diff --git a/admin/award_awardcreatedivisional.php b/admin/award_awardcreatedivisional.php
index 449619a2..4e5faf60 100644
--- a/admin/award_awardcreatedivisional.php
+++ b/admin/award_awardcreatedivisional.php
@@ -44,19 +44,19 @@ else if (get_value_from_array($_POST, 'award_types_id'))
// first, we can only do this if we dont have any type=divisional awards created yet
-$q = $pdo->prepare("SELECT COUNT(id) AS num FROM award_awards WHERE award_types_id='1' AND year='{$config['FAIRYEAR']}'");
-$q->execute();
+$q = $pdo->prepare("SELECT COUNT(id) AS num FROM award_awards WHERE award_types_id='1' AND year=?");
+$q->execute([$config['FAIRYEAR']]);
$r = $q->fetch(PDO::FETCH_OBJ);
if ($r->num) {
echo error(i18n('%1 Divisional awards already exist. There must not be any divisional awards in order to run this wizard', array($r->num)));
} else {
- $q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY id");
- $q->execute();
+ $q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year=? ORDER BY id");
+ $q->execute([$config['FAIRYEAR']]);
while ($r = $q->fetch(PDO::FETCH_OBJ))
$div[$r->id] = $r->division;
- $q = $pdo->prepare("SELECT * FROM projectcategories WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY id");
- $q->execute();
+ $q = $pdo->prepare("SELECT * FROM projectcategories WHERE year=? ORDER BY id");
+ $q->execute([$config['FAIRYEAR']]);
while ($r = $q->fetch(PDO::FETCH_OBJ))
$cat[$r->id] = $r->category;
@@ -64,8 +64,8 @@ if ($r->num) {
$ckeys = array_keys($cat);
if ($config['filterdivisionbycategory'] == 'yes') {
- $q = $pdo->prepare("SELECT * FROM projectcategoriesdivisions_link WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY projectdivisions_id,projectcategories_id");
- $q->execute();
+ $q = $pdo->prepare("SELECT * FROM projectcategoriesdivisions_link WHERE year=? ORDER BY projectdivisions_id,projectcategories_id");
+ $q->execute([$config['FAIRYEAR']]);
$divcat = array();
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
$divcat[] = array('c' => $r->projectcategories_id, 'd' => $r->projectdivisions_id);
@@ -109,44 +109,42 @@ if ($r->num) {
echo i18n('Creating %1 - %2', array($c_category, $d_division)) . ' ';
- $q = $pdo->prepare("INSERT INTO award_awards (sponsors_id,award_types_id,name,criteria,`order`,year) VALUES (
- '{$_GET['sponsors_id']}',
- '1',
- '$c_category - $d_division',
- '" . i18n('Best %1 projects in the %2 division', array($c_category, $d_division)) . "',
- '$ord',
- '{$config['FAIRYEAR']}'
- )");
- $q->execute();
+ $q = $pdo->prepare("INSERT INTO award_awards (sponsors_id, award_types_id, name, criteria, `order`, year)
+ VALUES (?, '1', ?, ?, ?, ?)");
+ $q->execute([$_GET['sponsors_id'], i18n('Best %1 projects in the %2 division', [$c_category, $d_division]),
+ $c_category, $ord, $config['FAIRYEAR']]);
+
show_pdo_errors_if_any($pdo);
$award_awards_id = $pdo->lastInsertId();
- $q = $pdo->prepare("INSERT INTO award_awards_projectcategories (award_awards_id,projectcategories_id,year) VALUES ('$award_awards_id','$c_id','{$config['FAIRYEAR']}')");
- $q->execute();
+ $q = $pdo->prepare("INSERT INTO award_awards_projectcategories (award_awards_id,projectcategories_id,year) VALUES (?,?,?");
+ $q->execute([$award_awards_id,$c_id,$config['FAIRYEAR']]);
- $q = $pdo->prepare("INSERT INTO award_awards_projectdivisions (award_awards_id,projectdivisions_id,year) VALUES ('$award_awards_id','$d_id','{$config['FAIRYEAR']}')");
- $q->execute();
+ $q = $pdo->prepare("INSERT INTO award_awards_projectdivisions (award_awards_id,projectdivisions_id,year) VALUES (?,?,?)");
+ $q->execute([$award_awards_id,$d_id,$config['FAIRYEAR']]);
$ord++;
echo ' ' . i18n('Prizes: ');
foreach ($prizes AS $prize) {
- $q = $pdo->prepare("INSERT INTO award_prizes (award_awards_id,cash,scholarship,value,prize,number,`order`,excludefromac,trophystudentkeeper,trophystudentreturn,trophyschoolkeeper,trophyschoolreturn,year) VALUES (
- '$award_awards_id',
- '{$prize['cash']}',
- '{$prize['scholarship']}',
- '{$prize['value']}',
- '{$prize['prize']}',
- '{$prize['number']}',
- '{$prize['order']}',
- '{$prize['excludefromac']}',
- '{$prize['trophystudentkeeper']}',
- '{$prize['trophystudentreturn']}',
- '{$prize['trophyschoolkeeper']}',
- '{$prize['trophyschoolreturn']}',
- '{$config['FAIRYEAR']}'
- )");
+ $q = $pdo->prepare("INSERT INTO award_prizes (award_awards_id, cash, scholarship, value, prize, number, `order`, excludefromac, trophystudentkeeper, trophystudentreturn, trophyschoolkeeper, trophyschoolreturn, year)
+ VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)");
+
+ $q->execute([
+ $award_awards_id,
+ $prize['cash'],
+ $prize['scholarship'],
+ $prize['value'],
+ $prize['prize'],
+ $prize['number'],
+ $prize['order'],
+ $prize['excludefromac'],
+ $prize['trophystudentkeeper'],
+ $prize['trophystudentreturn'],
+ $prize['trophyschoolkeeper'],
+ $prize['trophyschoolreturn'],
+ $config['FAIRYEAR']
+ ]);
- $q->execute();
echo $prize['prize'] . ',';
}
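Review bot: The bound values for the award INSERT no longer line up with its column list: the placeholders stand for sponsors_id, name, criteria, order, year, but the execute array passes the i18n criteria sentence second and `$c_category` third, so `name` receives the criteria text and `criteria` receives only the category, whereas the removed code stored `'$c_category - $d_division'` as the name. The call should be `$q->execute([$_GET['sponsors_id'], "$c_category - $d_division", i18n('Best %1 projects in the %2 division', [$c_category, $d_division]), $ord, $config['FAIRYEAR']]);`. The award_awards_projectcategories INSERT a few lines below is also missing its closing parenthesis, `VALUES (?,?,?)")`, so that statement fails on every iteration and the category link is never written. Binding `$_GET['sponsors_id']` as a parameter removes the quoting problem, but an `intval()` on it would match how the other ids in these files are treated. The enclosing loop over categories and divisions starts before this hunk.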
diff --git a/admin/award_awards.php b/admin/award_awards.php
index 08028650..2ec8f925 100644
--- a/admin/award_awards.php
+++ b/admin/award_awards.php
@@ -33,8 +33,8 @@ $_GET['action'] = $_GET['action'] ?? '';
switch ($_GET['action']) {
case 'awardinfo_load':
$id = intval(get_value_from_array($_GET, 'id'));
- $q = $pdo->prepare("SELECT * FROM award_awards WHERE id='$id'");
- $q->execute();
+ $q = $pdo->prepare("SELECT * FROM award_awards WHERE id=?");
+ $q->execute([$id]);
$ret = $q->fetch(PDO::FETCH_ASSOC);
// json_encode NEEDS UTF8 DATA, but we store it in the database as ISO :(
@@ -57,8 +57,8 @@ switch ($_GET['action']) {
if ($id == -1) {
$q = $pdo->prepare("INSERT INTO award_awards (year,self_nominate,schedule_judges)
- VALUES ('{$config['FAIRYEAR']}','yes','yes')");
- $q->execute();
+ VALUES (?,'yes','yes')");
+ $q->execute([$config['FAIRYEAR']]);
$id = $pdo->lastInsertId();
happy_('Award Created');
/* Set the award_id in the client */
@@ -83,9 +83,9 @@ switch ($_GET['action']) {
criteria='" . iconv('UTF-8', 'ISO-8859-1', stripslashes($_POST['criteria'])) . "',
sponsors_id='" . intval($_POST['sponsors_id']) . "' ";
}
- $q .= "WHERE id='$id'";
+ $q .= "WHERE id=?";
$q = $pdo->prepare($q);
- $q->execute();
+ $q->execute([$id]);
print_r($_POST);
echo $q;
show_pdo_errors_if_any($pdo);
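Review bot: The UPDATE is still only partly parameterised: `$q->execute([$id])` binds the WHERE clause, but the SET clause above it is concatenated with `stripslashes($_POST['criteria'])` and `intval($_POST['sponsors_id'])`, so the criteria text from the request goes into the SQL string as-is. Those assignments should become `criteria=?, sponsors_id=?` with the values placed ahead of `$id` in the execute array, e.g. `$q->execute([$criteria, intval($_POST['sponsors_id']), $id]);`; the SET string is assembled in a branch that starts outside this hunk, so the bound list has to be built alongside it rather than fixed here. The `print_r($_POST); echo $q;` lines after execute look like leftover debugging: they dump the submitted form into the response, and `$q` is a PDOStatement at that point, which presumably cannot be converted to a string and would abort the request.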
@@ -97,15 +97,15 @@ switch ($_GET['action']) {
// select the current categories that this award is linked to
$ret = array('categories' => array(), 'divisions' => array());
- $q = $pdo->prepare("SELECT * FROM award_awards_projectcategories WHERE award_awards_id='$id'");
- $q->execute();
+ $q = $pdo->prepare("SELECT * FROM award_awards_projectcategories WHERE award_awards_id=?");
+ $q->execute([$id]);
while ($r = $q->fetch(PDO::FETCH_ASSOC)) {
$ret['categories'][] = $r['projectcategories_id'];
}
// select the current categories that this award is linked to
- $q = $pdo->$prepare("SELECT * FROM award_awards_projectdivisions WHERE award_awards_id='$id'");
- $q->execute();
+ $q = $pdo->$prepare("SELECT * FROM award_awards_projectdivisions WHERE award_awards_id=?");
+ $q->execute([$id]);
while ($r = $q->fetch(PDO::FETCH_ASSOC)) {
$ret['divisions'][] = $r['projectdivisions_id'];
}
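Review bot: The second query keeps the variable-method call `$pdo->$prepare(...)`: no `$prepare` variable is defined anywhere visible, so this attempts to call a method with an empty name and the lookup of linked divisions cannot work; it should read `$q = $pdo->prepare("SELECT * FROM award_awards_projectdivisions WHERE award_awards_id=?");`. The comment above it is a copy of the categories one; `// select the current divisions that this award is linked to` describes what the loop fills. The switch case these lines belong to starts outside the hunk.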
@@ -122,8 +122,8 @@ switch ($_GET['action']) {
}
// wipe out any old award-category links
- $q = $pdo->prepare("DELETE FROM award_awards_projectcategories WHERE award_awards_id='$id'");
- $q->execute();
+ $q = $pdo->prepare("DELETE FROM award_awards_projectcategories WHERE award_awards_id=?");
+ $q->execute([$id]);
foreach ($_POST['categories'] AS $key => $cat) {
$c = intval($cat);
$q = $pdo->prepare('INSERT INTO award_awards_projectcategories (award_awards_id, projectcategories_id, year)
@@ -138,8 +138,8 @@ switch ($_GET['action']) {
// wipe out any old award-divisions links
- $q = $pdo->prepare("DELETE FROM award_awards_projectdivisions WHERE award_awards_id='$id'");
- $q->execute();
+ $q = $pdo->prepare("DELETE FROM award_awards_projectdivisions WHERE award_awards_id=?");
+ $q->execute([$id]);
// now add the new ones
foreach ($_POST['divisions'] AS $key => $div) {
@@ -165,8 +165,8 @@ switch ($_GET['action']) {
continue;
$order++;
- $q = $pdo->prepare("UPDATE `award_prizes` SET `order`='$order' WHERE `id`='$id'");
- $q->execute();
+ $q = $pdo->prepare("UPDATE `award_prizes` SET `order`=? WHERE `id`=?");
+ $q->execute([$order, $id]);
}
// print_r($_GET);
happy_('Order Updated.');
@@ -179,8 +179,8 @@ switch ($_GET['action']) {
continue;
$order++;
- $q = $pdo->prepare("UPDATE `award_awards` SET `order`='$order' WHERE `id`='$id'");
- $q->execute();
+ $q = $pdo->prepare("UPDATE `award_awards` SET `order`=? WHERE `id`=?");
+ $q->execute([$order, $id]);
}
happy_('Order updated');
exit;
@@ -191,8 +191,8 @@ switch ($_GET['action']) {
$q = $pdo->prepare("SELECT * FROM award_prizes WHERE year='-1' AND award_awards_id='0' ORDER BY `order`");
$q->execute();
} else {
- $q = $pdo->prepare("SELECT * FROM award_prizes WHERE award_awards_id='$id' ORDER BY `order`");
- $q->execute();
+ $q = $pdo->prepare("SELECT * FROM award_prizes WHERE award_awards_id=? ORDER BY `order`");
+ $q->execute([$id]);
}
while ($r = $q->fetch(PDO::FETCH_ASSOC)) {
foreach ($r AS $k => $v) {
@@ -205,8 +205,8 @@ switch ($_GET['action']) {
case 'prize_load':
$id = intval($_GET['id']);
- $q = $pdo->prepare("SELECT * FROM award_prizes WHERE id='$id'");
- $q->execute();
+ $q = $pdo->prepare("SELECT * FROM award_prizes WHERE id=?");
+ $q->execute([$id]);
$ret = $q->fetch(PDO::FETCH_ASSOC);
foreach ($ret AS $k => $v) {
$ret[$k] = iconv('ISO-8859-1', 'UTF-8', $v);
@@ -276,8 +276,8 @@ switch ($_GET['action']) {
$id = intval($_GET['id']);
/* Prepare two lists of fair IDs, for which fairs can upload and download this award */
- $q = $pdo->prepare("SELECT * FROM fairs_awards_link WHERE award_awards_id='$id'");
- $q->execute();
+ $q = $pdo->prepare("SELECT * FROM fairs_awards_link WHERE award_awards_id=?");
+ $q->execute([$id]);
$ul = array();
$dl = array();
while ($r = $q->fetch(PDO::FETCH_ASSOC)) {
@@ -287,8 +287,8 @@ switch ($_GET['action']) {
$dl[$r['fairs_id']] = true;
}
- $q = $pdo->prepare("SELECT * FROM award_awards WHERE id='$id'");
- $q->execute();
+ $q = $pdo->prepare("SELECT * FROM award_awards WHERE id=?");
+ $q->execute([$id]);
$a = $q->fetch(PDO::FETCH_ASSOC);
?>
= i18n('Feeder Fairs') ?>
@@ -354,16 +354,16 @@ switch ($_GET['action']) {
/* Now save each one */
- $q = $pdo->prepare("DELETE FROM fairs_awards_link WHERE award_awards_id='$id'");
- $q->execute();
+ $q = $pdo->prepare("DELETE FROM fairs_awards_link WHERE award_awards_id=?");
+ $q->execute([$id]);
show_pdo_errors_if_any($pdo);
foreach ($data as $fairs_id => $f) {
$dl = ($f['dl'] == true) ? 'yes' : 'no';
$ul = ($f['ul'] == true) ? 'yes' : 'no';
$q = $pdo->prepare("INSERT INTO fairs_awards_link (award_awards_id,fairs_id,download_award,upload_winners)
- VALUES ('$id','$fairs_id','$dl','$ul')");
- $q->execute();
+ VALUES (?,?,?,?)");
+ $q->execute([$id,$fairs_id,$dl,$ul]);
show_pdo_errors_if_any($pdo);
}
$ident = stripslashes($_POST['identifier']);
@@ -371,12 +371,12 @@ switch ($_GET['action']) {
$mat = intval($_POST['additional_materials']);
$w = intval($_POST['register_winners']);
- $q = $pdo->prepare("UPDATE award_awards SET external_identifier='$ident',
- external_additional_materials='$mat',
- external_register_winners='$w',
- per_fair='$per_fair'
- WHERE id='$id'");
- $q->execute();
+ $q = $pdo->prepare("UPDATE award_awards SET external_identifier=?,
+ external_additional_materials=?,
+ external_register_winners=?,
+ per_fair=?
+ WHERE id=?");
+ $q->execute([[$ident, $mat,$w],$per_fair,$id]);
happy_('Feeder Fair information saved');
exit;
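Review bot: The execute array for the UPDATE is nested: `[[$ident, $mat,$w],$per_fair,$id]` has three elements for five placeholders, with an array as the first, so PDO cannot bind it and the feeder-fair settings are never saved. It should be a flat list in placeholder order, `$q->execute([$ident, $mat, $w, $per_fair, $id]);`. `$per_fair` is assigned before this hunk and is not visible here, so its value cannot be checked from the diff.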
@@ -729,8 +729,8 @@ while ($sr = $sq->fetch(PDO::FETCH_OBJ)) {
= i18n('Type') ?>:
-$tq = $pdo->prepare("SELECT id,type FROM award_types WHERE year='{$config['FAIRYEAR']}' ORDER BY type");
-$tq->execute();
+$tq = $pdo->prepare("SELECT id,type FROM award_types WHERE year=? ORDER BY type");
+$tq->execute([$config['FAIRYEAR']]);
echo '