diff --git a/admin/communication.php b/admin/communication.php
index 0bff34c0..23e746b6 100644
--- a/admin/communication.php
+++ b/admin/communication.php
@@ -686,17 +686,17 @@ if (get_value_from_array($_GET, 'action') == 'sendqueue') {
$fcid = intval($_POST['fundraising_campaigns_id']);
$emailid = intval($_POST['emails_id']);
- $fcq = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE id='$fcid'");
- $fcq->execute();
+ $fcq = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE id=?");
+ $fcq->execute([$fcid]);
$fc = $fcq->fetch(PDO::FETCH_OBJ);
- $emailq = $pdo->prepare("SELECT * FROM emails WHERE id='$emailid'");
- $emailq->execute();
+ $emailq = $pdo->prepare("SELECT * FROM emails WHERE id=?");
+ $emailq->execute([$emailid]);
$email = $emailq->fetch(PDO::FETCH_OBJ);
$recipq = $pdo->prepare("SELECT * FROM fundraising_campaigns_users_link
- WHERE fundraising_campaigns_id='$fcid'");
- $recipq->execute();
+ WHERE fundraising_campaigns_id=?");
+ $recipq->execute([$fcid]);
show_pdo_errors_if_any($pdo);
$numtotal = $recipq->rowCount();
@@ -727,8 +727,8 @@ if (get_value_from_array($_GET, 'action') == 'sendqueue') {
// we only send school access codes to science heads or principals
- $acq = $pdo->prepare("SELECT accesscode FROM schools WHERE (sciencehead_uid='{$u['uid']}' OR principal_uid='{$u['uid']}') AND `year`='{$config['FAIRYEAR']}'");
- $acq->execute();
+ $acq = $pdo->prepare("SELECT accesscode FROM schools WHERE (sciencehead_uid=? OR principal_uid=? AND `year`=?");
+ $acq->execute([$u['uid'],$config['FAIRYEAR']]);
$acr = $acq->fetch(PDO::FETCH_OBJ);
$accesscode = $acr->accesscode;
@@ -755,8 +755,8 @@ if (get_value_from_array($_GET, 'action') == 'sendqueue') {
$q->execute();
show_pdo_errors_if_any($pdo);
}
- $q = $pdo->prepare("UPDATE emails SET lastsent=NOW() WHERE id='$emailid'");
- $q->execute();
+ $q = $pdo->prepare("UPDATE emails SET lastsent=NOW() WHERE id=?");
+ $q->execute([$emailid]);
}
echo 'ok';
launchQueue();
@@ -786,16 +786,16 @@ echo ' ';
prepare("DELETE FROM emails WHERE id='" . $_GET['delete'] . "' AND `type`='user'");
- $q->execute();
+ $q = $pdo->prepare("DELETE FROM emails WHERE id=? AND `type`='user'");
+ $q->execute([$_GET['delete']]);
echo happy('Email successfully deleted');
}
if (get_value_from_array($_GET, 'action') == 'send' && get_value_from_array($_GET, 'send')) {
show_pdo_errors_if_any($pdo);
- $q = $pdo->prepare("SELECT * FROM emails WHERE id='" . $_GET['send'] . "'");
- $q->execute();
+ $q = $pdo->prepare("SELECT * FROM emails WHERE id=?");
+ $q->execute($_GET['send']);
$r = $q->fetch(PDO::FETCH_OBJ);
@@ -859,8 +859,8 @@ if (get_value_from_array($_GET, 'action') == 'send' && get_value_from_array($_GE
// echo $str;
} else if (get_value_from_array($_POST, 'action') == 'reallysend' && get_value_from_array($_POST, 'reallysend') && get_value_from_array($_POST, 'to')) {
$emailid = intval($_POST['reallysend']);
- $emailq = $pdo->prepare("SELECT * FROM emails WHERE id='$emailid'");
- $emailq->execute();
+ $emailq = $pdo->prepare("SELECT * FROM emails WHERE id=?");
+ $emailq->execute([$emailid]);
$email = $emailq->fetch(PDO::FETCH_OBJ);
$to = $_POST['to'];
@@ -915,8 +915,8 @@ if (get_value_from_array($_GET, 'action') == 'send' && get_value_from_array($_GE
}
if ($u) {
// we only send school access codes to science heads or principals
- $acq = $pdo->prepare("SELECT accesscode FROM schools WHERE (sciencehead_uid='{$u['uid']}' OR principal_uid='{$u['uid']}') AND `year`='{$config['FAIRYEAR']}'");
- $acq->execute();
+ $acq = $pdo->prepare("SELECT accesscode FROM schools WHERE (sciencehead_uid=? OR principal_uid=?) AND `year`=?");
+ $acq->execute([$u['uid'],$u['uid'],$config['FAIRYEAR']]);
show_pdo_errors_if_any($pdo);
$acr = $acq->fetch(PDO::FETCH_OBJ);
$accesscode = $acr->accesscode;
