-00 00:00:00') $dt = 'Never'; diff --git a/admin/communication.php b/admin/communication.php index 23e746b6..7aa7e8b0 100644 --- a/admin/communication.php +++ b/admin/communication.php @@ -668,8 +668,8 @@ case 'dialog_sender': case 'loadaddresses': if ($_GET['query'] && array_key_exists($_GET['query'], $mailqueries)) { - $q = $pdo->prepare($mailqueries[$_GET['query']]['query']); - $q->execute(); + $q = $pdo->prepare('?'); + $q->execute([$mailqueries[$_GET['query']]['query']]); while ($r = $q->fetch(PDO::FETCH_OBJ)) { if ($r->organization) $s = "($r->organization) "; diff --git a/admin/donors.php b/admin/donors.php index 80b0e2a7..ee7a7705 100644 --- a/admin/donors.php +++ b/admin/donors.php @@ -838,10 +838,10 @@ function draw_activityinfo_form() \t FROM fundraising_donor_logs AS fdl \t LEFT JOIN users ON fdl.users_id=users.id \t LEFT JOIN fundraising_campaigns ON fdl.fundraising_campaigns_id=fundraising_campaigns.id - \t WHERE sponsors_id=" . $sponsorid . ' ORDER BY dt DESC'; + \t WHERE sponsors_id=? ORDER BY dt DESC"; // echo "" . $query . ""; $q = $pdo->prepare($query); - $q->execute(); + $q->execute([$sponsorid ]); show_pdo_errors_if_any($pdo); if ($q->rowCount()) { while ($r = $q->fetch()) { @@ -872,14 +872,14 @@ function save_activityinfo($comment, $donorId, $userId, $type, $campaign_id = nu $cid = 'NULL'; $query = "INSERT INTO fundraising_donor_logs (sponsors_id, dt, users_id, log, `type`, fundraising_campaigns_id) - VALUES ($donorId, + VALUES (?, NOW(), - $userId, - '" . $comment . "', - '" . $type . "', - $cid)"; + ?, + ?, + ?, + ?)"; $q = $pdo->prepare($query); - $q->execute(); + $q->execute([$donorId,$userId,$comment,$type,$cid]); show_pdo_errors_if_any($pdo); } diff --git a/admin/donors_search.php b/admin/donors_search.php index 8d00fa70..401f00e5 100644 --- a/admin/donors_search.php +++ b/admin/donors_search.php @@ -42,10 +42,10 @@ if (count(get_value_from_array($_POST, 'donortype', []))) { } $sql .= ') '; } -$query = "SELECT * FROM sponsors WHERE 1 $sql ORDER BY organization"; +$query = "SELECT * FROM sponsors WHERE 1 ? ORDER BY organization"; // echo "query=$query"; $q = $pdo->prepare($query); -$q->execute(); +$q->execute([$sql]); get_value_from_array($_POST, 'donortype'); $thisyear = $config['FISCALYEAR']; $lastyear = $config['FISCALYEAR'] - 1; diff --git a/admin/fundraising.php b/admin/fundraising.php index 6724afd9..9c881115 100644 --- a/admin/fundraising.php +++ b/admin/fundraising.php @@ -32,8 +32,8 @@ if (get_value_from_array($_GET, 'action') == 'refresh') {

prepare("SELECT * FROM fundraising_goals WHERE fiscalyear='{$config['FISCALYEAR']}' ORDER BY deadline"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM fundraising_goals WHERE fiscalyear=? ORDER BY deadline"); + $q->execute([$config['FISCALYEAR']]); ?> @@ -48,8 +48,8 @@ if (get_value_from_array($_GET, 'action') == 'refresh') { fetch(PDO::FETCH_OBJ)) { // lookup all donations made towards this goal - $recq = $pdo->prepare("SELECT SUM(value) AS received FROM fundraising_donations WHERE fundraising_goal='$r->goal' AND fiscalyear='{$config['FISCALYEAR']}' AND status='received'"); - $recq->execute(); + $recq = $pdo->prepare("SELECT SUM(value) AS received FROM fundraising_donations WHERE fundraising_goal=? AND fiscalyear=? AND status='received'"); + $recq->execute([$r->goal,$config['FISCALYEAR']]); show_pdo_errors_if_any($pdo); $recr = $recq->fetch(PDO::FETCH_OBJ); $received = $recr->received; @@ -84,15 +84,15 @@ if (get_value_from_array($_GET, 'action') == 'refresh') { prepare("SELECT * FROM fundraising_campaigns WHERE fiscalyear='{$config['FISCALYEAR']}'"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE fiscalyear=?"); + $q->execute([$config['FISCALYEAR']]); while ($r = $q->fetch(PDO::FETCH_OBJ)) { - $goalq = $pdo->prepare("SELECT * FROM fundraising_goals WHERE goal='{$r->fundraising_goal}' AND fiscalyear='{$config['FISCALYEAR']}'"); - $goalq->execute(); + $goalq = $pdo->prepare("SELECT * FROM fundraising_goals WHERE goal=? AND fiscalyear=?"); + $goalq->execute([$r->fundraising_goal,$config['FISCALYEAR']]); $goalr = $goalq->fetch(PDO::FETCH_OBJ); - $recq = $pdo->prepare("SELECT SUM(value) AS received FROM fundraising_donations WHERE fundraising_campaigns_id='$r->id' AND fiscalyear='{$config['FISCALYEAR']}' AND status='received'"); - $recq->execute(); + $recq = $pdo->prepare("SELECT SUM(value) AS received FROM fundraising_donations WHERE fundraising_campaigns_id=? AND fiscalyear=? AND status='received'"); + $recq->execute([$r->id,$config['FISCALYEAR']]); show_pdo_errors_if_any($pdo); $recr = $recq->fetch(PDO::FETCH_OBJ); $received = $recr->received; @@ -133,10 +133,10 @@ if (get_value_from_array($_GET, 'action') == 'refresh') { \tDATE_ADD(datereceived, INTERVAL 2 MONTH) < NOW() AS twomonth FROM fundraising_donations WHERE thanked='no' AND status='received' - AND fiscalyear='{$config['FISCALYEAR']}' + AND fiscalyear=? ORDER BY datereceived "); - $q->execute(); + $q->execute([$config['FISCALYEAR']]); show_pdo_errors_if_any($pdo); if ($q->rowCount()) { @@ -149,8 +149,8 @@ if (get_value_from_array($_GET, 'action') == 'refresh') { echo "\n"; while ($r = $q->fetch(PDO::FETCH_OBJ)) { - $dq = $pdo->prepare("SELECT organization AS name FROM sponsors WHERE id='$r->sponsors_id'"); - $dq->execute(); + $dq = $pdo->prepare("SELECT organization AS name FROM sponsors WHERE id=?"); + $dq->execute([$r->sponsors_id]); $dr = $dq->fetch(PDO::FETCH_OBJ); if ($r->twomonth) $s = 'style="background-color: ' . colour_to_percent(0) . ';"'; @@ -190,10 +190,10 @@ if (get_value_from_array($_GET, 'action') == 'refresh') { \tDATE_ADD(datereceived, INTERVAL 2 MONTH) < NOW() AS twomonth FROM fundraising_donations WHERE (receiptrequired='yes' AND receiptsent='no') AND status='received' - AND fiscalyear='{$config['FISCALYEAR']}' + AND fiscalyear=? ORDER BY datereceived "); - $q->execute(); + $q->execute([$config['FISCALYEAR']]); show_pdo_errors_if_any($pdo); if ($q->rowCount()) { echo '
'; @@ -204,8 +204,8 @@ if (get_value_from_array($_GET, 'action') == 'refresh') { echo "\n"; while ($r = $q->fetch(PDO::FETCH_OBJ)) { - $dq = $pdo->prepare("SELECT organization AS name FROM sponsors WHERE id='$r->sponsors_id'"); - $dq->execute(); + $dq = $pdo->prepare("SELECT organization AS name FROM sponsors WHERE id=?"); + $dq->execute([$r->sponsors_id]); $dr = $dq->fetch(PDO::FETCH_OBJ); if ($r->twomonth) $s = 'style="background-color: ' . colour_to_percent(0) . ';"'; @@ -280,8 +280,8 @@ if (get_value_from_array($_GET, 'action') == 'refresh') { exit; } else if (get_value_from_array($_POST, 'thanked')) { foreach ($_POST['thanked'] AS $t) { - $stmt = $pdo->prepare("UPDATE fundraising_donations SET thanked='yes' WHERE id='$t'"); - $stmt->execute(); + $stmt = $pdo->prepare("UPDATE fundraising_donations SET thanked='yes' WHERE id=?"); + $stmt->execute([$t]); } } diff --git a/admin/fundraising_campaigns.php b/admin/fundraising_campaigns.php index abd63cbf..12bcf00b 100644 --- a/admin/fundraising_campaigns.php +++ b/admin/fundraising_campaigns.php @@ -465,9 +465,9 @@ case 'managelist': print_r($_POST); if (is_array($_POST['prospectremovefromlist'])) { $uidlist = implode(',', $_POST['prospectremovefromlist']); - $query = "DELETE FROM fundraising_campaigns_users_link WHERE fundraising_campaigns_id='$campaignid' AND users_uid IN ($uidlist)"; + $query = "DELETE FROM fundraising_campaigns_users_link WHERE fundraising_campaigns_id=? AND users_uid IN (?)"; $stmt = $pdo->prepare($query); - $stmt->execute(); + $stmt->execute([$campaignid,$uidlist]); show_pdo_errors_if_any($pdo); } // if theres nobody left in the list we need to reset the filter params as well @@ -523,10 +523,10 @@ function save_campaign_info() $startdate = $_POST['startdate']; if (!$_GET['id']) { - $query = "INSERT INTO fundraising_campaigns (name, fiscalyear) VALUES ('" . stripslashes($_POST['name']) . "','{$config['FISCALYEAR']}')"; + $query = "INSERT INTO fundraising_campaigns (name, fiscalyear) VALUES (?,?)"; echo $query; $stmt = $pdo->prepare($query); - $stmt->execute(); + $stmt->execute([stripslashes($_POST['name']),$config['FISCALYEAR']]); $id = $pdo->lastInsertId(); happy_('Appeal Created'); } else { @@ -534,15 +534,15 @@ function save_campaign_info() happy_('Appeal Saved'); } $stmt = $pdo->prepare("UPDATE fundraising_campaigns SET - name='" . stripslashes($_POST['name']) . "', - `type`='" . $_POST['type'] . "', - startdate='" . $startdate . "', - followupdate='" . $_POST['followupdate'] . "', - enddate='" . $_POST['enddate'] . "', - target='" . $_POST['target'] . "', - fundraising_goal='" . $_POST['fundraising_goal'] . "' - WHERE id='$id'"); - $stmt->execute(); + name=?, + `type`=?, + startdate=?, + followupdate=?, + enddate=?, + target=?, + fundraising_goal=? + WHERE id=?"); + $stmt->execute([stripslashes($_POST['name']),$_POST['type'],$startdate,$_POST['followupdate'],$_POST['enddate'],$_POST['target'],$_POST['fundraising_goal'],$id]); } send_header('Appeal Management', diff --git a/admin/fundraising_goals_handler.inc.php b/admin/fundraising_goals_handler.inc.php index 06c0c9f7..0b38be3c 100644 --- a/admin/fundraising_goals_handler.inc.php +++ b/admin/fundraising_goals_handler.inc.php @@ -55,8 +55,8 @@ if ($_POST['action'] == 'fundedit') { } if ($_POST['action'] == 'fundadd') { if ($goal && $type && $name) { - $stmt = $pdo->prepare("INSERT INTO fundraising_goals (goal,name,description,system,budget,fiscalyear) VALUES ('$goal','$name','$description','no','$budget','{$config['FISCALYEAR']}')"); - $stmt->execute(); + $stmt = $pdo->prepare("INSERT INTO fundraising_goals (goal,name,description,system,budget,fiscalyear) VALUES (?,?,?,'no',?,?)"); + $stmt->execute([$goal,$name,$description,$budget,$config['FISCALYEAR']]); happy_('Added new fund'); } else error_('Required fields were missing, please try again'); diff --git a/admin/fundraising_main.inc.php b/admin/fundraising_main.inc.php index f5e775f0..47f93c10 100644 --- a/admin/fundraising_main.inc.php +++ b/admin/fundraising_main.inc.php @@ -1,8 +1,8 @@ prepare("SELECT * FROM fundraising_goals WHERE fiscalyear='{$config['FISCALYEAR']}' ORDER BY system DESC,goal"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM fundraising_goals WHERE fiscalyear=? ORDER BY system DESC,goal"); + $q->execute([$config['FISCALYEAR']]); echo '
'; while ($r = $q->fetch(PDO::FETCH_OBJ)) { @@ -28,20 +28,20 @@ if ($_GET['action'] == 'fundraisingmain') { SELECT fundraising_donations.id, sponsors.organization AS name, fundraising_donations.value, fundraising_donations.status, fundraising_donations.probability \t FROM fundraising_donations \t JOIN sponsors ON fundraising_donations.sponsors_id=sponsors.id - \t WHERE (fundraising_donations.fundraising_goal='$r->goal' $orsql) - \t AND fundraising_donations.fiscalyear='{$config['FISCALYEAR']}' + \t WHERE (fundraising_donations.fundraising_goal=? ?) + \t AND fundraising_donations.fiscalyear=? UNION SELECT fundraising_donations.id, CONCAT(users.firstname,' ',users.lastname) AS name, fundraising_donations.value, fundraising_donations.status, fundraising_donations.probability \t FROM fundraising_donations \t JOIN users ON fundraising_donations.users_uid=users.uid - \t WHERE (fundraising_donations.fundraising_goal='$r->goal' $orsql) - \t AND fundraising_donations.fiscalyear='{$config['FISCALYEAR']}' + \t WHERE (fundraising_donations.fundraising_goal=? ?) + \t AND fundraising_donations.fiscalyear=? \t ORDER BY status DESC, probability DESC, name "); - $sq->execute(); + $sq->execute([$r->goal,$orsql,$config['FISCALYEAR'],$r->goal,$orsql,$config['FISCALYEAR']]); show_pdo_errors_if_any($pdo); while ($sr = $sq->fetch(PDO::FETCH_OBJ)) { echo "id\" class=\"fundraising{$sr->status}\">"; diff --git a/admin/fundraising_reports.php b/admin/fundraising_reports.php index 4e3d216f..505a43c2 100644 --- a/admin/fundraising_reports.php +++ b/admin/fundraising_reports.php @@ -84,8 +84,8 @@ while ($r = $q->fetch(PDO::FETCH_OBJ)) { \n"; echo ' '; diff --git a/tours.class.php b/tours.class.php index 0997d84e..a333c377 100644 --- a/tours.class.php +++ b/tours.class.php @@ -114,7 +114,7 @@ class tours if ($this->id == false) { $query = "INSERT INTO tours (id) VALUES ('')"; $stmt = $pdo->prepare($query); - $stmt->execute([]); + $stmt->execute(); $this->id = $pdo->lastInsertId(); } @@ -130,11 +130,11 @@ class tours // rip off the last comma $query = substr($query, 0, -1); - $query .= " WHERE id='{$this->id}'"; + $query .= " WHERE id=?"; // echo $query; $stmt = $pdo->prepare($query); - $stmt->execute(); + $stmt->execute([$this->id]); } function tableEditorDelete() diff --git a/user.inc.php b/user.inc.php index 953ce8cb..dcbaf3fb 100644 --- a/user.inc.php +++ b/user.inc.php @@ -716,9 +716,9 @@ function user_dupe_row($table, $key, $val, $newval) $keys = '`' . join('`,`', array_keys($i)) . '`'; $vals = join(',', array_values($i)); - $q = "INSERT INTO $table ($keys) VALUES ($vals)"; + $q = "INSERT INTO $table (?) VALUES (?)"; $r = $pdo->prepare($q); - $r->execute(); + $r->execute([$keys,$vals]); show_pdo_errors_if_any($pdo); $id = $pdo->lastInsertId();
