From e4995bbc3d0a3dc3708a005408ac06d85a7cccc5 Mon Sep 17 00:00:00 2001 From: Armanveer Gill Date: Mon, 25 Nov 2024 18:06:33 -0500 Subject: [PATCH] First pass for PHP/MariaDB updates --- admin/reports_judges.inc.php | 13 +- admin/reports_students.inc.php | 8 +- committees.php | 15 ++- common.inc.php | 216 ++++++++++++++---------------- config/backuprestore.php | 8 +- config/categories.php | 6 +- config/dates.php | 12 +- config/divisions.php | 6 +- config/divisions_cwsf.php | 1 + config/pagetexts.php | 16 ++- config/safetyquestions.php | 5 +- config/signaturepage.php | 30 +++-- config/subdivisions.php | 8 +- config/variables.php | 28 ++-- config_editor.inc.php | 41 +++--- confirmed_participants.php | 23 ++-- contact.php | 23 ++-- data/backuprestore/.htaccess | 2 + data/config.inc.php | 29 ++++ fair_additional_materials.inc.php | 2 +- fair_info.php | 47 ++++--- fair_stats.php | 31 +++-- important_dates.php | 7 +- install.php | 49 ++++--- install2.php | 30 +++-- install3.php | 117 ++++++++++++---- lpdf.php | 2 + questions.inc.php | 10 +- register_participants.php | 47 ++++--- user.inc.php | 19 +-- user_login.php | 30 +++-- winners.php | 6 +- 32 files changed, 539 insertions(+), 348 deletions(-) create mode 100644 data/backuprestore/.htaccess create mode 100644 data/config.inc.php diff --git a/admin/reports_judges.inc.php b/admin/reports_judges.inc.php index b2d3cf4..09cf0cd 100644 --- a/admin/reports_judges.inc.php +++ b/admin/reports_judges.inc.php @@ -39,11 +39,13 @@ $report_judges_cats = array(); function report_judges_load_divs($year) { global $report_judges_divs; + global $pdo; /* Load divisions for this year, only once */ if(!array_key_exists($year, $report_judges_divs)) { $report_judges_divs[$year] = array(); - $q = mysql_query("SELECT * FROM projectdivisions WHERE year='$year'"); - while(($d = mysql_fetch_assoc($q))) { + $q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year='$year'"); + $q->execute(); + while(($d =$q->fetch(PDO::FETCH_ASSOC))) { $report_judges_divs[$year][$d['id']] = $d; } } @@ -51,9 +53,11 @@ function report_judges_load_divs($year) function report_judges_load_cats($year) { global $report_judges_cats; + global $pdo; if(!array_key_exists($year, $report_judges_cats)) { - $q = mysql_query("SELECT * FROM projectcategories WHERE year='$year'"); - while(($c = mysql_fetch_assoc($q))) { + $q = $pdo->prepare("SELECT * FROM projectcategories WHERE year='$year'"); + $q->execute(); + while(($c = $q->fetch(PDO::FETCH_ASSOC))) { $report_judges_cats[$year][$c['id']] = $c; } } @@ -908,6 +912,7 @@ function report_judges_update_cats($year) report_judges_load_cats($year); + ////FIXME No check for empty projectcategories, please check the NULL case of count($report_judges_cats[$year]) if(count($report_judges_cats[$year]) > 10) { echo "Not enough judge age category fields, please file a bug report at sfiab.ca and report that you have ".count($report_judges_cats[$year])." age categories, but the system can handle a maximum of 10."; exit; diff --git a/admin/reports_students.inc.php b/admin/reports_students.inc.php index 1e0d935..760c75d 100644 --- a/admin/reports_students.inc.php +++ b/admin/reports_students.inc.php @@ -146,11 +146,11 @@ function report_student_regfee_item($report, $field, $text) { } } - - $q = mysql_query("SELECT * FROM regfee_items WHERE year='{$config['FAIRYEAR']}'"); + $q = $pdo->prepare("SELECT * FROM regfee_items WHERE year='{$config['FAIRYEAR']}'"); + $q->execute(); $regfeeitems=array(); $first=true; - while($i = mysql_fetch_assoc($q)) { + while($i = $q->fetch(PDO::FETCH_ASSOC)) { $regfeeitems["regfee_item_".$i['id']] = array ( 'name' => "Registration Fee Items -- {$i['name']}", 'header' => $i['name'], @@ -1069,7 +1069,7 @@ $report_students_fields = array( 'name' => 'Fair -- Name', 'header' => 'Fair Name', 'width' => 3, - 'table' => "'".mysql_escape_string($config['fairname'])."'"), + 'table' => "'".$config['fairname']."'"), 'fair_logo' => array( 'name' => 'Fair -- Logo (for Labels only)', diff --git a/committees.php b/committees.php index 39994f3..b70aa5d 100644 --- a/committees.php +++ b/committees.php @@ -27,10 +27,13 @@ send_header("Committee List", null, "committee_management"); echo ""; - $q=mysql_query("SELECT * FROM committees ORDER BY ord,name"); - while($r=mysql_fetch_object($q)) { - /* Select all the users in the committee, using MAX(year) for the most recent year */ - $q2=mysql_query("SELECT committees_link.*,users.uid,MAX(users.year),users.lastname + $q = $pdo->prepare("SELECT * FROM committees ORDER BY ord,name"); + $q->execute(); + + while($r=$q->fetch()) + { + /* Select all the u$q=("SELECT * FROM committees ORDER BY ord,name");sers in the committee, using MAX(year) for the most recent year */ + $q2=("SELECT committees_link.*,users.uid,MAX(users.year),users.lastname FROM committees_link LEFT JOIN users ON users.uid = committees_link.users_uid WHERE committees_id='{$r->id}' GROUP BY users.uid ORDER BY ord,users.lastname "); @@ -43,8 +46,8 @@ echo "\n"; - echo mysql_error(); - while($r2=mysql_fetch_object($q2)) { + echo pdo->errorInfo(); + while($r2 = $q2->fetch()){ $uid = $r2->users_uid; $u = user_load_by_uid($uid); diff --git a/common.inc.php b/common.inc.php index ac1550e..63180fa 100644 --- a/common.inc.php +++ b/common.inc.php @@ -22,15 +22,14 @@ */ ?> *'); @@ -85,16 +84,11 @@ else exit; } -/* -difference between MySQL <5.1 and 5.1: -in <5.1 in must have internall truncated it at 16 before comparing with the hard-coded 16 character database limit -in 5.1 it doesnt truncate and compares the full string with the hardcoded 16 character limit, so all our very long usernames -are now failing -James - Dec 30 2010 -*/ -$DBUSER=substr($DBUSER,0,16); +$dsn = "mysql:host=db;dbname=sfiab;charset=utf8mb4"; -if(!mysql_connect($DBHOST,$DBUSER,$DBPASS)) +$pdo = new PDO($dsn,$DBUSER,$DBPASS,$dsn_options); + +if(!$pdo) { echo "SFIAB ERROR"; echo "

