diff --git a/admin/award_awardcreatedivisional.php b/admin/award_awardcreatedivisional.php index b131a12d..7810d166 100644 --- a/admin/award_awardcreatedivisional.php +++ b/admin/award_awardcreatedivisional.php @@ -130,23 +130,25 @@ if ($r->num) { echo '  ' . i18n('Prizes: '); foreach ($prizes AS $prize) { - $q = $pdo->prepare("INSERT INTO award_prizes (award_awards_id,cash,scholarship,value,prize,number,`order`,excludefromac,trophystudentkeeper,trophystudentreturn,trophyschoolkeeper,trophyschoolreturn,year) VALUES ( - '$award_awards_id', - '{$prize['cash']}', - '{$prize['scholarship']}', - '{$prize['value']}', - '{$prize['prize']}', - '{$prize['number']}', - '{$prize['order']}', - '{$prize['excludefromac']}', - '{$prize['trophystudentkeeper']}', - '{$prize['trophystudentreturn']}', - '{$prize['trophyschoolkeeper']}', - '{$prize['trophyschoolreturn']}', - '{$config['FAIRYEAR']}' - )"); + $q = $pdo->prepare("INSERT INTO award_prizes (award_awards_id, cash, scholarship, value, prize, number, `order`, excludefromac, trophystudentkeeper, trophystudentreturn, trophyschoolkeeper, trophyschoolreturn, year) + VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)"); + + $q->execute([ + $award_awards_id, + $prize['cash'], + $prize['scholarship'], + $prize['value'], + $prize['prize'], + $prize['number'], + $prize['order'], + $prize['excludefromac'], + $prize['trophystudentkeeper'], + $prize['trophystudentreturn'], + $prize['trophyschoolkeeper'], + $prize['trophyschoolreturn'], + $config['FAIRYEAR'] + ]); - $q->execute(); echo $prize['prize'] . ','; } diff --git a/admin/award_download.php b/admin/award_download.php index 1c1b9b53..285e6bcd 100644 --- a/admin/award_download.php +++ b/admin/award_download.php @@ -159,21 +159,33 @@ switch (get_value_from_array($_GET, 'action')) { $self_nominate = ($award['self_nominate'] == 'yes') ? 'yes' : 'no'; $schedule_judges = ($award['schedule_judges'] == 'yes') ? 'yes' : 'no'; - $q = $pdo->prepare("UPDATE award_awards SET - sponsors_id='$sponsor_id', - name='" . $award['name_en'] . "', - criteria='" . $award['criteria_en'] . "', - external_postback='" . $postback . "', - external_register_winners='" . (($award['external_register_winners'] == 1) ? 1 : 0) . "', - external_additional_materials='" . (($award['external_additional_materials'] == 1) ? 1 : 0) . "', - self_nominate='$self_nominate', - schedule_judges='$schedule_judges' - WHERE - id='$award_id' - AND external_identifier='" . $identifier . "' - AND year='$year' - "); - $q->execute(); + $q = $pdo->prepare("UPDATE award_awards SET + sponsors_id = ?, + name = ?, + criteria = ?, + external_postback = ?, + external_register_winners = ?, + external_additional_materials = ?, + self_nominate = ?, + schedule_judges = ? + WHERE id = ? + AND external_identifier = ? + AND year = ?"); + + $q->execute([ + $sponsor_id, + $award['name_en'], + $award['criteria_en'], + $postback, + ($award['external_register_winners'] == 1) ? 1 : 0, + ($award['external_additional_materials'] == 1) ? 1 : 0, + $self_nominate, + $schedule_judges, + $award_id, + $identifier, + $year + ]); + show_pdo_errors_if_any($pdo); // update the prizes @@ -218,22 +230,35 @@ switch (get_value_from_array($_GET, 'action')) { if (!array_key_exists('identifier', $prize)) $prize['identifier'] = $prize['prize_en']; - $q = $pdo->prepare("UPDATE award_prizes SET - cash='" . intval($prize['cash']) . "', - scholarship='" . intval($prize['scholarship']) . "', - value='" . intval($prize['value']) . "', - prize='" . $prize['prize_en'] . "', - number='" . intval($prize['number']) . "', - `order`='" . intval($prize['ord']) . "', - external_identifier='" . stripslashes($prize['identifier']) . "', - trophystudentkeeper='" . intval($prize['trophystudentkeeper']) . "', - trophystudentreturn='" . intval($prize['trophystudentreturn']) . "', - trophyschoolkeeper='" . intval($prize['trophyschoolkeeper ']) . "', - trophyschoolreturn='" . intval($prize['trophyschoolreturn']) . "' - WHERE - id='$prize_id'"); - - $q->execute([]); + $q = $pdo->prepare("UPDATE award_prizes SET + cash = ?, + scholarship = ?, + value = ?, + prize = ?, + number = ?, + `order` = ?, + external_identifier = ?, + trophystudentkeeper = ?, + trophystudentreturn = ?, + trophyschoolkeeper = ?, + trophyschoolreturn = ? + WHERE id = ?"); + + $q->execute([ + intval($prize['cash']), + intval($prize['scholarship']), + intval($prize['value']), + $prize['prize_en'], + intval($prize['number']), + intval($prize['ord']), + stripslashes($prize['identifier']), + intval($prize['trophystudentkeeper']), + intval($prize['trophystudentreturn']), + intval($prize['trophyschoolkeeper']), + intval($prize['trophyschoolreturn']), + $prize_id + ]); + show_pdo_errors_if_any($pdo); // FIXME: update the translations diff --git a/admin/communication.php b/admin/communication.php index 7aa7e8b0..f4d9e77a 100644 --- a/admin/communication.php +++ b/admin/communication.php @@ -701,21 +701,22 @@ if (get_value_from_array($_GET, 'action') == 'sendqueue') { $numtotal = $recipq->rowCount(); - $q = $pdo->prepare("INSERT INTO emailqueue (val,name,users_uid,`from`,subject,body,bodyhtml,`type`,fundraising_campaigns_id,started,finished,numtotal,numsent) VALUES ( - '" . $email->val . "', - '" . $email->name . "', - '" . $_SESSION['users_uid'] . "', - '" . $email->from . "', - '" . $email->subject . "', - '" . $email->body . "', - '" . $email->bodyhtml . "', - '" . $email->type . "', - $fcid, - NOW(), - NULL, - $numtotal, - 0)"); - $q->execute(); + $q = $pdo->prepare("INSERT INTO emailqueue (val, name, users_uid, `from`, subject, body, bodyhtml, `type`, fundraising_campaigns_id, started, finished, numtotal, numsent) + VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, NOW(), NULL, ?, 0)"); + + $q->execute([ + $email->val, + $email->name, + $_SESSION['users_uid'], + $email->from, + $email->subject, + $email->body, + $email->bodyhtml, + $email->type, + $fcid, + $numtotal + ]); + $emailqueueid = $pdo->lastInsertId(); show_pdo_errors_if_any($pdo); @@ -746,13 +747,15 @@ if (get_value_from_array($_GET, 'action') == 'sendqueue') { ); if ($u['email'] && $u['email'][0] != '*') { - $q = $pdo->prepare("INSERT INTO emailqueue_recipients (emailqueue_id,toemail,toname,replacements,sent) VALUES ( - '$emailqueueid', - '" . $pdo->quote($u['email']) . "', - '" . $pdo->quote($u['name']) . "', - '" . $pdo->quote(json_encode($replacements) . "', - NULL)")); - $q->execute(); + $q = $pdo->prepare("INSERT INTO emailqueue_recipients (emailqueue_id, toemail, toname, replacements, sent) VALUES (?, ?, ?, ?, NULL)"); + + $q->execute([ + $emailqueueid, + $u['email'], + $u['name'], + json_encode($replacements) + ]); + show_pdo_errors_if_any($pdo); } $q = $pdo->prepare("UPDATE emails SET lastsent=NOW() WHERE id=?"); @@ -870,21 +873,20 @@ if (get_value_from_array($_GET, 'action') == 'send' && get_value_from_array($_GE } $numtotal = $recipq->rowCount(); - $q = $pdo->prepare("INSERT INTO emailqueue (val,name,users_uid,`from`,subject,body,bodyhtml,`type`,fundraising_campaigns_id,started,finished,numtotal,numsent) VALUES ( - '" . $pdo->quote($email->val) . "', - '" . $pdo->quote($email->name) . "', - '" . $pdo->quote($_SESSION['users_uid']) . "', - '" . $pdo->quote($email->from) . "', - '" . $pdo->quote($email->subject) . "', - '" . $pdo->quote($email->body) . "', - '" . $pdo->quote($email->bodyhtml) . "', - '" . $pdo->quote($email->type) . "', - NULL, - NOW(), - NULL, - $numtotal, - 0)"); - $q->execute(); + $q = $pdo->prepare("INSERT INTO emailqueue (val, name, users_uid, `from`, subject, body, bodyhtml, `type`, fundraising_campaigns_id, started, finished, numtotal, numsent) VALUES (?, ?, ?, ?, ?, ?, ?, ?, NULL, NOW(), NULL, ?, 0)"); + + $q->execute([ + $email->val, + $email->name, + $_SESSION['users_uid'], + $email->from, + $email->subject, + $email->body, + $email->bodyhtml, + $email->type, + $numtotal + ]); + $emailqueueid = lastInsertId(); show_pdo_errors_if_any($pdo); @@ -939,13 +941,15 @@ if (get_value_from_array($_GET, 'action') == 'send' && get_value_from_array($_GE } if ($toemail) { - $q = $pdo->prepare("INSERT INTO emailqueue_recipients (emailqueue_id,toemail,toname,replacements,sent) VALUES ( - '$emailqueueid', - '" . $toemail . "', - '" . $toname . "', - '" . json_encode($replacements) . "', - NULL)"); - $q->execute(); + $q = $pdo->prepare("INSERT INTO emailqueue_recipients (emailqueue_id, toemail, toname, replacements, sent) VALUES (?, ?, ?, ?, NULL)"); + + $q->execute([ + $emailqueueid, + $toemail, + $toname, + json_encode($replacements) + ]); + show_pdo_errors_if_any($pdo); } diff --git a/admin/donors.php b/admin/donors.php index ee7a7705..c63313ea 100644 --- a/admin/donors.php +++ b/admin/donors.php @@ -54,26 +54,31 @@ switch (get_value_from_array($_GET, 'action')) { if ($id) { $exec = 'UPDATE sponsors SET ' - . "donortype='" . stripslashes($_POST['donortype']) . "', " - . "organization='" . stripslashes($_POST['organization']) . "', " - . "address='" . stripslashes($_POST['address']) . "', " - . "address2='" . stripslashes($_POST['address2']) . "', " - . "city='" . stripslashes($_POST['city']) . "', " - . "province_code='" . stripslashes($_POST['province_code']) . "', " - . "postalcode='" . stripslashes($_POST['postalcode']) . "', " - . "phone='" . stripslashes($_POST['phone']) . "', " - . "tollfree='" . stripslashes($_POST['tollfree']) . "', " - . "fax='" . stripslashes($_POST['fax']) . "', " - . "email='" . stripslashes($_POST['email']) . "', " - . "website='" . stripslashes($_POST['website']) . "', " - . "notes='" . stripslashes($_POST['notes']) . "', " - . "donationpolicyurl='" . stripslashes($_POST['donationpolicyurl']) . "', " - . "fundingselectiondate='" . stripslashes($_POST['fundingselectiondate']) . "', " - . "proposalsubmissiondate='" . stripslashes($_POST['proposalsubmissiondate']) . "', " - . "waiveraccepted='" . stripslashes($_POST['waiveraccepted']) . "' " - . "WHERE