arman/science-ation
1
1
Fork 0
forked from science-ation/science-ation
Code Pull Requests Activity

about 150 database lines have been changed in roughly 15-18 files

Browse Source
This commit is contained in:
Muad Sakah 2025-02-03 21:34:12 +00:00
parent e86f06f141
commit a077e3fdc9
17 changed files with 264 additions and 264 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
admin/communication.php
View File

@ -686,17 +686,17 @@ if (get_value_from_array($_GET, 'action') == 'sendqueue') {
$fcid = intval($_POST['fundraising_campaigns_id']); $fcid = intval($_POST['fundraising_campaigns_id']);
$emailid = intval($_POST['emails_id']); $emailid = intval($_POST['emails_id']);
$fcq = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE id='$fcid'"); $fcq = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE id=?");
$fcq->execute(); $fcq->execute([$fcid]);
$fc = $fcq->fetch(PDO::FETCH_OBJ); $fc = $fcq->fetch(PDO::FETCH_OBJ);
$emailq = $pdo->prepare("SELECT * FROM emails WHERE id='$emailid'"); $emailq = $pdo->prepare("SELECT * FROM emails WHERE id=?");
$emailq->execute(); $emailq->execute([$emailid]);
$email = $emailq->fetch(PDO::FETCH_OBJ); $email = $emailq->fetch(PDO::FETCH_OBJ);
$recipq = $pdo->prepare("SELECT * FROM fundraising_campaigns_users_link $recipq = $pdo->prepare("SELECT * FROM fundraising_campaigns_users_link
WHERE fundraising_campaigns_id='$fcid'"); WHERE fundraising_campaigns_id=?");
$recipq->execute(); $recipq->execute([$fcid]);
show_pdo_errors_if_any($pdo); show_pdo_errors_if_any($pdo);
$numtotal = $recipq->rowCount(); $numtotal = $recipq->rowCount();
@ -727,8 +727,8 @@ if (get_value_from_array($_GET, 'action') == 'sendqueue') {
// we only send school access codes to science heads or principals // we only send school access codes to science heads or principals
$acq = $pdo->prepare("SELECT accesscode FROM schools WHERE (sciencehead_uid='{$u['uid']}' OR principal_uid='{$u['uid']}') AND `year`='{$config['FAIRYEAR']}'"); $acq = $pdo->prepare("SELECT accesscode FROM schools WHERE (sciencehead_uid=? OR principal_uid=? AND `year`=?");
$acq->execute(); $acq->execute([$u['uid'],$config['FAIRYEAR']]);
$acr = $acq->fetch(PDO::FETCH_OBJ); $acr = $acq->fetch(PDO::FETCH_OBJ);
$accesscode = $acr->accesscode; $accesscode = $acr->accesscode;
@ -755,8 +755,8 @@ if (get_value_from_array($_GET, 'action') == 'sendqueue') {
$q->execute(); $q->execute();
show_pdo_errors_if_any($pdo); show_pdo_errors_if_any($pdo);
} }
$q = $pdo->prepare("UPDATE emails SET lastsent=NOW() WHERE id='$emailid'"); $q = $pdo->prepare("UPDATE emails SET lastsent=NOW() WHERE id=?");
$q->execute(); $q->execute([$emailid]);
} }
echo 'ok'; echo 'ok';
launchQueue(); launchQueue();
@ -786,16 +786,16 @@ echo '<br />';
<? <?
if (get_value_from_array($_GET, 'action') == 'delete' && get_value_from_array($_GET, 'delete')) { if (get_value_from_array($_GET, 'action') == 'delete' && get_value_from_array($_GET, 'delete')) {
$q = $pdo->prepare("DELETE FROM emails WHERE id='" . $_GET['delete'] . "' AND `type`='user'"); $q = $pdo->prepare("DELETE FROM emails WHERE id=? AND `type`='user'");
$q->execute(); $q->execute([$_GET['delete']]);
echo happy('Email successfully deleted'); echo happy('Email successfully deleted');
} }
if (get_value_from_array($_GET, 'action') == 'send' && get_value_from_array($_GET, 'send')) { if (get_value_from_array($_GET, 'action') == 'send' && get_value_from_array($_GET, 'send')) {
show_pdo_errors_if_any($pdo); show_pdo_errors_if_any($pdo);
$q = $pdo->prepare("SELECT * FROM emails WHERE id='" . $_GET['send'] . "'"); $q = $pdo->prepare("SELECT * FROM emails WHERE id=?");
$q->execute(); $q->execute($_GET['send']);
$r = $q->fetch(PDO::FETCH_OBJ); $r = $q->fetch(PDO::FETCH_OBJ);
@ -859,8 +859,8 @@ if (get_value_from_array($_GET, 'action') == 'send' && get_value_from_array($_GE
// echo $str; // echo $str;
} else if (get_value_from_array($_POST, 'action') == 'reallysend' && get_value_from_array($_POST, 'reallysend') && get_value_from_array($_POST, 'to')) { } else if (get_value_from_array($_POST, 'action') == 'reallysend' && get_value_from_array($_POST, 'reallysend') && get_value_from_array($_POST, 'to')) {
$emailid = intval($_POST['reallysend']); $emailid = intval($_POST['reallysend']);
$emailq = $pdo->prepare("SELECT * FROM emails WHERE id='$emailid'"); $emailq = $pdo->prepare("SELECT * FROM emails WHERE id=?");
$emailq->execute(); $emailq->execute([$emailid]);
$email = $emailq->fetch(PDO::FETCH_OBJ); $email = $emailq->fetch(PDO::FETCH_OBJ);
$to = $_POST['to']; $to = $_POST['to'];
@ -915,8 +915,8 @@ if (get_value_from_array($_GET, 'action') == 'send' && get_value_from_array($_GE
} }
if ($u) { if ($u) {
// we only send school access codes to science heads or principals // we only send school access codes to science heads or principals
$acq = $pdo->prepare("SELECT accesscode FROM schools WHERE (sciencehead_uid='{$u['uid']}' OR principal_uid='{$u['uid']}') AND `year`='{$config['FAIRYEAR']}'"); $acq = $pdo->prepare("SELECT accesscode FROM schools WHERE (sciencehead_uid=? OR principal_uid=?) AND `year`=?");
$acq->execute(); $acq->execute([$u['uid'],$u['uid'],$config['FAIRYEAR']]);
show_pdo_errors_if_any($pdo); show_pdo_errors_if_any($pdo);
$acr = $acq->fetch(PDO::FETCH_OBJ); $acr = $acq->fetch(PDO::FETCH_OBJ);
$accesscode = $acr->accesscode; $accesscode = $acr->accesscode;
@ -949,8 +949,8 @@ if (get_value_from_array($_GET, 'action') == 'send' && get_value_from_array($_GE
show_pdo_errors_if_any($pdo); show_pdo_errors_if_any($pdo);
} }
$q = $pdo->prepare("UPDATE emails SET lastsent=NOW() WHERE id='$emailid'"); $q = $pdo->prepare("UPDATE emails SET lastsent=NOW() WHERE id=?");
$q->execute(); $q->execute([$emailid]);
} }
launchQueue(); launchQueue();
echo '<br />'; echo '<br />';

4
admin/documentdownloader.php
View File

@ -25,8 +25,8 @@
require ('../common.inc.php'); require ('../common.inc.php');
require_once ('../user.inc.php'); require_once ('../user.inc.php');
user_auth_required('committee', 'admin'); user_auth_required('committee', 'admin');
$q = $pdo->prepare("SELECT * FROM documents WHERE id='" . $_GET['id'] . "'"); $q = $pdo->prepare("SELECT * FROM documents WHERE id=?");
$q->execute(); $q->execute([$_GET['id']]);
if ($r = $q->fetch(PDO::FETCH_OBJ)) { if ($r = $q->fetch(PDO::FETCH_OBJ)) {
header('Content-type: ' . trim(exec("file -bi ../data/documents/$r->filename"))); header('Content-type: ' . trim(exec("file -bi ../data/documents/$r->filename")));
header('Content-disposition: inline; filename="' . $r->filename . '"'); header('Content-disposition: inline; filename="' . $r->filename . '"');

8
admin/donations.php
View File

@ -143,15 +143,15 @@ function refresh_fundraising_table() {
<? <?
// first, insert any defaults // first, insert any defaults
$q = $pdo->prepare("SELECT * FROM fundraising WHERE year='" . $config['FAIRYEAR'] . "'"); $q = $pdo->prepare("SELECT * FROM fundraising WHERE year=?");
$q->execute(); $q->execute([$config['FAIRYEAR']]);
if (!$q->rowCount()) { if (!$q->rowCount()) {
$q = $pdo->prepare("SELECT * FROM fundraising WHERE year='-1'"); $q = $pdo->prepare("SELECT * FROM fundraising WHERE year='-1'");
$q->execute(); $q->execute();
while ($r = $q->fetch(PDO::FETCH_OBJ)) { while ($r = $q->fetch(PDO::FETCH_OBJ)) {
$q = $pdo->prepare("INSERT INTO fundraising (`type`,`name`,`description`,`system`,`goal`,`year`) VALUES ('$r->type','" . $r->name . "','" . $r->description . "','$r->system','$r->goal','" . $config['FAIRYEAR'] . "')"); $q = $pdo->prepare("INSERT INTO fundraising (`type`,`name`,`description`,`system`,`goal`,`year`) VALUES (?,?,?,?,?,?)");
$q->execute(); $q->execute([$r->type,$r->name,$r->description,$r->system,$r->goal,$config['FAIRYEAR']]);
} }
} }