'; $subq = $pdo->prepare("SELECT * FROM projectsubdivisions WHERE - projectdivisions_id='$div' AND year='{$config['FAIRYEAR']}' ORDER BY subdivision"); - $subq->execute(); + projectdivisions_id=? AND year=? ORDER BY subdivision"); + $subq->execute([$div,$config['FAIRYEAR']]); $sd = array(); while ($subr = $subq->fetch(PDO::FETCH_OBJ)) { if ($u['div_prefs_sub'][$subr->id] == 1) { diff --git a/admin/judges_jdiv.php b/admin/judges_jdiv.php index 32696626..8e393cd6 100644 --- a/admin/judges_jdiv.php +++ b/admin/judges_jdiv.php @@ -56,16 +56,16 @@ function newbuttonclicked(jdivs) $div = array(); $divshort = array(); -$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY id"); -$q->execute(); +$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year=? ORDER BY id"); +$q->execute([$config['FAIRYEAR']]); while ($r = $q->fetch(PDO::FETCH_OBJ)) { $divshort[$r->id] = $r->division_shortform; $div[$r->id] = $r->division; } $cat = array(); -$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY id"); -$q->execute(); +$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year=? ORDER BY id"); +$q->execute([$config['FAIRYEAR']]); while ($r = $q->fetch(PDO::FETCH_OBJ)) { $cat[$r->id] = $r->category; } @@ -74,8 +74,8 @@ $dkeys = array_keys($div); $ckeys = array_keys($cat); if ($config['filterdivisionbycategory'] == 'yes') { - $q = $pdo->prepare("SELECT * FROM projectcategoriesdivisions_link WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY projectdivisions_id,projectcategories_id"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM projectcategoriesdivisions_link WHERE year=? ORDER BY projectdivisions_id,projectcategories_id"); + $q->execute([$config['FAIRYEAR']]); $divcat = array(); while ($r = $q->fetch(PDO::FETCH_OBJ)) { $divcat[] = array('c' => $r->projectcategories_id, 'd' => $r->projectdivisions_id); @@ -133,13 +133,13 @@ function get_all_divs() * unassigned anymore */ $stmt = $pdo->prepare('INSERT INTO judges_jdiv (id, jdiv_id, projectdivisions_id, projectcategories_id, lang) ' - . " VALUES('', 0, '$y', '$x', '$z')"); - $stmt->execute(); + . " VALUES('', 0,?,?,?)"); + $stmt->execute([$y,$x,$z]); $q = $pdo->prepare('SELECT id FROM judges_jdiv WHERE ' - . " projectdivisions_id='$y' " - . " AND projectcategories_id='$x' " - . " AND lang='$z' "); - $q->execute(); + . " projectdivisions_id=?" + . " AND projectcategories_id=?" + . " AND lang=?"); + $q->execute([$y,$x,$z]); $r = $q->fetch(PDO::FETCH_OBJ); $cdl[$r->id]['id'] = $r->id; @@ -159,13 +159,13 @@ function get_all_divs() $y = $divshort[$cdl[$id]['div']]; $z = $div[$cdl[$id]['div']]; $q = $pdo->prepare('SELECT count(projects.id) AS cnt FROM projects,registrations WHERE ' - . " projectdivisions_id='{$cdl[$id]['div']}' " - . " AND projectcategories_id='{$cdl[$id]['cat']}' " - . " AND language='{$cdl[$id]['lang']}' " - . " AND registrations.year='{$config['FAIRYEAR']}'" + . " projectdivisions_id=?" + . " AND projectcategories_id=?" + . " AND language=?" + . " AND registrations.year=?" . ' AND projects.registrations_id=registrations.id' . " AND (registrations.status='complete' OR registrations.status='paymentpending')"); - $q->execute(); + $q->execute([$cdl[$id]['div'],$cdl[$id]['cat'],$cdl[$id]['lang'],$config['FAIRYEAR']]); $r = $q->fetch(PDO::FETCH_OBJ); show_pdo_errors_if_any($pdo); @@ -180,21 +180,21 @@ function get_all_divs() if (get_value_from_array($_POST, 'action') == 'add' && get_value_from_array($_POST, 'jdiv_id') && count(get_value_from_array($_POST, 'cdllist', [])) > 0) { foreach ($_POST['cdllist'] AS $selectedcdl) { - $q = $pdo->prepare("UPDATE judges_jdiv SET jdiv_id='{$_POST['jdiv_id']}' WHERE " - . " id='$selectedcdl' "); - $q->execute(); + $q = $pdo->prepare("UPDATE judges_jdiv SET jdiv_id=? WHERE " + . " id=?"); + $q->execute([$_POST['jdiv_id'],$selectedcdl]); } echo happy(i18n('Judging Division(s) successfully added')); } if (get_value_from_array($_GET, 'action') == 'del' && get_value_from_array($_GET, 'cdl_id')) { - $stmt = $pdo->prepare("UPDATE judges_jdiv SET jdiv_id=0 WHERE id='{$_GET['cdl_id']}'"); - $stmt->execute(); + $stmt = $pdo->prepare("UPDATE judges_jdiv SET jdiv_id=0 WHERE id=?"); + $stmt->execute([$_GET['cdl_id']]); } if (get_value_from_array($_GET, 'action') == 'empty' && get_value_from_array($_GET, 'jdiv_id')) { - $stmt = $pdo->prepare("UPDATE judges_jdiv SET jdiv_id=0 WHERE jdiv_id='{$_GET['jdiv_id']}' "); - $stmt->execute(); + $stmt = $pdo->prepare("UPDATE judges_jdiv SET jdiv_id=0 WHERE jdiv_id=?"); + $stmt->execute([$_GET['jdiv_id']]); echo happy(i18n('Emptied all divisions from Judging Division Group %1', array($_GET['jdiv_id']))); } diff --git a/admin/judges_sa.php b/admin/judges_sa.php index 84336ab6..e1b6729c 100644 --- a/admin/judges_sa.php +++ b/admin/judges_sa.php @@ -63,9 +63,9 @@ function set_status($txt) { global $pdo; TRACE("Status: $txt\n"); - $stmt = $pdo->prepare("UPDATE config SET val='$txt' WHERE + $stmt = $pdo->prepare("UPDATE config SET val=? WHERE var='judge_scheduler_activity' AND year=0"); - $stmt->execute(); + $stmt->execute([$txt]); } $set_percent_last_percent = -1; @@ -78,9 +78,9 @@ function set_percent($n) if ($p == $set_percent_last_percent) return; TRACE("Progress: $p\%\n"); - $stmt = $pdo->prepare("UPDATE config SET val='$p' WHERE + $stmt = $pdo->prepare("UPDATE config SET val=? WHERE var='judge_scheduler_percent' AND year=0"); - $stmt->execute(); + $stmt->execute([$p]); $set_percent_last_percent = $p; } @@ -413,8 +413,8 @@ set_status('Loading Data From Database...'); TRACE("\n\n"); $div = array(); TRACE("Loading Project Divisions...\n"); -$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY id"); -$q->execute(); +$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year=? ORDER BY id"); +$q->execute([$config['FAIRYEAR']]); while ($r = $q->fetch(PDO::FETCH_OBJ)) { $divshort[$r->id] = $r->division_shortform; $div[$r->id] = $r->division; @@ -423,8 +423,8 @@ while ($r = $q->fetch(PDO::FETCH_OBJ)) { TRACE("Loading Project Age Categories...\n"); $cat = array(); -$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY id"); -$q->execute(); +$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year=? ORDER BY id"); +$q->execute([$config['FAIRYEAR']]); while ($r = $q->fetch(PDO::FETCH_OBJ)) { $cat[$r->id] = $r->category; TRACE(" {$r->id} - {$r->category}\n"); @@ -442,14 +442,14 @@ while ($r = $q->fetch(PDO::FETCH_OBJ)) { TRACE("Loading Judging Round time data...\n"); $round_special_awards = array(); $round = array(); -$q = $pdo->prepare("SELECT * FROM judges_timeslots WHERE round_id='0' AND `year`='{$config['FAIRYEAR']}'"); -$q->execute(); +$q = $pdo->prepare("SELECT * FROM judges_timeslots WHERE round_id='0' AND `year`=?"); +$q->execute([$config['FAIRYEAR']]); /* Loads judges_timeslots.id, .starttime, .endtime, .date, .name */ while ($r = $q->fetch(PDO::FETCH_ASSOC)) { TRACE(" id:{$r['id']} type:{$r['type']} name:{$r['name']}\n"); - $qq = $pdo->prepare("SELECT * FROM judges_timeslots WHERE round_id='{$r['id']}'"); - $qq->execute(); + $qq = $pdo->prepare("SELECT * FROM judges_timeslots WHERE round_id=?"); + $qq->execute([$r['id']]); if ($qq->rowCount() == 0) { echo "ERROR: Round type:{$r['type']} name:{$r['name']} has no judging timeslots! Abort.\n"; exit; @@ -497,13 +497,13 @@ foreach ($keys as $jdiv_id) { TRACE("\t- "); TRACE($cat[$d['cat']] . ' ' . $div[$d['div']] . ' - ' . $langr[$d['lang']]); $qp = $pdo->prepare('SELECT projects.* FROM projects, registrations WHERE ' - . " projects.year='" . $config['FAIRYEAR'] . "' AND " - . " projectdivisions_id='{$d['div']}' AND " - . " projectcategories_id='{$d['cat']}' AND " - . " language='{$d['lang']}' AND " + . " projects.year=? AND " + . " projectdivisions_id=? AND " + . " projectcategories_id=? AND " + . " language=? AND " . ' registrations.id = projects.registrations_id ' . getJudgingEligibilityCode()); - $qp->execute(); + $qp->execute([$config['FAIRYEAR'],$d['div'],$d['cat'],$d['lang']]); $count = 0; while ($rp = $qp->fetch(PDO::FETCH_OBJ)) { $jdiv[$jdiv_id]['projects'][$rp->id] = array( @@ -524,37 +524,37 @@ foreach ($keys as $jdiv_id) { /* Clean out the judging teams that were autocreated in a previous run */ TRACE('Deleting autocreated divisional and special award judging teams:'); -$q = $pdo->prepare("SELECT * FROM judges_teams WHERE autocreate_type_id=1 AND year={$config['FAIRYEAR']}"); -$q->execute(); +$q = $pdo->prepare("SELECT * FROM judges_teams WHERE autocreate_type_id=1 AND year=?"); +$q->execute([$config['FAIRYEAR']]); while ($r = $q->fetch(PDO::FETCH_OBJ)) { $id = $r->id; print (" $id"); /* Clean out the judges_teams_link */ - $stmt = $pdo->prepare("DELETE FROM judges_teams_link WHERE judges_teams_id='$id' AND year={$config['FAIRYEAR']}"); - $stmt->execute(); + $stmt = $pdo->prepare("DELETE FROM judges_teams_link WHERE judges_teams_id=? AND year=?"); + $stmt->execute([$id,$config['FAIRYEAR']]); show_pdo_errors_if_any($pdo); /* Awards */ - $stmt = $pdo->prepare("DELETE FROM judges_teams_awards_link WHERE judges_teams_id='$id' AND year={$config['FAIRYEAR']}"); - $stmt->execute(); + $stmt = $pdo->prepare("DELETE FROM judges_teams_awards_link WHERE judges_teams_id=? AND year=?"); + $stmt->execute([$id,$config['FAIRYEAR']]); show_pdo_errors_if_any($pdo); /* Timeslots */ - $stmt = $pdo->prepare("DELETE FROM judges_teams_timeslots_link WHERE judges_teams_id='$id' AND year={$config['FAIRYEAR']}"); - $stmt->execute(); + $stmt = $pdo->prepare("DELETE FROM judges_teams_timeslots_link WHERE judges_teams_id=? AND year=?"); + $stmt->execute([$id,$config['FAIRYEAR']]); show_pdo_errors_if_any($pdo); /* Timeslots projects */ - $stmt = $pdo->prepare("DELETE FROM judges_teams_timeslots_projects_link WHERE judges_teams_id='$id' AND year={$config['FAIRYEAR']}"); - $stmt->execute(); + $stmt = $pdo->prepare("DELETE FROM judges_teams_timeslots_projects_link WHERE judges_teams_id=? AND year=?"); + $stmt->execute([$id,$config['FAIRYEAR']]); show_pdo_errors_if_any($pdo); } echo "\n"; /* Finally, delete all the autocreated judges teams */ -$stmt = $pdo->prepare("DELETE FROM judges_teams WHERE autocreate_type_id=1 AND year={$config['FAIRYEAR']}"); -$stmt->execute(); +$stmt = $pdo->prepare("DELETE FROM judges_teams WHERE autocreate_type_id=1 AND year=?"); +$stmt->execute([$config['FAIRYEAR']]); show_pdo_errors_if_any($pdo); /* @@ -564,14 +564,14 @@ show_pdo_errors_if_any($pdo); $q = $pdo->prepare("SELECT judges_teams_link.id, judges_teams.id AS judges_teams_id FROM judges_teams_link LEFT JOIN judges_teams ON judges_teams_link.judges_teams_id=judges_teams.id - WHERE judges_teams_link.year={$config['FAIRYEAR']}"); + WHERE judges_teams_link.year=?"); -$q->execute(); +$q->execute([$config['FAIRYEAR']]); $n = 0; while ($r = $q->fetch(PDO::FETCH_OBJ)) { if (!$r->judges_teams_id) { - $stmt = $pdo->prepare("DELETE FROM judges_teams_link WHERE id='$r->id'"); - $stmt->execute(); + $stmt = $pdo->prepare("DELETE FROM judges_teams_link WHERE id=?"); + $stmt->execute([$r->id]); $n++; } } @@ -595,9 +595,9 @@ foreach ($judges as &$j) { } $q = $pdo->prepare("SELECT users_id FROM judges_teams_link WHERE - users_id='{$j['id']}' - AND year='{$config['FAIRYEAR']}'"); - $q->execute(); + users_id=? + AND year=?"); + $q->execute([$j['id'],$config['FAIRYEAR']]); if ($q->rowCount() != 0) { TRACE(" {$j['name']} is already on a judging team, skipping.\n"); unset($judges[$j['id']]); @@ -605,8 +605,8 @@ foreach ($judges as &$j) { } if ($config['judges_availability_enable'] == 'yes') { /* Load the judge time availability */ - $q = $pdo->prepare("SELECT * FROM judges_availability WHERE users_id='{$j['id']}' ORDER BY `start`"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM judges_availability WHERE users_id=? ORDER BY `start`"); + $q->execute([$j['id']]); if ($q->rowCount() == 0) { TRACE(" {$j['name']} hasn't selected any time availability, POTENTIAL BUG (they shouldn't be marked as complete).\n"); TRACE(" Ignoring this judge.