id='$id'"; + . "donortype=?, " + . "organization=?, " + . "address=?, " + . "address2=?, " + . "city=?, " + . "province_code=?, " + . "postalcode=?, " + . "phone=?, " + . "tollfree=?, " + . "fax=?, " + . "email=?, " + . "website=?, " + . "notes=?, " + . "donationpolicyurl=?, " + . "fundingselectiondate=?, " + . "proposalsubmissiondate=?, " + . "waiveraccepted=? " + . "WHERE id=?"; $q = $pdo->prepare($exec); - $q->execute(); + $q->execute([stripslashes($_POST['donortype']),stripslashes($_POST['organization']),stripslashes($_POST['address']), + stripslashes($_POST['address2']),stripslashes($_POST['city']),stripslashes($_POST['province_code']), + stripslashes($_POST['postalcode']),stripslashes($_POST['phone']),stripslashes($_POST['tollfree']), + stripslashes($_POST['fax']),stripslashes($_POST['email']),stripslashes($_POST['website']), + stripslashes($_POST['notes']),stripslashes($_POST['donationpolicyurl']),stripslashes($_POST['fundingselectiondate']), + stripslashes($_POST['proposalsubmissiondate']),stripslashes($_POST['waiveraccepted']),$id]); echo $q->errorInfo(); // FIXME accept the logo @@ -422,18 +427,18 @@ switch (get_value_from_array($_GET, 'action')) { if ($goal && $value && $supporttype) { $q = $pdo->prepare("INSERT INTO fundraising_donations (sponsors_id,fundraising_goal,fundraising_campaigns_id,value,status,probability,fiscalyear,thanked,datereceived,supporttype) VALUES ( - '$sponsorid', - '" . $goal . "', - '$campaignid', - '$value', + ?, + ?, + ?, + ?, 'received', '100', - '{$config['FISCALYEAR']}', + ?, 'no', - '" . $datereceived . "', - '" . $supporttype . "' + ?, + ? )"); - $q->execute(); + $q->execute([$sponsorid,$goal,$campaignid,$value,$config['FISCALYEAR'],$datereceived,$supporttype]); $id = $pdo->lastInsertId(); $logStr = getDonationString($id); save_activityinfo("Added donation/sponsorship: $logStr", $sponsorid, $_SESSION['users_uid'], 'System'); diff --git a/admin/judges_teams_projects.php b/admin/judges_teams_projects.php index 1dde4495..c3427b83 100644 --- a/admin/judges_teams_projects.php +++ b/admin/judges_teams_projects.php @@ -81,20 +81,20 @@ if (get_value_from_array($_GET, 'judges_projects_list_eligible')) $_SESSION['viewstate']['judges_projects_list_eligible'] = $_GET['judges_projects_list_eligible']; if (get_value_from_array($_GET, 'action') == 'delete' && $_GET['delete'] && $_GET['edit']) { - $stmt = $pdo->prepare("DELETE FROM judges_teams_timeslots_projects_link WHERE id='" . $_GET['delete'] . "'"); - $stmt->execute(); + $stmt = $pdo->prepare("DELETE FROM judges_teams_timeslots_projects_link WHERE id=?"); + $stmt->execute([$_GET['delete']]); echo happy(i18n('Judging team project successfully removed')); $action = 'edit'; } if (get_value_from_array($_POST, 'action') == 'assign' && $_POST['edit'] && $_POST['timeslot'] && $_POST['project_id']) { - $stmt = $pdo->prepare("INSERT INTO judges_teams_timeslots_projects_link (judges_teams_id,judges_timeslots_id,projects_id,year) VALUES ('" . $_POST['edit'] . "','" . $_POST['timeslot'] . "','" . $_POST['project_id'] . "','" . $config['FAIRYEAR'] . "')"); - $stmt->execute(); + $stmt = $pdo->prepare("INSERT INTO judges_teams_timeslots_projects_link (judges_teams_id,judges_timeslots_id,projects_id,year) VALUES (?,?,?,?)"); + $stmt->execute([$_POST['edit'],$_POST['timeslot'],$_POST['project_id'],$config['FAIRYEAR']]); echo happy(i18n('Project assigned to team timeslot')); } -$q = $pdo->prepare("SELECT DISTINCT(date) AS d FROM judges_timeslots WHERE year='" . $config['FAIRYEAR'] . "'"); -$q->execute(); +$q = $pdo->prepare("SELECT DISTINCT(date) AS d FROM judges_timeslots WHERE year=?"); +$q->execute([$config['FAIRYEAR']]); if ($q->rowCount() > 1) $show_date = true; else @@ -155,13 +155,13 @@ if (($action == 'edit' || $action == 'assign') && $edit) { judges_teams, judges_teams_timeslots_link WHERE - judges_teams.id='" . $team['id'] . "' AND + judges_teams.id=? AND judges_teams.id=judges_teams_timeslots_link.judges_teams_id AND judges_timeslots.id=judges_teams_timeslots_link.judges_timeslots_id ORDER BY date,starttime "); - $q->execute(); + $q->execute([$team['id']]); $numslots = $q - rowCount(); if ($numslots) { @@ -201,7 +201,7 @@ if (($action == 'edit' || $action == 'assign') && $edit) { projectnumber is not null ' . getJudgingEligibilityCode() . " AND projects.registrations_id=registrations.id AND - projects.year='" . $config['FAIRYEAR'] . "' + projects.year=? ORDER BY projectnumber"; } else if ($_SESSION['viewstate']['judges_projects_list_show'] == 'unassigned') { @@ -219,13 +219,13 @@ if (($action == 'edit' || $action == 'assign') && $edit) { ' . getJudgingEligibilityCode(). ' AND projects.registrations_id=registrations.id AND judges_teams_timeslots_projects_link.projects_id IS NULL AND - projects.year='" . $config['FAIRYEAR'] . "' + projects.year=? ORDER BY projectnumber"; } $pq = $pdo->prepare($querystr); - $pq->execute(); + $pq->execute([$config['FAIRYEAR'],$config['FAIRYEAR']]); show_pdo_errors_if_any($pdo); $eligibleprojects = getProjectsEligibleOrNominatedForAwards($award_ids); @@ -284,14 +284,14 @@ if (($action == 'edit' || $action == 'assign') && $edit) { projects, judges_teams_timeslots_projects_link WHERE - judges_teams_timeslots_projects_link.judges_timeslots_id='$r->id' AND - judges_teams_timeslots_projects_link.judges_teams_id='" . $team['id'] . "' AND + judges_teams_timeslots_projects_link.judges_timeslots_id=? AND + judges_teams_timeslots_projects_link.judges_teams_id=? AND judges_teams_timeslots_projects_link.projects_id=projects.id AND - judges_teams_timeslots_projects_link.year='" . $config['FAIRYEAR'] . "' + judges_teams_timeslots_projects_link.year=? ORDER BY projectnumber "); - $projq->execute(); + $projq->execute([$r->id,$team['id'],$config['FAIRYEAR']]); show_pdo_errors_if_any($pdo); while ($proj = $projq->fetch(PDO::FETCH_OBJ)) { @@ -357,13 +357,13 @@ if (($action == 'edit' || $action == 'assign') && $edit) { judges_teams, judges_teams_timeslots_link WHERE - judges_teams.id='" . $team['id'] . "' AND + judges_teams.id=? AND judges_teams.id=judges_teams_timeslots_link.judges_teams_id AND judges_timeslots.id=judges_teams_timeslots_link.judges_timeslots_id ORDER BY date,starttime "); - $q->execute(); + $q->execute([$team['id']]); $numslots = $q->rowCount(); echo '' . i18n('Edit team project assignments') . ''; @@ -391,14 +391,14 @@ if (($action == 'edit' || $action == 'assign') && $edit) { projects, judges_teams_timeslots_projects_link WHERE - judges_teams_timeslots_projects_link.judges_timeslots_id='$r->id' AND - judges_teams_timeslots_projects_link.judges_teams_id='" . $team['id'] . "' AND + judges_teams_timeslots_projects_link.judges_timeslots_id=? AND + judges_teams_timeslots_projects_link.judges_teams_id=? AND judges_teams_timeslots_projects_link.projects_id=projects.id AND - judges_teams_timeslots_projects_link.year='" . $config['FAIRYEAR'] . "' + judges_teams_timeslots_projects_link.year=? ORDER BY projectnumber "); - $projq->execute(); + $projq->execute([$r->id,$team['id'],$config['FAIRYEAR']]); show_pdo_errors_if_any($pdo); while ($proj = $projq->fetch(PDO::FETCH_OBJ)) { diff --git a/admin/judges_teams_timeslots.php b/admin/judges_teams_timeslots.php index 49ff8398..8c0c8e15 100644 --- a/admin/judges_teams_timeslots.php +++ b/admin/judges_teams_timeslots.php @@ -42,15 +42,15 @@ if (array_key_exists('action', $_POST)) if (get_value_from_array($_GET, 'action') && $action == 'delete') { $id = intval($_GET['delete']); - $stmt = $pdo->prepare("DELETE FROM judges_teams_timeslots_link WHERE id='$id'"); - $stmt->execute(); + $stmt = $pdo->prepare("DELETE FROM judges_teams_timeslots_link WHERE id=?"); + $stmt->execute([$id]); message_push(happy(i18n('Judging team timeslot successfully removed'))); } if (array_key_exists('empty', $_GET) && $action == 'empty') { $id = intval($_GET['empty']); - $stmt = $pdo->prepare("DELETE FROM judges_teams_timeslots_link WHERE judges_teams_id='$id'"); - $stmt->execute(); + $stmt = $pdo->prepare("DELETE FROM judges_teams_timeslots_link WHERE judges_teams_id=?"); + $stmt->execute([$id]); message_push(happy(i18n('Judging team timeslots successfully removed'))); } @@ -61,8 +61,8 @@ if ($action == 'assign') { foreach ($_POST['teams'] AS $tm) { foreach ($_POST['timeslots'] AS $ts) { $stmt = $pdo->prepare("INSERT INTO judges_teams_timeslots_link (judges_teams_id,judges_timeslots_id,year) - VALUES ('$tm','$ts','{$config['FAIRYEAR']}')"); - $stmt->execute(); + VALUES (?,?,?)"); + $stmt->execute([$tm,$ts,$config['FAIRYEAR']]); } } message_push(happy(i18n('%1 Timeslots assigned to %2 teams', array(count($_POST['timeslots']), count($_POST['teams']))))); @@ -126,8 +126,8 @@ echo 'select none'; echo ' | '; echo 'invert selection'; -$q = $pdo->prepare("SELECT DISTINCT(date) AS d FROM judges_timeslots WHERE year='" . $config['FAIRYEAR'] . "'"); -$q->execute(); +$q = $pdo->prepare("SELECT DISTINCT(date) AS d FROM judges_timeslots WHERE year=?"); +$q->execute([$config['FAIRYEAR']]); if ($q->rowCount() > 1) $show_date = true; else @@ -143,16 +143,16 @@ echo '' . i18n('End Time') . ''; echo "\n"; $q = $pdo->prepare("SELECT * FROM judges_timeslots - WHERE year='{$config['FAIRYEAR']}' + WHERE year=? AND round_id='0' ORDER BY date,starttime"); -$q->execute(); +$q->execute([$config['FAIRYEAR']]); while ($r = $q->fetch(PDO::FETCH_OBJ)) { echo ''; $span = $show_date ? 