arman/science-ation
1
1
Fork 0
forked from science-ation/science-ation
Code Pull Requests Activity

pushing up mutliple database changes from multiple different files, theres 998 lines left to change

Browse Source
This commit is contained in:
Muad Sakah 2025-02-03 03:04:15 +00:00
parent b8a393f0f0
commit e86f06f141
48 changed files with 1495 additions and 1488 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
admin/award_awardcreatedivisional.php
View File

@ -44,19 +44,19 @@ else if (get_value_from_array($_POST, 'award_types_id'))
// first, we can only do this if we dont have any type=divisional awards created yet
$q = $pdo->prepare("SELECT COUNT(id) AS num FROM award_awards WHERE award_types_id='1' AND year='{$config['FAIRYEAR']}'");
$q->execute();
$q = $pdo->prepare("SELECT COUNT(id) AS num FROM award_awards WHERE award_types_id='1' AND year=?");
$q->execute([$config['FAIRYEAR']]);
$r = $q->fetch(PDO::FETCH_OBJ);
if ($r->num) {
echo error(i18n('%1 Divisional awards already exist. There must not be any divisional awards in order to run this wizard', array($r->num)));
} else {
$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY id");
$q->execute();
$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year=? ORDER BY id");
$q->execute([$config['FAIRYEAR']]);
while ($r = $q->fetch(PDO::FETCH_OBJ))
$div[$r->id] = $r->division;
$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY id");
$q->execute();
$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year=? ORDER BY id");
$q->execute([$config['FAIRYEAR']]);
while ($r = $q->fetch(PDO::FETCH_OBJ))
$cat[$r->id] = $r->category;
@ -64,8 +64,8 @@ if ($r->num) {
$ckeys = array_keys($cat);
if ($config['filterdivisionbycategory'] == 'yes') {
$q = $pdo->prepare("SELECT * FROM projectcategoriesdivisions_link WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY projectdivisions_id,projectcategories_id");
$q->execute();
$q = $pdo->prepare("SELECT * FROM projectcategoriesdivisions_link WHERE year=? ORDER BY projectdivisions_id,projectcategories_id");
$q->execute([$config['FAIRYEAR']]);
$divcat = array();
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
$divcat[] = array('c' => $r->projectcategories_id, 'd' => $r->projectdivisions_id);
@ -110,22 +110,22 @@ if ($r->num) {
echo i18n('Creating %1 - %2', array($c_category, $d_division)) . '<br />';
$q = $pdo->prepare("INSERT INTO award_awards (sponsors_id,award_types_id,name,criteria,`order`,year) VALUES (
'{$_GET['sponsors_id']}',
?,
'1',
'$c_category - $d_division',
?-?,
'" . i18n('Best %1 projects in the %2 division', array($c_category, $d_division)) . "',
'$ord',
'{$config['FAIRYEAR']}'
?,
?
)");
$q->execute();
$q->execute([$_GET['sponsors_id'],$c_category,$d_division,$ord, $config['FAIRYEAR']]);
show_pdo_errors_if_any($pdo);
$award_awards_id = $pdo->lastInsertId();
$q = $pdo->prepare("INSERT INTO award_awards_projectcategories (award_awards_id,projectcategories_id,year) VALUES ('$award_awards_id','$c_id','{$config['FAIRYEAR']}')");
$q->execute();
$q = $pdo->prepare("INSERT INTO award_awards_projectcategories (award_awards_id,projectcategories_id,year) VALUES (?,?,?");
$q->execute([$award_awards_id,$c_id,$config['FAIRYEAR']]);
$q = $pdo->prepare("INSERT INTO award_awards_projectdivisions (award_awards_id,projectdivisions_id,year) VALUES ('$award_awards_id','$d_id','{$config['FAIRYEAR']}')");
$q->execute();
$q = $pdo->prepare("INSERT INTO award_awards_projectdivisions (award_awards_id,projectdivisions_id,year) VALUES (?,?,?)");
$q->execute([$award_awards_id,$d_id,$config['FAIRYEAR']]);
$ord++;
echo '&nbsp;&nbsp;' . i18n('Prizes: ');

94
admin/award_awards.php
View File

@ -33,8 +33,8 @@ $_GET['action'] = $_GET['action'] ?? '';
switch ($_GET['action']) {
case 'awardinfo_load':
$id = intval(get_value_from_array($_GET, 'id'));
$q = $pdo->prepare("SELECT * FROM award_awards WHERE id='$id'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM award_awards WHERE id=?");
$q->execute([$id]);
$ret = $q->fetch(PDO::FETCH_ASSOC);
// json_encode NEEDS UTF8 DATA, but we store it in the database as ISO :(
@ -57,8 +57,8 @@ switch ($_GET['action']) {
if ($id == -1) {
$q = $pdo->prepare("INSERT INTO award_awards (year,self_nominate,schedule_judges)
VALUES ('{$config['FAIRYEAR']}','yes','yes')");
$q->execute();
VALUES (?,'yes','yes')");
$q->execute([$config['FAIRYEAR']]);
$id = $pdo->lastInsertId();
happy_('Award Created');
/* Set the award_id in the client */
@ -83,9 +83,9 @@ switch ($_GET['action']) {
criteria='" . iconv('UTF-8', 'ISO-8859-1', stripslashes($_POST['criteria'])) . "',
sponsors_id='" . intval($_POST['sponsors_id']) . "' ";
}
$q .= "WHERE id='$id'";
$q .= "WHERE id=?";
$q = $pdo->prepare($q);
$q->execute();
$q->execute([$id]);
print_r($_POST);
echo $q;
show_pdo_errors_if_any($pdo);
@ -97,15 +97,15 @@ switch ($_GET['action']) {
// select the current categories that this award is linked to
$ret = array('categories' => array(), 'divisions' => array());
$q = $pdo->prepare("SELECT * FROM award_awards_projectcategories WHERE award_awards_id='$id'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM award_awards_projectcategories WHERE award_awards_id=?");
$q->execute([$id]);
while ($r = $q->fetch(PDO::FETCH_ASSOC)) {
$ret['categories'][] = $r['projectcategories_id'];
}
// select the current categories that this award is linked to
$q = $pdo->$prepare("SELECT * FROM award_awards_projectdivisions WHERE award_awards_id='$id'");
$q->execute();
$q = $pdo->$prepare("SELECT * FROM award_awards_projectdivisions WHERE award_awards_id=?");
$q->execute([$id]);
while ($r = $q->fetch(PDO::FETCH_ASSOC)) {
$ret['divisions'][] = $r['projectdivisions_id'];
}
@ -122,8 +122,8 @@ switch ($_GET['action']) {
}
// wipe out any old award-category links
$q = $pdo->prepare("DELETE FROM award_awards_projectcategories WHERE award_awards_id='$id'");
$q->execute();
$q = $pdo->prepare("DELETE FROM award_awards_projectcategories WHERE award_awards_id=?");
$q->execute([$id]);
foreach ($_POST['categories'] AS $key => $cat) {
$c = intval($cat);
$q = $pdo->prepare('INSERT INTO award_awards_projectcategories (award_awards_id, projectcategories_id, year)
@ -133,13 +133,13 @@ switch ($_GET['action']) {
$q->bindParam(':c', $c, PDO::PARAM_INT);
$q->bindParam(':year', $config['FAIRYEAR'], PDO::PARAM_INT);
$q->execute();
$q->execute([]);
}
// wipe out any old award-divisions links
$q = $pdo->prepare("DELETE FROM award_awards_projectdivisions WHERE award_awards_id='$id'");
$q->execute();
$q = $pdo->prepare("DELETE FROM award_awards_projectdivisions WHERE award_awards_id=?");
$q->execute([$id]);
// now add the new ones
foreach ($_POST['divisions'] AS $key => $div) {
@ -165,8 +165,8 @@ switch ($_GET['action']) {
continue;
$order++;
$q = $pdo->prepare("UPDATE `award_prizes` SET `order`='$order' WHERE `id`='$id'");
$q->execute();
$q = $pdo->prepare("UPDATE `award_prizes` SET `order`=? WHERE `id`=?");
$q->execute([$order, $id]);
}
// print_r($_GET);
happy_('Order Updated.');
@ -179,8 +179,8 @@ switch ($_GET['action']) {
continue;
$order++;
$q = $pdo->prepare("UPDATE `award_awards` SET `order`='$order' WHERE `id`='$id'");
$q->execute();
$q = $pdo->prepare("UPDATE `award_awards` SET `order`=? WHERE `id`=?");
$q->execute([$order, $id]);
}
happy_('Order updated');
exit;
@ -191,8 +191,8 @@ switch ($_GET['action']) {
$q = $pdo->prepare("SELECT * FROM award_prizes WHERE year='-1' AND award_awards_id='0' ORDER BY `order`");
$q->execute();
} else {
$q = $pdo->prepare("SELECT * FROM award_prizes WHERE award_awards_id='$id' ORDER BY `order`");
$q->execute();
$q = $pdo->prepare("SELECT * FROM award_prizes WHERE award_awards_id=? ORDER BY `order`");
$q->execute([$id]);
}
while ($r = $q->fetch(PDO::FETCH_ASSOC)) {
foreach ($r AS $k => $v) {
@ -205,8 +205,8 @@ switch ($_GET['action']) {
case 'prize_load':
$id = intval($_GET['id']);
$q = $pdo->prepare("SELECT * FROM award_prizes WHERE id='$id'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM award_prizes WHERE id=?");
$q->execute([$id]);
$ret = $q->fetch(PDO::FETCH_ASSOC);
foreach ($ret AS $k => $v) {
$ret[$k] = iconv('ISO-8859-1', 'UTF-8', $v);
@ -276,8 +276,8 @@ switch ($_GET['action']) {
$id = intval($_GET['id']);
/* Prepare two lists of fair IDs, for which fairs can upload and download this award */
$q = $pdo->prepare("SELECT * FROM fairs_awards_link WHERE award_awards_id='$id'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM fairs_awards_link WHERE award_awards_id=?");
$q->execute([$id]);
$ul = array();
$dl = array();
while ($r = $q->fetch(PDO::FETCH_ASSOC)) {
@ -287,8 +287,8 @@ switch ($_GET['action']) {
$dl[$r['fairs_id']] = true;
}
$q = $pdo->prepare("SELECT * FROM award_awards WHERE id='$id'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM award_awards WHERE id=?");
$q->execute([$id]);
$a = $q->fetch(PDO::FETCH_ASSOC);
?>
<h4><?= i18n('Feeder Fairs') ?></h4>
@ -354,16 +354,16 @@ switch ($_GET['action']) {
/* Now save each one */
$q = $pdo->prepare("DELETE FROM fairs_awards_link WHERE award_awards_id='$id'");
$q->execute();
$q = $pdo->prepare("DELETE FROM fairs_awards_link WHERE award_awards_id=?");
$q->execute([$id]);
show_pdo_errors_if_any($pdo);
foreach ($data as $fairs_id => $f) {
$dl = ($f['dl'] == true) ? 'yes' : 'no';
$ul = ($f['ul'] == true) ? 'yes' : 'no';
$q = $pdo->prepare("INSERT INTO fairs_awards_link (award_awards_id,fairs_id,download_award,upload_winners)
VALUES ('$id','$fairs_id','$dl','$ul')");
$q->execute();
VALUES (?,?,?,?)");
$q->execute([$id,$fairs_id,$dl,$ul]);
show_pdo_errors_if_any($pdo);
}
$ident = stripslashes($_POST['identifier']);
@ -371,12 +371,12 @@ switch ($_GET['action']) {
$mat = intval($_POST['additional_materials']);
$w = intval($_POST['register_winners']);
$q = $pdo->prepare("UPDATE award_awards SET external_identifier='$ident',
external_additional_materials='$mat',
external_register_winners='$w',
per_fair='$per_fair'
WHERE id='$id'");
$q->execute();
$q = $pdo->prepare("UPDATE award_awards SET external_identifier=?,
external_additional_materials=?,
external_register_winners=?,
per_fair=?
WHERE id=?");
$q->execute([$ident, $mat,$w],$per_fair,$id);
happy_('Feeder Fair information saved');
exit;
@ -729,8 +729,8 @@ while ($sr = $sq->fetch(PDO::FETCH_OBJ)) {
</td></tr>
<tr><td><?= i18n('Type') ?>:</td><td>
<?
$tq = $pdo->prepare("SELECT id,type FROM award_types WHERE year='{$config['FAIRYEAR']}' ORDER BY type");
$tq->execute();
$tq = $pdo->prepare("SELECT id,type FROM award_types WHERE year=? ORDER BY type");
$tq->execute([$config['FAIRYEAR']]);
echo '<select id="awardinfo_award_types_id" name="award_types_id">';
// only show the "choose a type" option if we are adding,if we are editing, then they must have already chosen one.
echo $firsttype;
@ -1110,14 +1110,14 @@ award_awards
LEFT JOIN sponsors ON sponsors.id = award_awards.sponsors_id
LEFT JOIN award_types ON award_types.id = award_awards.award_types_id
WHERE
award_awards.year='{$config['FAIRYEAR']}'
$where_asi
$where_ati
AND \taward_types.year='{$config['FAIRYEAR']}'
$orderby
award_awards.year=?
?
?
AND \taward_types.year=?
?
");
$q->execute();
$q->execute([$config['FAIRYEAR'],$where_asi,$where_ati,$config['FAIRYEAR'],$orderby]);
show_pdo_errors_if_any($pdo);
@ -1147,8 +1147,8 @@ if ($q->rowCount()) {
echo " <td $eh>{$r->type}</td>\n";
echo " <td $eh>{$r->name}</td>\n";
$numq = $pdo->prepare("SELECT SUM(number) AS num FROM award_prizes WHERE award_awards_id='{$r->id}'");
$numq->execute();
$numq = $pdo->prepare("SELECT SUM(number) AS num FROM award_prizes WHERE award_awards_id=?");
$numq->execute([$r->id]);
$numr = $numq->fetch(PDO::FETCH_ASSOC);
if (!$numr['num'])
$numr['num'] = 0;

46
admin/award_download.php
View File

@ -72,8 +72,8 @@ switch (get_value_from_array($_GET, 'action')) {
// get a list of all the existing awards for this external source
$aq = $pdo->prepare("SELECT * FROM award_awards WHERE award_source_fairs_id='$fairs_id' AND year='{$config['FAIRYEAR']}'");
$aq->execute();
$aq = $pdo->prepare("SELECT * FROM award_awards WHERE award_source_fairs_id=? AND year=?");
$aq->execute([$fairs_id,$config['FAIRYEAR']]);
$existingawards = array();
while ($ar = $aq->fetch(PDO::FETCH_OBJ)) {
$existingawards[$ar->id] = true;
@ -109,29 +109,29 @@ switch (get_value_from_array($_GET, 'action')) {
}
$tq = $pdo->prepare("SELECT * FROM award_awards WHERE
external_identifier='$identifier' AND
award_source_fairs_id='$fairs_id' AND
year='$year'");
$tq->execute();
external_identifier=? AND
award_source_fairs_id=? AND
year=?");
$tq->execute([$identifier,$fairs_id,$year]);
if ($tq->rowCount() == 0) {
/* Award doesn't exist, create it, then update it with the common code below */
$q = $pdo->prepare("INSERT INTO award_awards (award_types_id,
year, external_identifier,
award_source_fairs_id)
VALUES (2,'{$year}',
'" . $identifier . "',
'$fairs_id')");
$q->execute();
VALUES (2,?,
?,
?)");
$q->execute([$year,$identifier,$fairs_id]);
$award_id = $pdo->lastInsertId();
/* By default make all divs/cats eligible */
foreach ($divs as $id => $d)
$q = $pdo->prepare("INSERT INTO award_awards_projectdivisions(award_awards_id,projectdivisions_id,year) VALUES ('$award_id','$id','{$config['FAIRYEAR']}')");
$q->execute();
$q = $pdo->prepare("INSERT INTO award_awards_projectdivisions(award_awards_id,projectdivisions_id,year) VALUES (?,?,?)");
$q->execute([$award_id,$id,$config['FAIRYEAR']]);
foreach ($cats as $id => $c)
$q = $pdo->prepare("INSERT INTO award_awards_projectcategories(award_awards_id,projectcategories_id,year) VALUES ('$award_id','$id','{$config['FAIRYEAR']}')");
$q->execute();
$q = $pdo->prepare("INSERT INTO award_awards_projectcategories(award_awards_id,projectcategories_id,year) VALUES (?,?,?)");
$q->execute([$award_id,$id,$config['FAIRYEAR']]);
} else {
echo i18n('Award already exists, updating info') . '<br />';
$awardrecord = $q->fetch(PDO::FETCH_OBJ);
@ -144,14 +144,14 @@ switch (get_value_from_array($_GET, 'action')) {
// check if the sponsor exists, if not, add them
$sponsor_str = $award['sponsor'];
$sponsorq = $pdo->prepare("SELECT * FROM sponsors WHERE organization='$sponsor_str'");
$sponsorq->execute();
$sponsorq = $pdo->prepare("SELECT * FROM sponsors WHERE organization=?");
$sponsorq->execute([$sponsor_str]);
if ($sponsorr = $sponsorq->fetch(PDO::FETCH_OBJ)) {
$sponsor_id = $sponsorr->id;
} else {
$q = $pdo->prepare("INSERT INTO sponsors (organization,year,notes)
VALUES ('$sponsor_str','$year','" . "Imported from external source: $r->name" . "')");
$q->execute();
VALUES (?,?,'" . "Imported from external source: ?" . "')");
$q->execute([$sponsor_str,$year,$r->name]);
show_pdo_errors_if_any($pdo);
$sponsor_id = $pdo->lastInsertId();
}
@ -185,8 +185,8 @@ switch (get_value_from_array($_GET, 'action')) {
echo i18n('Number of prizes: %1', array(count($prizes))) . '<br />';
/* Get existing prizes */
$pq = $pdo->prepare("SELECT * FROM award_prizes WHERE award_awards_id='$award_id'");
$pq->execute();
$pq = $pdo->prepare("SELECT * FROM award_prizes WHERE award_awards_id=?");
$pq->execute([$award_id]);
$existingprizes = array();
while ($pr = $pq->fetch(PDO::FETCH_ASSOC))
$existingprizes[$pr['prize']] = $pr;
@ -204,8 +204,8 @@ switch (get_value_from_array($_GET, 'action')) {
$p = stripslashes($prize['prize_en']);
$q = $pdo->prepare("INSERT INTO award_prizes (award_awards_id,prize,year,external_identifier)
VALUES ('$award_id','$p','$year','$p')");
$q->execute();
VALUES (?,?,?,?)");
$q->execute([$award_id,$p,$year,$p]);
$prize_id = $pdo->lastInsertId();
} else {
$ep = $existingprizes[$prize['prize_en']];
@ -233,7 +233,7 @@ switch (get_value_from_array($_GET, 'action')) {
WHERE
id='$prize_id'");
$q->execute();
$q->execute([]);
show_pdo_errors_if_any($pdo);
// FIXME: update the translations