\n"); @@ -624,9 +624,9 @@ foreach ($judges as &$j) { judges_specialaward_sel,award_awards WHERE award_awards.id=judges_specialaward_sel.award_awards_id - AND judges_specialaward_sel.users_id='{$j['id']}' - AND award_awards.year='{$config['FAIRYEAR']}'"); - $q->execute(); + AND judges_specialaward_sel.users_id=? + AND award_awards.year=?"); + $q->execute([$j['id'],$config['FAIRYEAR']]); show_pdo_errors_if_any($pdo); if ($j['special_award_only'] == 'yes') { @@ -676,8 +676,8 @@ if (count($judges) == 0) { * Load the numbers for any user-defined judge teams that already exist, * these numbers will be off-limits for auto-assigning numbers */ -$q = $pdo->prepare("SELECT * FROM judges_teams WHERE year={$config['FAIRYEAR']}"); -$q->execute(); +$q = $pdo->prepare("SELECT * FROM judges_teams WHERE year=?"); +$q->execute([$config['FAIRYEAR']]); $used_judges_teams_numbers = array(); while ($i = $q->fetch(PDO::FETCH_ASSOC)) { $used_judges_teams_numbers[] = $i['num']; @@ -727,9 +727,9 @@ function judge_team_add_judge($team_id, $users_id) global $config, $judges; $stmt = $pdo->prepare("INSERT INTO judges_teams_link \t (users_id,judges_teams_id,captain,year) - \t VALUES ('$users_id','$team_id','{$judges[$users_id]['willing_chair']}', - '{$config['FAIRYEAR']}')"); - $stmt->execute(); + \t VALUES (?,?,?, + ?)"); + $stmt->execute([$users_id,$team_id,$judges[$users_id]['willing_chair'],$config['FAIRYEAR']]); show_pdo_errors_if_any($pdo); } @@ -919,20 +919,20 @@ for ($x = 1; $x < count($jteam); $x++) { award_awards_projectcategories, award_awards_projectdivisions WHERE - award_awards.year='{$config['FAIRYEAR']}' + award_awards.year=? AND award_awards.id=award_awards_projectcategories.award_awards_id AND award_awards.id=award_awards_projectdivisions.award_awards_id - AND award_awards_projectcategories.projectcategories_id='{$cfg['cat']}' - AND award_awards_projectdivisions.projectdivisions_id='{$cfg['div']}' + AND award_awards_projectcategories.projectcategories_id=? + AND award_awards_projectdivisions.projectdivisions_id=? AND award_awards.award_types_id='1' "); - $q->execute(); + $q->execute([$config['FAIRYEAR'],$cfg['cat'],$cfg['div']]); if ($q->rowCount() != 1) { echo error(i18n('Cannot find award for %1 - %2', array($cat[$cfg['cat']], $div[$cfg['div']]))); } else { $r = $q->fetch(PDO::FETCH_OBJ); - $stmt = $pdo->prepare("INSERT INTO judges_teams_awards_link (award_awards_id,judges_teams_id,year) VALUES ('$r->id','$team_id','{$config['FAIRYEAR']}')"); - $stmt->execute(); + $stmt = $pdo->prepare("INSERT INTO judges_teams_awards_link (award_awards_id,judges_teams_id,year) VALUES (?,?,?)"); + $stmt->execute([$r->id,$team_id,$config['FAIRYEAR']]); /* Add the award ID to the jdiv, if it's not already there */ if (!in_array($r->id, $jdiv[$t['jdiv_id']]['award_ids'])) { $jdiv[$t['jdiv_id']]['award_ids'][] = $r->id; @@ -1008,8 +1008,8 @@ if ($round_divisional2 == NULL) { /* Assign all the awards in this jdiv */ foreach ($jd['award_ids'] as $aid) { - $stmt = $pdo->prepare("INSERT INTO judges_teams_awards_link (award_awards_id,judges_teams_id,year) VALUES ('$aid','$team_id','{$config['FAIRYEAR']}')"); - $stmt->execute(); + $stmt = $pdo->prepare("INSERT INTO judges_teams_awards_link (award_awards_id,judges_teams_id,year) VALUES (?,?,?)"); + $stmt->execute([$aid,$team_id,$config['FAIRYEAR']]); } } } @@ -1134,14 +1134,14 @@ if ($config['scheduler_enable_sa_scheduling'] == 'yes') { /* Load special awards */ $q = "SELECT award_awards.name,award_awards.id FROM award_awards,award_types WHERE - award_awards.year='{$config['FAIRYEAR']}' + award_awards.year=? AND award_types.id=award_awards.award_types_id AND award_awards.schedule_judges='yes' - AND award_types.year='{$config['FAIRYEAR']}' + AND award_types.year=? AND award_types.type='Special' "; $r = $pdo->prepare($q); - $r->execute(); + $r->execute([$config['FAIRYEAR'],$config['FAIRYEAR']]); print ($pdo->errorInfo()); /* sa_jteam for leftover judges, if any */ $sa_jteam = array(); @@ -1179,8 +1179,8 @@ if ($config['scheduler_enable_sa_scheduling'] == 'yes') { /* Link the award to this team */ $stmt = $pdo->prepare("INSERT INTO judges_teams_awards_link (award_awards_id,judges_teams_id,year) - VALUES ('{$i->id}','{$sa_jteam[$x]['id']}','{$config['FAIRYEAR']}')"); - $stmt->execute(); + VALUES (?,?,?)"); + $stmt->execute([$i->id,$sa_jteam[$x]['id'],$config['FAIRYEAR']]); TRACE("Created Team: {$i->name}, " . count($projects) . " projects => $min judges needed (db id:{$sa_jteam[$x]['id']}) \n"); $x++; @@ -1397,16 +1397,16 @@ if ($config['scheduler_enable_sa_scheduling'] == 'yes') { /* Do timeslot and project timeslot assignment */ $stmt = $pdo->prepare("INSERT INTO judges_teams_timeslots_link (judges_teams_id,judges_timeslots_id,year) - VALUES ('{$t['id']}', '{$r['timeslots'][0]['id']}', '{$config['FAIRYEAR']}')"); - $stmt->execute(); + VALUES (?,?,?)"); + $stmt->execute([$t['id'],$r['timeslots'][0]['id'],$config['FAIRYEAR']]); show_pdo_errors_if_any($pdo); foreach ($t['projects'] as $proj) { $pid = $proj['id']; $stmt = $pdo->prepare("INSERT INTO judges_teams_timeslots_projects_link (judges_teams_id,judges_timeslots_id,projects_id,year) - VALUES ('{$t['id']}', '{$r['timeslots'][0]['id']}', '$pid', '{$config['FAIRYEAR']}')"); - $stmt->execute(); + VALUES (?,?,?,?)"); + $stmt->execute([$t['id'],$r['timeslots'][0]['id'],$pid,$config['FAIRYEAR']]); show_pdo_errors_if_any($pdo); } $ids = $a->bucket[$x]; @@ -1437,11 +1437,11 @@ TRACE("Loading Divisional1 Timeslot Data\n"); $available_timeslots = array(); $q = $pdo->prepare("SELECT * FROM judges_timeslots WHERE - round_id='{$round_divisional1['id']}' - AND year='{$config['FAIRYEAR']}' + round_id=? + AND year=? AND type='timeslot' ORDER BY date,starttime"); -$q->execute(); +$q->execute([$round_divisional1['id'],$config['FAIRYEAR']]); $x = 0; while ($r = $q->fetch(PDO::FETCH_OBJ)) { $available_timeslots[] = array('id' => $r->id, @@ -1622,17 +1622,17 @@ for ($k = 0; $k < $keys_count; $k++) { /* if jteam_id isn't 0, instert it into the db */ $stmt = $pdo->prepare('INSERT INTO judges_teams_timeslots_link ' . ' (judges_teams_id,judges_timeslots_id,year)' - . " VALUES ('{$jteam[$jteam_id]['team_id']}', " - . " '{$available_timeslots[$y]['id']}', " - . " '{$config['FAIRYEAR']}')"); - $stmt->execute(); + . " VALUES (?, " + . " ?, " + . " ?)"); + $stmt->execute([$jteam[$jteam_id]['team_id'],$available_timeslots[$y]['id'],$config['FAIRYEAR']]); $stmt = $pdo->prepare('INSERT INTO judges_teams_timeslots_projects_link ' . ' (judges_teams_id,judges_timeslots_id,projects_id,year) ' - . " VALUES ('{$jteam[$jteam_id]['team_id']}', " - . " '{$available_timeslots[$y]['id']}', " - . " '$pid', '{$config['FAIRYEAR']}')"); - $stmt->execute(); + . " VALUES (?, " + . " ?, " + . " ?,?)"); + $stmt->execute([$jteam[$jteam_id]['team_id'],$available_timeslots[$y]['id'],$pid,$config['FAIRYEAR']]); } printf("\n"); } diff --git a/admin/judges_schedulerconfig_check.inc.php b/admin/judges_schedulerconfig_check.inc.php index 2d835d9d..6e1f83a1 100644 --- a/admin/judges_schedulerconfig_check.inc.php +++ b/admin/judges_schedulerconfig_check.inc.php @@ -5,13 +5,13 @@ function judges_scheduler_check_timeslots() global $config, $pdo; $q = $pdo->prepare('SELECT * FROM judges_timeslots WHERE ' - . " year='" . $config['FAIRYEAR'] . "'" + . " year=?" . " AND `type`='divisional1'"); - $q->execute(); + $q->execute([$config['FAIRYEAR']]); if ($q->rowCount()) { $round = $q->fetch(PDO::FETCH_OBJ); - $q = $pdo->prepare("SELECT * FROM judges_timeslots WHERE round_id='$round->id' AND type='timeslot'"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM judges_timeslots WHERE round_id=? AND type='timeslot'"); + $q->execute([$round->id]); return $q->rowCount(); } else return 0; @@ -23,13 +23,13 @@ function judges_scheduler_check_timeslots_sa() $rows = 0; $q = $pdo->prepare('SELECT * FROM judges_timeslots WHERE ' - . " year='" . $config['FAIRYEAR'] . "'" + . " year=?" . " AND `type`='special'"); - $q->execute(); + $q->execute([$config['FAIRYEAR']]); if ($q->rowCount()) { while (($round = $q->fetch(PDO::FETCH_OBJ))) { - $rq = $pdo->prepare("SELECT * FROM judges_timeslots WHERE round_id='$round->id' AND type='timeslot'"); - $rq->execute(); + $rq = $pdo->prepare("SELECT * FROM judges_timeslots WHERE round_id=? AND type='timeslot'"); + $rq->execute([$round->id]); $rows += $rq->rowCount(); } } @@ -40,13 +40,13 @@ function judges_scheduler_check_awards() { global $config, $pdo; - $q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY id"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year=? ORDER BY id"); + $q->execute([$config['FAIRYEAR']]); while ($r = $q->fetch(PDO::FETCH_OBJ)) $div[$r->id] = $r->division; - $q = $pdo->prepare("SELECT * FROM projectcategories WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY id"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM projectcategories WHERE year=? ORDER BY id"); + $q->execute([$config['FAIRYEAR']]); while ($r = $q->fetch(PDO::FETCH_OBJ)) $cat[$r->id] = $r->category; @@ -54,8 +54,8 @@ function judges_scheduler_check_awards() $ckeys = array_keys($cat); if ($config['filterdivisionbycategory'] == 'yes') { - $q = $pdo->prepare("SELECT * FROM projectcategoriesdivisions_link WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY projectdivisions_id,projectcategories_id"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM projectcategoriesdivisions_link WHERE year=? ORDER BY projectdivisions_id,projectcategories_id"); + $q->execute([$config['FAIRYEAR']]); $divcat = array(); while ($r = $q->fetch(PDO::FETCH_OBJ)) { $divcat[] = array('c' => $r->projectcategories_id, 'd' => $r->projectdivisions_id); @@ -78,16 +78,16 @@ function judges_scheduler_check_awards() award_awards_projectcategories, award_awards_projectdivisions WHERE - award_awards.year='{$config['FAIRYEAR']}' - AND award_awards_projectcategories.year='{$config['FAIRYEAR']}' - AND award_awards_projectdivisions.year='{$config['FAIRYEAR']}' + award_awards.year=? + AND award_awards_projectcategories.year=? + AND award_awards_projectdivisions.year=? AND award_awards.id=award_awards_projectcategories.award_awards_id AND award_awards.id=award_awards_projectdivisions.award_awards_id - AND award_awards_projectcategories.projectcategories_id='$c' - AND award_awards_projectdivisions.projectdivisions_id='$d' + AND award_awards_projectcategories.projectcategories_id=? + AND award_awards_projectdivisions.projectdivisions_id=? AND award_awards.award_types_id='1' "); - $q->execute(); + $q->execute([$config['FAIRYEAR'],$config['FAIRYEAR'],$config['FAIRYEAR'],$c,$d]); show_pdo_errors_if_any($pdo); if ($q->rowCount() != 1) { $missing_awards[] = "{$cat[$c]} - {$div[$d]} (" . i18n('%1 found', array($q->rowCount())) . ')'; @@ -128,13 +128,13 @@ function judges_scheduler_check_judges() $l = $r->lang; $qp = $pdo->prepare('SELECT COUNT(projects.id) as cnt FROM projects, registrations WHERE ' - . " projects.year='" . $config['FAIRYEAR'] . "' AND " - . " projectdivisions_id='$d' AND " - . " projectcategories_id='$c' AND " - . " language='$l' AND " + . " projects.year=? AND " + . " projectdivisions_id=? AND " + . " projectcategories_id=? AND " + . " language=? AND " . ' registrations.id = projects.registrations_id ' . getJudgingEligibilityCode()); - $qp->execute(); + $qp->execute([$config['FAIRYEAR'],$d,$c,$l]); $qr = $qp->fetch(PDO::FETCH_OBJ); // if (get_value_from_3d_array($jdiv, $r->jdiv_id, 'num_projects', 'total') !== null){ diff --git a/admin/judges_teams_members.php b/admin/judges_teams_members.php index b5f95f52..d33d313f 100644 --- a/admin/judges_teams_members.php +++ b/admin/judges_teams_members.php @@ -108,8 +108,8 @@ jQuery(document).ready(function(){ if (get_value_from_array($_POST, 'action') == 'add' && get_value_from_array($_POST, 'team_num') && count(get_value_from_array($_POST, 'judgelist', [])) > 0) { // first check if this team exists. - $q = $pdo->prepare("SELECT id,name FROM judges_teams WHERE num='" . $_POST['team_num'] . "' AND year='" . $config['FAIRYEAR'] . "'"); - $q->execute(); + $q = $pdo->prepare("SELECT id,name FROM judges_teams WHERE num=? AND year=?"); + $q->execute([$_POST['team_num'],$config['FAIRYEAR']]); if ($q->rowCount()) { $r = $q->fetch(PDO::FETCH_OBJ); $team_id = $r->id; @@ -127,14 +127,14 @@ if (get_value_from_array($_POST, 'action') == 'add' && get_value_from_array($_PO foreach ($_POST['judgelist'] AS $selectedjudge) { // before we insert them, we need to make sure they dont already belong to this team. We can not have the same judge assigned to the same team multiple times. - $q = $pdo->prepare("SELECT * FROM judges_teams_link WHERE users_id='$selectedjudge' AND judges_teams_id='$team_id'"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM judges_teams_link WHERE users_id=? AND judges_teams_id=?"); + $q->execute([$selectedjudge,$team_id]); if ($q->rowCount()) { echo notice(i18n('Judge (%1) already belongs to judging team: %2', array($selectedjudge, $team_name))); } else { // lets make the first one we add a captain, the rest, non-captains :) - $stmt = $pdo->prepare("INSERT INTO judges_teams_link (users_id,judges_teams_id,captain,year) VALUES ('$selectedjudge','$team_id','$captain','" . $config['FAIRYEAR'] . "')"); - $stmt->execute(); + $stmt = $pdo->prepare("INSERT INTO judges_teams_link (users_id,judges_teams_id,captain,year) VALUES (?,?,?,?)"); + $stmt->execute([$selectedjudge,$team_id,$captain,$config['FAIRYEAR']]); $added++; } // if this is alreayd no, then who cares, but if its the first one that is going into the new team, then @@ -151,13 +151,13 @@ if (get_value_from_array($_POST, 'action') == 'add' && get_value_from_array($_PO } if (get_value_from_array($_GET, 'action') == 'del' && get_value_from_array($_GET, 'team_num') && get_value_from_array($_GET, 'team_id') && get_value_from_array($_GET, 'users_id')) { - $stmt = $pdo->prepare("DELETE FROM judges_teams_link WHERE users_id='" . $_GET['users_id'] . "' AND judges_teams_id='" . $_GET['team_id'] . "' AND year='" . $config['FAIRYEAR'] . "'"); - $stmt->execute(); + $stmt = $pdo->prepare("DELETE FROM judges_teams_link WHERE users_id=? AND judges_teams_id=? AND year=?"); + $stmt->execute([$_GET['users_id'],$_GET['team_id'],$config['FAIRYEAR']]); echo happy(i18n('Removed judge from team #%1 (%2)', array($_GET['team_num'], $_GET['team_name']))); // if there is still members left in the team, make sure we have a captain still - $q = $pdo->prepare("SELECT * FROM judges_teams_link WHERE judges_teams_id='" . $_GET['team_id'] . "' AND year='" . $config['FAIRYEAR'] . "'"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM judges_teams_link WHERE judges_teams_id=? AND year=?"); + $q->execute([$_GET['team_id'],$config['FAIRYEAR']]); if ($q->rowCount()) { // make sure the team still has a captain! // FIXME: this might best come from the "i am willing to be a team captain" question under the judges profile @@ -176,24 +176,24 @@ if (get_value_from_array($_GET, 'action') == 'del' && get_value_from_array($_GET } if (!