use prepare statements for register files (3 files) where possible

2025-02-07 20:15:53 +00:00 · 2025-02-07 20:15:53 +00:00 · c47beecc39
commit c47beecc39
parent ae40c90d07
3 changed files with 29 additions and 29 deletions
--- a/register_participants_isefforms.php
+++ b/register_participants_isefforms.php
@ -38,13 +38,13 @@
 	exit;
 }

- $q=$pdo->prepare("SELECT registrations.id AS regid, students.id AS studentid, students.firstname FROM registrations,students ".
- 	"WHERE students.email=?"
-	"AND registrations.num=?" 
-	"AND registrations.id=?"
-	"AND students.registrations_id=registrations.id ".
-	"AND registrations.year=?"
-	"AND students.year=?");
+ $q=$pdo->prepare("SELECT registrations.id AS regid, students.id AS studentid, students.firstname FROM registrations,students 
+ 	WHERE students.email=?
+	AND registrations.num=?
+	AND registrations.id=?
+	AND students.registrations_id=registrations.id 
+	AND registrations.year=?
+	AND students.year=?");
 $q->execute([$_SESSION['email'],$_SESSION['registration_number'],$_SESSION['registration_id'],$config['FAIRYEAR'],$config['FAIRYEAR']]);
 show_pdo_errors_if_any($pdo);

--- a/register_participants_mentor.php
+++ b/register_participants_mentor.php
@ -115,7 +115,7 @@ if (get_value_from_array($_GET, 'action') == 'removementor') {
 		echo error(i18n('Cannot make changes to forms once they have been received by the fair'));
 	} else {
 		// first make sure this is one belonging to this registration id
-		$q = $pdo->prepare("SELECT id FROM mentors WHERE id=?' AND registrations_id=?");
+		$q = $pdo->prepare("SELECT id FROM mentors WHERE id=? AND registrations_id=?");
 		$q->execute([$_GET['removementor'], $_SESSION['registration_id']]);
 		if ($q->rowCount() == 1) {
 			$stmt = $pdo->prepare("DELETE FROM mentors WHERE id=? AND registrations_id=?");
--- a/register_participants_students.php
+++ b/register_participants_students.php
@ -147,27 +147,27 @@ if (get_value_from_array($_POST, 'action') == 'save') {

 				// UPDATE existing record
 				$dob = $_POST['year'][$x] . '-' . $_POST['month'][$x] . '-' . $_POST['day'][$x];
-				$stmt = $pdo->prepare('UPDATE students SET '
-					. 'firstname = ?, '
-					. 'lastname = ?, '
-					. 'pronunciation = ?, '
-					. 'sex = ?, '
-					. 'email = ?, '
-					. 'address = ?, '
-					. 'city = ?, '
-					. 'county = ?, '
-					. 'province = ?, '
-					. 'postalcode = ?, '
-					. 'phone = ?, '
-					. 'dateofbirth = ?, '
-					. 'grade = ?, '
-					. $schoolquery
-					. 'medicalalert = ?, '
-					. 'foodreq = ?, '
-					. 'teachername = ?, '
-					. 'teacheremail = ?, '
-					. 'tshirt = ? '
-					. 'WHERE id = ?');
+				$stmt = $pdo->prepare('UPDATE students SET 
+					firstname =?, 
+					lastname =?, 
+					pronunciation =?,
+					sex =?, 
+					email =?, 
+					address =?, 
+					city =?,
+					county =?, 
+					province=?, 
+					postalcode =?, 
+					phone =?, 
+					dateofbirth =?,
+					grade =?, 
+					$schoolquery
+					medicalalert =?, 
+					foodreq =?, 
+					teachername =?,
+					teacheremail =?, 
+					tshirt =? 
+					WHERE id =?');

 				$stmt->execute([
 					stripslashes($_POST['firstname'][$x]),