90
admin/award_upload.php
View File

@ -80,8 +80,8 @@ function get_winners($awardid, $fairs_id)
} else {
/* Get the award */
$q = $pdo->prepare("SELECT * FROM award_awards WHERE id='$awardid' AND year='{$config['FAIRYEAR']}'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM award_awards WHERE id=? AND year=?");
$q->execute([$awardid,$config['FAIRYEAR']]);
if ($q->rowCount() != 1) {
error_("Can't find award id $awardid");
return false;
@ -92,8 +92,8 @@ function get_winners($awardid, $fairs_id)
/* Get the fair for the div/cat mappings */
$q = $pdo->prepare("SELECT * FROM fairs WHERE id='{$award['award_source_fairs_id']}'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM fairs WHERE id=?");
$q->execute([$award['award_source_fairs_id']]);
$fair = $q->fetch(PDO::FETCH_ASSOC);
$catmap = unserialize($fair['catmap']);
@ -113,8 +113,8 @@ function get_winners($awardid, $fairs_id)
/* Get the prizes */
$q = $pdo->prepare("SELECT * FROM award_prizes WHERE award_awards_id='{$award['id']}'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM award_prizes WHERE award_awards_id=?");
$q->execute([$award['id']]);
while ($prize = $q->fetch(PDO::FETCH_ASSOC)) {
$pid = $prize['id'];
@ -122,24 +122,24 @@ function get_winners($awardid, $fairs_id)
LEFT JOIN winners ON winners.awards_prizes_id=award_prizes.id
LEFT JOIN projects ON projects.id=winners.projects_id
WHERE
awards_prizes_id='$pid' AND
winners.year='{$config['FAIRYEAR']}'");
$wq->execute();
awards_prizes_id=? AND
winners.year=?");
$wq->execute([$pid,$config['FAIRYEAR']]);
show_pdo_errors_if_any($pdo);
/* Get all projects assigned to this prize */
$prizewinners = array();
while ($project = $wq->fetch(PDO::FETCH_ASSOC)) {
/* Get the students */
$sq = $pdo->prepare("SELECT * FROM students WHERE registrations_id='{$project['registrations_id']}'
AND year='{$config['FAIRYEAR']}'");
$sq->execute();
$sq = $pdo->prepare("SELECT * FROM students WHERE registrations_id=?
AND year=?");
$sq->execute([$project['registrations_id'],$config['FAIRYEAR']]);
$students = array();
while ($s = $sq->fetch(PDO::FETCH_ASSOC)) {
/* Get the student's school */
$schoolq = $pdo->prepare("SELECT * FROM schools WHERE id='{$s['schools_id']}'");
$schoolq->execute();
$schoolq = $pdo->prepare("SELECT * FROM schools WHERE id=?");
$schoolq->execute([$s['schools_id']]);
$schoolr = $schoolq->fetch(PDO::FETCH_ASSOC);
$school = array('xml_type' => 'school'); /* for ysc compatability */
foreach ($school_fields as $k => $v)
@ -191,8 +191,8 @@ function count_winners($awardid, $fairs_id)
if ($awardid == -1) {
/* Get all for this fair */
$q = $pdo->prepare("SELECT * FROM award_awards WHERE award_source_fairs_id='$fairs_id' AND year='{$config['FAIRYEAR']}'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM award_awards WHERE award_source_fairs_id=? AND year=?");
$q->execute([$fairs_id,$config['FAIRYEAR']]);
if ($q->rowCount() == 0) {
error_("Can't find award id $awardid");
return 0;
@ -203,8 +203,8 @@ function count_winners($awardid, $fairs_id)
} else {
/* Get the award */
$q = $pdo->prepare("SELECT * FROM award_awards WHERE id='$awardid' AND year='{$config['FAIRYEAR']}'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM award_awards WHERE id=? AND year=?");
$q->execute([$awardid,$config['FAIRYEAR']]);
if ($q->rowcount() != 1) {
error_("Can't find award id $awardid");
return 0;
@ -216,8 +216,8 @@ function count_winners($awardid, $fairs_id)
foreach ($awards as $award) {
/* Get the prizes */
$q = $pdo->prepare("SELECT * FROM award_prizes WHERE award_awards_id='{$award['id']}'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM award_prizes WHERE award_awards_id=?");
$q->execute([$award['id']]);
while ($prize = $q->fetch(PDO::FETCH_ASSOC)) {
$pid = $prize['id'];
@ -225,9 +225,9 @@ function count_winners($awardid, $fairs_id)
LEFT JOIN winners ON winners.awards_prizes_id=award_prizes.id
LEFT JOIN projects ON projects.id=winners.projects_id
WHERE
awards_prizes_id='$pid' AND
winners.year='{$config['FAIRYEAR']}'");
$wq->execute();
awards_prizes_id=? AND
winners.year=?");
$wq->execute([$pid,$config['FAIRYEAR']]);
$wc = $wq->fetch(PDO::FETCH_ASSOC);
$count += $wc['C'];
}
@ -239,8 +239,8 @@ function load_server_cats_divs($fairs_id)
{
global $config, $pdo;
$q = $pdo->prepare("SELECT * FROM fairs WHERE id='$fairs_id'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM fairs WHERE id=?");
$q->execute([$fairs_id]);
$fair = $q->fetch(PDO::FETCH_ASSOC);
$req = array('get_categories' => array('year' => $config['FAIRYEAR']),
@ -254,8 +254,8 @@ function load_server_cats_divs($fairs_id)
$catmap = array();
/* Load ours */
$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year='{$config['FAIRYEAR']}' ORDER BY mingrade");
$q->execute();
$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year=? ORDER BY mingrade");
$q->execute([$config['FAIRYEAR']]);
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
foreach ($data['categories'] as $id => $c) {
if ($c['mingrade'] == $r->mingrade) {
@ -270,8 +270,8 @@ function load_server_cats_divs($fairs_id)
} else {
$ret['divmap'] = array();
$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year='{$config['FAIRYEAR']}' ORDER BY id");
$q->execute();
$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year=? ORDER BY id");
$q->execute([$config['FAIRYEAR']]);
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
$lowest = 999;
$lowest_id = 0;
@ -300,8 +300,8 @@ switch (get_value_from_array($_GET, 'action')) {
/* Get the fair */
$q = $pdo->prepare("SELECT * FROM fairs WHERE id='$fairs_id}'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM fairs WHERE id=?");
$q->execute([$fairs_id]);
$fair = $q->fetch(PDO::FETCH_ASSOC);
echo '<br />';
@ -393,8 +393,8 @@ switch (get_value_from_array($_GET, 'action')) {
list($c, $d, $cm, $dm) = load_server_cats_divs($fairs_id);
$divs = projectdivisions_load();
$q = $pdo->prepare("SELECT * FROM fairs WHERE id='$fairs_id}'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM fairs WHERE id=?");
$q->execute([$fairs_id]);
$fair = $q->fetch(PDO::FETCH_ASSOC);
?> <h4><?= i18n('Division Mapping') ?></h4>
@ -439,9 +439,9 @@ switch (get_value_from_array($_GET, 'action')) {
$catmap = serialize($cat);
$divmap = serialize($div);
$q = $pdo->prepare("UPDATE fairs SET catmap='$catmap',divmap='$divmap' WHERE id='$fairs_id'");
$q = $pdo->prepare("UPDATE fairs SET catmap=?,divmap=? WHERE id=?");
$q->execute();
$q->execute([$catmap,$divmap,$fairs_id]);
show_pdo_errors_if_any($pdo);
happy_('Category/Division mapping information saved');
@ -450,12 +450,12 @@ switch (get_value_from_array($_GET, 'action')) {
case 'additional_materials':
$award_awards_id = intval($_GET['award_awards_id']);
$q = $pdo->prepare("SELECT award_source_fairs_id,external_identifier FROM award_awards WHERE id='$award_awards_id'");
$q->execute();
$q = $pdo->prepare("SELECT award_source_fairs_id,external_identifier FROM award_awards WHERE id=?");
$q->execute([$award_awards_id]);
$a = $q->fetch(PDO::FETCH_ASSOC);
$q = $pdo->prepare("SELECT * FROM fairs WHERE id='{$a['award_source_fairs_id']}'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM fairs WHERE id=?");
$q->execute([$a['award_source_fairs_id']]);
$fair = $q->fetch(PDO::FETCH_ASSOC);
$req = array('award_additional_materials' => array(
'year' => $config['FAIRYEAR'],
@ -474,8 +474,8 @@ switch (get_value_from_array($_GET, 'action')) {
$winners = get_winners($award_awards_id, $fairs_id);
$divs = projectdivisions_load();
$q = $pdo->prepare("SELECT * FROM fairs WHERE id='$fairs_id}'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM fairs WHERE id=?");
$q->execute([$fairs_id]);
$fair = $q->fetch(PDO::FETCH_ASSOC);
echo i18n("The following list of winning projects/students will be sent to: <b>%1</b>. Use the 'Edit Default Division Assignments' button to change the default mappings for divisions. You can over-ride any division assignment by changing it in the list below. Category assignments are done automatically based on grade. When you are happy with the list below, click the 'Upload Winners' button.", array($fair['name']));
@ -702,10 +702,10 @@ if (!function_exists('curl_init')) {
$q = $pdo->prepare("SELECT fairs.id, fairs.name, fairs.type, COUNT(award_awards.id) as AWARD_COUNT FROM fairs
LEFT JOIN award_awards ON award_awards.award_source_fairs_id=fairs.id
WHERE award_awards.award_source_fairs_id IS NOT NULL
AND award_awards.year='{$config['FAIRYEAR']}'
AND award_awards.year=?
GROUP BY fairs.id
ORDER BY fairs.name ");
$q->execute();
$q->execute([$config['FAIRYEAR']]);
show_pdo_errors_if_any($pdo);
?>
@ -747,9 +747,9 @@ $q = $pdo->prepare("SELECT award_awards.id, award_awards.name AS awardname,
FROM award_awards
LEFT JOIN fairs ON fairs.id=award_awards.award_source_fairs_id
WHERE award_awards.award_source_fairs_id IS NOT NULL
AND award_awards.year='{$config['FAIRYEAR']}'
AND award_awards.year=?
ORDER BY fairs.name, award_awards.name");
$q->execute();
$q->execute([$config['FAIRYEAR']]);
show_pdo_errors_if_any($pdo);
?>

28
admin/awards.inc.php
View File

@ -27,8 +27,8 @@ function award_delete($award_awards_id)
{
/* Delete all winners attached to this award */
$q = $pdo->prepare("SELECT id FROM award_prizes WHERE award_awards_id='$award_awards_id'");
$q->execute();
$q = $pdo->prepare("SELECT id FROM award_prizes WHERE award_awards_id=?");
$q->execute([$award_awards_id]);
while (($p = $q->fetch(PDO::FETCH_ASSOC))) {
$q = $pdo->prepare();
@ -40,26 +40,26 @@ function award_delete($award_awards_id)
/* Delete the award */
$q = $pdo->prepare("DELETE FROM award_prizes WHERE award_awards_id='$award_awards_id'");
$q->execute();
$q = $pdo->prepare("DELETE FROM award_prizes WHERE award_awards_id=?");
$q->execute([$award_awards_id]);
$q = $pdo->prepare("DELETE FROM award_awards_projectcategories WHERE award_awards_id='$award_awards_id'");
$q->execute();
$q = $pdo->prepare("DELETE FROM award_awards_projectcategories WHERE award_awards_id=?");
$q->execute([$award_awards_id]);
$q = $pdo->prepare("DELETE FROM award_awards_projectdivisions WHERE award_awards_id='$award_awards_id'");
$q->execute();
$q = $pdo->prepare("DELETE FROM award_awards_projectdivisions WHERE award_awards_id=?");
$q->execute([$award_awards_id]);
$q = $pdo->prepare("DELETE FROM award_awards WHERE id='$award_awards_id'");
$q->execute();
$q = $pdo->prepare("DELETE FROM award_awards WHERE id=?");
$q->execute([$award_awards_id]);
}
function award_prize_delete($award_prizes_id)
{
$q = $pdo->prepare("DELETE FROM winners WHERE award_prizes_id='$award_prizes_id'");
$q->execute();
$q = $pdo->prepare("DELETE FROM winners WHERE award_prizes_id=?");
$q->execute([$award_prizes_id]);
$q = $pdo->prepare("DELETE FROM award_prizes WHERE id='$award_prizes_id'");
$q->execute();
$q = $pdo->prepare("DELETE FROM award_prizes WHERE id=?");
$q->execute([$award_prizes_id]);
}
?>

26
admin/cms.php
View File

@ -71,14 +71,14 @@ if (get_value_from_array($_POST, 'action') == 'save') {
$text = stripslashes(get_value_from_array($_POST, $textname, ''));
$q = $pdo->prepare("INSERT INTO cms (filename,dt,lang,text,title,showlogo) VALUES (
'" . $filename . "',
'$insertdt',
'$lang',
'" . $text . "',
'" . get_value_from_array($_POST, $titlename, '') . "',
'" . get_value_from_array($_POST, $showlogoname, '') . "'
?,
?,
?,
?,
?,
?
)");
$q->execute();
$q->execute([$filename,$insertdt,$lang,$text,get_value_from_array($_POST, $titlename, ''),get_value_from_array($_POST, $showlogoname, '')]);
if ($pdo->errorInfo()) {
echo error(i18n('An error occurred saving %1 in %2', array($filename, $langname)));
$err = true;
@ -103,8 +103,8 @@ if (get_value_from_array($_GET, 'filename', '') || get_value_from_array($_GET, '
echo '<table class="tableview" width="100%">';
echo '<tr><th colspan="2">';
$q = $pdo->prepare("SELECT * FROM cms WHERE filename='" . get_value_from_array($_GET, 'filename', '') . "' AND lang='$lang' ORDER BY dt DESC LIMIT 1");
$q->execute();
$q = $pdo->prepare("SELECT * FROM cms WHERE filename=? AND lang=? ORDER BY dt DESC LIMIT 1");
$q->execute([get_value_from_array($_GET, 'filename', ''),$lang]);
if ($r = $q->fetch(PDO::FETCH_OBJ)) {
if ($r->dt == '0000-00-00 00:00:00' || !$r->dt)
$dt = 'Never';
@ -112,8 +112,8 @@ if (get_value_from_array($_GET, 'filename', '') || get_value_from_array($_GET, '
$dt = $r->dt;
echo '<b>' . htmlspecialchars($_GET['filename']) . " - $langname</b> &nbsp;&nbsp; " . i18n('Last updated') . ": $dt<br />";
if ($_GET['dt']) {
$q2 = $pdo->prepare("SELECT * FROM cms WHERE filename='" . $_GET['filename'] . "' AND lang='$lang' AND dt<='" . $_GET['dt'] . "' ORDER BY dt DESC LIMIT 1");
$q2->execute();
$q2 = $pdo->prepare("SELECT * FROM cms WHERE filename=? AND lang=? AND dt<=? ORDER BY dt DESC LIMIT 1");
$q2->execute([$_GET['filename'], $lang, $_GET['dt']]);
$r2 = $q2->fetch(PDO::FETCH_OBJ);
if ($r2->dt != $r->dt) {
echo "Displaying historical file. Date: $r->dt";
@ -163,8 +163,8 @@ if (get_value_from_array($_GET, 'filename', '') || get_value_from_array($_GET, '
echo '<tr><th>' . i18n('File History') . "</th></tr>\n";
$q = $pdo->prepare("SELECT DISTINCT(dt) FROM cms WHERE filename='" . get_value_from_array($_GET, 'filename', '') . "' ORDER BY dt DESC LIMIT $historylimit");
$q->execute();
$q = $pdo->prepare("SELECT DISTINCT(dt) FROM cms WHERE filename=? ORDER BY dt DESC LIMIT ?");
$q->execute([get_value_from_array($_GET, 'filename', ''),$historylimit]);
$first = true;
if ($q->rowCount()) {
while ($r = $q->fetch(PDO::FETCH_OBJ)) {

34
admin/committees.php
View File

@ -127,8 +127,8 @@ global $uid;
if (get_value_from_array($_POST, 'addcommittee')) {
// add a new committee
// re-order the committees
$q = $pdo->prepare("INSERT INTO committees (name) VALUES ('" . $_POST['addcommittee'] . "')");
$q->execute();
$q = $pdo->prepare("INSERT INTO committees (name) VALUES (?)");
$q->execute([$_POST['addcommittee']]);
echo happy(i18n('Committee successfully added'));
}
@ -143,8 +143,8 @@ if (get_value_from_array($_POST, 'committees_id') && get_value_from_array($_POST
while (get_value_from_array($ids, $x)) {
$cid = intval($ids[$x]);
$q = $pdo->prepare("UPDATE committees SET ord='" . intval($ords[$x]) . "' WHERE id='$cid'");
$q->execute();
$q = $pdo->prepare("UPDATE committees SET ord=? WHERE id=?");
$q->execute([intval($ords[$x]),$cid]);
$x++;
$ctitle = $titles[$cid];
@ -163,9 +163,9 @@ if (get_value_from_array($_POST, 'committees_id') && get_value_from_array($_POST
$t = stripslashes($title);
$u = intval($uid);
$q = $pdo->prepare("UPDATE committees_link SET title='$t', ord='$o'
WHERE committees_id='$cid' AND users_uid='$u'");
$q->execute();
$q = $pdo->prepare("UPDATE committees_link SET title=?, ord=?
WHERE committees_id=? AND users_uid=?");
$q->execute([$t,$o,$cid,$u]);
}
}
echo happy(i18n('Committees successfully saved'));
@ -174,12 +174,12 @@ if (get_value_from_array($_POST, 'committees_id') && get_value_from_array($_POST
if (get_value_from_array($_POST, 'action') == 'assign') {
if (get_value_from_array($_POST, 'committees_id') && get_value_from_array($_POST, 'users_uid')) {
$cid = intval($_POST['committees_id']);
$q = $pdo->prepare("SELECT * FROM committees_link WHERE committees_id='$cid' AND users_uid='$uid'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM committees_link WHERE committees_id=? AND users_uid=?");
$q->execute([$cid,$uid]);
if (!$q->rowCount()) {
$q = $pdo->prepare("INSERT INTO committees_link (committees_id,users_uid) VALUES ('$cid','$uid')");
$q->execute();
$q = $pdo->prepare("INSERT INTO committees_link (committees_id,users_uid) VALUES (?,?)");
$q->execute([$cid,$uid]);
echo happy(i18n('Successfully added member to committee'));
} else
echo error(i18n('That member already exists in that committee'));
@ -190,8 +190,8 @@ if (get_value_from_array($_POST, 'action') == 'assign') {
if (get_value_from_array($_GET, 'deletecommittee')) {
$del = intval($_GET['deletecommittee']);
$q = $pdo->prepare("DELETE FROM committees WHERE id='$del'");
$q->execute();
$q = $pdo->prepare("DELETE FROM committees WHERE id=?");
$q->execute([$del]);
echo happy(i18n('Committee removed'));
}
@ -206,8 +206,8 @@ if (get_value_from_array($_GET, 'unlinkmember') && get_value_from_array($_GET, '
$com = intval($_GET['unlinkcommittee']);
// unlink the member from the committee
$q = $pdo->prepare("DELETE FROM committees_link WHERE users_uid='$mem' AND committees_id='$com'");
$q->execute();
$q = $pdo->prepare("DELETE FROM committees_link WHERE users_uid=? AND committees_id=?");
$q->execute([$mem,$com]);
echo happy(i18n('Committee member unlinked from committee'));
}
@ -313,11 +313,11 @@ if ($q->rowCount()) {
users.lastname
FROM committees_link
JOIN users ON users.uid = committees_link.users_uid
WHERE committees_id='{$r->id}'
WHERE committees_id=?
GROUP BY users.uid
ORDER BY ord,
users.lastname ");
$q2->execute();
$q2->execute([$r->id]);
if ($q2->rowCount() == 0) {
echo '&nbsp; &nbsp;';