Science Fair In A Box - ERROR

"; @@ -102,23 +96,18 @@ if(!mysql_connect($DBHOST,$DBUSER,$DBPASS)) echo ""; exit; } - -if(!mysql_select_db($DBNAME)) -{ - echo "SFIAB ERROR"; - echo "

Science Fair In A Box - ERROR

"; - echo "Cannot select database!"; - echo ""; - exit; -} -//this will silently fail on mysql 4.x, but is needed on mysql5.x to ensure we're only using iso-8859-1 (/latin1) encodings -@mysql_query("SET NAMES latin1"); //find out the fair year and any other 'year=0' configuration parameters (things that dont change as the years go on) -$q=@mysql_query("SELECT * FROM config WHERE year='0'"); + //we might get an error if installation step 2 is not done (ie, the config table doesnt even exist) -if(mysql_error()) + +//if we have 0 (<1) then install2 is not done, which would get caught above, +//if we have 1 (<2) then insatll3 is not done (no entries for FAIRYEAR and SFIABDIRECTORY) +$q = $pdo->prepare("SELECT * FROM config WHERE year='0'"); +$q->execute(); + +if($pdo->errorInfo()[0] != '00000') { echo "SFIAB ERROR"; echo "

Science Fair In A Box - ERROR

"; @@ -127,9 +116,9 @@ if(mysql_error()) echo ""; exit; } -//if we have 0 (<1) then install2 is not done, which would get caught above, -//if we have 1 (<2) then insatll3 is not done (no entries for FAIRYEAR and SFIABDIRECTORY) -if(mysql_num_rows($q)<2) + + +if($q->rowCount()<2) { echo "SFIAB ERROR"; echo "