4 : 3; echo "{$r->name} (" . $round_str[$r->type] . ')'; $qq = $pdo->prepare("SELECT * FROM judges_timeslots - WHERE round_id='{$r->id}' ORDER BY date,starttime"); - $qq->execute(); + WHERE round_id=? ORDER BY date,starttime"); + $qq->execute([$r->id]); while ($rr = $qq->fetch(PDO::FETCH_OBJ)) { echo ''; echo "id}\" />"; @@ -213,13 +213,13 @@ foreach ($teams AS $team) { judges_teams, judges_teams_timeslots_link WHERE - judges_teams.id='" . $team['id'] . "' AND + judges_teams.id=? AND judges_teams.id=judges_teams_timeslots_link.judges_teams_id AND judges_timeslots.id=judges_teams_timeslots_link.judges_timeslots_id ORDER BY date,starttime "); - $q->execute(); + $q->execute([$team['id']]); $numslots = $q->rowCount(); while ($r = $q->fetch(PDO::FETCH_OBJ)) { diff --git a/admin/judges_timeslots.php b/admin/judges_timeslots.php index 1a79a1aa..d012f7be 100644 --- a/admin/judges_timeslots.php +++ b/admin/judges_timeslots.php @@ -188,9 +188,9 @@ if ($action == 'savemultiple') { $tt = $duration + $break; for ($x = 0; $x < $addnum; $x++) { - $q = $pdo->prepare("SELECT \tDATE_ADD('$date $hr:$min:00', INTERVAL $duration MINUTE) AS endtime, - DATE_ADD('$date $hr:$min:00', INTERVAL $tt MINUTE) AS startnext "); - $q->execute(); + $q = $pdo->prepare("SELECT \tDATE_ADD(? ?:?:00', INTERVAL ? MINUTE) AS endtime, + DATE_ADD(? ?:?:00', INTERVAL ? MINUTE) AS startnext "); + $q->execute([$date,$hr,$min,$duration,$date,$hr,$min,$tt]); show_pdo_errors_if_any($pdo); $r = $q->fetch(PDO::FETCH_OBJ); list($ed, $et) = split(' ', $r->endtime); @@ -199,10 +199,10 @@ if ($action == 'savemultiple') { $starttime = sprintf('%02d:%02d:00', $hr, $min); $stmt = $pdo->prepare("INSERT INTO judges_timeslots (date,type,round_id,starttime,endtime,year) VALUES ( - '$date','timeslot','{$round_data['id']}', - '$starttime', '$et', - '{$config['FAIRYEAR']}')"); - $stmt->execute(); + ?,'timeslot',?, + ?,?, + ?)"); + $stmt->execute([$date,$round_data['id'],$starttime,$et,$config['FAIRYEAR']]); show_pdo_errors_if_any($pdo); $date = $nd; list($s_h, $s_m, $s_s) = split(':', $nt); diff --git a/admin/project_editor.php b/admin/project_editor.php index 0e548632..922463fa 100644 --- a/admin/project_editor.php +++ b/admin/project_editor.php @@ -139,20 +139,21 @@ function project_save() $title = stripslashes($_POST['title']); $stmt = $pdo->prepare('UPDATE projects SET ' - . "title='" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', $title) . "', " - . "projectdivisions_id='" . intval($_POST['projectdivisions_id'] . "', " - . "projecttype='" . stripslashes($_POST['projecttype']) . "', " - . "language='" . stripslashes($_POST['language']) . "', " - . "req_table='" . stripslashes($_POST['req_table']) . "', " - . "req_electricity='" . stripslashes($_POST['req_electricity']) . "', " - . "req_special='" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['req_special'])) . "', " - . "human_participants='" . stripslashes($_POST['human_participants']) . "', " - . "animal_participants='" . stripslashes($_POST['animal_participants']) . "', " - . "summary='" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['summary'])) . "', " - . "summarycountok='$summarycountok'," - . "feedback='" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['feedback'])) . "', " - . "projectsort='" . stripslashes($_POST['projectsort']) . "'" - . "WHERE id='" . intval($_POST['id'])) . "'"); + . "title='" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT','?') . "', " + . "projectdivisions_id=?, " + . "projecttype=?, " + . "language=?, " + . "req_table=?, " + . "req_electricity=?, " + . "req_special=?, " + . "human_participants=?, " + . "animal_participants=?, " + . "summary=?, " + . "summarycountok=?," + . "feedback=?, " + . "projectsort=?" + . "WHERE id=?"); + $stmt->execute([$title,intval($_POST['projectdivisions_id'],stripslashes($_POST['projecttype']),stripslashes($_POST['language']),stripslashes($_POST['req_table']),stripslashes($_POST['req_electricity']),stripslashes($_POST['human_participants']),stripslashes($_POST['animal_participants']),iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['summary'])),$summarycountok,iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['feedback'])),stripslashes($_POST['projectsort']),intval($_POST['id']))]); show_pdo_errors_if_any($pdo); happy_('Project information successfully updated'); diff --git a/admin/rerollprizes.php b/admin/rerollprizes.php index 7b3ddf1a..8349ac8d 100644 --- a/admin/rerollprizes.php +++ b/admin/rerollprizes.php @@ -113,18 +113,18 @@ if ($config['FAIRYEAR'] == 2008) { show_pdo_errors_if_any($pdo); while ($r2 = $q2->fetch(PDO::FETCH_OBJ)) { $stmt = $pdo->prepare("INSERT INTO award_prizes (award_awards_id,cash,scholarship,`value`,prize,number,`order`,year,excludefromac) VALUES ( - '" . $award_awards_id . "', - '" . $r2->cash . "', - '" . $r2->scholarship . "', - '" . $r2->value . "', - '" . $r2->prize . "', - '" . $r2->number . "', - '" . $r2->order . "', - '" . $newfairyear . "', - '" . $r2->excludefromac . "')"); + ?, + ?, + ?, + ?, + ?, + ?, + ?, + ?, + ?)"); } } - + $q2->execute([$award_awards_id,$r2->cash,$r2->scholarship,$r2->value,$r2->prize,$r2->number,$r2->order,$newfairyear,$r2->excludefromac]); echo i18n('Rolling award contacts') . '
'; // award contacts $q = $pdo->prepare("SELECT * FROM award_contacts WHERE year=?"); @@ -132,19 +132,20 @@ if ($config['FAIRYEAR'] == 2008) { show_pdo_errors_if_any($pdo); while ($r = $q->fetch(PDO::FETCH_OBJ)) $stmt = $pdo->prepare("INSERT INTO award_contacts (award_sponsors_id,salutation,firstname,lastname,position,email,phonehome,phonework,phonecell,fax,notes,year) VALUES ( - '" . $r->award_sponsors_id . "', - '" . $r->salutation . "', - '" . $r->firstname . "', - '" . $r->lastname . "', - '" . $r->position . "', - '" . $r->email . "', - '" . $r->phonehome . "', - '" . $r->phonework . "', - '" . $r->phonecell . "', - '" . $r->fax . "', - '" . $r->notes . "', - '" . $newfairyear . "')"); + ?, + ?, + ?, + ?, + ?, + ?, + ?, + ?, + ?, + ?, + ?, + ?)"); + $stmt->execute([$r->award_sponsors_id,$r->salutation,$r->firstname,$r->lastname,$r->position,$r->email,$r->phonehome,$r->phonework,$r->phonecell,$r->fax,$r->notes,$newfairyear]); echo i18n('Rolling award types') . '
'; // award types $q = $pdo->prepare("SELECT * FROM award_types WHERE year=?"); diff --git a/admin/schools.php b/admin/schools.php index ac43c77e..b95755b4 100644 --- a/admin/schools.php +++ b/admin/schools.php @@ -155,29 +155,35 @@ if (get_value_from_array($_POST, 'save') == 'edit' || get_value_from_array($_POS } $exec = 'UPDATE schools SET ' - . "school='" . get_value_from_array($_POST, 'school') . "', " - . "schoollang='" . get_value_from_array($_POST, 'schoollang') . "', " - . "designate='" . get_value_from_array($_POST, 'schooldesignate') . "', " - . "schoollevel='" . get_value_from_array($_POST, 'schoollevel') . "', " - . "school='" . get_value_from_array($_POST, 'school') . "', " - . "board='" . get_value_from_array($_POST, 'board') . "', " - . "district='" . get_value_from_array($_POST, 'district') . "', " - . "address='" . get_value_from_array($_POST, 'address') . "', " - . "city='" . get_value_from_array($_POST, 'city') . "', " - . "province_code='" . get_value_from_array($_POST, 'province_code') . "', " - . "postalcode='" . get_value_from_array($_POST, 'postalcode') . "', " - . "schoolemail='" . get_value_from_array($_POST, 'schoolemail') . "', " - . "phone='" . get_value_from_array($_POST, 'phone') . "', " - . "fax='" . get_value_from_array($_POST, 'fax') . "', " - . "registration_password='" . get_value_from_array($_POST, 'registration_password') . "', " - . "projectlimit='" . get_value_from_array($_POST, 'projectlimit') . "', " - . "projectlimitper='" . get_value_from_array($_POST, 'projectlimitper') . "', " - . "accesscode='" . get_value_from_array($_POST, 'accesscode') . "', " - . $sciencehead_update . $principal_update - . "atrisk='$atrisk' " - . "WHERE id='$id'"; + . "school=?, " + . "schoollang=?, " + . "designate=?, " + . "schoollevel=?, " + . "school=?, " + . "board=?, " + . "district=?, " + . "address=?, " + . "city=?, " + . "province_code=?, " + . "postalcode=?, " + . "schoolemail=?, " + . "phone=?, " + . "fax=?, " + . "registration_password=?, " + . "projectlimit=?, " + . "projectlimitper=?, " + . "accesscode=?, " + . "? ?" + . "atrisk=?" + . "WHERE id=?"; $stmt = $pdo->prepare($exec); - $stmt->execute(); + $stmt->execute([get_value_from_array($_POST, 'school'),get_value_from_array($_POST, 'schoollang'),get_value_from_array($_POST, 'schooldesignate'),get_value_from_array($_POST, 'schoollevel'), + get_value_from_array($_POST, 'school'),get_value_from_array($_POST, 'board'),get_value_from_array($_POST, 'district'), + get_value_from_array($_POST, 'address'),get_value_from_array($_POST, 'city'),get_value_from_array($_POST, 'province_code'), + get_value_from_array($_POST, 'postalcode'),get_value_from_array($_POST, 'schoolemail'),get_value_from_array($_POST, 'phone'), + get_value_from_array($_POST, 'fax'),get_value_from_array($_POST, 'registration_password'),get_value_from_array($_POST, 'projectlimit'), + get_value_from_array($_POST, 'projectlimitper'),get_value_from_array($_POST, 'accesscode'),$sciencehead_update,$principal_update, + $atrisk,$id]); show_pdo_errors_if_any($pdo); if (get_value_from_array($_POST, 'save') == 'add') diff --git a/admin/schoolsimport.php b/admin/schoolsimport.php index 143c5ab2..394c6055 100644 --- a/admin/schoolsimport.php +++ b/admin/schoolsimport.php @@ -87,26 +87,29 @@ if (get_value_from_array($_POST, 'action') == 'import') { user_save($principal); } $stmt = $pdo->prepare("INSERT INTO schools (school,schoollang,schoollevel,board,district,phone,fax,address,city,province_code,postalcode,schoolemail,accesscode,registration_password,projectlimit,projectlimitper,year,principal_uid,sciencehead_uid) VALUES ( - '" . stripslashes($row[0]) . "', - '" . stripslashes($row[1]) . "', - '" . stripslashes($row[2]) . "', - '" . stripslashes($row[3]) . "', - '" . stripslashes($row[4]) . "', - '" . stripslashes($row[5]) . "', - '" . stripslashes($row[6]) . "', - '" . stripslashes($row[7]) . "', - '" . stripslashes($row[8]) . "', - '" . stripslashes($row[9]) . "', - '" . stripslashes($row[10]) . "', - '" . stripslashes($row[14]) . "', - '" . stripslashes($row[18]) . "', - '" . stripslashes($row[19]) . "', - '" . stripslashes($row[20]) . "', - '" . stripslashes($row[21]) . "', - '" . $config['FAIRYEAR'] . "', - '" . $principal['uid'] . "', - '" . $scienceHead['uid'] . "')"); - $stmt->execute(); + '?, + '?, + '?, + '?', + '?', + '?', + '?', + '?', + '?', + '?', + '?', + '?', + '?', + '?', + '?', + '?', + '?, + '?, + '?)"); + $stmt->execute([stripslashes($row[0]),stripslashes($row[1],stripslashes($row[2]),stripslashes($row[3])), + stripslashes($row[4]),stripslashes($row[5]),stripslashes($row[6]),stripslashes($row[7]),stripslashes($row[8]), + stripslashes($row[9]),stripslashes($row[10]),stripslashes($row[14]),stripslashes($row[18]),stripslashes($row[19]), + stripslashes($row[20]),stripslashes($row[21]),$config['FAIRYEAR'],$principal['uid'],$scienceHead['uid']]); if (!