100
admin/donors.php
View File

@ -32,8 +32,8 @@ global $pdo;
switch (get_value_from_array($_GET, 'action')) { switch (get_value_from_array($_GET, 'action')) {
case 'organizationinfo_load': case 'organizationinfo_load':
$id = intval($_GET['id']); $id = intval($_GET['id']);
$q = $pdo->prepare("SELECT * FROM sponsors WHERE id='$id'"); $q = $pdo->prepare("SELECT * FROM sponsors WHERE id=?");
$q->execute(); $q->execute([$id]);
$ret = $q->fetch(PDO::FETCH_ASSOC); $ret = $q->fetch(PDO::FETCH_ASSOC);
echo json_encode($ret); echo json_encode($ret);
exit; exit;
@ -43,8 +43,8 @@ switch (get_value_from_array($_GET, 'action')) {
$id = intval($_POST['sponsor_id']); $id = intval($_POST['sponsor_id']);
if ($id == -1) { if ($id == -1) {
echo "INSERT INTO sponsors (year) VALUES ('" . $config['FAIRYEAR'] . "')"; echo "INSERT INTO sponsors (year) VALUES ('" . $config['FAIRYEAR'] . "')";
$q = $pdo->prepare("INSERT INTO sponsors (year) VALUES ('" . $config['FAIRYEAR'] . "')"); $q = $pdo->prepare("INSERT INTO sponsors (year) VALUES (?)");
$q->execute(); $q->execute([$config['FAIRYEAR']]);
$id = $pdo->lastInsertId(); $id = $pdo->lastInsertId();
echo json_encode(array('id' => $id)); echo json_encode(array('id' => $id));
save_activityinfo('Created donor/sponsor', $id, $_SESSION['users_uid'], 'System'); save_activityinfo('Created donor/sponsor', $id, $_SESSION['users_uid'], 'System');
@ -93,8 +93,8 @@ switch (get_value_from_array($_GET, 'action')) {
echo "<table cellspacing=3 cellpadding=3>\n"; echo "<table cellspacing=3 cellpadding=3>\n";
// LAST DONATION // LAST DONATION
$q = $pdo->prepare("SELECT * FROM fundraising_donations WHERE sponsors_id='$id' ORDER BY datereceived DESC LIMIT 1"); $q = $pdo->prepare("SELECT * FROM fundraising_donations WHERE sponsors_id=? ORDER BY datereceived DESC LIMIT 1");
$q->execute(); $q->execute([$id]);
if ($r = $q->fetch(PDO::FETCH_OBJ)) if ($r = $q->fetch(PDO::FETCH_OBJ))
$lastdonation = i18n('%1 on %2', array(format_money($r->value, false), format_date($r->datereceived)), array('Donation amount', 'Donation date')); $lastdonation = i18n('%1 on %2', array(format_money($r->value, false), format_date($r->datereceived)), array('Donation amount', 'Donation date'));
else else
@ -102,11 +102,11 @@ switch (get_value_from_array($_GET, 'action')) {
// TOTAL THIS YEAR // TOTAL THIS YEAR
$q = $pdo->prepare("SELECT SUM(value) AS total FROM fundraising_donations $q = $pdo->prepare("SELECT SUM(value) AS total FROM fundraising_donations
WHERE sponsors_id='$id' WHERE sponsors_id=?
AND status='received' AND status='received'
AND fiscalyear={$config['FISCALYEAR']} AND fiscalyear=?
"); ");
$q->execute(); $q->execute([$id,$config['FISCALYEAR']]);
if ($r = $q->fetch(PDO::FETCH_OBJ)) if ($r = $q->fetch(PDO::FETCH_OBJ))
$totalthisyear = format_money($r->total, false); $totalthisyear = format_money($r->total, false);
else else
@ -115,11 +115,11 @@ switch (get_value_from_array($_GET, 'action')) {
// TOTAL LAST YEAR // TOTAL LAST YEAR
$lastyear = $config['FISCALYEAR'] - 1; $lastyear = $config['FISCALYEAR'] - 1;
$q = $pdo->prepare("SELECT SUM(value) AS total FROM fundraising_donations $q = $pdo->prepare("SELECT SUM(value) AS total FROM fundraising_donations
WHERE sponsors_id='$id' WHERE sponsors_id=?
AND status='received' AND status='received'
AND fiscalyear=$lastyear AND fiscalyear=?
"); ");
$q->execute(); $q->execute([$id,$lastyear]);
if ($r = $q->fetch(PDO::FETCH_OBJ)) if ($r = $q->fetch(PDO::FETCH_OBJ))
$totallastyear = format_money($r->total, false); $totallastyear = format_money($r->total, false);
@ -139,11 +139,11 @@ switch (get_value_from_array($_GET, 'action')) {
fundraising_campaigns.name AS campaignname fundraising_campaigns.name AS campaignname
FROM fundraising_donations FROM fundraising_donations
LEFT JOIN fundraising_campaigns ON fundraising_donations.fundraising_campaigns_id=fundraising_campaigns.id LEFT JOIN fundraising_campaigns ON fundraising_donations.fundraising_campaigns_id=fundraising_campaigns.id
WHERE sponsors_id='$id' WHERE sponsors_id=?
AND status='received' AND status='received'
AND fundraising_donations.fiscalyear='{$config['FISCALYEAR']}' AND fundraising_donations.fiscalyear=?
ORDER BY datereceived DESC"); ORDER BY datereceived DESC");
$q->execute(); $q->execute([$id,$config['FISCALYEAR']]);
show_pdo_errors_if_any($pdo); show_pdo_errors_if_any($pdo);
if ($q->rowCount()) { if ($q->rowCount()) {
@ -193,10 +193,10 @@ switch (get_value_from_array($_GET, 'action')) {
fundraising_campaigns.name AS campaignname fundraising_campaigns.name AS campaignname
FROM fundraising_donations FROM fundraising_donations
LEFT JOIN fundraising_campaigns ON fundraising_donations.fundraising_campaigns_id=fundraising_campaigns.id LEFT JOIN fundraising_campaigns ON fundraising_donations.fundraising_campaigns_id=fundraising_campaigns.id
WHERE sponsors_id='$id' WHERE sponsors_id=?
AND status='received' AND status='received'
ORDER BY datereceived DESC"); ORDER BY datereceived DESC");
$q->execute(); $q->execute([$id]);
while ($r = $q->fetch(PDO::FETCH_OBJ)) { while ($r = $q->fetch(PDO::FETCH_OBJ)) {
echo "<tr>\n"; echo "<tr>\n";
@ -228,13 +228,13 @@ switch (get_value_from_array($_GET, 'action')) {
FROM users FROM users
LEFT JOIN users_sponsor ON users_sponsor.users_id=users.id LEFT JOIN users_sponsor ON users_sponsor.users_id=users.id
WHERE WHERE
sponsors_id='$id' sponsors_id=?
AND types LIKE '%sponsor%' AND types LIKE '%sponsor%'
GROUP BY uid GROUP BY uid
HAVING deleted='no' HAVING deleted='no'
ORDER BY users_sponsor.primary DESC,lastname,firstname ORDER BY users_sponsor.primary DESC,lastname,firstname
"); ");
$query->execute(); $query->execute([$id]);
show_pdo_errors_if_any($pdo); show_pdo_errors_if_any($pdo);
$uids = array(); $uids = array();
while ($r = $query->fetch(PDO::FETCH_OBJ)) { while ($r = $query->fetch(PDO::FETCH_OBJ)) {
@ -242,9 +242,9 @@ switch (get_value_from_array($_GET, 'action')) {
} }
$q = $pdo->prepare("SELECT * FROM fundraising_campaigns $q = $pdo->prepare("SELECT * FROM fundraising_campaigns
WHERE fiscalyear='{$config['FISCALYEAR']}' WHERE fiscalyear=?
ORDER BY name"); ORDER BY name");
$q->execute(); $q->execute([$config['FISCALYEAR']]);
$str = ''; $str = '';
echo '<select id="fundraising_campaign_id" name="fundraising_campaigns_id" onchange="campaignchange()">'; echo '<select id="fundraising_campaign_id" name="fundraising_campaigns_id" onchange="campaignchange()">';
echo '<option value="">' . i18n('Choose an appeal') . "</option>\n"; echo '<option value="">' . i18n('Choose an appeal') . "</option>\n";
@ -255,10 +255,10 @@ switch (get_value_from_array($_GET, 'action')) {
if (count($uids)) { if (count($uids)) {
$tq = $pdo->prepare("SELECT * FROM fundraising_campaigns_users_link $tq = $pdo->prepare("SELECT * FROM fundraising_campaigns_users_link
WHERE fundraising_campaigns_id='$r->id' WHERE fundraising_campaigns_id=?
AND users_uid IN (" . implode(',', $uids) . ') AND users_uid IN (" . implode(',', $uids) . ')
'); ');
$tq->execute(); $tq->execute([$r->id]);
if ($tq->rowCount()) { if ($tq->rowCount()) {
$incampaign = i18n('*In Appeal*') . ': '; $incampaign = i18n('*In Appeal*') . ': ';
} else } else
@ -284,8 +284,8 @@ switch (get_value_from_array($_GET, 'action')) {
echo '<option value="">' . i18n('Choose a purpose') . "</option>\n"; echo '<option value="">' . i18n('Choose a purpose') . "</option>\n";
// FIXME: only show campaigns that they were included as part of // FIXME: only show campaigns that they were included as part of
// we need a campaigns_users_link or campaigns_sponsors_link or something // we need a campaigns_users_link or campaigns_sponsors_link or something
$q = $pdo->prepare("SELECT * FROM fundraising_goals WHERE fiscalyear='{$config['FISCALYEAR']}' ORDER BY name"); $q = $pdo->prepare("SELECT * FROM fundraising_goals WHERE fiscalyear=? ORDER BY name");
$q->execute(); $q->execute([$config['FISCALYEAR']]);
while ($r = $q->fetch(PDO::FETCH_OBJ)) { while ($r = $q->fetch(PDO::FETCH_OBJ)) {
echo "<option value=\"$r->goal\">$r->name</option>\n"; echo "<option value=\"$r->goal\">$r->name</option>\n";
} }
@ -365,8 +365,8 @@ switch (get_value_from_array($_GET, 'action')) {
case 'newcontactsearch': case 'newcontactsearch':
if ($_POST['email']) if ($_POST['email'])
$q = $pdo->prepare("SELECT *,MAX(year) FROM users WHERE email='" . trim($_POST['email']) . "' GROUP BY uid HAVING deleted='no'"); $q = $pdo->prepare("SELECT *,MAX(year) FROM users WHERE email=? GROUP BY uid HAVING deleted='no'");
$q->execute(); $q->execute([trim($_POST['email'])]);
if ($r = $q->fetch(PDO::FETCH_OBJ)) { if ($r = $q->fetch(PDO::FETCH_OBJ)) {
echo i18n('There is an exact email address match for %1', array($_POST['email'])); echo i18n('There is an exact email address match for %1', array($_POST['email']));
echo '<ul>'; echo '<ul>';
@ -393,8 +393,8 @@ switch (get_value_from_array($_GET, 'action')) {
if ($_POST['email']) if ($_POST['email'])
$searchstr .= " AND email LIKE '%" . $_POST['email'] . "%'"; $searchstr .= " AND email LIKE '%" . $_POST['email'] . "%'";
$q = $pdo->prepare("SELECT *,MAX(year) FROM users WHERE $searchstr GROUP BY uid HAVING deleted='no'"); $q = $pdo->prepare("SELECT *,MAX(year) FROM users WHERE ? GROUP BY uid HAVING deleted='no'");
$q->execute(); $q->execute([$searchstr]);
$num = $q->rowCount(); $num = $q->rowCount();
if ($num == 0) { if ($num == 0) {
echo i18n('No existing users match, will create a new user'); echo i18n('No existing users match, will create a new user');
@ -453,8 +453,8 @@ switch (get_value_from_array($_GET, 'action')) {
if ($logStr = getDonationString($id)) { if ($logStr = getDonationString($id)) {
save_activityinfo("Removed donation/sponsorship: $logStr", $sponsorid, $_SESSION['users_uid'], 'System'); save_activityinfo("Removed donation/sponsorship: $logStr", $sponsorid, $_SESSION['users_uid'], 'System');
happy_('Donation/sponsorship removed'); happy_('Donation/sponsorship removed');
$q = $pdo->prepare("DELETE FROM fundraising_donations WHERE id='$id' AND sponsors_id='$sponsorid'"); $q = $pdo->prepare("DELETE FROM fundraising_donations WHERE id=? AND sponsors_id=?");
$q->execute(); $q->execute([$id,$sponsorid]);
show_pdo_errors_if_any($pdo); show_pdo_errors_if_any($pdo);
} else { } else {
error_('Invalid donation/sponsorship to remove'); error_('Invalid donation/sponsorship to remove');
@ -474,8 +474,8 @@ function delete_contact()
global $pdo; global $pdo;
if (array_key_exists('userid', $_POST)) { if (array_key_exists('userid', $_POST)) {
$uid = $_POST['userid']; $uid = $_POST['userid'];
$data = $pdo->prepare("SELECT CONCAT_WS(' ', users.firstname, users.lastname) AS name FROM users WHERE id=" . $uid); $data = $pdo->prepare("SELECT CONCAT_WS(' ', users.firstname, users.lastname) AS name FROM users WHERE id=?");
$data->execute(); $data->execute([$uid]);
$namedata = $data->fetch(); $namedata = $data->fetch();
$name = trim($namedata['name']); $name = trim($namedata['name']);
user_delete($uid, 'sponsor'); user_delete($uid, 'sponsor');
@ -514,8 +514,8 @@ function save_contact()
// load or create the user, according to the situation // load or create the user, according to the situation
if ($_POST['recordtype'] == 'new') { if ($_POST['recordtype'] == 'new') {
if ($_POST['email']) { if ($_POST['email']) {
$q = $pdo->prepare("SELECT *,MAX(year) FROM users WHERE email='" . trim($_POST['email']) . "' GROUP BY uid HAVING deleted='no'"); $q = $pdo->prepare("SELECT *,MAX(year) FROM users WHERE email=? GROUP BY uid HAVING deleted='no'");
$q->execute(); $q->execute([trim($_POST['email'])]);
if ($q->rowCount()) { if ($q->rowCount()) {
error_('A user with that email address already exists'); error_('A user with that email address already exists');
exit; exit;
@ -544,12 +544,12 @@ function save_contact()
FROM users_sponsor, users FROM users_sponsor, users
WHERE WHERE
users_sponsor.users_id=users.id users_sponsor.users_id=users.id
AND sponsors_id='$sponsor_id' AND sponsors_id=?
AND `primary`='yes' AND `primary`='yes'
AND year='" . $config['FAIRYEAR'] . "' AND year=?
AND users_id!='$id'"; AND users_id!=?";
$q = $pdo->prepare($query); $q = $pdo->prepare($query);
$q->execute(); $q->execute([$sponsor_id,$config['FAIRYEAR'],$id]);
if ($q->rowCount() == 0) { if ($q->rowCount() == 0) {
/* This has to be the primary since there isn't one already */ /* This has to be the primary since there isn't one already */
$p = 'yes'; $p = 'yes';
@ -557,8 +557,8 @@ function save_contact()
} else { } else {
/* Unset all other primaries */ /* Unset all other primaries */
$q = $pdo->prepare("UPDATE users_sponsor SET `primary`='no' $q = $pdo->prepare("UPDATE users_sponsor SET `primary`='no'
WHERE sponsors_id='$sponsor_id' AND users_id != '$id'"); WHERE sponsors_id=? AND users_id !=?");
$q->execute(); $q->execute([$sponsor_id,$id]);
} }
// we now know whether or not they're the primary user. Update them with that, // we now know whether or not they're the primary user. Update them with that,
@ -624,13 +624,13 @@ function draw_contactsinfo_form($contact = null)
// loop through each contact and draw a form with their data in it. // loop through each contact and draw a form with their data in it.
$query = $pdo->prepare("SELECT *,MAX(year) FROM users LEFT JOIN users_sponsor ON users_sponsor.users_id=users.id $query = $pdo->prepare("SELECT *,MAX(year) FROM users LEFT JOIN users_sponsor ON users_sponsor.users_id=users.id
WHERE WHERE
sponsors_id='" . $sponsor_id . "' sponsors_id=?
AND types LIKE '%sponsor%' AND types LIKE '%sponsor%'
GROUP BY uid GROUP BY uid
HAVING deleted='no' HAVING deleted='no'
ORDER BY users_sponsor.primary DESC,lastname,firstname ORDER BY users_sponsor.primary DESC,lastname,firstname
"); ");
$query->execute(); $query->execute([$sponsor_id]);
show_pdo_errors_if_any($pdo); show_pdo_errors_if_any($pdo);
while ($contact = $query->fetch()) { while ($contact = $query->fetch()) {
@ -665,8 +665,8 @@ function draw_contact_form($sponsor_id, $contact = null)
global $salutations, $config, $pdo; global $salutations, $config, $pdo;
// grab the sponsor details, so we can do diff things for individual vs organization // grab the sponsor details, so we can do diff things for individual vs organization
$q = $pdo->prepare("SELECT * FROM sponsors WHERE id='$sponsor_id'"); $q = $pdo->prepare("SELECT * FROM sponsors WHERE id=?");
$q->execute(); $q->execute([$sponsor_id]);
$sponsor = $q->fetch(PDO::FETCH_OBJ); $sponsor = $q->fetch(PDO::FETCH_OBJ);
if ($contact != null) { if ($contact != null) {
@ -816,8 +816,8 @@ function draw_activityinfo_form()
</td> </td>
<td align="center"> <td align="center">
<?php <?php
$q = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE fiscalyear='{$config['FISCALYEAR']}' ORDER BY name"); $q = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE fiscalyear=? ORDER BY name");
$q->execute(); $q->execute([$config['FISCALYEAR']]);
echo '<select name="fundraising_campaigns_id">'; echo '<select name="fundraising_campaigns_id">';
echo '<option value="">' . i18n('Choose Appeal') . "</option>\n"; echo '<option value="">' . i18n('Choose Appeal') . "</option>\n";
while ($r = $q->fetch(PDO::FETCH_OBJ)) { while ($r = $q->fetch(PDO::FETCH_OBJ)) {
@ -890,10 +890,10 @@ function getDonationString($id)
fundraising_campaigns.name AS campaignname fundraising_campaigns.name AS campaignname
FROM fundraising_donations FROM fundraising_donations
LEFT JOIN fundraising_campaigns ON fundraising_donations.fundraising_campaigns_id=fundraising_campaigns.id LEFT JOIN fundraising_campaigns ON fundraising_donations.fundraising_campaigns_id=fundraising_campaigns.id
WHERE fundraising_donations.id='$id' WHERE fundraising_donations.id=?
AND fundraising_donations.fiscalyear='{$config['FISCALYEAR']}' AND fundraising_donations.fiscalyear=?
"); ");
$q->execute(); $q->execute([$id,$config['FISCALYEAR']]);
show_pdo_errors_if_any($pdo); show_pdo_errors_if_any($pdo);
$str = ''; $str = '';
if ($r = $q->fetch(PDO::FETCH_OBJ)) { if ($r = $q->fetch(PDO::FETCH_OBJ)) {