62
admin/communication.php
View File

@ -46,8 +46,8 @@ function launchQueue()
switch (get_value_from_array($_GET, 'action')) {
case 'dialog_choose_load':
$emails_id = intval($_GET['emails_id']);
$q = $pdo->prepare("SELECT * FROM emails WHERE id='$emails_id'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM emails WHERE id=?");
$q->execute([$emails_id]);
$e = $q->fetch(PDO::FETCH_ASSOC);
?>
<table class="editor">
@ -70,8 +70,8 @@ case 'dialog_choose':
<option value="-1">-- <?= i18n('Choose a Communication') ?> --</option>
<?
$type = $pdo->quote($_GET['type']);
$q = $pdo->prepare("SELECT * FROM emails WHERE type='$type'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM emails WHERE type=?");
$q->execute([$type]);
while ($e = $q->fetch(PDO::FETCH_ASSOC)) {
echo "<option value=\"{$e['id']}\">{$e['name']}</option>";
}
@ -173,8 +173,8 @@ case 'email_save':
if ($id == 0) {
if ($key && $name) {
$q = $pdo->prepare("INSERT INTO emails(type,val) VALUES('$type','$key')");
$q->execute();
$q = $pdo->prepare("INSERT INTO emails(type,val) VALUES(?,?)");
$q->execute([$type,$key]);
show_pdo_errors_if_any($pdo);
$id = lastInsertId();
} else {
@ -188,15 +188,15 @@ case 'email_save':
$body = getTextFromHtml($bodyhtml);
$q = $pdo->prepare("UPDATE emails SET
name='$name',
description='$description',
`from`='$from',
subject='$subject',
body='$body',
bodyhtml='$bodyhtml',
fundraising_campaigns_id=$fcstr
WHERE id='$id'");
$q->execute();
name=?,
description=?,
`from`=?,
subject=?,
body=?,
bodyhtml=?,
fundraising_campaigns_id=?
WHERE id=?");
$q->execute([$name,$description,$from,$subject,$body,$bodyhtml,$fcstr,$id]);
show_pdo_errors_if_any($pdo);
happy_('Email Saved');
exit;
@ -215,8 +215,8 @@ case 'dialog_edit':
if (array_key_exists('fundraising_campaigns_id', $_GET)) {
$fcid = intval($_GET['fundraising_campaigns_id']);
$type = 'fundraising';
$q = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE id='$fcid'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE id=?");
$q->execute([$fcid]);
$fc = $q->fetch(PDO::FETCH_OBJ);
$name = i18n('%1 communication for %2', array(ucfirst($key), $fc->name));
} else {
@ -227,8 +227,8 @@ case 'dialog_edit':
$from = $_SESSION['name'] . ' <' . $_SESSION['email'] . '>';
}
if ($id) {
$q = $pdo->prepare("SELECT * FROM emails WHERE id='$id'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM emails WHERE id=?");
$q->execute([$id]);
if ($q->rowCount() != 1) {
echo 'Ambiguous edit';
exit;
@ -408,20 +408,20 @@ case 'dialog_send':
$fcid = intval($_GET['fundraising_campaigns_id']);
$emailid = intval($_GET['emails_id']);
$fcq = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE id='$fcid'");
$fcq->execute();
$fcq = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE id=?");
$fcq->execute([$fcid]);
$fc = $fcq->fetch(PDO::FETCH_OBJ);
$emailq = $pdo->prepare("SELECT * FROM emails WHERE id='$emailid'");
$emailq->execute();
$emailq = $pdo->prepare("SELECT * FROM emails WHERE id=?");
$emailq->execute([$emailid]);
$email = $email->fetch(PDO::FETCH_OBJ);
?>
<form id="send">
<table style="width:100%">
<?
$q = $pdo->prepare("SELECT COUNT(*) AS num FROM fundraising_campaigns_users_link WHERE fundraising_campaigns_id='$fcid'");
$q->execute();
$q = $pdo->prepare("SELECT COUNT(*) AS num FROM fundraising_campaigns_users_link WHERE fundraising_campaigns_id=?");
$q->execute([$fcid]);
$r = $q->fetch(PDO::FETCH_OBJ);
$numrecipients = $r->num;
@ -513,8 +513,8 @@ case 'dialog_sender':
$u = user_load_by_uid(intval($_GET['uid']));
if ($_GET['template']) {
$emailq = $pdo->prepare("SELECT * FROM emails WHERE `val`='" . $_GET['template'] . "'");
$emailq->execute();
$emailq = $pdo->prepare("SELECT * FROM emails WHERE `val`=?");
$emailq->execute([$_GET['template']]);
$e = $emailq->fetch(PDO::FETCH_ASSOC);
} else
$e = null;
@ -657,11 +657,11 @@ case 'dialog_sender':
case 'cancel':
if ($_GET['cancel']) {
$q = $pdo->prepare("UPDATE emailqueue SET finished=NOW() WHERE id='" . intval($_GET['cancel']) . "'");
$q->execute();
$q = $pdo->prepare("UPDATE emailqueue SET finished=NOW() WHERE id=?");
$q->execute([intval($_GET['cancel'])]);
$q = $pdo->prepare("UPDATE emailqueue_recipients SET result='cancelled' WHERE emailqueue_id='" . intval($_GET['cancel']) . "' AND sent IS NULL AND result IS NULL");
$q->execute();
$q = $pdo->prepare("UPDATE emailqueue_recipients SET result='cancelled' WHERE emailqueue_id=? AND sent IS NULL AND result IS NULL");
$q->execute([intval($_GET['cancel'])]);
echo 'ok';
}
exit;

1585
common.inc.php
View File

File diff suppressed because it is too large Load Diff

14
config_editor.inc.php
View File

@ -29,9 +29,9 @@ include_once ('helper.inc.php');
function config_editor_load($category, $year)
{
global $pdo;
$query = "SELECT * FROM config WHERE year='$year' AND category='$category' ORDER BY ord";
$query = "SELECT * FROM config WHERE year=? AND category=? ORDER BY ord";
$q = $pdo->prepare($query);
$q->execute();
$q->execute([$year, $category]);
// print_r($pdo->errorInfo());
$var = array();
@ -94,10 +94,10 @@ function config_update_variables($fairyear = NULL, $lastfairyear = NULL)
*/
$q = $pdo->prepare("SELECT config.var FROM `config`
LEFT JOIN `config` AS C2 ON(config.var=C2.var
AND C2.year='$fairyear')
AND C2.year=?)
WHERE config.year=-1 AND C2.year IS NULL");
$q->execute();
$q->execute([$fairyear]);
show_pdo_errors_if_any($pdo);
while ($i = $q->fetch(PDO::FETCH_ASSOC)) {
@ -108,11 +108,11 @@ function config_update_variables($fairyear = NULL, $lastfairyear = NULL)
* the -1 year, prefer last year's value
*/
$r2 = $pdo->prepare("SELECT * FROM `config`
WHERE config.var='$var'
AND (config.year='$lastfairyear'
WHERE config.var=?
AND (config.year=?
OR config.year='-1')
ORDER BY config.year DESC");
$r2->execute();
$r2->execute([$var, $lastfairyear]);
show_pdo_errors_if_any($pdo);
if ($r2->rowCount() < 1) {

14
judge.inc.php
View File

@ -48,15 +48,15 @@ function judge_status_expertise(&$u)
}
/* Check to see if they have ranked all project age categories, and all divisions */
$q = $pdo->prepare("SELECT COUNT(id) AS num FROM projectcategories WHERE year='" . $config['FAIRYEAR'] . "'");
$q->execute();
$q = $pdo->prepare("SELECT COUNT(id) AS num FROM projectcategories WHERE year=?");
$q->execute([$config['FAIRYEAR']]);
$r = $q->fetch(PDO::FETCH_OBJ);
$numcats = $r->num;
if ($numcats != count(get_value_from_array($u, 'cat_prefs', [])))
return 'incomplete';
$q = $pdo->prepare("SELECT COUNT(id) AS num FROM projectdivisions WHERE year='" . $config['FAIRYEAR'] . "'");
$q->execute();
$q = $pdo->prepare("SELECT COUNT(id) AS num FROM projectdivisions WHERE year=?");
$q->execute([$config['FAIRYEAR']]);
$r = $q->fetch(PDO::FETCH_OBJ);
$numdivisions = $r->num;
if ($numdivisions != count($u['div_prefs']))
@ -86,7 +86,7 @@ function judge_status_questions($u)
global $config, $pdo;
// get the questions we're looking for
$q = $pdo->prepare('SELECT id FROM questions WHERE year=' . $config['FAIRYEAR'] . " AND required='yes'");
$q->execute();
$q->execute([]);
$idList = array();
while ($row = $q->fetch(PDO::FETCH_ASSOC))
$idList[] = $row['id'];
@ -116,8 +116,8 @@ function judge_status_special_awards(&$u)
*/
$qq = $pdo->prepare("SELECT COUNT(id) AS num FROM judges_specialaward_sel
WHERE users_id='{$u['id']}'");
$qq->execute();
WHERE users_id=?");
$qq->execute([$u['id']]);
$rr = $qq->fetch(PDO::FETCH_OBJ);
$awards_selected = $rr->num;
// echo "$awards_selected awards selected, ({$config['judges_specialaward_min']} - {$config['judges_specialaward_max']})";

12
judge_availability.php
View File

@ -49,8 +49,8 @@ $u = user_load($eid);
$times = array();
/* Load the judging rounds */
$q = $pdo->prepare("SELECT date,starttime,endtime,name FROM judges_timeslots WHERE round_id='0' AND year='{$config['FAIRYEAR']}' ORDER BY starttime,type");
$q->execute();
$q = $pdo->prepare("SELECT date,starttime,endtime,name FROM judges_timeslots WHERE round_id='0' AND year=? ORDER BY starttime,type");
$q->execute([$config['FAIRYEAR']]);
$x = 0;
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
$found = false;
@ -72,8 +72,8 @@ while ($r = $q->fetch(PDO::FETCH_OBJ)) {
switch (get_value_from_array($_GET, 'action')) {
case 'save':
$stmt = $pdo->prepare("DELETE FROM judges_availability WHERE users_id='{$u['id']}'");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM judges_availability WHERE users_id=?");
$stmt->execute([$u['id']]);
if (is_array($_POST['time'])) {
foreach ($_POST['time'] as $x) {
@ -129,8 +129,8 @@ if (get_value_from_array($_SESSION, 'embed') != true) {
<table>
<?
/* Get all their available times */
$q = $pdo->prepare("SELECT * FROM judges_availability WHERE users_id=\"{$u['id']}\" ORDER BY `start`");
$q->execute();
$q = $pdo->prepare("SELECT * FROM judges_availability WHERE users_id=? ORDER BY `start`");
$q->execute([$u['id']]);
$sel = array();
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
foreach ($times as $x => $t) {

12
judge_expertise.php
View File

@ -133,8 +133,8 @@ if ($u['special_award_only'] == 'yes') {
echo "<form name=\"expertiseform\" id=\"judgeexpertise_form\">\n";
echo "<input type=\"hidden\" name=\"users_id\" value=\"{$u['id']}\">\n";
$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year='{$config['FAIRYEAR']}' ORDER BY mingrade");
$q->execute();
$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year=? ORDER BY mingrade");
$q->execute([$config['FAIRYEAR']]);
echo '<br /><h4>' . i18n('Age Category Preferences') . '</h4><br>';
echo '<table class="editor" style="width: 300px;" >';
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
@ -171,8 +171,8 @@ echo '<br />';
echo "<table>\n";
// query all of the categories
$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year='{$config['FAIRYEAR']}' ORDER BY division");
$q->execute();
$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year=? ORDER BY division");
$q->execute([$config['FAIRYEAR']]);
$first = true;
$trclass = '';
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
@ -199,8 +199,8 @@ while ($r = $q->fetch(PDO::FETCH_OBJ)) {
// only show the sub-divisions if the 'main' division is scored >=3
if ($u['div_prefs'][$r->id] >= 3) {
$subq = $pdo->prepare("SELECT * FROM projectsubdivisions WHERE projectdivisions_id='$r->id' AND year='" . $config['FAIRYEAR'] . "' ORDER BY subdivision");
$subq->execute();
$subq = $pdo->prepare("SELECT * FROM projectsubdivisions WHERE projectdivisions_id=? AND year=? ORDER BY subdivision");
$subq->execute([$r->id, $config['FAIRYEAR']]);
while ($subr = $subq->fetch(PDO::FETCH_OBJ)) {
echo '<tr>';
echo '<td>&nbsp;</td>';

8
judge_main.php
View File

@ -49,8 +49,8 @@ echo '<br />';
$scheduleok = false;
if ($config['dates']['judgescheduleavailable'] && $config['dates']['judgescheduleavailable'] != '0000-00-00 00:00:00') {
$q = $pdo->prepare("SELECT (NOW()>'" . $config['dates']['judgescheduleavailable'] . "') AS test");
$q->execute();
$q = $pdo->prepare("SELECT (NOW()>?) AS test");
$q->execute([$config['dates']['judgescheduleavailable']]);
$r = $q->fetch(PDO::FETCH_OBJ);
$scheduleok = $r->test;
} else {
@ -64,8 +64,8 @@ if ($scheduleok) {
* it's less obvious below
*/
$q = $pdo->prepare("SELECT id FROM judges_teams_link WHERE
users_id='{$u['id']}' AND year='{$config['FAIRYEAR']}'");
$q->execute();
users_id=? AND year=?");
$q->execute([$u['id'], $config['FAIRYEAR']]);
if ($q->rowCount() > 0) {
echo '<span style="font-size: 1.2em; font-weight: bold;">';
echo i18n('You have been assigned to a judging team. %1Click here%2 to view the judging schedule',

12
judge_project_summary.php
View File

@ -31,9 +31,9 @@ user_auth_required(array('judge', 'committee'));
$pn = stripslashes($_GET['pn']);
$q = $pdo->prepare("SELECT * FROM projects WHERE
projectnumber='$pn'
AND year='{$config['FAIRYEAR']}'");
$q->execute();
projectnumber=?
AND year=?");
$q->execute([$pn, $config['FAIRYEAR']]);
if ($q->rowCount() == 0) {
echo 'not found';
exit;
@ -43,9 +43,9 @@ $pi = $q->fetch(PDO::FETCH_OBJ);
$sq = $pdo->prepare("SELECT firstname,lastname,school FROM students
LEFT JOIN schools ON schools.id = students.schools_id
WHERE
registrations_id='{$pi->registrations_id}'
AND students.year='{$config['FAIRYEAR']}'");
$sq->execute();
registrations_id=?
AND students.year=?");
$sq->execute([$pi->registrations_id, $config['FAIRYEAR']]);
$student = array();
while ($si = $sq->fetch(PDO::FETCH_OBJ)) {

26
judge_schedule.php
View File

@ -57,8 +57,8 @@ send_header('Schedule',
$scheduleok = false;
if ($config['dates']['judgescheduleavailable'] && $config['dates']['judgescheduleavailable'] != '0000-00-00 00:00:00') {
$q = $pdo->prepare("SELECT (NOW()>'" . $config['dates']['judgescheduleavailable'] . "') AS test");
$q->execute();
$q = $pdo->prepare("SELECT (NOW()>?");
$q->execute([$config['dates']['judgescheduleavailable']]);
$r = $q->fetch(PDO::FETCH_OBJ);
$scheduleok = $r->test;
} else {
@ -76,17 +76,17 @@ if (!$scheduleok) {
/* Find all judging teams this judge is on */
$q = $pdo->prepare("SELECT * FROM judges_teams_link
LEFT JOIN judges_teams ON judges_teams.id=judges_teams_link.judges_teams_id
WHERE judges_teams_link.users_id='{$u['id']}'
AND judges_teams_link.year='{$config['FAIRYEAR']}'");
$q->execute();
WHERE judges_teams_link.users_id=?
AND judges_teams_link.year=?");
$q->execute([$u['id'], $config['FAIRYEAR']]);
$teams = array();
while ($t = $q->fetch(PDO::FETCH_ASSOC)) {
/* Load timeslot data for this team (team -> judges_timeslots_link -> timeslot -> parent timeslot */
$qq = $pdo->prepare("SELECT T.* FROM judges_teams_timeslots_link
LEFT JOIN judges_timeslots ON judges_timeslots.id=judges_teams_timeslots_link.judges_timeslots_id
LEFT JOIN judges_timeslots AS T ON T.id=judges_timeslots.round_id
WHERE judges_teams_timeslots_link.judges_teams_id={$t['judges_teams_id']}");
$qq->execute();
WHERE judges_teams_timeslots_link.judges_teams_id=?");
$qq->execute([$t['judges_teams_id']]);
$tt = $qq->fetch(PDO::FETCH_ASSOC);
show_pdo_errors_if_any($pdo);
$t['timeslot'] = $tt;
@ -95,8 +95,8 @@ while ($t = $q->fetch(PDO::FETCH_ASSOC)) {
$qq = $pdo->prepare("SELECT award_awards.*,T.type FROM judges_teams_awards_link
LEFT JOIN award_awards ON award_awards.id=judges_teams_awards_link.award_awards_id
LEFT JOIN award_types as T ON T.id=award_awards.award_types_id
WHERE judges_teams_awards_link.judges_teams_id={$t['judges_teams_id']}");
$qq->execute();
WHERE judges_teams_awards_link.judges_teams_id=?");
$qq->execute([$t['judges_teams_id']]);
show_pdo_errors_if_any($pdo);
$aa = $qq->fetch(PDO::FETCH_ASSOC);
$t['award'] = $aa;
@ -104,9 +104,9 @@ while ($t = $q->fetch(PDO::FETCH_ASSOC)) {
/* Load team members */
$qq = $pdo->prepare("SELECT * FROM judges_teams_link
LEFT JOIN users ON users.id=judges_teams_link.users_id
WHERE judges_teams_link.judges_teams_id={$t['judges_teams_id']}
WHERE judges_teams_link.judges_teams_id=?
ORDER BY judges_teams_link.captain,users.lastname,users.firstname");
$qq->execute();
$qq->execute([$t['judges_teams_id']]);
$t['members'] = array();
while (($mm = $qq->fetch(PDO::FETCH_ASSOC))) {
@ -116,8 +116,8 @@ while ($t = $q->fetch(PDO::FETCH_ASSOC)) {
/* Load projects */
$qq = $do->prepare("SELECT projects.id,projects.projectnumber,projects.title FROM judges_teams_timeslots_projects_link
LEFT JOIN projects ON projects.id=judges_teams_timeslots_projects_link.projects_id
WHERE judges_teams_id={$t['judges_teams_id']}");
$qq->execute();
WHERE judges_teams_id=?");
$qq->execute([$t['judges_teams_id']]);
$p = array();
while (($pp = $qq->fetch(PDO::FETCH_ASSOC)))
$p[] = $pp;

18
judge_special_awards.php
View File

@ -50,14 +50,14 @@ $u = user_load($eid);
switch (get_value_from_array($_GET, 'action')) {
case 'save':
// first delete all their old associations for this year..
$stmt = $pdo->prepare("DELETE FROM judges_specialaward_sel WHERE users_id='{$u['id']}'");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM judges_specialaward_sel WHERE users_id=?");
$stmt->execute([$u['id']]);
if (array_key_exists('spaward', $_POST)) {
foreach ($_POST['spaward'] AS $aid) {
$stmt = $pdo->prepare("INSERT INTO judges_specialaward_sel (users_id, award_awards_id)
VALUES ('{$u['id']}','$aid')");
$stmt->execute();
VALUES (?,?)");
$stmt->execute([$u['id'], $aid]);
}
}
happy_('Special Award preferences successfully saved');
@ -110,8 +110,8 @@ if ($u['special_award_only'] == 'yes') {
echo '<br />';
echo '<br />';
$q = $pdo->prepare("SELECT * FROM judges_specialaward_sel WHERE users_id='{$u['id']}'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM judges_specialaward_sel WHERE users_id=?");
$q->execute([$u['id']]);
$spawards = array();
while ($r = $q->fetch(PDO::FETCH_OBJ))
$spawards[] = $r->award_awards_id;
@ -131,11 +131,11 @@ $q = $pdo->prepare("SELECT award_awards.id,
award_types.id=award_awards.award_types_id\t\t
AND sponsors.id=award_awards.sponsors_id\t\t
AND (award_types.type='Special' OR award_types.type='Other')
AND award_awards.year='{$config['FAIRYEAR']}'
AND award_types.year='{$config['FAIRYEAR']}'
AND award_awards.year=?
AND award_types.year=?
ORDER BY
name");
$q->execute();
$q->execute([$config['FAIRYEAR'], $config['FAIRYEAR']]);
show_pdo_errors_if_any($pdo);
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
?>

4
lpdf.php
View File

@ -223,8 +223,8 @@ class lpdf
// echo "breaking because nr==prevnr ($nr==$prevnr) trying to output [$textstr] (debug: fontsize=$fontsize, lineheight=$lineheight, stringwidth=$stringwidth, left=".$this->loc(0.75).", top=".$this->loc($this->yloc).", width=".$this->loc(7).", height=$lineheight)\n";
break;
}
$q=$pdo->prepare("SELECT * FROM translations WHERE lang='".$_SESSION['lang']."' AND strmd5='".md5($str)."'");
$q->execute();
$q=$pdo->prepare("SELECT * FROM translations WHERE lang=? AND strmd5=?");
$q->execute([$_SESSION['lang'], md5($str)]);
if($r=$q->fetch(PDO::FETCH_OBJ))
$prevnr=$nr;

