From d6df555fc41b6b84dd55ab150af70b3c04d38c26 Mon Sep 17 00:00:00 2001
From: Armanveer Gill <contact@science-ation.ca>
Date: Wed, 27 Nov 2024 10:47:41 -0500
Subject: [PATCH] Converted sql to pdo

---
 admin/cms.php               | 11 ++++++-----
 admin/committees.php        | 10 +++++++---
 admin/communication.php     |  5 +++--
 admin/fair_stats.php        | 10 ++++++----
 admin/registration_list.php |  7 +++++--
 admin/schools.php           |  5 +++--
 admin/user_list.php         | 18 +++++++++++-------
 admin/winners.php           | 11 ++++++-----
 committee_main.php          |  4 ++--
 config/index.php            |  3 +--
 data/documents/.htaccess    |  2 ++
 tableeditor.class.php       |  8 +++++---
 12 files changed, 57 insertions(+), 37 deletions(-)
 create mode 100644 data/documents/.htaccess

diff --git a/admin/cms.php b/admin/cms.php
index 06103f4..badbac0 100644
--- a/admin/cms.php
+++ b/admin/cms.php
@@ -177,14 +177,15 @@
 	 echo "<a href=\"cms.php?action=create\">".i18n("or click here to create a new file")."</a><br />\n";
 
 	 echo "<table class=\"summarytable\">";
-
-	 $q=mysql_query("SELECT DISTINCT(filename) AS filename FROM cms ORDER BY filename");
+	$q = $pdo->prepare("SELECT DISTINCT(filename) AS filename FROM cms ORDER BY filename");
+	
 	 echo "<tr><th>".i18n("Filename")."</th><th>".i18n("Last Update")."</th></tr>";
-	 while($r=mysql_fetch_object($q))
+	 while($r=$q->fetch(PDO::FETCH_ASSOC))
 	 {
 		echo "<tr><td><a href=\"cms.php?filename=".rawurlencode($r->filename)."\">/web/$r->filename</a></td>";
-		$q2=mysql_query("SELECT dt FROM cms WHERE filename='".mysql_escape_string($r->filename)."' ORDER BY dt DESC LIMIT 1");
-		$r2=mysql_fetch_object($q2);
+		$q2 = $pdo->prepare("SELECT dt FROM cms WHERE filename='".mysql_escape_string($r->filename)."' ORDER BY dt DESC LIMIT 1");
+	
+		$r2=$q2->fetch(PDO::FETCH_OBJ);
 		if($r2->dt=="0000-00-00 00:00:00") $dt="Never";
 		else $dt=$r2->dt;
 		echo "<td>$dt</td>";
diff --git a/admin/committees.php b/admin/committees.php
index 7e1d5db..37d60fc 100644
--- a/admin/committees.php
+++ b/admin/committees.php
@@ -247,10 +247,13 @@ if($_GET['unlinkmember'] && $_GET['unlinkcommittee']) {
 	echo "</select>";
 
 	echo "</td><td>";
-	$q=mysql_query("SELECT uid,MAX(year),firstname,lastname,email,deleted FROM users WHERE types LIKE '%committee%' GROUP BY uid ORDER BY firstname");
+	$q = $pdo->prepare("SELECT uid,MAX(year),firstname,lastname,email,deleted FROM users WHERE types LIKE '%committee%' GROUP BY uid ORDER BY firstname");
+	$q->execute();
+	
+	
 	echo "<select name=\"users_uid\">";
 	echo "<option value=\"\">".i18n("Select a Member")."</option>\n";
-	while($r=mysql_fetch_object($q))
+	while($r=$q->fetch(PDO::FETCH_OBJ))
 	{
 		if($r->deleted != 'no') continue;
 		$displayname = $r->firstname.' '.$r->lastname;
@@ -265,7 +268,8 @@ if($_GET['unlinkmember'] && $_GET['unlinkcommittee']) {
 	//The Assign Div
 	echo "<div id=\"assigndiv\">";
 	echo i18n("To Committee").": ";
-	$q=mysql_query("SELECT * FROM committees ORDER BY ord,name");
+	$q = $pdo->prepare("SELECT * FROM committees ORDER BY ord,name");
+	$q->execute();
 	echo "<select name=\"committees_id\">";
 	echo "<option value=\"\">".i18n("Select a Committee")."</option>\n";
 	while($r=mysql_fetch_object($q))
diff --git a/admin/communication.php b/admin/communication.php
index 21c7fc3..c531a4c 100644
--- a/admin/communication.php
+++ b/admin/communication.php
@@ -609,14 +609,15 @@ case "email_send":
 
 case "email_get_list":
 