8
admin/donors_search.php
View File

@ -52,12 +52,12 @@ $lastyear = $config['FISCALYEAR'] - 1;
$rows = array(); $rows = array();
while ($r = $q->fetch(PDO::FETCH_OBJ)) { while ($r = $q->fetch(PDO::FETCH_OBJ)) {
$cq = $pdo->prepare("SELECT SUM(value) AS total FROM fundraising_donations WHERE sponsors_id='$r->id' AND status='received' AND fiscalyear='$thisyear'"); $cq = $pdo->prepare("SELECT SUM(value) AS total FROM fundraising_donations WHERE sponsors_id=? AND status='received' AND fiscalyear=?");
$cq->execute(); $cq->execute([$r->id,$thisyear]);
$cr = $cq->fetch(PDO::FETCH_OBJ); $cr = $cq->fetch(PDO::FETCH_OBJ);
$thisyeartotal = $cr->total; $thisyeartotal = $cr->total;
$cq = $pdo->prepare("SELECT SUM(value) AS total FROM fundraising_donations WHERE sponsors_id='$r->id' AND status='received' AND fiscalyear='$lastyear'"); $cq = $pdo->prepare("SELECT SUM(value) AS total FROM fundraising_donations WHERE sponsors_id=? AND status='received' AND fiscalyear=?");
$cq->execute(); $cq->execute([$r->id,$lastyear]);
$cr = $cq->fetch(PDO::FETCH_OBJ); $cr = $cq->fetch(PDO::FETCH_OBJ);
$lastyeartotal = $cr->total; $lastyeartotal = $cr->total;
if ($lastyeartotal) if ($lastyeartotal)

24
admin/exhibithall_sa.php
View File

@ -236,8 +236,8 @@ while ($r = $q->fetch(PDO::FETCH_OBJ)) {
TRACE("Loading Project Age Categories...\n"); TRACE("Loading Project Age Categories...\n");
$cat = array(); $cat = array();
$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year='{$config['FAIRYEAR']}' ORDER BY id"); $q = $pdo->prepare("SELECT * FROM projectcategories WHERE year=? ORDER BY id");
$q->execute(); $q->execute([$config['FAIRYEAR']]);
while ($r = $q->fetch(PDO::FETCH_OBJ)) { while ($r = $q->fetch(PDO::FETCH_OBJ)) {
$catshort[$r->id] = $r->category_shortform; $catshort[$r->id] = $r->category_shortform;
$cat[$r->id] = $r->category; $cat[$r->id] = $r->category;
@ -248,13 +248,13 @@ TRACE("Loading Projects...\n");
$projects = array(); $projects = array();
$q = $pdo->prepare("SELECT projects.* FROM projects, registrations $q = $pdo->prepare("SELECT projects.* FROM projects, registrations
WHERE WHERE
projects.year='{$config['FAIRYEAR']}' projects.year=?
AND registrations.id = projects.registrations_id AND registrations.id = projects.registrations_id
" . getJudgingEligibilityCode()); " . getJudgingEligibilityCode());
$q->execute(); $q->execute([$config['FAIRYEAR']]);
while ($p = $q->fetch(PDO::FETCH_OBJ)) { while ($p = $q->fetch(PDO::FETCH_OBJ)) {
$qq = $pdo->prepare("SELECT grade,schools_id FROM students WHERE registrations_id='{$p->registrations_id}'"); $qq = $pdo->prepare("SELECT grade,schools_id FROM students WHERE registrations_id=?");
$qq->execute(); $qq->execute([$p->registrations_id]);
$num_students = $qq->rowCouunt(); $num_students = $qq->rowCouunt();
$grade = 0; $grade = 0;
$schools_id = 0; $schools_id = 0;
@ -286,8 +286,8 @@ if ($action == 'pn') {
$n = sprintf('%03d', $p['floornumber']); $n = sprintf('%03d', $p['floornumber']);
$pn = "$c $n $d"; $pn = "$c $n $d";
TRACE("Project {$p['projects_id']} at loc {$p['floornumber']}: $pn\n"); TRACE("Project {$p['projects_id']} at loc {$p['floornumber']}: $pn\n");
$q = $pdo->prepare("UPDATE projects SET projectnumber='$pn' WHERE id='{$p['projects_id']}'"); $q = $pdo->prepare("UPDATE projects SET projectnumber=? WHERE id=?");
$q->execute(); $q->execute([$pn,$p['projects_id']]);
} }
TRACE("Done.\n"); TRACE("Done.\n");
exit; exit;
@ -629,12 +629,12 @@ for ($x = 0; $x < $a->num_buckets; $x++) {
print_r($projects); print_r($projects);
/* Assign floor numbers */ /* Assign floor numbers */
$q = $pdo->prepare("UPDATE projects SET floornumber=0 WHERE year='{$config['FAIRYEAR']}'"); $q = $pdo->prepare("UPDATE projects SET floornumber=0 WHERE year=?");
$q->execute(); $q->execute($config['FAIRYEAR']);
foreach ($projects as $pid => $p) { foreach ($projects as $pid => $p) {
$q = $pdo->prepare("UPDATE projects SET floornumber='{$p['floornumber']}' WHERE id='$pid'"); $q = $pdo->prepare("UPDATE projects SET floornumber=? WHERE id=?");
$q->execute(); $q->execute([$p['floornumber'],$pid]);
TRACE("Project $pid => Floor number {$p['floornumber']}\n"); TRACE("Project $pid => Floor number {$p['floornumber']}\n");
} }