Science Fair In A Box - ERROR

"; @@ -140,10 +129,11 @@ if(mysql_num_rows($q)<2) } else -{ - while($r=mysql_fetch_object($q)) +{ + while($r=$q->fetch()) { - $config[$r->var]=$r->val; + + $config[$r['var']]=$r['val']; } } @@ -151,6 +141,7 @@ $dbdbversion=$config['DBVERSION']; $dbcodeversion=@file($prependdir."db/db.code.version.txt"); $dbcodeversion=trim($dbcodeversion[0]); + if(!$dbdbversion) { echo "SFIAB ERROR"; @@ -182,42 +173,20 @@ if($dbcodeversion!=$dbdbversion) exit; } -/* Check that magic_quotes is OFF */ -if(get_magic_quotes_gpc()) { -?> - SFIAB ERROR -

Science Fair In A Box - ERROR

-

Your PHP configuration has magic_quotes ENABLED. They should be - disabled, and are disabled in the .htaccess file, so your server is - ignoring the .htaccess file or overriding it. -

Magic quotes is DEPRECATED as of PHP 5.3.0, REMOVE as of 6.0, but ON - by default for any PHP < 5.3.0. -

It's a pain in the butt because PHP runs urldecode() on all inputs - from GET and POST, but if it sees the string has quotes, then it escapes - existing quotes before passing it to us. This is a problem for json_decode - where we do not want this behaviour, and thus need to pass through stripslashes() - first, but only if magicquotes is ON. If it's off, stripslashes will - break json_decode. -