-	 $q=mysql_query("SELECT * FROM emails ORDER BY type,name");
+	$q = $pdo->prepare("SELECT * FROM emails ORDER BY type,name");
+
 	 echo "<table class=\"tableview\">";
 	 echo "<thead><tr>";
 	 echo " <th>".i18n("Name")."</th>";
 	 echo " <th>".i18n("Type")."</th>";
 	 echo " <th>".i18n("Actions")."</th>";
 	 echo "</tr></thead>";
-	 while($r=mysql_fetch_object($q)) {
+	 while($r=$q->fetch(PDO::FETCH_OBJ)) {
 		if($r->fundraising_campaigns_id) $fcid=$r->fundraising_campaigns_id;
 		else $fcid='null';
 		if($r->name) $name=$r->name;
diff --git a/admin/fair_stats.php b/admin/fair_stats.php
index c55f62f..de5c0da 100644
--- a/admin/fair_stats.php
+++ b/admin/fair_stats.php
@@ -134,19 +134,21 @@
 
 
  echo "<form name=\"fairselect\" action=\"$PHPSELF\" method=\"get\">";
- $q=mysql_query("SELECT * FROM fairs WHERE `type`='sfiab' OR `type`='ysc' AND enable_stats='yes'");
+ $q = $pdo->prepare("SELECT * FROM fairs WHERE `type`='sfiab' OR `type`='ysc' AND enable_stats='yes'");
+ $q->execute();
  echo "<select name=\"id\">";
  echo "<option value=\"\">".i18n("Choose a destination")."</option>\n";
- while($r=mysql_fetch_object($q)) {
+ while($r=$q->fetch(PDO::FETCH_OBJ)) {
  	if($fairs_id==$r->id) $sel="selected=\"selected\""; else $sel="";
  	echo "<option $sel value=\"{$r->id}\">{$r->name} ({$r->abbrv})</option>\n";
  }
  echo "</select>\n";
 
- $q=mysql_query("SELECT DISTINCT(year) AS year FROM config WHERE year>0 ORDER BY year");
+ $q = $pdo->prepare("SELECT DISTINCT(year) AS year FROM config WHERE year>0 ORDER BY year");
+ $q->execute();
  echo "<select name=\"year\">";
  echo "<option value=\"\">".i18n("Choose a year")."</option>\n";
- while($r=mysql_fetch_object($q)) {
+ while($r=$q->fetch(PDO::FETCH_OBJ)) {
  	if($year==$r->year) $sel="selected=\"selected\""; else $sel="";
  	echo "<option $sel value=\"$r->year\">$r->year</option>\n";
  }
diff --git a/admin/registration_list.php b/admin/registration_list.php
index 9d87e3c..4ed46dd 100644
--- a/admin/registration_list.php
+++ b/admin/registration_list.php
@@ -399,7 +399,7 @@ function list_query($year, $wherestatus, $reg_id)
 		$fair = "AND projects.fairs_id='{$_SESSION['fairs_id']}'";
 	}
 
-	$q=mysql_query("SELECT  registrations.id AS reg_id,
+	$q = pdo->prepare("SELECT  registrations.id AS reg_id,
 				registrations.num AS reg_num,
 				registrations.status,
 				registrations.email,
@@ -420,7 +420,10 @@ function list_query($year, $wherestatus, $reg_id)
 			ORDER BY
 				registrations.status DESC, projects.title
 			");
-	echo mysql_error();
+
+	
+
+	echo $pdo->erroInfo();
 	return $q;
 }
 
diff --git a/admin/schools.php b/admin/schools.php
index fbc6070..064dc77 100644
--- a/admin/schools.php
+++ b/admin/schools.php
@@ -346,8 +346,9 @@
 		echo " <th>".i18n("Action")."</th>";
 		echo "</tr></thead>\n";
 
-		$q=mysql_query("SELECT * FROM schools WHERE year='".$config['FAIRYEAR']."' ORDER BY school");
-		while($r=mysql_fetch_object($q))
+		$q = $pdo->prepare("SELECT * FROM schools WHERE year='".$config['FAIRYEAR']."' ORDER BY school");
+		$q->execute();
+		while($r=$q->fetch(PDO::FETCH_OBJ))
 		{
 			echo "<tr>\n";
 			echo " <td>$r->school</td>\n";
diff --git a/admin/user_list.php b/admin/user_list.php
index a2ad87f..23a399d 100644
--- a/admin/user_list.php
+++ b/admin/user_list.php
@@ -298,11 +298,14 @@ function update (id)
 				lastname ASC,
 				firstname ASC,
 				year DESC";
-	$q=mysql_query($querystr);
-	echo mysql_error();
+	
+	$q = $pdo->prepare($querystr);
+	$q->execute();
+	
+	echo $pdo->errorInfo();
 //	echo $querystr;
-	$num=mysql_num_rows($q);
-	echo mysql_error();
+	$num=$q->rowCount();
+	echo $pdo->errorInfo();
 	echo i18n("Listing %1 people total.  See the table at the bottom for the totals by status <br><br><br>",array($num));
 	echo i18n(" <lh>Notes:</lh> <ul><li> Deleting users from this list is a permanent operation and cannot be undone.  Consider editing the user and deactivating or deleting roles in their account instead.
 					      		   <li> Updating a user to the current fair year allows you to then complete the user from this list.
@@ -330,7 +333,7 @@ function update (id)
 	$tally['active']['incomplete'] = 0;
 	$tally['inactive']['complete'] = 0;
 	$tally['inactive']['incomplete'] = 0;
-	while($r=mysql_fetch_assoc($q))
+	while($r=$q->fetch(PDO::FETCH_ASSOC))
 	{
 		//JAMES - TEMP - due to the previous error with improperly setting judge status to NOT complete when special awards was turned off
 		//we now need to make sure we re-calculate all the judge statuses somehow, so might as well do it here.
@@ -353,10 +356,11 @@ function update (id)
 