18
admin/export_checkin.php
View File

@ -28,8 +28,8 @@ require_once ('../user.inc.php');
user_auth_required('committee', 'admin'); user_auth_required('committee', 'admin');
require ('../lpdf.php'); require ('../lpdf.php');
$catq = $pdo->prepare("SELECT * FROM projectcategories WHERE year='" . $config['FAIRYEAR'] . "' AND id='" . $_GET['cat'] . "'"); $catq = $pdo->prepare("SELECT * FROM projectcategories WHERE year=? AND id=?");
$catq->execute(); $catq->execute([$config['FAIRYEAR'],$_GET['cat']]);
if ($catr = $catq->fetch(PDO::FETCH_OBJ)) { if ($catr = $catq->fetch(PDO::FETCH_OBJ)) {
$pdf = new lpdf(i18n($config['fairname']), $pdf = new lpdf(i18n($config['fairname']),
i18n('Checkin List') . ' - ' . i18n($catr->category), i18n('Checkin List') . ' - ' . i18n($catr->category),
@ -47,13 +47,13 @@ if ($catr = $catq->fetch(PDO::FETCH_OBJ)) {
registrations registrations
left outer join projects on projects.registrations_id=registrations.id left outer join projects on projects.registrations_id=registrations.id
WHERE WHERE
registrations.year='" . $config['FAIRYEAR'] . "' registrations.year=?
AND ( registrations.status='complete' OR registrations.status='paymentpending' ) AND ( registrations.status='complete' OR registrations.status='paymentpending' )
AND projects.projectcategories_id='$catr->id' AND projects.projectcategories_id=?
ORDER BY ORDER BY
projects.title projects.title
"); ");
$q->execute(); $q->execute([$config['FAIRYEAR'],$catr->id]);
show_pdo_errors_if_any($pdo); show_pdo_errors_if_any($pdo);
$table = array(); $table = array();
@ -69,8 +69,8 @@ if ($catr = $catq->fetch(PDO::FETCH_OBJ)) {
$table['dataalign'] = array('left', 'left', 'left', 'center'); $table['dataalign'] = array('left', 'left', 'left', 'center');
} }
while ($r = $q->fetch(PDO::FETCH_OBJ)) { while ($r = $q->fetch(PDO::FETCH_OBJ)) {
$divq = $pdo->prepare("SELECT division,division_shortform FROM projectdivisions WHERE year='" . $config['FAIRYEAR'] . "' AND id='" . $r->projectdivisions_id . "'"); $divq = $pdo->prepare("SELECT division,division_shortform FROM projectdivisions WHERE year=? AND id=?");
$divq->execute(); $divq->execute([$config['FAIRYEAR'],$r->projectdivisions_id]);
$divr = $divq->fetch(PDO::FETCH_OBJ); $divr = $divq->fetch(PDO::FETCH_OBJ);
$sq = $pdo->prepare("SELECT students.firstname, $sq = $pdo->prepare("SELECT students.firstname,
@ -78,9 +78,9 @@ if ($catr = $catq->fetch(PDO::FETCH_OBJ)) {
FROM FROM
students students
WHERE WHERE
students.registrations_id='$r->reg_id' students.registrations_id=?
"); ");
$sq->execute(); $sq->execute([$r->reg_id]);
$students = ''; $students = '';
$studnum = 0; $studnum = 0;

36
admin/fair_stats.php
View File

@ -96,8 +96,8 @@ else
$fairs_id = -1; $fairs_id = -1;
if ($fairs_id != -1) { if ($fairs_id != -1) {
$q = $pdo->prepare("SELECT * FROM fairs WHERE id='$fairs_id'"); $q = $pdo->prepare("SELECT * FROM fairs WHERE id=?");
$q->execute(); $q->execute([$fairs_id]);
$fair = $q->fetch(PDO::FETCH_ASSOC); $fair = $q->fetch(PDO::FETCH_ASSOC);
} }
@ -225,8 +225,8 @@ if (is_array(get_value_from_array($data, 'stats'))) {
/* And now, overwrite all the stuff we pulled down with stats we can compute */ /* And now, overwrite all the stuff we pulled down with stats we can compute */
// number of schools // number of schools
$q = $pdo->prepare("SELECT COUNT(id) AS num FROM schools WHERE year='$year'"); $q = $pdo->prepare("SELECT COUNT(id) AS num FROM schools WHERE year=?");
$q->execute(); $q->execute([$year]);
$r = $q->fetch(PDO::FETCH_OBJ); $r = $q->fetch(PDO::FETCH_OBJ);
$stats['schools_total'] = $r->num; $stats['schools_total'] = $r->num;
@ -235,10 +235,10 @@ $q = $pdo->prepare("SELECT DISTINCT(students.schools_id) AS sid, schools.*
\t\t \tFROM students \t\t \tFROM students
LEFT JOIN registrations ON students.registrations_id=registrations.id LEFT JOIN registrations ON students.registrations_id=registrations.id
LEFT JOIN schools ON students.schools_id=schools.id LEFT JOIN schools ON students.schools_id=schools.id
WHERE students.year='$year' WHERE students.year=?
AND registrations.year='$year' AND registrations.year=?
AND (registrations.status='complete' OR registrations.status='paymentpending')"); AND (registrations.status='complete' OR registrations.status='paymentpending')");
$q->execute(); $q->execute([$year,$year]);
$stats['schools_active'] = $q->rowCount(); $stats['schools_active'] = $q->rowCount();
$stats['schools_public'] = 0; $stats['schools_public'] = 0;
$stats['schools_private'] = 0; $stats['schools_private'] = 0;
@ -262,10 +262,10 @@ $q = $pdo->prepare("SELECT students.*,schools.*
\t \t\tFROM students \t \t\tFROM students
LEFT JOIN registrations ON students.registrations_id=registrations.id LEFT JOIN registrations ON students.registrations_id=registrations.id
LEFT JOIN schools on students.schools_id=schools.id LEFT JOIN schools on students.schools_id=schools.id
WHERE students.year='$year' WHERE students.year=?
AND registrations.year='$year' AND registrations.year=?
AND (registrations.status='complete' OR registrations.status='paymentpending')"); AND (registrations.status='complete' OR registrations.status='paymentpending')");
$q->execute(); $q->execute([$year,$year]);
show_pdo_errors_if_any($pdo); show_pdo_errors_if_any($pdo);
$stats['students_total'] = $q->rowCount(); $stats['students_total'] = $q->rowCount();
$stats['students_public'] = 0; $stats['students_public'] = 0;
@ -304,12 +304,12 @@ foreach ($unknown as $g => $a) {
$q = $pdo->prepare("SELECT MAX(students.grade) AS grade FROM students $q = $pdo->prepare("SELECT MAX(students.grade) AS grade FROM students
\t \t\tLEFT JOIN registrations ON students.registrations_id=registrations.id \t \t\tLEFT JOIN registrations ON students.registrations_id=registrations.id
LEFT JOIN projects ON projects.registrations_id=registrations.id LEFT JOIN projects ON projects.registrations_id=registrations.id
WHERE students.year='$year' WHERE students.year=?
AND registrations.year='$year' AND registrations.year=?
AND projects.year='$year' AND projects.year=?
AND (registrations.status='complete' OR registrations.status='paymentpending') AND (registrations.status='complete' OR registrations.status='paymentpending')
GROUP BY projects.id"); GROUP BY projects.id");
$q->execute(); $q->execute([$year,$year,$year]);
show_pdo_errors_if_any($pdo); show_pdo_errors_if_any($pdo);
while ($r = $q->fetch(PDO::FETCH_ASSOC)) { while ($r = $q->fetch(PDO::FETCH_ASSOC)) {
$stats["projects_{$grademap[$r['grade']]}"]++; $stats["projects_{$grademap[$r['grade']]}"]++;
@ -318,20 +318,20 @@ while ($r = $q->fetch(PDO::FETCH_ASSOC)) {
$q = $pdo->prepare("SELECT COUNT(id) AS num FROM users $q = $pdo->prepare("SELECT COUNT(id) AS num FROM users
\t\t\t\tLEFT JOIN users_committee ON users_committee.users_id=users.id \t\t\t\tLEFT JOIN users_committee ON users_committee.users_id=users.id
\t \t\tWHERE types LIKE '%committee%' \t \t\tWHERE types LIKE '%committee%'
AND year='$year' AND year=?
AND users_committee.committee_active='yes' AND users_committee.committee_active='yes'
AND deleted='no'"); AND deleted='no'");
$q->execute(); $q->execute([$year]);
$r = $q->fetch(PDO::FETCH_OBJ); $r = $q->fetch(PDO::FETCH_OBJ);
$stats['committee_members'] = $r->num; $stats['committee_members'] = $r->num;
$q = $pdo->prepare("SELECT COUNT(id) AS num FROM users LEFT JOIN users_judge ON users_judge.users_id=users.id $q = $pdo->prepare("SELECT COUNT(id) AS num FROM users LEFT JOIN users_judge ON users_judge.users_id=users.id
\t\t\t\t\tWHERE users.year='$year' \t\t\t\t\tWHERE users.year=?
AND users.types LIKE '%judge%' AND users.types LIKE '%judge%'
AND users.deleted='no' AND users.deleted='no'
AND users_judge.judge_complete='yes' AND users_judge.judge_complete='yes'
AND users_judge.judge_active='yes'"); AND users_judge.judge_active='yes'");
$q->execute(); $q->execute([$year]);
$r = $q->fetch(PDO::FETCH_OBJ); $r = $q->fetch(PDO::FETCH_OBJ);
$stats['judges'] = $r->num; $stats['judges'] = $r->num;

8
admin/fair_stats_select.php
View File

@ -52,8 +52,8 @@
} }
} }
$s = join(',', $_POST['stats']); $s = join(',', $_POST['stats']);
$q = $pdo->prepare("UPDATE fairs SET gather_stats='$s' WHERE id='$id'"); $q = $pdo->prepare("UPDATE fairs SET gather_stats=? WHERE id=?");
$q->execute(); $q->execute([$s,$id]);
show_pdo_errors_if_any($pdo); show_pdo_errors_if_any($pdo);
echo "UPDATE fairs SET gather_stats='$s' WHERE id='$id'"; echo "UPDATE fairs SET gather_stats='$s' WHERE id='$id'";
happy_("Saved"); happy_("Saved");
@ -63,8 +63,8 @@
/* Load the user we're editting */ /* Load the user we're editting */
$u = user_load($_SESSION['embed_edit_id']); $u = user_load($_SESSION['embed_edit_id']);
/* Load the fair attached to the user */ /* Load the fair attached to the user */
$q = $pdo->prepare("SELECT * FROM fairs WHERE id={$u['fairs_id']}"); $q = $pdo->prepare("SELECT * FROM fairs WHERE id=?");
$q->execute(); $q->execute([$u['fairs_id']]);
$f = $q->fetch(PDO::FETCH_ASSOC); $f = $q->fetch(PDO::FETCH_ASSOC);
?> ?>