Add 

php_flag magic_quotes_gpc off
to the .htacces, or add - 
php_flag magic_quotes_gpc=off
to php.ini - -
-prepare("SELECT * FROM config WHERE year='".$config['FAIRYEAR']."'"); +$q->execute(); +while($r=$q->fetch()) { - $config[$r->var]=$r->val; + $config[$r['var']]=$r['val']; } //now pull the dates -$q=mysql_query("SELECT * FROM dates WHERE year='".$config['FAIRYEAR']."'"); -while($r=mysql_fetch_object($q)) +$q = $pdo->prepare("SELECT * FROM dates WHERE year='".$config['FAIRYEAR']."'"); +$q->execute(); +while($r=$q->fetch()) { - $config['dates'][$r->name]=$r->date; + $config['dates'][$r['name']]=$r['date']; } //and now pull the theme @@ -226,6 +195,8 @@ require_once("theme/{$config['theme_icons']}/icons.php"); require_once("committee.inc.php"); +session_start(); + if($config['SFIABDIRECTORY'] == '') { session_name("SFIABSESSID"); session_set_cookie_params(0,'/'); @@ -233,7 +204,6 @@ if($config['SFIABDIRECTORY'] == '') { session_name("SFIABSESSID".preg_replace("/[^A-Za-z]/","_",$config['SFIABDIRECTORY'])); session_set_cookie_params(0,$config['SFIABDIRECTORY']); } -session_start(); //detect the browser first, so we know what icons to use - we store this in the config array as well //even though its not configurable by the fair @@ -245,17 +215,18 @@ else //now get the languages, and make sure we have at least one active language -$q=mysql_query("SELECT * FROM languages WHERE active='Y' ORDER BY langname"); -if(mysql_num_rows($q)==0) + +$q=$pdo->prepare("SELECT * FROM languages WHERE active='Y' ORDER BY langname"); +$q->execute(); +if($q->rowCount()==0) { echo "No active languages defined, defaulting to English"; $config['languages']['en']="English"; } else -{ - while($r=mysql_fetch_object($q)) +{ while($r=$q->fetch()) { - $config['languages'][$r->lang]=$r->langname; + $config['languages'][$r['lang']]=$r['langname']; } } //now if no language has been set yet, lets set it to the default language @@ -279,7 +250,7 @@ if($_GET['switchlanguage']) if($config['languages'][$_GET['switchlanguage']]) { $_SESSION['lang']=$_GET['switchlanguage']; - + } else { @@ -288,7 +259,7 @@ if($_GET['switchlanguage']) } function i18n($str,$args=array(),$argsdesc=array(),$forcelang="") -{ +{ global $pdo; if(!$str) return ""; @@ -311,12 +282,15 @@ function i18n($str,$args=array(),$argsdesc=array(),$forcelang="") } else { - $q=mysql_query("SELECT * FROM translations WHERE lang='".$_SESSION['lang']."' AND strmd5='".md5($str)."'"); - if($r=@mysql_fetch_object($q)) + + $q = $pdo->prepare("SELECT * FROM translations WHERE lang='".$_SESSION['lang']."' AND strmd5='".md5($str)."'"); + $q->execute(); + if($r = $q->fetch()) + { - if($r->val) + if($r["val"]) { - $ret=$r->val; + $ret=$r["val"]; for($x=1;$x<=count($args);$x++) { @@ -348,12 +322,13 @@ function i18n($str,$args=array(),$argsdesc=array(),$forcelang="") $n++; } $argsdescstring=substr($argsdescstring,0,-2); - $argsdescstring="'".mysql_escape_string($argsdescstring)."'"; + $argsdescstring=pdo->quote($argsdescstring)."'"; } else $argsdescstring="null"; - mysql_query("INSERT INTO translations (lang,strmd5,str,argsdesc) VALUES ('".$_SESSION['lang']."','".md5($str)."','".mysql_escape_string($str)."',$argsdescstring)"); + $stmt = $pdo->prepare("INSERT INTO translations (lang,strmd5,str,argsdesc) VALUES (?,?,?,?)"); + $stmt->execute([$_SESSION['lang'], md5($str), $pdo->quote($str), $argsdescstring]); for($x=1;$x<=count($args);$x++) { $str=str_replace("%$x",$args[$x-1],$str); @@ -420,12 +395,13 @@ function send_header($title="", $nav=null, $icon=null, $titletranslated=false) ?> -<? if($title && !$titletranslated) echo i18n($title); else if($title) echo $title; else echo i18n($config['fairname']); ?> +<? //if($title && !$titletranslated) echo i18n($title); else if($title) echo $title; else echo i18n($config['fairname']); ?> + @@ -489,8 +465,8 @@ echo ""; //only display it if a date is set to begin with. if($config['dates']['postparticipants'] && $config['dates']['postparticipants']!="0000-00-00 00:00:00") { - $q=mysql_query("SELECT (NOW()>'".$config['dates']['regclose']."') AS test"); - $r=mysql_fetch_object($q); + $q=("SELECT (NOW()>'".$config['dates']['regclose']."') AS test"); + $r=$q->fetch(); if($r->test==1) { $registrationconfirmationlink="
  • ".i18n("Confirmed Participants")."
    • "; @@ -866,10 +842,10 @@ function emit_time_selector($name,$selected="") function emit_province_selector($name,$selected="",$extra="") { global $config; - $q=mysql_query("SELECT * FROM provinces WHERE countries_code='".mysql_escape_string($config['country'])."' ORDER BY province"); + $q=("SELECT * FROM provinces WHERE countries_code='".mysql_escape_string($config['country'])."' ORDER BY province"); if(mysql_num_rows($q)==1) { - $r=mysql_fetch_object($q); + $r = $q->fetch(); echo ""; echo i18n($r->province); } @@ -877,7 +853,7 @@ function emit_province_selector($name,$selected="",$extra="") { echo ""; echo " "; diff --git a/config/dates.php b/config/dates.php index 6934205..14503d6 100644 --- a/config/dates.php +++ b/config/dates.php @@ -31,8 +31,10 @@ ,"important_dates" ); -$q=mysql_query("SELECT * FROM dates WHERE year='-1'"); -while($r=mysql_fetch_object($q)) { +$q = $pdo->prepare("SELECT * FROM dates WHERE year='-1'"); +$q->execute(); + +while($r=$q->fetch(PDO::FETCH_OBJ)) { $defaultdates[$r->name]=$r; } @@ -78,8 +80,10 @@ $dates = array('fairdate' => array() , 'specawardregclose' => array()); /* Now copy the SQL data into the above array */ - $q=mysql_query("SELECT * FROM dates WHERE year='".$config['FAIRYEAR']."' ORDER BY date"); - while($r=mysql_fetch_object($q)) { + + $q = $pdo->prepare("SELECT * FROM dates WHERE year='".$config['FAIRYEAR']."' ORDER BY date"); + $q->execute(); + while($r=$q->fetch(PDO::FETCH_OBJ)) { $dates[$r->name]['description'] = $r->description; $dates[$r->name]['id'] = $r->id; $dates[$r->name]['date'] = $r->date; diff --git a/config/divisions.php b/config/divisions.php index 5f28b8f..132469a 100644 --- a/config/divisions.php +++ b/config/divisions.php @@ -184,9 +184,9 @@ if($_GET['action']=="edit" || $_GET['action']=="new") { echo ""; } else - { - $q=mysql_query("SELECT * FROM projectdivisions WHERE year='".$config['FAIRYEAR']."' ORDER BY id"); - while($r=mysql_fetch_object($q)) + { $q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year='".$config['FAIRYEAR']."' ORDER BY id"); + $q->execute(); + while($r=$q->fetch(PDO::FETCH_OBJ)) { echo ""; echo " "; diff --git a/config/divisions_cwsf.php b/config/divisions_cwsf.php index d6110c0..5b8534d 100644 --- a/config/divisions_cwsf.php +++ b/config/divisions_cwsf.php @@ -31,6 +31,7 @@ ,"cwsf_project_divisions" ); +////// FIX ME!!!!! if(count($_POST['cwsfdivision'])) { foreach($_POST['cwsfdivision'] AS $k=>$v) diff --git a/config/pagetexts.php b/config/pagetexts.php index 716dc40..5e30dc4 100644 --- a/config/pagetexts.php +++ b/config/pagetexts.php @@ -37,16 +37,18 @@ ,"page_texts" ); - $q=mysql_query("SELECT * FROM pagetext WHERE year='-1' ORDER BY textname"); - while($r=mysql_fetch_object($q)) +$q = $pdo->prepare("SELECT * FROM pagetext WHERE year='-1' ORDER BY textname"); + $q->execute(); + while($r=$q->fetch(PDO::FETCH_OBJ)) { foreach($config['languages'] AS $lang=>$langname) { - mysql_query("INSERT INTO pagetext (textname,textdescription,text,year,lang) VALUES ( - '".mysql_escape_string($r->textname)."', - '".mysql_escape_string($r->textdescription)."', - '".mysql_escape_string($r->text)."', + $q = $pdo->prepare("INSERT INTO pagetext (textname,textdescription,text,year,lang) VALUES ( + '".$r->textname."', + '".$r->textdescription."', + '".$r->text."', '".$config['FAIRYEAR']."', - '".mysql_escape_string($lang)."')"); + '".$lang."')"); + $q->execute(); } } diff --git a/config/safetyquestions.php b/config/safetyquestions.php index 438f82b..61f1fda 100644 --- a/config/safetyquestions.php +++ b/config/safetyquestions.php @@ -142,9 +142,10 @@ echo "".i18n("Add new safety question").""; echo "