@@ -949,8 +949,8 @@ if (get_value_from_array($_GET, 'action') == 'send' && get_value_from_array($_GE
show_pdo_errors_if_any($pdo);
}
- $q = $pdo->prepare("UPDATE emails SET lastsent=NOW() WHERE id='$emailid'");
- $q->execute();
+ $q = $pdo->prepare("UPDATE emails SET lastsent=NOW() WHERE id=?");
+ $q->execute([$emailid]);
}
launchQueue();
echo ' ';
diff --git a/admin/documentdownloader.php b/admin/documentdownloader.php
index 3c5724f0..c69dbb2e 100644
--- a/admin/documentdownloader.php
+++ b/admin/documentdownloader.php
@@ -25,8 +25,8 @@
require ('../common.inc.php');
require_once ('../user.inc.php');
user_auth_required('committee', 'admin');
-$q = $pdo->prepare("SELECT * FROM documents WHERE id='" . $_GET['id'] . "'");
-$q->execute();
+$q = $pdo->prepare("SELECT * FROM documents WHERE id=?");
+$q->execute([$_GET['id']]);
if ($r = $q->fetch(PDO::FETCH_OBJ)) {
header('Content-type: ' . trim(exec("file -bi ../data/documents/$r->filename")));
header('Content-disposition: inline; filename="' . $r->filename . '"');
diff --git a/admin/donations.php b/admin/donations.php
index 98c1353d..c7890f24 100644
--- a/admin/donations.php
+++ b/admin/donations.php
@@ -143,15 +143,15 @@ function refresh_fundraising_table() {
prepare("SELECT * FROM fundraising WHERE year='" . $config['FAIRYEAR'] . "'");
-$q->execute();
+$q = $pdo->prepare("SELECT * FROM fundraising WHERE year=?");
+$q->execute([$config['FAIRYEAR']]);
if (!$q->rowCount()) {
$q = $pdo->prepare("SELECT * FROM fundraising WHERE year='-1'");
$q->execute();
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
- $q = $pdo->prepare("INSERT INTO fundraising (`type`,`name`,`description`,`system`,`goal`,`year`) VALUES ('$r->type','" . $r->name . "','" . $r->description . "','$r->system','$r->goal','" . $config['FAIRYEAR'] . "')");
- $q->execute();
+ $q = $pdo->prepare("INSERT INTO fundraising (`type`,`name`,`description`,`system`,`goal`,`year`) VALUES (?,?,?,?,?,?)");
+ $q->execute([$r->type,$r->name,$r->description,$r->system,$r->goal,$config['FAIRYEAR']]);
}
}
diff --git a/admin/donors.php b/admin/donors.php
index f83bdba1..80b0e2a7 100644
--- a/admin/donors.php
+++ b/admin/donors.php
@@ -32,8 +32,8 @@ global $pdo;
switch (get_value_from_array($_GET, 'action')) {
case 'organizationinfo_load':
$id = intval($_GET['id']);
- $q = $pdo->prepare("SELECT * FROM sponsors WHERE id='$id'");
- $q->execute();
+ $q = $pdo->prepare("SELECT * FROM sponsors WHERE id=?");
+ $q->execute([$id]);
$ret = $q->fetch(PDO::FETCH_ASSOC);
echo json_encode($ret);
exit;
@@ -43,8 +43,8 @@ switch (get_value_from_array($_GET, 'action')) {
$id = intval($_POST['sponsor_id']);
if ($id == -1) {
echo "INSERT INTO sponsors (year) VALUES ('" . $config['FAIRYEAR'] . "')";
- $q = $pdo->prepare("INSERT INTO sponsors (year) VALUES ('" . $config['FAIRYEAR'] . "')");
- $q->execute();
+ $q = $pdo->prepare("INSERT INTO sponsors (year) VALUES (?)");
+ $q->execute([$config['FAIRYEAR']]);
$id = $pdo->lastInsertId();
echo json_encode(array('id' => $id));
save_activityinfo('Created donor/sponsor', $id, $_SESSION['users_uid'], 'System');
@@ -93,8 +93,8 @@ switch (get_value_from_array($_GET, 'action')) {
echo "
\n";
// LAST DONATION
- $q = $pdo->prepare("SELECT * FROM fundraising_donations WHERE sponsors_id='$id' ORDER BY datereceived DESC LIMIT 1");
- $q->execute();
+ $q = $pdo->prepare("SELECT * FROM fundraising_donations WHERE sponsors_id=? ORDER BY datereceived DESC LIMIT 1");
+ $q->execute([$id]);
if ($r = $q->fetch(PDO::FETCH_OBJ))
$lastdonation = i18n('%1 on %2', array(format_money($r->value, false), format_date($r->datereceived)), array('Donation amount', 'Donation date'));
else
@@ -102,11 +102,11 @@ switch (get_value_from_array($_GET, 'action')) {
// TOTAL THIS YEAR
$q = $pdo->prepare("SELECT SUM(value) AS total FROM fundraising_donations
- WHERE sponsors_id='$id'
+ WHERE sponsors_id=?