68
projects.inc.php
View File

@ -42,17 +42,17 @@ function getProjectsEligibleForAward($award_id)
award_awards_projectdivisions,
projects
WHERE
award_awards.id='$award_id'
award_awards.id=?
AND award_awards.id=award_awards_projectcategories.award_awards_id
AND award_awards.id=award_awards_projectdivisions.award_awards_id
AND projects.projectcategories_id=award_awards_projectcategories.projectcategories_id
AND projects.projectdivisions_id=award_awards_projectdivisions.projectdivisions_id
AND projects.projectnumber is not null
AND projects.year='" . $config['FAIRYEAR'] . "'
AND projects.year=?'
ORDER BY
projectsort
");
$prjq->execute();
$prjq->execute($award_id, [$config['FAIRYEAR']]);
$projects = array();
while ($prjr = $prjq->fetch(PDO::FETCH_OBJ)) {
$projects[$prjr->projectnumber] = array(
@ -76,17 +76,17 @@ function getLanguagesOfProjectsEligibleForAward($award_id)
award_awards_projectdivisions,
projects
WHERE
award_awards.id='$award_id'
award_awards.id=?
AND award_awards.id=award_awards_projectcategories.award_awards_id
AND award_awards.id=award_awards_projectdivisions.award_awards_id
AND projects.projectcategories_id=award_awards_projectcategories.projectcategories_id
AND projects.projectdivisions_id=award_awards_projectdivisions.projectdivisions_id
AND projects.projectnumber is not null
AND projects.year='" . $config['FAIRYEAR'] . "'
AND projects.year=?
ORDER BY
language
");
$prjq->execute();
$prjq->execute([$award_id, $config['FAIRYEAR']]);
$languages = array();
while ($r = $prjq->fetch(PDO::FETCH_OBJ)) {
if ($r->language)
@ -100,8 +100,8 @@ function getProjectsEligibleOrNominatedForAwards($awards_ids_array)
global $pdo;
$projects = array();
foreach ($awards_ids_array AS $award_id) {
$q = $pdo->prepare("SELECT award_types.type FROM award_awards, award_types WHERE award_awards.id='$award_id' AND award_awards.award_types_id=award_types.id");
$q->execute();
$q = $pdo->prepare("SELECT award_types.type FROM award_awards, award_types WHERE award_awards.id=? AND award_awards.award_types_id=award_types.id");
$q->execute([$award_id]);
$r = $q->fetch(PDO::FETCH_OBJ);
$awardprojects = array();
@ -149,14 +149,14 @@ function getSpecialAwardsEligibleForProject($projectid)
AND projects.projectcategories_ipreparequeryd=award_awards_projectcategories.projectcategories_id
AND projects.projectdivisions_id=award_awards_projectdivisions.projectdivisions_id
AND award_awards.id is not null
AND projects.year='" . $config['FAIRYEAR'] . "'
AND projects.id='$projectid'
AND award_types.year='" . $config['FAIRYEAR'] . "'
AND award_awards.year='" . $config['FAIRYEAR'] . "'
AND projects.year=?
AND projects.id=?
AND award_types.year=?
AND award_awards.year=?
ORDER BY
award_awards.name
");
$awardsq->execute();
$awardsq->execute([$config['FAIRYEAR'], $config['FAIRYEAR'], $config['FAIRYEAR']]);
$awards = array();
show_pdo_errors_if_any($pdo);
while ($r = $awardsq->fetch(PDO::FETCH_OBJ)) {
@ -185,14 +185,14 @@ function getSpecialAwardsNominatedForProject($projectid)
project_specialawards_link,
projects
WHERE
project_specialawards_link.projects_id='$projectid'
project_specialawards_link.projects_id=?
AND project_specialawards_link.award_awards_id=award_awards.id
AND projects.year='" . $config['FAIRYEAR'] . "'
AND projects.id='$projectid'
AND projects.year=?
AND projects.id=?
ORDER BY
award_awards.name
");
$awardsq->execute();
$awardsq->execute([$projectid, $config['FAIRYEAR'], $projectid]);
$awards = array();
show_pdo_errors_if_any($pdo);
while ($r = $awardsq->fetch(PDO::FETCH_OBJ)) {
@ -215,12 +215,12 @@ function getNominatedForNoSpecialAwardsForProject($projectid)
project_specialawards_link,
projects
WHERE
project_specialawards_link.projects_id='$projectid'
AND projects.year='" . $config['FAIRYEAR'] . "'
AND projects.id='$projectid'
project_specialawards_link.projects_id=?
AND projects.year=?
AND projects.id=?
AND project_specialawards_link.award_awards_id IS NULL
");
$awardsq->execute();
$awardsq->execute([$projectid, $config['FAIRYEAR'], $projectid]);
if ($awardsq->rowCount() == 1)
return true;
return false;
@ -242,14 +242,14 @@ function getProjectsNominatedForSpecialAward($award_id)
project_specialawards_link,
projects
WHERE
project_specialawards_link.award_awards_id='$award_id'
project_specialawards_link.award_awards_id=?
AND project_specialawards_link.projects_id=projects.id
AND projects.projectnumber is not null
AND projects.year='" . $config['FAIRYEAR'] . "'
AND projects.year=?
ORDER BY
projectsort
");
$prjq->execute();
$prjq->execute([$award_id, $config['FAIRYEAR']]);
$projects = array();
while ($prjr = $prjq->fetch(PDO::FETCH_OBJ)) {
$projects[$prjr->projectnumber] = array(
@ -279,13 +279,13 @@ function getLanguagesOfProjectsNominatedForSpecialAward($award_id)
project_specialawards_link,
projects
WHERE
project_specialawards_link.award_awards_id='$award_id'
project_specialawards_link.award_awards_id=?
AND project_specialawards_link.projects_id=projects.id
AND projects.projectnumber is not null
AND projects.year='" . $config['FAIRYEAR'] . "'
AND projects.year=?
ORDER BY language
");
$prjq->execute();
$prjq->execute([$award_id, $config['FAIRYEAR']]);
$languages = array();
while ($r = $prjq->fetch(PDO::FETCH_OBJ)) {
// dont count "" as a language, if the project doesnt have a language specified too bad they're up shit creek without a paddle
@ -316,17 +316,17 @@ function getSpecialAwardsNominatedByRegistrationID($id)
award_awards_projectdivisions,
projects
WHERE
award_awards.id='$award_id'
award_awards.id=?
AND award_awards.id=award_awards_projectcategories.award_awards_id
AND award_awards.id=award_awards_projectdivisions.award_awards_id
AND projects.projectcategories_id=award_awards_projectcategories.projectcategories_id
AND projects.projectdivisions_id=award_awards_projectdivisions.projectdivisions_id
AND projects.projectnumber is not null
AND projects.year='" . $config['FAIRYEAR'] . "'
AND projects.year=?
ORDER BY
projectsort
");
$awardq->execute();
$awardq->execute([$award_id, $config['FAIRYEAR']]);
$projects = array();
while ($prjr = $prjq->fetch(PDO::FETCH_OBJ)) {
$projects[$prjr->projectnumber] = array(
@ -342,15 +342,15 @@ function project_load($pid)
{
global $pdo;
/* Load this project */
$q = $pdo->prepare("SELECT * FROM projects WHERE id='$pid'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM projects WHERE id=?");
$q->execute([$pid]);
$proj = $q->fetch();
/* Load the students */
$q = $pdo->prepare("SELECT students.*,schools.school FROM students
LEFT JOIN schools ON schools.id=students.schools_id
WHERE registrations_id='{$proj['registrations_id']}' AND students.year='{$proj['year']}' ORDER BY students.id");
$q->execute();
WHERE registrations_id=? AND students.year=? ORDER BY students.id");
$q->execute([$proj['registrations_id'], $proj['year']]);
$proj['num_students'] = 0;
while ($s = $q->fetch(PDO::FETCH_OBJ)) {
$proj['num_students']++;

72
questions.inc.php
View File

@ -27,15 +27,15 @@
function questions_load_answers($section, $users_id)
{
global $pdo, $config;
$yearq = $pdo->prepare("SELECT `year` FROM users WHERE id='$users_id'");
$yearq->execute();
$yearq = $pdo->prepare("SELECT `year` FROM users WHERE id=?");
$yearq->execute([$users_id]);
$yearr = $yearq->fetch(PDO::FETCH_OBJ);
$ans = array();
$qs = questions_load_questions($section, $yearr->year);
foreach ($qs AS $id => $question) {
$q = $pdo->prepare("SELECT * FROM question_answers WHERE users_id='$users_id' AND questions_id='$id'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM question_answers WHERE users_id=? AND questions_id=?");
$q->execute([$users_id, $id]);
$r = $q->fetch(PDO::FETCH_OBJ);
$ans[$id] = get_value_or_default($r, 'answer', '');
}
@ -46,10 +46,10 @@ function questions_load_questions($section, $year)
{
global $pdo;
$q = $pdo->prepare('SELECT * FROM questions '
. "WHERE year='$year' "
. " AND section='$section' "
. "WHERE year=?"
. " AND section=?"
. 'ORDER BY ord ASC');
$q->execute();
$q->execute([$year, $section]);
show_pdo_errors_if_any($pdo);
@ -71,11 +71,11 @@ function questions_save_answers($section, $id, $answers)
global $config, $pdo;
$qs = questions_load_questions($section, $config['FAIRYEAR']);
$keys = array_keys($answers);
$q = $pdo->prepare("SELECT * FROM questions WHERE year='{$config['FAIRYEAR']}'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM questions WHERE year=?");
$q->execute([$config['FAIRYEAR']]);
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
$stmt = $pdo->prepare("DELETE FROM question_answers WHERE users_id='$id' AND questions_id='$r->id'");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM question_answers WHERE users_id=? AND questions_id=?");
$stmt->execute([$id, $r->id]);
show_pdo_errors_if_any($pdo);
}
@ -83,10 +83,8 @@ function questions_save_answers($section, $id, $answers)
foreach ($keys as $qid) {
/* Poll key */
$stmt = $pdo->prepare("INSERT INTO question_answers
(users_id,questions_id,answer) VALUES(
'$id','$qid',
'" . $answers[$qid] . "')");
$stmt->execute();
(users_id,questions_id,answer) VALUES(?,?,?)");
$stmt->execute([$id, $qid, $answers[$qid]]);
}
}
@ -94,9 +92,9 @@ function questions_find_question_id($section, $dbheading)
{
global $pdo;
$q = $pdo->prepare('SELECT id FROM questions WHERE '
. " section='$section' "
. " AND db_heading='$dbheading' ");
$q->execute();
. " section=?"
. " AND db_heading=?");
$q->execute([$section, $dbheading]);
if ($q->rowCount() == 1) {
$r = $q->fetch(PDO::FETCH_OBJ);
return $r->id;
@ -182,13 +180,13 @@ function questions_update_question($qs)
global $pdo;
$qs['ord'] = $qs['ord'] ?? '';
$stmt = $pdo->prepare("UPDATE questions SET
`question`='" . $qs['question'] . "',
`type`='" . $qs['type'] . "',
`db_heading`='" . $qs['db_heading'] . "',
`required`='" . $qs['required'] . "',
`ord`=" . intval($qs['ord'] . "
WHERE id='{$qs['id']}' "));
$stmt->execute();
`question`=?,
`type`=?,
`db_heading`=?,
`required`=?,
`ord`=?
WHERE id=?"));
$stmt->execute([$qs['question'], $qs['type'], $qs['db_heading'], $qs['required'], intval($qs['ord'], $qs['id']]);
show_pdo_errors_if_any($pdo);
}
@ -251,8 +249,8 @@ function questions_editor($section, $year, $array_name, $self)
$qs = questions_load_questions($section, $year);
/* Delete this question */
$stmt = $pdo->prepare("DELETE FROM questions WHERE id='$qid'");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM questions WHERE id=?");
$stmt->execute([$qid]);
/* Update the order of all questions after this one */
$keys = array_keys($qs);
@ -261,8 +259,8 @@ function questions_editor($section, $year, $array_name, $self)
continue;
if ($qs[$q]['ord'] > $qs[$qid]['ord']) {
$qs[$q]['ord']--;
$stmt = $pdo->prepare("UPDATE questions SET ord='{$qs[$q]['ord']}' WHERE id='$q'");
$stmt->execute();
$stmt = $pdo->prepare("UPDATE questions SET ord='{}' WHERE id=?");
$stmt->execute([$qs[$q]['ord'], $q]);
}
}
echo happy(i18n('Question successfully removed'));
@ -270,8 +268,8 @@ function questions_editor($section, $year, $array_name, $self)
if (get_value_from_array($_GET, 'action') == 'import' && get_value_from_array($_GET, 'impyear')) {
$x = 0;
$q = $pdo->prepare("SELECT * FROM questions WHERE year='{$_GET['impyear']}'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM questions WHERE year=?");
$q->execute([$_GET['impyear']]);
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
$x++;
$stmt = $pdo->prepare("INSERT INTO questions (id,year,section,db_heading,question,type,required,ord)
@ -331,8 +329,8 @@ function questions_editor($section, $year, $array_name, $self)
if ($qdir != 0) {
$qs[$qid]['ord'] += $qdir;
/* Update the db */
$stmt = $pdo->prepare("UPDATE questions SET ord='{$qs[$qid]['ord']}' WHERE id='$qid'");
$stmt->execute();
$stmt = $pdo->prepare("UPDATE questions SET ord=? WHERE id=?");
$stmt->execute([$qs[$qid]['ord'], $qid]);
$keys = array_keys($qs);
$originalq = $qs[$qid];
@ -343,12 +341,12 @@ function questions_editor($section, $year, $array_name, $self)
continue;
if ($qdir == 1) {
$qs[$q]['ord']--;
$stmt = $pdo->prepare("UPDATE questions SET ord='{$qs[$q]['ord']}' WHERE id='$q'");
$stmt->execute();
$stmt = $pdo->prepare("UPDATE questions SET ord=? WHERE id=?");
$stmt->execute([$qs[$q]['ord'], $q]);
} else {
$qs[$q]['ord']++;
$stmt = $pdo->prepare("UPDATE questions SET ord='{$qs[$q]['ord']}' WHERE id='$q'");
$stmt->execute();
$stmt = $pdo->prepare("UPDATE questions SET ord=? WHERE id=?");
$stmt->execute([$qs[$q]['ord'], $q]);
}
/*

92
register_participants.inc.php
View File

@ -26,8 +26,8 @@ function registrationFormsReceived($reg_id="")
{ global $pdo;
if($reg_id) $rid=$reg_id;
else $rid=$_SESSION['registration_id'];
$q=$pdo->prepare("SELECT status FROM registrations WHERE id='$rid'");
$q->execute();
$q=$pdo->prepare("SELECT status FROM registrations WHERE id=?");
$q->execute([$rid]);
$r=$q->fetch(PDO::FETCH_OBJ);
if($r->status=="complete" || $r->status=="paymentpending")
return true;
@ -38,8 +38,8 @@ function registrationFormsReceived($reg_id="")
function registrationDeadlinePassed()
{
global $config, $pdo;
$q=$pdo->prepare("SELECT (NOW()<'".$config['dates']['regclose']."') AS datecheck");
$q->execute();
$q=$pdo->prepare("SELECT (NOW()<?) AS datecheck");
$q->execute([$config['dates']['regclose']]);
$datecheck=$q->fetch(PDO::FETCH_OBJ);
if($datecheck->datecheck==1)
return false;
@ -62,8 +62,8 @@ function studentStatus($reg_id="")
if($reg_id) $rid=$reg_id;
else $rid=$_SESSION['registration_id'];
$q=$pdo->prepare("SELECT * FROM students WHERE registrations_id='$rid' AND year='".$config['FAIRYEAR']."'");
$q->execute();
$q=$pdo->prepare("SELECT * FROM students WHERE registrations_id=? AND year=?");
$q->execute([$rid,$config['FAIRYEAR']]);
//if we dont have the minimum, return incomplete
if($q->rowCount()<$config['minstudentsperproject'])
return "incomplete";
@ -97,14 +97,14 @@ function emergencycontactStatus($reg_id="")
if($reg_id) $rid=$reg_id;
else $rid=$_SESSION['registration_id'];
$sq=$pdo->prepare("SELECT id FROM students WHERE registrations_id='$rid' AND year='".$config['FAIRYEAR']."'");
$sq->execute();
$sq=$pdo->prepare("SELECT id FROM students WHERE registrations_id=? AND year=?");
$sq->execute([$rid, $config['FAIRYEAR']]);
$numstudents=$sq->rowCount();
while($sr=$sq->fetch(PDO::FETCH_OBJ))
{
$q=$pdo->prepare("SELECT * FROM emergencycontact WHERE registrations_id='$rid' AND year='".$config['FAIRYEAR']."' AND students_id='$sr->id'");
$q->execute();
$q=$pdo->prepare("SELECT * FROM emergencycontact WHERE registrations_id=? AND year=? AND students_id=?");
$q->execute([$rid, $config['FAIRYEAR'], $sr->id]);
$r=$q->fetch(PDO::FETCH_OBJ);
foreach ($required_fields AS $req)
@ -139,8 +139,8 @@ function projectStatus($reg_id="")
if($reg_id) $rid=$reg_id;
else $rid=$_SESSION['registration_id'];
$q=$pdo->prepare("SELECT * FROM projects WHERE registrations_id='$rid' AND year='".$config['FAIRYEAR']."'");
$q->execute();
$q=$pdo->prepare("SELECT * FROM projects WHERE registrations_id=? AND year=?");
$q->execute([$rid, $config['FAIRYEAR']]);
//if we dont have a project entry yet, return empty
if(!$q->rowCount())
return "empty";
@ -169,14 +169,14 @@ function mentorStatus($reg_id="")
else $rid=$_SESSION['registration_id'];
//first check the registrations table to see if 'nummentors' is set, or if its null
$q=$pdo->prepare("SELECT nummentors FROM registrations WHERE id='$rid' AND year='".$config['FAIRYEAR']."'");
$q->execute();
$q=$pdo->prepare("SELECT nummentors FROM registrations WHERE id=? AND year=?");
$q->execute([$rid, $config['FAIRYEAR']]);
$r=$q->fetch(PDO::FETCH_OBJ);
if($r->nummentors==null)
return "incomplete";
$q=$pdo->prepare("SELECT * FROM mentors WHERE registrations_id='$rid' AND year='".$config['FAIRYEAR']."'");
$q->execute();
$q=$pdo->prepare("SELECT * FROM mentors WHERE registrations_id=? AND year=?");
$q->execute([$rid, $config['FAIRYEAR']]);
//if we dont have the minimum, return incomplete
if($q->rowCount()<get_value_from_array($config, 'minmentorserproject'))
@ -206,16 +206,16 @@ function safetyStatus($reg_id="")
else $rid=$_SESSION['registration_id'];
//grab all of their answers
$q=$pdo->prepare("SELECT * FROM safety WHERE registrations_id='$rid'");
$q->execute();
$q=$pdo->prepare("SELECT * FROM safety WHERE registrations_id=?");
$q->execute([$rid]);
while($r=$q->fetch(PDO::FETCH_OBJ))
{
$safetyanswers[$r->safetyquestions_id]=$r->answer;
}
//now grab all the questions
$q=$pdo->prepare("SELECT * FROM safetyquestions WHERE year='".$config['FAIRYEAR']."' ORDER BY ord");
$q->execute();
$q=$pdo->prepare("SELECT * FROM safetyquestions WHERE year=? ORDER BY ord");
$q->execute([$config['FAIRYEAR']]);
while($r=$q->fetch(PDO::FETCH_OBJ))
{
if($r->required=="yes" && !$safetyanswers[$r->id])
@ -233,8 +233,8 @@ function spawardStatus($reg_id="")
if($reg_id) $rid=$reg_id;
else $rid=$_SESSION['registration_id'];
$q=$pdo->prepare("SELECT * FROM projects WHERE registrations_id='$rid'");
$q->execute();
$q=$pdo->prepare("SELECT * FROM projects WHERE registrations_id=?");
$q->execute([$rid]);
$project=$q->fetch(PDO::FETCH_OBJ);
/* We want this query to get any awards with a NULL award_awards_id */
@ -244,10 +244,10 @@ function spawardStatus($reg_id="")
project_specialawards_link,
projects
WHERE
project_specialawards_link.projects_id='".$project->id."'
AND projects.year='".$config['FAIRYEAR']."'
project_specialawards_link.projects_id=?
AND projects.year=?
");
$awardsq->execute();
$awardsq->execute([$project->id,$config['FAIRYEAR']]);
if($awardsq->rowCount())
return "complete";
@ -263,16 +263,16 @@ function tourStatus($reg_id="")
else $rid=$_SESSION['registration_id'];
/* Get the students for this project */
$q=$pdo->prepare("SELECT * FROM students WHERE registrations_id='$rid' AND year='".$config['FAIRYEAR']."'");
$q->execute();
$q=$pdo->prepare("SELECT * FROM students WHERE registrations_id=? AND year=?");
$q->execute([$rid,$config['FAIRYEAR']]);
$num_found = $q->rowCount();
$ret = "complete";
while($s=$q->fetch(PDO::FETCH_OBJ)) {
//grab all of their tour prefs
$sid = $s->id;
$qq=$pdo->prepare("SELECT * FROM tours_choice WHERE students_id='$sid' and year='{$config['FAIRYEAR']}' ORDER BY rank");
$qq->execute();
$qq=$pdo->prepare("SELECT * FROM tours_choice WHERE students_id=? and year=? ORDER BY rank");
$qq->execute([$sid, $config['FAIRYEAR']]);
$n_tours = $qq->rowCount();
if($n_tours > 0) {
/* See if there's a rank 0 tour (rank 0 == their tour assignment) */
@ -300,14 +300,14 @@ function namecheckStatus($reg_id="")
if($reg_id) {
$q=$pdo->prepare("SELECT * FROM students WHERE
registrations_id='$reg_id'
registrations_id=?
AND year='".$config['FAIRYEAR']."'");
$q->execute();
AND year=?");
$q->execute([$config['FAIRYEAR']]);
} else {
$q=$pdo->prepare("SELECT * FROM students WHERE
id='{$_SESSION['students_id']}'");
$q->execute();
id=?");
$q->execute([$reg_id, $_SESSION['students_id']]);
}
/* Get the students for this project */
@ -335,13 +335,13 @@ function generateProjectNumber($registration_id)
projectcategories,
projectdivisions
WHERE
registrations_id='$reg_id'
registrations_id=?
AND projects.projectdivisions_id=projectdivisions.id
AND projects.projectcategories_id=projectcategories.id
AND projectcategories.year='{$config['FAIRYEAR']}'
AND projectdivisions.year='{$config['FAIRYEAR']}'
AND projectcategories.year=?
AND projectdivisions.year=?
");
$q->execute();
$q->execute([$reg_id,$config['FAIRYEAR'],$config['FAIRYEAR']]);
show_pdo_errors_if_any($pdo);
$r=$q->fetch(PDO::FETCH_OBJ);
@ -376,10 +376,10 @@ function generateProjectNumber($registration_id)
$q = $pdo->prepare("SELECT projectnumber_seq,projectsort_seq,
projectdivisions_id,projectcategories_id
FROM projects
WHERE year='{$config['FAIRYEAR']}'
WHERE year=?
AND projectnumber_seq!='0'
AND projectnumber IS NOT NULL");
$q->execute();
$q->execute([$config['FAIRYEAR']]);
show_pdo_errors_if_any($pdo);
while($i = $q->fetch(PDO::FETCH_OBJ)) {
if( ($r->projectdivisions_id == $i->projectdivisions_id)
@ -455,12 +455,12 @@ function computeRegistrationFee($regid)
$regfee_items = array();
$q = $pdo->prepare("SELECT * FROM regfee_items
WHERE year='{$config['FAIRYEAR']}'");
$q->execute();
WHERE year=?");
$q->execute([$config['FAIRYEAR']]);
while($i = $q->fetch(PDO::FETCH_ASSOC)) $regfee_items[] = $i;
$q=$pdo->prepare("SELECT * FROM students WHERE registrations_id='$regid' AND year='".$config['FAIRYEAR']."'");
$q->execute();
$q=$pdo->prepare("SELECT * FROM students WHERE registrations_id=? AND year=?");
$q->execute([$regid, $config['FAIRYEAR']]);
$n_students = $q->rowCount();
$n_tshirts = 0;
$sel = array();
@ -471,8 +471,8 @@ function computeRegistrationFee($regid)
if($config['participant_regfee_items_enable'] != 'yes') continue;
$sel_q = $pdo->prepare("SELECT * FROM regfee_items_link
WHERE students_id={$s->id}");
$sel_q->execute();
WHERE students_id=?");
$sel_q->execute([$s->id]);
while($info_q = $sel_q->fetch(PDO::FETCH_ASSOC)) {
$sel[] = $info_q['regfee_items_id'];
}