$gotcaptain) { // make the first judge the captain - $stmt = $pdo->prepare("UPDATE judges_teams_link SET captain='yes' WHERE judges_teams_id='" . $_GET['team_id'] . "' AND users_id='$firstjudge' AND year='" . $config['FAIRYEAR'] . "'"); - $stmt->execute(); + $stmt = $pdo->prepare("UPDATE judges_teams_link SET captain='yes' WHERE judges_teams_id=? AND users_id=? AND year=?"); + $stmt->execute([$_GET['team_id'],$firstjudge,$config['FAIRYEAR']]); echo notice(i18n('Team captain was removed. A new team captain has been automatically assigned')); } } } if (get_value_from_array($_GET, 'action') == 'empty' && get_value_from_array($_GET, 'team_num') && get_value_from_array($_GET, 'team_id')) { - $stmt = $pdo->prepare("DELETE FROM judges_teams_link WHERE judges_teams_id='" . $_GET['team_id'] . "' AND year='" . $config['FAIRYEAR'] . "'"); - $stmt->execute(); + $stmt = $pdo->prepare("DELETE FROM judges_teams_link WHERE judges_teams_id=? AND year=?"); + $stmt->execute([$_GET['team_id'],$config['FAIRYEAR']]); echo happy(i18n('Emptied all judges from team #%1 (%2)', array($_GET['team_num'], $_GET['team_name']))); } if (get_value_from_array($_POST, 'action') == 'saveteamnames') { if (count($_POST['team_names'])) { foreach ($_POST['team_names'] AS $team_id => $team_name) { - $stmt = $pdo->prepare("UPDATE judges_teams SET name='" . stripslashes($team_name) . "' WHERE id='$team_id'"); - $stmt->execute(); + $stmt = $pdo->prepare("UPDATE judges_teams SET name=? WHERE id=?"); + $stmt->execute([stripslashes($team_name),$team_id]); } echo happy(i18n('Team names successfully saved')); } @@ -201,20 +201,20 @@ if (get_value_from_array($_POST, 'action') == 'saveteamnames') { if (get_value_from_array($_GET, 'action') == 'addcaptain') { // teams can have as many captains as they want, so just add it. - $stmt = $pdo->prepare("UPDATE judges_teams_link SET captain='yes' WHERE judges_teams_id='" . $_GET['team_id'] . "' AND users_id='" . $_GET['judge_id'] . "'"); - $stmt->execute(); + $stmt = $pdo->prepare("UPDATE judges_teams_link SET captain='yes' WHERE judges_teams_id=? AND users_id=?"); + $stmt->execute([ $_GET['team_id'],$_GET['judge_id']]); echo happy(i18n('Team captain assigned')); } if (get_value_from_array($_GET, 'action') == 'removecaptain') { // teams must always have at least one captain, so if we only have one, and we are trying to remove it, dont let them! - $q = $pdo->prepare("SELECT * FROM judges_teams_link WHERE captain='yes' AND judges_teams_id='" . $_GET['team_id'] . "'"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM judges_teams_link WHERE captain='yes' AND judges_teams_id=?"); + $q->execute([$_GET['team_id']]); if ($q->rowCount() < 2) { echo error(i18n('A judge team must always have at least one captain')); } else { - $pdo->prepare("UPDATE judges_teams_link SET captain='no' WHERE judges_teams_id='" . $_GET['team_id'] . "' AND users_id='" . $_GET['judge_id'] . "'"); - $pdo->execute(); + $pdo->prepare("UPDATE judges_teams_link SET captain='no' WHERE judges_teams_id=? AND users_id=?"); + $pdo->execute([$_GET['team_id'],$_GET['judge_id']]); echo happy(i18n('Team captain removed')); } } @@ -225,16 +225,16 @@ if (get_value_from_array($_GET, 'action') == 'autoassignspecial') { /* Load all the teams */ $teams = array(); - $q = $pdo->prepare("SELECT * FROM judges_teams WHERE year='{$config['FAIRYEAR']}'"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM judges_teams WHERE year=?"); + $q->execute([$config['FAIRYEAR']]); while ($i = $q->fetch(PDO::FETCH_ASSOC)) { $teams[$i['id']] = $i; } /* And the links */ $links = array(); - $q = $pdo->prepare("SELECT * FROM judges_teams_link WHERE year='{$config['FAIRYEAR']}'"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM judges_teams_link WHERE year=?"); + $q->execute([$config['FAIRYEAR']]); while ($i = $q->fetch(PDO::FETCH_ASSOC)) { $judgelist[$i['users_id']]['teams_links'][] = $i; } @@ -254,12 +254,12 @@ if (get_value_from_array($_GET, 'action') == 'autoassignspecial') { foreach ($j['special_award_selected'] AS $awardid) { echo "Looking for a team for award $awardid
"; // find the award id linked to a team - $q = $pdo->prepare("SELECT * FROM judges_teams_awards_link WHERE award_awards_id='{$awardid}' AND year='{$config['FAIRYEAR']}'"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM judges_teams_awards_link WHERE award_awards_id=? AND year=?"); + $q->execute([$awardid,$config['FAIRYEAR']]); if ($q->rowCount()) { while ($r = $q->fetch(PDO::FETCH_OBJ)) { - $stmt = $pdo->prepare("INSERT INTO judges_teams_link (users_id,judges_teams_id,captain,year) VALUES ('$jid','$r->judges_teams_id','yes','{$config['FAIRYEAR']}')"); - $stmt->execute(); + $stmt = $pdo->prepare("INSERT INTO judges_teams_link (users_id,judges_teams_id,captain,year) VALUES (?,?,'yes',?)"); + $stmt->execute([$jid,$r->judges_teams_id,$config['FAIRYEAR']]); echo happy(i18n('%1 %2 to their special award(s) team(s)', array($j['firstname'], $j['lastname']))); } } else { @@ -308,16 +308,16 @@ $judgelist = judges_load_all(); /* Load all the teams */ $teams = array(); -$q = $pdo->prepare("SELECT * FROM judges_teams WHERE year='{$config['FAIRYEAR']}'"); -$q->execute(); +$q = $pdo->prepare("SELECT * FROM judges_teams WHERE year=?"); +$q->execute([$config['FAIRYEAR']]); while ($i = $q->fetch(PDO::FETCH_ASSOC)) { $teams[$i['id']] = $i; } /* And the links */ $links = array(); -$q = $pdo->prepare("SELECT * FROM judges_teams_link WHERE year='{$config['FAIRYEAR']}'"); -$q->execute(); +$q = $pdo->prepare("SELECT * FROM judges_teams_link WHERE year=?"); +$q->execute([$config['FAIRYEAR']]); while ($i = $q->fetch(PDO::FETCH_ASSOC)) { $judgelist[$i['users_id']]['teams_links'][] = $i; } diff --git a/config_editor.inc.php b/config_editor.inc.php index 196fdba3..898fc400 100644 --- a/config_editor.inc.php +++ b/config_editor.inc.php @@ -124,16 +124,16 @@ function config_update_variables($fairyear = NULL, $lastfairyear = NULL) $v = $r2->fetch(PDO::FETCH_ASSOC); $r3 = $pdo->prepare('INSERT INTO config (var,val,category,type,type_values,ord,description,year) VALUES ( - ' . $pdo->quote($v['var']) . ', - ' . $pdo->quote($v['val']) . ', - ' . $pdo->quote($v['category']) . ', - ' . $pdo->quote($v['type']) . ', - ' . $pdo->quote($v['type_values']) . ', - ' . $pdo->quote($v['ord']) . ', - ' . $pdo->quote($v['description']) . ", - '$fairyear')"); + ?, + ?, + ?, + ?, + ?, + ?, + ?, + ?)'); - $r3->execute(); + $r3->execute([$pdo->quote($v['var']),$pdo->quote($v['val']),$pdo->quote($v['category']),$pdo->quote($v['type']),$pdo->quote($v['type_values']),$pdo->quote($v['ord']),$pdo->quote($v['description']),$fairyear]); show_pdo_errors_if_any($pdo); } } diff --git a/db/db.update.118.php b/db/db.update.118.php index cee9765b..79fc7d6b 100644 --- a/db/db.update.118.php +++ b/db/db.update.118.php @@ -77,14 +77,14 @@ function db_update_118_post() echo " Linking $user_id to users_sponsor record\n"; $stmt = $pdo->prepare("INSERT INTO users_sponsor (`users_id`,`sponsors_id`,`sponsor_complete`,`sponsor_active`,`primary`,`position`,`notes`) VALUES ( - '" . $user_id . "', - '" . $r->award_sponsors_id . "', - '$complete', - '$active', - '" . $r->primary . "', - '" . $r->position . "', - '" . $r->notes . "')"); - $stmt->execute(); + ?, + ?, + ?, + ?, + ?, + ?, + ?)"); + $stmt->execute([$user_id,$r->award_sponsors_id,$complete,$active,$r->primary,$r->position,$r->notes]); show_pdo_errors_if_any($pdo); } } diff --git a/db/db.update.129.user.inc.php b/db/db.update.129.user.inc.php index 37ca6271..a3d51270 100644 --- a/db/db.update.129.user.inc.php +++ b/db/db.update.129.user.inc.php @@ -296,9 +296,9 @@ function db129_user_save_type_list($u, $db, $fields) $set .= "`$f`='$data'"; } if ($set != '') { - $query = "UPDATE $db SET $set WHERE users_id='{$u['id']}'"; + $query = "UPDATE ? SET ? WHERE users_id=?"; $stmt = $pdo->prepare($query); - $stmt->execute(); + $stmt->execute([$db,$set,$u['id']]); if ($pdo->errorInfo()) { show_pdo_errors_if_any($pdo); echo error("Full query: $query"); @@ -372,9 +372,9 @@ function db129_user_save($u) // print_r($u); // echo ""; if ($set != '') { - $query = "UPDATE users SET $set WHERE id='{$u['id']}'"; + $query = "UPDATE users SET ? WHERE id=?"; $stmt = $pdo->prepare($query); - $stmt->execute(); + $stmt->execute([$set,$u['id']]); // echo "query=[$query]"; show_pdo_errors_if_any($pdo); } @@ -395,8 +395,8 @@ function db129_user_save($u) function db129_user_delete_committee($u) { - $stmt = $pdo->prepare("DELETE FROM committees_link WHERE users_uid='{$u['uid']}'"); - $stmt->execute(); + $stmt = $pdo->prepare("DELETE FROM committees_link WHERE users_uid=?"); + $stmt->execute([$u['uid']]); } function db129_user_delete_volunteer($u) {} @@ -405,10 +405,10 @@ function db129_user_delete_judge($u) { global $config; $id = $u['id']; - $stmt = $pdo->prepare("DELETE FROM judges_teams_link WHERE users_id='$id'"); - $stmt->execute(); - $stmt = $pdo->prepare("DELETE FROM judges_specialawards_sel WHERE users_id='$id'"); - $stmt->execute(); + $stmt = $pdo->prepare("DELETE FROM judges_teams_link WHERE users_id=?"); + $stmt->execute([$id]); + $stmt = $pdo->prepare("DELETE FROM judges_specialawards_sel WHERE users_id=?"); + $stmt->execute([$id]); } function db129_user_delete_fair($u) {} @@ -442,8 +442,8 @@ function db129_user_delete($u, $type = false) $types .= ','; $types .= $t; } - $stmt = $pdo->prepare("UPDATE users SET types='$types' WHERE id='{$u['id']}'"); - $stmt->execute(); + $stmt = $pdo->prepare("UPDATE users SET types=? WHERE id=?"); + $stmt->execute([$types,$u['id']]); } else { $finish_delete = true; } @@ -455,8 +455,8 @@ function db129_user_delete($u, $type = false) $finish_delete = true; } if ($finish_delete == true) { - $stmt = $pdo->prepare("UPDATE users SET deleted='yes', deleteddatetime=NOW() WHERE id='{$u['id']}'"); - $stmt->execute(); + $stmt = $pdo->prepare("UPDATE users SET deleted='yes', deleteddatetime=NOW() WHERE id=?"); + $stmt->execute([$u['id']]); } } @@ -491,8 +491,8 @@ function db129_user_purge($u, $type = false) $types .= ','; $types .= $t; } - $stmt = $pdo->prepare("UPDATE users SET types='$types' WHERE id='{$u['id']}'"); - $stmt->execute(); + $stmt = $pdo->prepare("UPDATE users SET types=? WHERE id=?"); + $stmt->execute([$types,$u['id']]); } else { $finish_purge = true; } @@ -503,21 +503,21 @@ function db129_user_purge($u, $type = false) */ call_user_func("db129_user_delete_$type", $u); // call_user_func("user_purge_$type", $u); - $stmt = $pdo->prepare("DELETE FROM users_$type WHERE users_id='{$u['id']}'"); - $stmt->execute(); + $stmt = $pdo->prepare("DELETE FROM users_? WHERE users_id=?"); + $stmt->execute([$type,$u['id']]); } else { /* Delete the whole user */ foreach ($u['types'] as $t) { call_user_func("db129_user_delete_$t", $u); // call_user_func("user_purge_$t", $u); - $stmt = $pdo->prepare("DELETE FROM users_$t WHERE users_id='{$u['id']}'"); - $stmt->execute(); + $stmt = $pdo->prepare("DELETE FROM users_? WHERE users_id=?"); + $stmt->execute([$t,$u['id']]); } $finish_purge = true; } if ($finish_purge == true) { - $stmt = $pdo->prepare("DELETE FROM users WHERE id='{$u['id']}'"); - $stmt->execute(); + $stmt = $pdo->prepare("DELETE FROM users WHERE id=?"); + $stmt->execute([$u['id']]); } } @@ -526,8 +526,8 @@ function db129_user_dupe_row($db, $key, $val, $newval) { global $config; $nullfields = array('deleteddatetime'); /* Fields that can be null */ - $q = $pdo->prepare("SELECT * FROM $db WHERE $key='$val'"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM ? WHERE ?