84
admin/fundraising_campaigns.php
View File

@ -35,8 +35,8 @@ switch (get_value_from_array($_GET, 'action')) {
case 'modify': case 'modify':
echo "<div id=\"campaignaccordion\" style=\"width: 780px;\">\n"; echo "<div id=\"campaignaccordion\" style=\"width: 780px;\">\n";
$q = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE fiscalyear='{$config['FISCALYEAR']}' ORDER BY name"); $q = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE fiscalyear=? ORDER BY name");
$q->execute(); $q->execute([$config['FISCALYEAR']]);
while ($r = $q->fetch(PDO::FETCH_OBJ)) { while ($r = $q->fetch(PDO::FETCH_OBJ)) {
echo '<h3><a href="#">' . htmlspecialchars($r->name) . "</a></h3>\n"; echo '<h3><a href="#">' . htmlspecialchars($r->name) . "</a></h3>\n";
echo "<div id=\"campaign_{$r->id}\">\n"; echo "<div id=\"campaign_{$r->id}\">\n";
@ -92,14 +92,14 @@ case 'managelist':
</tr> </tr>
</thead> </thead>
<? <?
$q = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE fiscalyear='{$config['FISCALYEAR']}'"); $q = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE fiscalyear=?");
$q->execute(); $q->execute([$config['FISCALYEAR']]);
while ($r = $q->fetch(PDO::FETCH_OBJ)) { while ($r = $q->fetch(PDO::FETCH_OBJ)) {
$goalq = $pdo->prepare("SELECT * FROM fundraising_goals WHERE goal='{$r->fundraising_goal}' AND fiscalyear='{$config['FISCALYEAR']}'"); $goalq = $pdo->prepare("SELECT * FROM fundraising_goals WHERE goal=? AND fiscalyear=?");
$goalq->execute(); $goalq->execute([$r->fundraising_goal,$config['FISCALYEAR']]);
$goalr = $goalq->fetch(PDO::FETCH_OBJ); $goalr = $goalq->fetch(PDO::FETCH_OBJ);
$recq = $pdo->prepare("SELECT SUM(value) AS received FROM fundraising_donations WHERE fundraising_campaigns_id='$r->id' AND fiscalyear='{$config['FISCALYEAR']}' AND status='received'"); $recq = $pdo->prepare("SELECT SUM(value) AS received FROM fundraising_donations WHERE fundraising_campaigns_id=? AND fiscalyear=? AND status='received'");
$recq->execute(); $recq->execute([$r->id,$config['FISCALYEAR']]);
show_pdo_errors_if_any($pdo); show_pdo_errors_if_any($pdo);
$recr = $recq->fetch(PDO::FETCH_OBJ); $recr = $recq->fetch(PDO::FETCH_OBJ);
$received = $recr->received; $received = $recr->received;
@ -139,8 +139,8 @@ case 'managelist':
exit; exit;
} }
$id = intval($_GET['id']); $id = intval($_GET['id']);
$q = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE id='$id'"); $q = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE id=?");
$q->execute(); $q->execute([$id]);
$campaign = $q->fetch(PDO::FETCH_OBJ); $campaign = $q->fetch(PDO::FETCH_OBJ);
echo "<h3>$campaign->name</h3>\n"; echo "<h3>$campaign->name</h3>\n";
?> ?>
@ -171,12 +171,12 @@ case 'managelist':
case 'manage_tab_overview': case 'manage_tab_overview':
$campaign_id = intval($_GET['id']); $campaign_id = intval($_GET['id']);
$q = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE id='$campaign_id' AND fiscalyear='{$config['FISCALYEAR']}'"); $q = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE id=? AND fiscalyear=?");
$q->execute(); $q->execute([$campaign_id,$config['FISCALYEAR']]);
if ($r = $q->fetch(PDO::FETCH_OBJ)) { if ($r = $q->fetch(PDO::FETCH_OBJ)) {
$goalr = getGoal($r->fundraising_goal); $goalr = getGoal($r->fundraising_goal);
$recq = $pdo->prepare("SELECT SUM(value) AS received FROM fundraising_donations WHERE fundraising_campaigns_id='$r->id' AND fiscalyear='{$config['FISCALYEAR']}' AND status='received'"); $recq = $pdo->prepare("SELECT SUM(value) AS received FROM fundraising_donations WHERE fundraising_campaigns_id=? AND fiscalyear=? AND status='received'");
$recq->execute(); $recq->execute([$r->id,$config['FISCALYEAR']]);
show_pdo_errors_if_any($pdo); show_pdo_errors_if_any($pdo);
$recr = recq->fetch(PDO::FETCH_OBJ); $recr = recq->fetch(PDO::FETCH_OBJ);
$received = $recr->received; $received = $recr->received;
@ -209,8 +209,8 @@ case 'managelist':
case 'manage_tab_donations': case 'manage_tab_donations':
$campaign_id = intval($_GET['id']); $campaign_id = intval($_GET['id']);
$q = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE id='$campaign_id' AND fiscalyear='{$config['FISCALYEAR']}'"); $q = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE id=? AND fiscalyear=?");
$q->execute(); $q->execute([$campaign_id,$config['FISCALYEAR']]);
if ($campaign = $q->fetch(PDO::FETCH_OBJ)) { if ($campaign = $q->fetch(PDO::FETCH_OBJ)) {
echo '<table class="tableview">'; echo '<table class="tableview">';
echo '<thead>'; echo '<thead>';
@ -227,8 +227,8 @@ case 'managelist':
\t\t\tAND status='received' ORDER BY datereceived DESC"); \t\t\tAND status='received' ORDER BY datereceived DESC");
while ($r = $q->fetch(PDO::FETCH_OBJ)) { while ($r = $q->fetch(PDO::FETCH_OBJ)) {
$goal = getGoal($r->fundraising_goal); $goal = getGoal($r->fundraising_goal);
$sq = $pdo->prepare("SELECT * FROM sponsors WHERE id='{$r->sponsors_id}'"); $sq = $pdo->prepare("SELECT * FROM sponsors WHERE id=?");
$sq->execute(); $sq->execute([$r->sponsors_id]);
$sponsor = $sq->fetch(PDO::FETCH_OBJ); $sponsor = $sq->fetch(PDO::FETCH_OBJ);
echo '<tr><td>' . format_date($r->datereceived) . "</td>\n"; echo '<tr><td>' . format_date($r->datereceived) . "</td>\n";
echo ' <td>' . $sponsor->organization . "</td>\n"; echo ' <td>' . $sponsor->organization . "</td>\n";
@ -258,8 +258,8 @@ case 'managelist':
'mentor' => 'Mentor (not implemented)', 'mentor' => 'Mentor (not implemented)',
); );
$campaign_id = intval($_GET['id']); $campaign_id = intval($_GET['id']);
$q = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE id='$campaign_id' AND fiscalyear='{$config['FISCALYEAR']}'"); $q = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE id=? AND fiscalyear=?");
$q->execute(); $q->execute([$campaign_id,$config['FISCALYEAR']]);
$campaign = $q->fetch(PDO::FETCH_OBJ); $campaign = $q->fetch(PDO::FETCH_OBJ);
if ($campaign->filterparameters) { if ($campaign->filterparameters) {
echo '<h4>' . i18n('User List') . "</h4>\n"; echo '<h4>' . i18n('User List') . "</h4>\n";
@ -307,8 +307,8 @@ case 'managelist':
echo '<br />'; echo '<br />';
echo "<form id=\"prospectremoveform\" onsubmit=\"return removeselectedprospects()\">\n"; echo "<form id=\"prospectremoveform\" onsubmit=\"return removeselectedprospects()\">\n";
echo "<input type=\"hidden\" name=\"fundraising_campaigns_id\" value=\"$campaign_id\" />\n"; echo "<input type=\"hidden\" name=\"fundraising_campaigns_id\" value=\"$campaign_id\" />\n";
$q = $pdo->prepare("SELECT * FROM fundraising_campaigns_users_link WHERE fundraising_campaigns_id='$campaign_id'"); $q = $pdo->prepare("SELECT * FROM fundraising_campaigns_users_link WHERE fundraising_campaigns_id=?");
$q->execute(); $q->execute([$campaign_id]);
while ($r = $q->fetch(PDO::FETCH_OBJ)) { while ($r = $q->fetch(PDO::FETCH_OBJ)) {
$u = user_load_by_uid($r->users_uid); $u = user_load_by_uid($r->users_uid);
// hopefully this never returns false, but who knows.. // hopefully this never returns false, but who knows..
@ -359,8 +359,8 @@ case 'managelist':
</td></tr> </td></tr>
<tr><td><?= i18n('Donation Level') ?>:</td><td> <tr><td><?= i18n('Donation Level') ?>:</td><td>
<? <?
$q = $pdo->prepare("SELECT * FROM fundraising_donor_levels WHERE fiscalyear='{$config['FISCALYEAR']}' ORDER BY min"); $q = $pdo->prepare("SELECT * FROM fundraising_donor_levels WHERE fiscalyear=? ORDER BY min");
$q->execute(); $q->execute([$config['FISCALYEAR']]);
while ($r = $q->fetch(PDO::FETCH_OBJ)) { while ($r = $q->fetch(PDO::FETCH_OBJ)) {
echo "<label><input onchange=\"return prospect_search()\" disabled=\"disabled\" type=\"checkbox\" name=\"donationlevel[]\" value=\"$r->level\" >" . i18n($r->level) . ' (' . format_money($r->min, false) . ' - ' . format_money($r->max, false) . ")</label><br />\n"; echo "<label><input onchange=\"return prospect_search()\" disabled=\"disabled\" type=\"checkbox\" name=\"donationlevel[]\" value=\"$r->level\" >" . i18n($r->level) . ' (' . format_money($r->min, false) . ' - ' . format_money($r->max, false) . ")</label><br />\n";
} }
@ -408,8 +408,8 @@ case 'managelist':
case 'manage_tab_communications': case 'manage_tab_communications':
$campaign_id = intval($_GET['id']); $campaign_id = intval($_GET['id']);
$q = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE id='$campaign_id' AND fiscalyear='{$config['FISCALYEAR']}'"); $q = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE id=? AND fiscalyear=?");
$q->execute(); $q->execute([$campaign_id,$config['FISCALYEAR']]);
if ($r = $q->fetch(PDO::FETCH_OBJ)) { if ($r = $q->fetch(PDO::FETCH_OBJ)) {
} }
$communications = array('initial' => 'Initial Communication', $communications = array('initial' => 'Initial Communication',
@ -418,8 +418,8 @@ case 'managelist':
foreach ($communications as $key => $name) { foreach ($communications as $key => $name) {
echo '<h4>' . i18n($name) . "</h4>\n"; echo '<h4>' . i18n($name) . "</h4>\n";
// check if they have one in the emails database // check if they have one in the emails database
$q = $pdo->prepare("SELECT * FROM emails WHERE fundraising_campaigns_id='$campaign_id' AND val='$key'"); $q = $pdo->prepare("SELECT * FROM emails WHERE fundraising_campaigns_id=? AND val=?");
$q->execute(); $q->execute([$campaign_id,$key]);
if ($email = $q->fetch(PDO::FETCH_OBJ)) { if ($email = $q->fetch(PDO::FETCH_OBJ)) {
echo '<div style="float: right; margin-right: 15px;">'; echo '<div style="float: right; margin-right: 15px;">';
echo "<a title=\"Edit\" href=\"#\" onclick=\"return opencommunicationeditor(null,$email->id,$campaign_id)\"><img src=\"" . $config['SFIABDIRECTORY'] . '/images/16/edit.' . $config['icon_extension'] . '" border=0></a>'; echo "<a title=\"Edit\" href=\"#\" onclick=\"return opencommunicationeditor(null,$email->id,$campaign_id)\"><img src=\"" . $config['SFIABDIRECTORY'] . '/images/16/edit.' . $config['icon_extension'] . '" border=0></a>';
@ -471,12 +471,12 @@ case 'managelist':
show_pdo_errors_if_any($pdo); show_pdo_errors_if_any($pdo);
} }
// if theres nobody left in the list we need to reset the filter params as well // if theres nobody left in the list we need to reset the filter params as well
$q = $pdo->prepare("SELECT COUNT(*) AS num FROM fundraising_campaigns_users_link WHERE fundraising_campaigns_id='$campaignid'"); $q = $pdo->prepare("SELECT COUNT(*) AS num FROM fundraising_campaigns_users_link WHERE fundraising_campaigns_id=?");
$q->execute(); $q->execute([$campaignid]);
$r = $q->fetch(PDO::FETCH_OBJ); $r = $q->fetch(PDO::FETCH_OBJ);
if ($r->num == 0) { if ($r->num == 0) {
$stmt = $pdo->prepare("UPDATE fundraising_campaigns SET filterparameters=NULL WHERE id='$campaignid'"); $stmt = $pdo->prepare("UPDATE fundraising_campaigns SET filterparameters=NULL WHERE id=?");
$stmt->execute(); $stmt->execute([$campaignid]);
} }
happy_('Selected users removed from list'); happy_('Selected users removed from list');
@ -485,10 +485,10 @@ case 'managelist':
case 'prospect_removeall': case 'prospect_removeall':
$campaignid = intval($_POST['fundraising_campaigns_id']); $campaignid = intval($_POST['fundraising_campaigns_id']);
$stmt = $pdo->prepare("DELETE FROM fundraising_campaigns_users_link WHERE fundraising_campaigns_id='$campaignid'"); $stmt = $pdo->prepare("DELETE FROM fundraising_campaigns_users_link WHERE fundraising_campaigns_id=?");
$stmt->execute(); $stmt->execute([$campaignid]);
$stmt = $pdo->prepare("UPDATE fundraising_campaigns SET filterparameters=NULL WHERE id='$campaignid'"); $stmt = $pdo->prepare("UPDATE fundraising_campaigns SET filterparameters=NULL WHERE id=?");
$stmt->execute(); $stmt->execute([$campaignid]);
happy_('All users removed from list'); happy_('All users removed from list');
exit; exit;
break; break;
@ -496,14 +496,14 @@ case 'managelist':
case 'communication_remove': case 'communication_remove':
$emails_id = $_POST['id']; $emails_id = $_POST['id'];
// check if its been sent, if so, it cannot be deleted, sorry! // check if its been sent, if so, it cannot be deleted, sorry!
$q = $pdo->prepare("SELECT * FROM emails WHERE id='$emails_id'"); $q = $pdo->prepare("SELECT * FROM emails WHERE id=?");
$q->execute(); $q->execute([$emails_id]);
$e = $q->fetch(PDO::FETCH_OBJ); $e = $q->fetch(PDO::FETCH_OBJ);
if ($e->lastsent) { if ($e->lastsent) {
error_('Cannot remove an email that has already been sent'); error_('Cannot remove an email that has already been sent');
} else { } else {
$stmt = $pdo->prepare("DELETE FROM emails WHERE id='$emails_id'"); $stmt = $pdo->prepare("DELETE FROM emails WHERE id=?");
$stmt->execute(); $stmt->execute([$emails_id]);
happy_('Communicaton removed'); happy_('Communicaton removed');
} }
@ -800,8 +800,8 @@ function display_campaign_form($r = null)
<td><?= i18n('Target') ?></td><td>$<input type="text" id="target" name="target" size="10" value="<?= get_value_property_or_default($r, 'target') ?>" /></td> <td><?= i18n('Target') ?></td><td>$<input type="text" id="target" name="target" size="10" value="<?= get_value_property_or_default($r, 'target') ?>" /></td>
<td><?= i18n('Default Purpose') ?></td><td colspan="3"> <td><?= i18n('Default Purpose') ?></td><td colspan="3">
<? <?
$fgq = $pdo->prepare("SELECT * FROM fundraising_goals WHERE fiscalyear='{$config['FISCALYEAR']}' ORDER BY name"); $fgq = $pdo->prepare("SELECT * FROM fundraising_goals WHERE fiscalyear=? ORDER BY name");
$fgq->execute(); $fgq->execute([$config['FISCALYEAR']]);
echo '<select name="fundraising_goal">'; echo '<select name="fundraising_goal">';
echo '<option value="">' . i18n('Choose Default Purpose') . "</option>\n"; echo '<option value="">' . i18n('Choose Default Purpose') . "</option>\n";
while ($fgr = $fgq->fetch(PDO::FETCH_OBJ)) { while ($fgr = $fgq->fetch(PDO::FETCH_OBJ)) {