AND status='received'
- AND fiscalyear={$config['FISCALYEAR']}
+ AND fiscalyear=?
");
- $q->execute();
+ $q->execute([$id,$config['FISCALYEAR']]);
if ($r = $q->fetch(PDO::FETCH_OBJ))
$totalthisyear = format_money($r->total, false);
else
@@ -115,11 +115,11 @@ switch (get_value_from_array($_GET, 'action')) {
// TOTAL LAST YEAR
$lastyear = $config['FISCALYEAR'] - 1;
$q = $pdo->prepare("SELECT SUM(value) AS total FROM fundraising_donations
- WHERE sponsors_id='$id'
+ WHERE sponsors_id=?
AND status='received'
- AND fiscalyear=$lastyear
+ AND fiscalyear=?
");
- $q->execute();
+ $q->execute([$id,$lastyear]);
if ($r = $q->fetch(PDO::FETCH_OBJ))
$totallastyear = format_money($r->total, false);
@@ -139,11 +139,11 @@ switch (get_value_from_array($_GET, 'action')) {
fundraising_campaigns.name AS campaignname
FROM fundraising_donations
LEFT JOIN fundraising_campaigns ON fundraising_donations.fundraising_campaigns_id=fundraising_campaigns.id
- WHERE sponsors_id='$id'
+ WHERE sponsors_id=?
AND status='received'
- AND fundraising_donations.fiscalyear='{$config['FISCALYEAR']}'
+ AND fundraising_donations.fiscalyear=?
ORDER BY datereceived DESC");
- $q->execute();
+ $q->execute([$id,$config['FISCALYEAR']]);
show_pdo_errors_if_any($pdo);
if ($q->rowCount()) {
@@ -193,10 +193,10 @@ switch (get_value_from_array($_GET, 'action')) {
fundraising_campaigns.name AS campaignname
FROM fundraising_donations
LEFT JOIN fundraising_campaigns ON fundraising_donations.fundraising_campaigns_id=fundraising_campaigns.id
- WHERE sponsors_id='$id'
+ WHERE sponsors_id=?
AND status='received'
ORDER BY datereceived DESC");
- $q->execute();
+ $q->execute([$id]);
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
echo "
\n";
@@ -228,13 +228,13 @@ switch (get_value_from_array($_GET, 'action')) {
FROM users
LEFT JOIN users_sponsor ON users_sponsor.users_id=users.id
WHERE
- sponsors_id='$id'
+ sponsors_id=?
AND types LIKE '%sponsor%'
GROUP BY uid
HAVING deleted='no'
ORDER BY users_sponsor.primary DESC,lastname,firstname
");
- $query->execute();
+ $query->execute([$id]);
show_pdo_errors_if_any($pdo);
$uids = array();
while ($r = $query->fetch(PDO::FETCH_OBJ)) {
@@ -242,9 +242,9 @@ switch (get_value_from_array($_GET, 'action')) {
}
$q = $pdo->prepare("SELECT * FROM fundraising_campaigns
- WHERE fiscalyear='{$config['FISCALYEAR']}'
+ WHERE fiscalyear=?
