From c47beecc39e99e52ccf84a70bd5d1458b9c1256e Mon Sep 17 00:00:00 2001
From: Muad Sakah <muadsakah@yahoo.com>
Date: Fri, 7 Feb 2025 20:15:53 +0000
Subject: [PATCH] use prepared statements for register files (3 files) where
 possible

---
 register_participants_isefforms.php | 14 +++++-----
 register_participants_mentor.php    |  2 +-
 register_participants_students.php  | 42 ++++++++++++++---------------
 3 files changed, 29 insertions(+), 29 deletions(-)

diff --git a/register_participants_isefforms.php b/register_participants_isefforms.php
index 5d0dce03..fd01dd18 100644
--- a/register_participants_isefforms.php
+++ b/register_participants_isefforms.php
@@ -38,13 +38,13 @@
 	exit;
  }
 
- $q=$pdo->prepare("SELECT registrations.id AS regid, students.id AS studentid, students.firstname FROM registrations,students ".
- 	"WHERE students.email=?"
-	"AND registrations.num=?" 
-	"AND registrations.id=?"
-	"AND students.registrations_id=registrations.id ".
-	"AND registrations.year=?"
-	"AND students.year=?");
+ $q=$pdo->prepare("SELECT registrations.id AS regid, students.id AS studentid, students.firstname FROM registrations,students 
+ 	WHERE students.email=?
+	AND registrations.num=?
+	AND registrations.id=?
+	AND students.registrations_id=registrations.id 
+	AND registrations.year=?
+	AND students.year=?");
 $q->execute([$_SESSION['email'],$_SESSION['registration_number'],$_SESSION['registration_id'],$config['FAIRYEAR'],$config['FAIRYEAR']]);
 show_pdo_errors_if_any($pdo);
 
diff --git a/register_participants_mentor.php b/register_participants_mentor.php
index 478db1d0..71bc2aa0 100644
--- a/register_participants_mentor.php
+++ b/register_participants_mentor.php
@@ -115,7 +115,7 @@ if (get_value_from_array($_GET, 'action') == 'removementor') {
 		echo error(i18n('Cannot make changes to forms once they have been received by the fair'));
 	} else {
 		// first make sure this is one belonging to this registration id
-		$q = $pdo->prepare("SELECT id FROM mentors WHERE id=?' AND registrations_id=?");
+		$q = $pdo->prepare("SELECT id FROM mentors WHERE id=? AND registrations_id=?");
 		$q->execute([$_GET['removementor'], $_SESSION['registration_id']]);
 		if ($q->rowCount() == 1) {
 			$stmt = $pdo->prepare("DELETE FROM mentors WHERE id=? AND registrations_id=?");
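Review bot: The `removementor` branch deletes a row in response to a plain GET request, and no CSRF token or request-method check is visible in this hunk, so a crafted link `?action=removementor&removementor=N` opened by a logged-in participant would remove one of their own mentors; if no such check exists outside the hunk, this action should require POST with a per-session token. The lookup also reads `$_GET['removementor']` directly while the surrounding guard uses `get_value_from_array($_GET, 'action')`, so a request with the action but without the id raises a notice and binds null; `$q->execute([get_value_from_array($_GET, 'removementor'), $_SESSION['registration_id']]);` keeps the two consistent. Note that `rowCount()` on a SELECT is driver-dependent in PDO; `if ($q->fetch() !== false)` states the intent without relying on that. The enclosing `if (get_value_from_array($_GET, 'action') == 'removementor')` block starts before this hunk.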
diff --git a/register_participants_students.php b/register_participants_students.php
index 61307218..effe450d 100644
--- a/register_participants_students.php
+++ b/register_participants_students.php
@@ -147,27 +147,27 @@ if (get_value_from_array($_POST, 'action') == 'save') {
 
 				// UPDATE existing record
 				$dob = $_POST['year'][$x] . '-' . $_POST['month'][$x] . '-' . $_POST['day'][$x];
-				$stmt = $pdo->prepare('UPDATE students SET '
-					. 'firstname = ?, '
-					. 'lastname = ?, '
-					. 'pronunciation = ?, '
-					. 'sex = ?, '
-					. 'email = ?, '
-					. 'address = ?, '
-					. 'city = ?, '
-					. 'county = ?, '
-					. 'province = ?, '
-					. 'postalcode = ?, '
-					. 'phone = ?, '
-					. 'dateofbirth = ?, '
-					. 'grade = ?, '
-					. $schoolquery
-					. 'medicalalert = ?, '
-					. 'foodreq = ?, '
-					. 'teachername = ?, '
-					. 'teacheremail = ?, '
-					. 'tshirt = ? '
-					. 'WHERE id = ?');
+				$stmt = $pdo->prepare('UPDATE students SET 
+					firstname =?, 
+					lastname =?, 
+					pronunciation =?,
+					sex =?, 
+					email =?, 
+					address =?, 
+					city =?,
+					county =?, 
+					province=?, 
+					postalcode =?, 
+					phone =?, 
+					dateofbirth =?,
+					grade =?, 
+					$schoolquery
+					medicalalert =?, 
+					foodreq =?, 
+					teachername =?,
+					teacheremail =?, 
+					tshirt =? 
+					WHERE id =?');
 
 				$stmt->execute([
 					stripslashes($_POST['firstname'][$x]),
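Review bot: The rewritten UPDATE is a single-quoted PHP string, so `$schoolquery` on the `grade =?,` line is no longer interpolated and the literal text `$schoolquery` is sent to MySQL, which turns a statement that previously worked (via `. $schoolquery .`) into a SQL syntax error at `prepare()`. Either switch the delimiters to double quotes (`"UPDATE students SET` … `WHERE id =?"`) or keep the concatenation on that line, `grade =?, ' . $schoolquery . '`. Whichever is chosen, `$schoolquery` is still spliced into SQL text; its construction is not visible here, so it must consist only of fixed fragments with `?` placeholders whose count matches the execute list that follows, never anything derived from `$_POST`. The `stripslashes()` calls on the bound values are a magic_quotes-era leftover that now strips legitimate backslashes from user data before it is parameterised and could be dropped. The enclosing `save` branch and the `$x` loop start before this hunk, and the `execute([...])` argument list continues after it.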