=?"); + $q->execute([$db,$key,$val]); if ($q->rowCount() != 1) { echo "ERROR duplicating row in $db: $key=$val NOT FOUND.\n"; exit; @@ -547,10 +547,10 @@ function db129_user_dupe_row($db, $key, $val, $newval) $keys = '`' . join('`,`', array_keys($i)) . '`'; $vals = join(',', array_values($i)); - $q = "INSERT INTO $db ($keys) VALUES ($vals)"; + $q = "INSERT INTO ? (?) VALUES (?)"; // echo "Dupe Query: [$q]"; $r = $pdo->prepare($q); - $r->execute(); + $r->execute([$db,$keys,$vals]); show_pdo_errors_if_any($pdo); $id = $pdo->lastInsertId(); @@ -570,9 +570,9 @@ function db129_user_dupe($u, $new_year) */ /* Find the last entry */ - $q = $pdo->prepare("SELECT id,uid,year,deleted FROM users WHERE uid='{$u['uid']}' + $q = $pdo->prepare("SELECT id,uid,year,deleted FROM users WHERE uid=? ORDER BY year DESC LIMIT 1"); - $q->execute(); + $q->execute([$u['uid']]); $r = $q->fetch(PDO::FETCH_OBJ); if ($r->deleted == 'yes') { echo "Cannot duplicate user ID {$u['id']}, they are deleted. Undelete them first.\n"; @@ -584,8 +584,8 @@ function db129_user_dupe($u, $new_year) } $id = db129_user_dupe_row('users', 'id', $u['id'], NULL); - $q = $pdo->prepare("UPDATE users SET year='$new_year' WHERE id='$id'"); - $q->execute(); + $q = $pdo->prepare("UPDATE users SET year=? WHERE id=?"); + $q->execute([$new_year,$id]); /* Load the new user */ $u2 = db129_user_load($id); @@ -630,12 +630,12 @@ function db129_user_create($type, $username, $u = NULL) global $config; if (!is_array($u)) { $stmt = $pdo->prepare("INSERT INTO users (`types`,`username`,`passwordset`,`created`,`year`) - VALUES ('$type', '$username','0000-00-00', NOW(), '{$config['FAIRYEAR']}')"); - $stmt->execute(); + VALUES (?,?,'0000-00-00', NOW(),?)"); + $stmt->execute([$type,$username,$config['FAIRYEAR']]); show_pdo_errors_if_any($pdo); $uid = $pdo->lastInsertId(); - $stmt = $pdo->prepare("UPDATE users SET uid='$uid' WHERE id='$uid'"); - $stmt->execute(); + $stmt = $pdo->prepare("UPDATE users SET uid=? WHERE id=?"); + $stmt->execute([$uid,$uid]); db129_user_set_password($uid, NULL); } else { /* @@ -649,34 +649,34 @@ function db129_user_create($type, $username, $u = NULL) exit; } $new_types = implode(',', $u['types']) . ',' . $type; - $stmt = $pdo->prepare("UPDATE users SET types='$new_types' WHERE id='$uid'"); - $stmt->execute(); + $stmt = $pdo->prepare("UPDATE users SET types=? WHERE id=?"); + $stmt->execute([$new_types,$uid]); } switch ($type) { case 'volunteer': - $stmt = $pdo->prepare("INSERT INTO users_volunteer(`users_id`, `volunteer_active`) VALUES ('$uid', 'yes')"); - $stmt->execute(); + $stmt = $pdo->prepare("INSERT INTO users_volunteer(`users_id`, `volunteer_active`) VALUES (?, 'yes')"); + $stmt->execute([$uid]); break; case 'student': - // $stmt = $pdo->prepare("INSERT INTO users_student(`users_id`, `student_active`) VALUES ('$uid', 'yes')"); - $stmt->execute(); + $stmt = $pdo->prepare("INSERT INTO users_student(`users_id`, `student_active`) VALUES (?, 'yes')"); + $stmt->execute([$uid]); break; case 'judge': - $stmt = $pdo->prepare("INSERT INTO users_judge(`users_id`, `judge_active`) VALUES ('$uid', 'yes')"); - $stmt->execute(); + $stmt = $pdo->prepare("INSERT INTO users_judge(`users_id`, `judge_active`) VALUES (?, 'yes')"); + $stmt->execute([$uid]); break; case 'fair': - $stmt = $pdo->prepare("INSERT INTO users_fair(`users_id`, `fair_active`) VALUES ('$uid', 'yes')"); - $stmt->execute(); + $stmt = $pdo->prepare("INSERT INTO users_fair(`users_id`, `fair_active`) VALUES (?, 'yes')"); + $stmt->execute([$uid]); break; case 'committee': - $stmt = $pdo->prepare("INSERT INTO users_committee(`users_id`, `committee_active`) VALUES ('$uid', 'yes')"); - $stmt->execute(); + $stmt = $pdo->prepare("INSERT INTO users_committee(`users_id`, `committee_active`) VALUES (?, 'yes')"); + $stmt->execute([$uid]); break; case 'sponsor': - $stmt = $pdo->prepare("INSERT INTO users_sponsor(`users_id`) VALUES ('$uid')"); - $stmt->execute(); + $stmt = $pdo->prepare("INSERT INTO users_sponsor(`users_id`) VALUES (?)"); + $stmt->execute([$uid]); break; } return db129_user_load($uid); diff --git a/db/db.update.131.php b/db/db.update.131.php index 6c6ebcd3..fed88c41 100644 --- a/db/db.update.131.php +++ b/db/db.update.131.php @@ -12,11 +12,11 @@ function db_update_131_pre() $q->execute(); while ($r = $q->fetch(PDO::FETCH_OBJ)) { $total = 0; - $awardq = $pdo->prepare("SELECT * FROM award_awards WHERE sponsors_id='$r->id' AND year='$year'"); - $awardq->execute(); + $awardq = $pdo->prepare("SELECT * FROM award_awards WHERE sponsors_id=? AND year=?"); + $awardq->execute([$r->id,$year]); while ($awardr = $awardq->fetch(PDO::FETCH_OBJ)) { - $prizeq = $pdo->prepare("SELECT cash,scholarship,value,number FROM award_prizes WHERE award_awards_id='$awardr->id'"); - $prizeq->execute(); + $prizeq = $pdo->prepare("SELECT cash,scholarship,value,number FROM award_prizes WHERE award_awards_id=?"); + $prizeq->execute([$awardr->id]); while ($prizer = $prizeq->fetch(PDO::FETCH_OBJ)) { // some people never set the value for some reason, i dunno why.. $realvalue = max($prizer->cash + $prizer->scholarship, $prizer->value); @@ -26,15 +26,15 @@ function db_update_131_pre() } echo "Creating sponsorship for ID: $r->id value: $total\n"; $pdo->prepare("INSERT INTO sponsorships (sponsors_id,fundraising_type,value,status,probability,year) VALUES ( - '$r->id', + ?, 'sfawards', - '$total', + ?, 'pending', '25', - '$year')"); - $pdo->execute(); - $stmt = $pdo->prepare("INSERT INTO sponsors_logs (sponsors_id,dt,users_id,log) VALUES ('$r->id',NOW(),0,'Automatically created sponsorship from existing sponsor. type=award, value=\$$total, status=pending, probability=25%')"); - $stmt->execute(); + ?)"); + $pdo->execute([$r->id,$total,$year]); + $stmt = $pdo->prepare("INSERT INTO sponsors_logs (sponsors_id,dt,users_id,log) VALUES (?,NOW(),0,'Automatically created sponsorship from existing sponsor. type=award, value=\$?, status=pending, probability=25%')"); + $stmt->execute([$r->id,$total]); } } diff --git a/db/db.update.136.php b/db/db.update.136.php index b01e00c3..9b51e3ba 100644 --- a/db/db.update.136.php +++ b/db/db.update.136.php @@ -9,12 +9,12 @@ function db_update_136_pre() `enable_stats` = 'yes', `enable_awards` = 'yes', `enable_winners` = 'yes', - `username` = '{$config['ysf_region_id']}', - `password` = '{$config['ysf_region_password']}' + `username` =?, + `password` =? WHERE `url`='https://secure.ysf-fsj.ca/awarddownloader/index.php'"); - $stmt->execute(); + $stmt->execute([$config['ysf_region_id'],$config['ysf_region_password']]); $stmt = $pdo->prepare("UPDATE fairs SET `abbrv` = 'STO', `website` = 'http://www.scitechontario.org/awarddownloader/help.php', diff --git a/db/db.update.142.php b/db/db.update.142.php index 4381a12c..b356b6ec 100644 --- a/db/db.update.142.php +++ b/db/db.update.142.php @@ -15,8 +15,8 @@ function db_update_142_post() $fiscalyearsuggest = date('Y') + 1; else $fiscalyearsuggest = date('Y'); - $stmt = $pdo->prepare("INSERT INTO `config` ( `var` , `val` , `category` , `type` , `type_values` , `ord` , `description` , `year`) VALUES ( 'FISCALYEAR', '$fiscalyearsuggest', 'Special', '', '', '0', 'The current fiscal year that the fundraising module is using', '0')"); - $stmt->execute(); + $stmt = $pdo->prepare("INSERT INTO `config` ( `var` , `val` , `category` , `type` , `type_values` , `ord` , `description` , `year`) VALUES ( 'FISCALYEAR',?, 'Special', '', '', '0', 'The current fiscal year that the fundraising module is using', '0')"); + $stmt->execute([$fiscalyearsuggest]); } } diff --git a/db/db.update.146.php b/db/db.update.146.php index 4e089e08..ec62406d 100644 --- a/db/db.update.146.php +++ b/db/db.update.146.php @@ -38,8 +38,8 @@ function db_update_146_handle($name, $email, $phone, $type) function db_update_146_post() { global $config, $pdo; - $q = $pdo->prepare("SELECT * FROM schools WHERE year='{$config['FAIRYEAR']}'"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM schools WHERE year=?"); + $q->execute([$config['FAIRYEAR']]); while ($s = $q->fetch(PDO::FETCH_ASSOC)) { /* Science head */ if (trim($s['sciencehead']) != '') { @@ -48,8 +48,8 @@ function db_update_146_post() $s['scienceheadphone'], 'teacher'); if ($u != false) { - $stmt = $pdo->prepare("UPDATE schools SET sciencehead_uid='{$u['uid']}' WHERE id='{$s['id']}'"); - $stmt->execute(); + $stmt = $pdo->prepare("UPDATE schools SET sciencehead_uid=? WHERE id=?"); + $stmt->execute([$u['uid'],$s['id']]); } } @@ -60,8 +60,8 @@ function db_update_146_post() $s['phone'], 'principal'); if ($u != false) { - $stmt = $pdo->prepare("UPDATE schools SET principal_uid='{$u['uid']}' WHERE id='{$s['id']}'"); - $stmt->execute(); + $stmt = $pdo->prepare("UPDATE schools SET principal_uid=? WHERE id=?"); + $stmt->execute([$u['uid'],$s['id']]); } } } diff --git a/db/db.update.146.user.inc.php b/db/db.update.146.user.inc.php index 54561519..d38bac6d 100644 --- a/db/db.update.146.user.inc.php +++ b/db/db.update.146.user.inc.php @@ -141,8 +141,8 @@ function db146_user_load_sponsor(&$u) $u['sponsor_complete'] = ($u['sponsor_complete'] == 'yes') ? 'yes' : 'no'; $u['sponsor_active'] = ($u['sponsor_active'] == 'yes') ? 'yes' : 'no'; if ($u['sponsors_id']) { - $q = $pdo->prepare("SELECT * FROM sponsors WHERE id='{$u['sponsors_id']}'"); - $q->execute(0); + $q = $pdo->prepare("SELECT * FROM sponsors WHERE id=?"); + $q->execute([0,$u['sponsors_id']]); $u['sponsor'] = $q->fetch(PDO::FETCH_ASSOC); } return true; @@ -279,8 +279,8 @@ function db146_user_load_by_email($email) { /* Find the most recent uid for the email, regardless of deleted status */ $e = $email; - $q = $pdo->prepare("SELECT uid FROM users WHERE email='$e' OR username='$e' ORDER BY year DESC LIMIT 1"); - $q->execute(); + $q = $pdo->prepare("SELECT uid FROM users WHERE email=? OR username=? ORDER BY year DESC LIMIT 1"); + $q->execute([$e,$e]); if ($q->rowCount() == 1) { $i = $q->fetch(PDO::FETCH_ASSOC); @@ -291,8 +291,8 @@ function db146_user_load_by_email($email) function db146_user_load_by_uid_year($uid, $year) { - $q = $pdo->prepare("SELECT id FROM users WHERE uid='$uid' AND year <= '$year'"); - $q->execute(); + $q = $pdo->prepare("SELECT id FROM users WHERE uid=? AND year <=?"); + $q->execute([$uid,$year]); if (!$q->rowCount()) return false; $i = $q->fetch(PDO::FETCH_ASSOC); @@ -304,8 +304,8 @@ function db146_user_set_password($id, $password = NULL) /* pass $u by reference so we can update it */ $save_old = false; if ($password == NULL) { - $q = $pdo->prepare("SELECT passwordset FROM users WHERE id='$id'"); - $q->execute(); + $q = $pdo->prepare("SELECT passwordset FROM users WHERE id=?"); + $q->execute([$id]); $u = $q->fetch(PDO::FETCH_ASSOC); /* Generate a new password */ $password = db146_user_generate_password(12); @@ -324,9 +324,9 @@ function db146_user_set_password($id, $password = NULL) $set = ($save_old == true) ? 'oldpassword=password, ' : ''; $set .= "password='$p', passwordset=$save_set "; - $query = "UPDATE users SET $set WHERE id='$id'"; + $query = "UPDATE users SET ? WHERE id=?"; $stmt = $pdo->prepare($query); - $stmt->execute(); + $stmt->execute([$set,$id]); show_pdo_errors_if_any($pdo); return $password; @@ -360,9 +360,9 @@ function db146_user_save_type_list($u, $db, $fields) $set .= "`$f`='$data'"; } if ($set != '') { - $query = "UPDATE $db SET $set WHERE users_id='{$u['id']}'"; + $query = "UPDATE ? SET ? WHERE users_id=?"; $stmt = $pdo->prepare($query); - $stmt->execute(); + $stmt->execute([$db,$set,$u['id']]); if ($pdo->errorInfo()) { show_pdo_errors_if_any($pdo); echo error("Full query: $query"); @@ -430,8 +430,8 @@ function db146_user_save(&$u) exit; } // give em a record, the primary key on the table takes care of uniqueness - $q = $pdo->prepare("INSERT INTO users_$t (users_id) VALUES ('{$u['id']}')"); - $q->execute(); + $q = $pdo->prepare("INSERT INTO users_? (users_id) VALUES (?)"); + $q->execute([$t,$u['id']]); } $fields = array('salutation', 'firstname', 'lastname', 'username', @@ -459,9 +459,9 @@ function db146_user_save(&$u) // print_r($u); // echo ""; if ($set != '') { - $query = "UPDATE users SET $set WHERE id='{$u['id']}'"; + $query = "UPDATE users SET ? WHERE id=?"; $stmt = $pdo->prepare($query); - $stmt->execute(); + $stmt->execute([$set,$u['id']]); // echo "query=[$query]"; show_pdo_errors_if_any($pdo); } @@ -491,8 +491,8 @@ function db146_user_save(&$u) function db146_user_delete_committee($u) { - $stmt = $pdo->prepare("DELETE FROM committees_link WHERE users_uid='{$u['uid']}'"); - $stmt->execute(); + $stmt = $pdo->prepare("DELETE FROM committees_link WHERE users_uid=?"); + $stmt->execute([$u['uid']]); } function db146_user_delete_volunteer($u) {} @@ -501,10 +501,10 @@ function db146_user_delete_judge($u) { global $config; $id = $u['id']; - $stmt = $pdo->prepare("DELETE FROM judges_teams_link WHERE users_id='$id'"); - $stmt->execute(); - $stmt = $pdo->prepare("DELETE FROM judges_specialawards_sel WHERE users_id='$id'"); - $stmt->execute(); + $stmt = $pdo->prepare("DELETE FROM judges_teams_link WHERE users_id=?"); + $stmt->execute([$id]); + $stmt = $pdo->prepare("DELETE FROM judges_specialawards_sel WHERE users_id=?"); + $stmt->execute([$id]); } function db146_user_delete_fair($u) {} @@ -548,8 +548,8 @@ function db146_user_delete($u, $type = false) $types .