ORDER BY name");
- $q->execute();
+ $q->execute([$config['FISCALYEAR']]);
$str = '';
echo '
prepare("SELECT * FROM fundraising_campaigns WHERE fiscalyear='{$config['FISCALYEAR']}'");
- $q->execute();
+ $q = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE fiscalyear=?");
+ $q->execute([$config['FISCALYEAR']]);
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
- $goalq = $pdo->prepare("SELECT * FROM fundraising_goals WHERE goal='{$r->fundraising_goal}' AND fiscalyear='{$config['FISCALYEAR']}'");
- $goalq->execute();
+ $goalq = $pdo->prepare("SELECT * FROM fundraising_goals WHERE goal=? AND fiscalyear=?");
+ $goalq->execute([$r->fundraising_goal,$config['FISCALYEAR']]);
$goalr = $goalq->fetch(PDO::FETCH_OBJ);
- $recq = $pdo->prepare("SELECT SUM(value) AS received FROM fundraising_donations WHERE fundraising_campaigns_id='$r->id' AND fiscalyear='{$config['FISCALYEAR']}' AND status='received'");
- $recq->execute();
+ $recq = $pdo->prepare("SELECT SUM(value) AS received FROM fundraising_donations WHERE fundraising_campaigns_id=? AND fiscalyear=? AND status='received'");
+ $recq->execute([$r->id,$config['FISCALYEAR']]);
show_pdo_errors_if_any($pdo);
$recr = $recq->fetch(PDO::FETCH_OBJ);
$received = $recr->received;
@@ -139,8 +139,8 @@ case 'managelist':
exit;
}
$id = intval($_GET['id']);
- $q = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE id='$id'");
- $q->execute();
+ $q = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE id=?");
+ $q->execute([$id]);
$campaign = $q->fetch(PDO::FETCH_OBJ);
echo "
$campaign->name
\n";
?>
@@ -171,12 +171,12 @@ case 'managelist':
case 'manage_tab_overview':
$campaign_id = intval($_GET['id']);
- $q = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE id='$campaign_id' AND fiscalyear='{$config['FISCALYEAR']}'");
- $q->execute();
+ $q = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE id=? AND fiscalyear=?");
+ $q->execute([$campaign_id,$config['FISCALYEAR']]);
if ($r = $q->fetch(PDO::FETCH_OBJ)) {
$goalr = getGoal($r->fundraising_goal);
- $recq = $pdo->prepare("SELECT SUM(value) AS received FROM fundraising_donations WHERE fundraising_campaigns_id='$r->id' AND fiscalyear='{$config['FISCALYEAR']}' AND status='received'");
- $recq->execute();
+ $recq = $pdo->prepare("SELECT SUM(value) AS received FROM fundraising_donations WHERE fundraising_campaigns_id=? AND fiscalyear=? AND status='received'");
+ $recq->execute([$r->id,$config['FISCALYEAR']]);
show_pdo_errors_if_any($pdo);
$recr = recq->fetch(PDO::FETCH_OBJ);
$received = $recr->received;
@@ -209,8 +209,8 @@ case 'managelist':
case 'manage_tab_donations':
$campaign_id = intval($_GET['id']);
- $q = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE id='$campaign_id' AND fiscalyear='{$config['FISCALYEAR']}'");
- $q->execute();
+ $q = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE id=? AND fiscalyear=?");
+ $q->execute([$campaign_id,$config['FISCALYEAR']]);
if ($campaign = $q->fetch(PDO::FETCH_OBJ)) {
echo '
';
echo '';
@@ -227,8 +227,8 @@ case 'managelist':
\t\t\tAND status='received' ORDER BY datereceived DESC");
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
$goal = getGoal($r->fundraising_goal);
- $sq = $pdo->prepare("SELECT * FROM sponsors WHERE id='{$r->sponsors_id}'");
- $sq->execute();
+ $sq = $pdo->prepare("SELECT * FROM sponsors WHERE id=?");
+ $sq->execute([$r->sponsors_id]);
$sponsor = $sq->fetch(PDO::FETCH_OBJ);
echo '
' . format_date($r->datereceived) . "
\n";
echo '
' . $sponsor->organization . "
\n";
@@ -258,8 +258,8 @@ case 'managelist':
'mentor' => 'Mentor (not implemented)',
);
$campaign_id = intval($_GET['id']);
- $q = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE id='$campaign_id' AND fiscalyear='{$config['FISCALYEAR']}'");
- $q->execute();
+ $q = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE id=? AND fiscalyear=?");
+ $q->execute([$campaign_id,$config['FISCALYEAR']]);