28
register_participants.php
View File

@ -42,8 +42,8 @@ if (get_value_from_array($_POST, 'action') == 'new') {
$stmt = $pdo->prepare("INSERT INTO students (registrations_id,email,schools_id,year) VALUES ('$r->id','" . $_SESSION['email'] . "','" . $r->schools_id . "','" . $config['FAIRYEAR'] . "')");
$stmt->execute();
$stmt = $pdo->prepare("UPDATE registrations SET status='open' WHERE id='$r->id'");
$stmt->execute();
$stmt = $pdo->prepare("UPDATE registrations SET status='open' WHERE id=?");
$stmt->execute([$r->id]);
header('Location: register_participants_main.php');
exit;
@ -81,9 +81,9 @@ if (get_value_from_array($_POST, 'action') == 'new') {
$q = $pdo->prepare("SELECT registrations.num FROM
registrations
WHERE
registrations.email='" . $_SESSION['email'] . "'
AND registrations.year='" . $config['FAIRYEAR'] . "'");
$q->execute();
registrations.email=?
AND registrations.year=?");
$q->execute([$_SESSION['email'], $config['FAIRYEAR']]);
if ($q->rowCount())
$r = $q->fetch(PDO::FETCH_OBJ);
else {
@ -92,10 +92,10 @@ if (get_value_from_array($_POST, 'action') == 'new') {
registrations,
students
WHERE
students.email='" . $_SESSION['email'] . "'
students.email=?
AND students.registrations_id=registrations.id
AND registrations.year='" . $config['FAIRYEAR'] . "'");
$q->execute();
AND registrations.year=?");
$q->execute([$_SESSION['email'],$config['FAIRYEAR']]);
$r = $q->fetch(PDO::FETCH_OBJ);
}
@ -214,8 +214,8 @@ if (get_value_from_array($_POST, 'action') == 'login' && (get_value_from_array($
} else if ($config['participant_registration_type'] == 'schoolpassword') {
$showschoolpasswordform = true;
if ($_POST['schoolpassword'] && $_POST['schoolid']) {
$q = $pdo->prepare("SELECT registration_password FROM schools WHERE id='" . $_POST['schoolid'] . "' AND year='" . $config['FAIRYEAR'] . "'");
$q->execute();
$q = $pdo->prepare("SELECT registration_password FROM schools WHERE id=? AND year=?");
$q->execute([$_POST['schoolid'], $config['FAIRYEAR']]);
$r = $q->fetch(PDO::FETCH_OBJ);
if ($_POST['schoolpassword'] == $r->registration_password) {
@ -237,8 +237,8 @@ if (get_value_from_array($_POST, 'action') == 'login' && (get_value_from_array($
echo '<input type="hidden" name="action" value="login">';
echo i18n('Email Address:') . ' ' . $_SESSION['email'] . '<br />';
echo i18n('School: ');
$q = $pdo->prepare("SELECT id,school FROM schools WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY school");
$q->execute();
$q = $pdo->prepare("SELECT id,school FROM schools WHERE year=? ORDER BY school");
$q->execute([$config['FAIRYEAR']]);
echo '<select name="schoolid">';
echo '<option value="">' . i18n('Choose your school') . "</option>\n";
while ($r = $q->fetch(PDO::FETCH_OBJ))
@ -283,8 +283,8 @@ if (get_value_from_array($_POST, 'action') == 'login' && (get_value_from_array($
// random number between
// 100000 and 999999 (six digit integer)
$regnum = rand(100000, 999999);
$q = $pdo->prepare("SELECT * FROM registrations WHERE num='$regnum' AND year=" . $config['FAIRYEAR']);
$q->execute();
$q = $pdo->prepare("SELECT * FROM registrations WHERE num=? AND year=?");
$q->execute([$regnum, $config['FAIRYEAR']]);
} while ($q->rowCount() > 0);
if (!$schoolidquery)

16
register_participants_emergencycontact.php
View File

@ -75,8 +75,8 @@ if ($_POST['action'] == 'save') {
} else {
// first, lets make sure this emergency contact really does belong to them
foreach ($_POST['ids'] AS $id) {
$q = $pdo->prepare("SELECT * FROM emergencycontact WHERE id='$id' AND registrations_id='" . $_SESSION['registration_id'] . "' AND year='" . $config['FAIRYEAR'] . "'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM emergencycontact WHERE id=? AND registrations_id=? AND year=?");
$q->execute([$id, $_SESSION['registration_id'], $config['FAIRYEAR']]);
if ($q->rowCount() == 1) {
$e = stripslashes($_POST['email'][$id]);
if ($_POST['relation'][$id] == 'Parent' && $e && user_valid_email($e)) {
@ -127,19 +127,19 @@ if ($newstatus != 'complete') {
echo happy(i18n('Emergency Contact Information Complete'));
}
$sq = $pdo->prepare("SELECT id,firstname,lastname FROM students WHERE registrations_id='" . $_SESSION['registration_id'] . "' AND year='" . $config['FAIRYEAR'] . "'");
$sq->execute();
$sq = $pdo->prepare("SELECT id,firstname,lastname FROM students WHERE registrations_id=? AND year=?");
$sq->execute([$_SESSION['registration_id'], $config['FAIRYEAR']]);
$numstudents = $sq->rowCount();
echo "<form name=\"emergencycontactform\" method=\"post\" action=\"register_participants_emergencycontact.php\">\n";
echo "<input type=\"hidden\" name=\"action\" value=\"save\">\n";
while ($sr = $sq->fetch(PDO::FETCH_OBJ)) {
$q = $pdo->prepare("SELECT * FROM emergencycontact WHERE registrations_id='" . $_SESSION['registration_id'] . "' AND year='" . $config['FAIRYEAR'] . "' AND students_id='$sr->id'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM emergencycontact WHERE registrations_id=? AND year=? AND students_id=?");
$q->execute([$_SESSION['registration_id'], $config['FAIRYEAR'], $sr->id]);
if ($q->rowCount() == 0) {
$stmt = $pdo->prepare("INSERT INTO emergencycontact (registrations_id,students_id,year) VALUES ('" . $_SESSION['registration_id'] . "','" . $sr->id . "','" . $config['FAIRYEAR'] . "')");
$stmt->execute();
$stmt = $pdo->prepare("INSERT INTO emergencycontact (registrations_id,students_id,year) VALUES (?,?,?)");
$stmt->execute([$_SESSION['registration_id'], $sr->id, ]);
$id = $pdo->lastInsertId();
unset($r);
} else {

18
register_participants_isefforms.php
View File

@ -45,7 +45,7 @@
"AND students.registrations_id=registrations.id ".
"AND registrations.year=".$config['FAIRYEAR']." ".
"AND students.year=".$config['FAIRYEAR']);
$q->execute();
$q->execute([]);
show_pdo_errors_if_any($pdo);
if($q->rowCount()==0)
@ -73,8 +73,8 @@ show_pdo_errors_if_any($pdo);
//because it will be added below by the _FILES, and if its not added there then that means we just said yes and didnt upload anything
//so removing it makes it go all red again so you are aware
$stmt = $po->prepare("DELETE FROM TC_ProjectForms WHERE ProjectID='$r->id' AND FormID='$k' AND `year`='$CURRENT_FAIRYEAR'");
$stmt->execute();
$stmt = $po->prepare("DELETE FROM TC_ProjectForms WHERE ProjectID=? AND FormID=? AND `year`=?");
$stmt->execute([$r->id, $k, $CURRENT_FAIRYEAR]);
//just look at hte first letter, since its either "no:<id>" or "yes:<id>";
if($v[0]=="n")
{
@ -129,8 +129,8 @@ show_pdo_errors_if_any($pdo);
if($pgs) $p="'$pgs'";
else $p="null";
$stmt = $pdo->prepare("DELETE FROM TC_ProjectForms WHERE ProjectID='$r->id' AND FormID='$k' AND `year`='$CURRENT_FAIRYEAR'");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM TC_ProjectForms WHERE ProjectID=? AND FormID=? AND `year`=?");
$stmt->execute([$r->id, $k, $CURRENT_FAIRYEAR]);
$stmt = $pdo->prepare("INSERT INTO TC_ProjectForms (`FormID`,`ProjectID`,`uploaded`,`filename`,`pages`,`dt`,`year`) VALUES (
$stmt->execute();
'$k',
@ -182,13 +182,13 @@ show_pdo_errors_if_any($pdo);
if($_GET['action']=="delete" && $_GET['delete'])
{
//first we need to make sure that this is their own!
$chq=$pdo->prepare("SELECT * FROM TC_ProjectForms WHERE id='".$_GET['delete']."' AND ProjectID='$r->id' AND `year`='$CURRENT_FAIRYEAR'");
$chq->execute();
$chq=$pdo->prepare("SELECT * FROM TC_ProjectForms WHERE id=? AND ProjectID=? AND `year`=?");
$chq->execute([$_GET['delete'], $r->id, $CURRENT_FAIRYEAR]);
if($chr=$chq->fetch(PDO::FETCH_OBJ))
{
@unlink($TCFORMSLOCATION."/".$CURRENT_FAIRYEAR."/$r->id/$chr->FormID.pdf");
$stmt = $pdo->prepare("DELETE FROM TC_ProjectForms WHERE id='".$_GET['delete']."' AND ProjectID='$r->id' AND `year`='$CURRENT_FAIRYEAR'");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM TC_ProjectForms WHERE id=? AND ProjectID=? AND `year`=?");
$stmt->execute([$_GET['delete'], $r->id, $CURRENT_FAIRYEAR]);
$display_happy=i18n("Form successfully deleted");
}
else

12
register_participants_main.php
View File

@ -66,8 +66,8 @@ echo '<br />';
if (registrationFormsReceived()) {
// now select their project number
$q = $pdo->prepare("SELECT projectnumber FROM projects WHERE registrations_id='" . $_SESSION['registration_id'] . "' AND year='" . $config['FAIRYEAR'] . "'");
$q->execute();
$q = $pdo->prepare("SELECT projectnumber FROM projects WHERE registrations_id=? AND year=?");
$q->execute([$_SESSION['registration_id'], $config['FAIRYEAR']]);
$projectinfo = $q->fetch(PDO::FETCH_OBJ);
if ($r->status == 'complete') {
@ -242,8 +242,8 @@ if ($config['specialawardnomination'] != 'none') {
if ($special_awards_open == true) {
if ($config['specialawardnomination'] == 'date') {
$q = $pdo->prepare("SELECT (NOW()>'" . $config['dates']['specawardregopen'] . "' AND NOW()<'" . $config['dates']['specawardregclose'] . "') AS datecheck");
$q->execute();
$q = $pdo->prepare("SELECT (NOW()>? AND NOW()<?) AS datecheck");
$q->execute([$config['dates']['specawardregopen'], $config['dates']['specawardregclose']]);
$r = $q->fetch(PDO::FETCH_OBJ);
// this will return 1 if its between the dates, 0 otherwise.
if ($r->datecheck == 1) {
@ -259,8 +259,8 @@ if ($config['specialawardnomination'] != 'none') {
}
}
$q = $pdo->prepare("SELECT * FROM projects WHERE registrations_id='" . $_SESSION['registration_id'] . "' AND year='{$config['FAIRYEAR']}'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM projects WHERE registrations_id=? AND year=?");
$q->execute([$_SESSION['registration_id'], $config['FAIRYEAR']]);
$project = $q->fetch(PDO::FETCH_OBJ);
$nominatedawards = getSpecialAwardsNominatedForProject($project->id);
$num = count($nominatedawards);

20
register_participants_mentor.php
View File

@ -111,11 +111,11 @@ if (get_value_from_array($_GET, 'action') == 'removementor') {
echo error(i18n('Cannot make changes to forms once they have been received by the fair'));
} else {
// first make sure this is one belonging to this registration id
$q = $pdo->prepare("SELECT id FROM mentors WHERE id='" . $_GET['removementor'] . "' AND registrations_id='" . $_SESSION['registration_id'] . "'");
$q->execute();
$q = $pdo->prepare("SELECT id FROM mentors WHERE id=?' AND registrations_id=?");
$q->execute([$_GET['removementor'], $_SESSION['registration_id']]);
if ($q->rowCount() == 1) {
$stmt = $pdo->prepare("DELETE FROM mentors WHERE id='" . $_GET['removementor'] . "' AND registrations_id='" . $_SESSION['registration_id'] . "'");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM mentors WHERE id=? AND registrations_id=?");
$stmt->execute([$_GET['removementor'], $_SESSION['registration_id']]);
echo notice(i18n('Mentor successfully removed'));
} else {
echo error(i18n('Invalid mentor to remove'));
@ -125,18 +125,18 @@ if (get_value_from_array($_GET, 'action') == 'removementor') {
// now query and display
$q = $pdo->prepare("SELECT nummentors FROM registrations WHERE id='" . $_SESSION['registration_id'] . "' AND year='" . $config['FAIRYEAR'] . "'");
$q->execute();
$q = $pdo->prepare("SELECT nummentors FROM registrations WHERE id=? AND year=?");
$q->execute([$_SESSION['registration_id'], $config['FAIRYEAR']]);
$r = $q->fetch(PDO::FETCH_OBJ);
$registrations_nummentors = $r->nummentors;
$q = $pdo->prepare("SELECT * FROM mentors WHERE registrations_id='" . $_SESSION['registration_id'] . "' AND year='" . $config['FAIRYEAR'] . "'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM mentors WHERE registrations_id=? AND year=?");
$q->execute([$_SESSION['registration_id'], $config['FAIRYEAR']]);
$numfound = $q->rowCount();
if (isset($_GET['nummentors'])) {
$stmt = $pdo->prepare("UPDATE registrations SET nummentors='" . $_GET['nummentors'] . "' WHERE id='" . $_SESSION['registration_id'] . "'");
$stmt->execute();
$stmt = $pdo->prepare("UPDATE registrations SET nummentors=? WHERE id=?");
$stmt->execute([$_GET['nummentors'], $_SESSION['registration_id']]);
$registrations_nummentors = $_GET['nummentors'];
$numtoshow = $_GET['nummentors'];
} else

8
register_participants_namecheck.php
View File

@ -66,12 +66,12 @@ if ($_POST['action'] == 'save') {
$pu = ($_POST['punc'] == 'yes') ? true : false;
if ($sp && $ca && $pu) {
$q = $pdo->prepare("UPDATE students SET namecheck_complete='yes' WHERE registrations_id='{$_SESSION['registration_id']}'");
$q = $pdo->prepare("UPDATE students SET namecheck_complete='yes' WHERE registrations_id=?");
$q->execute();
$q->execute([$_SESSION['registration_id']]);
} else if ($s->namecheck_complete != 'no') {
$q = $pdo->prepare("UPDATE students SET namecheck_complete='no' WHERE registrations_id='{$_SESSION['registration_id']}'");
$q->execute();
$q = $pdo->prepare("UPDATE students SET namecheck_complete='no' WHERE registrations_id=?");
$q->execute([$_SESSION['registration_id']]);
}
}
}

32
register_participants_project.php
View File

@ -78,8 +78,8 @@ if (get_value_from_array($_POST, 'action') == 'save') {
echo error(i18n('Cannot make changes to forms after registration deadline'));
} else {
// first, lets make sure this project really does belong to them
$q = $pdo->prepare("SELECT * FROM projects WHERE id='" . $_POST['id'] . "' AND registrations_id='" . $_SESSION['registration_id'] . "' AND year='" . $config['FAIRYEAR'] . "'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM projects WHERE id=? AND registrations_id=? AND year=?");
$q->execute([$_POST['id'], $_SESSION['registration_id'], $config['FAIRYEAR']]);
if ($q->rowCount() == 1) {
$summarywords = preg_split('/[\s,]+/', $_POST['summary']);
$summarywordcount = count($summarywords);
@ -128,13 +128,13 @@ if (get_value_from_array($_POST, 'action') == 'save') {
}
// now lets find out their MAX grade, so we can pre-set the Age Category
$q = $pdo->prepare("SELECT MAX(grade) AS maxgrade FROM students WHERE registrations_id='" . $_SESSION['registration_id'] . "'");
$q->execute();
$q = $pdo->prepare("SELECT MAX(grade) AS maxgrade FROM students WHERE registrations_id=?");
$q->execute([$_SESSION['registration_id']]);
$gradeinfo = $q->fetch(PDO::FETCH_OBJ);
// now lets grab all the age categories, so we can choose one based on the max grade
$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY id");
$q->execute();
$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year=? ORDER BY id");
$q->execute([$config['FAIRYEAR']]);
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
// save these in an array, just incase we need them later (FIXME: remove this array if we dont need it)
$agecategories[$r->id]['category'] = $r->category;
@ -146,24 +146,24 @@ while ($r = $q->fetch(PDO::FETCH_OBJ)) {
}
}
// now select their project info
$q = $pdo->prepare("SELECT * FROM projects WHERE registrations_id='" . $_SESSION['registration_id'] . "' AND year='" . $config['FAIRYEAR'] . "'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM projects WHERE registrations_id=? AND year=?");
$q->execute([$_SESSION['registration_id'], $config['FAIRYEAR']]);
// check if it exists, if we didnt find any record, lets insert one
if ($q->rowCount() == 0) {
$stmt = $pdo->prepare("INSERT INTO projects (registrations_id,projectcategories_id,year) VALUES ('" . $_SESSION['registration_id'] . "','$projectcategories_id','" . $config['FAIRYEAR'] . "')");
$stmt->execute();
// now query the one we just inserted
$q = $pdo->prepare("SELECT * FROM projects WHERE registrations_id='" . $_SESSION['registration_id'] . "' AND year='" . $config['FAIRYEAR'] . "'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM projects WHERE registrations_id=? AND year=?");
$q->execute([$_SESSION['registration_id'], $config['FAIRYEAR']]);
}
$projectinfo = $q->fetch(PDO::FETCH_OBJ);
// make sure that if they changed their grade on the student page, we update their projectcategories_id accordingly
if ($projectcategories_id && $projectinfo->projectcategories_id != $projectcategories_id) {
echo notice(i18n('Age category changed, updating to %1', array($agecategories[$projectcategories_id]['category'])));
$stmt = $pdo->prepare("UPDATE projects SET projectcategories_id='$projectcategories_id' WHERE id='$projectinfo->id'");
$stmt->execute();
$stmt = $pdo->prepare("UPDATE projects SET projectcategories_id=? WHERE id=?");
$stmt->execute([$projectcategories_id, $projectinfo->id]);
}
// output the current status
@ -219,12 +219,12 @@ echo '<tr><td>' . i18n('Division') . ': </td><td>';
// ###### Feature Specific - filtering divisions by category
if ($config['filterdivisionbycategory'] == 'yes') {
$q = $pdo->prepare('SELECT projectdivisions.* FROM projectdivisions,projectcategoriesdivisions_link WHERE projectdivisions.id=projectdivisions_id AND projectcategories_id=' . $projectcategories_id . " AND projectdivisions.year='" . $config['FAIRYEAR'] . "' AND projectcategoriesdivisions_link.year='" . $config['FAIRYEAR'] . "' ORDER BY division");
$q->execute();
$q = $pdo->prepare('SELECT projectdivisions.* FROM projectdivisions,projectcategoriesdivisions_link WHERE projectdivisions.id=projectdivisions_id AND projectcategories_id=' . $projectcategories_id . " AND projectdivisions.year=? AND projectcategoriesdivisions_link.year=? ORDER BY division");
$q->execute([$config['FAIRYEAR'],$config['FAIRYEAR']]);
show_pdo_errors_if_any($pdo);
} else
$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY division");
$q->execute();
$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year=? ORDER BY division");
$q->execute([$config['FAIRYEAR']]);
echo '<select name="projectdivisions_id">';
echo '<option value="">' . i18n('Select a division') . "</option>\n";
while ($r = $q->fetch(PDO::FETCH_OBJ)) {