    ".i18n($r->name)."

    "; echo "
    $r->id
    $r->id
    "; - $q=mysql_query("SELECT * FROM safetyquestions WHERE year='".$config['FAIRYEAR']."' ORDER BY ord"); + $q = $pdo->prepare("SELECT * FROM safetyquestions WHERE year='".$config['FAIRYEAR']."' ORDER BY ord"); + $q->execute(); echo ""; - while($r=mysql_fetch_object($q)) + while($r=$q->fetch(PDO::FETCH_OBJ)) { echo ""; echo ""; diff --git a/config/signaturepage.php b/config/signaturepage.php index 5a638f7..6091f1e 100644 --- a/config/signaturepage.php +++ b/config/signaturepage.php @@ -49,9 +49,9 @@ } echo "Preview your signature form as a PDF (as a student would see it)
    "; - -$q=mysql_query("SELECT * FROM signaturepage WHERE name='exhibitordeclaration'"); -$r=mysql_fetch_object($q); +$q = $pdo->prepare("SELECT * FROM signaturepage WHERE name='exhibitordeclaration'"); +$q->execute(); +$r=$q->fetch(PDO::FETCH_OBJ); echo ""; echo "\n"; if($r->use) $ch="checked=\"checked\""; else $ch=""; @@ -61,8 +61,9 @@ echo "
    ".i18n("Ord")."".i18n("Question")."".i18n("Type")."".i18n("Required")."".i18n("Actions")."
    $r->ord