= ','; $types .= $t; } - $stmt = $pdo->prepare("UPDATE users SET types='$types' WHERE id='{$u['id']}'"); - $stmt->execute(); + $stmt = $pdo->prepare("UPDATE users SET types=? WHERE id=?"); + $stmt->execute([$types,$u['id']]); } else { $finish_delete = true; } @@ -563,8 +563,8 @@ function db146_user_delete($u, $type = false) $finish_delete = true; } if ($finish_delete == true) { - $stmt = $pdo->prepare("UPDATE users SET deleted='yes', deleteddatetime=NOW() WHERE id='{$u['id']}'"); - $stmt->execute(); + $stmt = $pdo->prepare("UPDATE users SET deleted='yes', deleteddatetime=NOW() WHERE id=?"); + $stmt->execute([$u['id']]); } } @@ -599,8 +599,8 @@ function db146_user_purge($u, $type = false) $types .= ','; $types .= $t; } - $stmt = $pdo->prepare("UPDATE users SET types='$types' WHERE id='{$u['id']}'"); - $stmt->execute(); + $stmt = $pdo->prepare("UPDATE users SET types=? WHERE id=?"); + $stmt->execute([$types,$u['id']]); } else { $finish_purge = true; } @@ -611,21 +611,21 @@ function db146_user_purge($u, $type = false) */ call_user_func("db146_user_delete_$type", $u); // call_user_func("user_purge_$type", $u); - $stmt = $pdo->prepare("DELETE FROM users_$type WHERE users_id='{$u['id']}'"); - $stmt->execute(); + $stmt = $pdo->prepare("DELETE FROM users_? WHERE users_id=?"); + $stmt->execute([$type,$u['id']]); } else { /* Delete the whole user */ foreach ($u['types'] as $t) { call_user_func("db146_user_delete_$t", $u); // call_user_func("user_purge_$t", $u); - $stmt = $pdo->prepare("DELETE FROM users_$t WHERE users_id='{$u['id']}'"); - $stmt->execute(); + $stmt = $pdo->prepare("DELETE FROM users_? WHERE users_id=?"); + $stmt->execute([$t,$u['id']]); } $finish_purge = true; } if ($finish_purge == true) { - $stmt = $pdo->prepare("DELETE FROM users WHERE id='{$u['id']}'"); - $stmt->execute(); + $stmt = $pdo->prepare("DELETE FROM users WHERE id=?"); + $stmt->execute([$u['id']]); } } @@ -634,8 +634,8 @@ function db146_user_dupe_row($db, $key, $val, $newval) { global $config; $nullfields = array('deleteddatetime'); /* Fields that can be null */ - $q = $pdo->prepare("SELECT * FROM $db WHERE $key='$val'"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM ? WHERE ?=?"); + $q->execute([$db,$key,$val]); if ($q->rowCount() != 1) { echo "ERROR duplicating row in $db: $key=$val NOT FOUND.\n"; exit; @@ -655,10 +655,10 @@ function db146_user_dupe_row($db, $key, $val, $newval) $keys = '`' . join('`,`', array_keys($i)) . '`'; $vals = join(',', array_values($i)); - $q = "INSERT INTO $db ($keys) VALUES ($vals)"; + $q = "INSERT INTO ? (?) VALUES (?)"; // echo "Dupe Query: [$q]"; $r = $pdo->prepare($q); - $r->execute(); + $r->execute([$db,$keys,$vals]); show_pdo_errors_if_any($pdo); $id = $pdo->lastInsertId(); @@ -678,9 +678,9 @@ function db146_user_dupe($u, $new_year) */ /* Find the last entry */ - $q = $pdo->prepare("SELECT id,uid,year,deleted FROM users WHERE uid='{$u['uid']}' + $q = $pdo->prepare("SELECT id,uid,year,deleted FROM users WHERE uid=? ORDER BY year DESC LIMIT 1"); - $q->execute(); + $q->execute([$u['uid']]); $r = $q->fetch(PDO::FETCH_OBJ); if ($r->deleted == 'yes') { echo "Cannot duplicate user ID {$u['id']}, they are deleted. Undelete them first.\n"; @@ -692,9 +692,9 @@ function db146_user_dupe($u, $new_year) } $id = db146_user_dupe_row('users', 'id', $u['id'], NULL); - $q = $pdo->prepare("UPDATE users SET year='$new_year' WHERE id='$id'"); + $q = $pdo->prepare("UPDATE users SET year=? WHERE id=?"); - $q->execute(); + $q->execute([$new_year,$id]); /* Load the new user */ $u2 = db146_user_load($id); @@ -743,17 +743,17 @@ function db146_user_create($type, $username, $u = NULL) global $config; if (!is_array($u)) { $stmt = $pdo->prepare("INSERT INTO users (`types`,`username`,`passwordset`,`created`,`year`) - VALUES ('$type','$username','0000-00-00', NOW(), '{$config['FAIRYEAR']}')"); - $stmt->execute(); + VALUES (?,?,'0000-00-00', NOW(),?)"); + $stmt->execute([$type,$username,$config['FAIRYEAR']]); show_pdo_errors_if_any($pdo); $uid = $pdo->lastInsertId(); if (db146_user_valid_email($username)) { - $stmt = $pdo->prepare("UPDATE users SET email='$username' WHERE id='$uid'"); - $stmt->execute(); + $stmt = $pdo->prepare("UPDATE users SET email=? WHERE id=?"); + $stmt->execute([$username,$uid]); } - $stmt = $pdo->prepare("UPDATE users SET uid='$uid' WHERE id='$uid'"); - $stmt->execute(); + $stmt = $pdo->prepare("UPDATE users SET uid=? WHERE id=?"); + $stmt->execute([$uid,$uid]); show_pdo_errors_if_any($pdo); db146_user_set_password($uid, NULL); @@ -761,8 +761,8 @@ function db146_user_create($type, $username, $u = NULL) * Since the user already has a type, user_save won't create this * entry for us, so do it here */ - $stmt = $pdo->prepare("INSERT INTO users_$type (users_id) VALUES('$uid')"); - $stmt->execute(); + $stmt = $pdo->prepare("INSERT INTO users_? (users_id) VALUES(?)"); + $stmt->execute([$type,$uid]); show_pdo_errors_if_any($pdo); /* Load the complete user */ $u = db146_user_load($uid); diff --git a/db/db.update.149.user.inc.php b/db/db.update.149.user.inc.php index 05a4dbca..bf35bdde 100644 --- a/db/db.update.149.user.inc.php +++ b/db/db.update.149.user.inc.php @@ -141,8 +141,8 @@ function db149_user_load_sponsor(&$u) $u['sponsor_complete'] = ($u['sponsor_complete'] == 'yes') ? 'yes' : 'no'; $u['sponsor_active'] = ($u['sponsor_active'] == 'yes') ? 'yes' : 'no'; if ($u['sponsors_id']) { - $q = $pdo->prepare("SELECT * FROM sponsors WHERE id='{$u['sponsors_id']}'"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM sponsors WHERE id=?"); + $q->execute([$u['sponsors_id']]); $u['sponsor'] = $q->fetch(PDO::FETCH_ASSOC); } return true; @@ -194,13 +194,13 @@ function db149_user_load($user, $uid = false) WHERE '; if ($uid != false) { $uid = intval($uid); - $query .= "`users`.`uid`='$uid' ORDER BY `users`.`year` DESC LIMIT 1"; + $query .= "`users`.`uid`=? ORDER BY `users`.`year` DESC LIMIT 1"; } else { $id = intval($user); - $query .= " `users`.`id`='$id'"; + $query .= " `users`.`id`=?"; } $q = $pdo->prepare($query); - $q->execute(); + $q->execute([$uid,$id]); if ($q->rowCount() != 1) { // echo "Query [$query] returned ".$q->rowCount()." rows\n"; // echo "
";
@@ -278,8 +278,8 @@ function db149_user_load_by_email($email)
 {
 	/* Find the most recent uid for the email, regardless of deleted status */
 	$e = $email;
-	$q = $pdo->prepare("SELECT uid FROM users WHERE email='$e' OR username='$e' ORDER BY year DESC LIMIT 1");
-	$q->execute();
+	$q = $pdo->prepare("SELECT uid FROM users WHERE email=? OR username=? ORDER BY year DESC LIMIT 1");
+	$q->execute([$e,$e]);
 
 	if ($q->rowCount() == 1) {
 		$i = $q->fetch(PDO::FETCH_ASSOC);
@@ -290,8 +290,8 @@ function db149_user_load_by_email($email)
 
 function db149_user_load_by_uid_year($uid, $year)
 {
-	$q = $pdo->prepare("SELECT id FROM users WHERE uid='$uid' AND year <= '$year'");
-	$q->execute();
+	$q = $pdo->prepare("SELECT id FROM users WHERE uid=? AND year <=?");
+	$q->execute([$uid,$year]);
 	if (!$q->rowCount())
 		return false;
 	$i = $q->fetch(PDO::FETCH_ASSOC);
@@ -303,8 +303,8 @@ function db149_user_set_password($id, $password = NULL)
 	/* pass $u by reference so we can update it */
 	$save_old = false;
 	if ($password == NULL) {
-		$q = $pdo->prepare("SELECT passwordset FROM users WHERE id='$id'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT passwordset FROM users WHERE id=?");
+		$q->execute([$id]);
 		$u = $q->fetch(PDO::FETCH_ASSOC);
 		/* Generate a new password */
 		$password = db149_user_generate_password(12);
@@ -323,9 +323,9 @@ function db149_user_set_password($id, $password = NULL)
 	$set = ($save_old == true) ? 'oldpassword=password, ' : '';
 	$set .= "password='$p', passwordset=$save_set ";
 
-	$query = "UPDATE users SET $set WHERE id='$id'";
+	$query = "UPDATE users SET ? WHERE id=?";
 	$stmt = $pdo->prepare($query);
-	$stmt->execute();
+	$stmt->execute([$set,$id]);
 	show_pdo_errors_if_any($pdo);
 
 	return $password;
@@ -359,9 +359,9 @@ function db149_user_save_type_list($u, $db, $fields)
 		$set .= "`$f`='$data'";
 	}
 	if ($set != '') {
-		$query = "UPDATE $db SET $set WHERE users_id='{$u['id']}'";
+		$query = "UPDATE ? SET ? WHERE users_id=?";
 		$stmt = $pdo->prepare($query);
-		$stmt->execute();
+		$stmt->execute([$db,$set,$u['id']]);
 		if ($pdo->errorInfo()) {
 			show_pdo_errors_if_any($pdo);
 			echo error("Full query: $query");
@@ -429,8 +429,8 @@ function db149_user_save(&$u)
 			exit;
 		}
 		// give em a record, the primary key on the table takes care of uniqueness
-		$q = $pdo->prepare("INSERT INTO users_$t (users_id) VALUES ('{$u['id']}')");
-		$q->execute();
+		$q = $pdo->prepare("INSERT INTO users_? (users_id) VALUES (?)");
+		$q->execute([$t,$u['id']]);
 	}
 
 	$fields = array('salutation', 'firstname', 'lastname', 'username',
@@ -458,9 +458,9 @@ function db149_user_save(&$u)
 	//	print_r($u);
 	//	echo "
"; if ($set != '') { - $query = "UPDATE users SET $set WHERE id='{$u['id']}'"; + $query = "UPDATE users SET ? WHERE id=?"; $stmt = $pdo->prepare($query); - $stmt->execute(); + $stmt->execute([$set,$u['id']]); // echo "query=[$query]"; show_pdo_errors_if_any($pdo); } @@ -490,8 +490,8 @@ function db149_user_save(&$u) function db149_user_delete_committee($u) { - $stmt = $pdo->prepare("DELETE FROM committees_link WHERE users_uid='{$u['uid']}'"); - $stmt->execute(); + $stmt = $pdo->prepare("DELETE FROM committees_link WHERE users_uid=?"); + $stmt->execute([$u['uid']]); } function db149_user_delete_volunteer($u) {} @@ -500,10 +500,10 @@ function db149_user_delete_judge($u) { global $config; $id = $u['id']; - $stmt = $pdo->prepare("DELETE FROM judges_teams_link WHERE users_id='$id'"); - $stmt->execute(); - $stmt = $pdo->prepare("DELETE FROM judges_specialawards_sel WHERE users_id='$id'"); - $stmt->execute(); + $stmt = $pdo->prepare("DELETE FROM judges_teams_link WHERE users_id=?"); + $stmt->execute([$id]); + $stmt = $pdo->prepare("DELETE FROM judges_specialawards_sel WHERE users_id=?"); + $stmt->execute([$id]); } function db149_user_delete_fair($u) {} @@ -547,8 +547,8 @@ function db149_user_delete($u, $type = false) $types .= ','; $types .= $t; } - $stmt = $pdo->prepare("UPDATE users SET types='$types' WHERE id='{$u['id']}'"); - $stmt->execute(); + $stmt = $pdo->prepare("UPDATE users SET types=? WHERE id=?"); + $stmt->execute([$types,$u['id']]); } else { $finish_delete = true; } @@ -562,8 +562,8 @@ function db149_user_delete($u, $type = false) $finish_delete = true; } if ($finish_delete == true) { - $stmt = $pdo->prepare("UPDATE users SET deleted='yes', deleteddatetime=NOW() WHERE id='{$u['id']}'"); - $stmt->execute(); + $stmt = $pdo->prepare("UPDATE users SET deleted='yes', deleteddatetime=NOW() WHERE id=?"); + $stmt->execute([$u['id']]); } } @@ -598,8 +598,8 @@ function db149_user_purge($u, $type = false) $types .= ','; $types .= $t; } - $stmt = $pdo->prepare("UPDATE users SET types='$types' WHERE id='{$u['id']}'"); - $stmt->execute(); + $stmt = $pdo->prepare("UPDATE users SET types=? WHERE id=?"); + $stmt->execute([$types,$u['id']]); } else { $finish_purge = true; } @@ -610,21 +610,21 @@ function db149_user_purge($u, $type = false) */ call_user_func("db149_user_delete_$type", $u); // call_user_func("user_purge_$type", $u); - $stmt = $pdo->prepare("DELETE FROM users_$type WHERE users_id='{$u['id']}'"); - $stmt->execute(); + $stmt = $pdo->prepare("DELETE FROM users_? WHERE users_id=?"); + $stmt->execute([$type,$u['id']]); } else { /* Delete the whole user */ foreach ($u['types'] as $t) { call_user_func("db149_user_delete_$t", $u); // call_user_func("user_purge_$t", $u); - $stmt = $pdo->prepare("DELETE FROM users_$t WHERE users_id='{$u['id']}'"); - $stmt->execute(); + $stmt = $pdo->prepare("DELETE FROM users_? WHERE users_id=?"); + $stmt->execute([$t,$u['id']]); } $finish_purge = true; } if ($finish_purge == true) { - $stmt = $pdo->prepare("DELETE FROM users WHERE id='{$u['id']}'"); - $stmt->execute(); + $stmt = $pdo->prepare("DELETE FROM users WHERE id=?"); + $stmt->execute([$u['id']]); } } @@ -633,8 +633,8 @@ function db149_user_dupe_row($db, $key, $val, $newval) { global $config; $nullfields = array('deleteddatetime'); /* Fields that can be null */ - $q = $pdo->prepare("SELECT * FROM $db WHERE $key='$val'"); - $q->exectue(); + $q = $pdo->prepare("SELECT * FROM ? WHERE ?