From a077e3fdc9eeda6969fc68039828604df1c75970 Mon Sep 17 00:00:00 2001 From: Muad Sakah Date: Mon, 3 Feb 2025 21:34:12 +0000 Subject: [PATCH] about 150 database lines have been changed in roughly 15-18 files --- admin/communication.php | 40 ++++---- admin/documentdownloader.php | 4 +- admin/donations.php | 8 +- admin/donors.php | 100 ++++++++++---------- admin/donors_search.php | 8 +- admin/exhibithall_sa.php | 24 ++--- admin/export_checkin.php | 18 ++-- admin/fair_stats.php | 36 +++---- admin/fair_stats_select.php | 8 +- admin/fundraising_campaigns.php | 84 ++++++++-------- admin/fundraising_campaigns_prospecting.php | 24 ++--- admin/fundraising_common.inc.php | 4 +- admin/fundraising_goals_handler.inc.php | 24 ++--- admin/judging_score_entry.php | 12 +-- admin/project_editor.php | 74 +++++++-------- admin/registration_list.php | 56 +++++------ admin/registration_receivedforms.php | 4 +- 17 files changed, 264 insertions(+), 264 deletions(-) diff --git a/admin/communication.php b/admin/communication.php index 0bff34c0..23e746b6 100644 --- a/admin/communication.php +++ b/admin/communication.php 
@@ -686,17 +686,17 @@ if (get_value_from_array($_GET, 'action') == 'sendqueue') { $fcid = intval($_POST['fundraising_campaigns_id']); $emailid = intval($_POST['emails_id']); - $fcq = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE id='$fcid'"); - $fcq->execute(); + $fcq = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE id=?"); + $fcq->execute([$fcid]); $fc = $fcq->fetch(PDO::FETCH_OBJ); - $emailq = $pdo->prepare("SELECT * FROM emails WHERE id='$emailid'"); - $emailq->execute(); + $emailq = $pdo->prepare("SELECT * FROM emails WHERE id=?"); + $emailq->execute([$emailid]); $email = $emailq->fetch(PDO::FETCH_OBJ); $recipq = $pdo->prepare("SELECT * FROM fundraising_campaigns_users_link - WHERE fundraising_campaigns_id='$fcid'"); - $recipq->execute(); + WHERE fundraising_campaigns_id=?"); + $recipq->execute([$fcid]); show_pdo_errors_if_any($pdo); $numtotal = $recipq->rowCount(); @@ -727,8 +727,8 @@ if (get_value_from_array($_GET, 'action') == 'sendqueue') { // we only send school access codes to science heads or principals - $acq = $pdo->prepare("SELECT accesscode FROM schools WHERE (sciencehead_uid='{$u['uid']}' OR principal_uid='{$u['uid']}') AND `year`='{$config['FAIRYEAR']}'"); - $acq->execute(); + $acq = $pdo->prepare("SELECT accesscode FROM schools WHERE (sciencehead_uid=? OR principal_uid=? AND `year`=?"); + $acq->execute([$u['uid'],$config['FAIRYEAR']]); $acr = $acq->fetch(PDO::FETCH_OBJ); $accesscode = $acr->accesscode; @@ -755,8 +755,8 @@ if (get_value_from_array($_GET, 'action') == 'sendqueue') { $q->execute(); show_pdo_errors_if_any($pdo); } - $q = $pdo->prepare("UPDATE emails SET lastsent=NOW() WHERE id='$emailid'"); - $q->execute(); + $q = $pdo->prepare("UPDATE emails SET lastsent=NOW() WHERE id=?"); + $q->execute([$emailid]); } echo 'ok'; launchQueue(); @@ -786,16 +786,16 @@ echo '
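Review bot: The rewritten schools query in the `@@ -727` hunk drops the closing parenthesis after `principal_uid=?` and supplies two bound values for three placeholders, so `execute()` fails (parameter count mismatch) and, even once that is fixed, the precedence is `sciencehead_uid=? OR (principal_uid=? AND year=?)` rather than the original `(A OR B) AND year`. The later `@@ -915` hunk of the same file shows the intended form; make this one match it: `... WHERE (sciencehead_uid=? OR principal_uid=?) AND `year`=?` with `$acq->execute([$u['uid'], $u['uid'], $config['FAIRYEAR']]);`. The following `$accesscode = $acr->accesscode;` reads a property off `false` when no row matches, so a guard on `$acr` would be worthwhile as well. The enclosing block starts and ends outside the hunk.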
'; prepare("DELETE FROM emails WHERE id='" . $_GET['delete'] . "' AND `type`='user'"); - $q->execute(); + $q = $pdo->prepare("DELETE FROM emails WHERE id=? AND `type`='user'"); + $q->execute([$_GET['delete']]); echo happy('Email successfully deleted'); } if (get_value_from_array($_GET, 'action') == 'send' && get_value_from_array($_GET, 'send')) { show_pdo_errors_if_any($pdo); - $q = $pdo->prepare("SELECT * FROM emails WHERE id='" . $_GET['send'] . "'"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM emails WHERE id=?"); + $q->execute($_GET['send']); $r = $q->fetch(PDO::FETCH_OBJ); @@ -859,8 +859,8 @@ if (get_value_from_array($_GET, 'action') == 'send' && get_value_from_array($_GE // echo $str; } else if (get_value_from_array($_POST, 'action') == 'reallysend' && get_value_from_array($_POST, 'reallysend') && get_value_from_array($_POST, 'to')) { $emailid = intval($_POST['reallysend']); - $emailq = $pdo->prepare("SELECT * FROM emails WHERE id='$emailid'"); - $emailq->execute(); + $emailq = $pdo->prepare("SELECT * FROM emails WHERE id=?"); + $emailq->execute([$emailid]); $email = $emailq->fetch(PDO::FETCH_OBJ); $to = $_POST['to']; @@ -915,8 +915,8 @@ if (get_value_from_array($_GET, 'action') == 'send' && get_value_from_array($_GE } if ($u) { // we only send school access codes to science heads or principals - $acq = $pdo->prepare("SELECT accesscode FROM schools WHERE (sciencehead_uid='{$u['uid']}' OR principal_uid='{$u['uid']}') AND `year`='{$config['FAIRYEAR']}'"); - $acq->execute(); + $acq = $pdo->prepare("SELECT accesscode FROM schools WHERE (sciencehead_uid=? OR principal_uid=?) AND `year`=?"); + $acq->execute([$u['uid'],$u['uid'],$config['FAIRYEAR']]); show_pdo_errors_if_any($pdo); $acr = $acq->fetch(PDO::FETCH_OBJ); $accesscode = $acr->accesscode; 
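Review bot: In the `@@ -786` hunk the send branch calls `$q->execute($_GET['send']);` with a scalar; `PDOStatement::execute()` takes an array of parameters, so on PHP 8 this is a `TypeError` and the send page stops working. It should be `$q->execute([$_GET['send']]);`, matching the delete branch two lines above. Both `$_GET['delete']` and `$_GET['send']` are now bound rather than interpolated, which removes the injection, but for consistency with the rest of this file (`$emailid = intval($_POST['reallysend'])`) coerce them with `intval()` before use.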
@@ -949,8 +949,8 @@ if (get_value_from_array($_GET, 'action') == 'send' && get_value_from_array($_GE show_pdo_errors_if_any($pdo); } - $q = $pdo->prepare("UPDATE emails SET lastsent=NOW() WHERE id='$emailid'"); - $q->execute(); + $q = $pdo->prepare("UPDATE emails SET lastsent=NOW() WHERE id=?"); + $q->execute([$emailid]); } launchQueue(); echo '
'; diff --git a/admin/documentdownloader.php b/admin/documentdownloader.php index 3c5724f0..c69dbb2e 100644 --- a/admin/documentdownloader.php +++ b/admin/documentdownloader.php @@ -25,8 +25,8 @@ require ('../common.inc.php'); require_once ('../user.inc.php'); user_auth_required('committee', 'admin'); -$q = $pdo->prepare("SELECT * FROM documents WHERE id='" . $_GET['id'] . "'"); -$q->execute(); +$q = $pdo->prepare("SELECT * FROM documents WHERE id=?"); +$q->execute([$_GET['id']]); if ($r = $q->fetch(PDO::FETCH_OBJ)) { header('Content-type: ' . trim(exec("file -bi ../data/documents/$r->filename"))); header('Content-disposition: inline; filename="' . $r->filename . '"'); diff --git a/admin/donations.php b/admin/donations.php index 98c1353d..c7890f24 100644 --- a/admin/donations.php +++ b/admin/donations.php @@ -143,15 +143,15 @@ function refresh_fundraising_table() { prepare("SELECT * FROM fundraising WHERE year='" . $config['FAIRYEAR'] . "'"); -$q->execute(); +$q = $pdo->prepare("SELECT * FROM fundraising WHERE year=?"); +$q->execute([$config['FAIRYEAR']]); if (!$q->rowCount()) { $q = $pdo->prepare("SELECT * FROM fundraising WHERE year='-1'"); $q->execute(); while ($r = $q->fetch(PDO::FETCH_OBJ)) { - $q = $pdo->prepare("INSERT INTO fundraising (`type`,`name`,`description`,`system`,`goal`,`year`) VALUES ('$r->type','" . $r->name . "','" . $r->description . "','$r->system','$r->goal','" . $config['FAIRYEAR'] . "')"); - $q->execute(); + $q = $pdo->prepare("INSERT INTO fundraising (`type`,`name`,`description`,`system`,`goal`,`year`) VALUES (?,?,?,?,?,?)"); + $q->execute([$r->type,$r->name,$r->description,$r->system,$r->goal,$config['FAIRYEAR']]); } } diff --git a/admin/donors.php b/admin/donors.php index f83bdba1..80b0e2a7 100644 --- a/admin/donors.php +++ b/admin/donors.php 
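Review bot: The documents lookup now binds `$_GET['id']`, but the adjacent context line still builds a shell command from a database value, `exec("file -bi ../data/documents/$r->filename")`, with no quoting, so any filename stored with shell metacharacters is interpreted by the shell. Wrap it as `escapeshellarg('../data/documents/' . $r->filename)` or avoid the shell entirely via `finfo` (`FILEINFO_MIME`). For consistency with the other hunks in this patch, pass `intval($_GET['id'])` rather than the raw string. The enclosing block continues outside the hunk.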
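Review bot: In the donations.php hunk the loop `while ($r = $q->fetch(PDO::FETCH_OBJ))` iterates over `$q`, yet the new `$q = $pdo->prepare("INSERT INTO fundraising ...")` inside the body overwrites that same variable, so the next `fetch()` runs against the INSERT statement and the loop appears to stop after copying a single default row. Prepare the insert once under its own name before the loop, `$ins = $pdo->prepare("INSERT INTO fundraising (`type`,`name`,`description`,`system`,`goal`,`year`) VALUES (?,?,?,?,?,?)");`, and inside the loop call `$ins->execute([$r->type, $r->name, $r->description, $r->system, $r->goal, $config['FAIRYEAR']]);`. The variable clash predates this commit but the commit rewrites the line in question.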
@@ -32,8 +32,8 @@ global $pdo; switch (get_value_from_array($_GET, 'action')) { case 'organizationinfo_load': $id = intval($_GET['id']); - $q = $pdo->prepare("SELECT * FROM sponsors WHERE id='$id'"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM sponsors WHERE id=?"); + $q->execute([$id]); $ret = $q->fetch(PDO::FETCH_ASSOC); echo json_encode($ret); exit; @@ -43,8 +43,8 @@ switch (get_value_from_array($_GET, 'action')) { $id = intval($_POST['sponsor_id']); if ($id == -1) { echo "INSERT INTO sponsors (year) VALUES ('" . $config['FAIRYEAR'] . "')"; - $q = $pdo->prepare("INSERT INTO sponsors (year) VALUES ('" . $config['FAIRYEAR'] . "')"); - $q->execute(); + $q = $pdo->prepare("INSERT INTO sponsors (year) VALUES (?)"); + $q->execute([$config['FAIRYEAR']]); $id = $pdo->lastInsertId(); echo json_encode(array('id' => $id)); save_activityinfo('Created donor/sponsor', $id, $_SESSION['users_uid'], 'System'); @@ -93,8 +93,8 @@ switch (get_value_from_array($_GET, 'action')) { echo "\n"; // LAST DONATION - $q = $pdo->prepare("SELECT * FROM fundraising_donations WHERE sponsors_id='$id' ORDER BY datereceived DESC LIMIT 1"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM fundraising_donations WHERE sponsors_id=? ORDER BY datereceived DESC LIMIT 1"); + $q->execute([$id]); if ($r = $q->fetch(PDO::FETCH_OBJ)) $lastdonation = i18n('%1 on %2', array(format_money($r->value, false), format_date($r->datereceived)), array('Donation amount', 'Donation date')); else @@ -102,11 +102,11 @@ switch (get_value_from_array($_GET, 'action')) { // TOTAL THIS YEAR $q = $pdo->prepare("SELECT SUM(value) AS total FROM fundraising_donations - WHERE sponsors_id='$id' + WHERE sponsors_id=? AND status='received' - AND fiscalyear={$config['FISCALYEAR']} + AND fiscalyear=? "); - $q->execute(); + $q->execute([$id,$config['FISCALYEAR']]); if ($r = $q->fetch(PDO::FETCH_OBJ)) $totalthisyear = format_money($r->total, false); else 
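Review bot: In the `@@ -43` hunk the debug line `echo "INSERT INTO sponsors (year) VALUES ('" . $config['FAIRYEAR'] . "')";` directly above the rewritten prepare() is left in place, so the raw SQL text is written into the response ahead of `echo json_encode(array('id' => $id));`, which both corrupts the JSON the caller parses and discloses the statement. Remove the echo line; it is a context line here, but the commit touches the statement right beneath it.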
@@ -115,11 +115,11 @@ switch (get_value_from_array($_GET, 'action')) { // TOTAL LAST YEAR $lastyear = $config['FISCALYEAR'] - 1; $q = $pdo->prepare("SELECT SUM(value) AS total FROM fundraising_donations - WHERE sponsors_id='$id' + WHERE sponsors_id=? AND status='received' - AND fiscalyear=$lastyear + AND fiscalyear=? "); - $q->execute(); + $q->execute([$id,$lastyear]); if ($r = $q->fetch(PDO::FETCH_OBJ)) $totallastyear = format_money($r->total, false); @@ -139,11 +139,11 @@ switch (get_value_from_array($_GET, 'action')) { fundraising_campaigns.name AS campaignname FROM fundraising_donations LEFT JOIN fundraising_campaigns ON fundraising_donations.fundraising_campaigns_id=fundraising_campaigns.id - WHERE sponsors_id='$id' + WHERE sponsors_id=? AND status='received' - AND fundraising_donations.fiscalyear='{$config['FISCALYEAR']}' + AND fundraising_donations.fiscalyear=? ORDER BY datereceived DESC"); - $q->execute(); + $q->execute([$id,$config['FISCALYEAR']]); show_pdo_errors_if_any($pdo); if ($q->rowCount()) { @@ -193,10 +193,10 @@ switch (get_value_from_array($_GET, 'action')) { fundraising_campaigns.name AS campaignname FROM fundraising_donations LEFT JOIN fundraising_campaigns ON fundraising_donations.fundraising_campaigns_id=fundraising_campaigns.id - WHERE sponsors_id='$id' + WHERE sponsors_id=? AND status='received' ORDER BY datereceived DESC"); - $q->execute(); + $q->execute([$id]); while ($r = $q->fetch(PDO::FETCH_OBJ)) { echo "\n"; @@ -228,13 +228,13 @@ switch (get_value_from_array($_GET, 'action')) { FROM users LEFT JOIN users_sponsor ON users_sponsor.users_id=users.id WHERE - sponsors_id='$id' + sponsors_id=? AND types LIKE '%sponsor%' GROUP BY uid HAVING deleted='no' ORDER BY users_sponsor.primary DESC,lastname,firstname "); - $query->execute(); + $query->execute([$id]); show_pdo_errors_if_any($pdo); $uids = array(); while ($r = $query->fetch(PDO::FETCH_OBJ)) { 
@@ -242,9 +242,9 @@ switch (get_value_from_array($_GET, 'action')) { } $q = $pdo->prepare("SELECT * FROM fundraising_campaigns - WHERE fiscalyear='{$config['FISCALYEAR']}' + WHERE fiscalyear=? ORDER BY name"); - $q->execute(); + $q->execute([$config['FISCALYEAR']]); $str = ''; echo 'prepare("SELECT * FROM fundraising_campaigns WHERE fiscalyear='{$config['FISCALYEAR']}'"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE fiscalyear=?"); + $q->execute([$config['FISCALYEAR']]); while ($r = $q->fetch(PDO::FETCH_OBJ)) { - $goalq = $pdo->prepare("SELECT * FROM fundraising_goals WHERE goal='{$r->fundraising_goal}' AND fiscalyear='{$config['FISCALYEAR']}'"); - $goalq->execute(); + $goalq = $pdo->prepare("SELECT * FROM fundraising_goals WHERE goal=? AND fiscalyear=?"); + $goalq->execute([$r->fundraising_goal,$config['FISCALYEAR']]); $goalr = $goalq->fetch(PDO::FETCH_OBJ); - $recq = $pdo->prepare("SELECT SUM(value) AS received FROM fundraising_donations WHERE fundraising_campaigns_id='$r->id' AND fiscalyear='{$config['FISCALYEAR']}' AND status='received'"); - $recq->execute(); + $recq = $pdo->prepare("SELECT SUM(value) AS received FROM fundraising_donations WHERE fundraising_campaigns_id=? AND fiscalyear=? AND status='received'"); + $recq->execute([$r->id,$config['FISCALYEAR']]); show_pdo_errors_if_any($pdo); $recr = $recq->fetch(PDO::FETCH_OBJ); $received = $recr->received; @@ -139,8 +139,8 @@ case 'managelist': exit; } $id = intval($_GET['id']); - $q = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE id='$id'"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE id=?"); + $q->execute([$id]); $campaign = $q->fetch(PDO::FETCH_OBJ); echo "

$campaign->name

\n"; ?> @@ -171,12 +171,12 @@ case 'managelist': case 'manage_tab_overview': $campaign_id = intval($_GET['id']); - $q = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE id='$campaign_id' AND fiscalyear='{$config['FISCALYEAR']}'"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE id=? AND fiscalyear=?"); + $q->execute([$campaign_id,$config['FISCALYEAR']]); if ($r = $q->fetch(PDO::FETCH_OBJ)) { $goalr = getGoal($r->fundraising_goal); - $recq = $pdo->prepare("SELECT SUM(value) AS received FROM fundraising_donations WHERE fundraising_campaigns_id='$r->id' AND fiscalyear='{$config['FISCALYEAR']}' AND status='received'"); - $recq->execute(); + $recq = $pdo->prepare("SELECT SUM(value) AS received FROM fundraising_donations WHERE fundraising_campaigns_id=? AND fiscalyear=? AND status='received'"); + $recq->execute([$r->id,$config['FISCALYEAR']]); show_pdo_errors_if_any($pdo); $recr = recq->fetch(PDO::FETCH_OBJ); $received = $recr->received; @@ -209,8 +209,8 @@ case 'managelist': case 'manage_tab_donations': $campaign_id = intval($_GET['id']); - $q = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE id='$campaign_id' AND fiscalyear='{$config['FISCALYEAR']}'"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE id=? AND fiscalyear=?"); + $q->execute([$campaign_id,$config['FISCALYEAR']]); if ($campaign = $q->fetch(PDO::FETCH_OBJ)) { echo '
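Review bot: In the `@@ -171` hunk the line right after the rewritten `$recq->execute([...])`, `$recr = recq->fetch(PDO::FETCH_OBJ);`, is missing the `$` on `recq`; as written PHP cannot resolve it as a variable, so the overview tab cannot reach `$received`. It is a context line and so likely pre-existing, but it sits inside the code path this commit changes and should be `$recr = $recq->fetch(PDO::FETCH_OBJ);`. The enclosing `case` continues outside the hunk.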
prepare("SELECT * FROM fundraising_campaigns WHERE fiscalyear='{$config['FISCALYEAR']}' ORDER BY name"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE fiscalyear=? ORDER BY name"); + $q->execute([$config['FISCALYEAR']]); echo '
'; echo ''; @@ -227,8 +227,8 @@ case 'managelist': \t\t\tAND status='received' ORDER BY datereceived DESC"); while ($r = $q->fetch(PDO::FETCH_OBJ)) { $goal = getGoal($r->fundraising_goal); - $sq = $pdo->prepare("SELECT * FROM sponsors WHERE id='{$r->sponsors_id}'"); - $sq->execute(); + $sq = $pdo->prepare("SELECT * FROM sponsors WHERE id=?"); + $sq->execute([$r->sponsors_id]); $sponsor = $sq->fetch(PDO::FETCH_OBJ); echo '\n"; echo ' \n"; @@ -258,8 +258,8 @@ case 'managelist': 'mentor' => 'Mentor (not implemented)', ); $campaign_id = intval($_GET['id']); - $q = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE id='$campaign_id' AND fiscalyear='{$config['FISCALYEAR']}'"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE id=? AND fiscalyear=?"); + $q->execute([$campaign_id,$config['FISCALYEAR']]); $campaign = $q->fetch(PDO::FETCH_OBJ); if ($campaign->filterparameters) { echo '
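Review bot: In the `@@ -227` hunk the donations statement closes with `ORDER BY datereceived DESC");` and the very next line is `while ($r = $q->fetch(PDO::FETCH_OBJ))`, with no `execute()` in between; the start of that statement is outside the hunk, so if it is a `$pdo->prepare()` (as every other statement in this file is) the fetch runs on an unexecuted statement and the tab shows nothing. Please confirm and add `$q->execute([...]);` with the campaign id and fiscal year bound. Separately, `$sponsor->organization` is read without checking that `$sq->fetch()` returned a row.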

' . i18n('User List') . "

\n"; @@ -307,8 +307,8 @@ case 'managelist': echo '
'; echo "\n"; echo "\n"; - $q = $pdo->prepare("SELECT * FROM fundraising_campaigns_users_link WHERE fundraising_campaigns_id='$campaign_id'"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM fundraising_campaigns_users_link WHERE fundraising_campaigns_id=?"); + $q->execute([$campaign_id]); while ($r = $q->fetch(PDO::FETCH_OBJ)) { $u = user_load_by_uid($r->users_uid); // hopefully this never returns false, but who knows.. @@ -359,8 +359,8 @@ case 'managelist':
' . format_date($r->datereceived) . "' . $sponsor->organization . "
: prepare("SELECT * FROM fundraising_donor_levels WHERE fiscalyear='{$config['FISCALYEAR']}' ORDER BY min"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM fundraising_donor_levels WHERE fiscalyear=? ORDER BY min"); + $q->execute([$config['FISCALYEAR']]); while ($r = $q->fetch(PDO::FETCH_OBJ)) { echo "
\n"; } @@ -408,8 +408,8 @@ case 'managelist': case 'manage_tab_communications': $campaign_id = intval($_GET['id']); - $q = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE id='$campaign_id' AND fiscalyear='{$config['FISCALYEAR']}'"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE id=? AND fiscalyear=?"); + $q->execute([$campaign_id,$config['FISCALYEAR']]); if ($r = $q->fetch(PDO::FETCH_OBJ)) { } $communications = array('initial' => 'Initial Communication', @@ -418,8 +418,8 @@ case 'managelist': foreach ($communications as $key => $name) { echo '

' . i18n($name) . "

\n"; // check if they have one in the emails database - $q = $pdo->prepare("SELECT * FROM emails WHERE fundraising_campaigns_id='$campaign_id' AND val='$key'"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM emails WHERE fundraising_campaigns_id=? AND val=?"); + $q->execute([$campaign_id,$key]); if ($email = $q->fetch(PDO::FETCH_OBJ)) { echo '
'; echo "id,$campaign_id)\">'; @@ -471,12 +471,12 @@ case 'managelist': show_pdo_errors_if_any($pdo); } // if theres nobody left in the list we need to reset the filter params as well - $q = $pdo->prepare("SELECT COUNT(*) AS num FROM fundraising_campaigns_users_link WHERE fundraising_campaigns_id='$campaignid'"); - $q->execute(); + $q = $pdo->prepare("SELECT COUNT(*) AS num FROM fundraising_campaigns_users_link WHERE fundraising_campaigns_id=?"); + $q->execute([$campaignid]); $r = $q->fetch(PDO::FETCH_OBJ); if ($r->num == 0) { - $stmt = $pdo->prepare("UPDATE fundraising_campaigns SET filterparameters=NULL WHERE id='$campaignid'"); - $stmt->execute(); + $stmt = $pdo->prepare("UPDATE fundraising_campaigns SET filterparameters=NULL WHERE id=?"); + $stmt->execute([$campaignid]); } happy_('Selected users removed from list'); @@ -485,10 +485,10 @@ case 'managelist': case 'prospect_removeall': $campaignid = intval($_POST['fundraising_campaigns_id']); - $stmt = $pdo->prepare("DELETE FROM fundraising_campaigns_users_link WHERE fundraising_campaigns_id='$campaignid'"); - $stmt->execute(); - $stmt = $pdo->prepare("UPDATE fundraising_campaigns SET filterparameters=NULL WHERE id='$campaignid'"); - $stmt->execute(); + $stmt = $pdo->prepare("DELETE FROM fundraising_campaigns_users_link WHERE fundraising_campaigns_id=?"); + $stmt->execute([$campaignid]); + $stmt = $pdo->prepare("UPDATE fundraising_campaigns SET filterparameters=NULL WHERE id=?"); + $stmt->execute([$campaignid]); happy_('All users removed from list'); exit; break; 
@@ -496,14 +496,14 @@ case 'managelist': case 'communication_remove': $emails_id = $_POST['id']; // check if its been sent, if so, it cannot be deleted, sorry! - $q = $pdo->prepare("SELECT * FROM emails WHERE id='$emails_id'"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM emails WHERE id=?"); + $q->execute([$emails_id]); $e = $q->fetch(PDO::FETCH_OBJ); if ($e->lastsent) { error_('Cannot remove an email that has already been sent'); } else { - $stmt = $pdo->prepare("DELETE FROM emails WHERE id='$emails_id'"); - $stmt->execute(); + $stmt = $pdo->prepare("DELETE FROM emails WHERE id=?"); + $stmt->execute([$emails_id]); happy_('Communicaton removed'); } @@ -800,8 +800,8 @@ function display_campaign_form($r = null)
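Review bot: In the `communication_remove` case `$emails_id = $_POST['id'];` is bound now, which closes the injection, but it is still not coerced (`intval($_POST['id'])` as the other ids in this file are), and `$e->lastsent` is read even when `$q->fetch()` returned `false` because no row matched. Add `if (!$e) { error_('Email not found'); break; }` before the check. Note also that the `DELETE FROM emails WHERE id=?` is not scoped to the campaign being managed, unlike the `AND type='user'` restriction in communication.php; whether that is acceptable depends on the page's access control, which is outside the hunk.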
$ prepare("SELECT * FROM fundraising_goals WHERE fiscalyear='{$config['FISCALYEAR']}' ORDER BY name"); - $fgq->execute(); + $fgq = $pdo->prepare("SELECT * FROM fundraising_goals WHERE fiscalyear=? ORDER BY name"); + $fgq->execute([$config['FISCALYEAR']]); echo ''; echo '\n"; diff --git a/admin/registration_list.php b/admin/registration_list.php index f4604ffd..3e01d971 100644 --- a/admin/registration_list.php +++ b/admin/registration_list.php @@ -39,14 +39,14 @@ if (get_value_from_array($_GET, 'year')) else $year = $config['FAIRYEAR']; -$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year='$year' ORDER BY id"); -$q->execute(); +$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year=? ORDER BY id"); +$q->execute([$year]); while ($r = $q->fetch(PDO::FETCH_OBJ)) $cats[$r->id] = $r->category; -$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year='$year' ORDER BY id"); -$q->execute(); +$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year=? ORDER BY id"); +$q->execute([$year]); while ($r = $q->fetch(PDO::FETCH_OBJ)) $divs[$r->id] = $r->division; 
@@ -62,34 +62,34 @@ switch ($action) { case 'delete': $regid = intval($_GET['id']); - $q = $pdo->prepare("SELECT * FROM projects WHERE registrations_id='$regid'"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM projects WHERE registrations_id=?"); + $q->execute([$regid]); if ($q->rowCount()) { $p = $q->fetch(PDO::FETCH_ASSOC); - $stmt = $pdo->prepare("DELETE FROM winners WHERE projects_id='{$p['id']}'"); - $stmt->execute(); + $stmt = $pdo->prepare("DELETE FROM winners WHERE projects_id=?"); + $stmt->execute([$p['id']]); } - $stmt = $pdo->prepare("DELETE FROM registrations WHERE id='$regid' AND year='" . $config['FAIRYEAR'] . "'"); - $stmt->execute(); + $stmt = $pdo->prepare("DELETE FROM registrations WHERE id=? AND year=?"); + $stmt->execute([$regid,$config['FAIRYEAR']]); - $stmt = $pdo->prepare("DELETE FROM students WHERE registrations_id='$regid' AND year='" . $config['FAIRYEAR'] . "'"); - $stmt->execute(); + $stmt = $pdo->prepare("DELETE FROM students WHERE registrations_id=? AND year=?"); + $stmt->execute([$regid,$config['FAIRYEAR']]); - $stmt = $pdo->prepare("DELETE FROM projects WHERE registrations_id='$regid' AND year='" . $config['FAIRYEAR'] . "'"); - $stmt->execute(); + $stmt = $pdo->prepare("DELETE FROM projects WHERE registrations_id=? AND year=?"); + $stmt->execute([$regid,$config['FAIRYEAR']]); - $stmt = $pdo->prepare("DELETE FROM safety WHERE registrations_id='$regid' AND year='" . $config['FAIRYEAR'] . "'"); - $stmt->execute(); + $stmt = $pdo->prepare("DELETE FROM safety WHERE registrations_id=? AND year=?"); + $stmt->execute([$regid,$config['FAIRYEAR']]); - $stmt = $pdo->prepare("DELETE FROM questions_answers WHERE registrations_id='$regid' AND year='" . $config['FAIRYEAR'] . "'"); - $stmt->execute(); + $stmt = $pdo->prepare("DELETE FROM questions_answers WHERE registrations_id=? AND year=?"); + $stmt->execute([$regid,$config['FAIRYEAR']]); - $stmt = $pdo->prepare("DELETE FROM mentors WHERE registrations_id='$regid' AND year='" . 
$config['FAIRYEAR'] . "'"); - $stmt->execute(); + $stmt = $pdo->prepare("DELETE FROM mentors WHERE registrations_id=? AND year=?"); + $stmt->execute([$regid,$config['FAIRYEAR']]); - $stmt = $pdo->prepare("DELETE FROM emergencycontact WHERE registrations_id='$regid' AND year='" . $config['FAIRYEAR'] . "'"); - $stmt->execute(); + $stmt = $pdo->prepare("DELETE FROM emergencycontact WHERE registrations_id=? AND year=?"); + $stmt->execute([$regid,$config['FAIRYEAR']]); happy_('Registration and all related data successfully deleted'); exit; } @@ -459,14 +459,14 @@ function list_query($year, $wherestatus, $reg_id) left outer join projects on projects.registrations_id=registrations.id WHERE 1 - AND registrations.year='$year' - $wherestatus - $reg $fair + AND registrations.year=? + ? + ? ? ORDER BY registrations.status DESC, projects.title "); - $q->execute(); + $q->execute([$year,$wherestatus,$reg,$fair]); // FIXME show_pdo_errors_if_any($pdo); @@ -516,11 +516,11 @@ function print_row($r) FROM students,schools WHERE - students.registrations_id='$r->reg_id' + students.registrations_id=? AND students.schools_id=schools.id "); - $sq->execute(); + $sq->execute([$r->reg_id]); show_pdo_errors_if_any($pdo); $studnum = 1; diff --git a/admin/registration_receivedforms.php b/admin/registration_receivedforms.php index f5d3380a..cc32bef8 100644 --- a/admin/registration_receivedforms.php +++ b/admin/registration_receivedforms.php @@ -41,8 +41,8 @@ echo '
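Review bot: In the `@@ -459` hunk of `list_query()` the three `?` placeholders substituted for `$wherestatus`, `$reg` and `$fair` cannot work: the removed lines show these are SQL fragments (whole `AND ...` clauses), and a bound parameter is always sent as a value, so the statement becomes `WHERE 1 AND registrations.year=? ? ? ?` and fails to prepare. Because `show_pdo_errors_if_any($pdo)` is commented out with a FIXME on the next line, the failure is silent and the registration list simply comes back empty. Keep the fragments interpolated and bind only the value: `AND registrations.year=? $wherestatus $reg $fair` with `$q->execute([$year]);`, provided the fragments are assembled from fixed strings earlier in the function (outside the hunk, so I cannot confirm); any fragment that embeds caller input such as `$reg_id` should carry its own `?` and have that value appended to the execute array.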
'; $showformatbottom = true; if (get_value_from_array($_POST, 'action') == 'received' && get_value_from_array($_POST, 'registration_number')) { - $q = $pdo->prepare("SELECT * FROM registrations WHERE num='" . $_POST['registration_number'] . "' AND year='" . $config['FAIRYEAR'] . "'"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM registrations WHERE num=? AND year=?"); + $q->execute([$_POST['registration_number'],$config['FAIRYEAR']]); if ($q->rowCount() == 1) { $r = $q->fetch(PDO::FETCH_OBJ); $reg_id = $r->id;