24
admin/fundraising_campaigns_prospecting.php
View File

@ -140,8 +140,8 @@ $thisyearlist = $userslist;
foreach ($neverlist AS $uid => $u) { foreach ($neverlist AS $uid => $u) {
if ($u['sponsors_id']) { if ($u['sponsors_id']) {
$q = $pdo->prepare("SELECT * FROM fundraising_donations WHERE status='received' AND sponsors_id='{$u['sponsors_id']}'"); $q = $pdo->prepare("SELECT * FROM fundraising_donations WHERE status='received' AND sponsors_id=?");
$q->execute(); $q->execute([$u['sponsors_id']]);
if ($q->rowCount()) { if ($q->rowCount()) {
// echo "removing $uid because they have donated in the past <br />"; // echo "removing $uid because they have donated in the past <br />";
unset($neverlist[$uid]); unset($neverlist[$uid]);
@ -155,8 +155,8 @@ foreach ($neverlist AS $uid => $u) {
foreach ($pastlist AS $uid => $u) { foreach ($pastlist AS $uid => $u) {
if ($u['sponsors_id']) { if ($u['sponsors_id']) {
$q = $pdo->prepare("SELECT * FROM fundraising_donations WHERE status='received' AND sponsors_id='{$u['sponsors_id']}'"); $q = $pdo->prepare("SELECT * FROM fundraising_donations WHERE status='received' AND sponsors_id=?");
$q->execute(); $q->execute([$u['sponsors_id']]);
if (!$q->rowCount()) { if (!$q->rowCount()) {
// echo "removing $uid because they have NOT donated in the past <br />"; // echo "removing $uid because they have NOT donated in the past <br />";
unset($pastlist[$uid]); unset($pastlist[$uid]);
@ -171,8 +171,8 @@ $lastyear = $config['FISCALYEAR'] - 1;
foreach ($lastyearlist AS $uid => $u) { foreach ($lastyearlist AS $uid => $u) {
if ($u['sponsors_id']) { if ($u['sponsors_id']) {
$q = $pdo->prepare("SELECT * FROM fundraising_donations WHERE status='received' AND sponsors_id='{$u['sponsors_id']}' AND fiscalyear='$lastyear'"); $q = $pdo->prepare("SELECT * FROM fundraising_donations WHERE status='received' AND sponsors_id=? AND fiscalyear=?");
$q->execute(); $q->execute([$u['sponsors_id'],$lastyear]);
if (!$q->rowCount()) { if (!$q->rowCount()) {
// echo "removing $uid because they have NOT donated last year <br />"; // echo "removing $uid because they have NOT donated last year <br />";
unset($lastyearlist[$uid]); unset($lastyearlist[$uid]);
@ -185,8 +185,8 @@ foreach ($lastyearlist AS $uid => $u) {
foreach ($thisyearlist AS $uid => $u) { foreach ($thisyearlist AS $uid => $u) {
if ($u['sponsors_id']) { if ($u['sponsors_id']) {
$q = $pdo->prepare("SELECT * FROM fundraising_donations WHERE status='received' AND sponsors_id='{$u['sponsors_id']}' AND fiscalyear='{$config['FISCALYEAR']}'"); $q = $pdo->prepare("SELECT * FROM fundraising_donations WHERE status='received' AND sponsors_id=? AND fiscalyear=?");
$q->execcute(); $q->execute([$u['sponsors_id'],$config['FISCALYEAR']]);
if (!$q->rowCount()) { if (!$q->rowCount()) {
// echo "removing $uid because they have NOT donated this year <br />"; // echo "removing $uid because they have NOT donated this year <br />";
unset($thisyearlist[$uid]); unset($thisyearlist[$uid]);
@ -216,12 +216,12 @@ if ($_GET['generatelist']) {
$campaignid = $_POST['fundraising_campaigns_id']; $campaignid = $_POST['fundraising_campaigns_id'];
$params = serialize($_POST); $params = serialize($_POST);
echo "params=$params"; echo "params=$params";
$stmt = $pdo->prepare("UPDATE fundraising_campaigns SET filterparameters='{$params}' WHERE id='$campaignid'"); $stmt = $pdo->prepare("UPDATE fundraising_campaigns SET filterparameters=? WHERE id=?");
$stmt->execute(); $stmt->execute([$params,$campaignid]);
$uids = array_keys($userslist); $uids = array_keys($userslist);
foreach ($uids AS $u) { foreach ($uids AS $u) {
$stmt = $pdo->prepare("INSERT INTO fundraising_campaigns_users_link (fundraising_campaigns_id, users_uid) VALUES ('$campaignid','$u')"); $stmt = $pdo->prepare("INSERT INTO fundraising_campaigns_users_link (fundraising_campaigns_id, users_uid) VALUES (?,?)");
$stmt->execute(); $stmt->execute([$campaignid,$u]);
} }
echo 'List created'; echo 'List created';

4
admin/fundraising_common.inc.php
View File

@ -5,8 +5,8 @@ $salutations = array('Mr.', 'Mrs.', 'Ms', 'Dr.', 'Professor');
function getGoal($goal) function getGoal($goal)
{ {
global $config, $pdo; global $config, $pdo;
$q = $pdo->prepare("SELECT * FROM fundraising_goals WHERE goal='$goal' AND fiscalyear='{$config['FISCALYEAR']}' LIMIT 1"); $q = $pdo->prepare("SELECT * FROM fundraising_goals WHERE goal=? AND fiscalyear=? LIMIT 1");
$q->execute(); $q->execute([$goal,$config['FISCALYEAR']]);
return $q->fetch(PDO::FETCH_OBJ); return $q->fetch(PDO::FETCH_OBJ);
} }