 		$name = "{$r['firstname']} {$r['lastname']}";
 		if(in_array('fair', $types)) {
-			$qq = mysql_query("SELECT * FROM users_fair 
+			$qq = $pdo->prepare("SELECT * FROM users_fair 
 							LEFT JOIN fairs ON fairs.id=users_fair.fairs_id
 						WHERE users_id='{$r['id']}'");
-			$rr = mysql_fetch_assoc($qq);
+			
+			$rr = $qq->fetch(PDO::FETCH_ASSOC);
 			$name = "{$rr['name']}".((trim($name)=='') ? '' : "<br />($name)");
 		} 
 		echo "<a href=\"#\" onclick=\"return openeditor({$r['id']})\">$name</a>";
diff --git a/admin/winners.php b/admin/winners.php
index c40d457..d62fbae 100644
--- a/admin/winners.php
+++ b/admin/winners.php
@@ -34,8 +34,9 @@ $action = $_GET['action'];
 
 /* Load fairs */
 $fairs = array();
-$q = mysql_query("SELECT * FROM fairs WHERE type='feeder' ORDER BY name");
-while(($f = mysql_fetch_assoc($q))) {
+$q=$pdo->prepare("SELECT * FROM fairs WHERE type='feeder' ORDER BY name");
+$q->execute();
+while(($f = $q->fetch(PDO::FETCH_ASSOC))) {
 	$fairs[$f['id']] = $f;
 }
 
@@ -386,7 +387,7 @@ if($auth_type == 'fair') {
 	$fair_where = "AND fairs_awards_link.upload_winners='yes' 
 			AND fairs_awards_link.fairs_id='{$_SESSION['fairs_id']}'";
 }
-$q=mysql_query("SELECT 
+$q = $pdo->prepare("SELECT 
 			award_awards.id,
 			award_awards.name,
 			award_awards.order AS awards_order,
@@ -407,9 +408,9 @@ $q=mysql_query("SELECT
 			$fair_where
 		ORDER BY awards_order");
 
-echo mysql_error();
+echo $pdo->errorInfo();
 
-if(mysql_num_rows($q) == 0) {
+if($q->rowCount() == 0) {
 	echo i18n('No awards to display.');
 	send_footer();
 	exit;
diff --git a/committee_main.php b/committee_main.php
index d1facec..4fa38ee 100644
--- a/committee_main.php
+++ b/committee_main.php
@@ -26,12 +26,12 @@
  require_once("common.inc.php");
  require_once("user.inc.php");
  require_once("user_page.inc.php");
- require_once("chat.inc.php");
+ 
 
  user_auth_required('committee');
 
  send_header("Committee Main", array());
- draw_chatbox('general');
+
  //only display the named greeting if we have their name
  echo i18n("Hello <b>%1</b>",array($_SESSION['name']));
  echo "<br />";
diff --git a/config/index.php b/config/index.php
index 6c28888..7b1e93c 100644
--- a/config/index.php
+++ b/config/index.php
@@ -25,7 +25,7 @@
  require("../common.inc.php");
  require("signaturepage_or_permissionform.php");
  require_once("../user.inc.php");
- require_once("../chat.inc.php");
+ 
  user_auth_required('committee', 'config');
 
  send_header("SFIAB Configuration",
@@ -34,7 +34,6 @@
 		);
 
 
-draw_chatbox('general');
 
  echo "<table class=\"adminconfigtable\">";
  echo " <tr>";
diff --git a/data/documents/.htaccess b/data/documents/.htaccess
new file mode 100644
index 0000000..773fbb5
--- /dev/null
+++ b/data/documents/.htaccess
@@ -0,0 +1,2 @@
+Order Deny,Allow
+Deny From All
diff --git a/tableeditor.class.php b/tableeditor.class.php
index 3e47dc2..20a6b09 100644
--- a/tableeditor.class.php
+++ b/tableeditor.class.php
@@ -993,6 +993,7 @@ class TableEditor
 	{
 		global $icon_path;
 		global $icon_extension;
+		global $pdo;
 
 		$query="SELECT SQL_CALC_FOUND_ROWS {$this->primaryKey}";
 
@@ -1030,11 +1031,12 @@ class TableEditor
 		}
 		if($this->DEBUG) echo $query;
 
-//		print("query[$query]");
-		$q=mysql_query($query);
+		print("query[$query]");
+		$q = $pdo->prepare($query);
+		$q->execute();
 		if($q == false) {
 			echo "Sorry, MYSQL query failed: <pre>$query</pre><br />";
-			echo "Error: ".mysql_error(); 
+			echo "Error: ".$pdo->errorInfo(); 
 			exit;
 		}