diff --git a/admin/award_awardcreatedivisional.php b/admin/award_awardcreatedivisional.php index 449619a2..62e8c3c8 100644 --- a/admin/award_awardcreatedivisional.php +++ b/admin/award_awardcreatedivisional.php @@ -44,19 +44,19 @@ else if (get_value_from_array($_POST, 'award_types_id')) // first, we can only do this if we dont have any type=divisional awards created yet -$q = $pdo->prepare("SELECT COUNT(id) AS num FROM award_awards WHERE award_types_id='1' AND year='{$config['FAIRYEAR']}'"); -$q->execute(); +$q = $pdo->prepare("SELECT COUNT(id) AS num FROM award_awards WHERE award_types_id='1' AND year=?"); +$q->execute([$config['FAIRYEAR']]); $r = $q->fetch(PDO::FETCH_OBJ); if ($r->num) { echo error(i18n('%1 Divisional awards already exist. There must not be any divisional awards in order to run this wizard', array($r->num))); } else { - $q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY id"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year=? ORDER BY id"); + $q->execute([$config['FAIRYEAR']]); while ($r = $q->fetch(PDO::FETCH_OBJ)) $div[$r->id] = $r->division; - $q = $pdo->prepare("SELECT * FROM projectcategories WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY id"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM projectcategories WHERE year=? ORDER BY id"); + $q->execute([$config['FAIRYEAR']]); while ($r = $q->fetch(PDO::FETCH_OBJ)) $cat[$r->id] = $r->category; 
@@ -64,8 +64,8 @@ if ($r->num) { $ckeys = array_keys($cat); if ($config['filterdivisionbycategory'] == 'yes') { - $q = $pdo->prepare("SELECT * FROM projectcategoriesdivisions_link WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY projectdivisions_id,projectcategories_id"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM projectcategoriesdivisions_link WHERE year=? ORDER BY projectdivisions_id,projectcategories_id"); + $q->execute([$config['FAIRYEAR']]); $divcat = array(); while ($r = $q->fetch(PDO::FETCH_OBJ)) { $divcat[] = array('c' => $r->projectcategories_id, 'd' => $r->projectdivisions_id); @@ -110,22 +110,22 @@ if ($r->num) { echo i18n('Creating %1 - %2', array($c_category, $d_division)) . '
'; $q = $pdo->prepare("INSERT INTO award_awards (sponsors_id,award_types_id,name,criteria,`order`,year) VALUES ( - '{$_GET['sponsors_id']}', + ?, '1', - '$c_category - $d_division', + ?-?, '" . i18n('Best %1 projects in the %2 division', array($c_category, $d_division)) . "', - '$ord', - '{$config['FAIRYEAR']}' + ?, + ? )"); - $q->execute(); + $q->execute([$_GET['sponsors_id'],$c_category,$d_division,$ord, $config['FAIRYEAR']]); show_pdo_errors_if_any($pdo); $award_awards_id = $pdo->lastInsertId(); - $q = $pdo->prepare("INSERT INTO award_awards_projectcategories (award_awards_id,projectcategories_id,year) VALUES ('$award_awards_id','$c_id','{$config['FAIRYEAR']}')"); - $q->execute(); + $q = $pdo->prepare("INSERT INTO award_awards_projectcategories (award_awards_id,projectcategories_id,year) VALUES (?,?,?"); + $q->execute([$award_awards_id,$c_id,$config['FAIRYEAR']]); - $q = $pdo->prepare("INSERT INTO award_awards_projectdivisions (award_awards_id,projectdivisions_id,year) VALUES ('$award_awards_id','$d_id','{$config['FAIRYEAR']}')"); - $q->execute(); + $q = $pdo->prepare("INSERT INTO award_awards_projectdivisions (award_awards_id,projectdivisions_id,year) VALUES (?,?,?)"); + $q->execute([$award_awards_id,$d_id,$config['FAIRYEAR']]); $ord++; echo '  ' . i18n('Prizes: '); diff --git a/admin/award_awards.php b/admin/award_awards.php index 08028650..800b728d 100644 --- a/admin/award_awards.php +++ b/admin/award_awards.php @@ -33,8 +33,8 @@ $_GET['action'] = $_GET['action'] ?? ''; switch ($_GET['action']) { case 'awardinfo_load': $id = intval(get_value_from_array($_GET, 'id')); - $q = $pdo->prepare("SELECT * FROM award_awards WHERE id='$id'"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM award_awards WHERE id=?"); + $q->execute([$id]); $ret = $q->fetch(PDO::FETCH_ASSOC); // json_encode NEEDS UTF8 DATA, but we store it in the database as ISO :( 
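Review bot: The name column in the award_awards INSERT is now written as `?-?`, which MySQL evaluates as a subtraction of the two bound strings instead of the original `"$c_category - $d_division"` text, so every generated divisional award gets a numeric name (or a strict-mode error); use `CONCAT(?, ' - ', ?)` in the VALUES list or build the name in PHP and bind it as one `?`. The award_awards_projectcategories INSERT below it is missing the closing parenthesis after `VALUES (?,?,?`, so that statement cannot be prepared/executed, and with no show_pdo_errors_if_any() after it the failure is silent. The criteria value is still spliced into the SQL by string-concatenating the i18n() output of `$c_category`/`$d_division` (values read back from the database), so this statement is only partially parameterized; binding criteria with its own `?` finishes the job. The enclosing foreach over categories/divisions starts and ends outside the hunk.
```php
$criteria = i18n('Best %1 projects in the %2 division', array($c_category, $d_division));
$q = $pdo->prepare("INSERT INTO award_awards (sponsors_id,award_types_id,name,criteria,`order`,year)
    VALUES (?, '1', CONCAT(?, ' - ', ?), ?, ?, ?)");
// sponsors_id is a request value; cast it so a non-numeric id cannot reach the FK column
$q->execute([intval($_GET['sponsors_id']), $c_category, $d_division, $criteria, $ord, $config['FAIRYEAR']]);
show_pdo_errors_if_any($pdo);
$award_awards_id = $pdo->lastInsertId();
$q = $pdo->prepare("INSERT INTO award_awards_projectcategories (award_awards_id,projectcategories_id,year) VALUES (?,?,?)");
$q->execute([$award_awards_id, $c_id, $config['FAIRYEAR']]);
show_pdo_errors_if_any($pdo);
// … unchanged: award_awards_projectdivisions insert, $ord++, prize output …
```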
@@ -57,8 +57,8 @@ switch ($_GET['action']) { if ($id == -1) { $q = $pdo->prepare("INSERT INTO award_awards (year,self_nominate,schedule_judges) - VALUES ('{$config['FAIRYEAR']}','yes','yes')"); - $q->execute(); + VALUES (?,'yes','yes')"); + $q->execute([$config['FAIRYEAR']]); $id = $pdo->lastInsertId(); happy_('Award Created'); /* Set the award_id in the client */ @@ -83,9 +83,9 @@ switch ($_GET['action']) { criteria='" . iconv('UTF-8', 'ISO-8859-1', stripslashes($_POST['criteria'])) . "', sponsors_id='" . intval($_POST['sponsors_id']) . "' "; } - $q .= "WHERE id='$id'"; + $q .= "WHERE id=?"; $q = $pdo->prepare($q); - $q->execute(); + $q->execute([$id]); print_r($_POST); echo $q; show_pdo_errors_if_any($pdo); @@ -97,15 +97,15 @@ switch ($_GET['action']) { // select the current categories that this award is linked to $ret = array('categories' => array(), 'divisions' => array()); - $q = $pdo->prepare("SELECT * FROM award_awards_projectcategories WHERE award_awards_id='$id'"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM award_awards_projectcategories WHERE award_awards_id=?"); + $q->execute([$id]); while ($r = $q->fetch(PDO::FETCH_ASSOC)) { $ret['categories'][] = $r['projectcategories_id']; } // select the current categories that this award is linked to - $q = $pdo->$prepare("SELECT * FROM award_awards_projectdivisions WHERE award_awards_id='$id'"); - $q->execute(); + $q = $pdo->$prepare("SELECT * FROM award_awards_projectdivisions WHERE award_awards_id=?"); + $q->execute([$id]); while ($r = $q->fetch(PDO::FETCH_ASSOC)) { $ret['divisions'][] = $r['projectdivisions_id']; } 
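Review bot: Only the WHERE clause of the award_awards UPDATE in the -83 hunk is parameterized; the SET clauses visible as context right above it still splice `stripslashes($_POST['criteria'])` and `intval($_POST['sponsors_id'])` into the SQL string, so the request-supplied criteria (and presumably the other text fields assembled above the hunk) remain a direct SQL injection path. Build the SET clauses with placeholders and accumulate the values next to the id, e.g. `$q .= "criteria=?, sponsors_id=? "; $params[] = iconv('UTF-8', 'ISO-8859-1', stripslashes($_POST['criteria'])); $params[] = intval($_POST['sponsors_id']);` and then `$q .= "WHERE id=?"; $params[] = $id; $q = $pdo->prepare($q); $q->execute($params);`. The `print_r($_POST); echo $q;` lines kept after the execute dump the request body into the response, and `echo` on a PDOStatement will most likely throw under PHP 8, so both should be removed. The statement assembly begins outside the hunk.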
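Review bot: The rewritten divisions query in the -97 hunk keeps `$pdo->$prepare(...)`, a variable-method call on the undefined `$prepare`, so it throws at runtime and `$ret['divisions']` is never populated for awardinfo_load; change the line to `$q = $pdo->prepare("SELECT * FROM award_awards_projectdivisions WHERE award_awards_id=?");`. The comment above that query still says "categories" although it selects divisions, a copy-paste leftover worth fixing in the same line, e.g. `// select the current divisions that this award is linked to`.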
@@ -122,8 +122,8 @@ switch ($_GET['action']) { } // wipe out any old award-category links - $q = $pdo->prepare("DELETE FROM award_awards_projectcategories WHERE award_awards_id='$id'"); - $q->execute(); + $q = $pdo->prepare("DELETE FROM award_awards_projectcategories WHERE award_awards_id=?"); + $q->execute([$id]); foreach ($_POST['categories'] AS $key => $cat) { $c = intval($cat); $q = $pdo->prepare('INSERT INTO award_awards_projectcategories (award_awards_id, projectcategories_id, year) @@ -133,13 +133,13 @@ switch ($_GET['action']) { $q->bindParam(':c', $c, PDO::PARAM_INT); $q->bindParam(':year', $config['FAIRYEAR'], PDO::PARAM_INT); - $q->execute(); + $q->execute([]); } // wipe out any old award-divisions links - $q = $pdo->prepare("DELETE FROM award_awards_projectdivisions WHERE award_awards_id='$id'"); - $q->execute(); + $q = $pdo->prepare("DELETE FROM award_awards_projectdivisions WHERE award_awards_id=?"); + $q->execute([$id]); // now add the new ones foreach ($_POST['divisions'] AS $key => $div) { @@ -165,8 +165,8 @@ switch ($_GET['action']) { continue; $order++; - $q = $pdo->prepare("UPDATE `award_prizes` SET `order`='$order' WHERE `id`='$id'"); - $q->execute(); + $q = $pdo->prepare("UPDATE `award_prizes` SET `order`=? WHERE `id`=?"); + $q->execute([$order, $id]); } // print_r($_GET); happy_('Order Updated.'); @@ -179,8 +179,8 @@ switch ($_GET['action']) { continue; $order++; - $q = $pdo->prepare("UPDATE `award_awards` SET `order`='$order' WHERE `id`='$id'"); - $q->execute(); + $q = $pdo->prepare("UPDATE `award_awards` SET `order`=? WHERE `id`=?"); + $q->execute([$order, $id]); } happy_('Order updated'); exit; 
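Review bot: `$q->execute([]);` in the categories loop of the -133 hunk replaces the bare `$q->execute();` even though the statement's values are attached with `bindParam(':c', ...)`, `bindParam(':year', ...)` and the award-id binding above the hunk; passing an array to execute() makes PDO discard previously bound parameters, so this call is likely to fail with a parameter-count mismatch and no category link is written after the DELETE that precedes it. Restore `$q->execute();` here, or drop the bindParam calls and pass a named array whose keys match the placeholders in the prepare (the prepare line starts outside this hunk, so verify the names). The divisions loop below the hunk should be checked for the same pattern.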
@@ -191,8 +191,8 @@ switch ($_GET['action']) { $q = $pdo->prepare("SELECT * FROM award_prizes WHERE year='-1' AND award_awards_id='0' ORDER BY `order`"); $q->execute(); } else { - $q = $pdo->prepare("SELECT * FROM award_prizes WHERE award_awards_id='$id' ORDER BY `order`"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM award_prizes WHERE award_awards_id=? ORDER BY `order`"); + $q->execute([$id]); } while ($r = $q->fetch(PDO::FETCH_ASSOC)) { foreach ($r AS $k => $v) { @@ -205,8 +205,8 @@ switch ($_GET['action']) { case 'prize_load': $id = intval($_GET['id']); - $q = $pdo->prepare("SELECT * FROM award_prizes WHERE id='$id'"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM award_prizes WHERE id=?"); + $q->execute([$id]); $ret = $q->fetch(PDO::FETCH_ASSOC); foreach ($ret AS $k => $v) { $ret[$k] = iconv('ISO-8859-1', 'UTF-8', $v); @@ -276,8 +276,8 @@ switch ($_GET['action']) { $id = intval($_GET['id']); /* Prepare two lists of fair IDs, for which fairs can upload and download this award */ - $q = $pdo->prepare("SELECT * FROM fairs_awards_link WHERE award_awards_id='$id'"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM fairs_awards_link WHERE award_awards_id=?"); + $q->execute([$id]); $ul = array(); $dl = array(); while ($r = $q->fetch(PDO::FETCH_ASSOC)) { @@ -287,8 +287,8 @@ switch ($_GET['action']) { $dl[$r['fairs_id']] = true; } - $q = $pdo->prepare("SELECT * FROM award_awards WHERE id='$id'"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM award_awards WHERE id=?"); + $q->execute([$id]); $a = $q->fetch(PDO::FETCH_ASSOC); ?>

@@ -354,16 +354,16 @@ switch ($_GET['action']) { /* Now save each one */ - $q = $pdo->prepare("DELETE FROM fairs_awards_link WHERE award_awards_id='$id'"); - $q->execute(); + $q = $pdo->prepare("DELETE FROM fairs_awards_link WHERE award_awards_id=?"); + $q->execute([$id]); show_pdo_errors_if_any($pdo); foreach ($data as $fairs_id => $f) { $dl = ($f['dl'] == true) ? 'yes' : 'no'; $ul = ($f['ul'] == true) ? 'yes' : 'no'; $q = $pdo->prepare("INSERT INTO fairs_awards_link (award_awards_id,fairs_id,download_award,upload_winners) - VALUES ('$id','$fairs_id','$dl','$ul')"); - $q->execute(); + VALUES (?,?,?,?)"); + $q->execute([$id,$fairs_id,$dl,$ul]); show_pdo_errors_if_any($pdo); } $ident = stripslashes($_POST['identifier']); @@ -371,12 +371,12 @@ switch ($_GET['action']) { $mat = intval($_POST['additional_materials']); $w = intval($_POST['register_winners']); - $q = $pdo->prepare("UPDATE award_awards SET external_identifier='$ident', - external_additional_materials='$mat', - external_register_winners='$w', - per_fair='$per_fair' - WHERE id='$id'"); - $q->execute(); + $q = $pdo->prepare("UPDATE award_awards SET external_identifier=?, + external_additional_materials=?, + external_register_winners=?, + per_fair=? + WHERE id=?"); + $q->execute([$ident, $mat,$w],$per_fair,$id); happy_('Feeder Fair information saved'); exit; 
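Review bot: The execute call for the feeder-fair UPDATE in the -371 hunk closes its array after `$w`, so `$per_fair` and `$id` are passed as extra arguments to execute() rather than as bound values; with five `?` placeholders and a three-element array the statement fails (and PHP 8 rejects the surplus arguments), so external_identifier, external_additional_materials, external_register_winners and per_fair are never saved while `happy_('Feeder Fair information saved')` still reports success. Change it to `$q->execute([$ident, $mat, $w, $per_fair, $id]);` and add `show_pdo_errors_if_any($pdo);` after it, as the two statements earlier in the hunk already do. `$per_fair` is assigned outside the hunk, so its value cannot be confirmed from here.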
@@ -729,8 +729,8 @@ while ($sr = $sq->fetch(PDO::FETCH_OBJ)) { : prepare("SELECT id,type FROM award_types WHERE year='{$config['FAIRYEAR']}' ORDER BY type"); -$tq->execute(); +$tq = $pdo->prepare("SELECT id,type FROM award_types WHERE year=? ORDER BY type"); +$tq->execute([$config['FAIRYEAR']]); echo '\n"; + $months = array('', 'Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun', 'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec'); + echo '\n"; + for ($x = 1; $x <= 12; $x++) { + if ($x == $selected) + $s = 'selected="selected"'; + else + $s = ''; + echo "\n"; + } - echo "\n"; - } + echo "\n"; +} - function emit_day_selector($name, $selected = '') - { - echo "\n"; + echo '\n"; - for ($x = 1; $x <= 31; $x++) - echo '\n"; + for ($x = 1; $x <= 31; $x++) + echo '\n"; - echo "\n"; - } + echo "\n"; +} - function emit_year_selector($name, $selected = '', $min = 0, $max = 0) - { - $curyear = date('Y'); - echo "\n"; + echo '\n"; - if ($min && $max) { - for ($x = $min; $x <= $max; $x++) - echo "\n"; - } else { - // if we arent given a min and max, lets show current year + 5 - for ($x = $curyear; $x < $curyear + 5; $x++) - echo "\n"; - } - echo "\n"; - } + if ($min && $max) { + for ($x = $min; $x <= $max; $x++) + echo "\n"; + } else { + // if we arent given a min and max, lets show current year + 5 + for ($x = $curyear; $x < $curyear + 5; $x++) + echo "\n"; + } + echo "\n"; +} - function emit_date_selector($name, $selected = '') - { - if ($selected) { - list($year, $month, $day) = explode('-', $selected); - } - echo ''; - echo ''; - echo '
'; - emit_year_selector($name . '_year', $year); - echo ''; - emit_month_selector($name . '_month', $month); - echo ''; - emit_day_selector($name . '_day', $day); - echo '
'; - } +function emit_date_selector($name, $selected = '') +{ + if ($selected) { + list($year, $month, $day) = explode('-', $selected); + } + echo ''; + echo ''; + echo '
'; + emit_year_selector($name . '_year', $year); + echo ''; + emit_month_selector($name . '_month', $month); + echo ''; + emit_day_selector($name . '_day', $day); + echo '
'; +} - function emit_hour_selector($name, $selected = '') - { - if ($selected != '') - $selected = (int) $selected; - echo "\n"; + echo "\n"; - for ($x = 0; $x <= 23; $x++) { - if ($x === $selected) - $sel = 'selected'; - else - $sel = ''; - echo "\n"; - } + for ($x = 0; $x <= 23; $x++) { + if ($x === $selected) + $sel = 'selected'; + else + $sel = ''; + echo "\n"; + } - echo "\n"; - } + echo "\n"; +} - function emit_minute_selector($name, $selected = '') - { - $mins = array('00', '05', '10', '15', '20', '25', '30', '35', '40', '45', '50', '55'); - echo "\n"; + echo "\n"; - for ($x = 0; $x < count($mins); $x++) - echo '\n"; + for ($x = 0; $x < count($mins); $x++) + echo '\n"; - echo "\n"; - } + echo "\n"; +} - function emit_time_selector($name, $selected = '') - { - global $hour; - global $minute; - if ($selected) { - list($hour, $minute, $second) = explode(':', $selected); - } - echo ''; - echo ''; - echo '
'; - emit_hour_selector($name . '_hour', $hour); - echo ''; - emit_minute_selector($name . '_minute', $minute); - echo '
'; - } +function emit_time_selector($name, $selected = '') +{ + global $hour; + global $minute; + if ($selected) { + list($hour, $minute, $second) = explode(':', $selected); + } + echo ''; + echo ''; + echo '
'; + emit_hour_selector($name . '_hour', $hour); + echo ''; + emit_minute_selector($name . '_minute', $minute); + echo '
'; +} - function emit_province_selector($name, $selected = '', $extra = '') - { - global $config; +function emit_province_selector($name, $selected = '', $extra = '') +{ + global $config; - global $pdo; - $q = $pdo->prepare("SELECT * FROM provinces WHERE countries_code='" . $config['country'] . "' ORDER BY province"); - $q->execute(); + global $pdo; + $q = $pdo->prepare('SELECT * FROM provinces WHERE countries_code=? ORDER BY province'); + $q->execute([$config['country']]); - if ($q->rowCount() == 1) { - $r = $q->fetch(PDO::FETCH_OBJ); + if ($q->rowCount() == 1) { + $r = $q->fetch(PDO::FETCH_OBJ); - echo "code\">"; - echo i18n($r->province); - } else { - echo "code\">"; + echo i18n($r->province); + } else { + echo "\n"; - } - } + echo "\n"; + } +} - function outputStatus($status) - { - $ret = ''; - switch ($status) { - case 'incomplete': - $ret .= '
'; - $ret .= i18n('Incomplete'); - $ret .= '
'; - break; - case 'complete': - $ret .= '
'; - $ret .= i18n('Complete'); - $ret .= '
'; - break; - case 'empty': - $ret .= '
'; - $ret .= i18n('Empty'); - $ret .= '
'; - break; +function outputStatus($status) +{ + $ret = ''; + switch ($status) { + case 'incomplete': + $ret .= '
'; + $ret .= i18n('Incomplete'); + $ret .= '
'; + break; + case 'complete': + $ret .= '
'; + $ret .= i18n('Complete'); + $ret .= '
'; + break; + case 'empty': + $ret .= '
'; + $ret .= i18n('Empty'); + $ret .= '
'; + break; - default: - $ret .= i18n('Unknown'); - break; - } - return $ret; - } + default: + $ret .= i18n('Unknown'); + break; + } + return $ret; +} - // returns true if its a valid email address, false if its not - function isEmailAddress($str) - { - if (preg_match('/^[+a-zA-Z0-9._-]+@[a-zA-Z0-9._-]+\.([a-zA-Z]{2,4})$/i', $str)) - return true; - else - return false; - } +// returns true if its a valid email address, false if its not +function isEmailAddress($str) +{ + if (preg_match('/^[+a-zA-Z0-9._-]+@[a-zA-Z0-9._-]+\.([a-zA-Z]{2,4})$/i', $str)) + return true; + else + return false; +} - function communication_get_user_replacements(&$u) - { - global $config; - $rep = array( - 'FAIRNAME' => $config['fairname'], - 'NAME' => $u['name'], - 'EMAIL' => $u['email'], - 'PASSWORD' => $u['password'], - 'SALUTATION' => $u['salutation'], - 'FIRSTNAME' => $u['firstname'], - 'LASTNAME' => $u['lastname'], - 'ORGANIZATION' => $u['sponsor']['organization'], - ); - return $rep; - } +function communication_get_user_replacements(&$u) +{ + global $config; + $rep = array( + 'FAIRNAME' => $config['fairname'], + 'NAME' => $u['name'], + 'EMAIL' => $u['email'], + 'PASSWORD' => $u['password'], + 'SALUTATION' => $u['salutation'], + 'FIRSTNAME' => $u['firstname'], + 'LASTNAME' => $u['lastname'], + 'ORGANIZATION' => $u['sponsor']['organization'], + ); + return $rep; +} - function communication_replace_vars($text, &$u, $otherrep = array()) - { - global $config; - if ($u) { - $userrep = communication_get_user_replacements($u); - } else { - $userrep = array(); - } +function communication_replace_vars($text, &$u, $otherrep = array()) +{ + global $config; + if ($u) { + $userrep = communication_get_user_replacements($u); + } else { + $userrep = array(); + } - $rep = array_merge($userrep, $otherrep); - foreach ($rep as $k => $v) { - $text = preg_replace("\[$k\]", $v, $text); - } - return $text; - } + $rep = array_merge($userrep, $otherrep); + foreach ($rep as $k => $v) { + $text = 
preg_replace("\[$k\]", $v, $text); + } + return $text; +} - function email_send($val, $to, $sub_subject = array(), $sub_body = array()) - { - global $config, $pdo; +function email_send($val, $to, $sub_subject = array(), $sub_body = array()) +{ + global $config, $pdo; - /* + /* * Standard substitutions that are constant no matter who * the $to is */ - $urlproto = $_SERVER['SERVER_PORT'] == 443 ? 'https://' : 'http://'; - $urlmain = "$urlproto{$_SERVER['HTTP_HOST']}{$config['SFIABDIRECTORY']}"; - $urllogin = "$urlmain/login.php"; - $stdsub = array( - 'FAIRNAME' => i18n($config['fairname']), - 'URLMAIN' => $urlmain, - 'URLLOGIN' => $urllogin, - ); - /* Add standard subs to existing sub arrays */ - $sub_subject = array_merge($sub_subject, $stdsub); - $sub_body = array_merge($sub_body, $stdsub); + $urlproto = $_SERVER['SERVER_PORT'] == 443 ? 'https://' : 'http://'; + $urlmain = "$urlproto{$_SERVER['HTTP_HOST']}{$config['SFIABDIRECTORY']}"; + $urllogin = "$urlmain/login.php"; + $stdsub = array( + 'FAIRNAME' => i18n($config['fairname']), + 'URLMAIN' => $urlmain, + 'URLLOGIN' => $urllogin, + ); + /* Add standard subs to existing sub arrays */ + $sub_subject = array_merge($sub_subject, $stdsub); + $sub_body = array_merge($sub_body, $stdsub); - // if our "to" doesnt look like a valid email, then forget about sending it. 
- if (!isEmailAddress($to)) { - return false; - } - - $q = $pdo->prepare("SELECT * FROM emails WHERE val='$val'"); - if ($r = $q->fetch(PDO::FETCH_ASSOC)) { - // we dont want to translate these, the messages themselves shoudl contain whatever languages they need - $subject = $r->subject; - $body = $r->body; - $bodyhtml = $r->bodyhtml; - - /* Eventually we should just do this with communication_replace_vars() */ - if (count($sub_subject)) { - foreach ($sub_subject as $sub_k => $sub_v) { - $subject = preg_replace("\[$sub_k\]", "$sub_v", $subject); - } - } - if (count($sub_body)) { - foreach ($sub_body as $sub_k => $sub_v) { - $body = preg_replace("\[$sub_k\]", "$sub_v", $body); - } - } - - if (count($sub_body)) { - foreach ($sub_body as $sub_k => $sub_v) { - $bodyhtml = preg_replace("\[$sub_k\]", "$sub_v", $bodyhtml); - } - } - - if ($r->from) - $fr = $r->from; - else if ($config['fairmanageremail']) - $fr = $config['fairmanageremail']; - else - $fr = ''; - - // only send the email if we have a from - if ($fr) { - // send using RMail - // FIXME EMAIL - ////email_send_new($to, $fr, $subject, $body, $bodyhtml); - } else - echo error(i18n("CRITICAL ERROR: email '%1' does not have a 'From' and the Fair Manager Email is not configured", array($val), array('email key name'))); - } else { - echo error(i18n("CRITICAL ERROR: email '%1' not found", array($val), array('email key name'))); - } - } - - /*require_once("Rmail/Rmail.php"); -require_once("Rmail/RFC822.php"); - -// this sends out an all-ready-to-go email, it does no substitution or changes or database lookups or anything -function email_send_new($to, $from, $subject, $body, $bodyhtml = '') -{ - $mail = new RMail(); - $mail->setFrom($from); - $mail->setSubject($subject); - $mail->setText($body); - - $r = new Mail_RFC822($from); - $structure = $r->parseAddressList($from); - $s = $structure[0]; - $ret = sprintf('%s@%s', $s->mailbox, $s->host); - $mail->setReturnPath($ret); - $mail->setHeader('Bounce-To', $ret); - - // 
only add the html if we have it - if ($bodyhtml) { - $mail->setHTML($bodyhtml); + // if our "to" doesnt look like a valid email, then forget about sending it. + if (!isEmailAddress($to)) { + return false; } - if (is_array($to)) { - return $mail->send($to); + $q = $pdo->prepare('SELECT * FROM emails WHERE val=?'); + if ($r = $q->fetch(PDO::FETCH_ASSOC)) { + // we dont want to translate these, the messages themselves shoudl contain whatever languages they need + $subject = $r->subject; + $body = $r->body; + $bodyhtml = $r->bodyhtml; + + /* Eventually we should just do this with communication_replace_vars() */ + if (count($sub_subject)) { + foreach ($sub_subject as $sub_k => $sub_v) { + $subject = preg_replace("\[$sub_k\]", "$sub_v", $subject); + } + } + if (count($sub_body)) { + foreach ($sub_body as $sub_k => $sub_v) { + $body = preg_replace("\[$sub_k\]", "$sub_v", $body); + } + } + + if (count($sub_body)) { + foreach ($sub_body as $sub_k => $sub_v) { + $bodyhtml = preg_replace("\[$sub_k\]", "$sub_v", $bodyhtml); + } + } + + if ($r->from) + $fr = $r->from; + else if ($config['fairmanageremail']) + $fr = $config['fairmanageremail']; + else + $fr = ''; + + // only send the email if we have a from + if ($fr) { + // send using RMail + // FIXME EMAIL + // //email_send_new($to, $fr, $subject, $body, $bodyhtml); + } else + echo error(i18n("CRITICAL ERROR: email '%1' does not have a 'From' and the Fair Manager Email is not configured", array($val), array('email key name'))); } else { - return $mail->send(array($to)); + echo error(i18n("CRITICAL ERROR: email '%1' not found", array($val), array('email key name'))); } } -*/ +/* + * require_once("Rmail/Rmail.php"); + * require_once("Rmail/RFC822.php"); + * + * // this sends out an all-ready-to-go email, it does no substitution or changes or database lookups or anything + * function email_send_new($to, $from, $subject, $body, $bodyhtml = '') + * { + * $mail = new RMail(); + * $mail->setFrom($from); + * 
$mail->setSubject($subject); + * $mail->setText($body); + * + * $r = new Mail_RFC822($from); + * $structure = $r->parseAddressList($from); + * $s = $structure[0]; + * $ret = sprintf('%s@%s', $s->mailbox, $s->host); + * $mail->setReturnPath($ret); + * $mail->setHeader('Bounce-To', $ret); + * + * // only add the html if we have it + * if ($bodyhtml) { + * $mail->setHTML($bodyhtml); + * } + * + * if (is_array($to)) { + * return $mail->send($to); + * } else { + * return $mail->send(array($to)); + * } + * } + */ - /* +/* * returns an array of arrays * [ 0 ] = array ( to, firstname, lastname, email ) * [ 1 ] = array ( to, firstname, lastname, email ) * ...etc */ - function getEmailRecipientsForRegistration($reg_id) - { - global $config, $pdo; - // okay first grab the registration record, to see if we should email the kids, the teacher, and/or the parents - $q = $pdo->prepare("SELECT * FROM registrations WHERE id='$reg_id' AND year='{$config['FAIRYEAR']}'"); - $q->execute(); - $registration = $q->fetch(); +function getEmailRecipientsForRegistration($reg_id) +{ + global $config, $pdo; + // okay first grab the registration record, to see if we should email the kids, the teacher, and/or the parents + $q = $pdo->prepare('SELECT * FROM registrations WHERE id=? 
AND year=?'); + $q->execute([$reg_id, $config['FAIRYEAR']]); + $registration = $q->fetch(); - if ($registration->emailcontact && isEmailAddress($registration->emailcontact)) { - $ret[] = array( - 'to' => $registration->emailcontact, - 'firstname' => '', - 'lastname' => '', - 'email' => $registration->emailcontact, - ); - } + if ($registration->emailcontact && isEmailAddress($registration->emailcontact)) { + $ret[] = array( + 'to' => $registration->emailcontact, + 'firstname' => '', + 'lastname' => '', + 'email' => $registration->emailcontact, + ); + } - $sq = $pdo->prepare("SELECT * FROM students WHERE registrations_id='$reg_id' AND year='{$config['FAIRYEAR']}'"); - $sq->execute(); - $ret = array(); - while ($sr = $sq->fetch()) { - if ($sr->email && isEmailAddress($sr->email)) { - $to = $sr->email; + $sq = $pdo->prepare('SELECT * FROM students WHERE registrations_id=? AND year=?'); + $sq->execute([$reg_id, $config['FAIRYEAR']]); + $ret = array(); + while ($sr = $sq->fetch()) { + if ($sr->email && isEmailAddress($sr->email)) { + $to = $sr->email; - $ret[] = array( - 'to' => $to, - 'firstname' => $sr->firstname, - 'lastname' => $sr->lastname, - 'email' => $sr->email, - ); - } - } - return $ret; - } + $ret[] = array( + 'to' => $to, + 'firstname' => $sr->firstname, + 'lastname' => $sr->lastname, + 'email' => $sr->email, + ); + } + } + return $ret; +} - function output_page_text($textname) - { - global $config; - global $pdo; +function output_page_text($textname) +{ + global $config; + global $pdo; - $q = $pdo->prepare("SELECT * FROM pagetext WHERE textname='$textname' AND year='" . $config['FAIRYEAR'] . "' AND lang='" . $_SESSION['lang'] . "'"); - $q->execute(); - if ($q->rowCount()) - $r = $q->fetch(); - else { - // not defined, lets grab the default text - $q = $pdo->prepare("SELECT * FROM pagetext WHERE textname='$textname' AND year='-1' AND lang='" . $config['default_language'] . 
"'"); - $q->execute(); - $r = $q->fetch(); - } + $q = $pdo->prepare("SELECT * FROM pagetext WHERE textname=? AND year=? AND lang=?"); + $q->execute([$textname, $config['FAIRYEAR'], $_SESSION['lang']]); + if ($q->rowCount()) + $r = $q->fetch(); + else { + // not defined, lets grab the default text + $q = $pdo->prepare("SELECT * FROM pagetext WHERE textname=? AND year='-1' AND lang=?"); + $q->execute([ + $textname, $config['default_language'] + ]); + $r = $q->fetch(); + } - // if it looks like we have HTML content, dont do a nl2br, if there's no html, then do the nl2br - if (get_value_property_or_default($r, 'text') !== null and strlen($r->text) == strlen(strip_tags($r->text))) - echo nl2br($r->text); - else - echo get_value_property_or_default($r, 'text'); - } + // if it looks like we have HTML content, dont do a nl2br, if there's no html, then do the nl2br + if (get_value_property_or_default($r, 'text') !== null and strlen($r->text) == strlen(strip_tags($r->text))) + echo nl2br($r->text); + else + echo get_value_property_or_default($r, 'text'); +} - function output_page_cms($filename) - { - global $config; - global $pdo; +function output_page_cms($filename) +{ + global $config; + global $pdo; - $q = $pdo->prepare("SELECT * FROM cms WHERE filename='" . $filename . "' AND lang='" . $_SESSION['lang'] . "' ORDER BY dt DESC LIMIT 1"); - $q->execute(); - if ($q->rowCount()) { - $r = $q->fetch(); - send_header($r['title'], null, null, true); + $q = $pdo->prepare("SELECT * FROM cms WHERE filename=? AND lang=? 
ORDER BY dt DESC LIMIT 1"); + $q->execute([$filename, $_SESSION['lang']]); + if ($q->rowCount()) { + $r = $q->fetch(); + send_header($r['title'], null, null, true); - if (file_exists('data/logo-200.gif') && $r['showlogo'] == 1) - echo ''; + if (file_exists('data/logo-200.gif') && $r['showlogo'] == 1) + echo ''; - // if it looks like we have HTML content, dont do a nl2br, if there's no html, then do the nl2br - if ($r['text'] !== null and strlen($r['text']) == strlen(strip_tags($r['text']))) - echo nl2br($r['text']); - else - echo $r['text']; - } else { - send_header('Error: File not found'); - echo error(i18n('The file you have requested (%1), does not exist on the server.', array($filename))); - return; - // not defined, lets grab the default text - } + // if it looks like we have HTML content, dont do a nl2br, if there's no html, then do the nl2br + if ($r['text'] !== null and strlen($r['text']) == strlen(strip_tags($r['text']))) + echo nl2br($r['text']); + else + echo $r['text']; + } else { + send_header('Error: File not found'); + echo error(i18n('The file you have requested (%1), does not exist on the server.', array($filename))); + return; + // not defined, lets grab the default text + } - send_footer(); - } + send_footer(); +} // config specific warning function config_warnings() {} - // admin specific warnings - function admin_warnings() {} +// admin specific warnings +function admin_warnings() {} - // warnings to show to both config and/or admin people - function committee_warnings() - { - global $config, $pdo; - // it is vital that each year the system be rolled over before we start it again - // we should do this, say, 4 months after the FAIRDATE, so its soon enough that they should see - // the message as soon as they login to start preparing for hte new year, but not too late to do it - // properly :) +// warnings to show to both config and/or admin people +function committee_warnings() +{ + global $config, $pdo; + // it is vital that each year the 
system be rolled over before we start it again + // we should do this, say, 4 months after the FAIRDATE, so its soon enough that they should see + // the message as soon as they login to start preparing for hte new year, but not too late to do it + // properly :) - $q = $pdo->prepare("SELECT DATE_ADD('" . $config['dates']['fairdate'] . "', INTERVAL 4 MONTH) < NOW() AS rollovercheck"); - $q->execute(); + $q = $pdo->prepare('SELECT DATE_ADD(?, INTERVAL 4 MONTH) < NOW() AS rollovercheck'); + $q->execute([$config['dates']['fairdate']]); - $r = $q->fetch(PDO::FETCH_OBJ); + $r = $q->fetch(PDO::FETCH_OBJ); - // FIXME Clear out Important Dates as part of rollover - if ($r->rollovercheck) { - echo error(i18n("It has been more than 4 months since your fair. In order to prepare the system for the next year's fair, you should go to the SFIAB Configuration page, and click on 'Rollover Fair Year'. Do not start updating the system with new information until the year has been properly rolled over.")); - } + // FIXME Clear out Important Dates as part of rollover + if ($r->rollovercheck) { + echo error(i18n("It has been more than 4 months since your fair. In order to prepare the system for the next year's fair, you should go to the SFIAB Configuration page, and click on 'Rollover Fair Year'. Do not start updating the system with new information until the year has been properly rolled over.")); + } $q = $pdo->prepare('SELECT * FROM award_prizes WHERE `external_identifier` IS NOT NULL AND external_identifier=prize'); - $q->execute(); - if ($q->rowCount() > 0) { - /* + $q->execute(); + if ($q->rowCount() > 0) { + /* * The bug was that the external_identifier was set to the prize name.. 
so only display the warning * if we find that case for a non-sfiab external fair */ while (($p = $q->fetch(PDO::FETCH_ASSOC))) { $qq = $pdo->prepare("SELECT * FROM award_awards LEFT JOIN fairs ON fairs.id=award_awards.award_source_fairs_id - WHERE award_awards.id='{$p['award_awards_id']}' - AND year='{$config['FAIRYEAR']}' + WHERE award_awards.id=? + AND year=? AND award_awards.award_source_fairs_id IS NOT NULL AND fairs.type='ysc' "); - $qq->execute(); + $qq->execute([$p['award_awards_id'], $config['FAIRYEAR']]); } } } - $CWSFDivisions = array( - 1 => 'Discovery', - 2 => 'Energy', - 3 => 'Environment', - 4 => 'Health', - 5 => 'Information', - 6 => 'Innovation', - 7 => 'Resources' - ); +$CWSFDivisions = array( + 1 => 'Discovery', + 2 => 'Energy', + 3 => 'Environment', + 4 => 'Health', + 5 => 'Information', + 6 => 'Innovation', + 7 => 'Resources' +); - function theme_icon($icon, $width = 0) - { - global $theme_icons, $config; +function theme_icon($icon, $width = 0) +{ + global $theme_icons, $config; - $w = ($width == 0) ? '' : "width=\"$width\""; - if ($theme_icons['icons'][$icon]) - return "\""'; + $w = ($width == 0) ? 
'' : "width=\"$width\""; + if ($theme_icons['icons'][$icon]) + return "\""'; - return ''; - } + return ''; +} - // $d can be a unix timestamp integer, OR a text string, eg 2008-01-22 - function format_date($d) - { - global $config; - if (is_numeric($d)) - return date($config['dateformat'], $d); - else - return date($config['dateformat'], strtotime($d)); - } +// $d can be a unix timestamp integer, OR a text string, eg 2008-01-22 +function format_date($d) +{ + global $config; + if (is_numeric($d)) + return date($config['dateformat'], $d); + else + return date($config['dateformat'], strtotime($d)); +} - // $t can be a unix timestamp integer, or a text string, eg 10:23:48 - function format_time($t) - { - global $config; - if (is_numeric($t)) - return date($config['timeformat'], $t); - else - return date($config['timeformat'], strtotime($t)); - } +// $t can be a unix timestamp integer, or a text string, eg 10:23:48 +function format_time($t) +{ + global $config; + if (is_numeric($t)) + return date($config['timeformat'], $t); + else + return date($config['timeformat'], strtotime($t)); +} - // $dt can be a unix timestamp integer, or a text string, eg 2008-01-22 10:23:48 - function format_datetime($dt) - { - if (is_numeric($dt)) { - return format_date($dt) . ' ' . i18n('at') . ' ' . format_time($dt); - } else { - list($d, $t) = explode(' ', $dt); - return format_date($d) . ' ' . i18n('at') . ' ' . format_time($t); - } - } +// $dt can be a unix timestamp integer, or a text string, eg 2008-01-22 10:23:48 +function format_datetime($dt) +{ + if (is_numeric($dt)) { + return format_date($dt) . ' ' . i18n('at') . ' ' . format_time($dt); + } else { + list($d, $t) = explode(' ', $dt); + return format_date($d) . ' ' . i18n('at') . ' ' . 
format_time($t); + } +} - function format_money($n, $decimals = true) - { - global $neg; - if ($n < 0) { - $neg = true; - $n = $n * -1; - } - // get the part before the decimal - $before = floor(get_value_or_default($n, 0)); - $out = ''; +function format_money($n, $decimals = true) +{ + global $neg; + if ($n < 0) { + $neg = true; + $n = $n * -1; + } + // get the part before the decimal + $before = floor(get_value_or_default($n, 0)); + $out = ''; - // space it out in blocks of three - for ($x = strlen($before); $x > 3; $x -= 3) { - $out = substr($before, $x - 3, 3) . ' ' . $out; - } - if ($x > 0) - $out = substr($before, 0, $x) . ' ' . $out; + // space it out in blocks of three + for ($x = strlen($before); $x > 3; $x -= 3) { + $out = substr($before, $x - 3, 3) . ' ' . $out; + } + if ($x > 0) + $out = substr($before, 0, $x) . ' ' . $out; - // trim any leading/trailing space that was added - $out = trim($out); + // trim any leading/trailing space that was added + $out = trim($out); - if ($neg) - $negdisp = '-'; - else - $negdisp = ''; + if ($neg) + $negdisp = '-'; + else + $negdisp = ''; - if ($decimals) { - // get everything after the decimal place, and %02f it. - $after = substr(strstr(sprintf('%.02f', $n), '.'), 1); + if ($decimals) { + // get everything after the decimal place, and %02f it. 
+ $after = substr(strstr(sprintf('%.02f', $n), '.'), 1); - // finally display it with the right language localization - if ($_SESSION['lang'] == 'fr') - return sprintf('%s%s,%s $', $negdisp, $out, $after); - else - return sprintf('%s$%s.%s', $negdisp, $out, $after); - } else { - if ($_SESSION['lang'] == 'fr') - return sprintf('%s%s $', $negdisp, $out); - else - return sprintf('%s$%s', $negdisp, $out); - } - } + // finally display it with the right language localization + if ($_SESSION['lang'] == 'fr') + return sprintf('%s%s,%s $', $negdisp, $out, $after); + else + return sprintf('%s$%s.%s', $negdisp, $out, $after); + } else { + if ($_SESSION['lang'] == 'fr') + return sprintf('%s%s $', $negdisp, $out); + else + return sprintf('%s$%s', $negdisp, $out); + } +} - function message_push($m) - { - if (!is_array($_SESSION['messages'])) - $_SESSION['messages'] = array(); - $_SESSION['messages'][] = $m; - } +function message_push($m) +{ + if (!is_array($_SESSION['messages'])) + $_SESSION['messages'] = array(); + $_SESSION['messages'][] = $m; +} - function notice_($str, $i18n_array = array(), $timeout = -1, $type = 'notice') - { - if ($timeout == -1) - $timeout = 5000; - echo ""; - } +} - function happy_($str, $i18n_array = array(), $timeout = -1) - { - notice_($str, $i18n_array, $timeout, 'happy'); - } +function happy_($str, $i18n_array = array(), $timeout = -1) +{ + notice_($str, $i18n_array, $timeout, 'happy'); +} - function error_($str, $i18n_array = array(), $timeout = -1) - { - notice_($str, $i18n_array, $timeout, 'error'); - } +function error_($str, $i18n_array = array(), $timeout = -1) +{ + notice_($str, $i18n_array, $timeout, 'error'); +} - function debug_($str) - { - if (get_value_from_array($_SESSION, 'debug') != true) - return; - $s = str_replace("\n", '', nl2br(htmlspecialchars($str))) . '
'; - echo ""; - } +} - // this function returns a HTML colour code ranging between red and green, with yellow in the middle based on the percent passed into it - function colour_to_percent($percent) - { - // 0 is red - // 50 is yellow - // 100 is green +// this function returns a HTML colour code ranging between red and green, with yellow in the middle based on the percent passed into it +function colour_to_percent($percent) +{ + // 0 is red + // 50 is yellow + // 100 is green - if ($percent <= 50) - $red = 255; - else - $red = (100 - $percent) * 2 / 100 * 255;; + if ($percent <= 50) + $red = 255; + else + $red = (100 - $percent) * 2 / 100 * 255; + ; - if ($percent > 50) - $green = 255; - else - $green = ($percent) * 2 / 100 * 255;; + if ($percent > 50) + $green = 255; + else + $green = ($percent) * 2 / 100 * 255; + ; - // echo "red=$red"; - // echo "green=$green"; - $str = '#' . sprintf('%02s', dechex($red)) . sprintf('%02s', dechex($green)) . '00'; - return $str; - } + // echo "red=$red"; + // echo "green=$green"; + $str = '#' . sprintf('%02s', dechex($red)) . sprintf('%02s', dechex($green)) . '00'; + return $str; +} - function format_duration($seconds, $granularity = 2) - { - $units = array( - '1 year|:count years' => 31536000, - '1 week|:count weeks' => 604800, - '1 day|:count days' => 86400, - '1 hour|:count hours' => 3600, - '1 min|:count min' => 60, - '1 sec|:count sec' => 1 - ); - $output = ''; - // $output.=time()." - ".$timestamp." = ".$seconds; - foreach ($units as $key => $value) { - $key = explode('|', $key); - if ($seconds >= $value) { - $count = floor($seconds / $value); - $output .= ($output ? ' ' : ''); - $output .= ($count == 1) ? $key[0] : str_replace(':count', $count, $key[1]); - $seconds %= $value; - $granularity--; - } - if ($granularity == 0) { - break; - } - } - return $output ? 
$output : '0 sec'; - } +function format_duration($seconds, $granularity = 2) +{ + $units = array( + '1 year|:count years' => 31536000, + '1 week|:count weeks' => 604800, + '1 day|:count days' => 86400, + '1 hour|:count hours' => 3600, + '1 min|:count min' => 60, + '1 sec|:count sec' => 1 + ); + $output = ''; + // $output.=time()." - ".$timestamp." = ".$seconds; + foreach ($units as $key => $value) { + $key = explode('|', $key); + if ($seconds >= $value) { + $count = floor($seconds / $value); + $output .= ($output ? ' ' : ''); + $output .= ($count == 1) ? $key[0] : str_replace(':count', $count, $key[1]); + $seconds %= $value; + $granularity--; + } + if ($granularity == 0) { + break; + } + } + return $output ? $output : '0 sec'; +} - function getTextFromHtml($html) - { - // first, replace an

with


- $text = str_replace('

', '


', $html); - // next, replace a with
- $text = str_replace('', '
', $html); - // now replace any
with newlines - $text = preg_replace('', chr(13) . chr(10), $text); - // and strip the rest of the tags - $text = strip_tags($text); +function getTextFromHtml($html) +{ + // first, replace an

with


+ $text = str_replace('

', '


', $html); + // next, replace a with
+ $text = str_replace('', '
', $html); + // now replace any
with newlines + $text = preg_replace('', chr(13) . chr(10), $text); + // and strip the rest of the tags + $text = strip_tags($text); - // a few common html entities - // replace & with & first, so multiply-encoded entities will decode (like "&#160;") - $text = str_replace('&', '&', $text); - $text = str_replace(' ', ' ', $text); - $text = str_replace(' ', ' ', $text); - $text = str_replace('<', '<', $text); - $text = str_replace('>', '>', $text); + // a few common html entities + // replace & with & first, so multiply-encoded entities will decode (like "&#160;") + $text = str_replace('&', '&', $text); + $text = str_replace(' ', ' ', $text); + $text = str_replace(' ', ' ', $text); + $text = str_replace('<', '<', $text); + $text = str_replace('>', '>', $text); - // text version should always wrap at 75 chars, some mail severs wont accept - // mail with very long lines - $text = wordwrap($text, 75, "\n", true); + // text version should always wrap at 75 chars, some mail severs wont accept + // mail with very long lines + $text = wordwrap($text, 75, "\n", true); - return $text; - } + return $text; +} - function getUserForSponsor($sponsor_id) - { - global $pdo; - // loop through each contact and draw a form with their data in it. - $q = $pdo->prepare("SELECT *,MAX(year) FROM users LEFT JOIN users_sponsor ON users_sponsor.users_id=users.id +function getUserForSponsor($sponsor_id) +{ + global $pdo; + // loop through each contact and draw a form with their data in it. + $q = $pdo->prepare("SELECT *,MAX(year) FROM users LEFT JOIN users_sponsor ON users_sponsor.users_id=users.id WHERE - sponsors_id='" . $sponsor_id . "' + sponsors_id=? 
AND types LIKE '%sponsor%' GROUP BY uid HAVING deleted='no' ORDER BY users_sponsor.primary DESC,lastname,firstname LIMIT 1 "); - $q->execute(); - $r = $q->fetch(); - return user_load_by_uid($r->uid); - } + $q->execute([$sponsor_id]); + $r = $q->fetch(); + return user_load_by_uid($r->uid); +} - function projectdivisions_load($year = false) - { - global $config, $pdo; - if ($year == false) - $year = $config['FAIRYEAR']; - $divs = array(); - $q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year='$year'"); - $q->execute(); - while ($d = $q->fetch(PDO::FETCH_ASSOC)) - $divs[$d['id']] = $d; - return $divs; - } +function projectdivisions_load($year = false) +{ + global $config, $pdo; + if ($year == false) + $year = $config['FAIRYEAR']; + $divs = array(); + $q = $pdo->prepare('SELECT * FROM projectdivisions WHERE year=?'); + $q->execute([$year]); + while ($d = $q->fetch(PDO::FETCH_ASSOC)) + $divs[$d['id']] = $d; + return $divs; +} - function projectcategories_load($year = false) - { - global $config, $pdo; - if ($year == false) - $year = $config['FAIRYEAR']; - $cats = array(); - $q = $pdo->prepare("SELECT * FROM projectcategories WHERE year='$year'"); - $q->execute(); - while ($c = $q->fetch(PDO::FETCH_ASSOC)) - $cats[$c['id']] = $c; - return $cats; - } +function projectcategories_load($year = false) +{ + global $config, $pdo; + if ($year == false) + $year = $config['FAIRYEAR']; + $cats = array(); + $q = $pdo->prepare('SELECT * FROM projectcategories WHERE year=?'); + $q->execute([$year]); + while ($c = $q->fetch(PDO::FETCH_ASSOC)) + $cats[$c['id']] = $c; + return $cats; +} - // Converts the numeric value "$val" to an English text representation of it (e.g. "two thousand four"). - // If the "$monetize" flag is set to true, then it's formatted to be useable on printed cheques (e.g. "***** Two Thousand Four 00/100 *****". 
- function wordify($val, $monetize = false) - { - $digits = array('zero', 'one', 'two', 'three', 'four', 'five', 'six', 'seven', 'eight', 'nine'); - if ($monetize) { - $pennies = intval(($val - intval($val)) * 100); - $returnval = 'and ' . sprintf('%02d', $pennies) . '/100'; - } else if ($val != intval($val)) { - $dec = $val - intval($val); - $returnval = 'point'; - while ($dec) { - $dec *= 10; - $returnval .= ' ' . smallIntToText(intval($dec)); - $dec -= intval($dec); - } - } - $val = intval($val); - $powerofthousand = array( - '', - 'Thousand', - 'Million', - 'Billion', - 'trillion', - 'quadrillion' - ); - $n = 0; - if (!$val) { - $returnval = 'Zero ' . $returnval; - } else { - while ($val > 0) { - $sectionVal = $val % 1000; - if ($sectionVal != 0) { - $sectionText = smallIntToText($sectionVal); - if ($powerofthousand[$n] != '') { - $returnval = $sectionText . ' ' . $powerofthousand[$n] . ' ' . $returnval; - } else { - $returnval = $sectionText . ' ' . $returnval; - } - } - $val = intval($val / 1000); - $n++; - } - } - if ($monetize) - $returnval = '***' . $returnval; - return $returnval; - } +// Converts the numeric value "$val" to an English text representation of it (e.g. "two thousand four"). +// If the "$monetize" flag is set to true, then it's formatted to be useable on printed cheques (e.g. "***** Two Thousand Four 00/100 *****". +function wordify($val, $monetize = false) +{ + $digits = array('zero', 'one', 'two', 'three', 'four', 'five', 'six', 'seven', 'eight', 'nine'); + if ($monetize) { + $pennies = intval(($val - intval($val)) * 100); + $returnval = 'and ' . sprintf('%02d', $pennies) . '/100'; + } else if ($val != intval($val)) { + $dec = $val - intval($val); + $returnval = 'point'; + while ($dec) { + $dec *= 10; + $returnval .= ' ' . 
smallIntToText(intval($dec)); + $dec -= intval($dec); + } + } + $val = intval($val); + $powerofthousand = array( + '', + 'Thousand', + 'Million', + 'Billion', + 'trillion', + 'quadrillion' + ); + $n = 0; + if (!$val) { + $returnval = 'Zero ' . $returnval; + } else { + while ($val > 0) { + $sectionVal = $val % 1000; + if ($sectionVal != 0) { + $sectionText = smallIntToText($sectionVal); + if ($powerofthousand[$n] != '') { + $returnval = $sectionText . ' ' . $powerofthousand[$n] . ' ' . $returnval; + } else { + $returnval = $sectionText . ' ' . $returnval; + } + } + $val = intval($val / 1000); + $n++; + } + } + if ($monetize) + $returnval = '***' . $returnval; + return $returnval; +} - // Converts a number between zero and one thousand to Canadian English text - function smallIntToText($number) - { - $number %= 1000; - $rvals = array( - 0 => 'Zero', - 1 => 'One', - 2 => 'Two', - 3 => 'Three', - 4 => 'Four', - 5 => 'Five', - 6 => 'Six', - 7 => 'Seven', - 8 => 'Eight', - 9 => 'Nine', - 10 => 'Ten', - 11 => 'Eleven', - 12 => 'Twelve', - 13 => 'Thirteen', - 14 => 'Fourteen', - 15 => 'Fifteen', - 16 => 'Sixteen', - 17 => 'Seventeen', - 18 => 'Eighteen', - 19 => 'Nineteen', - 20 => 'Twenty', - 30 => 'Thirty', - 40 => 'Forty', - 50 => 'Fifty', - 60 => 'Sixty', - 70 => 'Seventy', - 80 => 'Eighty', - 90 => 'Ninety', - ); - if (array_key_exists($number, $rvals)) - return $rvals[$number]; - $returnval = ''; - if ($number >= 100) { - $hundred = intval($number / 100); - $returnval = $rvals[$hundred] . ' Hundred'; - $number -= 100 * $hundred; - } - if (array_key_exists($number, $rvals)) { - if ($number > 0) - $returnval .= ' ' . $rvals[$number]; - return $returnval; - } - if ($number >= 10) { - $ten = intval($number / 10); - if ($returnval != '') - $returnval .= ' '; - $returnval .= $rvals[10 * $ten]; - $number -= 10 * $ten; - } - if ($number > 0) { - $returnval .= ' ' . 
$rvals[$number]; - } - return $returnval; - } +// Converts a number between zero and one thousand to Canadian English text +function smallIntToText($number) +{ + $number %= 1000; + $rvals = array( + 0 => 'Zero', + 1 => 'One', + 2 => 'Two', + 3 => 'Three', + 4 => 'Four', + 5 => 'Five', + 6 => 'Six', + 7 => 'Seven', + 8 => 'Eight', + 9 => 'Nine', + 10 => 'Ten', + 11 => 'Eleven', + 12 => 'Twelve', + 13 => 'Thirteen', + 14 => 'Fourteen', + 15 => 'Fifteen', + 16 => 'Sixteen', + 17 => 'Seventeen', + 18 => 'Eighteen', + 19 => 'Nineteen', + 20 => 'Twenty', + 30 => 'Thirty', + 40 => 'Forty', + 50 => 'Fifty', + 60 => 'Sixty', + 70 => 'Seventy', + 80 => 'Eighty', + 90 => 'Ninety', + ); + if (array_key_exists($number, $rvals)) + return $rvals[$number]; + $returnval = ''; + if ($number >= 100) { + $hundred = intval($number / 100); + $returnval = $rvals[$hundred] . ' Hundred'; + $number -= 100 * $hundred; + } + if (array_key_exists($number, $rvals)) { + if ($number > 0) + $returnval .= ' ' . $rvals[$number]; + return $returnval; + } + if ($number >= 10) { + $ten = intval($number / 10); + if ($returnval != '') + $returnval .= ' '; + $returnval .= $rvals[10 * $ten]; + $number -= 10 * $ten; + } + if ($number > 0) { + $returnval .= ' ' . $rvals[$number]; + } + return $returnval; +} ?> \ No newline at end of file diff --git a/config_editor.inc.php b/config_editor.inc.php index 96fd2feb..196fdba3 100644 --- a/config_editor.inc.php +++ b/config_editor.inc.php @@ -29,9 +29,9 @@ include_once ('helper.inc.php'); function config_editor_load($category, $year) { global $pdo; - $query = "SELECT * FROM config WHERE year='$year' AND category='$category' ORDER BY ord"; + $query = "SELECT * FROM config WHERE year=? AND category=? ORDER BY ord"; $q = $pdo->prepare($query); - $q->execute(); + $q->execute([$year, $category]); // print_r($pdo->errorInfo()); $var = array(); 
@@ -94,10 +94,10 @@ function config_update_variables($fairyear = NULL, $lastfairyear = NULL) */ $q = $pdo->prepare("SELECT config.var FROM `config` LEFT JOIN `config` AS C2 ON(config.var=C2.var - AND C2.year='$fairyear') + AND C2.year=?) WHERE config.year=-1 AND C2.year IS NULL"); - $q->execute(); + $q->execute([$fairyear]); show_pdo_errors_if_any($pdo); while ($i = $q->fetch(PDO::FETCH_ASSOC)) { @@ -108,11 +108,11 @@ function config_update_variables($fairyear = NULL, $lastfairyear = NULL) * the -1 year, prefer last year's value */ $r2 = $pdo->prepare("SELECT * FROM `config` - WHERE config.var='$var' - AND (config.year='$lastfairyear' + WHERE config.var=? + AND (config.year=? OR config.year='-1') ORDER BY config.year DESC"); - $r2->execute(); + $r2->execute([$var, $lastfairyear]); show_pdo_errors_if_any($pdo); if ($r2->rowCount() < 1) { diff --git a/judge.inc.php b/judge.inc.php index a89503fe..2089b762 100644 --- a/judge.inc.php +++ b/judge.inc.php @@ -48,15 +48,15 @@ function judge_status_expertise(&$u) } /* Check to see if they have ranked all project age categories, and all divisions */ - $q = $pdo->prepare("SELECT COUNT(id) AS num FROM projectcategories WHERE year='" . $config['FAIRYEAR'] . "'"); - $q->execute(); + $q = $pdo->prepare("SELECT COUNT(id) AS num FROM projectcategories WHERE year=?"); + $q->execute([$config['FAIRYEAR']]); $r = $q->fetch(PDO::FETCH_OBJ); $numcats = $r->num; if ($numcats != count(get_value_from_array($u, 'cat_prefs', []))) return 'incomplete'; - $q = $pdo->prepare("SELECT COUNT(id) AS num FROM projectdivisions WHERE year='" . $config['FAIRYEAR'] . "'"); - $q->execute(); + $q = $pdo->prepare("SELECT COUNT(id) AS num FROM projectdivisions WHERE year=?"); + $q->execute([$config['FAIRYEAR']]); $r = $q->fetch(PDO::FETCH_OBJ); $numdivisions = $r->num; if ($numdivisions != count($u['div_prefs'])) 
@@ -86,7 +86,7 @@ function judge_status_questions($u) global $config, $pdo; // get the questions we're looking for $q = $pdo->prepare('SELECT id FROM questions WHERE year=' . $config['FAIRYEAR'] . " AND required='yes'"); - $q->execute(); + $q->execute([]); $idList = array(); while ($row = $q->fetch(PDO::FETCH_ASSOC)) $idList[] = $row['id']; @@ -116,8 +116,8 @@ function judge_status_special_awards(&$u) */ $qq = $pdo->prepare("SELECT COUNT(id) AS num FROM judges_specialaward_sel - WHERE users_id='{$u['id']}'"); - $qq->execute(); + WHERE users_id=?"); + $qq->execute([$u['id']]); $rr = $qq->fetch(PDO::FETCH_OBJ); $awards_selected = $rr->num; // echo "$awards_selected awards selected, ({$config['judges_specialaward_min']} - {$config['judges_specialaward_max']})"; diff --git a/judge_availability.php b/judge_availability.php index 740c0c4c..701bc16f 100644 --- a/judge_availability.php +++ b/judge_availability.php @@ -49,8 +49,8 @@ $u = user_load($eid); $times = array(); /* Load the judging rounds */ -$q = $pdo->prepare("SELECT date,starttime,endtime,name FROM judges_timeslots WHERE round_id='0' AND year='{$config['FAIRYEAR']}' ORDER BY starttime,type"); -$q->execute(); +$q = $pdo->prepare("SELECT date,starttime,endtime,name FROM judges_timeslots WHERE round_id='0' AND year=? ORDER BY starttime,type"); +$q->execute([$config['FAIRYEAR']]); $x = 0; while ($r = $q->fetch(PDO::FETCH_OBJ)) { $found = false; @@ -72,8 +72,8 @@ while ($r = $q->fetch(PDO::FETCH_OBJ)) { switch (get_value_from_array($_GET, 'action')) { case 'save': - $stmt = $pdo->prepare("DELETE FROM judges_availability WHERE users_id='{$u['id']}'"); - $stmt->execute(); + $stmt = $pdo->prepare("DELETE FROM judges_availability WHERE users_id=?"); + $stmt->execute([$u['id']]); if (is_array($_POST['time'])) { foreach ($_POST['time'] as $x) { 
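Review bot: The `judge_status_questions` query still concatenates `$config['FAIRYEAR']` into the SQL string and only gains an empty `execute([])`, so this hunk keeps the string-built query that the rest of the commit is removing. Bind it the same way the sibling queries in `judge_status_expertise` now do: `$q = $pdo->prepare("SELECT id FROM questions WHERE year=? AND required='yes'"); $q->execute([$config['FAIRYEAR']]);`. The function body continues outside the hunk.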
@@ -129,8 +129,8 @@ if (get_value_from_array($_SESSION, 'embed') != true) { prepare("SELECT * FROM judges_availability WHERE users_id=\"{$u['id']}\" ORDER BY `start`"); -$q->execute(); +$q = $pdo->prepare("SELECT * FROM judges_availability WHERE users_id=? ORDER BY `start`"); +$q->execute([$u['id']]); $sel = array(); while ($r = $q->fetch(PDO::FETCH_OBJ)) { foreach ($times as $x => $t) { diff --git a/judge_expertise.php b/judge_expertise.php index c40061fb..ccb55ba6 100644 --- a/judge_expertise.php +++ b/judge_expertise.php @@ -133,8 +133,8 @@ if ($u['special_award_only'] == 'yes') { echo "\n"; echo "\n"; -$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year='{$config['FAIRYEAR']}' ORDER BY mingrade"); -$q->execute(); +$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year=? ORDER BY mingrade"); +$q->execute([$config['FAIRYEAR']]); echo '

' . i18n('Age Category Preferences') . '


'; echo '
'; while ($r = $q->fetch(PDO::FETCH_OBJ)) { @@ -171,8 +171,8 @@ echo '
'; echo "
\n"; // query all of the categories -$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year='{$config['FAIRYEAR']}' ORDER BY division"); -$q->execute(); +$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year=? ORDER BY division"); +$q->execute([$config['FAIRYEAR']]); $first = true; $trclass = ''; while ($r = $q->fetch(PDO::FETCH_OBJ)) { @@ -199,8 +199,8 @@ while ($r = $q->fetch(PDO::FETCH_OBJ)) { // only show the sub-divisions if the 'main' division is scored >=3 if ($u['div_prefs'][$r->id] >= 3) { - $subq = $pdo->prepare("SELECT * FROM projectsubdivisions WHERE projectdivisions_id='$r->id' AND year='" . $config['FAIRYEAR'] . "' ORDER BY subdivision"); - $subq->execute(); + $subq = $pdo->prepare("SELECT * FROM projectsubdivisions WHERE projectdivisions_id=? AND year=? ORDER BY subdivision"); + $subq->execute([$r->id, $config['FAIRYEAR']]); while ($subr = $subq->fetch(PDO::FETCH_OBJ)) { echo ''; echo ''; diff --git a/judge_main.php b/judge_main.php index 1bdfb07b..8b33756e 100644 --- a/judge_main.php +++ b/judge_main.php @@ -49,8 +49,8 @@ echo '
'; $scheduleok = false; if ($config['dates']['judgescheduleavailable'] && $config['dates']['judgescheduleavailable'] != '0000-00-00 00:00:00') { - $q = $pdo->prepare("SELECT (NOW()>'" . $config['dates']['judgescheduleavailable'] . "') AS test"); - $q->execute(); + $q = $pdo->prepare("SELECT (NOW()>?) AS test"); + $q->execute([$config['dates']['judgescheduleavailable']]); $r = $q->fetch(PDO::FETCH_OBJ); $scheduleok = $r->test; } else { @@ -64,8 +64,8 @@ if ($scheduleok) { * it's less obvious below */ $q = $pdo->prepare("SELECT id FROM judges_teams_link WHERE - users_id='{$u['id']}' AND year='{$config['FAIRYEAR']}'"); - $q->execute(); + users_id=? AND year=?"); + $q->execute([$u['id'], $config['FAIRYEAR']]); if ($q->rowCount() > 0) { echo ''; echo i18n('You have been assigned to a judging team. %1Click here%2 to view the judging schedule', diff --git a/judge_project_summary.php b/judge_project_summary.php index bceec950..5b76be87 100644 --- a/judge_project_summary.php +++ b/judge_project_summary.php @@ -31,9 +31,9 @@ user_auth_required(array('judge', 'committee')); $pn = stripslashes($_GET['pn']); $q = $pdo->prepare("SELECT * FROM projects WHERE - projectnumber='$pn' - AND year='{$config['FAIRYEAR']}'"); -$q->execute(); + projectnumber=? + AND year=?"); +$q->execute([$pn, $config['FAIRYEAR']]); if ($q->rowCount() == 0) { echo 'not found'; exit; @@ -43,9 +43,9 @@ $pi = $q->fetch(PDO::FETCH_OBJ); $sq = $pdo->prepare("SELECT firstname,lastname,school FROM students LEFT JOIN schools ON schools.id = students.schools_id WHERE - registrations_id='{$pi->registrations_id}' - AND students.year='{$config['FAIRYEAR']}'"); -$sq->execute(); + registrations_id=? + AND students.year=?"); +$sq->execute([$pi->registrations_id, $config['FAIRYEAR']]); $student = array(); while ($si = $sq->fetch(PDO::FETCH_OBJ)) { diff --git a/judge_schedule.php b/judge_schedule.php index 02f06602..d576d014 100644 --- a/judge_schedule.php +++ b/judge_schedule.php 
@@ -57,8 +57,8 @@ send_header('Schedule', $scheduleok = false; if ($config['dates']['judgescheduleavailable'] && $config['dates']['judgescheduleavailable'] != '0000-00-00 00:00:00') { - $q = $pdo->prepare("SELECT (NOW()>'" . $config['dates']['judgescheduleavailable'] . "') AS test"); - $q->execute(); + $q = $pdo->prepare("SELECT (NOW()>?"); + $q->execute([$config['dates']['judgescheduleavailable']]); $r = $q->fetch(PDO::FETCH_OBJ); $scheduleok = $r->test; } else { @@ -76,17 +76,17 @@ if (!$scheduleok) { /* Find all judging teams this judge is on */ $q = $pdo->prepare("SELECT * FROM judges_teams_link LEFT JOIN judges_teams ON judges_teams.id=judges_teams_link.judges_teams_id - WHERE judges_teams_link.users_id='{$u['id']}' - AND judges_teams_link.year='{$config['FAIRYEAR']}'"); -$q->execute(); + WHERE judges_teams_link.users_id=? + AND judges_teams_link.year=?"); +$q->execute([$u['id'], $config['FAIRYEAR']]); $teams = array(); while ($t = $q->fetch(PDO::FETCH_ASSOC)) { /* Load timeslot data for this team (team -> judges_timeslots_link -> timeslot -> parent timeslot */ $qq = $pdo->prepare("SELECT T.* FROM judges_teams_timeslots_link LEFT JOIN judges_timeslots ON judges_timeslots.id=judges_teams_timeslots_link.judges_timeslots_id LEFT JOIN judges_timeslots AS T ON T.id=judges_timeslots.round_id - WHERE judges_teams_timeslots_link.judges_teams_id={$t['judges_teams_id']}"); - $qq->execute(); + WHERE judges_teams_timeslots_link.judges_teams_id=?"); + $qq->execute([$t['judges_teams_id']]); $tt = $qq->fetch(PDO::FETCH_ASSOC); show_pdo_errors_if_any($pdo); $t['timeslot'] = $tt; 
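Review bot: The rewritten statement `SELECT (NOW()>?` in `judge_schedule.php` is truncated — the closing parenthesis and the `AS test` alias were dropped — so the query is invalid SQL and `$r->test` on the following line is read from a failed fetch rather than the comparison result. It should match the form the same commit writes in `judge_main.php`: `$q = $pdo->prepare("SELECT (NOW()>?) AS test");`. Because `$scheduleok` gates whether the judge can see the schedule, the broken query presumably leaves it falsy (or throws, depending on the PDO error mode); calling `show_pdo_errors_if_any($pdo)` after `execute()`, as this file does elsewhere, would make the failure visible.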
@@ -95,8 +95,8 @@ while ($t = $q->fetch(PDO::FETCH_ASSOC)) { $qq = $pdo->prepare("SELECT award_awards.*,T.type FROM judges_teams_awards_link LEFT JOIN award_awards ON award_awards.id=judges_teams_awards_link.award_awards_id LEFT JOIN award_types as T ON T.id=award_awards.award_types_id - WHERE judges_teams_awards_link.judges_teams_id={$t['judges_teams_id']}"); - $qq->execute(); + WHERE judges_teams_awards_link.judges_teams_id=?"); + $qq->execute([$t['judges_teams_id']]); show_pdo_errors_if_any($pdo); $aa = $qq->fetch(PDO::FETCH_ASSOC); $t['award'] = $aa; @@ -104,9 +104,9 @@ while ($t = $q->fetch(PDO::FETCH_ASSOC)) { /* Load team members */ $qq = $pdo->prepare("SELECT * FROM judges_teams_link LEFT JOIN users ON users.id=judges_teams_link.users_id - WHERE judges_teams_link.judges_teams_id={$t['judges_teams_id']} + WHERE judges_teams_link.judges_teams_id=? ORDER BY judges_teams_link.captain,users.lastname,users.firstname"); - $qq->execute(); + $qq->execute([$t['judges_teams_id']]); $t['members'] = array(); while (($mm = $qq->fetch(PDO::FETCH_ASSOC))) { @@ -116,8 +116,8 @@ while ($t = $q->fetch(PDO::FETCH_ASSOC)) { /* Load projects */ $qq = $do->prepare("SELECT projects.id,projects.projectnumber,projects.title FROM judges_teams_timeslots_projects_link LEFT JOIN projects ON projects.id=judges_teams_timeslots_projects_link.projects_id - WHERE judges_teams_id={$t['judges_teams_id']}"); - $qq->execute(); + WHERE judges_teams_id=?"); + $qq->execute([$t['judges_teams_id']]); $p = array(); while (($pp = $qq->fetch(PDO::FETCH_ASSOC))) $p[] = $pp; diff --git a/judge_special_awards.php b/judge_special_awards.php index cadb22b0..c363f2c9 100644 --- a/judge_special_awards.php +++ b/judge_special_awards.php 
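Review bot: The projects query in the `@@ -116` hunk is prepared on `$do` (`$qq = $do->prepare(...)`), an unchanged context line; unless `$do` is assigned somewhere above in `judge_schedule.php`, that is an undefined variable and the newly parameterised `$qq->execute([$t['judges_teams_id']])` runs on a statement that was never created. It looks like a typo for `$pdo`, which every other statement in this loop uses: `$qq = $pdo->prepare("SELECT projects.id,projects.projectnumber,projects.title FROM judges_teams_timeslots_projects_link`. The enclosing `while` loop starts outside the hunk.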
@@ -50,14 +50,14 @@ $u = user_load($eid); switch (get_value_from_array($_GET, 'action')) { case 'save': // first delete all their old associations for this year.. - $stmt = $pdo->prepare("DELETE FROM judges_specialaward_sel WHERE users_id='{$u['id']}'"); - $stmt->execute(); + $stmt = $pdo->prepare("DELETE FROM judges_specialaward_sel WHERE users_id=?"); + $stmt->execute([$u['id']]); if (array_key_exists('spaward', $_POST)) { foreach ($_POST['spaward'] AS $aid) { $stmt = $pdo->prepare("INSERT INTO judges_specialaward_sel (users_id, award_awards_id) - VALUES ('{$u['id']}','$aid')"); - $stmt->execute(); + VALUES (?,?)"); + $stmt->execute([$u['id'], $aid]); } } happy_('Special Award preferences successfully saved'); @@ -110,8 +110,8 @@ if ($u['special_award_only'] == 'yes') { echo '
'; echo '
'; -$q = $pdo->prepare("SELECT * FROM judges_specialaward_sel WHERE users_id='{$u['id']}'"); -$q->execute(); +$q = $pdo->prepare("SELECT * FROM judges_specialaward_sel WHERE users_id=?"); +$q->execute([$u['id']]); $spawards = array(); while ($r = $q->fetch(PDO::FETCH_OBJ)) $spawards[] = $r->award_awards_id; @@ -131,11 +131,11 @@ $q = $pdo->prepare("SELECT award_awards.id, award_types.id=award_awards.award_types_id\t\t AND sponsors.id=award_awards.sponsors_id\t\t AND (award_types.type='Special' OR award_types.type='Other') - AND award_awards.year='{$config['FAIRYEAR']}' - AND award_types.year='{$config['FAIRYEAR']}' + AND award_awards.year=? + AND award_types.year=? ORDER BY name"); -$q->execute(); +$q->execute([$config['FAIRYEAR'], $config['FAIRYEAR']]); show_pdo_errors_if_any($pdo); while ($r = $q->fetch(PDO::FETCH_OBJ)) { ?> diff --git a/lpdf.php b/lpdf.php index c0c2d2dd..dcb6bc66 100644 --- a/lpdf.php +++ b/lpdf.php @@ -223,8 +223,8 @@ class lpdf // echo "breaking because nr==prevnr ($nr==$prevnr) trying to output [$textstr] (debug: fontsize=$fontsize, lineheight=$lineheight, stringwidth=$stringwidth, left=".$this->loc(0.75).", top=".$this->loc($this->yloc).", width=".$this->loc(7).", height=$lineheight)\n"; break; } - $q=$pdo->prepare("SELECT * FROM translations WHERE lang='".$_SESSION['lang']."' AND strmd5='".md5($str)."'"); - $q->execute(); + $q=$pdo->prepare("SELECT * FROM translations WHERE lang=? AND strmd5=?"); + $q->execute([$_SESSION['lang'], md5($str)]); if($r=$q->fetch(PDO::FETCH_OBJ)) $prevnr=$nr; diff --git a/projects.inc.php b/projects.inc.php index 6765eb15..6910f871 100644 --- a/projects.inc.php +++ b/projects.inc.php 
@@ -42,17 +42,17 @@ function getProjectsEligibleForAward($award_id) award_awards_projectdivisions, projects WHERE - award_awards.id='$award_id' + award_awards.id=? AND award_awards.id=award_awards_projectcategories.award_awards_id AND award_awards.id=award_awards_projectdivisions.award_awards_id AND projects.projectcategories_id=award_awards_projectcategories.projectcategories_id AND projects.projectdivisions_id=award_awards_projectdivisions.projectdivisions_id AND projects.projectnumber is not null - AND projects.year='" . $config['FAIRYEAR'] . "' + AND projects.year=?' ORDER BY projectsort "); - $prjq->execute(); + $prjq->execute($award_id, [$config['FAIRYEAR']]); $projects = array(); while ($prjr = $prjq->fetch(PDO::FETCH_OBJ)) { $projects[$prjr->projectnumber] = array( @@ -76,17 +76,17 @@ function getLanguagesOfProjectsEligibleForAward($award_id) award_awards_projectdivisions, projects WHERE - award_awards.id='$award_id' + award_awards.id=? AND award_awards.id=award_awards_projectcategories.award_awards_id AND award_awards.id=award_awards_projectdivisions.award_awards_id AND projects.projectcategories_id=award_awards_projectcategories.projectcategories_id AND projects.projectdivisions_id=award_awards_projectdivisions.projectdivisions_id AND projects.projectnumber is not null - AND projects.year='" . $config['FAIRYEAR'] . "' + AND projects.year=? ORDER BY language "); - $prjq->execute(); + $prjq->execute([$award_id, $config['FAIRYEAR']]); $languages = array(); while ($r = $prjq->fetch(PDO::FETCH_OBJ)) { if ($r->language) 
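Review bot: In `getProjectsEligibleForAward`, the new line `AND projects.year=?'` carries a stray single quote after the placeholder (the parallel hunk in `getLanguagesOfProjectsEligibleForAward` has the correct `AND projects.year=?`), which makes the SQL invalid. The following `$prjq->execute($award_id, [$config['FAIRYEAR']]);` is also wrong: `PDOStatement::execute` takes one array of bound values, so it should be `$prjq->execute([$award_id, $config['FAIRYEAR']]);`. Either error leaves the statement unexecuted and the `while` loop below silently yields no projects. The `prepare()` call opens outside the hunk.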
@@ -100,8 +100,8 @@ function getProjectsEligibleOrNominatedForAwards($awards_ids_array) global $pdo; $projects = array(); foreach ($awards_ids_array AS $award_id) { - $q = $pdo->prepare("SELECT award_types.type FROM award_awards, award_types WHERE award_awards.id='$award_id' AND award_awards.award_types_id=award_types.id"); - $q->execute(); + $q = $pdo->prepare("SELECT award_types.type FROM award_awards, award_types WHERE award_awards.id=? AND award_awards.award_types_id=award_types.id"); + $q->execute([$award_id]); $r = $q->fetch(PDO::FETCH_OBJ); $awardprojects = array(); @@ -149,14 +149,14 @@ function getSpecialAwardsEligibleForProject($projectid) AND projects.projectcategories_ipreparequeryd=award_awards_projectcategories.projectcategories_id AND projects.projectdivisions_id=award_awards_projectdivisions.projectdivisions_id AND award_awards.id is not null - AND projects.year='" . $config['FAIRYEAR'] . "' - AND projects.id='$projectid' - AND award_types.year='" . $config['FAIRYEAR'] . "' - AND award_awards.year='" . $config['FAIRYEAR'] . "' + AND projects.year=? + AND projects.id=? + AND award_types.year=? + AND award_awards.year=? ORDER BY award_awards.name "); - $awardsq->execute(); + $awardsq->execute([$config['FAIRYEAR'], $config['FAIRYEAR'], $config['FAIRYEAR']]); $awards = array(); show_pdo_errors_if_any($pdo); while ($r = $awardsq->fetch(PDO::FETCH_OBJ)) { 
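Review bot: `getSpecialAwardsEligibleForProject` now has four placeholders (`projects.year`, `projects.id`, `award_types.year`, `award_awards.year`) but `$awardsq->execute([$config['FAIRYEAR'], $config['FAIRYEAR'], $config['FAIRYEAR']])` binds only three and never binds `$projectid`, so execute fails on the parameter count. It should read `$awardsq->execute([$config['FAIRYEAR'], $projectid, $config['FAIRYEAR'], $config['FAIRYEAR']]);`. The unchanged context line `projects.projectcategories_ipreparequeryd` also looks like a damaged column name (presumably `projectcategories_id`, as in the other eligibility queries) and would fail before the bind count is checked — worth confirming against the schema. The `prepare()` call and the rest of the function lie outside the hunk.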
@@ -185,14 +185,14 @@ function getSpecialAwardsNominatedForProject($projectid) project_specialawards_link, projects WHERE - project_specialawards_link.projects_id='$projectid' + project_specialawards_link.projects_id=? AND project_specialawards_link.award_awards_id=award_awards.id - AND projects.year='" . $config['FAIRYEAR'] . "' - AND projects.id='$projectid' + AND projects.year=? + AND projects.id=? ORDER BY award_awards.name "); - $awardsq->execute(); + $awardsq->execute([$projectid, $config['FAIRYEAR'], $projectid]); $awards = array(); show_pdo_errors_if_any($pdo); while ($r = $awardsq->fetch(PDO::FETCH_OBJ)) { @@ -215,12 +215,12 @@ function getNominatedForNoSpecialAwardsForProject($projectid) project_specialawards_link, projects WHERE - project_specialawards_link.projects_id='$projectid' - AND projects.year='" . $config['FAIRYEAR'] . "' - AND projects.id='$projectid' + project_specialawards_link.projects_id=? + AND projects.year=? + AND projects.id=? AND project_specialawards_link.award_awards_id IS NULL "); - $awardsq->execute(); + $awardsq->execute([$projectid, $config['FAIRYEAR'], $projectid]); if ($awardsq->rowCount() == 1) return true; return false; @@ -242,14 +242,14 @@ function getProjectsNominatedForSpecialAward($award_id) project_specialawards_link, projects WHERE - project_specialawards_link.award_awards_id='$award_id' + project_specialawards_link.award_awards_id=? AND project_specialawards_link.projects_id=projects.id AND projects.projectnumber is not null - AND projects.year='" . $config['FAIRYEAR'] . "' + AND projects.year=? ORDER BY projectsort "); - $prjq->execute(); + $prjq->execute([$award_id, $config['FAIRYEAR']]); $projects = array(); while ($prjr = $prjq->fetch(PDO::FETCH_OBJ)) { $projects[$prjr->projectnumber] = array( 
@@ -279,13 +279,13 @@ function getLanguagesOfProjectsNominatedForSpecialAward($award_id) project_specialawards_link, projects WHERE - project_specialawards_link.award_awards_id='$award_id' + project_specialawards_link.award_awards_id=? AND project_specialawards_link.projects_id=projects.id AND projects.projectnumber is not null - AND projects.year='" . $config['FAIRYEAR'] . "' + AND projects.year=? ORDER BY language "); - $prjq->execute(); + $prjq->execute([$award_id, $config['FAIRYEAR']]); $languages = array(); while ($r = $prjq->fetch(PDO::FETCH_OBJ)) { // dont count "" as a language, if the project doesnt have a language specified too bad they're up shit creek without a paddle @@ -316,17 +316,17 @@ function getSpecialAwardsNominatedByRegistrationID($id) award_awards_projectdivisions, projects WHERE - award_awards.id='$award_id' + award_awards.id=? AND award_awards.id=award_awards_projectcategories.award_awards_id AND award_awards.id=award_awards_projectdivisions.award_awards_id AND projects.projectcategories_id=award_awards_projectcategories.projectcategories_id AND projects.projectdivisions_id=award_awards_projectdivisions.projectdivisions_id AND projects.projectnumber is not null - AND projects.year='" . $config['FAIRYEAR'] . "' + AND projects.year=? ORDER BY projectsort "); - $awardq->execute(); + $awardq->execute([$award_id, $config['FAIRYEAR']]); $projects = array(); while ($prjr = $prjq->fetch(PDO::FETCH_OBJ)) { $projects[$prjr->projectnumber] = array( 
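Review bot: In getSpecialAwardsNominatedByRegistrationID the statement that is prepared and executed is `$awardq`, yet the loop immediately below fetches from `$prjq` (`while ($prjr = $prjq->fetch(PDO::FETCH_OBJ))`). Unless `$prjq` is assigned earlier in the function (its start is outside the hunk), the loop reads from a different statement than the one just executed and the bound `$award_id`/year values have no effect on the result; this predates the commit but survives it. If the intent is a single statement, the fetch should read `while ($prjr = $awardq->fetch(PDO::FETCH_OBJ)) {`.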
@@ -342,15 +342,15 @@ function project_load($pid) { global $pdo; /* Load this project */ - $q = $pdo->prepare("SELECT * FROM projects WHERE id='$pid'"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM projects WHERE id=?"); + $q->execute([$pid]); $proj = $q->fetch(); /* Load the students */ $q = $pdo->prepare("SELECT students.*,schools.school FROM students LEFT JOIN schools ON schools.id=students.schools_id - WHERE registrations_id='{$proj['registrations_id']}' AND students.year='{$proj['year']}' ORDER BY students.id"); - $q->execute(); + WHERE registrations_id=? AND students.year=? ORDER BY students.id"); + $q->execute([$proj['registrations_id'], $proj['year']]); $proj['num_students'] = 0; while ($s = $q->fetch(PDO::FETCH_OBJ)) { $proj['num_students']++; diff --git a/questions.inc.php b/questions.inc.php index 994f00bb..47d25b4e 100644 --- a/questions.inc.php +++ b/questions.inc.php @@ -27,15 +27,15 @@ function questions_load_answers($section, $users_id) { global $pdo, $config; - $yearq = $pdo->prepare("SELECT `year` FROM users WHERE id='$users_id'"); - $yearq->execute(); + $yearq = $pdo->prepare("SELECT `year` FROM users WHERE id=?"); + $yearq->execute([$users_id]); $yearr = $yearq->fetch(PDO::FETCH_OBJ); $ans = array(); $qs = questions_load_questions($section, $yearr->year); foreach ($qs AS $id => $question) { - $q = $pdo->prepare("SELECT * FROM question_answers WHERE users_id='$users_id' AND questions_id='$id'"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM question_answers WHERE users_id=? AND questions_id=?"); + $q->execute([$users_id, $id]); $r = $q->fetch(PDO::FETCH_OBJ); $ans[$id] = get_value_or_default($r, 'answer', ''); } 
@@ -46,10 +46,10 @@ function questions_load_questions($section, $year) { global $pdo; $q = $pdo->prepare('SELECT * FROM questions ' - . "WHERE year='$year' " - . " AND section='$section' " + . "WHERE year=?" + . " AND section=?" . 'ORDER BY ord ASC'); - $q->execute(); + $q->execute([$year, $section]); show_pdo_errors_if_any($pdo); @@ -71,11 +71,11 @@ function questions_save_answers($section, $id, $answers) global $config, $pdo; $qs = questions_load_questions($section, $config['FAIRYEAR']); $keys = array_keys($answers); - $q = $pdo->prepare("SELECT * FROM questions WHERE year='{$config['FAIRYEAR']}'"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM questions WHERE year=?"); + $q->execute([$config['FAIRYEAR']]); while ($r = $q->fetch(PDO::FETCH_OBJ)) { - $stmt = $pdo->prepare("DELETE FROM question_answers WHERE users_id='$id' AND questions_id='$r->id'"); - $stmt->execute(); + $stmt = $pdo->prepare("DELETE FROM question_answers WHERE users_id=? AND questions_id=?"); + $stmt->execute([$id, $r->id]); show_pdo_errors_if_any($pdo); } @@ -83,10 +83,8 @@ function questions_save_answers($section, $id, $answers) foreach ($keys as $qid) { /* Poll key */ $stmt = $pdo->prepare("INSERT INTO question_answers - (users_id,questions_id,answer) VALUES( - '$id','$qid', - '" . $answers[$qid] . "')"); - $stmt->execute(); + (users_id,questions_id,answer) VALUES(?,?,?)"); + $stmt->execute([$id, $qid, $answers[$qid]]); } } @@ -94,9 +92,9 @@ function questions_find_question_id($section, $dbheading) { global $pdo; $q = $pdo->prepare('SELECT id FROM questions WHERE ' - . " section='$section' " - . " AND db_heading='$dbheading' "); - $q->execute(); + . " section=?" + . " AND db_heading=?"); + $q->execute([$section, $dbheading]); if ($q->rowCount() == 1) { $r = $q->fetch(PDO::FETCH_OBJ); return $r->id; 
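Review bot: In questions_load_questions the rewritten fragments drop the trailing space that the old strings carried, so the concatenation `"WHERE year=?" . " AND section=?" . 'ORDER BY ord ASC'` produces `section=?ORDER BY ord ASC` with the keyword glued to the placeholder. Whether the server tokenizes that correctly depends on the driver and emulation mode; restore the separator explicitly, e.g. `. " AND section=? "`, so the SQL is unambiguous. The same pattern in questions_find_question_id is safe because those fragments keep a leading space.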
@@ -182,13 +180,13 @@ function questions_update_question($qs) global $pdo; $qs['ord'] = $qs['ord'] ?? ''; $stmt = $pdo->prepare("UPDATE questions SET - `question`='" . $qs['question'] . "', - `type`='" . $qs['type'] . "', - `db_heading`='" . $qs['db_heading'] . "', - `required`='" . $qs['required'] . "', - `ord`=" . intval($qs['ord'] . " - WHERE id='{$qs['id']}' ")); - $stmt->execute(); + `question`=?, + `type`=?, + `db_heading`=?, + `required`=?, + `ord`=? + WHERE id=?")); + $stmt->execute([$qs['question'], $qs['type'], $qs['db_heading'], $qs['required'], intval($qs['ord'], $qs['id']]); show_pdo_errors_if_any($pdo); } @@ -251,8 +249,8 @@ function questions_editor($section, $year, $array_name, $self) $qs = questions_load_questions($section, $year); /* Delete this question */ - $stmt = $pdo->prepare("DELETE FROM questions WHERE id='$qid'"); - $stmt->execute(); + $stmt = $pdo->prepare("DELETE FROM questions WHERE id=?"); + $stmt->execute([$qid]); /* Update the order of all questions after this one */ $keys = array_keys($qs); @@ -261,8 +259,8 @@ function questions_editor($section, $year, $array_name, $self) continue; if ($qs[$q]['ord'] > $qs[$qid]['ord']) { $qs[$q]['ord']--; - $stmt = $pdo->prepare("UPDATE questions SET ord='{$qs[$q]['ord']}' WHERE id='$q'"); - $stmt->execute(); + $stmt = $pdo->prepare("UPDATE questions SET ord='{}' WHERE id=?"); + $stmt->execute([$qs[$q]['ord'], $q]); } } echo happy(i18n('Question successfully removed')); @@ -270,8 +268,8 @@ function questions_editor($section, $year, $array_name, $self) if (get_value_from_array($_GET, 'action') == 'import' && get_value_from_array($_GET, 'impyear')) { $x = 0; - $q = $pdo->prepare("SELECT * FROM questions WHERE year='{$_GET['impyear']}'"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM questions WHERE year=?"); + $q->execute([$_GET['impyear']]); while ($r = $q->fetch(PDO::FETCH_OBJ)) { $x++; $stmt = $pdo->prepare("INSERT INTO questions (id,year,section,db_heading,question,type,required,ord) 
@@ -331,8 +329,8 @@ function questions_editor($section, $year, $array_name, $self) if ($qdir != 0) { $qs[$qid]['ord'] += $qdir; /* Update the db */ - $stmt = $pdo->prepare("UPDATE questions SET ord='{$qs[$qid]['ord']}' WHERE id='$qid'"); - $stmt->execute(); + $stmt = $pdo->prepare("UPDATE questions SET ord=? WHERE id=?"); + $stmt->execute([$qs[$qid]['ord'], $qid]); $keys = array_keys($qs); $originalq = $qs[$qid]; @@ -343,12 +341,12 @@ function questions_editor($section, $year, $array_name, $self) continue; if ($qdir == 1) { $qs[$q]['ord']--; - $stmt = $pdo->prepare("UPDATE questions SET ord='{$qs[$q]['ord']}' WHERE id='$q'"); - $stmt->execute(); + $stmt = $pdo->prepare("UPDATE questions SET ord=? WHERE id=?"); + $stmt->execute([$qs[$q]['ord'], $q]); } else { $qs[$q]['ord']++; - $stmt = $pdo->prepare("UPDATE questions SET ord='{$qs[$q]['ord']}' WHERE id='$q'"); - $stmt->execute(); + $stmt = $pdo->prepare("UPDATE questions SET ord=? WHERE id=?"); + $stmt->execute([$qs[$q]['ord'], $q]); } /* diff --git a/register_participants.inc.php b/register_participants.inc.php index a172b049..d2022741 100644 --- a/register_participants.inc.php +++ b/register_participants.inc.php @@ -26,8 +26,8 @@ function registrationFormsReceived($reg_id="") { global $pdo; if($reg_id) $rid=$reg_id; else $rid=$_SESSION['registration_id']; - $q=$pdo->prepare("SELECT status FROM registrations WHERE id='$rid'"); - $q->execute(); + $q=$pdo->prepare("SELECT status FROM registrations WHERE id=?"); + $q->execute([$rid]); $r=$q->fetch(PDO::FETCH_OBJ); if($r->status=="complete" || $r->status=="paymentpending") return true; @@ -38,8 +38,8 @@ function registrationFormsReceived($reg_id="") function registrationDeadlinePassed() { global $config, $pdo; - $q=$pdo->prepare("SELECT (NOW()<'".$config['dates']['regclose']."') AS datecheck"); - $q->execute(); + $q=$pdo->prepare("SELECT (NOW()execute([$config['dates']['regclose']]); $datecheck=$q->fetch(PDO::FETCH_OBJ); if($datecheck->datecheck==1) return false; 
@@ -62,8 +62,8 @@ function studentStatus($reg_id="") if($reg_id) $rid=$reg_id; else $rid=$_SESSION['registration_id']; - $q=$pdo->prepare("SELECT * FROM students WHERE registrations_id='$rid' AND year='".$config['FAIRYEAR']."'"); - $q->execute(); + $q=$pdo->prepare("SELECT * FROM students WHERE registrations_id=? AND year=?"); + $q->execute([$rid,$config['FAIRYEAR']]); //if we dont have the minimum, return incomplete if($q->rowCount()<$config['minstudentsperproject']) return "incomplete"; @@ -97,14 +97,14 @@ function emergencycontactStatus($reg_id="") if($reg_id) $rid=$reg_id; else $rid=$_SESSION['registration_id']; - $sq=$pdo->prepare("SELECT id FROM students WHERE registrations_id='$rid' AND year='".$config['FAIRYEAR']."'"); - $sq->execute(); + $sq=$pdo->prepare("SELECT id FROM students WHERE registrations_id=? AND year=?"); + $sq->execute([$rid, $config['FAIRYEAR']]); $numstudents=$sq->rowCount(); while($sr=$sq->fetch(PDO::FETCH_OBJ)) { - $q=$pdo->prepare("SELECT * FROM emergencycontact WHERE registrations_id='$rid' AND year='".$config['FAIRYEAR']."' AND students_id='$sr->id'"); - $q->execute(); + $q=$pdo->prepare("SELECT * FROM emergencycontact WHERE registrations_id=? AND year=? AND students_id=?"); + $q->execute([$rid, $config['FAIRYEAR'], $sr->id]); $r=$q->fetch(PDO::FETCH_OBJ); foreach ($required_fields AS $req) @@ -139,8 +139,8 @@ function projectStatus($reg_id="") if($reg_id) $rid=$reg_id; else $rid=$_SESSION['registration_id']; - $q=$pdo->prepare("SELECT * FROM projects WHERE registrations_id='$rid' AND year='".$config['FAIRYEAR']."'"); - $q->execute(); + $q=$pdo->prepare("SELECT * FROM projects WHERE registrations_id=? AND year=?"); + $q->execute([$rid, $config['FAIRYEAR']]); //if we dont have a project entry yet, return empty if(!$q->rowCount()) return "empty"; 
@@ -169,14 +169,14 @@ function mentorStatus($reg_id="") else $rid=$_SESSION['registration_id']; //first check the registrations table to see if 'nummentors' is set, or if its null - $q=$pdo->prepare("SELECT nummentors FROM registrations WHERE id='$rid' AND year='".$config['FAIRYEAR']."'"); - $q->execute(); + $q=$pdo->prepare("SELECT nummentors FROM registrations WHERE id=? AND year=?"); + $q->execute([$rid, $config['FAIRYEAR']]); $r=$q->fetch(PDO::FETCH_OBJ); if($r->nummentors==null) return "incomplete"; - $q=$pdo->prepare("SELECT * FROM mentors WHERE registrations_id='$rid' AND year='".$config['FAIRYEAR']."'"); -$q->execute(); + $q=$pdo->prepare("SELECT * FROM mentors WHERE registrations_id=? AND year=?"); +$q->execute([$rid, $config['FAIRYEAR']]); //if we dont have the minimum, return incomplete if($q->rowCount()prepare("SELECT * FROM safety WHERE registrations_id='$rid'"); - $q->execute(); + $q=$pdo->prepare("SELECT * FROM safety WHERE registrations_id=?"); + $q->execute([$rid]); while($r=$q->fetch(PDO::FETCH_OBJ)) { $safetyanswers[$r->safetyquestions_id]=$r->answer; } //now grab all the questions - $q=$pdo->prepare("SELECT * FROM safetyquestions WHERE year='".$config['FAIRYEAR']."' ORDER BY ord"); - $q->execute(); + $q=$pdo->prepare("SELECT * FROM safetyquestions WHERE year=? ORDER BY ord"); + $q->execute([$config['FAIRYEAR']]); while($r=$q->fetch(PDO::FETCH_OBJ)) { if($r->required=="yes" && !$safetyanswers[$r->id]) @@ -233,8 +233,8 @@ function spawardStatus($reg_id="") if($reg_id) $rid=$reg_id; else $rid=$_SESSION['registration_id']; - $q=$pdo->prepare("SELECT * FROM projects WHERE registrations_id='$rid'"); - $q->execute(); + $q=$pdo->prepare("SELECT * FROM projects WHERE registrations_id=?"); + $q->execute([$rid]); $project=$q->fetch(PDO::FETCH_OBJ); /* We want this query to get any awards with a NULL award_awards_id */ 
@@ -244,10 +244,10 @@ function spawardStatus($reg_id="") project_specialawards_link, projects WHERE - project_specialawards_link.projects_id='".$project->id."' - AND projects.year='".$config['FAIRYEAR']."' + project_specialawards_link.projects_id=? + AND projects.year=? "); - $awardsq->execute(); + $awardsq->execute([$project->id,$config['FAIRYEAR']]); if($awardsq->rowCount()) return "complete"; @@ -263,16 +263,16 @@ function tourStatus($reg_id="") else $rid=$_SESSION['registration_id']; /* Get the students for this project */ - $q=$pdo->prepare("SELECT * FROM students WHERE registrations_id='$rid' AND year='".$config['FAIRYEAR']."'"); - $q->execute(); + $q=$pdo->prepare("SELECT * FROM students WHERE registrations_id=? AND year=?"); + $q->execute([$rid,$config['FAIRYEAR']]); $num_found = $q->rowCount(); $ret = "complete"; while($s=$q->fetch(PDO::FETCH_OBJ)) { //grab all of their tour prefs $sid = $s->id; - $qq=$pdo->prepare("SELECT * FROM tours_choice WHERE students_id='$sid' and year='{$config['FAIRYEAR']}' ORDER BY rank"); - $qq->execute(); + $qq=$pdo->prepare("SELECT * FROM tours_choice WHERE students_id=? and year=? ORDER BY rank"); + $qq->execute([$sid, $config['FAIRYEAR']]); $n_tours = $qq->rowCount(); if($n_tours > 0) { /* See if there's a rank 0 tour (rank 0 == their tour assignment) */ @@ -300,14 +300,14 @@ function namecheckStatus($reg_id="") if($reg_id) { $q=$pdo->prepare("SELECT * FROM students WHERE - registrations_id='$reg_id' + registrations_id=? - AND year='".$config['FAIRYEAR']."'"); - $q->execute(); + AND year=?"); + $q->execute([$config['FAIRYEAR']]); } else { $q=$pdo->prepare("SELECT * FROM students WHERE - id='{$_SESSION['students_id']}'"); - $q->execute(); + id=?"); + $q->execute([$reg_id, $_SESSION['students_id']]); } /* Get the students for this project */ 
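Review bot: In namecheckStatus the bound values ended up in the wrong branches: the `$reg_id` query has two placeholders (`registrations_id=?`, `year=?`) but binds only `[$config['FAIRYEAR']]`, while the session-id query has one placeholder and binds `[$reg_id, $_SESSION['students_id']]`. The first should be `$q->execute([$reg_id, $config['FAIRYEAR']]);` and the second `$q->execute([$_SESSION['students_id']]);`. As written both paths fail with a parameter-count error, so the name-check status can never be computed. The enclosing function runs past the hunk.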
@@ -335,13 +335,13 @@ function generateProjectNumber($registration_id) projectcategories, projectdivisions WHERE - registrations_id='$reg_id' + registrations_id=? AND projects.projectdivisions_id=projectdivisions.id AND projects.projectcategories_id=projectcategories.id - AND projectcategories.year='{$config['FAIRYEAR']}' - AND projectdivisions.year='{$config['FAIRYEAR']}' + AND projectcategories.year=? + AND projectdivisions.year=? "); - $q->execute(); + $q->execute([$reg_id,$config['FAIRYEAR'],$config['FAIRYEAR']]); show_pdo_errors_if_any($pdo); $r=$q->fetch(PDO::FETCH_OBJ); @@ -376,10 +376,10 @@ function generateProjectNumber($registration_id) $q = $pdo->prepare("SELECT projectnumber_seq,projectsort_seq, projectdivisions_id,projectcategories_id FROM projects - WHERE year='{$config['FAIRYEAR']}' + WHERE year=? AND projectnumber_seq!='0' AND projectnumber IS NOT NULL"); - $q->execute(); + $q->execute([$config['FAIRYEAR']]); show_pdo_errors_if_any($pdo); while($i = $q->fetch(PDO::FETCH_OBJ)) { if( ($r->projectdivisions_id == $i->projectdivisions_id) @@ -455,12 +455,12 @@ function computeRegistrationFee($regid) $regfee_items = array(); $q = $pdo->prepare("SELECT * FROM regfee_items - WHERE year='{$config['FAIRYEAR']}'"); - $q->execute(); + WHERE year=?"); + $q->execute([$config['FAIRYEAR']]); while($i = $q->fetch(PDO::FETCH_ASSOC)) $regfee_items[] = $i; - $q=$pdo->prepare("SELECT * FROM students WHERE registrations_id='$regid' AND year='".$config['FAIRYEAR']."'"); - $q->execute(); + $q=$pdo->prepare("SELECT * FROM students WHERE registrations_id=? AND year=?"); + $q->execute([$regid, $config['FAIRYEAR']]); $n_students = $q->rowCount(); $n_tshirts = 0; $sel = array(); 
@@ -471,8 +471,8 @@ function computeRegistrationFee($regid) if($config['participant_regfee_items_enable'] != 'yes') continue; $sel_q = $pdo->prepare("SELECT * FROM regfee_items_link - WHERE students_id={$s->id}"); - $sel_q->execute(); + WHERE students_id=?"); + $sel_q->execute([$s->id]); while($info_q = $sel_q->fetch(PDO::FETCH_ASSOC)) { $sel[] = $info_q['regfee_items_id']; } diff --git a/register_participants.php b/register_participants.php index 9f366ce1..ba984583 100644 --- a/register_participants.php +++ b/register_participants.php @@ -42,8 +42,8 @@ if (get_value_from_array($_POST, 'action') == 'new') { $stmt = $pdo->prepare("INSERT INTO students (registrations_id,email,schools_id,year) VALUES ('$r->id','" . $_SESSION['email'] . "','" . $r->schools_id . "','" . $config['FAIRYEAR'] . "')"); $stmt->execute(); - $stmt = $pdo->prepare("UPDATE registrations SET status='open' WHERE id='$r->id'"); - $stmt->execute(); + $stmt = $pdo->prepare("UPDATE registrations SET status='open' WHERE id=?"); + $stmt->execute([$r->id]); header('Location: register_participants_main.php'); exit; @@ -81,9 +81,9 @@ if (get_value_from_array($_POST, 'action') == 'new') { $q = $pdo->prepare("SELECT registrations.num FROM registrations WHERE - registrations.email='" . $_SESSION['email'] . "' - AND registrations.year='" . $config['FAIRYEAR'] . "'"); - $q->execute(); + registrations.email=? + AND registrations.year=?"); + $q->execute([$_SESSION['email'], $config['FAIRYEAR']]); if ($q->rowCount()) $r = $q->fetch(PDO::FETCH_OBJ); else { @@ -92,10 +92,10 @@ if (get_value_from_array($_POST, 'action') == 'new') { registrations, students WHERE - students.email='" . $_SESSION['email'] . "' + students.email=? AND students.registrations_id=registrations.id - AND registrations.year='" . $config['FAIRYEAR'] . "'"); - $q->execute(); + AND registrations.year=?"); + $q->execute([$_SESSION['email'],$config['FAIRYEAR']]); $r = $q->fetch(PDO::FETCH_OBJ); } 
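Review bot: In register_participants.php (hunk `@@ -42`) the statement directly above the converted UPDATE is still built by interpolation: `INSERT INTO students (registrations_id,email,schools_id,year) VALUES ('$r->id','" . $_SESSION['email'] . "', ...)`. `$_SESSION['email']` originates from a login form, so it is the most untrusted value in this block and the one that most needs binding; the INSERT should be converted the same way, with `VALUES (?,?,?,?)` and `$stmt->execute([$r->id, $_SESSION['email'], $r->schools_id, $config['FAIRYEAR']]);`.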
@@ -214,8 +214,8 @@ if (get_value_from_array($_POST, 'action') == 'login' && (get_value_from_array($ } else if ($config['participant_registration_type'] == 'schoolpassword') { $showschoolpasswordform = true; if ($_POST['schoolpassword'] && $_POST['schoolid']) { - $q = $pdo->prepare("SELECT registration_password FROM schools WHERE id='" . $_POST['schoolid'] . "' AND year='" . $config['FAIRYEAR'] . "'"); - $q->execute(); + $q = $pdo->prepare("SELECT registration_password FROM schools WHERE id=? AND year=?"); + $q->execute([$_POST['schoolid'], $config['FAIRYEAR']]); $r = $q->fetch(PDO::FETCH_OBJ); if ($_POST['schoolpassword'] == $r->registration_password) { @@ -237,8 +237,8 @@ if (get_value_from_array($_POST, 'action') == 'login' && (get_value_from_array($ echo ''; echo i18n('Email Address:') . ' ' . $_SESSION['email'] . '
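Review bot: The school-password check following the converted query still compares the submitted value with `==`, which applies PHP's loose type juggling to two strings (numeric-looking strings are compared as numbers), and it dereferences `$r->registration_password` without checking that a row was returned for the submitted `schoolid`. A constant-time strict comparison guarded on the fetch is the safer form: `if ($r && hash_equals((string)$r->registration_password, (string)$_POST['schoolpassword'])) {`. Storing the registration password in a form that can be compared directly also suggests it is kept in plain text, which is worth a follow-up outside this commit.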
'; echo i18n('School: '); - $q = $pdo->prepare("SELECT id,school FROM schools WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY school"); - $q->execute(); + $q = $pdo->prepare("SELECT id,school FROM schools WHERE year=? ORDER BY school"); + $q->execute([$config['FAIRYEAR']]); echo '\n"; while ($sr = $sq->fetch(PDO::FETCH_OBJ)) { - $q = $pdo->prepare("SELECT * FROM emergencycontact WHERE registrations_id='" . $_SESSION['registration_id'] . "' AND year='" . $config['FAIRYEAR'] . "' AND students_id='$sr->id'"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM emergencycontact WHERE registrations_id=? AND year=? AND students_id=?"); + $q->execute([$_SESSION['registration_id'], $config['FAIRYEAR'], $sr->id]); if ($q->rowCount() == 0) { - $stmt = $pdo->prepare("INSERT INTO emergencycontact (registrations_id,students_id,year) VALUES ('" . $_SESSION['registration_id'] . "','" . $sr->id . "','" . $config['FAIRYEAR'] . "')"); - $stmt->execute(); + $stmt = $pdo->prepare("INSERT INTO emergencycontact (registrations_id,students_id,year) VALUES (?,?,?)"); + $stmt->execute([$_SESSION['registration_id'], $sr->id, ]); $id = $pdo->lastInsertId(); unset($r); } else { diff --git a/register_participants_isefforms.php b/register_participants_isefforms.php index b2d92508..7d681997 100644 --- a/register_participants_isefforms.php +++ b/register_participants_isefforms.php @@ -45,7 +45,7 @@ "AND students.registrations_id=registrations.id ". "AND registrations.year=".$config['FAIRYEAR']." ". "AND students.year=".$config['FAIRYEAR']); -$q->execute(); +$q->execute([]); show_pdo_errors_if_any($pdo); if($q->rowCount()==0) 
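Review bot: The converted `INSERT INTO emergencycontact (registrations_id,students_id,year) VALUES (?,?,?)` binds only two values, `[$_SESSION['registration_id'], $sr->id, ]`, so the third placeholder is never supplied and the insert fails, after which `$pdo->lastInsertId()` is read from a statement that did not run. The year that the old string interpolated has to be restored in the bind list: `$stmt->execute([$_SESSION['registration_id'], $sr->id, $config['FAIRYEAR']]);`. The hunk header for this change is not legible in this rendering, so the surrounding function boundaries could not be confirmed.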
@@ -73,8 +73,8 @@ show_pdo_errors_if_any($pdo); //because it will be added below by the _FILES, and if its not added there then that means we just said yes and didnt upload anything //so removing it makes it go all red again so you are aware - $stmt = $po->prepare("DELETE FROM TC_ProjectForms WHERE ProjectID='$r->id' AND FormID='$k' AND `year`='$CURRENT_FAIRYEAR'"); - $stmt->execute(); + $stmt = $po->prepare("DELETE FROM TC_ProjectForms WHERE ProjectID=? AND FormID=? AND `year`=?"); + $stmt->execute([$r->id, $k, $CURRENT_FAIRYEAR]); //just look at hte first letter, since its either "no:" or "yes:"; if($v[0]=="n") { @@ -129,8 +129,8 @@ show_pdo_errors_if_any($pdo); if($pgs) $p="'$pgs'"; else $p="null"; - $stmt = $pdo->prepare("DELETE FROM TC_ProjectForms WHERE ProjectID='$r->id' AND FormID='$k' AND `year`='$CURRENT_FAIRYEAR'"); - $stmt->execute(); + $stmt = $pdo->prepare("DELETE FROM TC_ProjectForms WHERE ProjectID=? AND FormID=? AND `year`=?"); + $stmt->execute([$r->id, $k, $CURRENT_FAIRYEAR]); $stmt = $pdo->prepare("INSERT INTO TC_ProjectForms (`FormID`,`ProjectID`,`uploaded`,`filename`,`pages`,`dt`,`year`) VALUES ( $stmt->execute(); '$k', 
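Review bot: The first converted DELETE in register_participants_isefforms.php calls `$po->prepare(...)`, whereas the same statement later in the file (hunk `@@ -129`) uses `$pdo`. If no `$po` variable exists in this scope, this line is a fatal call on null and the stale form row is never removed; it predates the commit but the commit touches the line, so it should read `$stmt = $pdo->prepare("DELETE FROM TC_ProjectForms WHERE ProjectID=? AND FormID=? AND `year`=?");`.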
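Review bot: In hunk `@@ -129` the INSERT that immediately follows the converted DELETE is still assembled from interpolated values (`'$k'` and the `$p` fragment built as `"'$pgs'"` a few lines earlier), so this branch remains only half-parameterized. `$p` is constructed specifically to inject either a quoted value or the bare word `null` into the SQL text; with a bound parameter that distinction is unnecessary, since binding `$pgs ?: null` yields SQL NULL directly. The INSERT continues past the end of the hunk, so the full rewrite cannot be proposed from here.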
@@ -182,13 +182,13 @@ show_pdo_errors_if_any($pdo); if($_GET['action']=="delete" && $_GET['delete']) { //first we need to make sure that this is their own! - $chq=$pdo->prepare("SELECT * FROM TC_ProjectForms WHERE id='".$_GET['delete']."' AND ProjectID='$r->id' AND `year`='$CURRENT_FAIRYEAR'"); - $chq->execute(); + $chq=$pdo->prepare("SELECT * FROM TC_ProjectForms WHERE id=? AND ProjectID=? AND `year`=?"); + $chq->execute([$_GET['delete'], $r->id, $CURRENT_FAIRYEAR]); if($chr=$chq->fetch(PDO::FETCH_OBJ)) { @unlink($TCFORMSLOCATION."/".$CURRENT_FAIRYEAR."/$r->id/$chr->FormID.pdf"); - $stmt = $pdo->prepare("DELETE FROM TC_ProjectForms WHERE id='".$_GET['delete']."' AND ProjectID='$r->id' AND `year`='$CURRENT_FAIRYEAR'"); - $stmt->execute(); + $stmt = $pdo->prepare("DELETE FROM TC_ProjectForms WHERE id=? AND ProjectID=? AND `year`=?"); + $stmt->execute([$_GET['delete'], $r->id, $CURRENT_FAIRYEAR]); $display_happy=i18n("Form successfully deleted"); } else diff --git a/register_participants_main.php b/register_participants_main.php index 2994bf70..5819782f 100644 --- a/register_participants_main.php +++ b/register_participants_main.php @@ -66,8 +66,8 @@ echo '
'; if (registrationFormsReceived()) { // now select their project number - $q = $pdo->prepare("SELECT projectnumber FROM projects WHERE registrations_id='" . $_SESSION['registration_id'] . "' AND year='" . $config['FAIRYEAR'] . "'"); - $q->execute(); + $q = $pdo->prepare("SELECT projectnumber FROM projects WHERE registrations_id=? AND year=?"); + $q->execute([$_SESSION['registration_id'], $config['FAIRYEAR']]); $projectinfo = $q->fetch(PDO::FETCH_OBJ); if ($r->status == 'complete') { @@ -242,8 +242,8 @@ if ($config['specialawardnomination'] != 'none') { if ($special_awards_open == true) { if ($config['specialawardnomination'] == 'date') { - $q = $pdo->prepare("SELECT (NOW()>'" . $config['dates']['specawardregopen'] . "' AND NOW()<'" . $config['dates']['specawardregclose'] . "') AS datecheck"); - $q->execute(); + $q = $pdo->prepare("SELECT (NOW()>? AND NOW()execute([$config['dates']['specawardregopen'], $config['dates']['specawardregclose']]); $r = $q->fetch(PDO::FETCH_OBJ); // this will return 1 if its between the dates, 0 otherwise. if ($r->datecheck == 1) { @@ -259,8 +259,8 @@ if ($config['specialawardnomination'] != 'none') { } } - $q = $pdo->prepare("SELECT * FROM projects WHERE registrations_id='" . $_SESSION['registration_id'] . "' AND year='{$config['FAIRYEAR']}'"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM projects WHERE registrations_id=? AND year=?"); + $q->execute([$_SESSION['registration_id'], $config['FAIRYEAR']]); $project = $q->fetch(PDO::FETCH_OBJ); $nominatedawards = getSpecialAwardsNominatedForProject($project->id); $num = count($nominatedawards); diff --git a/register_participants_mentor.php b/register_participants_mentor.php index c51a9f5a..4dc10239 100644 --- a/register_participants_mentor.php +++ b/register_participants_mentor.php 
@@ -111,11 +111,11 @@ if (get_value_from_array($_GET, 'action') == 'removementor') { echo error(i18n('Cannot make changes to forms once they have been received by the fair')); } else { // first make sure this is one belonging to this registration id - $q = $pdo->prepare("SELECT id FROM mentors WHERE id='" . $_GET['removementor'] . "' AND registrations_id='" . $_SESSION['registration_id'] . "'"); - $q->execute(); + $q = $pdo->prepare("SELECT id FROM mentors WHERE id=?' AND registrations_id=?"); + $q->execute([$_GET['removementor'], $_SESSION['registration_id']]); if ($q->rowCount() == 1) { - $stmt = $pdo->prepare("DELETE FROM mentors WHERE id='" . $_GET['removementor'] . "' AND registrations_id='" . $_SESSION['registration_id'] . "'"); - $stmt->execute(); + $stmt = $pdo->prepare("DELETE FROM mentors WHERE id=? AND registrations_id=?"); + $stmt->execute([$_GET['removementor'], $_SESSION['registration_id']]); echo notice(i18n('Mentor successfully removed')); } else { echo error(i18n('Invalid mentor to remove')); 
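Review bot: The rewritten ownership check in register_participants_mentor.php contains a stray quote: `"SELECT id FROM mentors WHERE id=?' AND registrations_id=?"` leaves an unterminated string literal in the SQL after the placeholder, so the query errors out, `rowCount()` is never 1, and every removal request reports "Invalid mentor to remove". It should match the DELETE below it: `$q = $pdo->prepare("SELECT id FROM mentors WHERE id=? AND registrations_id=?");`.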
@@ -125,18 +125,18 @@ if (get_value_from_array($_GET, 'action') == 'removementor') { // now query and display -$q = $pdo->prepare("SELECT nummentors FROM registrations WHERE id='" . $_SESSION['registration_id'] . "' AND year='" . $config['FAIRYEAR'] . "'"); -$q->execute(); +$q = $pdo->prepare("SELECT nummentors FROM registrations WHERE id=? AND year=?"); +$q->execute([$_SESSION['registration_id'], $config['FAIRYEAR']]); $r = $q->fetch(PDO::FETCH_OBJ); $registrations_nummentors = $r->nummentors; -$q = $pdo->prepare("SELECT * FROM mentors WHERE registrations_id='" . $_SESSION['registration_id'] . "' AND year='" . $config['FAIRYEAR'] . "'"); -$q->execute(); +$q = $pdo->prepare("SELECT * FROM mentors WHERE registrations_id=? AND year=?"); +$q->execute([$_SESSION['registration_id'], $config['FAIRYEAR']]); $numfound = $q->rowCount(); if (isset($_GET['nummentors'])) { - $stmt = $pdo->prepare("UPDATE registrations SET nummentors='" . $_GET['nummentors'] . "' WHERE id='" . $_SESSION['registration_id'] . "'"); - $stmt->execute(); + $stmt = $pdo->prepare("UPDATE registrations SET nummentors=? WHERE id=?"); + $stmt->execute([$_GET['nummentors'], $_SESSION['registration_id']]); $registrations_nummentors = $_GET['nummentors']; $numtoshow = $_GET['nummentors']; } else diff --git a/register_participants_namecheck.php b/register_participants_namecheck.php index 9c1f3e3f..260f1534 100644 --- a/register_participants_namecheck.php +++ b/register_participants_namecheck.php 
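Review bot: Binding `$_GET['nummentors']` closes the injection path, but the value is still stored and then reused unvalidated as `$registrations_nummentors` and `$numtoshow`, which later drives a `for` loop over the mentor form. Since the column holds a count, cast and bound it once before use, e.g. `$nummentors = max(0, intval($_GET['nummentors']));`, and bind that variable instead of the raw request string so a non-numeric or very large value cannot reach the UPDATE or the rendering loop.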
@@ -66,12 +66,12 @@ if ($_POST['action'] == 'save') { $pu = ($_POST['punc'] == 'yes') ? true : false; if ($sp && $ca && $pu) { - $q = $pdo->prepare("UPDATE students SET namecheck_complete='yes' WHERE registrations_id='{$_SESSION['registration_id']}'"); + $q = $pdo->prepare("UPDATE students SET namecheck_complete='yes' WHERE registrations_id=?"); - $q->execute(); + $q->execute([$_SESSION['registration_id']]); } else if ($s->namecheck_complete != 'no') { - $q = $pdo->prepare("UPDATE students SET namecheck_complete='no' WHERE registrations_id='{$_SESSION['registration_id']}'"); - $q->execute(); + $q = $pdo->prepare("UPDATE students SET namecheck_complete='no' WHERE registrations_id=?"); + $q->execute([$_SESSION['registration_id']]); } } } diff --git a/register_participants_project.php b/register_participants_project.php index cbe9fd98..39946807 100644 --- a/register_participants_project.php +++ b/register_participants_project.php @@ -78,8 +78,8 @@ if (get_value_from_array($_POST, 'action') == 'save') { echo error(i18n('Cannot make changes to forms after registration deadline')); } else { // first, lets make sure this project really does belong to them - $q = $pdo->prepare("SELECT * FROM projects WHERE id='" . $_POST['id'] . "' AND registrations_id='" . $_SESSION['registration_id'] . "' AND year='" . $config['FAIRYEAR'] . "'"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM projects WHERE id=? AND registrations_id=? AND year=?"); + $q->execute([$_POST['id'], $_SESSION['registration_id'], $config['FAIRYEAR']]); if ($q->rowCount() == 1) { $summarywords = preg_split('/[\s,]+/', $_POST['summary']); $summarywordcount = count($summarywords); 
@@ -128,13 +128,13 @@ if (get_value_from_array($_POST, 'action') == 'save') { } // now lets find out their MAX grade, so we can pre-set the Age Category -$q = $pdo->prepare("SELECT MAX(grade) AS maxgrade FROM students WHERE registrations_id='" . $_SESSION['registration_id'] . "'"); -$q->execute(); +$q = $pdo->prepare("SELECT MAX(grade) AS maxgrade FROM students WHERE registrations_id=?"); +$q->execute([$_SESSION['registration_id']]); $gradeinfo = $q->fetch(PDO::FETCH_OBJ); // now lets grab all the age categories, so we can choose one based on the max grade -$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY id"); -$q->execute(); +$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year=? ORDER BY id"); +$q->execute([$config['FAIRYEAR']]); while ($r = $q->fetch(PDO::FETCH_OBJ)) { // save these in an array, just incase we need them later (FIXME: remove this array if we dont need it) $agecategories[$r->id]['category'] = $r->category; 
@@ -146,24 +146,24 @@ while ($r = $q->fetch(PDO::FETCH_OBJ)) { } } // now select their project info -$q = $pdo->prepare("SELECT * FROM projects WHERE registrations_id='" . $_SESSION['registration_id'] . "' AND year='" . $config['FAIRYEAR'] . "'"); -$q->execute(); +$q = $pdo->prepare("SELECT * FROM projects WHERE registrations_id=? AND year=?"); +$q->execute([$_SESSION['registration_id'], $config['FAIRYEAR']]); // check if it exists, if we didnt find any record, lets insert one if ($q->rowCount() == 0) { $stmt = $pdo->prepare("INSERT INTO projects (registrations_id,projectcategories_id,year) VALUES ('" . $_SESSION['registration_id'] . "','$projectcategories_id','" . $config['FAIRYEAR'] . "')"); $stmt->execute(); // now query the one we just inserted - $q = $pdo->prepare("SELECT * FROM projects WHERE registrations_id='" . $_SESSION['registration_id'] . "' AND year='" . $config['FAIRYEAR'] . "'"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM projects WHERE registrations_id=? AND year=?"); + $q->execute([$_SESSION['registration_id'], $config['FAIRYEAR']]); } $projectinfo = $q->fetch(PDO::FETCH_OBJ); // make sure that if they changed their grade on the student page, we update their projectcategories_id accordingly if ($projectcategories_id && $projectinfo->projectcategories_id != $projectcategories_id) { echo notice(i18n('Age category changed, updating to %1', array($agecategories[$projectcategories_id]['category']))); - $stmt = $pdo->prepare("UPDATE projects SET projectcategories_id='$projectcategories_id' WHERE id='$projectinfo->id'"); - $stmt->execute(); + $stmt = $pdo->prepare("UPDATE projects SET projectcategories_id=? WHERE id=?"); + $stmt->execute([$projectcategories_id, $projectinfo->id]); } // output the current status @@ -219,12 +219,12 @@ echo '
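Review bot: In register_participants_project.php the context line between the two converted SELECTs is still built by interpolation: `INSERT INTO projects (registrations_id,projectcategories_id,year) VALUES ('" . $_SESSION['registration_id'] . "','$projectcategories_id','" . $config['FAIRYEAR'] . "')`. The values are internal, but leaving one interpolated statement inside a block that is otherwise parameterized invites the next maintainer to copy the older form; converting it to `VALUES (?,?,?)` with `$stmt->execute([$_SESSION['registration_id'], $projectcategories_id, $config['FAIRYEAR']]);` keeps the file consistent.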
 
' . i18n('Division') . ': '; // ###### Feature Specific - filtering divisions by category if ($config['filterdivisionbycategory'] == 'yes') { - $q = $pdo->prepare('SELECT projectdivisions.* FROM projectdivisions,projectcategoriesdivisions_link WHERE projectdivisions.id=projectdivisions_id AND projectcategories_id=' . $projectcategories_id . " AND projectdivisions.year='" . $config['FAIRYEAR'] . "' AND projectcategoriesdivisions_link.year='" . $config['FAIRYEAR'] . "' ORDER BY division"); - $q->execute(); + $q = $pdo->prepare('SELECT projectdivisions.* FROM projectdivisions,projectcategoriesdivisions_link WHERE projectdivisions.id=projectdivisions_id AND projectcategories_id=' . $projectcategories_id . " AND projectdivisions.year=? AND projectcategoriesdivisions_link.year=? ORDER BY division"); + $q->execute([$config['FAIRYEAR'],$config['FAIRYEAR']]); show_pdo_errors_if_any($pdo); } else - $q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY division"); -$q->execute(); + $q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year=? ORDER BY division"); +$q->execute([$config['FAIRYEAR']]); echo '' . i18n('School') . ''; if ($config['participant_registration_type'] == 'open' || $config['participant_registration_type'] == 'singlepassword' || $config['participant_registration_type'] == 'openorinvite' || ($studentinfo && !$studentinfo->schools_id)) { $schoolq = $pdo->prepare("SELECT id,school,city FROM schools WHERE year='" . $config['FAIRYEAR'] . "' ORDER by city,school"); - $schoolq->execute(); + $schoolq->execute([]); echo "' . REQUIREDFIELD; } else { - $schoolq = $pdo->prepare("SELECT id,school FROM schools WHERE year='" . $config['FAIRYEAR'] . "' AND id='$studentinfo->schools_id'"); - $schoolq->execute(); + $schoolq = $pdo->prepare("SELECT id,school FROM schools WHERE year=? AND id=?"); + $schoolq->execute([$config['FAIRYEAR'], $studentinfo->schools_id]); $r = $schoolq->fetch(PDO::FETCH_OBJ); echo $r->school; } 
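Review bot: The division query in hunk `@@ -219` binds both year values but still concatenates `$projectcategories_id` directly into the SQL text (`projectcategories_id=' . $projectcategories_id . " AND ...`). The variable appears to be derived internally from the age-category lookup rather than from the request, so this is a consistency rather than an injection point, but it is the only remaining concatenation in the statement; adding a third placeholder and binding `[$projectcategories_id, $config['FAIRYEAR'], $config['FAIRYEAR']]` would make the statement fully parameterized.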
@@ -466,8 +466,8 @@ for ($x = 1; $x <= $numtoshow; $x++) { if ($config['participant_regfee_items_enable'] == 'yes') { $sel_q = $pdo->prepare("SELECT * FROM regfee_items_link - WHERE students_id=$id"); - $sel_q->execute(); + WHERE students_id=?"); + $sel_q->execute([$id]); $sel = array(); while ($info_q = $sel_q->fetch(PDO::FETCH_ASSOC)) { $sel[$info_q['regfee_items_id']] = $info_q['id']; diff --git a/register_participants_tours.php b/register_participants_tours.php index 67ad6f05..525d0074 100644 --- a/register_participants_tours.php +++ b/register_participants_tours.php @@ -71,10 +71,10 @@ if ($_POST['action'] == 'save') { } else { // first we will delete all their old answer, its easier to delete and re-insert in this case then it would be to find the corresponding answers and update them $stmt = $pdo->prepare("DELETE FROM tours_choice - WHERE registrations_id='{$_SESSION['registration_id']}' - AND year='{$config['FAIRYEAR']}' + WHERE registrations_id=? + AND year=? AND rank!='0'"); - $stmt->execute(); + $stmt->execute([$_SESSION['registration_id'],$config['FAIRYEAR']]); if (is_array($_POST['toursel'])) { foreach ($_POST['toursel'] AS $students_id => $ts) { $selarray = array(); @@ -131,8 +131,8 @@ if ($newstatus != 'complete') { } $assigned_tour = array(); -$q = $pdo->prepare("SELECT * FROM tours_choice WHERE registrations_id='" . $_SESSION['registration_id'] . "' AND year='" . $config['FAIRYEAR'] . "'"); -$q->execute(); +$q = $pdo->prepare("SELECT * FROM tours_choice WHERE registrations_id=? AND year=?"); +$q->execute([$_SESSION['registration_id'],$config['FAIRYEAR']]); while ($r = $q->fetch(PDO::FETCH_OBJ)) { if ($r->rank == 0) $assigned_tour[$r->students_id] = $r->tour_id; 
@@ -140,8 +140,8 @@ while ($r = $q->fetch(PDO::FETCH_OBJ)) { } $tours = array(); -$q = $pdo->prepare("SELECT * FROM tours WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY id"); -$q->execute(); +$q = $pdo->prepare("SELECT * FROM tours WHERE year=? ORDER BY id"); +$q->execute([$config['FAIRYEAR']]); if ($q->rowCount() == 0) { echo notice(i18n('There is not tour information')); send_footer(); @@ -163,8 +163,8 @@ $max = $config['tours_choices_max']; echo "\n"; echo "\n"; -$q = $pdo->prepare("SELECT * FROM students WHERE registrations_id='" . $_SESSION['registration_id'] . "' AND year='" . $config['FAIRYEAR'] . "'"); -$q->execute(); +$q = $pdo->prepare("SELECT * FROM students WHERE registrations_id=? AND year=?"); +$q->execute([$_SESSION['registration_id'],$config['FAIRYEAR']]); $num_found = $q->rowCount(); $print_submit = false; diff --git a/remote.php b/remote.php index 71310813..b6ffbb85 100644 --- a/remote.php +++ b/remote.php @@ -39,9 +39,9 @@ function handle_getstats(&$u, $fair, &$data, &$response) $response['statconfig'] = explode(',', $fair['gather_stats']); /* Send back the stats we currently have */ - $q = $pdo->prepare("SELECT * FROM fairs_stats WHERE fairs_id='{$u['fairs_id']}' - AND year='$year'"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM fairs_stats WHERE fairs_id=? + AND year=?"); + $q->execute([$u['fairs_id'],$year]); $response['stats'] = $q->fetch(PDO::FETCH_ASSOC); unset($response['stats']['id']); $response['error'] = 0; 
@@ -59,12 +59,12 @@ function handle_stats(&$u, $fair, &$data, &$response)
 // $str = join(',',$stats);
 $keys = '`fairs_id`,`' . join('`,`', array_keys($stats)) . '`';
 $vals = "'{$u['fairs_id']}','" . join("','", array_values($stats)) . "'";
- $stmt = $pdo->prepare("DELETE FROM fairs_stats WHERE fairs_id='{$u['fairs_id']}'
- AND year='{$stats['year']}'");
- $stmt->execute();
+ $stmt = $pdo->prepare("DELETE FROM fairs_stats WHERE fairs_id=?
+ AND year=?");
+ $stmt->execute([$u['fairs_id'],$stats['year']]);
 show_pdo_errors_if_any($pdo);
- $stmt = $pdo->prepare("INSERT INTO fairs_stats (`id`,$keys) VALUES ('',$vals)");
- $stmt->execute();
+ $stmt = $pdo->prepare("INSERT INTO fairs_stats (`id`,?) VALUES ('',?)");
+ $stmt->execute([$keys,$vals]);
 show_pdo_errors_if_any($pdo);
 $response['message'] = 'Stats saved';
@@ -80,8 +80,8 @@ function handle_getawards(&$u, $fair, &$data, &$response)
 $ids = array();
 /* Load a list of awards linked to the fair id */
- $q = $pdo->prepare("SELECT * FROM fairs_awards_link WHERE fairs_id='{$fair['id']}'");
- $q->execute();
+ $q = $pdo->prepare("SELECT * FROM fairs_awards_link WHERE fairs_id=?");
+ $q->execute([$fair['id']]);
 while ($r = $q->fetch(PDO::FETCH_ASSOC)) {
 $aaid = $r['award_awards_id'];
 if ($r['download_award'] == 'yes')
@@ -91,8 +91,8 @@ function handle_getawards(&$u, $fair, &$data, &$response)
 /* Load the awards this fair is allowed to download */
 $where = "(id='" . join("' OR id='", $ids) . "')";
- $q = $pdo->prepare("SELECT * FROM award_awards WHERE $where AND year='$year'");
- $q->execute();
+ $q = $pdo->prepare("SELECT * FROM award_awards WHERE ? AND year=?");
+ $q->execute([$where, $year]);
 while ($a = $q->fetch(PDO::FETCH_ASSOC)) {
 $award = array();
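Review bot: `INSERT INTO fairs_stats (`id`,?) VALUES ('',?)` in the handle_stats hunk binds the whole column list and the whole value list as two string literals, which is not valid SQL and would bind one value for many columns even if it were; a PDO placeholder can stand for a single value only, never for an identifier or a SQL fragment. The `@@ -91` hunk makes the same mistake by binding `$where`, so `WHERE ? AND year=?` compares a string constant instead of `id` values and returns no awards. Because the `$stats` keys arrive from the remote fair, the column names need an allow-list check against the real `fairs_stats` columns before they are placed in the query text, with one placeholder per value (sketch below, `$allowed_stat_columns` is a placeholder for a fixed list taken from the schema). For the award lookup, emit one placeholder per id: `$marks = join(',', array_fill(0, count($ids), '?'));` then `$q = $pdo->prepare("SELECT * FROM award_awards WHERE id IN ($marks) AND year=?"); $q->execute(array_merge($ids, [$year]));`, after guarding the empty-`$ids` case.
```php
// … unchanged: $stats assembly (starts above this hunk) …
// Placeholders cannot name columns: keep only known fairs_stats columns in
// the query text. $allowed_stat_columns stands for a fixed list from the schema.
$stats = array_intersect_key($stats, array_flip($allowed_stat_columns));
$keys = '`fairs_id`,`' . join('`,`', array_keys($stats)) . '`';
$marks = join(',', array_fill(0, count($stats) + 1, '?'));
// … unchanged: DELETE FROM fairs_stats with bound fairs_id / year …
$stmt = $pdo->prepare("INSERT INTO fairs_stats (`id`,$keys) VALUES ('',$marks)");
$stmt->execute(array_merge([$u['fairs_id']], array_values($stats)));
show_pdo_errors_if_any($pdo);
```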
@@ -107,8 +107,8 @@ function handle_getawards(&$u, $fair, &$data, &$response) $award['schedule_judges'] = $a['schedule_judges']; if ($a['sponsors_id']) { - $sq = $pdo->prepare("SELECT * FROM sponsors WHERE id='{$a['sponsors_id']}'"); - $sq->execute(); + $sq = $pdo->prepare("SELECT * FROM sponsors WHERE id=?"); + $sq->execute([$a['sponsors_id']]); if ($sq->rowCount()) { $s = $sq->fetch(PDO::FETCH_ASSOC); $award['sponsor'] = $s['organization']; @@ -116,8 +116,8 @@ function handle_getawards(&$u, $fair, &$data, &$response) } $award['prizes'] = array(); - $pq = $pdo->prepare("SELECT * FROM award_prizes WHERE award_awards_id='{$a['id']}'"); - $pq->execute(); + $pq = $pdo->prepare("SELECT * FROM award_prizes WHERE award_awards_id=?"); + $pq->execute([$a['id']]); while ($p = $pq->fetch(PDO::FETCH_ASSOC)) { /* Map array keys -> local database field */ $map = array('cash' => 'cash', 'scholarship' => 'scholarship', @@ -176,8 +176,8 @@ function award_upload_update_school(&$mysql_query, &$school, $school_id = -1) $set .= ','; $set .= "`$m`='" . $school[$t] . "'"; } - $stmt = $pdo->prepare("UPDATE schools SET $set WHERE id='$sid'"); - $stmt->execute(); + $stmt = $pdo->prepare("UPDATE schools SET ? WHERE id=?"); + $stmt->execute([$set,$sid]); return $sid; } 
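Review bot: `UPDATE schools SET ? WHERE id=?` in the `@@ -176` hunk binds the entire `$set` clause as one string parameter, which yields a syntax error rather than an update, and the values inside `$set` (`"`$m`='" . $school[$t] . "'"`) are still spliced into SQL text even though they come from the uploaded `$school` record. The placeholder has to go on each value instead: append `"`$m`=?"` per column inside the loop, collect the values into an array, and bind them together with `$sid` (sketch below; `$params = array();` must be initialised before the loop, and `$m` is assumed to come from a fixed field map rather than from the upload). The loop that builds `$set` starts above this hunk, so the change touches lines outside it; the same bound-fragment pattern appears in handle_stats and handle_getawards earlier in this file.
```php
// … unchanged: loop head over the field map (starts above this hunk) …
        $set .= ',';
    $set .= "`$m`=?";
    $params[] = $school[$t];
}
$params[] = $sid;
$stmt = $pdo->prepare("UPDATE schools SET $set WHERE id=?");
$stmt->execute($params);
return $sid;
```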
@@ -192,33 +192,33 @@ function award_upload_school(&$student, &$school, $year, &$response) $student_city = $student['city']; /* Find school by matching name, city, phone, year */ - $q = $pdo->prepare("SELECT * FROM schools WHERE school='$school_name' AND city='$school_city' AND phone='$school_phone' AND year='$year'"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM schools WHERE school=? AND city=? AND phone=? AND year=?"); + $q->execute([$school_name,$school_city,$school_phone,$year]); if ($q->rowCount() == 1) return award_upload_update_school($q, $school); /* Find school by matching name, city, address, year */ - $q = $pdo->prepare("SELECT * FROM schools WHERE school='$school_name' AND city='$school_city' AND address='$school_addr' AND year='$year'"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM schools WHERE school=? AND city=? AND address=? AND year=?"); + $q->execute([$school_name,$school_city,$school_addr,$year]); if ($q->rowCount() == 1) return award_upload_update_school($q, $school); /* Find school by matching name, city, year */ - $q = $pdo->prepare("SELECT * FROM schools WHERE school='$school_name' AND city='$school_city' AND year='$year'"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM schools WHERE school=? AND city=? AND year=?"); + $q->execute([$school_name,$school_city,$year]); if ($q->rowCount() == 1) return award_upload_update_school($q, $school); /* Find school by matching name, student city, year */ - $q = $pdo->prepare("SELECT * FROM schools WHERE school='$school_name' AND city='$student_city' AND year='$year'"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM schools WHERE school=? AND city=? AND year=?"); + $q->execute([$school_name,$student_city,$year]); if ($q->rowCount() == 1) return award_upload_update_school($q, $school); $response['notice'][] = " - Creating new school: $school_name"; /* No? ok, make a new school */ - $stmt = $pdo->prepare("INSERT INTO schools(`school`,`year`) VALUES ('" . $school['schoolname'] . 
"','$year')"); - $stmt->execute(); + $stmt = $pdo->prepare("INSERT INTO schools(`school`,`year`) VALUES (?,?)"); + $stmt->execute([$school['schoolname'], $year]); $school_id = $pdo->lastInsertId(); return award_upload_update_school($q, $school, $school_id); } @@ -251,8 +251,8 @@ function award_upload_assign(&$fair, &$award, &$prize, &$project, $year, &$respo /* See if this project already exists */ $pn = $project['projectnumber']; - $q = $pdo->prepare("SELECT * FROM projects WHERE projectnumber='$pn' AND fairs_id='{$fair['id']}' AND year='$year'"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM projects WHERE projectnumber=? AND fairs_id=? AND year=?"); + $q->execute([$pn,$fair['id'],$year]); show_pdo_errors_if_any($pdo); if ($q->rowCount() == 1) { $our_project = $q->fetch(PDO::FETCH_ASSOC); @@ -268,8 +268,8 @@ function award_upload_assign(&$fair, &$award, &$prize, &$project, $year, &$respo // random number between // 100000 and 999999 (six digit integer) $regnum = rand(100000, 999999); - $q = $pdo->prepare("SELECT * FROM registrations WHERE num='$regnum' AND year=$year"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM registrations WHERE num=? AND year=?"); + $q->execute([$regnum,$year]); show_pdo_errors_if_any($pdo); } while ($q->rowCount() > 0); @@ -290,8 +290,8 @@ function award_upload_assign(&$fair, &$award, &$prize, &$project, $year, &$respo $reg_email_needs_update = true; $new_reg = true; } - $q = $pdo->prepare("SELECT * FROM registrations WHERE id='$registrations_id'"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM registrations WHERE id=?"); + $q->execute([$registrations_id]); $registration = $q->fetch(PDO::FETCH_ASSOC); /* Update the project in case anythign changed */ 
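Review bot: The `INSERT INTO winners ... VALUES('{$prize['id']}','$pid','$year','{$fair['id']}')` statement at the top of the `@@ -307` hunk is left with interpolated values while the `DELETE FROM students` two lines below it is converted; `$pid` and `$year` presumably derive from the uploaded project data handled by award_upload_assign. Convert it the same way: `VALUES(?,?,?,?)` with `$stmt->execute([$prize['id'], $pid, $year, $fair['id']]);`. The INSERT's first line is above the hunk boundary, so the full statement is not visible here.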
@@ -307,8 +307,8 @@ function award_upload_assign(&$fair, &$award, &$prize, &$project, $year, &$respo VALUES('{$prize['id']}','$pid','$year','{$fair['id']}')"); $stmt->execute(); /* Delete the students attached to this project */ - $stmt = $pdo->prepare("DELETE FROM students WHERE registrations_id='$registrations_id'"); - $stmt->execute(); + $stmt = $pdo->prepare("DELETE FROM students WHERE registrations_id=?"); + $stmt->execute([$registrations_id]); /* Add new */ foreach ($project['students'] as &$student) { @@ -327,9 +327,9 @@ function award_upload_assign(&$fair, &$award, &$prize, &$project, $year, &$respo /* Update the registration email */ if ($reg_email_needs_update) { - $stmt = $pdo->prepare("UPDATE registrations SET email='" . $student['email'] . "' - WHERE id='$registrations_id'"); - $stmt->execute(); + $stmt = $pdo->prepare("UPDATE registrations SET email=? + WHERE id=?"); + $stmt->execute([$student['email'],$registrations_id]); $reg_email_needs_update = false; } @@ -350,8 +350,8 @@ function award_upload_assign(&$fair, &$award, &$prize, &$project, $year, &$respo * or antyhing, we probably want to include it in reports, so set * it to complete */ - $stmt = $pdo->prepare("UPDATE registrations SET status='complete' WHERE id='$registrations_id'"); - $stmt->execute(); + $stmt = $pdo->prepare("UPDATE registrations SET status='complete' WHERE id=?"); + $stmt->execute([$registrations_id]); } } @@ -374,8 +374,8 @@ function handle_awards_upload(&$u, &$fair, &$data, &$response) /* Find the award */ $eid = $external_identifier; - $q = $pdo->prepare("SELECT * FROM award_awards WHERE external_identifier='$eid' AND year='$year'"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM award_awards WHERE external_identifier=? AND year=?"); + $q->execute([$eid,$year]); if ($q->rowCount() != 1) { $response['message'] = "Unknown award identifier '$eid' for year $year"; $response['error'] = 1; 
@@ -391,16 +391,16 @@ function handle_awards_upload(&$u, &$fair, &$data, &$response) * check the year as long as we query by aaid */ $prizes = array(); - $q = $pdo->prepare("SELECT * FROM award_prizes WHERE award_awards_id='$aaid'"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM award_prizes WHERE award_awards_id=?"); + $q->execute([$aaid]); while ($prize = $q->fetch(PDO::FETCH_ASSOC)) { $response['notice'][] = " - Prize: {$prize['prize']}"; /* Clean out existing winners for this prize */ $stmt = $pdo->prepare("DELETE FROM winners WHERE - award_prize_id='{$prize['id']}' - AND fairs_id='{$fair['id']}'"); - $stmt->execute(); + award_prize_id=? + AND fairs_id=?"); + $stmt->execute([$prize['id'],$fair['id']]); /* Assign projects to this prize */ $ul_p = &$award_data['prizes'][$prize['prize']]; @@ -421,8 +421,8 @@ function handle_get_categories(&$u, &$fair, &$data, &$response) global $pdo; $year = intval($data['get_categories']['year']); $cat = array(); - $q = $pdo->prepare("SELECT * FROM projectcategories WHERE year='$year' ORDER BY id"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM projectcategories WHERE year=? ORDER BY id"); + $q->execute([$year]); while ($r = $q->fetch(PDO::FETCH_OBJ)) { $cat[$r->id] = array('id' => $r->id, 'category' => $r->category, @@ -438,8 +438,8 @@ function handle_get_divisions(&$u, &$fair, &$data, &$response) global $pdo; $year = intval($data['get_divisions']['year']); $div = array(); - $q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year='$year' ORDER BY id"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year=? ORDER BY id"); + $q->execute([$year]); while ($r = $q->fetch(PDO::FETCH_OBJ)) { $div[$r->id] = array('id' => $r->id, 'division' => $r->division); 
@@ -455,8 +455,8 @@ function handle_award_additional_materials(&$u, &$fair, &$data, &$response) $external_identifier = $data['award_additional_materials']['identifier']; $eid = $external_identifier; - $q = $pdo->prepare("SELECT * FROM award_awards WHERE external_identifier='$eid' AND year='$year'"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM award_awards WHERE external_identifier=? AND year=?"); + $q->execute([$eid,$year]); if ($q->rowCount() != 1) { $response['message'] = "Unknown award identifier '$eid'"; $response['error'] = 1; diff --git a/schoolaccess.php b/schoolaccess.php index 19da60e4..48d64d13 100644 --- a/schoolaccess.php +++ b/schoolaccess.php @@ -8,13 +8,13 @@ $happymsg = null; $errormsg = null; if (get_value_from_array($_POST, 'schoolid') && get_value_from_array($_POST, 'accesscode')) { - $q = $pdo->prepare("SELECT * FROM schools WHERE id='" . $_POST['schoolid'] . "' AND accesscode='" . $_POST['accesscode'] . "' AND year='" . $config['FAIRYEAR'] . "'"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM schools WHERE id=? AND accesscode=? AND year=?"); + $q->execute([$_POST['schoolid'], $_POST['accesscode'], $config['FAIRYEAR']]); if ($q->rowCount() == 1) { $_SESSION['schoolid'] = $_POST['schoolid']; $_SESSION['schoolaccesscode'] = $_POST['accesscode']; - $stmt = $pdo->prepare("UPDATE schools SET lastlogin=NOW() WHERE id='" . $_POST['schoolid'] . "'"); - $stmt->execute(); + $stmt = $pdo->prepare("UPDATE schools SET lastlogin=NOW() WHERE id=?"); + $stmt->execute([$_POST['schoolid']]); } else $errormsg = 'Invalid School ID or Access Code'; } 
@@ -27,8 +27,8 @@ if (get_value_from_array($_GET, 'action') == 'logout') { send_header('School Access'); if (get_value_from_array($_SESSION, 'schoolid') && $_SESSION['schoolaccesscode']) { - $q = $pdo->prepare("SELECT * FROM schools WHERE id='" . $_SESSION['schoolid'] . "' AND accesscode='" . $_SESSION['schoolaccesscode'] . "' AND year='" . $config['FAIRYEAR'] . "'"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM schools WHERE id=? AND accesscode=? AND year=?"); + $q->execute([$_SESSION['schoolid'], $_SESSION['schoolaccesscode'], $config['FAIRYEAR']]); show_pdo_errors_if_any($pdo); $school = $q->fetch(PDO::FETCH_OBJ); if ($school) { @@ -86,8 +86,8 @@ if (get_value_from_array($_SESSION, 'schoolid') && $_SESSION['schoolaccesscode'] echo happy(i18n('School information successfully updated')); // and reselect it - $q = $pdo->prepare("SELECT * FROM schools WHERE id='" . $_SESSION['schoolid'] . "' AND accesscode='" . $_SESSION['schoolaccesscode'] . "' AND year='" . $config['FAIRYEAR'] . "'"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM schools WHERE id=? AND accesscode=? AND year=?"); + $q->execute([$_SESSION['schoolid'], $_SESSION['schoolaccesscode'], $config['FAIRYEAR']]); show_pdo_errors_if_any($pdo); $school = $q->fetch(PDO::FETCH_OBJ); } @@ -220,8 +220,8 @@ if (get_value_from_array($_SESSION, 'schoolid') && $_SESSION['schoolaccesscode'] "; @@ -98,8 +98,8 @@ echo "
\n"; echo "

Donor Levels

\n"; - $q=$pdo->prepare("SELECT * FROM fundraising_donor_levels WHERE year='".$config['FISCALYEAR']."' ORDER BY max DESC"); - $q->execute(); + $q=$pdo->prepare("SELECT * FROM fundraising_donor_levels WHERE year=? ORDER BY max DESC"); + $q->execute([$config['FISCALYEAR']]); echo "
"; echo ""; echo "\n"; diff --git a/tableeditor.class.php b/tableeditor.class.php index 3cdacf1e..99329b50 100644 --- a/tableeditor.class.php +++ b/tableeditor.class.php @@ -369,7 +369,7 @@ class TableEditor // figure out what kind of input this should be $q = $pdo->prepare("SHOW COLUMNS FROM `{$this->table}` LIKE '$f'"); - $q->execute(); + $q->execute([]); $r = $q->fetch(PDO::FETCH_OBJ); if (preg_match('([a-z]*)\(([0-9,]*)\)', $r->Type, $regs)) { @@ -785,8 +785,8 @@ class TableEditor case 'enum': break; case 'select_or_text': - $optq = $pdo->prepare("SELECT DISTINCT($f) AS $f FROM `{$this->table}` ORDER BY $f"); - $optq->execute(); + $optq = $pdo->prepare("SELECT DISTINCT(?) AS ? FROM ? ORDER BY ?"); + $optq->execute([$f,$f,$this->table, $f]); if ($this->fieldInputOptions[$f]) echo ''; foreach ($this->listfields AS $f => $n) { // figure out what kind of input this should be - $typeq = $pdo->prepare("SHOW COLUMNS FROM `{$this->table}` LIKE '$f'"); - $typeq->execute(); + $typeq = $pdo->prepare("SHOW COLUMNS FROM ? LIKE ?"); + $typeq->execute([$this->table,$f]); $typer = $typeq->fetCh(PDO::FETCH_OBJ); if ($typer->Type == 'time') echo ''; diff --git a/tours.class.php b/tours.class.php index 947e3f2b..0997d84e 100644 --- a/tours.class.php +++ b/tours.class.php @@ -85,8 +85,8 @@ class tours $q = $pdo->prepare("SELECT\ttours.* FROM \ttours - WHERE \ttours.id='$id'"); - $q->execute(); + WHERE \ttours.id=?"); + $q->execute([$id]); show_pdo_errors_if_any($pdo); /* @@ -114,7 +114,7 @@ class tours if ($this->id == false) { $query = "INSERT INTO tours (id) VALUES ('')"; $stmt = $pdo->prepare($query); - $stmt->execute(); + $stmt->execute([]); $this->id = $pdo->lastInsertId(); } 
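Review bot: `SELECT DISTINCT(?) AS ? FROM ? ORDER BY ?` and `SHOW COLUMNS FROM ? LIKE ?` in tableeditor.class.php bind table and column names as parameters; PDO sends them as quoted string literals, so the first returns a single constant row instead of the distinct column values and the second is a syntax error (`SHOW COLUMNS FROM 'table'`). Identifiers have to stay in the query text: `$optq = $pdo->prepare("SELECT DISTINCT(`$f`) AS `$f` FROM `{$this->table}` ORDER BY `$f`"); $optq->execute();` and `$typeq = $pdo->prepare("SHOW COLUMNS FROM `{$this->table}` LIKE ?"); $typeq->execute([$f]);`. `$f` is taken from the keys of `$this->listfields`, so it should be checked as a plain identifier (`preg_match('/^[A-Za-z0-9_]+$/', $f)`) if those keys can be supplied from outside the class. The `@@ -785,8 +785,8 @@` header covers eight lines but the text that follows runs on to the second SHOW COLUMNS change, so a hunk header appears to have been lost in this rendering and that hunk's own boundaries are not visible.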
@@ -143,10 +143,10 @@ class tours $id = $this->id; - $stmt = $pdo->prepare("DELETE FROM tours_choice WHERE tour_id='$id' AND year=" . $config['FAIRYEAR'] . "'"); - $stmt->execute(); - $stmt = $pdo->prepare("DELETE FROM tours WHERE id='$id' AND year='" . $config['FAIRYEAR'] . "'"); - $stmt->execute(); + $stmt = $pdo->prepare("DELETE FROM tours_choice WHERE tour_id=? AND year=?"); + $stmt->execute([$id, $config['FAIRYEAR']]); + $stmt = $pdo->prepare("DELETE FROM tours WHERE id=? AND year=?"); + $stmt->execute([$id, $config['FAIRYEAR']]); echo happy(i18n("Successfully removed tour from this year's fair")); } diff --git a/user.inc.php b/user.inc.php index 968f9562..953ce8cb 100644 --- a/user.inc.php +++ b/user.inc.php @@ -111,8 +111,8 @@ function user_load_judge(&$u) } $specialawards = array(); if ($u['special_award_only'] == 'yes') { - $q = $pdo->prepare("SELECT * FROM judges_specialaward_sel WHERE users_id='{$u['id']}'"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM judges_specialaward_sel WHERE users_id=?"); + $q->execute([$u['id']]); while ($r = $q->fetch(PDO::FETCH_OBJ)) { $specialawards[] = $r->award_awards_id; } @@ -149,8 +149,8 @@ function user_load_sponsor(&$u) $u['sponsor_complete'] = ($u['sponsor_complete'] == 'yes') ? 'yes' : 'no'; $u['sponsor_active'] = ($u['sponsor_active'] == 'yes') ? 'yes' : 'no'; if ($u['sponsors_id']) { - $q = $pdo->prepare("SELECT * FROM sponsors WHERE id='{$u['sponsors_id']}'"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM sponsors WHERE id=?"); + $q->execute([$u['sponsors_id']]); $u['sponsor'] = $q->fetch(PDO::FETCH_ASSOC); } return true; 
@@ -317,8 +317,8 @@ function user_load_by_email($email) global $pdo; /* Find the most recent uid for the email, regardless of deleted status */ $e = $email; - $q = $pdo->prepare("SELECT uid FROM users WHERE email='$e' OR username='$e' ORDER BY year DESC LIMIT 1"); - $q->execute(); + $q = $pdo->prepare("SELECT uid FROM users WHERE email=? OR username=? ORDER BY year DESC LIMIT 1"); + $q->execute([$e, $e]); if ($q->rowCount() == 1) { $i = $q->fetch(PDO::FETCH_ASSOC); return user_load_by_uid($i['uid']); @@ -365,9 +365,9 @@ function user_set_password($id, $password = NULL) $set .= "password='" . password_hash($p, PASSWORD_BCRYPT) . "', passwordset=$save_set "; ////FIXME This one may be tricky - $query = "UPDATE users SET $set WHERE id=$id"; + $query = "UPDATE users SET ? WHERE id=?"; $stmt = $pdo->prepare($query); - $stmt->execute(); + $stmt->execute([$set,$id]); show_pdo_errors_if_any($pdo); return $password; @@ -402,9 +402,9 @@ function user_save_type_list($u, $db, $fields) $set .= "`$f`='$data'"; } if ($set != '') { - $query = "UPDATE $db SET $set WHERE users_id='{$u['id']}'"; + $query = "UPDATE ? SET ? WHERE users_id=?"; $stmt = $pdo->prepare($query); - $stmt->execute(); + $stmt->execute([$db,$set,$u['id']]); if ($pdo->errorInfo()) { show_pdo_errors_if_any($pdo); } @@ -539,8 +539,8 @@ function user_save(&$u) function user_delete_committee($u) { global $pdo; - $stmt = $pdo->prepare("DELETE FROM committees_link WHERE users_uid='{$u['uid']}'"); - $stmt->execute(); + $stmt = $pdo->prepare("DELETE FROM committees_link WHERE users_uid=?"); + $stmt->execute([$u['uid']]); } function user_delete_volunteer($u) {} 
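Review bot: `UPDATE users SET ? WHERE id=?` in the user_set_password hunk binds the whole `$set` clause (`password='...', passwordset=...`) as a string literal, so password changes now fail with a SQL syntax error instead of storing the hash; the user_save_type_list hunk does the same with `UPDATE ? SET ? WHERE users_id=?`, where the table name `$db` cannot be bound either and `$set` still embeds `'$data'` from the caller. For user_set_password bind the hash itself: `$stmt = $pdo->prepare("UPDATE users SET password=?, passwordset=$save_set WHERE id=?");` and `$stmt->execute([password_hash($p, PASSWORD_BCRYPT), $id]);` (`$save_set` is built above the hunk; if it is a SQL expression such as NOW() it has to stay in the query text). For user_save_type_list put one placeholder per field in the loop that builds `$set` and keep `$db` in the text after checking it against the fixed set of `users_*` tables (sketch below; the loop head is above the hunk and `$params = array();` goes before it). Both functions start outside their hunks.
```php
// … unchanged: loop head over $fields (starts above this hunk) …
        $set .= "`$f`=?";
        $params[] = $data;
    }
    if ($set != '') {
        // $db must be one of the users_<type> tables; a table name cannot be bound.
        $params[] = $u['id'];
        $query = "UPDATE `$db` SET $set WHERE users_id=?";
        $stmt = $pdo->prepare($query);
        $stmt->execute($params);
```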
@@ -550,17 +550,17 @@ function user_delete_judge($u) global $config; global $pdo; $ids = array(); - $q = $pdo->prepare("SELECT id FROM users WHERE uid = '{$u['uid']}'"); - $q->execute(); + $q = $pdo->prepare("SELECT id FROM users WHERE uid =?"); + $q->execute([$u['uid']]); while ($row = $q->fetch(PDO::FETCH_ASSOC)) $ids[] = $row['id']; if (count($ids) > 0) { $idlist = implode(',', $ids); - $stmt = $pdo->prepare("DELETE FROM judges_teams_link WHERE users_id IN ($idlist)"); - $stmt->execute(); + $stmt = $pdo->prepare("DELETE FROM judges_teams_link WHERE users_id IN (?)"); + $stmt->execute([$idlist]); - $stmt = $pdo->prepare("DELETE FROM judges_specialaward_sel WHERE users_id IN($idlist)"); - $stmt->execute(); + $stmt = $pdo->prepare("DELETE FROM judges_specialaward_sel WHERE users_id IN(?)"); + $stmt->execute([$idlist]); } } @@ -608,8 +608,8 @@ function user_delete($u, $type = false) $types .= $t; } - $stmt = $pdo->prepare("UPDATE users SET types='$types' WHERE uid='{$u['uid']}'"); - $stmt->execute(); + $stmt = $pdo->prepare("UPDATE users SET types='$types' WHERE uid=?"); + $stmt->execute([$u['uid']]); } else { $finish_delete = true; } @@ -623,8 +623,8 @@ function user_delete($u, $type = false) $finish_delete = true; } if ($finish_delete == true) { - $stmt = $pdo->prepare("UPDATE users SET deleted='yes', deleteddatetime=NOW() WHERE uid='{$u['uid']}'"); - $stmt->execute(); + $stmt = $pdo->prepare("UPDATE users SET deleted='yes', deleteddatetime=NOW() WHERE uid=?"); + $stmt->execute([$u['uid']]); } } @@ -660,8 +660,8 @@ function user_purge($u, $type = false) $types .= ','; $types .= $t; } - $stmt = $pdo->prepare("UPDATE users SET types='$types' WHERE id='{$u['id']}'"); - $stmt->execute(); + $stmt = $pdo->prepare("UPDATE users SET types=? WHERE id=?"); + $stmt->execute([$types, $u['id']]); } else { $finish_purge = true; } 
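Review bot: `DELETE FROM judges_teams_link WHERE users_id IN (?)` with `$stmt->execute([$idlist])` binds the comma-joined string as a single value, so `IN ('1,2,3')` matches at most the first id (MySQL coerces the string to the number 1) and the remaining judge rows are silently left behind; the `judges_specialaward_sel` delete in the same hunk has the same problem. Use one placeholder per id: `$marks = implode(',', array_fill(0, count($ids), '?'));` then `$stmt = $pdo->prepare("DELETE FROM judges_teams_link WHERE users_id IN ($marks)"); $stmt->execute($ids);`, and likewise for the second statement. The existing `count($ids) > 0` guard already keeps the placeholder list from being empty.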
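Review bot: In the `@@ -608` hunk `UPDATE users SET types='$types' WHERE uid=?` leaves `$types` interpolated while binding `uid`, whereas the parallel `@@ -660` hunk in user_purge binds both (`SET types=? WHERE id=?`). `$types` is assembled from `$u['types']`, so the exposure is low, but the two should be written the same way: `$stmt = $pdo->prepare("UPDATE users SET types=? WHERE uid=?"); $stmt->execute([$types, $u['uid']]);`.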
@@ -672,21 +672,21 @@ function user_purge($u, $type = false) */ call_user_func("user_delete_$type", $u); // call_user_func("user_purge_$type", $u); - $stmt = $pdo->prepare("DELETE FROM users_$type WHERE users_id='{$u['id']}'"); - $stmt->execute(); + $stmt = $pdo->prepare("DELETE FROM users_$type WHERE users_id=?"); + $stmt->execute([$u['id']]); } else { /* Delete the whole user */ foreach ($u['types'] as $t) { call_user_func("user_delete_$t", $u); // call_user_func("user_purge_$t", $u); - $stmt = $pdo->prepare("DELETE FROM users_$t WHERE users_id='{$u['id']}'"); - $stmt->execute(); + $stmt = $pdo->prepare("DELETE FROM users_$t WHERE users_id=?"); + $stmt->execute([$u['id']]); } $finish_purge = true; } if ($finish_purge == true) { - $stmt = $pdo->prepare("DELETE FROM users WHERE id='{$u['id']}'"); - $stmt->execute(); + $stmt = $pdo->prepare("DELETE FROM users WHERE id=?"); + $stmt->execute([$u['id']]); } } @@ -695,8 +695,8 @@ function user_dupe_row($table, $key, $val, $newval) { global $config, $pdo; $nullfields = array('id','sex','deleteddatetime'); /* Fields that can be null */ - $q = $pdo->prepare("SELECT * FROM $table WHERE $key='$val'"); - $q->execute(); + $q = $pdo->prepare("SELECT * FROM ? WHERE ?"); + $q->execute([$table, $key='$val']); if ($q->rowCount() != 1) { echo "ERROR duplicating row in $table: $key=$val NOT FOUND.\n"; exit; @@ -740,9 +740,9 @@ function user_dupe($u, $new_year) */ /* Find the last entry */ - $q = $pdo->prepare("SELECT id,uid,year,deleted FROM users WHERE uid='{$u['uid']}' + $q = $pdo->prepare("SELECT id,uid,year,deleted FROM users WHERE uid=? ORDER BY year DESC LIMIT 1"); - $q->execute(); + $q->execute([$u['uid']]); $r = $q->fetch(PDO::FETCH_OBJ); if ($r->deleted == 'yes') { 
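Review bot: `$q->execute([$table, $key='$val'])` in the user_dupe_row hunk is an assignment, not a comparison: the single-quoted string sets `$key` to the literal text `$val` and binds that text as the whole WHERE condition, and `FROM ?` binds the table name as a string literal, so the lookup cannot succeed and the error message below then prints the wrong key name. Neither a table nor a column name can be a placeholder; keep them in the query text and bind only the value: `$q = $pdo->prepare("SELECT * FROM `$table` WHERE `$key`=?"); $q->execute([$val]);`. The visible caller in user_dupe passes literals (`user_dupe_row('users', 'id', ...)`); if any caller can pass externally supplied names they need an allow-list check first.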
@@ -757,8 +757,8 @@ function user_dupe($u, $new_year) $id = user_dupe_row('users', 'id', $u['id'], NULL); - $q = $pdo->prepare("UPDATE users SET year = $new_year WHERE id = $id"); - $q->execute(); + $q = $pdo->prepare("UPDATE users SET year =? WHERE id =?"); + $q->execute([$new_year, $id]); /* Load the new user */ $u2 = user_load($id); @@ -808,26 +808,26 @@ function user_create($type, $username, $u = NULL) global $pdo; if (!is_array($u)) { $stmt = $pdo->prepare("INSERT INTO users (`types`,`username`,`passwordset`,`created`,`year`,`deleted`) - VALUES ('$type','$username','0000-00-00', NOW(), '{$config['FAIRYEAR']}','no')"); - $stmt->execute(); + VALUES (?,?,'0000-00-00', NOW(),?,'no')"); + $stmt->execute([$type,$username,$config['FAIRYEAR']]); show_pdo_errors_if_any($pdo); $uid = $pdo->lastInsertId(); if (user_valid_email($username)) { - $stmt = $pdo->prepare("UPDATE users SET email='$username' WHERE id='$uid'"); - $stmt->execute(); + $stmt = $pdo->prepare("UPDATE users SET email=? WHERE id=?"); + $stmt->execute([$username,$uid]); } - $stmt = $pdo->prepare("UPDATE users SET uid='$uid' WHERE id='$uid'"); - $stmt->execute(); + $stmt = $pdo->prepare("UPDATE users SET uid=? WHERE id=?"); + $stmt->execute([$uid,$uid]); show_pdo_errors_if_any($pdo); /* * Since the user already has a type, user_save won't create this * entry for us, so do it here */ - $stmt = $pdo->prepare("INSERT INTO users_$type (users_id) VALUES('$uid')"); - $stmt->execute(); + $stmt = $pdo->prepare("INSERT INTO users_? (users_id) VALUES(?)"); + $stmt->execute([$type, $uid]); show_pdo_errors_if_any($pdo); /* Load the complete user */ $u = user_load($uid); diff --git a/user_invite.php b/user_invite.php index d4c0c68f..4a33f6db 100644 --- a/user_invite.php +++ b/user_invite.php 
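Review bot: `INSERT INTO users_? (users_id) VALUES(?)` in the user_create hunk tries to bind part of a table name; with emulated prepares PDO produces `users_'judge'` and with native prepares the server rejects the placeholder position, so the per-type row is never created and `user_load($uid)` afterwards sees an incomplete user. Keep the name in the text as the user_purge hunk above does (`DELETE FROM users_$type WHERE users_id=?`): `$stmt = $pdo->prepare("INSERT INTO users_$type (users_id) VALUES(?)"); $stmt->execute([$uid]);`, with `$type` checked against the known user types beforehand since it selects which table is written.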
@@ -47,8 +47,8 @@ if (intval(get_value_from_array($_GET, 'ajax')) == 1) { exit; } - $q = $pdo->prepare("SELECT id FROM users WHERE email='$email' ORDER BY year DESC"); - $q->execute(); + $q = $pdo->prepare("SELECT id FROM users WHERE email=? ORDER BY year DESC"); + $q->execute([$email]); if ($q->rowCount() == 0) { /* User doesn't exist */ echo "notexist\n"; @@ -182,8 +182,8 @@ if (get_value_from_array($_POST, 'action', '') && get_value_from_array($_POST, ' if (!in_array($action, $allowed_actions)) exit; - $q = $pdo->prepare("SELECT id FROM users WHERE email='$email' ORDER BY year DESC"); - $q->execute(); + $q = $pdo->prepare("SELECT id FROM users WHERE email=? ORDER BY year DESC"); + $q->execute([$email]); if ($q->rowCount() > 0) { $u = $q->fetch(PDO::FETCH_ASSOC); $u = user_load($u['id']); diff --git a/user_new.php b/user_new.php index 4617c18e..07a9e979 100644 --- a/user_new.php +++ b/user_new.php @@ -136,8 +136,8 @@ switch ($action) { $types = explode(',', $r->types); if ($r->year == $config['FAIRYEAR'] && $r->deleted == 'yes') { - $stmt = $pdo->prepare("UPDATE users SET deleted='no' WHERE id='$r->id'"); - $stmt->execute(); + $stmt = $pdo->prepare("UPDATE users SET deleted='no' WHERE id=?"); + $stmt->execute([$r->id]); message_push(happy(i18n('Your account has been undeleted'))); message_push(notice(i18n("Use the 'recover password' option on the %1 {$user_what[$type]} login page %2 if you have forgotten your password", array("", '')))); diff --git a/user_personal.php b/user_personal.php index 86491ded..7f219546 100644 --- a/user_personal.php +++ b/user_personal.php 
@@ -147,8 +147,8 @@ switch (get_value_from_array($_GET, 'action')) { /* Check for an email collision */ $em = stripslashes($_POST['email']); - $q = $pdo->prepare("SELECT *,max(year) FROM users WHERE email='$em' HAVING uid!='{$u['uid']}' AND deleted='no' "); - $q->execute(); + $q = $pdo->prepare("SELECT *,max(year) FROM users WHERE email=? HAVING uid!=? AND deleted='no' "); + $q->execute([$em,$u['uid']]); if ($q->rowCount() > 0) { error_('That email address is in use by another user'); echo 'email error'; diff --git a/volunteer.inc.php b/volunteer.inc.php index 28406591..fdddf303 100644 --- a/volunteer.inc.php +++ b/volunteer.inc.php @@ -29,10 +29,10 @@ function volunteer_status_position($u) { global $config, $pdo; /* See if they have selected something */ - $q = "SELECT * FROM volunteer_positions_signup WHERE users_id='{$u['id']}' - AND year='{$config['FAIRYEAR']}'"; + $q = "SELECT * FROM volunteer_positions_signup WHERE users_id=? + AND year=?"; $r = $pdo->prepare($q); - $r->execute(); + $r->execute([$u['id'],$config['FAIRYEAR']]); if ($r->rowCount() >= 1) { return 'complete'; } diff --git a/volunteer_position.php b/volunteer_position.php index fc5576a4..67fa401e 100644 --- a/volunteer_position.php +++ b/volunteer_position.php @@ -42,9 +42,9 @@ if ($_POST['action'] == 'save') { if (is_array($_POST['posn'])) { /* Load available IDs */ $posns = array(); - $q = "SELECT * FROM volunteer_positions WHERE year='{$config['FAIRYEAR']}'"; + $q = "SELECT * FROM volunteer_positions WHERE year=?"; $r = $pdo->prepare($q); - $r->execute(); + $r->execute([$config['FAIRYEAR']]); while ($p = $r->fetch(PDO::FETCH_OBJ)) { $posns[] = $p->id; } 
@@ -63,17 +63,17 @@ if ($_POST['action'] == 'save') { /* Delete existing selections */ $stmt = $pdo->prepare("DELETE FROM volunteer_positions_signup WHERE - users_id='{$u['id']}' - AND year='{$config['FAIRYEAR']}' "); - $stmt->execute(); + users_id=? + AND year=?"); + $stmt->execute([$u['id'],$config['FAIRYEAR']]); show_pdo_errors_if_any($pdo); /* Add new selections if there are any */ if ($vals != '') { $q = "INSERT INTO volunteer_positions_signup (users_id, volunteer_positions_id,year) - VALUES $vals"; + VALUES ?"; $r = $po->prepare($q); - $r->execute(); + $r->execute([$vals]); show_pdo_errors_if_any($pdo); } @@ -110,10 +110,10 @@ echo "
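Review bot: `INSERT INTO volunteer_positions_signup (...) VALUES ?` with `$r->execute([$vals])` binds the whole `(a,b,c),(d,e,f)` tuple list as one string, which is a syntax error, so volunteer selections are no longer saved after the preceding DELETE has already removed the old ones. Build the placeholders where `$vals` is assembled (above this hunk): one `(?,?,?)` per row joined with commas and the three values per row appended to a flat `$params` array, then `$q = "INSERT INTO volunteer_positions_signup (users_id, volunteer_positions_id,year) VALUES " . implode(',', $rows); $r = $pdo->prepare($q); $r->execute($params);`. The context line `$r = $po->prepare($q);` also looks like a pre-existing typo for `$pdo`, which the rest of this file uses, and would fail before the query runs.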
".i18n("Level")."".i18n("Description / Benefits")."
' . $this->format_time($r->$f) . '
\n"; /* Read current selections */ $q = "SELECT * FROM volunteer_positions_signup WHERE - \t\tusers_id = '{$u['id']}' - \t\tAND year='{$config['FAIRYEAR']}'"; + \t\tusers_id =? + \t\tAND year=?"; $r = $pdo->prepare($q); -$r->execute(); +$r->execute([$u['id'],$config['FAIRYEAR']]); $checked_positions = array(); while ($p = $r->fetch(PDO::FETCH_OBJ)) { $checked_positions[] = $p->volunteer_positions_id; @@ -121,9 +121,9 @@ while ($p = $r->fetch(PDO::FETCH_OBJ)) { /* Load available volunteer positions */ $q = "SELECT *,UNIX_TIMESTAMP(start) as ustart, UNIX_TIMESTAMP(end) as uend - \t\t\tFROM volunteer_positions WHERE year='{$config['FAIRYEAR']}'"; + \t\t\tFROM volunteer_positions WHERE year=?"; $r = $pdo->prepare($q); -$r->execute(); +$r->execute([$config['FAIRYEAR']]); while ($p = $r->fetch(PDO::FETCH_OBJ)) { echo '
'; diff --git a/winners.php b/winners.php index 2bb737f2..54695193 100644 --- a/winners.php +++ b/winners.php @@ -53,8 +53,8 @@ if (get_value_from_array($_GET, 'year') && get_value_from_array($_GET, 'type')) // first, lets make sure someone isnt tryint to see something that they arent allowed to! // but only if the year they want is the FAIRYEAR. If they want a past year, thats cool if ($_GET['year'] >= $config['FAIRYEAR']) { - $q = $pdo->prepare("SELECT (NOW()>'" . $config['dates']['postwinners'] . "') AS test"); - $q->execute(); + $q = $pdo->prepare("SELECT (NOW()>?) AS test"); + $q->execute([$config['dates']['postwinners']]); $r = $q->fetch(PDO::FETCH_OBJ); if ($r->test != 1) { echo error(i18n('Crystal ball says future is very hard to see!')); @@ -72,14 +72,14 @@ if (get_value_from_array($_GET, 'year') && get_value_from_array($_GET, 'type')) award_awards, award_types WHERE - award_awards.year='$year' + award_awards.year=? AND\taward_awards.award_types_id=award_types.id - AND\taward_types.type='$type' - AND\taward_types.year='$year' + AND\taward_types.type=? + AND\taward_types.year=? ORDER BY awards_order"); - $q->execute(); + $q->execute([$year,$type,$year]); show_pdo_errors_if_any($pdo); if ($q->rowCount()) { @@ -101,11 +101,11 @@ if (get_value_from_array($_GET, 'year') && get_value_from_array($_GET, 'type')) LEFT JOIN winners ON winners.awards_prizes_id=award_prizes.id LEFT JOIN projects ON projects.id=winners.projects_id WHERE - award_awards_id='$r->id' - AND award_prizes.year='$year' + award_awards_id=? + AND award_prizes.year=? ORDER BY `order`"); - $pq->execute(); + $pq->execute([$r->id,$year]); show_pdo_errors_if_any($pdo); $awarded_count = 0; if ($show_unawarded_awards == 'no') { 
@@ -161,10 +161,10 @@ if (get_value_from_array($_GET, 'year') && get_value_from_array($_GET, 'type')) students, schools WHERE - students.registrations_id='$pr->reg_id' + students.registrations_id=? AND students.schools_id=schools.id "); - $sq->execute(); + $sq->execute([$pr->reg_id]); $studnum = 0; $students = ''; @@ -262,11 +262,11 @@ if (get_value_from_array($_GET, 'year') && get_value_from_array($_GET, 'type')) award_awards.award_types_id=award_types.id AND winners.awards_prizes_id=award_prizes.id AND award_prizes.award_awards_id=award_awards.id - AND winners.year='$r->year' + AND winners.year=? ORDER BY award_types.order "); - $tq->execute(); + $tq->execute([$r->year]); $errorInfo = $pdo->errorInfo(); if ($errorInfo[0] != '00000') { // If there's an error (the SQLSTATE isn't '00000', which means no error)