$pdo->errorInfo()) $loaded++; else diff --git a/admin/student_editor.php b/admin/student_editor.php index 94f51a73..b363f79c 100644 --- a/admin/student_editor.php +++ b/admin/student_editor.php @@ -152,25 +152,33 @@ function students_save() // INSERT new record $dob = $_POST['year'][$x] . '-' . $_POST['month'][$x] . '-' . $_POST['day'][$x]; $stmt = $pdo->prepare('INSERT INTO students (registrations_id,firstname,lastname,sex,email,address,city,province,postalcode,phone,dateofbirth,grade,schools_id,tshirt,medicalalert,foodreq,teachername,teacheremail,year) VALUES (' - . "'" . $registrations_id . "', " - . "'" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['firstname'][$x])) . "', " - . "'" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['lastname'][$x])) . "', " - . "'" . stripslashes($_POST['sex'][$x]) . "', " - . "'" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['email'][$x])) . "', " - . "'" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['address'][$x])) . "', " - . "'" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['city'][$x])) . "', " - . "'" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['province'][$x])) . "', " - . "'" . stripslashes($_POST['postalcode'][$x]) . "', " - . "'" . stripslashes($_POST['phone'][$x]) . "', " - . "'$dob', " - . "'" . stripslashes($_POST['grade'][$x]) . "', " - . $schoolvalue - . "'" . stripslashes($_POST['tshirt'][$x]) . "', " - . "'" . stripslashes($_POST['medicalalert'][$x]) . "', " - . "'" . stripslashes($_POST['foodreq'][$x]) . "', " - . "'" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['teachername'][$x])) . "', " - . "'" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['teacheremail'][$x])) . "', " - . "'" . $config['FAIRYEAR'] . "')"); + . "?, " + . "?, " + . "?, " + . "?, " + . "?, " + . "?, " + . "?, " + . "?, " + . "?, " + . "?, " + . "?, " + . "?, " + . "?" + . "?, " + . "?, " + . "?, " + . "?, " + . "?, " + . "?)"); + $stmt->execute([$registrations_id,iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['firstname'][$x])), + iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['lastname'][$x])),stripslashes($_POST['sex'][$x]), + iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['email'][$x])),iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['address'][$x])), + iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['city'][$x])),iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['province'][$x])), + stripslashes($_POST['postalcode'][$x]),stripslashes($_POST['phone'][$x]),$dob,stripslashes($_POST['grade'][$x]), + $schoolvalue,stripslashes($_POST['tshirt'][$x]),stripslashes($_POST['medicalalert'][$x]),stripslashes($_POST['foodreq'][$x]), + iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['teachername'][$x])),iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['teacheremail'][$x])), + $config['FAIRYEAR']]); happy_('%1 %2 successfully added', array($_POST['firstname'][$x], $_POST['lastname'][$x])); } else { @@ -185,25 +193,36 @@ function students_save() // UPDATE existing record $dob = $_POST['year'][$x] . '-' . $_POST['month'][$x] . '-' . $_POST['day'][$x]; $stmt = $pdo->prepare('UPDATE students SET ' - . "firstname='" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['firstname'][$x])) . "', " - . "lastname='" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['lastname'][$x])) . "', " - . "sex='" . stripslashes($_POST['sex'][$x]) . "', " - . "email='" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['email'][$x])) . "', " - . "address='" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['address'][$x])) . "', " - . "city='" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['city'][$x])) . "', " - . "province='" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['province'][$x])) . "', " - . "postalcode='" . stripslashes($_POST['postalcode'][$x]) . "', " - . "phone='" . stripslashes($_POST['phone'][$x]) . "', " - . "dateofbirth='$dob', " - . "grade='" . stripslashes($_POST['grade'][$x]) . "', " - . $schoolquery - . "medicalalert='" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['medicalalert'][$x])) . "', " - . "foodreq='" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['foodreq'][$x])) . "', " - . "teachername='" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['teachername'][$x])) . "', " - . "teacheremail='" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['teacheremail'][$x])) . "', " - . "tshirt='" . stripslashes($_POST['tshirt'][$x]) . "' " - . "WHERE id='" . $_POST['id'][$x] . "'"); - $stmt->execute(); + . "firstname=?, " + . "lastname=?, " + . "sex=/, " + . "email=?, " + . "address=?, " + . "city=?, " + . "province=?, " + . "postalcode=?, " + . "phone=?, " + . "dateofbirth=?, " + . "grade=?, " + . "?" + . "medicalalert=?, " + . "foodreq=?, " + . "teachername=?, " + . "teacheremail=?, " + . "tshirt=/ " + . "WHERE id=?"); + $stmt->execute([iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['firstname'][$x])), + iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['lastname'][$x])), + stripslashes($_POST['sex'][$x]),iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['email'][$x])), + iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['address'][$x])), + iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['city'][$x])), + iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['province'][$x])), + stripslashes($_POST['postalcode'][$x]),stripslashes($_POST['phone'][$x]), + $dob,stripslashes($_POST['grade'][$x]),iconv('UTF-8', 'ISO-8859-1//TRANSLIT', $schoolquery,stripslashes($_POST['medicalalert'][$x])), + iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['foodreq'][$x])), + iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['teachername'][$x])), + iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['teacheremail'][$x])), + stripslashes($_POST['tshirt'][$x]),$_POST['id'][$x]]); happy_('%1 %2 successfully updated', array(iconv('UTF-8', 'ISO-8859-1//TRANSLIT', $_POST['firstname'][$x]), iconv('UTF-8', 'ISO-8859-1//TRANSLIT', $_POST['lastname'][$x]))); } $x++; diff --git a/admin/tours_sa.php b/admin/tours_sa.php index 71ef4cdf..c3fc9c33 100644 --- a/admin/tours_sa.php +++ b/admin/tours_sa.php @@ -304,10 +304,10 @@ foreach ($tours as $x => $t) { (`students_id`,`registrations_id`, `tour_id`,`year`,`rank`) VALUES ( - '$sid', '{$s['registrations_id']}', - '{$t['id']}', '{$config['FAIRYEAR']}', + '?', '?', + '?', '?', '0')"); - $stmt->execute(); + $stmt->execute([$sid,$s['registrations_id'],$t['id'],$config['FAIRYEAR']]); } } diff --git a/admin/translations.php b/admin/translations.php index 940e58df..d0f74b71 100644 --- a/admin/translations.php +++ b/admin/translations.php @@ -65,7 +65,8 @@ if (get_value_from_array($_POST, 'action') == 'save') { if ($_POST['changedFields']) { $changed = split(',', $_POST['changedFields']); foreach ($changed AS $ch) { - $stmt = $pdo->prepare("UPDATE translations SET val='" . stripslashes($_POST['val'][$ch]) . "' WHERE strmd5='" . $ch . "' AND lang='" . $_SESSION['translang'] . "'"); + $stmt = $pdo->prepare("UPDATE translations SET val=? WHERE strmd5=? AND lang=?"); + $stmt->execute([stripslashes($_POST['val'][$ch]),$ch ,$_SESSION['translang']]); } echo happy(i18n('Translation(s) saved')); } diff --git a/config/categories.php b/config/categories.php index 911604be..23df2b87 100644 --- a/config/categories.php +++ b/config/categories.php @@ -71,14 +71,15 @@ if (get_value_from_array($_POST, 'action') == 'new') { if ($q->rowCount()) { echo error(i18n('Category ID %1 already exists', array($_POST['id']), array('category ID'))); } else { - $stmt = $pdo->prepare('INSERT INTO projectcategories (id,category,category_shortform,mingrade,maxgrade,year) VALUES ( ' - . "'" . $_POST['id'] . "', " - . "'" . stripslashes($_POST['category']) . "', " - . "'" . stripslashes($_POST['category_shortform']) . "', " - . "'" . $_POST['mingrade'] . "', " - . "'" . $_POST['maxgrade'] . "', " - . "'" . $config['FAIRYEAR'] . "')"); - $stmt->execute(); + $stmt = $pdo->prepare('INSERT INTO projectcategories (id,category,category_shortform,mingrade,maxgrade,year) VALUES ( + ?, + ?, + ?, + ?, + ?, + ?)'); + $stmt->execute([$_POST['id'],stripslashes($_POST['category']),stripslashes($_POST['category_shortform']), + $_POST['mingrade'],$_POST['maxgrade'],$config['FAIRYEAR']]); echo happy(i18n('Category successfully added')); } } else { diff --git a/config/divisions.php b/config/divisions.php index 42951f2b..51f71511 100644 --- a/config/divisions.php +++ b/config/divisions.php @@ -63,11 +63,8 @@ if (get_value_from_array($_POST, 'action') == 'edit') { $stmt->execute([ $_POST['saveid'],$config['FAIRYEAR']]); if (is_array($_POST['divcat'])) { foreach ($_POST['divcat'] as $tempcat) { - $stmt = $pdo->prepare('INSERT INTO projectcategoriesdivisions_link (projectdivisions_id,projectcategories_id,year) VALUES ( ' - . "'" . $_POST['id'] . "', " - . "'" . $tempcat . "', " - . "'" . $config['FAIRYEAR'] . "') "); - $stmt->execute(); + $stmt = $pdo->prepare('INSERT