8
register_participants_project_divisionselector.php
View File

@ -73,8 +73,8 @@ if ($_GET['division']) {
opener.document.forms.projectform.projectdivisions_id.selectedIndex=<?= $_GET['division'] ?>
</script>
<?
$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE id='" . $_GET['division'] . "'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE id=?");
$q->execute([$_GET['division']]);
$r = $q->fetch(PDO::FETCH_OBJ);
echo '<h2>' . i18n($r->division) . "</h2>\n";
echo '<a href="' . $_SERVER['PHP_SELF'] . '">' . i18n('Restart division selector') . '</a>';
@ -86,8 +86,8 @@ if ($_GET['division']) {
$id = 1;
else
$id = $_GET['id'];
$q = $pdo->prepare("SELECT * FROM projectdivisionsselector WHERE id='$id'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM projectdivisionsselector WHERE id=?");
$q->execute([$id]);
$r = $q->fetch(PDO::FETCH_OBJ);
echo i18n($r->question);
echo '<br />';

14
register_participants_safety.php
View File

@ -68,13 +68,13 @@ if (get_value_from_array($_POST, 'action') == 'save') {
echo error(i18n('Cannot make changes to forms after registration deadline'));
} else {
// first we will delete all their old answer, its easier to delete and re-insert in this case then it would be to find the corresponding answers and update them
$stmt = $pdo->prepare("DELETE FROM safety WHERE registrations_id='" . $_SESSION['registration_id'] . "' AND year='" . $config['FAIRYEAR'] . "'");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM safety WHERE registrations_id=? AND year=?");
$stmt->execute([$_SESSION['registration_id'], $config['FAIRYEAR']]);
if (is_array($_POST['safety'])) {
$safetyids = array_keys($_POST['safety']);
foreach ($safetyids AS $key => $val) {
$stmt = $pdo->prepare('INSERT INTO safety (registrations_id,safetyquestions_id,year,answer) VALUES (' . $pdo->quote($_SESSION['registration_id']) . ', ' . $pdo->quote($val) . ', ' . $pdo->quote($config['FAIRYEAR']) . ', ' . $pdo->quote(stripslashes($_POST['safety'][$val]))) . ')';
$stmt->execute();
$stmt->execute([]);
show_pdo_errors_if_any($pdo);
}
}
@ -89,14 +89,14 @@ if ($newstatus != 'complete') {
echo happy(i18n('Safety Information Complete'));
}
$q = $pdo->prepare("SELECT * FROM safety WHERE registrations_id='" . $_SESSION['registration_id'] . "'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM safety WHERE registrations_id=?");
$q->execute([$_SESSION['registration_id']]);
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
$safetyanswers[$r->safetyquestions_id] = $r->answer;
}
$q = $pdo->prepare("SELECT * FROM safetyquestions WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY ord");
$q->execute();
$q = $pdo->prepare("SELECT * FROM safetyquestions WHERE year=? ORDER BY ord");
$q->execute([$config['FAIRYEAR']]);
if ($q->rowCount()) {
echo i18n('Please agree to / answer the following safety questions by checking the box next to the question, or choosing the appropriate answer');
echo '<br />';

8
register_participants_signature.php
View File

@ -114,8 +114,8 @@ if ($_GET['sample']) {
$q->execute();
$projectinfo = $q->fetch(PDO::FETCH_OBJ);
$q = $pdo->prepare("SELECT * FROM students WHERE registrations_id='" . $_SESSION['registration_id'] . "' AND year='" . $config['FAIRYEAR'] . "'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM students WHERE registrations_id=? AND year=?");
$q->execute([$_SESSION['registration_id'], $config['FAIRYEAR']]);
while ($si = $q->fetch(PDO::FETCH_OBJ))
$studentinfoarray[] = $si;
}
@ -136,8 +136,8 @@ $pdf->addTextX("Exhibitor$plural: ", 0.75);
foreach ($studentinfoarray AS $studentinfo) {
if (!$_GET['sample']) {
$qq = $pdo->prepare("SELECT school FROM schools WHERE id={$studentinfo->schools_id}");
$qq->execute();
$qq = $pdo->prepare("SELECT school FROM schools WHERE id=?");
$qq->execute([$studentinfo->schools_id]);
$rr = $qq->fetch(PDO::FETCH_OBJ);
}

8
register_participants_signature_tcpdf.php
View File

@ -99,8 +99,8 @@ if ($_GET['sample']) {
$q->execute();
$projectinfo = $q->fetch(PDO::FETCH_OBJ);
$q = $pdo->prepare("SELECT * FROM students WHERE registrations_id='" . $_SESSION['registration_id'] . "' AND year='" . $config['FAIRYEAR'] . "'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM students WHERE registrations_id=? AND year=?");
$q->execute([$_SESSION['registration_id'], $config['FAIRYEAR']]);
while ($si = $q->fetch(PDO::FETCH_OBJ))
$studentinfoarray[] = $si;
}
@ -116,8 +116,8 @@ $pdf->WriteHTML('<h3>' . i18n('Registration Summary') . '</h3>
$students = '';
foreach ($studentinfoarray AS $studentinfo) {
if (!$_GET['sample']) {
$qq = $pdo->prepare("SELECT school FROM schools WHERE id={$studentinfo->schools_id}");
$qq->execute();
$qq = $pdo->prepare("SELECT school FROM schools WHERE id=?");
$qq->execute([$studentinfo->schools_id]);
$rr = $qq->fetch(PDO::FETCH_OBJ);
}
if ($students != '')

12
register_participants_spawards.php
View File

@ -55,8 +55,8 @@ if ($q->rowCount() == 0) {
}
$authinfo = $q->fetch(PDO::FETCH_OBJ);
$q = $pdo->prepare("SELECT * FROM projects WHERE registrations_id='" . $_SESSION['registration_id'] . "'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM projects WHERE registrations_id=?");
$q->execute([$_SESSION['registration_id']]);
$project = $q->fetch(PDO::FETCH_OBJ);
// send the header
@ -91,8 +91,8 @@ echo '<br />';
if ($config['specialawardnomination'] == 'date') {
echo notice(i18n('Special award self-nomination is only available from %1 to %2. Please make sure you complete your nominations between these dates.', array($config['dates']['specawardregopen'], $config['dates']['specawardregclose'])));
$q = $pdo->prepare("SELECT (NOW()>'" . $config['dates']['specawardregopen'] . "' AND NOW()<'" . $config['dates']['specawardregclose'] . "') AS datecheck");
$q->execute();
$q = $pdo->prepare("SELECT (NOW()>? AND NOW()<?) AS datecheck");
$q->execute([$config['dates']['specawardregopen'],$config['dates']['specawardregclose']]);
$r = $q->fetch(PDO::FETCH_OBJ);
// this will return 1 if its between the dates, 0 otherwise.
if ($r->datecheck == 1)
@ -123,8 +123,8 @@ if ($_POST['action'] == 'save') {
if ($num > $config['maxspecialawardsperproject']) {
echo error(i18n('You can only apply to %1 special awards. You have selected %2', array($config['maxspecialawardsperproject'], $num)));
} else {
$stmt = $pdo->prepare("DELETE FROM project_specialawards_link WHERE projects_id='$project->id' AND year='" . $config['FAIRYEAR'] . "'");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM project_specialawards_link WHERE projects_id=? AND year=?");
$stmt->execute([$project->id, $config['FAIRYEAR']]);
foreach ($splist AS $spaward) {
$s = ($spaward == -1) ? 'NULL' : "'$spaward'";
$stmt = $pdo->prepare('INSERT INTO project_specialawards_link (award_awards_id,projects_id,year) VALUES ('

54
register_participants_students.php
View File

@ -63,8 +63,8 @@ echo '<br />';
$regfee_items = array();
$items_q = $pdo->prepare("SELECT * FROM regfee_items
\t\t\t\tWHERE year='{$config['FAIRYEAR']}'");
$items_q->execute();
\t\t\t\tWHERE year=?");
$items_q->execute([$config['FAIRYEAR']]);
while ($items_i = $items_q->fetch(PDO::FETCH_ASSOC)) {
$regfee_items[] = $items_i;
}
@ -82,8 +82,8 @@ if (get_value_from_array($_POST, 'action') == 'save') {
if ($students_id == 0) {
// if they use schoolpassword or singlepassword, then we need to set the school based on the school stored in the registration record. for anything else they can school the school on their own.
if ($config['participant_registration_type'] == 'schoolpassword' || $config['participant_registration_type'] == 'invite') {
$q = $pdo->prepare("SELECT schools_id FROM registrations WHERE id='" . $_SESSION['registration_id'] . "' AND YEAR='" . $config['FAIRYEAR'] . "'");
$q->execute();
$q = $pdo->prepare("SELECT schools_id FROM registrations WHERE id=? AND YEAR=?");
$q->execute([$_SESSION['registration_id'], $config['FAIRYEAR']]);
$r = $q->fetch(PDO::FETCH_OBJ);
$schools_id = $r->schools_id;
@ -153,14 +153,14 @@ if (get_value_from_array($_POST, 'action') == 'save') {
}
/* Update the regfee items link */
if ($config['participant_regfee_items_enable'] == 'yes') {
$stmt = $pdo->prepare("DELETE FROM regfee_items_link WHERE students_id='$students_id'");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM regfee_items_link WHERE students_id=?");
$stmt->execute([$students_id]);
if (is_array($_POST['regfee_item'][$x])) {
foreach ($_POST['regfee_item'][$x] as $id => $enabled) {
$stmt = $pdo->prepare("INSERT INTO regfee_items_link(`students_id`,`regfee_items_id`)
VALUES ('$students_id','$id') ");
$stmt->execute();
VALUES (?,?) ");
$stmt->execute([$students_id,$id]);
}
}
}
@ -175,21 +175,21 @@ if (get_value_from_array($_GET, 'action') == 'removestudent') {
} else {
$students_id = intval($_GET['removestudent']);
// first make sure this is one belonging to this registration id
$q = $pdo->prepare("SELECT id FROM students WHERE id='$students_id' AND registrations_id='" . $_SESSION['registration_id'] . "'");
$q->execute();
$q = $pdo->prepare("SELECT id FROM students WHERE id=? AND registrations_id=/");
$q->execute([$students_id, $_SESSION['registration_id']]);
if ($q->rowCount() == 1) {
$stmt = $pdo->prepare("DELETE FROM students WHERE id='$students_id' AND registrations_id='" . $_SESSION['registration_id'] . "'");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM students WHERE id=? AND registrations_id=?");
$stmt->execute([$students_id, $_SESSION['registration_id']]);
// now see if they have an emergency contact that also needs to be removed
$q = $pdo->prepare("SELECT id FROM emergencycontact WHERE students_id='$students_id' AND registrations_id='" . $_SESSION['registration_id'] . "' AND year='" . $config['FAIRYEAR'] . "'");
$q->execute();
$q = $pdo->prepare("SELECT id FROM emergencycontact WHERE students_id=? AND registrations_id=? AND year=?");
$q->execute([$students_id, $_SESSION['registration_id'], $config['FAIRYEAR']]);
// no need to error message if this doesnt exist
if ($q->rowCount() == 1)
$stmt = $pdo->prepare("DELETE FROM emergencycontact WHERE students_id='$students_id' AND registrations_id='" . $_SESSION['registration_id'] . "' AND year='" . $config['FAIRYEAR'] . "'");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM regfee_items_link WHERE students_id='$students_id'");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM emergencycontact WHERE students_id=? AND registrations_id=? AND year=?");
$stmt->execute([$students_id, $_SESSION['registration_id'], $config['FAIRYEAR']]);
$stmt = $pdo->prepare("DELETE FROM regfee_items_link WHERE students_id=?");
$stmt->execute([$students_id]);
echo notice(i18n('Student successfully removed'));
} else {
echo error(i18n('Invalid student to remove'));
@ -207,14 +207,14 @@ if ($newstatus != 'complete') {
// now query and display
$q = $pdo->prepare("SELECT * FROM students WHERE registrations_id='" . $_SESSION['registration_id'] . "' AND year='" . $config['FAIRYEAR'] . "'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM students WHERE registrations_id=? AND year=?");
$q->execute([$_SESSION['registration_id'], $config['FAIRYEAR']]);
if ($q->rowCount() == 0) {
// uhh oh, we didnt find any, this isnt possible! lets insert one using the logged in persons email address
// although... this can never really happen, since the above queries only allow the page to view if the student
// is found in the students table... soo... well, lets leave it here as a fallback anyways, just incase
$stmt = $pdo->prepare("INSERT INTO students (registrations_id,email,year) VALUES ('" . $_SESSION['registration_id'] . "','" . $_SESSION['email'] . "','" . $config['FAIRYEAR'] . "')");
$stmt->execute();
$stmt = $pdo->prepare("INSERT INTO students (registrations_id,email,year) VALUES (?,?,?)");
$stmt->execute([$_SESSION['registration_id'], $_SESSION['email'],$config['FAIRYEAR']]);
// if we just inserted it, then we will obviously find 1
$numfound = 1;
} else {
@ -438,7 +438,7 @@ for ($x = 1; $x <= $numtoshow; $x++) {
echo ' <td>' . i18n('School') . '</td><td colspan="3">';
if ($config['participant_registration_type'] == 'open' || $config['participant_registration_type'] == 'singlepassword' || $config['participant_registration_type'] == 'openorinvite' || ($studentinfo && !$studentinfo->schools_id)) {
$schoolq = $pdo->prepare("SELECT id,school,city FROM schools WHERE year='" . $config['FAIRYEAR'] . "' ORDER by city,school");
$schoolq->execute();
$schoolq->execute([]);
echo "<select name=\"schools_id[$x]\">\n";
echo '<option value="">' . i18n('Choose School') . "</option>\n";
while ($r = $schoolq->fetch(PDO::FETCH_OBJ)) {
@ -450,8 +450,8 @@ for ($x = 1; $x <= $numtoshow; $x++) {
}
echo '</select>' . REQUIREDFIELD;
} else {
$schoolq = $pdo->prepare("SELECT id,school FROM schools WHERE year='" . $config['FAIRYEAR'] . "' AND id='$studentinfo->schools_id'");
$schoolq->execute();
$schoolq = $pdo->prepare("SELECT id,school FROM schools WHERE year=? AND id=?");
$schoolq->execute([$config['FAIRYEAR'], $studentinfo->schools_id]);
$r = $schoolq->fetch(PDO::FETCH_OBJ);
echo $r->school;
}
@ -466,8 +466,8 @@ for ($x = 1; $x <= $numtoshow; $x++) {
if ($config['participant_regfee_items_enable'] == 'yes') {
$sel_q = $pdo->prepare("SELECT * FROM regfee_items_link
WHERE students_id=$id");
$sel_q->execute();
WHERE students_id=?");
$sel_q->execute([$id]);
$sel = array();
while ($info_q = $sel_q->fetch(PDO::FETCH_ASSOC)) {
$sel[$info_q['regfee_items_id']] = $info_q['id'];

18
register_participants_tours.php
View File

@ -71,10 +71,10 @@ if ($_POST['action'] == 'save') {
} else {
// first we will delete all their old answer, its easier to delete and re-insert in this case then it would be to find the corresponding answers and update them
$stmt = $pdo->prepare("DELETE FROM tours_choice
WHERE registrations_id='{$_SESSION['registration_id']}'
AND year='{$config['FAIRYEAR']}'
WHERE registrations_id=?
AND year=?
AND rank!='0'");
$stmt->execute();
$stmt->execute([$_SESSION['registration_id'],$config['FAIRYEAR']]);
if (is_array($_POST['toursel'])) {
foreach ($_POST['toursel'] AS $students_id => $ts) {
$selarray = array();
@ -131,8 +131,8 @@ if ($newstatus != 'complete') {
}
$assigned_tour = array();
$q = $pdo->prepare("SELECT * FROM tours_choice WHERE registrations_id='" . $_SESSION['registration_id'] . "' AND year='" . $config['FAIRYEAR'] . "'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM tours_choice WHERE registrations_id=? AND year=?");
$q->execute([$_SESSION['registration_id'],$config['FAIRYEAR']]);
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
if ($r->rank == 0)
$assigned_tour[$r->students_id] = $r->tour_id;
@ -140,8 +140,8 @@ while ($r = $q->fetch(PDO::FETCH_OBJ)) {
}
$tours = array();
$q = $pdo->prepare("SELECT * FROM tours WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY id");
$q->execute();
$q = $pdo->prepare("SELECT * FROM tours WHERE year=? ORDER BY id");
$q->execute([$config['FAIRYEAR']]);
if ($q->rowCount() == 0) {
echo notice(i18n('There is not tour information'));
send_footer();
@ -163,8 +163,8 @@ $max = $config['tours_choices_max'];
echo "<form method=\"post\" action=\"register_participants_tours.php\">\n";
echo "<input type=\"hidden\" name=\"action\" value=\"save\">\n";
$q = $pdo->prepare("SELECT * FROM students WHERE registrations_id='" . $_SESSION['registration_id'] . "' AND year='" . $config['FAIRYEAR'] . "'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM students WHERE registrations_id=? AND year=?");
$q->execute([$_SESSION['registration_id'],$config['FAIRYEAR']]);
$num_found = $q->rowCount();
$print_submit = false;