=?"); + $q->exectue([$db,$key,$val]); if ($q->rowCount() != 1) { echo "ERROR duplicating row in $db: $key=$val NOT FOUND.\n"; exit; @@ -654,10 +654,10 @@ function db149_user_dupe_row($db, $key, $val, $newval) $keys = '`' . join('`,`', array_keys($i)) . '`'; $vals = join(',', array_values($i)); - $q = "INSERT INTO $db ($keys) VALUES ($vals)"; + $q = "INSERT INTO ? (?) VALUES (?)"; // echo "Dupe Query: [$q]"; $r = $pdo->prepare($q); - $r->execute(0); + $r->execute([0,$db,$keys,$vals]); show_pdo_errors_if_any($pdo); $id = $pdo->lastInsertId(); @@ -677,9 +677,9 @@ function db149_user_dupe($u, $new_year) */ /* Find the last entry */ - $q = $pdo->prepare("SELECT id,uid,year,deleted FROM users WHERE uid='{$u['uid']}' + $q = $pdo->prepare("SELECT id,uid,year,deleted FROM users WHERE uid=? ORDER BY year DESC LIMIT 1"); - $q->execute(); + $q->execute([$u['uid']]); $r = $q->fetch(PDO::FETCH_OBJ); if ($r->deleted == 'yes') { echo "Cannot duplicate user ID {$u['id']}, they are deleted. Undelete them first.\n"; @@ -691,8 +691,8 @@ function db149_user_dupe($u, $new_year) } $id = db149_user_dupe_row('users', 'id', $u['id'], NULL); - $q = $pdo->prepare("UPDATE users SET year='$new_year' WHERE id='$id'"); - $q->execute(); + $q = $pdo->prepare("UPDATE users SET year=? WHERE id=?"); + $q->execute([$new_year,$id]); /* Load the new user */ $u2 = db149_user_load($id); @@ -743,16 +743,16 @@ function db149_user_create($type, $username, $u = NULL) $stmt = $pdo->prepare("INSERT INTO users (`types`,`username`,`passwordset`,`created`,`year`) - VALUES ('$type','$username','0000-00-00', NOW(), '{$config['FAIRYEAR']}')"); - $stmt->execute(); + VALUES (?,?,'0000-00-00', NOW(),?)"); + $stmt->execute([$type,$username,$config['FAIRYEAR']]); show_pdo_errors_if_any($pdo); $uid = $pdo->lastInsertId(); if (db149_user_valid_email($username)) { - $stmt = $pdo->prepare("UPDATE users SET email='$username' WHERE id='$uid'"); + $stmt = $pdo->prepare("UPDATE users SET email=? WHERE id=?"); } - $stmt = $pdo->prepare("UPDATE users SET uid='$uid' WHERE id='$uid'"); - $stmt->execute(); + $stmt = $pdo->prepare("UPDATE users SET uid=? WHERE id=?"); + $stmt->execute([$username,$uid,$uid,$uid]); show_pdo_errors_if_any($pdo); @@ -762,8 +762,8 @@ function db149_user_create($type, $username, $u = NULL) * Since the user already has a type, user_save won't create this * entry for us, so do it here */ - $stmt = $pdo->prepare("INSERT INTO users_$type (users_id) VALUES('$uid')"); - $stmt->execute(); + $stmt = $pdo->prepare("INSERT INTO users_? (users_id) VALUES(?)"); + $stmt->execute([$type,$uid]); show_pdo_errors_if_any($pdo); diff --git a/db/db.update.155.php b/db/db.update.155.php index 5c484b22..fd71acdd 100644 --- a/db/db.update.155.php +++ b/db/db.update.155.php @@ -9,11 +9,11 @@ function db_update_155_post() while ($r = $q->fetch(PDO::FETCH_OBJ)) { echo "Updating email id $r->id\n"; $stmt = $pdo->prepare("UPDATE emails SET - body='" . iconv('ISO-8859-1', 'UTF-8//TRANSLIT', $r->body) . "' , - bodyhtml='" . iconv('ISO-8859-1', 'UTF-8//TRANSLIT', $r->bodyhtml) . "' , - subject='" . iconv('ISO-8859-1', 'UTF-8//TRANSLIT', $r->subject) . "' + body=?, + bodyhtml=?, + subject=? WHERE id='$r->id'"); - $stmt->execute(); + $stmt->execute([iconv('ISO-8859-1', 'UTF-8//TRANSLIT', $r->body),iconv('ISO-8859-1', 'UTF-8//TRANSLIT', $r->bodyhtml),iconv('ISO-8859-1', 'UTF-8//TRANSLIT', $r->subject)]); } } diff --git a/db/db.update.174.php b/db/db.update.174.php index 414a03b6..4da744b2 100644 --- a/db/db.update.174.php +++ b/db/db.update.174.php @@ -5,9 +5,9 @@ function db_update_174_post() $q = $pdo->prepare("SELECT * FROM users WHERE deleted = 'yes'"); while ($row = $q->fetch(PDO::FETCH_ASSOC)) { - echo 'Flagging user records prior to ' . $row['year'] . ' for user ' . $row['uid'] . ' as deleted - '; - $stmt = $pdo->prepare("UPDATE users SET deleted = 'yes' WHERE uid = " . $row['uid'] . ' AND year < ' . $row['year']); - $stmt->execute(); + echo 'Flagging user records prior to ? for user ? as deleted - '; + $stmt = $pdo->prepare("UPDATE users SET deleted = 'yes' WHERE uid = ? AND year < ?"); + $stmt->execute([$row['year'],$row['uid'],$row['uid'],$row['year']]); echo $pdo->rowCount() . " rows affected.\n"; } } diff --git a/db/db.update.75.php b/db/db.update.75.php index cb34deb6..7cb5ae20 100644 --- a/db/db.update.75.php +++ b/db/db.update.75.php @@ -18,8 +18,8 @@ function db_update_75_post() foreach ($sid as $s) { if ($s > 0) { $qq = $pdo->prepare("SELECT id FROM reports WHERE - system_report_id='$s'"); - $qq->execute(); + system_report_id=?"); + $qq->execute([$s]); $ii = $qq->fetch(PDO::FETCH_OBJ); $rid[$x] = $ii->id; } else { @@ -30,31 +30,32 @@ function db_update_75_post() /* Find all committee members */ $qq = "INSERT INTO `reports_committee` (`id`, `users_id`, `reports_id`, `category`, `comment`, `format`, `stock`) VALUES - (NULL, $uid, {$rid[0]}, '1. Fair Day', 'Checkin Lists for the Front Desk', 'pdf', 'fullpage'), - (NULL, $uid, {$rid[1]}, '2. Old Custom Reports', 'School Access Codes and Passwords', 'pdf', 'fullpage'), - (NULL, $uid, {$rid[2]}, '2. Old Custom Reports', 'Mailing Label Generator', '', ''), - (NULL, $uid, {$rid[3]}, '2. Old Custom Reports', 'Project Summary Details', 'pdf', 'fullpage'), - (NULL, $uid, {$rid[4]}, '2. Old Custom Reports', 'Student emergency contact names and numbers', 'pdf', 'fullpage'), - (NULL, $uid, {$rid[5]}, '2. Old Custom Reports', 'Students/Projects From Each School', 'pdf', 'fullpage'), - (NULL, $uid, {$rid[6]}, '2. Old Custom Reports', 'Project Logistical Requirements (tables, electricity)', 'pdf', 'fullpage'), - (NULL, $uid, {$rid[7]}, '2. Old Custom Reports', 'Project Table Labels', 'label', 'fullpage_landscape'), - (NULL, $uid, {$rid[8]}, '2. Old Custom Reports', 'Student Nametags', 'label', 'nametag'), - (NULL, $uid, {$rid[9]}, '2. Old Custom Reports', 'Judge Nametags', 'label', 'nametag'), - (NULL, $uid, {$rid[10]}, '2. Old Custom Reports', 'Committee Member Nametags', 'label', 'nametag'), - (NULL, $uid, {$rid[11]}, '2. Old Custom Reports', 'Judges List', 'pdf', 'fullpage'), - (NULL, $uid, {$rid[12]}, '2. Old Custom Reports', 'Judging Teams', 'pdf', 'fullpage'), - (NULL, $uid, {$rid[13]}, '2. Old Custom Reports', 'Awards each Judging Team will judge for', 'pdf', 'fullpage'), - (NULL, $uid, {$rid[14]}, '2. Old Custom Reports', 'Judging Teams Project Assignments', 'pdf', 'fullpage'), - (NULL, $uid, {$rid[15]}, '2. Old Custom Reports', 'Projects Judging Team Assignments', 'pdf', 'fullpage'), - (NULL, $uid, {$rid[16]}, '2. Old Custom Reports', 'Project Identification Labels (for judging sheets)', 'label', '5961'), - (NULL, $uid, {$rid[17]}, '2. Old Custom Reports', 'Award List for Award Ceremony Program', 'pdf', 'fullpage'), - (NULL, $uid, {$rid[18]}, '2. Old Custom Reports', 'Winners for each award', 'pdf', 'fullpage');"; + (NULL, ?, ?, '1. Fair Day', 'Checkin Lists for the Front Desk', 'pdf', 'fullpage'), + (NULL, ?, ?, '2. Old Custom Reports', 'School Access Codes and Passwords', 'pdf', 'fullpage'), + (NULL, ?, ?, '2. Old Custom Reports', 'Mailing Label Generator', '', ''), + (NULL, ?, ?, '2. Old Custom Reports', 'Project Summary Details', 'pdf', 'fullpage'), + (NULL, ?, ?, '2. Old Custom Reports', 'Student emergency contact names and numbers', 'pdf', 'fullpage'), + (NULL, ?, ?, '2. Old Custom Reports', 'Students/Projects From Each School', 'pdf', 'fullpage'), + (NULL, ?, ?, '2. Old Custom Reports', 'Project Logistical Requirements (tables, electricity)', 'pdf', 'fullpage'), + (NULL, ?, ?, '2. Old Custom Reports', 'Project Table Labels', 'label', 'fullpage_landscape'), + (NULL, ?, ?, '2. Old Custom Reports', 'Student Nametags', 'label', 'nametag'), + (NULL, ?, ?, '2. Old Custom Reports', 'Judge Nametags', 'label', 'nametag'), + (NULL, ?, ?, '2. Old Custom Reports', 'Committee Member Nametags', 'label', 'nametag'), + (NULL, ?, ?, '2. Old Custom Reports', 'Judges List', 'pdf', 'fullpage'), + (NULL, ?, ?, '2. Old Custom Reports', 'Judging Teams', 'pdf', 'fullpage'), + (NULL, ?, ?, '2. Old Custom Reports', 'Awards each Judging Team will judge for', 'pdf', 'fullpage'), + (NULL, ?, ?, '2. Old Custom Reports', 'Judging Teams Project Assignments', 'pdf', 'fullpage'), + (NULL, ?, ?, '2. Old Custom Reports', 'Projects Judging Team Assignments', 'pdf', 'fullpage'), + (NULL, ?, ?, '2. Old Custom Reports', 'Project Identification Labels (for judging sheets)', 'label', '5961'), + (NULL, ?, ?, '2. Old Custom Reports', 'Award List for Award Ceremony Program', 'pdf', 'fullpage'), + (NULL, ?, ?, '2. Old Custom Reports', 'Winners for each award', 'pdf', 'fullpage');"; echo $qq; echo "\n\n"; $stmt = $pdo->prepare($qq); - $stmt->execute(); + $stmt->execute([$uid,$rid[0],$uid,$rid[1],$uid,$rid[2],$uid,$rid[3],$uid,$rid[4],$uid,$rid[5],$uid,$rid[6],$uid,$rid[7],$uid,$rid[8],$uid,$rid[9],$uid,$rid[10],$uid,$rid[11],$uid,$rid[12],$uid,$rid[13],$uid,$rid[14],$uid,$rid[15],$uid,$rid[16],$uid,$rid[17],$uid,$rid[18]]); + } } diff --git a/db/db.update.76.php b/db/db.update.76.php index dca7da65..93a35849 100644 --- a/db/db.update.76.php +++ b/db/db.update.76.php @@ -15,8 +15,8 @@ function db_update_76_pre() if ($user == '') continue; - $qq = $pdo->prepare("SELECT * FROM users WHERE username='$user'"); - $qq->execute(); + $qq = $pdo->prepare("SELECT * FROM users WHERE username=?"); + $qq->execute([$user]); if ($qq->rowCount() <= 1) continue; @@ -60,16 +60,16 @@ function db_update_76_pre() } } - $query = "UPDATE users SET $query WHERE id='$cid'"; + $query = "UPDATE users SET ? WHERE id=?"; echo "$query\n"; $stmt = $pdo->prepare($query); - $stmt->execute(); + $stmt->execute([$query,$cid]); /* Now fix the volunteers links */ - $query = "UPDATE volunteer_positions_signup SET users_id='$cid' WHERE users_id='$vid'"; + $query = "UPDATE volunteer_positions_signup SET users_id=? WHERE users_id=?"; echo "$query\n"; $stmt = $pdo->prepare($query); - $stmt->execute(); + $stmt->execute([$cid,$vid]); /* * The user_volunteer table is empty, we should just delete it, @@ -77,10 +77,10 @@ function db_update_76_pre() */ /* Delete the old user */ - $query = "DELETE FROM users WHERE id='$vid'"; + $query = "DELETE FROM users WHERE id=?"; echo "$query\n"; $stmt = $pdo->prepare($query); - $stmt->execute(); + $stmt->execute([$vid]); } } diff --git a/fair_stats.php b/fair_stats.php index aaee63df..0dc44d76 100644 --- a/fair_stats.php +++ b/fair_stats.php @@ -61,8 +61,8 @@ switch (get_value_from_array($_GET, 'action')) { ':fairs_id' => $u['fairs_id'], ':year' => $year ]); - $stmt = $pdo->prepare("INSERT INTO fairs_stats (`id`,$keys) VALUES ('',$vals)"); - $stmt->execute(); + $stmt = $pdo->prepare("INSERT INTO fairs_stats (`id`,?) VALUES ('',?)"); + $stmt->execute([$keys,$vals]); happy_('Fair Information Saved.'); exit; diff --git a/judge.inc.php b/judge.inc.php index 60b3180e..c830ed75 100644 --- a/judge.inc.php +++ b/judge.inc.php @@ -85,7 +85,7 @@ function judge_status_questions($u) */ global $config, $pdo; // get the questions we're looking for - $q = $pdo->prepare('SELECT id FROM questions WHERE year=?'"AND required='yes'"); + $q = $pdo->prepare('SELECT id FROM questions WHERE year=? AND required=yes'); $q->execute([$config['FAIRYEAR']]); $idList = array(); while ($row = $q->fetch(PDO::FETCH_ASSOC)) @@ -149,7 +149,8 @@ function judge_status_availability(&$u) return 'complete'; $q = $pdo->prepare("SELECT id FROM judges_availability - WHERE users_id=\"{$u['id']}\""); + WHERE users_id=\"?