24
admin/fundraising_goals_handler.inc.php
View File

@ -2,16 +2,16 @@
if ($_POST['action'] == 'funddelete' && $_POST['delete']) { if ($_POST['action'] == 'funddelete' && $_POST['delete']) {
// first lookup all the sponsorships inside the fund // first lookup all the sponsorships inside the fund
$id = intval($_POST['delete']); $id = intval($_POST['delete']);
$q = $pdo->prepare("SELECT * FROM fundraising_goals WHERE id='$id' AND year='" . $config['FISCALYEAR'] . "'"); $q = $pdo->prepare("SELECT * FROM fundraising_goals WHERE id=? AND year=?");
$q->execute(); $q->execute([$id,$config['FISCALYEAR']]);
$f = $q->fetch(PDO::FETCH_OBJ); $f = $q->fetch(PDO::FETCH_OBJ);
// hold yer horses, no deleting system funds! // hold yer horses, no deleting system funds!
if ($f) { if ($f) {
if ($f->system == 'no') { if ($f->system == 'no') {
$stmt = $pdo->prepare("DELETE FROM fundraising_donations WHERE fundraising_goal='" . $f->type . "' AND fiscalyear='" . $config['FISCALYEAR'] . "'"); $stmt = $pdo->prepare("DELETE FROM fundraising_donations WHERE fundraising_goal=? AND fiscalyear=?");
$stmt->execute(); $stmt->execute([$f->type,$config['FISCALYEAR']]);
$stmt = $pdo->prepare("DELETE FROM fundraising_goals WHERE id='$id'"); $stmt = $pdo->prepare("DELETE FROM fundraising_goals WHERE id=?");
$stmt->execute(); $stmt->execute([$id]);
if ($pdo->rowCount()) if ($pdo->rowCount())
happy_('Successfully removed fund %1', array($f->name)); happy_('Successfully removed fund %1', array($f->name));
} else { } else {
@ -23,8 +23,8 @@ if ($_POST['action'] == 'funddelete' && $_POST['delete']) {
if ($_POST['action'] == 'fundedit' || $_POST['action'] == 'fundadd') { if ($_POST['action'] == 'fundedit' || $_POST['action'] == 'fundadd') {
$fundraising_id = intval($_POST['fundraising_id']); $fundraising_id = intval($_POST['fundraising_id']);
if ($fundraising_id) { if ($fundraising_id) {
$q = $pdo->prepare("SELECT * FROM fundraising_goals WHERE id='$fundraising_id'"); $q = $pdo->prepare("SELECT * FROM fundraising_goals WHERE id=?");
$q->execute(); $q->execute([$fundraising_id]);
$f = $q->fetch(PDO::FETCH_OBJ); $f = $q->fetch(PDO::FETCH_OBJ);
$system = $f->system; $system = $f->system;
} }
@ -37,11 +37,11 @@ if ($_POST['action'] == 'fundedit' || $_POST['action'] == 'fundadd') {
if ($_POST['action'] == 'fundedit') { if ($_POST['action'] == 'fundedit') {
if (($system == 'yes' && $budget) || ($system == 'no' && $budget && $goal && $name)) { if (($system == 'yes' && $budget) || ($system == 'no' && $budget && $goal && $name)) {
if ($system == 'yes') { if ($system == 'yes') {
$stmt = $pdo->prepare("UPDATE fundraising SET budget='$budget', description='$description' WHERE id='$fundraising_id'"); $stmt = $pdo->prepare("UPDATE fundraising SET budget=?, description=? WHERE id=?");
$stmt->execute(); $stmt->execute([$budget,$description,$fundraising_id]);
} else { } else {
$stmt = $pdo->prepare("UPDATE fundraising SET budget='$budget', description='$description', goal='$goal', name='$name' WHERE id='$fundraising_id'"); $stmt = $pdo->prepare("UPDATE fundraising SET budget=?, description=?, goal=?, name=? WHERE id=?");
$stmt->execute(); $stmt->execute([$budget,$description,$goal,$name,$fundraising_id]);
} }
if ($pdo->errorInfo()) if ($pdo->errorInfo())

12
admin/judging_score_entry.php
View File

@ -44,13 +44,13 @@ if ($_GET['csv'] == 'yes') {
} }
?> ?>
<? <?
$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year='$year' ORDER BY id"); $q = $pdo->prepare("SELECT * FROM projectcategories WHERE year=? ORDER BY id");
$q->execute(); $q->execute([$year]);
while ($r = $q->fetch(PDO::FETCH_OBJ)) while ($r = $q->fetch(PDO::FETCH_OBJ))
$cats[$r->id] = $r->category; $cats[$r->id] = $r->category;
$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year='$year' ORDER BY id"); $q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year=? ORDER BY id");
$q->execute(); $q->execute([$year]);
while ($r = $q->fetch(PDO::FETCH_OBJ)) while ($r = $q->fetch(PDO::FETCH_OBJ))
$divs[$r->id] = $r->division; $divs[$r->id] = $r->division;
@ -74,13 +74,13 @@ $q = $pdo->prepare("SELECT registrations.id AS reg_id,
left outer join projects on projects.registrations_id=registrations.id left outer join projects on projects.registrations_id=registrations.id
left outer join judges_teams_timeslots_projects_link on projects.id=judges_teams_timeslots_projects_link.projects_id left outer join judges_teams_timeslots_projects_link on projects.id=judges_teams_timeslots_projects_link.projects_id
WHERE WHERE
registrations.year='$year' " registrations.year=?"
. getJudgingEligibilityCode() . " . getJudgingEligibilityCode() . "
GROUP BY projectid GROUP BY projectid
ORDER BY ORDER BY
$ORDERBY $ORDERBY
"); ");
$q->execute(); $q->execute([$year]);
show_pdo_errors_if_any($pdo); show_pdo_errors_if_any($pdo);
if ($_GET['csv'] != 'yes') { if ($_GET['csv'] != 'yes') {

74
admin/project_editor.php
View File

@ -47,11 +47,11 @@ if ($auth_type == 'fair') {
/* Make sure they have permission to laod this student, check /* Make sure they have permission to laod this student, check
the master copy of the fairs_id in the project */ the master copy of the fairs_id in the project */
$q = $pdo->prepare("SELECT * FROM projects WHERE $q = $pdo->prepare("SELECT * FROM projects WHERE
registrations_id='$registrations_id' registrations_id=?
AND year='{$config['FAIRYEAR']}' AND year=?
AND fairs_id=$fairs_id"); AND fairs_id=?");
$q->execute(); $q->execute([$registrations_id,$config['FAIRYEAR'],$fairs_id]);
if ($q->rowCount() != 1) { if ($q->rowCount() != 1) {
echo 'permission denied.'; echo 'permission denied.';
exit; exit;
@ -69,22 +69,22 @@ switch ($action) {
project_save(); project_save();
/* Now generate */ /* Now generate */
$q = $pdo->prepare("SELECT id FROM projects WHERE registrations_id='{$registrations_id}' AND year='{$config['FAIRYEAR']}'"); $q = $pdo->prepare("SELECT id FROM projects WHERE registrations_id=? AND year=?");
$q->execute(); $q->execute([$registrations_id,$config['FAIRYEAR']]);
$i = $q->fetch(PDO::FETCH_ASSOC); $i = $q->fetch(PDO::FETCH_ASSOC);
$id = $i['id']; $id = $i['id'];
$stmt = $pdo->prepare("UPDATE projects SET projectnumber=NULL,projectsort=NULL, $stmt = $pdo->prepare("UPDATE projects SET projectnumber=NULL,projectsort=NULL,
projectnumber_seq='0',projectsort_seq='0' projectnumber_seq='0',projectsort_seq='0'
WHERE id='$id'"); WHERE id=?");
$stmt->execute(); $stmt->execute([$id]);
show_pdo_errors_if_any($pdo); show_pdo_errors_if_any($pdo);
list($pn, $ps, $pns, $pss) = generateProjectNumber($registrations_id); list($pn, $ps, $pns, $pss) = generateProjectNumber($registrations_id);
// print("Generated Project Number [$pn]"); // print("Generated Project Number [$pn]");
$stmt = $pdo->prepare("UPDATE projects SET projectnumber='$pn',projectsort='$ps', $stmt = $pdo->prepare("UPDATE projects SET projectnumber=?,projectsort=?,
projectnumber_seq='$pns',projectsort_seq='$pss' projectnumber_seq=?,projectsort_seq=?
WHERE id='$id'"); WHERE id=?");
$stmt->execute(); $stmt->execute([$pn,$ps,$pns,$pss,$id]);
happy_("Generated and Saved Project Number: $pn"); happy_("Generated and Saved Project Number: $pn");
break; break;
@ -102,8 +102,8 @@ function project_save()
global $registrations_id, $config, $pdo; global $registrations_id, $config, $pdo;
// first, lets make sure this project really does belong to them // first, lets make sure this project really does belong to them
$q = $pdo->prepare("SELECT * FROM projects WHERE registrations_id='{$registrations_id}' AND year='{$config['FAIRYEAR']}'"); $q = $pdo->prepare("SELECT * FROM projects WHERE registrations_id=? AND year=?");
$q->execute(); $q->execute([$registrations_id,$config['FAIRYEAR']]);
$projectinfo = $q->fetch(PDO::FETCH_OBJ); $projectinfo = $q->fetch(PDO::FETCH_OBJ);
if (!projectinfo) { if (!projectinfo) {
echo error(i18n('Invalid project to update')); echo error(i18n('Invalid project to update'));
@ -121,13 +121,13 @@ function project_save()
if (empty($_POST['feedback'])) { if (empty($_POST['feedback'])) {
$stmt = $pdo->prepare('UPDATE projects SET ' $stmt = $pdo->prepare('UPDATE projects SET '
. "flagged='0'" . "flagged='0'"
. "WHERE id='" . intval($_POST['id']) . "'"); . "WHERE id=?");
$stmt->execute(); $stmt->execute([intval($_POST['id'])]);
} else { } else {
$stmt = $pdo->prepare('UPDATE projects SET ' $stmt = $pdo->prepare('UPDATE projects SET '
. "flagged='1'" . "flagged='1'"
. "WHERE id='" . intval($_POST['id']) . "'"); . "WHERE id=?");
$stmt->execute(); $stmt->execute([intval($_POST['id'])]);
} }
show_pdo_errors_if_any($pdo); show_pdo_errors_if_any($pdo);
happy_('Flagging process successfully updated'); happy_('Flagging process successfully updated');
@ -159,15 +159,15 @@ function project_save()
// check if they changed the project number // check if they changed the project number
if ($_POST['projectnumber'] != $projectinfo->projectnumber) { if ($_POST['projectnumber'] != $projectinfo->projectnumber) {
// check if hte new one is available // check if hte new one is available
$q = $pdo->prepare("SELECT * FROM projects WHERE year='" . $config['FAIRYEAR'] . "' AND projectnumber='" . $_POST['projectnumber'] . "'"); $q = $pdo->prepare("SELECT * FROM projects WHERE year=?' AND projectnumber=?");
$q->execute(); $q->execute([$config['FAIRYEAR'],$_POST['projectnumber']]);
if ($q->rowCount()) { if ($q->rowCount()) {
error_('Could not change project number. %1 is already in use', array($_POST['projectnumber'])); error_('Could not change project number. %1 is already in use', array($_POST['projectnumber']));
} else { } else {
$stmt = $pdo->prepare("UPDATE projects SET $stmt = $pdo->prepare("UPDATE projects SET
projectnumber='" . $_POST['projectnumber'] . "' projectnumber=?
WHERE id='" . $_POST['id'] . "'"); WHERE id=?");
$stmt->execute(); $stmt->execute([$_POST['projectnumber'],$_POST['id']]);
happy_('Project number successfully changed to %1', array($_POST['projectnumber'])); happy_('Project number successfully changed to %1', array($_POST['projectnumber']));
} }
} }
@ -178,13 +178,13 @@ function project_load()
global $registrations_id, $config, $pdo, $projectcategories_id; global $registrations_id, $config, $pdo, $projectcategories_id;
// $projectcategories_id=null; // $projectcategories_id=null;
// now lets find out their MAX grade, so we can pre-set the Age Category // now lets find out their MAX grade, so we can pre-set the Age Category
$q = $pdo->prepare("SELECT MAX(grade) AS maxgrade FROM students WHERE registrations_id='" . $registrations_id . "'"); $q = $pdo->prepare("SELECT MAX(grade) AS maxgrade FROM students WHERE registrations_id=?");
$q->execute(); $q->execute([$registrations_id]);
$gradeinfo = $q->fetch(PDO::FETCH_OBJ); $gradeinfo = $q->fetch(PDO::FETCH_OBJ);
// now lets grab all the age categories, so we can choose one based on the max grade // now lets grab all the age categories, so we can choose one based on the max grade
$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY id"); $q = $pdo->prepare("SELECT * FROM projectcategories WHERE year=? ORDER BY id");
$q->execute(); $q->execute([$config['FAIRYEAR']]);
while ($r = $q->fetch(PDO::FETCH_OBJ)) { while ($r = $q->fetch(PDO::FETCH_OBJ)) {
// save these in an array, just incase we need them later (FIXME: remove this array if we dont need it) // save these in an array, just incase we need them later (FIXME: remove this array if we dont need it)
$agecategories[$r->id]['category'] = $r->category; $agecategories[$r->id]['category'] = $r->category;
@ -196,24 +196,24 @@ function project_load()
} }
// now select their project info // now select their project info
$q = $pdo->prepare("SELECT * FROM projects WHERE registrations_id='" . $registrations_id . "' AND year='" . $config['FAIRYEAR'] . "'"); $q = $pdo->prepare("SELECT * FROM projects WHERE registrations_id=? AND year=?");
// check if it exists, if we didnt find any record, lets insert one // check if it exists, if we didnt find any record, lets insert one
$q->execute(); $q->execute([$registrations_id,$config['FAIRYEAR']]);
$projectinfo = $q->fetch(PDO::FETCH_OBJ); $projectinfo = $q->fetch(PDO::FETCH_OBJ);
if (!$projectinfo) { if (!$projectinfo) {
$stmt = $pdo->prepare("INSERT INTO projects (registrations_id,projectcategories_id,year) VALUES ('" . $registrations_id . "','$projectcategories_id','" . $config['FAIRYEAR'] . "')"); $stmt = $pdo->prepare("INSERT INTO projects (registrations_id,projectcategories_id,year) VALUES (?,?,?)");
// and then pull it back out // and then pull it back out
$stmt->execute(); $stmt->execute([$registrations_id,$projectcategories_id,$config['FAIRYEAR']]);
$q = $pdo->prepare("SELECT * FROM projects WHERE registrations_id='" . $registrations_id . "' AND year='" . $config['FAIRYEAR'] . "'"); $q = $pdo->prepare("SELECT * FROM projects WHERE registrations_id=? AND year=?");
$q->execute(); $q->execute([ $registrations_id,$config['FAIRYEAR']]);
$projectinfo = $q->fetch(PDO::FETCH_OBJ); $projectinfo = $q->fetch(PDO::FETCH_OBJ);
} }
// make sure that if they changed their grade on the student page, we update their projectcategories_id accordingly // make sure that if they changed their grade on the student page, we update their projectcategories_id accordingly
if ($projectcategories_id && $projectinfo->projectcategories_id != $projectcategories_id) { if ($projectcategories_id && $projectinfo->projectcategories_id != $projectcategories_id) {
echo notice(i18n('Age category changed, updating to %1', array($agecategories[$projectcategories_id]['category']))); echo notice(i18n('Age category changed, updating to %1', array($agecategories[$projectcategories_id]['category'])));
$stmt = $pdo->prepare("UPDATE projects SET projectcategories_id='$projectcategories_id' WHERE id='$projectinfo->id'"); $stmt = $pdo->prepare("UPDATE projects SET projectcategories_id=? WHERE id=?");
$stmt->execute(); $stmt->execute([$projectcategories_id,$projectinfo->id]);
} }
// output the current status // output the current status
@ -298,8 +298,8 @@ function countwords()
show_pdo_errors_if_any($pdo); show_pdo_errors_if_any($pdo);
// ### // ###
} else } else
$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY division"); $q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year=? ORDER BY division");
$q->execute(); $q->execute([$config['FAIRYEAR']]);
echo '<select name="projectdivisions_id">'; echo '<select name="projectdivisions_id">';
echo '<option value="">' . i18n('Select a division') . "</option>\n"; echo '<option value="">' . i18n('Select a division') . "</option>\n";