INTO projectcategoriesdivisions_link (projectdivisions_id,projectcategories_id,year) VALUES (?,?,?)'); + $stmt->execute([$_POST['id'],$tempcat,$config['FAIRYEAR']]); } } } @@ -82,25 +79,19 @@ if (get_value_from_array($_POST, 'action') == 'edit') { if (get_value_from_array($_POST, 'action') == 'new') { if (get_value_from_array($_POST, 'id') && get_value_from_array($_POST, 'division')) { - $q = $pdo->prepare("SELECT id FROM projectdivisions WHERE id='" . $_POST['id'] . "' AND year='" . $config['FAIRYEAR'] . "'"); - $q->execute(); + $q = $pdo->prepare("SELECT id FROM projectdivisions WHERE id=? AND year=?"); + $q->execute([$_POST['id'],$config['FAIRYEAR']]); if ($q->rowCount()) { echo error(i18n('Division ID %1 already exists', array($_POST['id']), array('division ID'))); } else { - $stmt = $pdo->prepare('INSERT INTO projectdivisions (id,division,division_shortform,year) VALUES ( ' - . "'" . $_POST['id'] . "', " - . "'" . stripslashes($_POST['division']) . "', " - . "'" . stripslashes($_POST['division_shortform']) . "', " - . "'" . $config['FAIRYEAR'] . "') "); - $stmt->execute(); + $stmt = $pdo->prepare('INSERT INTO projectdivisions (id,division,division_shortform,year) VALUES (?,?,?,?)'); + $stmt->execute([$_POST['id'],stripslashes($_POST['division']),stripslashes($_POST['division_shortform']),$config['FAIRYEAR']]); // ###### Feature Specific - filtering divisions by category if ($config['filterdivisionbycategory'] == 'yes') { foreach ($_POST['divcat'] as $tempcat) { - $stmt = $pdo->prepare('INSERT INTO projectcategoriesdivisions_link (projectdivisions_id,projectcategories_id,year) VALUES ( ' - . "'" . $tempcat . "', " - . "'" . $config['FAIRYEAR'] . "') "); - $stmt->execute(); + $stmt = $pdo->prepare('INSERT INTO projectcategoriesdivisions_link (projectdivisions_id,projectcategories_id,year) VALUES (?,?)'); + $stmt->execute([$tempcat,$conference['id']]); } } // ####### @@ -114,10 +105,10 @@ if (get_value_from_array($_POST, 'action') == 'new') { if (get_value_from_array($_GET, 'action') == 'remove' && get_value_from_array($_GET, 'remove')) { // ###### Feature Specific - filtering divisions by category - not conditional, cause even if they have the filtering turned off..if any links // for this division exist they should be deleted - $stmt = $pdo->prepare("DELETE FROM projectcategoriesdivisions_link where projectdivisions_id='" . $_GET['remove'] . "' AND year='" . $config['FAIRYEAR'] . "'"); - $stmt->execute(); - $stmt = $pdo->prepare("DELETE FROM projectdivisions WHERE id='" . $_GET['remove'] . "' AND year='" . $config['FAIRYEAR'] . "'"); - $stmt->execute(); + $stmt = $pdo->prepare("DELETE FROM projectcategoriesdivisions_link where projectdivisions_id=? AND year=?"); + $stmt->execute([$_GET['remove'], $config['FAIRYEAR']]); + $stmt = $pdo->prepare("DELETE FROM projectdivisions WHERE id=? AND year=?"); + $stmt->execute([$_GET['remove'],$config['FAIRYEAR']]); echo happy(i18n('Division successfully removed')); } @@ -142,8 +133,8 @@ if (get_value_from_array($_GET, 'action') == 'edit' || get_value_from_array($_GE echo '\n"; if (get_value_from_array($_GET, 'action') == 'edit') { echo '\n"; - $q = $pdo->prepare("SELECT * FROM projectdivisions WHERE id='" . get_value_from_array($_GET, 'edit') . "' AND year='" . $config['FAIRYEAR'] . "'"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM projectdivisions WHERE id=? AND year=?"); + $q->execute([get_value_from_array($_GET, 'edit'),$config['FAIRYEAR']]); $divisionr = $q->fetch(PDO::FETCH_OBJ); $buttontext = 'Save'; @@ -158,12 +149,12 @@ if (get_value_from_array($_GET, 'action') == 'edit' || get_value_from_array($_GE // ###### Feature Specific - filtering divisions by category if ($config['filterdivisionbycategory'] == 'yes') { echo ' '; - $q = $pdo->prepare("SELECT * FROM projectcategories WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY mingrade"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM projectcategories WHERE year=? ORDER BY mingrade"); + $q->execute([$config['FAIRYEAR']]); while ($categoryr = $q->fetch(PDO::FETCH_OBJ)) { - $query = 'SELECT * FROM projectcategoriesdivisions_link WHERE projectdivisions_id=' . $divisionr->id . ' AND projectcategories_id=' . $categoryr->id . " AND year='" . $config['FAIRYEAR'] . "'"; + $query = 'SELECT * FROM projectcategoriesdivisions_link WHERE projectdivisions_id=? AND projectcategories_id=? AND year=?'; $t = $pdo->prepare($query); - $t->execute(); + $t->execute([$divisionr->id,$categoryr->id,$config['FAIRYEAR']]); if ($t && $t->rowCount() > 0) echo "id\" checked=\"checked\" /> $categoryr->category
"; else @@ -175,8 +166,8 @@ if (get_value_from_array($_GET, 'action') == 'edit' || get_value_from_array($_GE echo ' '; echo ''; } else { - $q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY id"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year=? ORDER BY id"); + $q->execute([$config['FAIRYEAR']]); while ($r = $q->fetch(PDO::FETCH_OBJ)) { echo ''; echo " $r->id"; @@ -186,11 +177,11 @@ if (get_value_from_array($_GET, 'action') == 'edit' || get_value_from_array($_GE if ($config['filterdivisionbycategory'] == 'yes') { $c = $pdo->prepare("SELECT category FROM projectcategoriesdivisions_link, projectcategories WHERE projectcategoriesdivisions_link.projectcategories_id = projectcategories.id - AND projectdivisions_id='$r->id' - AND projectcategoriesdivisions_link.year='" . $config['FAIRYEAR'] . "' - AND projectcategories.year='" . $config['FAIRYEAR'] . "' + AND projectdivisions_id=? + AND projectcategoriesdivisions_link.year=? + AND projectcategories.year=? ORDER BY projectcategories.mingrade"); - $c->execute(); + $c->execute([$r->id,$config['FAIRYEAR'],$config['FAIRYEAR']]); show_pdo_errors_if_any($pdo); if (!$c) { $tempcat = ' '; diff --git a/config/pagetexts.php b/config/pagetexts.php index 2a236b4a..62946565 100644 --- a/config/pagetexts.php +++ b/config/pagetexts.php @@ -48,13 +48,14 @@ if ($q_current->rowCount() == 0) { $q1 = $pdo->prepare("INSERT INTO pagetext (`textname`,`textdescription`,`text`,`year`,`lang`) VALUES ( - ".$pdo->quote($r->textname).", - ".$pdo->quote($r->textdescription).", - ".$pdo->quote($r->text).", - ".$pdo->quote($config['FAIRYEAR']).", - ".$pdo->quote($lang).")"); + ?, + ?, + ?, + ?, + ?)"); - $q1->execute(); + $q1->execute([$pdo->quote($r->textname),$pdo->quote($r->textdescription),$pdo->quote($r->text), + $pdo->quote($config['FAIRYEAR']),$pdo->quote($lang)]); } } } @@ -69,12 +70,12 @@ $stmt = $pdo->prepare("UPDATE pagetext SET lastupdate=NOW(), - text=$text + text=? WHERE - textname=".$pdo->quote($_POST['textname'])." - AND year='".$config['FAIRYEAR']."' - AND lang='$lang'"); - $stmt->execute(); + textname=? + AND year=? + AND lang=?"); + $stmt->execute([$text,$pdo->quote($_POST['textname']),$config['FAIRYEAR'],$lang]); } echo happy(i18n("Page texts successfully saved")); diff --git a/config/rollover.php b/config/rollover.php index dc475df4..067dcb9a 100644 --- a/config/rollover.php +++ b/config/rollover.php @@ -139,11 +139,11 @@ if (get_value_from_array($_POST, 'action') == 'rollover' && get_value_from_array show_pdo_errors_if_any($pdo); while ($r = $q->fetch(PDO::FETCH_OBJ)) { $stmt = $pdo->prepare("INSERT INTO dates (date,name,description,year) VALUES ( - '" . $r->newdate . "', - '" . $r->name . "', - '" . $r->description . "', - '" . $newfairyear . "')"); - $stmt->execute(); + ?, + ?, + ?, + ?)"); + $stmt->execute([$r->newdate,$r->name,$r->description,$newfairyear]); show_pdo_errors_if_any($pdo); } @@ -154,13 +154,13 @@ if (get_value_from_array($_POST, 'action') == 'rollover' && get_value_from_array show_pdo_errors_if_any($pdo); while ($r = $q->fetch(PDO::FETCH_OBJ)) { $stmt = $pdo->prepare("INSERT INTO pagetext (textname,textdescription,text,lastupdate,year,lang) VALUES ( - '" . $r->textname . "', - '" . $r->textdescription . "', - '" . $r->text . "', - '" . $r->lastupdate . "', - '" . $newfairyear . "', - '" . $r->lang . "')"); - $stmt->execute(); + ?, + ?, + ?, + ?, + ?, + ?)"); + $stmt->execute([$r->textname,$r->textdescription,$r->text,$r->lastupdate,$newfairyear,$r->lang]); show_pdo_errors_if_any($pdo); } @@ -171,13 +171,13 @@ if (get_value_from_array($_POST, 'action') == 'rollover' && get_value_from_array show_pdo_errors_if_any($pdo); while ($r = $q->fetch(PDO::FETCH_OBJ)) { $stmt = $pdo->prepare("INSERT INTO projectcategories (id,category,category_shortform,mingrade,maxgrade,year) VALUES ( - '" . $r->id . "', - '" . $r->category . "', - '" . $r->category_shortform . "', - '" . $r->mingrade . "', - '" . $r->maxgrade . "', - '" . $newfairyear . "')"); - $stmt->execute(); + ?, + ?, + ?, + ?, + ?, + ?)"); + $stmt->execute([$r->id,$r->category,$r->category_shortform,$r->mingrade,$r->maxgrade,$newfairyear]); show_pdo_errors_if_any($pdo); } @@ -188,12 +188,12 @@ if (get_value_from_array($_POST, 'action') == 'rollover' && get_value_from_array show_pdo_errors_if_any($pdo); while ($r = $q->fetch(PDO::FETCH_OBJ)) { $stmt = $pdo->prepare("INSERT INTO projectdivisions (id,division,division_shortform,cwsfdivisionid,year) VALUES ( - '" . $r->id . "', - '" . $r->division . "', - '" . $r->division_shortform . "', - '" . $r->cwsfdivisionid . "', - '" . $newfairyear . "')"); - $stmt->execute(); + ?, + ?, + ?, + ?, + ?)"); + $stmt->execute([$r->id,$r->division,$r->division_shortform,$r->cwsfdivisionid,$newfairyear]); show_pdo_errors_if_any($pdo); } @@ -204,10 +204,10 @@ if (get_value_from_array($_POST, 'action') == 'rollover' && get_value_from_array show_pdo_errors_if_any($pdo); while ($r = $q->fetch(PDO::FETCH_OBJ)) { $stmt = $pdo->prepare("INSERT INTO projectcategoriesdivisions_link (projectdivisions_id,projectcategories_id,year) VALUES ( - '" . $r->projectdivisions_id . "', - '" . $r->projectcategories_id . "', - '" . $newfairyear . "')"); - $stmt->execute(); + ?, + ?, + ?)"); + $stmt->execute([$r->projectdivisions_id,$r->projectcategories_id ,$newfairyear]); show_pdo_errors_if_any($pdo); } @@ -218,11 +218,11 @@ if (get_value_from_array($_POST, 'action') == 'rollover' && get_value_from_array show_pdo_errors_if_any($pdo); while ($r = $q->fetch(PDO::FETCH_OBJ)) { $stmt = $pdo->prepare("INSERT INTO projectsubdivisions (id,projectdivisions_id,subdivision,year) VALUES ( - '" . $r->id . "', - '" . $r->projectsubdivisions_id . "', - '" . $r->subdivision . "', - '" . $newfairyear . "')"); - $stmt->execute(); + ?, + ?, + ?, + ?)"); + $stmt->execute([$r->id,$r->projectsubdivisions_id,$r->subdivision,$newfairyear]); show_pdo_errors_if_any($pdo); } @@ -233,12 +233,12 @@ if (get_value_from_array($_POST, 'action') == 'rollover' && get_value_from_array show_pdo_errors_if_any($pdo); while ($r = $q->fetch(PDO::FETCH_OBJ)) { $stmt = $pdo->prepare("INSERT INTO safetyquestions (question,type,required,ord,year) VALUES ( - '" . $r->question . "', - '" . $r->type . "', - '" . $r->required . "', - '" . $r->ord . "', - '" . $newfairyear . "')"); - $stmt->execute(); + ?, + ?, + ?, + ?, + ?"); + $stmt->execute([$r->question,$r->type,$r->required ,$r->ord,$newfairyear]); show_pdo_errors_if_any($pdo); } @@ -270,11 +270,11 @@ if (get_value_from_array($_POST, 'action') == 'rollover' && get_value_from_array show_pdo_errors_if_any($pdo); while ($r = $q->fetch(PDO::FETCH_OBJ)) { $stmt = $pdo->prepare("INSERT INTO award_types (id,type,`order`,year) VALUES ( - '" . $r->id . "', - '" . $r->type . "', - '" . $r->order . "', - '" . $newfairyear . "')"); - $stmt->execute(); + ?, + ?, + ?, + ?)"); + $stmt->execute([$r->id,$r->type,$r->order,$newfairyear]); show_pdo_errors_if_any($pdo); } @@ -288,28 +288,33 @@ if (get_value_from_array($_POST, 'action') == 'rollover' && get_value_from_array $shuid = ($r->sciencehead_uid == null) ? 'NULL' : ("'" . intval($r->sciencehead_uid) . "'"); $stmt = $pdo->prepare('INSERT INTO schools (school,schoollang,schoollevel,board,district,phone,fax,address,city,province_code,postalcode,principal_uid,schoolemail,sciencehead_uid,accesscode,lastlogin,junior,intermediate,senior,registration_password,projectlimit,projectlimitper,year) VALUES ( - ' . $pdo->quote($r->school) . ', - ' . $pdo->quote($r->schoollang) . ', - ' . $pdo->quote($r->schoollevel) . ', - ' . $pdo->quote($r->board) . ', - ' . $pdo->quote($r->district) . ', - ' . $pdo->quote($r->phone) . ', - ' . $pdo->quote($r->fax) . ', - ' . $pdo->quote($r->address) . ', - ' . $pdo->quote($r->city) . ', - ' . $pdo->quote($r->province_code) . ', - ' . $pdo->quote($r->postalcode) . ",$puid, - " . $pdo->quote($r->schoolemail) . ",$shuid, - " . $pdo->quote($r->accesscode) . ', + ?, + ?, + ?, + ?, + ?, + ?, + ?, + ?, + ?, + ?, + ?,?, + ?,?, + ?, NULL, - ' . $pdo->quote($r->junior) . ', - ' . $pdo->quote($r->intermediate) . ', - ' . $pdo->quote($r->senior) . ', - ' . $pdo->quote($r->registration_password) . ', - ' . $pdo->quote($r->projectlimit) . ', - ' . $pdo->quote($r->projectlimitper) . ', - ' . $newfairyear . ')'); - $stmt->execute(); + ?, + ?, + ?, + ?, + ?, + ?, + ?)'); + $stmt->execute([$pdo->quote($r->school),$pdo->quote($r->schoollang),$pdo->quote($r->schoollevel), + $pdo->quote($r->board),$pdo->quote($r->district),$pdo->quote($r->phone),$pdo->quote($r->fax), + $pdo->quote($r->address),$pdo->quote($r->city),$pdo->quote($r->province_code),$pdo->quote($r->postalcode),$puid, + $pdo->quote($r->schoolemail),$shuid,$pdo->quote($r->accesscode),$pdo->quote($r->junior),$pdo->quote($r->intermediate), + $pdo->quote($r->senior),$pdo->quote($r->registration_password),$pdo->quote($r->projectlimit),$pdo->quote($r->projectlimitper), + $newfairyear ]); show_pdo_errors_if_any($pdo); } @@ -320,14 +325,15 @@ if (get_value_from_array($_POST, 'action') == 'rollover' && get_value_from_array while ($r = $q->fetch(PDO::FETCH_OBJ)) { $stmt = $pdo->prepare("INSERT INTO questions (id,year,section,db_heading,question,type,required,ord) VALUES ( '', - '$newfairyear', - " . $pdo->quote($r->section) . ', - ' . $pdo->quote($r->db_heading) . ', - ' . $pdo->quote($r->question) . ', - ' . $pdo->quote($r->type) . ', - ' . $pdo->quote($r->required) . ', - ' . $pdo->quote($r->ord) . ')'); - $stmt->execute(); + ?, + ?, + ?, + ?, + ?, + ?, + ?)"); + $stmt->execute([$newfairyear,$pdo->quote($r->section),$pdo->quote($r->db_heading),$pdo->quote($r->question), + $pdo->quote($r->type),$pdo->quote($r->required),$pdo->quote($r->ord)]); show_pdo_errors_if_any($pdo); } @@ -347,9 +353,9 @@ if (get_value_from_array($_POST, 'action') == 'rollover' && get_value_from_array while ($r = $q->fetch(PDO::FETCH_ASSOC)) { $d = $newfairyear - $currentfairyear; $stmt = $pdo->prepare("INSERT INTO judges_timeslots (`year`,`round_id`,`type`,`date`,`starttime`,`endtime`,`name`) - VALUES ('$newfairyear','0','{$r['type']}',DATE_ADD('{$r['date']}', INTERVAL $d YEAR), - '{$r['starttime']}','{$r['endtime']}','{$r['name']}')"); - $stmt->execute(); + VALUES (?,'0',?,DATE_ADD(?, INTERVAL ? YEAR), + ?,?,?)"); + $stmt->execute([$newfairyear,$r['type'],$r['date'],$d,$r['starttime'],$r['endtime'],$r['name']]); show_pdo_errors_if_any($pdo); $round_id = $pdo->lastInsertId(); $qq = $pdo->prepare("SELECT * FROM judges_timeslots WHERE round_id=?"); @@ -357,9 +363,9 @@ if (get_value_from_array($_POST, 'action') == 'rollover' && get_value_from_array show_pdo_errors_if_any($pdo); while ($rr = $qq->fetch(PDO::FETCH_ASSOC)) { $stmt = $pdo->prepare("INSERT INTO judges_timeslots (`year`,`round_id`,`type`,`date`,`starttime`,`endtime`) - VALUES ('$newfairyear','$round_id','timeslot',DATE_ADD('{$rr['date']}', INTERVAL $d YEAR), - '{$rr['starttime']}','{$rr['endtime']}')"); - $stmt->execute(); + VALUES (?,?,'timeslot',DATE_ADD(?, INTERVAL ? YEAR), + ?,?)"); + $stmt->execute([$newfairyear,$round_id,$rr['date'],$d,$rr['starttime'],$rr['endtime']]); show_pdo_errors_if_any($pdo); } } diff --git a/config/safetyquestions.php b/config/safetyquestions.php index 35e335d1..039c73ef 100644 --- a/config/safetyquestions.php +++ b/config/safetyquestions.php @@ -36,12 +36,13 @@ if (get_value_from_array($_POST, 'action') == 'save' && get_value_from_array($_P echo notice(i18n('Defaulting non-numeric order value %1 to 0', array($_POST['ord']))); $stmt = $pdo->prepare("UPDATE safetyquestions SET - question='" . stripslashes($_POST['question']) . "', - `type`='" . stripslashes($_POST['type']) . "', - `required`='" . stripslashes($_POST['required']) . "', - ord='" . stripslashes($_POST['ord']) . "' - WHERE id='" . $_POST['save'] . "' AND year='" . $config['FAIRYEAR'] . "'"); - $stmt->execute(); + question=?, + `type`=?, + `required`=?, + ord=? + WHERE id=? AND year=?"); + $stmt->execute([stripslashes($_POST['question']),stripslashes($_POST['type']),stripslashes($_POST['required']), + stripslashes($_POST['ord']),$_POST['save'],$config['FAIRYEAR']]); show_pdo_errors_if_any($pdo); echo happy(i18n('Safety question successfully saved')); @@ -52,13 +53,14 @@ if (get_value_from_array($_POST, 'action') == 'save' && get_value_from_array($_P if (get_value_from_array($_POST, 'action') == 'new') { if ($_POST['question']) { $stmt = $pdo->prepare("INSERT INTO safetyquestions (question,type,required,ord,year) VALUES ( - '" . stripslashes($_POST['question']) . "', - '" . stripslashes($_POST['type']) . "', - '" . stripslashes($_POST['required']) . "', - '" . stripslashes($_POST['ord']) . "', - '" . $config['FAIRYEAR'] . "' + ?, + ?, + ?, + ?, + ? )"); - $stmt->execute(); + $stmt->execute([stripslashes($_POST['question']),stripslashes($_POST['type']),stripslashes($_POST['required']), + stripslashes($_POST['ord']),$config['FAIRYEAR'] ]); show_pdo_errors_if_any($pdo); echo happy(i18n('Safety question successfully added')); diff --git a/config/subdivisions.php b/config/subdivisions.php index 835cb641..279615ed 100644 --- a/config/subdivisions.php +++ b/config/subdivisions.php @@ -75,11 +75,11 @@ if (get_value_from_array($_POST, 'action') == 'new') { echo error(i18n('Sub-Division ID %1 already exists', array($newid))); } else { $stmt = $pdo->prepare('INSERT INTO projectsubdivisions (id,projectdivisions_id,subdivision,year) VALUES ( ' - . "'$newid', " - . "'" . $_POST['projectdivisions_id'] . "', " - . "'" . stripslashes($_POST['subdivision']) . "', " - . "'" . $config['FAIRYEAR'] . "') "); - $stmt->execute(); + . "?, " + . "?, " + . "?, " + . "?) "); + $stmt->execute([$newid,$_POST['projectdivisions_id'],stripslashes($_POST['subdivision']),$config['FAIRYEAR']]); echo happy(i18n('Sub-Division successfully added')); } } else { diff --git a/config/variables.php b/config/variables.php index 4d30f7dc..ea4deb31 100644 --- a/config/variables.php +++ b/config/variables.php @@ -32,14 +32,15 @@ $q = $pdo->prepare("SELECT * FROM config WHERE year='-1'"); $q->execute(); while ($r = $q->fetch(PDO::FETCH_OBJ)) { $q = $pdo->prepare("INSERT INTO config (var,val,category,type,type_values,ord,description,year) VALUES ( - '" . $r->var . "', - '" . $r->val . "', - '" . $r->category . "', - '" . $r->type . "', - '" . $r->type_values . "', - '" . $r->ord . "', - '" . $r->description . "', - '" . $config['FAIRYEAR'] . "')"); + ?, + ?, + ?, + ?, + ?, + ?, + ?, + ?)"); + $q->execute([$r->var,$r->val,$r->category,$r->type,$r->type_values,$r->ord,$r->description,$config['FAIRYEAR']]); } // for the Special category diff --git a/db/db.update.118.php b/db/db.update.118.php index 79fc7d6b..e652b8f4 100644 --- a/db/db.update.118.php +++ b/db/db.update.118.php @@ -58,14 +58,14 @@ function db_update_118_post() $password .= $available[rand(0, $availlen)]; // set passwordset to 0000-00-00 to force it to expire on next login - $sql = 'INSERT INTO users (`types`,`username`,`created`,`password`,`passwordset`,`' . implode('`,`', $userfields) . '`,`year`) VALUES ('; - $sql .= "'sponsor','" . $username . "',NOW(),'$password','0000-00-00'"; + $sql = 'INSERT INTO users (`types`,`username`,`created`,`password`,`passwordset`,`' . implode('`,`','?') . '`,`year`) VALUES ('; + $sql .