\""); + $q->execute([$u['id']]); if ($q->rowCount() > 0) return 'complete'; diff --git a/judge_availability.php b/judge_availability.php index 701bc16f..70cc726c 100644 --- a/judge_availability.php +++ b/judge_availability.php @@ -81,10 +81,10 @@ switch (get_value_from_array($_GET, 'action')) { continue; $stmt = $pdo->prepare("INSERT INTO judges_availability (users_id, `date`,`start`,`end`) - VALUES ('{$u['id']}', - '{$times[$x]['date']}', - '{$times[$x]['starttime']}','{$times[$x]['endtime']}')"); - $stmt->execute(); + VALUES (?, + ?, + ?,?)"); + $stmt->execute([$u['id'],$times[$x]['date'],$times[$x]['starttime'],$times[$x]['endtime']]); } } happy_('Time Availability preferences successfully saved'); diff --git a/questions.inc.php b/questions.inc.php index 47d25b4e..3ef2ec07 100644 --- a/questions.inc.php +++ b/questions.inc.php @@ -185,8 +185,8 @@ function questions_update_question($qs) `db_heading`=?, `required`=?, `ord`=? - WHERE id=?")); - $stmt->execute([$qs['question'], $qs['type'], $qs['db_heading'], $qs['required'], intval($qs['ord'], $qs['id']]); + WHERE id=?"); + $stmt->execute([$qs['question'], $qs['type'], $qs['db_heading'], $qs['required'], intval($qs['ord']), $qs['id']]); show_pdo_errors_if_any($pdo); } @@ -195,14 +195,14 @@ function questions_save_new_question($qs, $year) global $pdo; $stmt = $pdo->prepare('INSERT INTO questions ' . '(question,type,section,db_heading,required,ord,year) VALUES (' - . "'" . $qs['question'] . "'," - . "'" . $qs['type'] . "'," - . "'" . $qs['section'] . "'," - . "'" . $qs['db_heading'] . "'," - . "'" . $qs['required'] . "'," - . "'" . $qs['ord'] . "'," - . "'$year' )"); - $stmt->execute(); + ?," + ?," + ?," + ?," + ?," + ?," + ?")"); + $stmt->execute([$qs['question'],$qs['type'],$qs['section'],$qs['db_heading'],$qs['required'],$year]); show_pdo_errors_if_any($pdo); } @@ -274,14 +274,14 @@ function questions_editor($section, $year, $array_name, $self) $x++; $stmt = $pdo->prepare("INSERT INTO questions (id,year,section,db_heading,question,type,required,ord) VALUES ( - '', '$year', - '" . $r->section . "', - '" . $r->db_heading . "', - '" . $r->question . "', - '" . $r->type . "', - '" . $r->required . "', - '" . $r->ord) . "')"; - $stmt->execute(); + '',?, + '" ?, + '" ?, + '" ?, + '" ?, + '" ?, + '" ?))"; + $stmt->execute([$year,$r->section,$r->question,$r->type,$r->required,$r->ord]); } echo happy(i18n('%1 question(s) successfully imported', diff --git a/register_participants.php b/register_participants.php index ba984583..77a74977 100644 --- a/register_participants.php +++ b/register_participants.php @@ -33,14 +33,14 @@ $q = $pdo->query("SELECT (NOW()>'" . $config['dates']['regopen'] . "' AND NOW()< $datecheck = $q->fetch(PDO::FETCH_OBJ); if (get_value_from_array($_POST, 'action') == 'new') { - $q = $pdo->prepare("SELECT email,num,id,schools_id FROM registrations WHERE email='" . $_SESSION['email'] . "' AND num='" . $_POST['regnum'] . "' AND year=" . $config['FAIRYEAR']); - $q->execute(); + $q = $pdo->prepare("SELECT email,num,id,schools_id FROM registrations WHERE email=? AND num=? AND year=?"); + $q->execute([$_SESSION['email'],$_POST['regnum'],$config['FAIRYEAR']]); if ($q->rowCount()) { $r = $q->fetch(PDO::FETCH_OBJ); $_SESSION['registration_number'] = $r->num; $_SESSION['registration_id'] = $r->id; - $stmt = $pdo->prepare("INSERT INTO students (registrations_id,email,schools_id,year) VALUES ('$r->id','" . $_SESSION['email'] . "','" . $r->schools_id . "','" . $config['FAIRYEAR'] . "')"); - $stmt->execute(); + $stmt = $pdo->prepare("INSERT INTO students (registrations_id,email,schools_id,year) VALUES (?,?,?,?)"); + $stmt->execute([$r->id,$_SESSION['email'],$r->schools_id,$config['FAIRYEAR']]); $stmt = $pdo->prepare("UPDATE registrations SET status='open' WHERE id=?"); $stmt->execute([$r->id]); diff --git a/register_participants_emergencycontact.php b/register_participants_emergencycontact.php index abd4c50c..c77befa8 100644 --- a/register_participants_emergencycontact.php +++ b/register_participants_emergencycontact.php @@ -40,12 +40,13 @@ if (!$_SESSION['registration_number']) { global $pdo; $q = $pdo->prepare('SELECT registrations.id AS regid, students.id AS studentid, students.firstname FROM registrations,students ' - . "WHERE students.email='" . $_SESSION['email'] . "' " - . "AND registrations.num='" . $_SESSION['registration_number'] . "' " - . "AND registrations.id='" . $_SESSION['registration_id'] . "' " + . "WHERE students.email=?" + . "AND registrations.num=?" + . "AND registrations.id=?" . 'AND students.registrations_id=registrations.id ' - . 'AND registrations.year=' . $config['FAIRYEAR'] . ' ' - . 'AND students.year=' . $config['FAIRYEAR']); + . 'AND registrations.year=?' + . 'AND students.year=?'); +$q->execute([$_SESSION['email'],$_SESSION['registration_number'],$_SESSION['registration_id'],$config['FAIRYEAR'],$config['FAIRYEAR']]); show_pdo_errors_if_any($pdo); if ($q->rowCount() == 0) { @@ -100,16 +101,16 @@ if ($_POST['action'] == 'save') { } $stmt = $pdo->prepare('UPDATE emergencycontact SET ' - . "firstname='" . stripslashes($_POST['firstname'][$id]) . "', " - . "lastname='" . stripslashes($_POST['lastname'][$id]) . "', " - . "relation='" . stripslashes($_POST['relation'][$id]) . "', " - . "phone1='" . stripslashes($_POST['phone1'][$id]) . "', " - . "phone2='" . stripslashes($_POST['phone2'][$id]) . "', " - . "phone3='" . stripslashes($_POST['phone3'][$id]) . "', " - . "phone4='" . stripslashes($_POST['phone4'][$id]) . "', " - . "email='" . stripslashes($_POST['email'][$id]) . "' " - . "WHERE id='$id'"); - $stmt->execute(); + . "firstname=?, " + . "lastname=?, " + . "relation=?, " + . "phone1=?, " + . "phone2=?, " + . "phone3=?, " + . "phone4=?, " + . "email=? " + . "WHERE id=?"); + $stmt->execute([stripslashes($_POST['firstname'][$id]),stripslashes($_POST['lastname'][$id]),stripslashes($_POST['relation'][$id]),stripslashes($_POST['phone1'][$id]),stripslashes($_POST['phone2'][$id]),stripslashes($_POST['phone3'][$id]),stripslashes($_POST['phone4'][$id]),stripslashes($_POST['email'][$id]),$id]); show_pdo_errors_if_any($pdo); echo notice(i18n('Emergency contact information successfully updated')); } else { diff --git a/register_participants_isefforms.php b/register_participants_isefforms.php index 7d681997..5d0dce03 100644 --- a/register_participants_isefforms.php +++ b/register_participants_isefforms.php @@ -39,13 +39,13 @@ } $q=$pdo->prepare("SELECT registrations.id AS regid, students.id AS studentid, students.firstname FROM registrations,students ". - "WHERE students.email='".$_SESSION['email']."' ". - "AND registrations.num='".$_SESSION['registration_number']."' ". - "AND registrations.id='".$_SESSION['registration_id']."' ". + "WHERE students.email=?" + "AND registrations.num=?" + "AND registrations.id=?" "AND students.registrations_id=registrations.id ". - "AND registrations.year=".$config['FAIRYEAR']." ". - "AND students.year=".$config['FAIRYEAR']); -$q->execute([]); + "AND registrations.year=?" + "AND students.year=?"); +$q->execute([$_SESSION['email'],$_SESSION['registration_number'],$_SESSION['registration_id'],$config['FAIRYEAR'],$config['FAIRYEAR']]); show_pdo_errors_if_any($pdo); if($q->rowCount()==0) @@ -80,13 +80,13 @@ show_pdo_errors_if_any($pdo); { $stmt = $pdo->prepare("INSERT INTO TC_ProjectForms (`FormID`,`ProjectID`,`uploaded`,`dt`,`year`) VALUES ( - '$k', - '$r->id', + ?, + ?, '0', NOW(), - '$CURRENT_FAIRYEAR' + ? )"); - $stmt->execute(); + $stmt->execute([$k,$r->id,$CURRENT_FAIRYEAR]); } diff --git a/register_participants_namecheck.php b/register_participants_namecheck.php index 260f1534..d98b78fa 100644 --- a/register_participants_namecheck.php +++ b/register_participants_namecheck.php @@ -39,7 +39,8 @@ if (!$_SESSION['registration_number']) { global $pdo; -$q = $pdo->prepare("SELECT * FROM students WHERE registrations_id='{$_SESSION['registration_id']}'"); +$q = $pdo->prepare("SELECT * FROM students WHERE registrations_id=?"); +$q->execute([$_SESSION['registration_id']]); show_pdo_errors_if_any($pdo); if ($q->rowCount() == 0) { diff --git a/register_participants_project.php b/register_participants_project.php index 39946807..1bdabda7 100644 --- a/register_participants_project.php +++ b/register_participants_project.php @@ -150,8 +150,8 @@ $q = $pdo->prepare("SELECT * FROM projects WHERE registrations_id=? AND year=?") $q->execute([$_SESSION['registration_id'], $config['FAIRYEAR']]); // check if it exists, if we didnt find any record, lets insert one if ($q->rowCount() == 0) { - $stmt = $pdo->prepare("INSERT INTO projects (registrations_id,projectcategories_id,year) VALUES ('" . $_SESSION['registration_id'] . "','$projectcategories_id','" . $config['FAIRYEAR'] . "')"); - $stmt->execute(); + $stmt = $pdo->prepare("INSERT INTO projects (registrations_id,projectcategories_id,year) VALUES (?,?,?)"); + $stmt->execute([$_SESSION['registration_id'],$projectcategories_id,$config['FAIRYEAR']]); // now query the one we just inserted $q = $pdo->prepare("SELECT * FROM projects WHERE registrations_id=? AND year=?"); diff --git a/register_participants_safety.php b/register_participants_safety.php index 3d289be9..0ef8515e 100644 --- a/register_participants_safety.php +++ b/register_participants_safety.php @@ -73,8 +73,8 @@ if (get_value_from_array($_POST, 'action') == 'save') { if (is_array($_POST['safety'])) { $safetyids = array_keys($_POST['safety']); foreach ($safetyids AS $key => $val) { - $stmt = $pdo->prepare('INSERT INTO safety (registrations_id,safetyquestions_id,year,answer) VALUES (' . $pdo->quote($_SESSION['registration_id']) . ', ' . $pdo->quote($val) . ', ' . $pdo->quote($config['FAIRYEAR']) . ', ' . $pdo->quote(stripslashes($_POST['safety'][$val]))) . ')'; - $stmt->execute([]); + $stmt = $pdo->prepare('INSERT INTO safety (registrations_id,safetyquestions_id,year,answer) VALUES (?,?,?,?) '); + $stmt->execute([$pdo->quote($_SESSION['registration_id']),$pdo->quote($val),$pdo->quote($config['FAIRYEAR']),$pdo->quote(stripslashes($_POST['safety'][$val]))]); show_pdo_errors_if_any($pdo); } } diff --git a/register_participants_signature.php b/register_participants_signature.php index d015934c..ba0497aa 100644 --- a/register_participants_signature.php +++ b/register_participants_signature.php @@ -106,12 +106,12 @@ if ($_GET['sample']) { FROM projects JOIN projectdivisions ON projects.projectdivisions_id=projectdivisions.id JOIN projectcategories ON projects.projectcategories_id=projectcategories.id - WHERE registrations_id='" . $_SESSION['registration_id'] . "' - AND projects.year='" . $config['FAIRYEAR'] . "' - AND projectdivisions.year='" . $config['FAIRYEAR'] . "' - AND projectcategories.year='" . $config['FAIRYEAR'] . "' + WHERE registrations_id=? + AND projects.year=? + AND projectdivisions.year=? + AND projectcategories.year=? "); - $q->execute(); + $q->execute([$_SESSION['registration_id'],$config['FAIRYEAR'],$config['FAIRYEAR'],$config['FAIRYEAR']]); $projectinfo = $q->fetch(PDO::FETCH_OBJ); $q = $pdo->prepare("SELECT * FROM students WHERE registrations_id=? AND year=?"); diff --git a/register_participants_signature_tcpdf.php b/register_participants_signature_tcpdf.php index 768da7fb..fa739acd 100644 --- a/register_participants_signature_tcpdf.php +++ b/register_participants_signature_tcpdf.php @@ -91,12 +91,12 @@ if ($_GET['sample']) { FROM projects JOIN projectdivisions ON projects.projectdivisions_id=projectdivisions.id JOIN projectcategories ON projects.projectcategories_id=projectcategories.id - WHERE registrations_id='" . $_SESSION['registration_id'] . "' - AND projects.year='" . $config['FAIRYEAR'] . "' - AND projectdivisions.year='" . $config['FAIRYEAR'] . "' - AND projectcategories.year='" . $config['FAIRYEAR'] . "' + WHERE registrations_id=? + AND projects.year=? + AND projectdivisions.year=? + AND projectcategories.year=? "); - $q->execute(); + $q->execute([$_SESSION['registration_id'],$config['FAIRYEAR'],$config['FAIRYEAR'],$config['FAIRYEAR']]); $projectinfo = $q->fetch(PDO::FETCH_OBJ); $q = $pdo->prepare("SELECT * FROM students WHERE registrations_id=? AND year=?"); diff --git a/register_participants_spawards.php b/register_participants_spawards.php index 0c89cfd0..2310fe4a 100644 --- a/register_participants_spawards.php +++ b/register_participants_spawards.php @@ -40,13 +40,13 @@ if (!$_SESSION['registration_number']) { } $q = $pdo->prepare('SELECT registrations.id AS regid, students.id AS studentid, students.firstname FROM registrations,students ' - . "WHERE students.email='" . $_SESSION['email'] . "' " - . "AND registrations.num='" . $_SESSION['registration_number'] . "' " - . "AND registrations.id='" . $_SESSION['registration_id'] . "' " + . "WHERE students.email=?" + . "AND registrations.num=?" + . "AND registrations.id=?" . 'AND students.registrations_id=registrations.id ' - . 'AND registrations.year=' . $config['FAIRYEAR'] . ' ' - . 'AND students.year=' . $config['FAIRYEAR']); -$q->execute(); + . 'AND registrations.year=?' + . 'AND students.year=?'); +$q->execute([$_SESSION['email'],$_SESSION['registration_number'],$_SESSION['registration_id'],$config['FAIRYEAR'],$config['FAIRYEAR']]); show_pdo_errors_if_any($pdo); if ($q->rowCount() == 0) { diff --git a/register_participants_students.php b/register_participants_students.php index 1be3e5c9..fac1f88b 100644 --- a/register_participants_students.php +++ b/register_participants_students.php @@ -437,8 +437,8 @@ for ($x = 1; $x <= $numtoshow; $x++) { echo "
' . i18n('School') . ''; if ($config['participant_registration_type'] == 'open' || $config['participant_registration_type'] == 'singlepassword' || $config['participant_registration_type'] == 'openorinvite' || ($studentinfo && !$studentinfo->schools_id)) { - $schoolq = $pdo->prepare("SELECT id,school,city FROM schools WHERE year='" . $config['FAIRYEAR'] . "' ORDER by city,school"); - $schoolq->execute([]); + $schoolq = $pdo->prepare("SELECT id,school,city FROM schools WHERE year=? ORDER by city,school"); + $schoolq->execute([$config['FAIRYEAR']]); echo "' . $this->format_time($r->$f) . '