56
admin/registration_list.php
View File

@ -39,14 +39,14 @@ if (get_value_from_array($_GET, 'year'))
else else
$year = $config['FAIRYEAR']; $year = $config['FAIRYEAR'];
$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year='$year' ORDER BY id"); $q = $pdo->prepare("SELECT * FROM projectcategories WHERE year=? ORDER BY id");
$q->execute(); $q->execute([$year]);
while ($r = $q->fetch(PDO::FETCH_OBJ)) while ($r = $q->fetch(PDO::FETCH_OBJ))
$cats[$r->id] = $r->category; $cats[$r->id] = $r->category;
$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year='$year' ORDER BY id"); $q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year=? ORDER BY id");
$q->execute(); $q->execute([$year]);
while ($r = $q->fetch(PDO::FETCH_OBJ)) while ($r = $q->fetch(PDO::FETCH_OBJ))
$divs[$r->id] = $r->division; $divs[$r->id] = $r->division;
@ -62,34 +62,34 @@ switch ($action) {
case 'delete': case 'delete':
$regid = intval($_GET['id']); $regid = intval($_GET['id']);
$q = $pdo->prepare("SELECT * FROM projects WHERE registrations_id='$regid'"); $q = $pdo->prepare("SELECT * FROM projects WHERE registrations_id=?");
$q->execute(); $q->execute([$regid]);
if ($q->rowCount()) { if ($q->rowCount()) {
$p = $q->fetch(PDO::FETCH_ASSOC); $p = $q->fetch(PDO::FETCH_ASSOC);
$stmt = $pdo->prepare("DELETE FROM winners WHERE projects_id='{$p['id']}'"); $stmt = $pdo->prepare("DELETE FROM winners WHERE projects_id=?");
$stmt->execute(); $stmt->execute([$p['id']]);
} }
$stmt = $pdo->prepare("DELETE FROM registrations WHERE id='$regid' AND year='" . $config['FAIRYEAR'] . "'"); $stmt = $pdo->prepare("DELETE FROM registrations WHERE id=? AND year=?");
$stmt->execute(); $stmt->execute([$regid,$config['FAIRYEAR']]);
$stmt = $pdo->prepare("DELETE FROM students WHERE registrations_id='$regid' AND year='" . $config['FAIRYEAR'] . "'"); $stmt = $pdo->prepare("DELETE FROM students WHERE registrations_id=? AND year=?");
$stmt->execute(); $stmt->execute([$regid,$config['FAIRYEAR']]);
$stmt = $pdo->prepare("DELETE FROM projects WHERE registrations_id='$regid' AND year='" . $config['FAIRYEAR'] . "'"); $stmt = $pdo->prepare("DELETE FROM projects WHERE registrations_id=? AND year=?");
$stmt->execute(); $stmt->execute([$regid,$config['FAIRYEAR']]);
$stmt = $pdo->prepare("DELETE FROM safety WHERE registrations_id='$regid' AND year='" . $config['FAIRYEAR'] . "'"); $stmt = $pdo->prepare("DELETE FROM safety WHERE registrations_id=? AND year=?");
$stmt->execute(); $stmt->execute([$regid,$config['FAIRYEAR']]);
$stmt = $pdo->prepare("DELETE FROM questions_answers WHERE registrations_id='$regid' AND year='" . $config['FAIRYEAR'] . "'"); $stmt = $pdo->prepare("DELETE FROM questions_answers WHERE registrations_id=? AND year=?");
$stmt->execute(); $stmt->execute([$regid,$config['FAIRYEAR']]);
$stmt = $pdo->prepare("DELETE FROM mentors WHERE registrations_id='$regid' AND year='" . $config['FAIRYEAR'] . "'"); $stmt = $pdo->prepare("DELETE FROM mentors WHERE registrations_id=? AND year=?");
$stmt->execute(); $stmt->execute([$regid,$config['FAIRYEAR']]);
$stmt = $pdo->prepare("DELETE FROM emergencycontact WHERE registrations_id='$regid' AND year='" . $config['FAIRYEAR'] . "'"); $stmt = $pdo->prepare("DELETE FROM emergencycontact WHERE registrations_id=? AND year=?");
$stmt->execute(); $stmt->execute([$regid,$config['FAIRYEAR']]);
happy_('Registration and all related data successfully deleted'); happy_('Registration and all related data successfully deleted');
exit; exit;
} }
@ -459,14 +459,14 @@ function list_query($year, $wherestatus, $reg_id)
left outer join projects on projects.registrations_id=registrations.id left outer join projects on projects.registrations_id=registrations.id
WHERE WHERE
1 1
AND registrations.year='$year' AND registrations.year=?
$wherestatus ?
$reg $fair ? ?
ORDER BY ORDER BY
registrations.status DESC, projects.title registrations.status DESC, projects.title
"); ");
$q->execute(); $q->execute([$year,$wherestatus,$reg,$fair]);
// FIXME // FIXME
show_pdo_errors_if_any($pdo); show_pdo_errors_if_any($pdo);
@ -516,11 +516,11 @@ function print_row($r)
FROM FROM
students,schools students,schools
WHERE WHERE
students.registrations_id='$r->reg_id' students.registrations_id=?
AND AND
students.schools_id=schools.id students.schools_id=schools.id
"); ");
$sq->execute(); $sq->execute([$r->reg_id]);
show_pdo_errors_if_any($pdo); show_pdo_errors_if_any($pdo);
$studnum = 1; $studnum = 1;

4
admin/registration_receivedforms.php
View File

@ -41,8 +41,8 @@ echo '<br />';
$showformatbottom = true; $showformatbottom = true;
if (get_value_from_array($_POST, 'action') == 'received' && get_value_from_array($_POST, 'registration_number')) { if (get_value_from_array($_POST, 'action') == 'received' && get_value_from_array($_POST, 'registration_number')) {
$q = $pdo->prepare("SELECT * FROM registrations WHERE num='" . $_POST['registration_number'] . "' AND year='" . $config['FAIRYEAR'] . "'"); $q = $pdo->prepare("SELECT * FROM registrations WHERE num=? AND year=?");
$q->execute(); $q->execute([$_POST['registration_number'],$config['FAIRYEAR']]);
if ($q->rowCount() == 1) { if ($q->rowCount() == 1) {
$r = $q->fetch(PDO::FETCH_OBJ); $r = $q->fetch(PDO::FETCH_OBJ);
$reg_id = $r->id; $reg_id = $r->id;