diff --git a/admin/award_awards.php b/admin/award_awards.php
index 19cca880..8c214013 100644
--- a/admin/award_awards.php
+++ b/admin/award_awards.php
@@ -27,15 +27,16 @@
user_auth_required('committee', 'admin');
require_once('awards.inc.php');
- switch(get_value_from_array($_GET, 'action')) {
+ switch(get_value_from_array($_GET, 'action', 'awardinfo_load')) {
+
case 'awardinfo_load':
- $id = intval($_GET['id']);
+ $id = intval(get_value_from_array($_GET, 'id'));
$q = $pdo->prepare("SELECT * FROM award_awards WHERE id='$id'");
$q->execute();
$ret = $q->fetch(PDO::FETCH_ASSOC);
//json_encode NEEDS UTF8 DATA, but we store it in the database as ISO :(
- foreach($ret AS $k=>$v) {
+ foreach($ret AS $k=>$v) {print('sdfs');
$ret[$k]=iconv("ISO-8859-1","UTF-8",$v);
}
//echo iconv("ISO-8859-1","UTF-8",json_encode($ret));
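Review bot: `print('sdfs');` added on the `foreach` line is a leftover debug statement that writes into the awardinfo_load response ahead of the JSON; drop it and restore `foreach($ret AS $k=>$v) {`. Separately, `$q->fetch()` returns false when no row matches `$id`, so the loop then iterates a non-array and emits a warning into the same response; a guard such as `if ($ret === false) { $ret = []; }` before the loop keeps the output well-formed. The switch body continues past the end of the hunk.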
@@ -83,7 +84,7 @@
$q->execute();
print_r($_POST);
echo $q;
- echo $pdo->errorInfo();
+ show_pdo_errors_if_any($pdo);
happy_("Award information saved");
exit;
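Review bot: `show_pdo_errors_if_any($pdo)` is called after `$q->execute()` without looking at execute()'s return value, and the helper's definition is not on the page; if it wraps `$pdo->errorInfo()`, that reflects the last operation on the database handle (the prepare), whereas a failed execute() is reported on the statement handle via `$q->errorInfo()`, so statement-level errors would go unreported. Consider `if (!$q->execute()) { show_pdo_errors_if_any($q); }` if the helper accepts a PDOStatement, or report `$q->errorInfo()` directly. The same call pattern appears in the four following hunks of this file. The context lines above still `print_r($_POST)` and `echo $q` into the response, and a PDOStatement cannot be converted to string; the enclosing case starts outside the hunk.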
@@ -139,7 +140,7 @@
$q = $pdo->prepare("INSERT INTO award_awards_projectdivisions (award_awards_id,projectdivisions_id,year)
VALUES ('$id','$d','{$config['FAIRYEAR']}')");
$q->execute();
- echo $pdo->errorInfo();
+ show_pdo_errors_if_any($pdo);
}
happy_("Eligibility information saved");
exit;
@@ -319,7 +320,7 @@
$q = $pdo->prepare("DELETE FROM fairs_awards_link WHERE award_awards_id='$id'");
$q->execute();
- echo $pdo->errorInfo();
+ show_pdo_errors_if_any($pdo);
foreach($data as $fairs_id=>$f) {
$dl = ($f['dl'] == true) ? 'yes' : 'no';
$ul = ($f['ul'] == true) ? 'yes' : 'no';
@@ -327,7 +328,7 @@
$q = $pdo->prepare("INSERT INTO fairs_awards_link (award_awards_id,fairs_id,download_award,upload_winners)
VALUES ('$id','$fairs_id','$dl','$ul')");
$q->execute();
- echo $pdo->errorInfo();
+ show_pdo_errors_if_any($pdo);
}
$ident=stripslashes($_POST['identifier']);
$per_fair = $_POST['per_fair'] == 'yes' ? 'yes' : 'no';
@@ -729,7 +730,7 @@ $(document).ready(function() {
$cq = $pdo->prepare("SELECT * FROM projectcategories WHERE year='{$config['FAIRYEAR']}' ORDER BY mingrade");
$cq->execute();
- echo $pdo->errorInfo();
+ show_pdo_errors_if_any($pdo);
while($cr=$cq->fetch(PDO::FETCH_OBJ)) {
echo "id}\" name=\"categories[]\" value=\"$cr->id\" />".i18n($cr->category)."
";
}
diff --git a/common.inc.php b/common.inc.php
index 99e896e9..69007361 100644
--- a/common.inc.php
+++ b/common.inc.php
@@ -232,7 +232,7 @@ else
}
//now if no language has been set yet, lets set it to the default language
-if(!$_SESSION['lang'])
+if(!get_value_from_array($_SESSION, 'lang'))
{
//first try the default language, if that doesnt work, use "en"
if($config['default_language'])
diff --git a/config/pagetexts.php b/config/pagetexts.php
index bf1c4766..357bed0f 100644
--- a/config/pagetexts.php
+++ b/config/pagetexts.php
@@ -43,29 +43,29 @@
{
foreach($config['languages'] AS $lang=>$langname) {
$q = $pdo->prepare("INSERT INTO pagetext (`textname`,`textdescription`,`text`,`year`,`lang`) VALUES (
- '".$r->textname."',
- '".$r->textdescription."',
- '".$r->text."',
- '".$config['FAIRYEAR']."',
- '".$lang."')");
- echo $r->textname;
+ ".$pdo->quote($r->textname).",
+ ".$pdo->quote($r->textdescription).",
+ ".$pdo->quote($r->text).",
+ ".$pdo->quote($config['FAIRYEAR']).",
+ ".$pdo->quote($lang).")");
+
$q->execute();
}
}
- if($_POST['action']=="save")
+ if(get_value_from_array($_POST, 'action')=="save")
{
foreach($config['languages'] AS $lang=>$langname) {
$textvar="text_$lang";
- $text=stripslashes($_POST[$textvar]);
+ $text=$pdo->quote(stripslashes($_POST[$textvar]));
$stmt = $pdo->prepare("UPDATE pagetext
SET
lastupdate=NOW(),
text='$text'
WHERE
- textname='".$_POST['textname']."'
+ textname='".$pdo->quote($_POST['textname'])."'
AND year='".$config['FAIRYEAR']."'
AND lang='$lang'");
$stmt->execute();
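Review bot: `$pdo->quote()` already wraps its result in single quotes, so `text='$text'` in the UPDATE (with `$text` now assigned from `$pdo->quote(...)`) and `textname='".$pdo->quote($_POST['textname'])."'` produce doubly quoted literals (`''value''`), which is no longer the text the user submitted and no longer matches the stored textname; the INSERT at the top of the hunk uses quote() correctly, but the INSERT in the last hunk of this file (`VALUES ('".$pdo->quote($_GET['textname'])."',...`) has the same double quoting. Since these statements already go through `prepare()`, binding placeholders removes the quoting question entirely; the rewritten UPDATE is below. The enclosing if block continues past the hunk.
```php
$textvar="text_$lang";
$text=stripslashes($_POST[$textvar]);
$stmt = $pdo->prepare("UPDATE pagetext
    SET
    lastupdate=NOW(),
    text=:text
    WHERE
    textname=:textname
    AND year=:year
    AND lang=:lang");
$stmt->execute([
    ':text' => $text,
    ':textname' => get_value_from_array($_POST, 'textname'),
    ':year' => $config['FAIRYEAR'],
    ':lang' => $lang,
]);
// … unchanged: rest of the save branch …
```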
@@ -74,7 +74,7 @@
}
- if($_GET['textname'])
+ if(get_value_from_array($_GET, 'textname'))
{
$q=$pdo->prepare("SELECT * FROM pagetext WHERE textname='".$_GET['textname']."' AND year='".$config['FAIRYEAR']."'");
$q->execute();
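Review bot: The SELECT on the line after the new `if` still interpolates `$_GET['textname']` into the query text unescaped, while the INSERT later in this file quotes the same value; the request parameter reaches the SQL string as-is here. Use a placeholder instead: `$q=$pdo->prepare("SELECT * FROM pagetext WHERE textname=? AND year=?");` followed by `$q->execute([$_GET['textname'], $config['FAIRYEAR']]);`. The if block continues outside the hunk.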
@@ -93,7 +93,7 @@
if(!$r)
{
- $stmt = $pdo->prepare("INSERT INTO pagetext (textname,year,lang) VALUES ('".$_GET['textname']."','".$config['FAIRYEAR']."','$lang')");
+ $stmt = $pdo->prepare("INSERT INTO pagetext (textname,year,lang) VALUES ('".$pdo->quote($_GET['textname'])."','".$config['FAIRYEAR']."','$lang')");
$stmt->execute();
echo $pdo->errorInfo();
}
diff --git a/tableeditor.class.php b/tableeditor.class.php
index b64f3e18..78ef009f 100644
--- a/tableeditor.class.php
+++ b/tableeditor.class.php
@@ -497,10 +497,10 @@ class TableEditor
{
if($insert_mode) $field = '';
else $field = "`$f`=";
-
+
$query .= $field.$n.",";
}
- //rip off the last comma
+ //rip off the last commaguix-system-vm-image-1.4.0.x86_64-linux.qcow2
$query=substr($query,0,-1);
if($insert_mode) {
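Review bot: The comment on the new side reads `//rip off the last commaguix-system-vm-image-1.4.0.x86_64-linux.qcow2`; a filename appears to have been pasted into it by accident and should be reverted to `//rip off the last comma`. The whitespace-only change two lines above also looks unintended. The enclosing method starts and ends outside the hunk.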
@@ -595,8 +595,8 @@ class TableEditor
else if($inputtype == 'time') //r->Type=="time")
{
if($_POST[$f."_hour"]!="" && $_POST[$f."_minute"]!="") {
- $editdata[$f] = "'".stripslashes($_POST[$f."_hour"]).":".
- stripslashes($_POST[$f."_minute"]).":00'";
+ $editdata[$f] = "'".$pdo->quote(stripslashes($_POST[$f."_hour"])).":".
+ $pdo->quote(stripslashes($_POST[$f."_minute"])).":00'";
} else {
$editdata[$f] = 'NULL';
}
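Review bot: `$pdo->quote()` returns the value already enclosed in single quotes, so the new time assignment yields `''12':'30':00'` rather than `'12:30:00'`; build the string first and quote once: `$editdata[$f] = $pdo->quote(stripslashes($_POST[$f."_hour"]).":".stripslashes($_POST[$f."_minute"]).":00");`. The same `"'".$pdo->quote(...)."'"` pattern recurs in the four following hunks of this file, where each assignment reduces to `$editdata[$f] = $pdo->quote(stripslashes(...));`, and the http:// branch needs `$pdo->quote("http://".stripslashes($_POST[$f]))` so the prefix ends up inside the literal. Nothing in these hunks shows `$pdo` being brought into the method's scope (`global $pdo` or a property), so that should be confirmed as well. The enclosing method starts and ends outside the hunk.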
@@ -617,13 +617,13 @@ class TableEditor
{
//chose the text field first, if its been filled in, otherwise, go with the select box
if($_POST[$f."_text"])
- $editdata[$f] = "'".stripslashes($_POST[$f."_text"])."'";
+ $editdata[$f] = "'".$pdo->quote(stripslashes($_POST[$f."_text"]))."'";
else if($_POST[$f."_select"])
- $editdata[$f] = "'".stripslashes($_POST[$f."_select"])."'";
+ $editdata[$f] = "'".$pdo->quote(stripslashes($_POST[$f."_select"]))."'";
else
{
//maybe the options were over-wridden, if so, just check the field name
- $editdata[$f] = "'".stripslashes($_POST[$f])."'";
+ $editdata[$f] = "'".$pdo->quote(stripslashes($_POST[$f]))."'";
}
}
@@ -633,9 +633,9 @@ class TableEditor
//but allow them to enter http:// or https:// themselves.
//if no protocol is given, assume http://
if(substr(strtolower($_POST[$f]),0,4)=="http")
- $editdata[$f] = "'".stripslashes($_POST[$f])."'";
+ $editdata[$f] = "'".$pdo->quote(stripslashes($_POST[$f]))."'";
else
- $editdata[$f] = "'http://".stripslashes($_POST[$f])."'";
+ $editdata[$f] = "'http://".$pdo->quote(stripslashes($_POST[$f]))."'";
}
else if(substr($f,0,8)=="filename" && $this->uploadPath)
@@ -646,7 +646,7 @@ class TableEditor
if(file_exists($this->uploadPath."/".$_FILES[$f]['name']))
echo error(i18n("A file with that filename already exists, it will be overwritten"));
move_uploaded_file($_FILES[$f]['tmp_name'],$this->uploadPath."/".$_FILES[$f]['name']);
- $editdata[$f] = "'".stripslashes($_FILES[$f]['name'])."'";
+ $editdata[$f] = "'".$pdo->quote(stripslashes($_FILES[$f]['name']))."'";
}
else
{
@@ -662,9 +662,9 @@ class TableEditor
else
{
if($this->fieldValidation[$f])
- $editdata[$f] = "'".stripslashes(ereg_replace($this->fieldValidation[$f],"",$_POST[$f]))."'";
+ $editdata[$f] = "'".$pdo->quote(stripslashes(ereg_replace($this->fieldValidation[$f],"",$_POST[$f])))."'";
else
- $editdata[$f] = "'".stripslashes($_POST[$f])."'";
+ $editdata[$f] = "'".$pdo->quote(stripslashes($_POST[$f]))."'";
}
}
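Review bot: The new line still routes `$_POST[$f]` through `ereg_replace($this->fieldValidation[$f], "", ...)`; the ereg family was deprecated in PHP 5.3 and removed in 7.0, so if the project runs on PHP 7 or later this branch fails at call time before any quoting happens. If `fieldValidation` holds patterns usable by PCRE, `preg_replace('/'.$this->fieldValidation[$f].'/', '', $_POST[$f])` is the replacement, assuming the stored patterns contain no unescaped `/`. The enclosing method starts and ends outside the hunk.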
@@ -1016,7 +1016,7 @@ class TableEditor
foreach($sel as $s) $query .= ", $s";
$query .= " FROM ";
foreach($from as $f) $query .= "$f ";
- print("sfs $f");
+
$query .= " WHERE 1 ";
if(is_array($where)) {