= "'sponsor',?,NOW(),?,'0000-00-00'"; foreach ($userfields AS $f) { $sql .= ",'" . $r->$f . "'"; } $sql .= ",'" . $r->year . "')"; $stmt = $pdo->prepare($sql); - $stmt->execute(); + $stmt->execute([$userfields,$username,$password]); show_pdo_errors_if_any($pdo); $user_id = $pdo->lastInsertId(); diff --git a/db/db.update.62.php b/db/db.update.62.php index 079ca2f8..8aac3a31 100644 --- a/db/db.update.62.php +++ b/db/db.update.62.php @@ -48,19 +48,19 @@ function db_update_62_post() (`types`,`firstname`,`lastname`,`username`,`password`,`passwordexpiry`, `email`,`phonehome`,`phonework`,`phonecell`,`fax`,`organization`, `created`,`deleted`) - VALUES ('committee','$fn', '$ln', '$username', - '" . $c['password'] . "', - $passwordexpiry, - '{$c['email']}', - '{$c['phonehome']}', - '{$c['phonework']}', - '{$c['phonecell']}', - '{$c['fax']}', - '" . $c['organization'] . "', + VALUES ('committee',?,?,?, + ?, + ?, + ?, + ?, + ?, + ?, + ?, + ?, NOW(), - '$deleted')"; + ?)"; $stmt = $pdo->prepare($q); - $stmt->execute(); + $stmt->execute([$fn,$ln,$username,$c['password'],$passwordexpiry,$c['email'],$c['phonehome'],$c['phonework'],$c['phonecell'],$c['fax'],$c['organization'],$deleted]); echo "$q\n"; $id = $pdo->lastInsertId(); @@ -71,22 +71,22 @@ function db_update_62_post() $q = "INSERT INTO users_committee(`users_id`,`emailprivate`, `ord`,`displayemail`,`access_admin`,`access_config`, `access_super`) VALUES ( - '$id', '{$c['emailprivate']}', - '{$c['ord']}', - '$displayemail', - '$access_admin', - '$access_config', - '$access_super')"; + ?,?, + ?, + ?, + ?, + ?, + ?)"; $stmt = $pdo->prepare($q); - $stmt->execute(); + $stmt->execute([$id,$c['emailprivate'],$c['ord'],$displayemail,$access_admin,$access_config,$access_super]); echo "$q\n"; show_pdo_errors_if_any($pdo); /* Update committee links */ - $q = "UPDATE committees_link SET users_id='$id' - WHERE committees_members_id='{$c['id']}'"; + $q = "UPDATE committees_link SET users_id=? + WHERE committees_members_id=?"; $stmt = $pdo->prepare($q); - $stmt->execute(); + $stmt->execute([$id,$c['id']]); echo "$q\n"; } } diff --git a/questions.inc.php b/questions.inc.php index 3ef2ec07..c5c4090c 100644 --- a/questions.inc.php +++ b/questions.inc.php @@ -194,14 +194,14 @@ function questions_save_new_question($qs, $year) { global $pdo; $stmt = $pdo->prepare('INSERT INTO questions ' - . '(question,type,section,db_heading,required,ord,year) VALUES (' - ?," - ?," - ?," - ?," - ?," - ?," - ?")"); + . '(question,type,section,db_heading,required,ord,year) VALUES ( + ?, + ?, + ?, + ?, + ?, + ?, + ?)'); $stmt->execute([$qs['question'],$qs['type'],$qs['section'],$qs['db_heading'],$qs['required'],$year]); show_pdo_errors_if_any($pdo); } diff --git a/register_participants.php b/register_participants.php index 77a74977..8cd4e368 100644 --- a/register_participants.php +++ b/register_participants.php @@ -33,14 +33,14 @@ $q = $pdo->query("SELECT (NOW()>'" . $config['dates']['regopen'] . "' AND NOW()< $datecheck = $q->fetch(PDO::FETCH_OBJ); if (get_value_from_array($_POST, 'action') == 'new') { - $q = $pdo->prepare("SELECT email,num,id,schools_id FROM registrations WHERE email=? AND num=? AND year=?"); - $q->execute([$_SESSION['email'],$_POST['regnum'],$config['FAIRYEAR']]); + $q = $pdo->prepare('SELECT email,num,id,schools_id FROM registrations WHERE email=? AND num=? AND year=?'); + $q->execute([$_SESSION['email'], $_POST['regnum'], $config['FAIRYEAR']]); if ($q->rowCount()) { $r = $q->fetch(PDO::FETCH_OBJ); $_SESSION['registration_number'] = $r->num; $_SESSION['registration_id'] = $r->id; - $stmt = $pdo->prepare("INSERT INTO students (registrations_id,email,schools_id,year) VALUES (?,?,?,?)"); - $stmt->execute([$r->id,$_SESSION['email'],$r->schools_id,$config['FAIRYEAR']]); + $stmt = $pdo->prepare('INSERT INTO students (registrations_id,email,schools_id,year) VALUES (?,?,?,?)'); + $stmt->execute([$r->id, $_SESSION['email'], $r->schools_id, $config['FAIRYEAR']]); $stmt = $pdo->prepare("UPDATE registrations SET status='open' WHERE id=?"); $stmt->execute([$r->id]); @@ -56,13 +56,24 @@ if (get_value_from_array($_POST, 'action') == 'new') { if (get_value_from_array($_POST, 'email')) $_SESSION['email'] = stripslashes($_POST['email']); - $q = $pdo->prepare('SELECT registrations.id AS regid, registrations.num AS regnum, students.id AS studentid, students.firstname FROM registrations,students ' - . "WHERE students.email='" . $_SESSION['email'] . "' " - . "AND registrations.num='" . intval($_POST['regnum']) . "' " - . 'AND students.registrations_id=registrations.id ' - . 'AND registrations.year=' . $config['FAIRYEAR'] . ' ' - . 'AND students.year=' . $config['FAIRYEAR']); - $q->execute(); + $q = $pdo->prepare('SELECT + registrations.id AS regid, + registrations.num AS regnum, + students.id AS studentid, + students.firstname + FROM registrations + JOIN students ON students.registrations_id = registrations.id + WHERE students.email = ? + AND registrations.num = ? + AND registrations.year = ? + AND students.year = ?'); + + $q->execute([ + $_SESSION['email'], + intval($_POST['regnum']), + $config['FAIRYEAR'], + $config['FAIRYEAR'] + ]); if ($q->rowCount()) { $r = $q->fetch(PDO::FETCH_OBJ); @@ -78,24 +89,24 @@ if (get_value_from_array($_POST, 'action') == 'new') { } } else if (get_value_from_array($_GET, 'action') == 'resend' && get_value_from_array($_SESSION, 'email')) { // first see if the email matches directly from the registrations table - $q = $pdo->prepare("SELECT registrations.num FROM + $q = $pdo->prepare('SELECT registrations.num FROM registrations WHERE registrations.email=? - AND registrations.year=?"); + AND registrations.year=?'); $q->execute([$_SESSION['email'], $config['FAIRYEAR']]); if ($q->rowCount()) $r = $q->fetch(PDO::FETCH_OBJ); else { // no match from registrations, so lets see if it matches from the students table - $q = $pdo->prepare("SELECT registrations.num FROM + $q = $pdo->prepare('SELECT registrations.num FROM registrations, students WHERE students.email=? AND students.registrations_id=registrations.id - AND registrations.year=?"); - $q->execute([$_SESSION['email'],$config['FAIRYEAR']]); + AND registrations.year=?'); + $q->execute([$_SESSION['email'], $config['FAIRYEAR']]); $r = $q->fetch(PDO::FETCH_OBJ); } @@ -214,7 +225,7 @@ if (get_value_from_array($_POST, 'action') == 'login' && (get_value_from_array($ } else if ($config['participant_registration_type'] == 'schoolpassword') { $showschoolpasswordform = true; if ($_POST['schoolpassword'] && $_POST['schoolid']) { - $q = $pdo->prepare("SELECT registration_password FROM schools WHERE id=? AND year=?"); + $q = $pdo->prepare('SELECT registration_password FROM schools WHERE id=? AND year=?'); $q->execute([$_POST['schoolid'], $config['FAIRYEAR']]); $r = $q->fetch(PDO::FETCH_OBJ); @@ -237,7 +248,7 @@ if (get_value_from_array($_POST, 'action') == 'login' && (get_value_from_array($ echo ''; echo i18n('Email Address:') . ' ' . $_SESSION['email'] . '
'; echo i18n('School: '); - $q = $pdo->prepare("SELECT id,school FROM schools WHERE year=? ORDER BY school"); + $q = $pdo->prepare('SELECT id,school FROM schools WHERE year=? ORDER BY school'); $q->execute([$config['FAIRYEAR']]); echo '\n"; echo '\n"; @@ -450,7 +495,7 @@ for ($x = 1; $x <= $numtoshow; $x++) { } echo '' . REQUIREDFIELD; } else { - $schoolq = $pdo->prepare("SELECT id,school FROM schools WHERE year=? AND id=?"); + $schoolq = $pdo->prepare('SELECT id,school FROM schools WHERE year=? AND id=?'); $schoolq->execute([$config['FAIRYEAR'], $studentinfo->schools_id]); $r = $schoolq->fetch(PDO::FETCH_OBJ); echo $r->school; @@ -465,8 +510,8 @@ for ($x = 1; $x <= $numtoshow; $x++) { echo "\n"; if ($config['participant_regfee_items_enable'] == 'yes') { - $sel_q = $pdo->prepare("SELECT * FROM regfee_items_link - WHERE students_id=?"); + $sel_q = $pdo->prepare('SELECT * FROM regfee_items_link + WHERE students_id=?'); $sel_q->execute([$id]); $sel = array(); while ($info_q = $sel_q->fetch(PDO::FETCH_ASSOC)) { diff --git a/register_participants_tours.php b/register_participants_tours.php index 525d0074..1ff643b0 100644 --- a/register_participants_tours.php +++ b/register_participants_tours.php @@ -38,14 +38,23 @@ if (!$_SESSION['registration_number']) { exit; } -$q = $pdo->prepare('SELECT registrations.id AS regid, students.id AS studentid, students.firstname FROM registrations,students ' - . "WHERE students.email='" . $_SESSION['email'] . "' " - . "AND registrations.num='" . $_SESSION['registration_number'] . "' " - . "AND registrations.id='" . $_SESSION['registration_id'] . "' " - . 'AND students.registrations_id=registrations.id ' - . 'AND registrations.year=' . $config['FAIRYEAR'] . ' ' - . 'AND students.year=' . $config['FAIRYEAR']); -$q->execute(); +$q = $pdo->prepare('SELECT registrations.id AS regid, students.id AS studentid, students.firstname + FROM registrations + JOIN students ON students.registrations_id = registrations.id + WHERE students.email = ? + AND registrations.num = ? + AND registrations.id = ? + AND registrations.year = ? + AND students.year = ?'); + +$q->execute([ + $_SESSION['email'], + $_SESSION['registration_number'], + $_SESSION['registration_id'], + $config['FAIRYEAR'], + $config['FAIRYEAR'] +]); + show_pdo_errors_if_any($pdo); if ($q->rowCount() == 0) { @@ -74,7 +83,7 @@ if ($_POST['action'] == 'save') { WHERE registrations_id=? AND year=? AND rank!