use prepare statements for these 2 files under the admin folder (award files) where possible

2025-02-07 20:14:01 +00:00 · 2025-02-07 20:14:01 +00:00 · ae40c90d07
commit ae40c90d07
parent 843aa38ce6
2 changed files with 18 additions and 18 deletions
--- a/admin/award_awards.php
+++ b/admin/award_awards.php
@ -133,7 +133,7 @@ switch ($_GET['action']) {
 			$q->bindParam(':c', $c, PDO::PARAM_INT);
 			$q->bindParam(':year', $config['FAIRYEAR'], PDO::PARAM_INT);

-			$q->execute([]);
+			$q->execute();
 		}

 		// wipe out any old award-divisions links
@ -376,7 +376,7 @@ switch ($_GET['action']) {
 							external_register_winners=?,
 							per_fair=?
 						WHERE id=?");
-		$q->execute([$ident, $mat,$w],$per_fair,$id);
+		$q->execute([[$ident, $mat,$w],$per_fair,$id]);

 		happy_('Feeder Fair information saved');
 		exit;
@ -1111,13 +1111,13 @@ LEFT JOIN sponsors ON sponsors.id = award_awards.sponsors_id
 LEFT JOIN award_types ON award_types.id = award_awards.award_types_id
 WHERE 
 				award_awards.year=?
-				?
-				?
+				$where_asi
+				$where_ati
 			AND \taward_types.year=?
-		?
+		$orderby
 ");

-$q->execute([$config['FAIRYEAR'],$where_asi,$where_ati,$config['FAIRYEAR'],$orderby]);
+$q->execute([$config['FAIRYEAR'],$config['FAIRYEAR']]);

 show_pdo_errors_if_any($pdo);

--- a/admin/award_download.php
+++ b/admin/award_download.php
@ -150,7 +150,7 @@ switch (get_value_from_array($_GET, 'action')) {
 				$sponsor_id = $sponsorr->id;
 			} else {
 				$q = $pdo->prepare("INSERT INTO sponsors (organization,year,notes) 
-				VALUES (?,?,'" . "Imported from external source: ?" . "')");
+				VALUES (?,?, Imported from external source: ?)");
 				$q->execute([$sponsor_str,$year,$r->name]);
 				show_pdo_errors_if_any($pdo);
 				$sponsor_id = $pdo->lastInsertId();
@ -231,17 +231,17 @@ switch (get_value_from_array($_GET, 'action')) {
 					$prize['identifier'] = $prize['prize_en'];

 					$q = $pdo->prepare("UPDATE award_prizes SET 
-						cash = ?, 
-						scholarship = ?, 
-						value = ?, 
-						prize = ?, 
-						number = ?, 
-						`order` = ?, 
-						external_identifier = ?, 
-						trophystudentkeeper = ?, 
-						trophystudentreturn = ?, 
-						trophyschoolkeeper = ?, 
-						trophyschoolreturn = ? 
+						cash =?, 
+						scholarship =?, 
+						value =?, 
+						prize =?, 
+						number =?, 
+						`order` =?, 
+						external_identifier =?, 
+						trophystudentkeeper =?, 
+						trophystudentreturn =?, 
+						trophyschoolkeeper =?, 
+						trophyschoolreturn =? 
 						WHERE id = ?");
 				
 					$q->execute([