$campaign = $q->fetch(PDO::FETCH_OBJ);
if ($campaign->filterparameters) {
echo '
prepare("SELECT * FROM fundraising_donor_levels WHERE fiscalyear='{$config['FISCALYEAR']}' ORDER BY min");
- $q->execute();
+ $q = $pdo->prepare("SELECT * FROM fundraising_donor_levels WHERE fiscalyear=? ORDER BY min");
+ $q->execute([$config['FISCALYEAR']]);
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
echo " \n";
}
@@ -408,8 +408,8 @@ case 'managelist':
case 'manage_tab_communications':
$campaign_id = intval($_GET['id']);
- $q = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE id='$campaign_id' AND fiscalyear='{$config['FISCALYEAR']}'");
- $q->execute();
+ $q = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE id=? AND fiscalyear=?");
+ $q->execute([$campaign_id,$config['FISCALYEAR']]);
if ($r = $q->fetch(PDO::FETCH_OBJ)) {
}
$communications = array('initial' => 'Initial Communication',
@@ -418,8 +418,8 @@ case 'managelist':
foreach ($communications as $key => $name) {
echo '
' . i18n($name) . "
\n";
// check if they have one in the emails database
- $q = $pdo->prepare("SELECT * FROM emails WHERE fundraising_campaigns_id='$campaign_id' AND val='$key'");
- $q->execute();
+ $q = $pdo->prepare("SELECT * FROM emails WHERE fundraising_campaigns_id=? AND val=?");
+ $q->execute([$campaign_id,$key]);
if ($email = $q->fetch(PDO::FETCH_OBJ)) {
echo '
';
echo "id,$campaign_id)\">';
@@ -471,12 +471,12 @@ case 'managelist':
show_pdo_errors_if_any($pdo);
}
// if theres nobody left in the list we need to reset the filter params as well
- $q = $pdo->prepare("SELECT COUNT(*) AS num FROM fundraising_campaigns_users_link WHERE fundraising_campaigns_id='$campaignid'");
- $q->execute();
+ $q = $pdo->prepare("SELECT COUNT(*) AS num FROM fundraising_campaigns_users_link WHERE fundraising_campaigns_id=?");
+ $q->execute([$campaignid]);
$r = $q->fetch(PDO::FETCH_OBJ);
if ($r->num == 0) {
- $stmt = $pdo->prepare("UPDATE fundraising_campaigns SET filterparameters=NULL WHERE id='$campaignid'");
- $stmt->execute();
+ $stmt = $pdo->prepare("UPDATE fundraising_campaigns SET filterparameters=NULL WHERE id=?");
+ $stmt->execute([$campaignid]);
}
happy_('Selected users removed from list');
@@ -485,10 +485,10 @@ case 'managelist':
case 'prospect_removeall':
$campaignid = intval($_POST['fundraising_campaigns_id']);
- $stmt = $pdo->prepare("DELETE FROM fundraising_campaigns_users_link WHERE fundraising_campaigns_id='$campaignid'");
- $stmt->execute();
- $stmt = $pdo->prepare("UPDATE fundraising_campaigns SET filterparameters=NULL WHERE id='$campaignid'");
- $stmt->execute();
+ $stmt = $pdo->prepare("DELETE FROM fundraising_campaigns_users_link WHERE fundraising_campaigns_id=?");
+ $stmt->execute([$campaignid]);
+ $stmt = $pdo->prepare("UPDATE fundraising_campaigns SET filterparameters=NULL WHERE id=?");
+ $stmt->execute([$campaignid]);
happy_('All users removed from list');
exit;
break;
@@ -496,14 +496,14 @@ case 'managelist':
case 'communication_remove':
$emails_id = $_POST['id'];
// check if its been sent, if so, it cannot be deleted, sorry!
- $q = $pdo->prepare("SELECT * FROM emails WHERE id='$emails_id'");
- $q->execute();
+ $q = $pdo->prepare("SELECT * FROM emails WHERE id=?");
+ $q->execute([$emails_id]);
$e = $q->fetch(PDO::FETCH_OBJ);
if ($e->lastsent) {
error_('Cannot remove an email that has already been sent');
} else {
- $stmt = $pdo->prepare("DELETE FROM emails WHERE id='$emails_id'");
- $stmt->execute();
+ $stmt = $pdo->prepare("DELETE FROM emails WHERE id=?");
+ $stmt->execute([$emails_id]);
happy_('Communicaton removed');
}
@@ -800,8 +800,8 @@ function display_campaign_form($r = null)
$
prepare("SELECT * FROM fundraising_goals WHERE fiscalyear='{$config['FISCALYEAR']}' ORDER BY name");
- $fgq->execute();
+ $fgq = $pdo->prepare("SELECT * FROM fundraising_goals WHERE fiscalyear=? ORDER BY name");
+ $fgq->execute([$config['FISCALYEAR']]);
echo '