108
remote.php
View File

@ -39,9 +39,9 @@ function handle_getstats(&$u, $fair, &$data, &$response)
$response['statconfig'] = explode(',', $fair['gather_stats']);
/* Send back the stats we currently have */
$q = $pdo->prepare("SELECT * FROM fairs_stats WHERE fairs_id='{$u['fairs_id']}'
AND year='$year'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM fairs_stats WHERE fairs_id=?
AND year=?");
$q->execute([$u['fairs_id'],$year]);
$response['stats'] = $q->fetch(PDO::FETCH_ASSOC);
unset($response['stats']['id']);
$response['error'] = 0;
@ -59,12 +59,12 @@ function handle_stats(&$u, $fair, &$data, &$response)
// $str = join(',',$stats);
$keys = '`fairs_id`,`' . join('`,`', array_keys($stats)) . '`';
$vals = "'{$u['fairs_id']}','" . join("','", array_values($stats)) . "'";
$stmt = $pdo->prepare("DELETE FROM fairs_stats WHERE fairs_id='{$u['fairs_id']}'
AND year='{$stats['year']}'");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM fairs_stats WHERE fairs_id=?
AND year=?");
$stmt->execute([$u['fairs_id'],$stats['year']]);
show_pdo_errors_if_any($pdo);
$stmt = $pdo->prepare("INSERT INTO fairs_stats (`id`,$keys) VALUES ('',$vals)");
$stmt->execute();
$stmt = $pdo->prepare("INSERT INTO fairs_stats (`id`,?) VALUES ('',?)");
$stmt->execute([$keys,$vals]);
show_pdo_errors_if_any($pdo);
$response['message'] = 'Stats saved';
@ -80,8 +80,8 @@ function handle_getawards(&$u, $fair, &$data, &$response)
$ids = array();
/* Load a list of awards linked to the fair id */
$q = $pdo->prepare("SELECT * FROM fairs_awards_link WHERE fairs_id='{$fair['id']}'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM fairs_awards_link WHERE fairs_id=?");
$q->execute([$fair['id']]);
while ($r = $q->fetch(PDO::FETCH_ASSOC)) {
$aaid = $r['award_awards_id'];
if ($r['download_award'] == 'yes')
@ -91,8 +91,8 @@ function handle_getawards(&$u, $fair, &$data, &$response)
/* Load the awards this fair is allowed to download */
$where = "(id='" . join("' OR id='", $ids) . "')";
$q = $pdo->prepare("SELECT * FROM award_awards WHERE $where AND year='$year'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM award_awards WHERE ? AND year=?");
$q->execute([$where, $year]);
while ($a = $q->fetch(PDO::FETCH_ASSOC)) {
$award = array();
@ -107,8 +107,8 @@ function handle_getawards(&$u, $fair, &$data, &$response)
$award['schedule_judges'] = $a['schedule_judges'];
if ($a['sponsors_id']) {
$sq = $pdo->prepare("SELECT * FROM sponsors WHERE id='{$a['sponsors_id']}'");
$sq->execute();
$sq = $pdo->prepare("SELECT * FROM sponsors WHERE id=?");
$sq->execute([$a['sponsors_id']]);
if ($sq->rowCount()) {
$s = $sq->fetch(PDO::FETCH_ASSOC);
$award['sponsor'] = $s['organization'];
@ -116,8 +116,8 @@ function handle_getawards(&$u, $fair, &$data, &$response)
}
$award['prizes'] = array();
$pq = $pdo->prepare("SELECT * FROM award_prizes WHERE award_awards_id='{$a['id']}'");
$pq->execute();
$pq = $pdo->prepare("SELECT * FROM award_prizes WHERE award_awards_id=?");
$pq->execute([$a['id']]);
while ($p = $pq->fetch(PDO::FETCH_ASSOC)) {
/* Map array keys -> local database field */
$map = array('cash' => 'cash', 'scholarship' => 'scholarship',
@ -176,8 +176,8 @@ function award_upload_update_school(&$mysql_query, &$school, $school_id = -1)
$set .= ',';
$set .= "`$m`='" . $school[$t] . "'";
}
$stmt = $pdo->prepare("UPDATE schools SET $set WHERE id='$sid'");
$stmt->execute();
$stmt = $pdo->prepare("UPDATE schools SET ? WHERE id=?");
$stmt->execute([$set,$sid]);
return $sid;
}
@ -192,33 +192,33 @@ function award_upload_school(&$student, &$school, $year, &$response)
$student_city = $student['city'];
/* Find school by matching name, city, phone, year */
$q = $pdo->prepare("SELECT * FROM schools WHERE school='$school_name' AND city='$school_city' AND phone='$school_phone' AND year='$year'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM schools WHERE school=? AND city=? AND phone=? AND year=?");
$q->execute([$school_name,$school_city,$school_phone,$year]);
if ($q->rowCount() == 1)
return award_upload_update_school($q, $school);
/* Find school by matching name, city, address, year */
$q = $pdo->prepare("SELECT * FROM schools WHERE school='$school_name' AND city='$school_city' AND address='$school_addr' AND year='$year'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM schools WHERE school=? AND city=? AND address=? AND year=?");
$q->execute([$school_name,$school_city,$school_addr,$year]);
if ($q->rowCount() == 1)
return award_upload_update_school($q, $school);
/* Find school by matching name, city, year */
$q = $pdo->prepare("SELECT * FROM schools WHERE school='$school_name' AND city='$school_city' AND year='$year'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM schools WHERE school=? AND city=? AND year=?");
$q->execute([$school_name,$school_city,$year]);
if ($q->rowCount() == 1)
return award_upload_update_school($q, $school);
/* Find school by matching name, student city, year */
$q = $pdo->prepare("SELECT * FROM schools WHERE school='$school_name' AND city='$student_city' AND year='$year'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM schools WHERE school=? AND city=? AND year=?");
$q->execute([$school_name,$student_city,$year]);
if ($q->rowCount() == 1)
return award_upload_update_school($q, $school);
$response['notice'][] = " - Creating new school: $school_name";
/* No? ok, make a new school */
$stmt = $pdo->prepare("INSERT INTO schools(`school`,`year`) VALUES ('" . $school['schoolname'] . "','$year')");
$stmt->execute();
$stmt = $pdo->prepare("INSERT INTO schools(`school`,`year`) VALUES (?,?)");
$stmt->execute([$school['schoolname'], $year]);
$school_id = $pdo->lastInsertId();
return award_upload_update_school($q, $school, $school_id);
}
@ -251,8 +251,8 @@ function award_upload_assign(&$fair, &$award, &$prize, &$project, $year, &$respo
/* See if this project already exists */
$pn = $project['projectnumber'];
$q = $pdo->prepare("SELECT * FROM projects WHERE projectnumber='$pn' AND fairs_id='{$fair['id']}' AND year='$year'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM projects WHERE projectnumber=? AND fairs_id=? AND year=?");
$q->execute([$pn,$fair['id'],$year]);
show_pdo_errors_if_any($pdo);
if ($q->rowCount() == 1) {
$our_project = $q->fetch(PDO::FETCH_ASSOC);
@ -268,8 +268,8 @@ function award_upload_assign(&$fair, &$award, &$prize, &$project, $year, &$respo
// random number between
// 100000 and 999999 (six digit integer)
$regnum = rand(100000, 999999);
$q = $pdo->prepare("SELECT * FROM registrations WHERE num='$regnum' AND year=$year");
$q->execute();
$q = $pdo->prepare("SELECT * FROM registrations WHERE num=? AND year=?");
$q->execute([$regnum,$year]);
show_pdo_errors_if_any($pdo);
} while ($q->rowCount() > 0);
@ -290,8 +290,8 @@ function award_upload_assign(&$fair, &$award, &$prize, &$project, $year, &$respo
$reg_email_needs_update = true;
$new_reg = true;
}
$q = $pdo->prepare("SELECT * FROM registrations WHERE id='$registrations_id'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM registrations WHERE id=?");
$q->execute([$registrations_id]);
$registration = $q->fetch(PDO::FETCH_ASSOC);
/* Update the project in case anythign changed */
@ -307,8 +307,8 @@ function award_upload_assign(&$fair, &$award, &$prize, &$project, $year, &$respo
VALUES('{$prize['id']}','$pid','$year','{$fair['id']}')");
$stmt->execute();
/* Delete the students attached to this project */
$stmt = $pdo->prepare("DELETE FROM students WHERE registrations_id='$registrations_id'");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM students WHERE registrations_id=?");
$stmt->execute([$registrations_id]);
/* Add new */
foreach ($project['students'] as &$student) {
@ -327,9 +327,9 @@ function award_upload_assign(&$fair, &$award, &$prize, &$project, $year, &$respo
/* Update the registration email */
if ($reg_email_needs_update) {
$stmt = $pdo->prepare("UPDATE registrations SET email='" . $student['email'] . "'
WHERE id='$registrations_id'");
$stmt->execute();
$stmt = $pdo->prepare("UPDATE registrations SET email=?
WHERE id=?");
$stmt->execute([$student['email'],$registrations_id]);
$reg_email_needs_update = false;
}
@ -350,8 +350,8 @@ function award_upload_assign(&$fair, &$award, &$prize, &$project, $year, &$respo
* or antyhing, we probably want to include it in reports, so set
* it to complete
*/
$stmt = $pdo->prepare("UPDATE registrations SET status='complete' WHERE id='$registrations_id'");
$stmt->execute();
$stmt = $pdo->prepare("UPDATE registrations SET status='complete' WHERE id=?");
$stmt->execute([$registrations_id]);
}
}
@ -374,8 +374,8 @@ function handle_awards_upload(&$u, &$fair, &$data, &$response)
/* Find the award */
$eid = $external_identifier;
$q = $pdo->prepare("SELECT * FROM award_awards WHERE external_identifier='$eid' AND year='$year'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM award_awards WHERE external_identifier=? AND year=?");
$q->execute([$eid,$year]);
if ($q->rowCount() != 1) {
$response['message'] = "Unknown award identifier '$eid' for year $year";
$response['error'] = 1;
@ -391,16 +391,16 @@ function handle_awards_upload(&$u, &$fair, &$data, &$response)
* check the year as long as we query by aaid
*/
$prizes = array();
$q = $pdo->prepare("SELECT * FROM award_prizes WHERE award_awards_id='$aaid'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM award_prizes WHERE award_awards_id=?");
$q->execute([$aaid]);
while ($prize = $q->fetch(PDO::FETCH_ASSOC)) {
$response['notice'][] = " - Prize: {$prize['prize']}";
/* Clean out existing winners for this prize */
$stmt = $pdo->prepare("DELETE FROM winners WHERE
award_prize_id='{$prize['id']}'
AND fairs_id='{$fair['id']}'");
$stmt->execute();
award_prize_id=?
AND fairs_id=?");
$stmt->execute([$prize['id'],$fair['id']]);
/* Assign projects to this prize */
$ul_p = &$award_data['prizes'][$prize['prize']];
@ -421,8 +421,8 @@ function handle_get_categories(&$u, &$fair, &$data, &$response)
global $pdo;
$year = intval($data['get_categories']['year']);
$cat = array();
$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year='$year' ORDER BY id");
$q->execute();
$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year=? ORDER BY id");
$q->execute([$year]);
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
$cat[$r->id] = array('id' => $r->id,
'category' => $r->category,
@ -438,8 +438,8 @@ function handle_get_divisions(&$u, &$fair, &$data, &$response)
global $pdo;
$year = intval($data['get_divisions']['year']);
$div = array();
$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year='$year' ORDER BY id");
$q->execute();
$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year=? ORDER BY id");
$q->execute([$year]);
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
$div[$r->id] = array('id' => $r->id,
'division' => $r->division);
@ -455,8 +455,8 @@ function handle_award_additional_materials(&$u, &$fair, &$data, &$response)
$external_identifier = $data['award_additional_materials']['identifier'];
$eid = $external_identifier;
$q = $pdo->prepare("SELECT * FROM award_awards WHERE external_identifier='$eid' AND year='$year'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM award_awards WHERE external_identifier=? AND year=?");
$q->execute([$eid,$year]);
if ($q->rowCount() != 1) {
$response['message'] = "Unknown award identifier '$eid'";
$response['error'] = 1;

20
schoolaccess.php
View File

@ -8,13 +8,13 @@ $happymsg = null;
$errormsg = null;
if (get_value_from_array($_POST, 'schoolid') && get_value_from_array($_POST, 'accesscode')) {
$q = $pdo->prepare("SELECT * FROM schools WHERE id='" . $_POST['schoolid'] . "' AND accesscode='" . $_POST['accesscode'] . "' AND year='" . $config['FAIRYEAR'] . "'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM schools WHERE id=? AND accesscode=? AND year=?");
$q->execute([$_POST['schoolid'], $_POST['accesscode'], $config['FAIRYEAR']]);
if ($q->rowCount() == 1) {
$_SESSION['schoolid'] = $_POST['schoolid'];
$_SESSION['schoolaccesscode'] = $_POST['accesscode'];
$stmt = $pdo->prepare("UPDATE schools SET lastlogin=NOW() WHERE id='" . $_POST['schoolid'] . "'");
$stmt->execute();
$stmt = $pdo->prepare("UPDATE schools SET lastlogin=NOW() WHERE id=?");
$stmt->execute([$_POST['schoolid']]);
} else
$errormsg = 'Invalid School ID or Access Code';
}
@ -27,8 +27,8 @@ if (get_value_from_array($_GET, 'action') == 'logout') {
send_header('School Access');
if (get_value_from_array($_SESSION, 'schoolid') && $_SESSION['schoolaccesscode']) {
$q = $pdo->prepare("SELECT * FROM schools WHERE id='" . $_SESSION['schoolid'] . "' AND accesscode='" . $_SESSION['schoolaccesscode'] . "' AND year='" . $config['FAIRYEAR'] . "'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM schools WHERE id=? AND accesscode=? AND year=?");
$q->execute([$_SESSION['schoolid'], $_SESSION['schoolaccesscode'], $config['FAIRYEAR']]);
show_pdo_errors_if_any($pdo);
$school = $q->fetch(PDO::FETCH_OBJ);
if ($school) {
@ -86,8 +86,8 @@ if (get_value_from_array($_SESSION, 'schoolid') && $_SESSION['schoolaccesscode']
echo happy(i18n('School information successfully updated'));
// and reselect it
$q = $pdo->prepare("SELECT * FROM schools WHERE id='" . $_SESSION['schoolid'] . "' AND accesscode='" . $_SESSION['schoolaccesscode'] . "' AND year='" . $config['FAIRYEAR'] . "'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM schools WHERE id=? AND accesscode=? AND year=?");
$q->execute([$_SESSION['schoolid'], $_SESSION['schoolaccesscode'], $config['FAIRYEAR']]);
show_pdo_errors_if_any($pdo);
$school = $q->fetch(PDO::FETCH_OBJ);
}
@ -220,8 +220,8 @@ if (get_value_from_array($_SESSION, 'schoolid') && $_SESSION['schoolaccesscode']
<select name="schoolid">
<option value=""><?= i18n('Choose your school') ?></option>
<?
$q = $pdo->prepare("SELECT id,school,city FROM schools WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY school");
$q->execute();
$q = $pdo->prepare("SELECT id,school,city FROM schools WHERE year=? ORDER BY school");
$q->execute([$config['FAIRYEAR']]);
$prev = 'somethingthatdoesnotexist';
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
if ($r->school == $prev)

48
schoolinvite.php
View File

@ -8,8 +8,8 @@ if ($_SESSION['schoolid'] && $_SESSION['schoolaccesscode']) {
echo '<a href="schoolaccess.php">&lt;&lt; ' . i18n('Return to school access main page') . '</a><br />';
echo '<br />';
$q = $pdo->prepare("SELECT * FROM schools WHERE id='" . $_SESSION['schoolid'] . "' AND accesscode='" . $_SESSION['schoolaccesscode'] . "' AND year='" . $config['FAIRYEAR'] . "'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM schools WHERE id=? AND accesscode=? AND year=?");
$q->execute([$_SESSION['schoolid'], $_SESSION['schoolaccesscode'], $config['FAIRYEAR']]);
show_pdo_errors_if_any($pdo);
$school = $q->fetch(PDO::FETCH_OBJ);
if ($school) {
@ -17,8 +17,8 @@ if ($_SESSION['schoolid'] && $_SESSION['schoolaccesscode']) {
if ($_POST['action'] == 'invite') {
if ($_POST['firstname'] && $_POST['lastname'] && $_POST['email'] && $_POST['grade']) {
// make sure they arent already invited!
$q = $pdo->prepare("SELECT firstname, lastname FROM students WHERE year='" . $config['FAIRYEAR'] . "' AND email='" . $_POST['email'] . "'");
$q->execute();
$q = $pdo->prepare("SELECT firstname, lastname FROM students WHERE year=? AND email=?");
$q->execute([$config['FAIRYEAR'], $_POST['email']]);
if ($q->rowCount()) {
echo error(i18n('That students email address has already been invited'));
} else {
@ -28,8 +28,8 @@ if ($_SESSION['schoolid'] && $_SESSION['schoolaccesscode']) {
// random number between
// 100000 and 999999 (six digit integer)
$regnum = rand(100000, 999999);
$q = $pdo->prepare("SELECT * FROM registrations WHERE num='$regnum' AND year=" . $config['FAIRYEAR']);
$q->execute();
$q = $pdo->prepare("SELECT * FROM registrations WHERE num? AND year=?");
$q->execute([$regnum, $config['FAIRYEAR']]);
} while ($q->rowCount() > 0);
// actually insert it
@ -65,25 +65,25 @@ if ($_SESSION['schoolid'] && $_SESSION['schoolaccesscode']) {
if ($_GET['action'] == 'uninvite') {
// first, make sure that this is really their student, and it sfor this year.
$q = $pdo->prepare("SELECT * FROM students WHERE id='" . $_GET['uninvite'] . "' AND year='" . $config['FAIRYEAR'] . "' AND schools_id='" . $_SESSION['schoolid'] . "'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM students WHERE id=? AND year=? AND schools_id=?");
$q->execute([$_GET['uninvite'], $config['FAIRYEAR'], $_SESSION['schoolid']]);
if ($q->rowCount()) {
$r = $q->fetch(PDO::FETCH_OBJ);
$registrations_id = $r->registrations_id;
if ($registrations_id) // just to be safe!
{
$stmt = $pdo->prepare("DELETE FROM students WHERE registrations_id='$registrations_id'");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM projects WHERE registrations_id='$registrations_id'");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM mentors WHERE registrations_id='$registrations_id'");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM safety WHERE registrations_id='$registrations_id'");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM emergencycontact WHERE registrations_id='$registrations_id'");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM registrations WHERE id='$registrations_id'");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM students WHERE registrations_id=?");
$stmt->execute([$registrations_id]);
$stmt = $pdo->prepare("DELETE FROM projects WHERE registrations_id=?");
$stmt->execute([$registrations_id]);
$stmt = $pdo->prepare("DELETE FROM mentors WHERE registrations_id=?");
$stmt->execute([$registrations_id]);
$stmt = $pdo->prepare("DELETE FROM safety WHERE registrations_id=?");
$stmt->execute([$registrations_id]);
$stmt = $pdo->prepare("DELETE FROM emergencycontact WHERE registrations_id=?");
$stmt->execute([$registrations_id]);
$stmt = $pdo->prepare("DELETE FROM registrations WHERE id=?");
$stmt->execute([$registrations_id]);
echo happy(i18n('Student successfully uninvited'));
}
@ -91,8 +91,8 @@ if ($_SESSION['schoolid'] && $_SESSION['schoolaccesscode']) {
echo error(i18n('Invalid student to uninvite'));
}
$q = $pdo->prepare("SELECT (NOW()>'" . $config['dates']['regopen'] . "' AND NOW()<'" . $config['dates']['regclose'] . "') AS datecheck");
$q->execute();
$q = $pdo->prepare("SELECT (NOW()>? AND NOW()<?) AS datecheck");
$q->execute([$config['dates']['regopen'],$config['dates']['regclose']]);
$datecheck = $q->fetch(PDO::FETCH_OBJ);
$q = $pdo->prepare("SELECT \t
@ -135,8 +135,8 @@ if ($_SESSION['schoolid'] && $_SESSION['schoolaccesscode']) {
}
} else if ($school->projectlimitper == 'agecategory') {
echo '<br />';
$catq = $pdo->prepare("SELECT * FROM projectcategories WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY id");
$catq->execute();
$catq = $pdo->prepare("SELECT * FROM projectcategories WHERE year=? ORDER BY id");
$catq->execute([$config['FAIRYEAR']]);
while ($catr = $catq->fetch(PDO::FETCH_OBJ)) {
$q2 = $pdo->prepare("SELECT COUNT(students.id) AS num
FROM

16
sponsor_main.php
View File

@ -33,8 +33,8 @@
send_header("Sponsor Main", array());
$u=user_load($_SESSION['users_id']);
//print_r($u);
$q=$pdo->prepare("SELECT * FROM sponsors WHERE id='".$u['sponsors_id']."'");
$q->execute();
$q=$pdo->prepare("SELECT * FROM sponsors WHERE id=?");
$q->execute([$u['sponsors_id']]);
$sponsor=$q->fetch(PDO::FETCH_OBJ);
//only display the named greeting if we have their name
@ -61,11 +61,11 @@
FROM fundraising_donations
JOIN sponsors ON fundraising_donations.sponsors_id=sponsors.id
JOIN fundraising_goals ON fundraising_donations.fundraising_goal=fundraising_goal.goal
AND fundraising_donations.fiscalyear='{$config['FISCALYEAR']}'
AND fundraising_goals.fiscalyear='{$config['FISCALYEAR']}'
AND sponsors.id='".$u['sponsors_id']."'
AND fundraising_donations.fiscalyear=?
AND fundraising_goals.fiscalyear=?
AND sponsors.id=?
ORDER BY status DESC, probability DESC, organization");
$sq->execute();
$sq->execute([$config['FISCALYEAR'],$config['FISCALYEAR'],$u['sponsors_id']]);
show_pdo_errors_if_any($pdo);
echo "<table class=\"tableview\">";
@ -98,8 +98,8 @@
echo "<br />\n";
echo "<h2>Donor Levels</h2>\n";
$q=$pdo->prepare("SELECT * FROM fundraising_donor_levels WHERE year='".$config['FISCALYEAR']."' ORDER BY max DESC");
$q->execute();
$q=$pdo->prepare("SELECT * FROM fundraising_donor_levels WHERE year=? ORDER BY max DESC");
$q->execute([$config['FISCALYEAR']]);
echo "<table class=\"tableview\">";
echo "<th></th><th>".i18n("Level")."</th>";
echo "<th>".i18n("Description / Benefits")."</th>\n";