='0'"); - $stmt->execute([$_SESSION['registration_id'],$config['FAIRYEAR']]); + $stmt->execute([$_SESSION['registration_id'], $config['FAIRYEAR']]); if (is_array($_POST['toursel'])) { foreach ($_POST['toursel'] AS $students_id => $ts) { $selarray = array(); @@ -94,13 +103,18 @@ if ($_POST['action'] == 'save') { /* Remember this choice in a format that is easily searchable */ $selarray[] = $x; - $stmt = $pdo->prepare('INSERT INTO tours_choice (registrations_id,students_id,tour_id,year,rank) VALUES (' - . "'" . $_SESSION['registration_id'] . "', " - . "'" . intval($students_id) . "', " - . "'" . intval($tid) . "', " - . "'" . $config['FAIRYEAR'] . "', " - . "'$rank')"); - $stmt->execute(); + $stmt = $pdo->prepare('INSERT INTO tours_choice + (registrations_id, students_id, tour_id, year, rank) + VALUES (?, ?, ?, ?, ?)'); + + $stmt->execute([ + $_SESSION['registration_id'], + intval($students_id), + intval($tid), + $config['FAIRYEAR'], + $rank + ]); + show_pdo_errors_if_any($pdo); } } @@ -131,8 +145,8 @@ if ($newstatus != 'complete') { } $assigned_tour = array(); -$q = $pdo->prepare("SELECT * FROM tours_choice WHERE registrations_id=? AND year=?"); -$q->execute([$_SESSION['registration_id'],$config['FAIRYEAR']]); +$q = $pdo->prepare('SELECT * FROM tours_choice WHERE registrations_id=? AND year=?'); +$q->execute([$_SESSION['registration_id'], $config['FAIRYEAR']]); while ($r = $q->fetch(PDO::FETCH_OBJ)) { if ($r->rank == 0) $assigned_tour[$r->students_id] = $r->tour_id; @@ -140,7 +154,7 @@ while ($r = $q->fetch(PDO::FETCH_OBJ)) { } $tours = array(); -$q = $pdo->prepare("SELECT * FROM tours WHERE year=? ORDER BY id"); +$q = $pdo->prepare('SELECT * FROM tours WHERE year=? ORDER BY id'); $q->execute([$config['FAIRYEAR']]); if ($q->rowCount() == 0) { echo notice(i18n('There is not tour information')); @@ -163,8 +177,8 @@ $max = $config['tours_choices_max']; echo "
\n"; echo "\n"; -$q = $pdo->prepare("SELECT * FROM students WHERE registrations_id=? AND year=?"); -$q->execute([$_SESSION['registration_id'],$config['FAIRYEAR']]); +$q = $pdo->prepare('SELECT * FROM students WHERE registrations_id=? AND year=?'); +$q->execute([$_SESSION['registration_id'], $config['FAIRYEAR']]); $num_found = $q->rowCount(); $print_submit = false; diff --git a/remote.php b/remote.php index f6b129b3..bfcc1388 100644 --- a/remote.php +++ b/remote.php @@ -274,8 +274,8 @@ function award_upload_assign(&$fair, &$award, &$prize, &$project, $year, &$respo } while ($q->rowCount() > 0); // actually insert it - $stmt = $pdo->prepare('INSERT INTO registrations (num,email,start,status,schools_id,year) VALUES (' - ?,?,NOW(),'open',NULL,?')'); + $stmt = $pdo->prepare('INSERT INTO registrations (num,email,start,status,schools_id,year) VALUES ( + ?,?,NOW(),open,NULL,?)'); $stmt->execute([$regnum,$regnum,$year]); $registrations_id = $pdo->lastInsertId(); /* We'll fill in the email address later */ @@ -295,12 +295,13 @@ function award_upload_assign(&$fair, &$award, &$prize, &$project, $year, &$respo $registration = $q->fetch(PDO::FETCH_ASSOC); /* Update the project in case anythign changed */ - $stmt = $pdo->prepare("UPDATE projects SET title='" . $project['title'] . "', + $stmt = $pdo->prepare("UPDATE projects SET title=?, summary='" . $project['abstract'] . "', - projectcategories_id='" . intval($project['projectcategories_id']) . "', - projectdivisions_id='" . intval($project['projectdivisions_id']) . "' - WHERE id='$pid'"); - $stmt->execute(); + projectcategories_id=?, + projectdivisions_id=? + WHERE id=?"); + $stmt->execute([$project['title'],intval($project['projectcategories_id']), + intval($project['projectdivisions_id']),$pid]); /* Record the winner */ $stmt = $pdo->prepare("INSERT INTO winners(`awards_prizes_id`,`projects_id`,`year`,`fairs_id`) diff --git a/schoolinvite.php b/schoolinvite.php index 5dc07036..9e0013c8 100644 --- a/schoolinvite.php +++ b/schoolinvite.php @@ -8,7 +8,7 @@ if ($_SESSION['schoolid'] && $_SESSION['schoolaccesscode']) { echo '<< ' . i18n('Return to school access main page') . '
'; echo '
'; - $q = $pdo->prepare("SELECT * FROM schools WHERE id=? AND accesscode=? AND year=?"); + $q = $pdo->prepare('SELECT * FROM schools WHERE id=? AND accesscode=? AND year=?'); $q->execute([$_SESSION['schoolid'], $_SESSION['schoolaccesscode'], $config['FAIRYEAR']]); show_pdo_errors_if_any($pdo); $school = $q->fetch(PDO::FETCH_OBJ); @@ -17,7 +17,7 @@ if ($_SESSION['schoolid'] && $_SESSION['schoolaccesscode']) { if ($_POST['action'] == 'invite') { if ($_POST['firstname'] && $_POST['lastname'] && $_POST['email'] && $_POST['grade']) { // make sure they arent already invited! - $q = $pdo->prepare("SELECT firstname, lastname FROM students WHERE year=? AND email=?"); + $q = $pdo->prepare('SELECT firstname, lastname FROM students WHERE year=? AND email=?'); $q->execute([$config['FAIRYEAR'], $_POST['email']]); if ($q->rowCount()) { echo error(i18n('That students email address has already been invited')); @@ -28,31 +28,37 @@ if ($_SESSION['schoolid'] && $_SESSION['schoolaccesscode']) { // random number between // 100000 and 999999 (six digit integer) $regnum = rand(100000, 999999); - $q = $pdo->prepare("SELECT * FROM registrations WHERE num? AND year=?"); + $q = $pdo->prepare('SELECT * FROM registrations WHERE num? AND year=?'); $q->execute([$regnum, $config['FAIRYEAR']]); } while ($q->rowCount() > 0); // actually insert it - $stmt = $pdo->prepare('INSERT INTO registrations (num,email,emailcontact,start,status,year) VALUES (' - . "'$regnum'," - . "'" . $_POST['email'] . "'," - . "'" . $_POST['emailcontact'] . "'," - . 'NOW(),' - . "'open'," - . $config['FAIRYEAR'] - . ')'); - $stmt->execute(); + $stmt = $pdo->prepare('INSERT INTO registrations (num, email, emailcontact, start, status, year) + VALUES (?, ?, ?, NOW(), ?, ?)'); + + $stmt->execute([ + $regnum, + $_POST['email'], + $_POST['emailcontact'], + 'open', + $config['FAIRYEAR'] + ]); + $regid = $pdo->lastInsertId(); - $stmt = $pdo->prepare("INSERT INTO students (registrations_id,email,firstname,lastname,schools_id,grade,year) VALUES ( - '$regid', - '" . $_POST['email'] . "', - '" . $_POST['firstname'] . "', - '" . $_POST['lastname'] . "', - '" . $_SESSION['schoolid'] . "', - '" . $_POST['grade'] . "', - '" . $config['FAIRYEAR'] . "')"); - $stmt->execute(); + $stmt = $pdo->prepare("INSERT INTO students (registrations_id, email, firstname, lastname, schools_id, grade, year) + VALUES (?, ?, ?, ?, ?, ?, ?)"); + + $stmt->execute([ + $regid, + $_POST['email'], + $_POST['firstname'], + $_POST['lastname'], + $_SESSION['schoolid'], + $_POST['grade'], + $config['FAIRYEAR'] + ]); + email_send('new_participant', $_POST['email'], array(), array('REGNUM' => $regnum, 'EMAIL' => $_POST['email'])); if ($_POST['emailcontact']) @@ -65,24 +71,24 @@ if ($_SESSION['schoolid'] && $_SESSION['schoolaccesscode']) { if ($_GET['action'] == 'uninvite') { // first, make sure that this is really their student, and it sfor this year. - $q = $pdo->prepare("SELECT * FROM students WHERE id=? AND year=? AND schools_id=?"); + $q = $pdo->prepare('SELECT * FROM students WHERE id=? AND year=? AND schools_id=?'); $q->execute([$_GET['uninvite'], $config['FAIRYEAR'], $_SESSION['schoolid']]); if ($q->rowCount()) { $r = $q->fetch(PDO::FETCH_OBJ); $registrations_id = $r->registrations_id; if ($registrations_id) // just to be safe! { - $stmt = $pdo->prepare("DELETE FROM students WHERE registrations_id=?"); + $stmt = $pdo->prepare('DELETE FROM students WHERE registrations_id=?'); $stmt->execute([$registrations_id]); - $stmt = $pdo->prepare("DELETE FROM projects WHERE registrations_id=?"); + $stmt = $pdo->prepare('DELETE FROM projects WHERE registrations_id=?'); $stmt->execute([$registrations_id]); - $stmt = $pdo->prepare("DELETE FROM mentors WHERE registrations_id=?"); + $stmt = $pdo->prepare('DELETE FROM mentors WHERE registrations_id=?'); $stmt->execute([$registrations_id]); - $stmt = $pdo->prepare("DELETE FROM safety WHERE registrations_id=?"); + $stmt = $pdo->prepare('DELETE FROM safety WHERE registrations_id=?'); $stmt->execute([$registrations_id]); - $stmt = $pdo->prepare("DELETE FROM emergencycontact WHERE registrations_id=?"); + $stmt = $pdo->prepare('DELETE FROM emergencycontact WHERE registrations_id=?'); $stmt->execute([$registrations_id]); - $stmt = $pdo->prepare("DELETE FROM registrations WHERE id=?"); + $stmt = $pdo->prepare('DELETE FROM registrations WHERE id=?'); $stmt->execute([$registrations_id]); echo happy(i18n('Student successfully uninvited')); @@ -91,8 +97,8 @@ if ($_SESSION['schoolid'] && $_SESSION['schoolaccesscode']) { echo error(i18n('Invalid student to uninvite')); } - $q = $pdo->prepare("SELECT (NOW()>? AND NOW()execute([$config['dates']['regopen'],$config['dates']['regclose']]); + $q = $pdo->prepare('SELECT (NOW()>? AND NOW()execute([$config['dates']['regopen'], $config['dates']['regclose']]); $datecheck = $q->fetch(PDO::FETCH_OBJ); $q = $pdo->prepare("SELECT \t @@ -110,7 +116,7 @@ if ($_SESSION['schoolid'] && $_SESSION['schoolaccesscode']) { ORDER BY lastname, firstname"); - $q->execute([$school->id,$config['FAIRYEAR']]); + $q->execute([$school->id, $config['FAIRYEAR']]); $currentinvited = $q->rowCount(); if ($datecheck != 0) { @@ -135,10 +141,10 @@ if ($_SESSION['schoolid'] && $_SESSION['schoolaccesscode']) { } } else if ($school->projectlimitper == 'agecategory') { echo '
'; - $catq = $pdo->prepare("SELECT * FROM projectcategories WHERE year=? ORDER BY id"); + $catq = $pdo->prepare('SELECT * FROM projectcategories WHERE year=? ORDER BY id'); $catq->execute([$config['FAIRYEAR']]); while ($catr = $catq->fetch(PDO::FETCH_OBJ)) { - $q2 = $pdo->prepare("SELECT COUNT(students.id) AS num + $q2 = $pdo->prepare('SELECT COUNT(students.id) AS num FROM students, registrations @@ -149,8 +155,8 @@ if ($_SESSION['schoolid'] && $_SESSION['schoolaccesscode']) { AND students.year=? AND students.registrations_id=registrations.id GROUP BY registrations.num - "); - $q2->execute([$school->id,$catr->mingrade,$catr->maxgrade,$config['FAIRYEAR']]); + '); + $q2->execute([$school->id, $catr->mingrade, $catr->maxgrade, $config['FAIRYEAR']]); show_pdo_errors_if_any($pdo); $r2 = $q2->fetch(PDO::FETCH_OBJ); $currentinvited = $r2->num;