10
tableeditor.class.php
View File

@ -369,7 +369,7 @@ class TableEditor
// figure out what kind of input this should be
$q = $pdo->prepare("SHOW COLUMNS FROM `{$this->table}` LIKE '$f'");
$q->execute();
$q->execute([]);
$r = $q->fetch(PDO::FETCH_OBJ);
if (preg_match('([a-z]*)\(([0-9,]*)\)', $r->Type, $regs)) {
@ -785,8 +785,8 @@ class TableEditor
case 'enum':
break;
case 'select_or_text':
$optq = $pdo->prepare("SELECT DISTINCT($f) AS $f FROM `{$this->table}` ORDER BY $f");
$optq->execute();
$optq = $pdo->prepare("SELECT DISTINCT(?) AS ? FROM ? ORDER BY ?");
$optq->execute([$f,$f,$this->table, $f]);
if ($this->fieldInputOptions[$f])
echo '<select ' . $this->fieldInputOptions[$f] . ' id="' . $f . '_select" name="' . $f . '_select">';
else
@ -1103,8 +1103,8 @@ class TableEditor
echo '<tr>';
foreach ($this->listfields AS $f => $n) {
// figure out what kind of input this should be
$typeq = $pdo->prepare("SHOW COLUMNS FROM `{$this->table}` LIKE '$f'");
$typeq->execute();
$typeq = $pdo->prepare("SHOW COLUMNS FROM ? LIKE ?");
$typeq->execute([$this->table,$f]);
$typer = $typeq->fetCh(PDO::FETCH_OBJ);
if ($typer->Type == 'time')
echo '<td valign="top">' . $this->format_time($r->$f) . '</td>';

14
tours.class.php
View File

@ -85,8 +85,8 @@ class tours
$q = $pdo->prepare("SELECT\ttours.*
FROM \ttours
WHERE \ttours.id='$id'");
$q->execute();
WHERE \ttours.id=?");
$q->execute([$id]);
show_pdo_errors_if_any($pdo);
/*
@ -114,7 +114,7 @@ class tours
if ($this->id == false) {
$query = "INSERT INTO tours (id) VALUES ('')";
$stmt = $pdo->prepare($query);
$stmt->execute();
$stmt->execute([]);
$this->id = $pdo->lastInsertId();
}
@ -143,10 +143,10 @@ class tours
$id = $this->id;
$stmt = $pdo->prepare("DELETE FROM tours_choice WHERE tour_id='$id' AND year=" . $config['FAIRYEAR'] . "'");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM tours WHERE id='$id' AND year='" . $config['FAIRYEAR'] . "'");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM tours_choice WHERE tour_id=? AND year=?");
$stmt->execute([$id, $config['FAIRYEAR']]);
$stmt = $pdo->prepare("DELETE FROM tours WHERE id=? AND year=?");
$stmt->execute([$id, $config['FAIRYEAR']]);
echo happy(i18n("Successfully removed tour from this year's fair"));
}

88
user.inc.php
View File

@ -111,8 +111,8 @@ function user_load_judge(&$u)
}
$specialawards = array();
if ($u['special_award_only'] == 'yes') {
$q = $pdo->prepare("SELECT * FROM judges_specialaward_sel WHERE users_id='{$u['id']}'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM judges_specialaward_sel WHERE users_id=?");
$q->execute([$u['id']]);
while ($r = $q->fetch(PDO::FETCH_OBJ)) {
$specialawards[] = $r->award_awards_id;
}
@ -149,8 +149,8 @@ function user_load_sponsor(&$u)
$u['sponsor_complete'] = ($u['sponsor_complete'] == 'yes') ? 'yes' : 'no';
$u['sponsor_active'] = ($u['sponsor_active'] == 'yes') ? 'yes' : 'no';
if ($u['sponsors_id']) {
$q = $pdo->prepare("SELECT * FROM sponsors WHERE id='{$u['sponsors_id']}'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM sponsors WHERE id=?");
$q->execute([$u['sponsors_id']]);
$u['sponsor'] = $q->fetch(PDO::FETCH_ASSOC);
}
return true;
@ -317,8 +317,8 @@ function user_load_by_email($email)
global $pdo;
/* Find the most recent uid for the email, regardless of deleted status */
$e = $email;
$q = $pdo->prepare("SELECT uid FROM users WHERE email='$e' OR username='$e' ORDER BY year DESC LIMIT 1");
$q->execute();
$q = $pdo->prepare("SELECT uid FROM users WHERE email=? OR username=? ORDER BY year DESC LIMIT 1");
$q->execute([$e, $e]);
if ($q->rowCount() == 1) {
$i = $q->fetch(PDO::FETCH_ASSOC);
return user_load_by_uid($i['uid']);
@ -365,9 +365,9 @@ function user_set_password($id, $password = NULL)
$set .= "password='" . password_hash($p, PASSWORD_BCRYPT) . "', passwordset=$save_set ";
////FIXME This one may be tricky
$query = "UPDATE users SET $set WHERE id=$id";
$query = "UPDATE users SET ? WHERE id=?";
$stmt = $pdo->prepare($query);
$stmt->execute();
$stmt->execute([$set,$id]);
show_pdo_errors_if_any($pdo);
return $password;
@ -402,9 +402,9 @@ function user_save_type_list($u, $db, $fields)
$set .= "`$f`='$data'";
}
if ($set != '') {
$query = "UPDATE $db SET $set WHERE users_id='{$u['id']}'";
$query = "UPDATE ? SET ? WHERE users_id=?";
$stmt = $pdo->prepare($query);
$stmt->execute();
$stmt->execute([$db,$set,$u['id']]);
if ($pdo->errorInfo()) {
show_pdo_errors_if_any($pdo);
}
@ -539,8 +539,8 @@ function user_save(&$u)
function user_delete_committee($u)
{
global $pdo;
$stmt = $pdo->prepare("DELETE FROM committees_link WHERE users_uid='{$u['uid']}'");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM committees_link WHERE users_uid=?");
$stmt->execute([$u['uid']]);
}
function user_delete_volunteer($u) {}
@ -550,17 +550,17 @@ function user_delete_judge($u)
global $config;
global $pdo;
$ids = array();
$q = $pdo->prepare("SELECT id FROM users WHERE uid = '{$u['uid']}'");
$q->execute();
$q = $pdo->prepare("SELECT id FROM users WHERE uid =?");
$q->execute([$u['uid']]);
while ($row = $q->fetch(PDO::FETCH_ASSOC))
$ids[] = $row['id'];
if (count($ids) > 0) {
$idlist = implode(',', $ids);
$stmt = $pdo->prepare("DELETE FROM judges_teams_link WHERE users_id IN ($idlist)");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM judges_teams_link WHERE users_id IN (?)");
$stmt->execute([$idlist]);
$stmt = $pdo->prepare("DELETE FROM judges_specialaward_sel WHERE users_id IN($idlist)");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM judges_specialaward_sel WHERE users_id IN(?)");
$stmt->execute([$idlist]);
}
}
@ -608,8 +608,8 @@ function user_delete($u, $type = false)
$types .= $t;
}
$stmt = $pdo->prepare("UPDATE users SET types='$types' WHERE uid='{$u['uid']}'");
$stmt->execute();
$stmt = $pdo->prepare("UPDATE users SET types='$types' WHERE uid=?");
$stmt->execute([$u['uid']]);
} else {
$finish_delete = true;
}
@ -623,8 +623,8 @@ function user_delete($u, $type = false)
$finish_delete = true;
}
if ($finish_delete == true) {
$stmt = $pdo->prepare("UPDATE users SET deleted='yes', deleteddatetime=NOW() WHERE uid='{$u['uid']}'");
$stmt->execute();
$stmt = $pdo->prepare("UPDATE users SET deleted='yes', deleteddatetime=NOW() WHERE uid=?");
$stmt->execute([$u['uid']]);
}
}
@ -660,8 +660,8 @@ function user_purge($u, $type = false)
$types .= ',';
$types .= $t;
}
$stmt = $pdo->prepare("UPDATE users SET types='$types' WHERE id='{$u['id']}'");
$stmt->execute();
$stmt = $pdo->prepare("UPDATE users SET types=? WHERE id=?");
$stmt->execute([$types, $u['id']]);
} else {
$finish_purge = true;
}
@ -672,21 +672,21 @@ function user_purge($u, $type = false)
*/
call_user_func("user_delete_$type", $u);
// call_user_func("user_purge_$type", $u);
$stmt = $pdo->prepare("DELETE FROM users_$type WHERE users_id='{$u['id']}'");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM users_$type WHERE users_id=?");
$stmt->execute([$u['id']]);
} else {
/* Delete the whole user */
foreach ($u['types'] as $t) {
call_user_func("user_delete_$t", $u);
// call_user_func("user_purge_$t", $u);
$stmt = $pdo->prepare("DELETE FROM users_$t WHERE users_id='{$u['id']}'");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM users_$t WHERE users_id=?");
$stmt->execute([$u['id']]);
}
$finish_purge = true;
}
if ($finish_purge == true) {
$stmt = $pdo->prepare("DELETE FROM users WHERE id='{$u['id']}'");
$stmt->execute();
$stmt = $pdo->prepare("DELETE FROM users WHERE id=?");
$stmt->execute([$u['id']]);
}
}
@ -695,8 +695,8 @@ function user_dupe_row($table, $key, $val, $newval)
{
global $config, $pdo;
$nullfields = array('id','sex','deleteddatetime'); /* Fields that can be null */
$q = $pdo->prepare("SELECT * FROM $table WHERE $key='$val'");
$q->execute();
$q = $pdo->prepare("SELECT * FROM ? WHERE ?");
$q->execute([$table, $key='$val']);
if ($q->rowCount() != 1) {
echo "ERROR duplicating row in $table: $key=$val NOT FOUND.\n";
exit;
@ -740,9 +740,9 @@ function user_dupe($u, $new_year)
*/
/* Find the last entry */
$q = $pdo->prepare("SELECT id,uid,year,deleted FROM users WHERE uid='{$u['uid']}'
$q = $pdo->prepare("SELECT id,uid,year,deleted FROM users WHERE uid=?
ORDER BY year DESC LIMIT 1");
$q->execute();
$q->execute([$u['uid']]);
$r = $q->fetch(PDO::FETCH_OBJ);
if ($r->deleted == 'yes') {
@ -757,8 +757,8 @@ function user_dupe($u, $new_year)
$id = user_dupe_row('users', 'id', $u['id'], NULL);
$q = $pdo->prepare("UPDATE users SET year = $new_year WHERE id = $id");
$q->execute();
$q = $pdo->prepare("UPDATE users SET year =? WHERE id =?");
$q->execute([$new_year, $id]);
/* Load the new user */
$u2 = user_load($id);
@ -808,26 +808,26 @@ function user_create($type, $username, $u = NULL)
global $pdo;
if (!is_array($u)) {
$stmt = $pdo->prepare("INSERT INTO users (`types`,`username`,`passwordset`,`created`,`year`,`deleted`)
VALUES ('$type','$username','0000-00-00', NOW(), '{$config['FAIRYEAR']}','no')");
$stmt->execute();
VALUES (?,?,'0000-00-00', NOW(),?,'no')");
$stmt->execute([$type,$username,$config['FAIRYEAR']]);
show_pdo_errors_if_any($pdo);
$uid = $pdo->lastInsertId();
if (user_valid_email($username)) {
$stmt = $pdo->prepare("UPDATE users SET email='$username' WHERE id='$uid'");
$stmt->execute();
$stmt = $pdo->prepare("UPDATE users SET email=? WHERE id=?");
$stmt->execute([$username,$uid]);
}
$stmt = $pdo->prepare("UPDATE users SET uid='$uid' WHERE id='$uid'");
$stmt->execute();
$stmt = $pdo->prepare("UPDATE users SET uid=? WHERE id=?");
$stmt->execute([$uid,$uid]);
show_pdo_errors_if_any($pdo);
/*
* Since the user already has a type, user_save won't create this
* entry for us, so do it here
*/
$stmt = $pdo->prepare("INSERT INTO users_$type (users_id) VALUES('$uid')");
$stmt->execute();
$stmt = $pdo->prepare("INSERT INTO users_? (users_id) VALUES(?)");
$stmt->execute([$type, $uid]);
show_pdo_errors_if_any($pdo);
/* Load the complete user */
$u = user_load($uid);

8
user_invite.php
View File

@ -47,8 +47,8 @@ if (intval(get_value_from_array($_GET, 'ajax')) == 1) {
exit;
}
$q = $pdo->prepare("SELECT id FROM users WHERE email='$email' ORDER BY year DESC");
$q->execute();
$q = $pdo->prepare("SELECT id FROM users WHERE email=? ORDER BY year DESC");
$q->execute([$email]);
if ($q->rowCount() == 0) {
/* User doesn't exist */
echo "notexist\n";
@ -182,8 +182,8 @@ if (get_value_from_array($_POST, 'action', '') && get_value_from_array($_POST, '
if (!in_array($action, $allowed_actions))
exit;
$q = $pdo->prepare("SELECT id FROM users WHERE email='$email' ORDER BY year DESC");
$q->execute();
$q = $pdo->prepare("SELECT id FROM users WHERE email=? ORDER BY year DESC");
$q->execute([$email]);
if ($q->rowCount() > 0) {
$u = $q->fetch(PDO::FETCH_ASSOC);
$u = user_load($u['id']);

4
user_new.php
View File

@ -136,8 +136,8 @@ switch ($action) {
$types = explode(',', $r->types);
if ($r->year == $config['FAIRYEAR'] && $r->deleted == 'yes') {
$stmt = $pdo->prepare("UPDATE users SET deleted='no' WHERE id='$r->id'");
$stmt->execute();
$stmt = $pdo->prepare("UPDATE users SET deleted='no' WHERE id=?");
$stmt->execute([$r->id]);
message_push(happy(i18n('Your account has been undeleted')));
message_push(notice(i18n("Use the 'recover password' option on the %1 {$user_what[$type]} login page %2 if you have forgotten your password",
array("<a href=\"user_login.php?type=$type\">", '</a>'))));

4
user_personal.php
View File

@ -147,8 +147,8 @@ switch (get_value_from_array($_GET, 'action')) {
/* Check for an email collision */
$em = stripslashes($_POST['email']);
$q = $pdo->prepare("SELECT *,max(year) FROM users WHERE email='$em' HAVING uid!='{$u['uid']}' AND deleted='no' ");
$q->execute();
$q = $pdo->prepare("SELECT *,max(year) FROM users WHERE email=? HAVING uid!=? AND deleted='no' ");
$q->execute([$em,$u['uid']]);
if ($q->rowCount() > 0) {
error_('That email address is in use by another user');
echo 'email error';

6
volunteer.inc.php
View File

@ -29,10 +29,10 @@ function volunteer_status_position($u)
{
global $config, $pdo;
/* See if they have selected something */
$q = "SELECT * FROM volunteer_positions_signup WHERE users_id='{$u['id']}'
AND year='{$config['FAIRYEAR']}'";
$q = "SELECT * FROM volunteer_positions_signup WHERE users_id=?
AND year=?";
$r = $pdo->prepare($q);
$r->execute();
$r->execute([$u['id'],$config['FAIRYEAR']]);
if ($r->rowCount() >= 1) {
return 'complete';
}

24
volunteer_position.php
View File

@ -42,9 +42,9 @@ if ($_POST['action'] == 'save') {
if (is_array($_POST['posn'])) {
/* Load available IDs */
$posns = array();
$q = "SELECT * FROM volunteer_positions WHERE year='{$config['FAIRYEAR']}'";
$q = "SELECT * FROM volunteer_positions WHERE year=?";
$r = $pdo->prepare($q);
$r->execute();
$r->execute([$config['FAIRYEAR']]);
while ($p = $r->fetch(PDO::FETCH_OBJ)) {
$posns[] = $p->id;
}
@ -63,17 +63,17 @@ if ($_POST['action'] == 'save') {
/* Delete existing selections */
$stmt = $pdo->prepare("DELETE FROM volunteer_positions_signup
WHERE
users_id='{$u['id']}'
AND year='{$config['FAIRYEAR']}' ");
$stmt->execute();
users_id=?
AND year=?");
$stmt->execute([$u['id'],$config['FAIRYEAR']]);
show_pdo_errors_if_any($pdo);
/* Add new selections if there are any */
if ($vals != '') {
$q = "INSERT INTO volunteer_positions_signup (users_id, volunteer_positions_id,year)
VALUES $vals";
VALUES ?";
$r = $po->prepare($q);
$r->execute();
$r->execute([$vals]);
show_pdo_errors_if_any($pdo);
}
@ -110,10 +110,10 @@ echo "<table>\n";
/* Read current selections */
$q = "SELECT * FROM volunteer_positions_signup WHERE
\t\tusers_id = '{$u['id']}'
\t\tAND year='{$config['FAIRYEAR']}'";
\t\tusers_id =?
\t\tAND year=?";
$r = $pdo->prepare($q);
$r->execute();
$r->execute([$u['id'],$config['FAIRYEAR']]);
$checked_positions = array();
while ($p = $r->fetch(PDO::FETCH_OBJ)) {
$checked_positions[] = $p->volunteer_positions_id;
@ -121,9 +121,9 @@ while ($p = $r->fetch(PDO::FETCH_OBJ)) {
/* Load available volunteer positions */
$q = "SELECT *,UNIX_TIMESTAMP(start) as ustart, UNIX_TIMESTAMP(end) as uend
\t\t\tFROM volunteer_positions WHERE year='{$config['FAIRYEAR']}'";
\t\t\tFROM volunteer_positions WHERE year=?";
$r = $pdo->prepare($q);
$r->execute();
$r->execute([$config['FAIRYEAR']]);
while ($p = $r->fetch(PDO::FETCH_OBJ)) {
echo '<tr><td>';

26
winners.php
View File

@ -53,8 +53,8 @@ if (get_value_from_array($_GET, 'year') && get_value_from_array($_GET, 'type'))
// first, lets make sure someone isnt tryint to see something that they arent allowed to!
// but only if the year they want is the FAIRYEAR. If they want a past year, thats cool
if ($_GET['year'] >= $config['FAIRYEAR']) {
$q = $pdo->prepare("SELECT (NOW()>'" . $config['dates']['postwinners'] . "') AS test");
$q->execute();
$q = $pdo->prepare("SELECT (NOW()>?) AS test");
$q->execute([$config['dates']['postwinners']]);
$r = $q->fetch(PDO::FETCH_OBJ);
if ($r->test != 1) {
echo error(i18n('Crystal ball says future is very hard to see!'));
@ -72,14 +72,14 @@ if (get_value_from_array($_GET, 'year') && get_value_from_array($_GET, 'type'))
award_awards,
award_types
WHERE
award_awards.year='$year'
award_awards.year=?
AND\taward_awards.award_types_id=award_types.id
AND\taward_types.type='$type'
AND\taward_types.year='$year'
AND\taward_types.type=?
AND\taward_types.year=?
ORDER BY
awards_order");
$q->execute();
$q->execute([$year,$type,$year]);
show_pdo_errors_if_any($pdo);
if ($q->rowCount()) {
@ -101,11 +101,11 @@ if (get_value_from_array($_GET, 'year') && get_value_from_array($_GET, 'type'))
LEFT JOIN winners ON winners.awards_prizes_id=award_prizes.id
LEFT JOIN projects ON projects.id=winners.projects_id
WHERE
award_awards_id='$r->id'
AND award_prizes.year='$year'
award_awards_id=?
AND award_prizes.year=?
ORDER BY
`order`");
$pq->execute();
$pq->execute([$r->id,$year]);
show_pdo_errors_if_any($pdo);
$awarded_count = 0;
if ($show_unawarded_awards == 'no') {
@ -161,10 +161,10 @@ if (get_value_from_array($_GET, 'year') && get_value_from_array($_GET, 'type'))
students,
schools
WHERE
students.registrations_id='$pr->reg_id'
students.registrations_id=?
AND students.schools_id=schools.id
");
$sq->execute();
$sq->execute([$pr->reg_id]);
$studnum = 0;
$students = '';
@ -262,11 +262,11 @@ if (get_value_from_array($_GET, 'year') && get_value_from_array($_GET, 'type'))
award_awards.award_types_id=award_types.id
AND winners.awards_prizes_id=award_prizes.id
AND award_prizes.award_awards_id=award_awards.id
AND winners.year='$r->year'
AND winners.year=?
ORDER BY
award_types.order
");
$tq->execute();
$tq->execute([$r->year]);
$errorInfo = $pdo->errorInfo();
if ($errorInfo[0] != '00000') {
// If there's an error (the SQLSTATE isn't '00000', which means no error)