From f0977fb55d37c60da147c05e435b356070454e5a Mon Sep 17 00:00:00 2001 From: Armanveer Gill Date: Sun, 8 Dec 2024 02:42:00 -0500 Subject: [PATCH] sql queries --- admin/export_checkin.php | 22 ++- admin/fair_stats.php | 48 +++-- admin/fair_stats_select.php | 10 +- admin/fix_judges_autocomplete.php | 20 +- admin/fundraising_campaigns.php | 66 ++++--- admin/fundraising_campaigns_prospecting.php | 50 +++-- admin/fundraising_common.inc.php | 7 +- admin/fundraising_goals_handler.inc.php | 43 +++-- admin/project_editor.php | 112 ++++++----- admin/registration_stats.php | 24 ++- admin/registration_webconsent.php | 9 +- admin/reports.inc.php | 73 ++++---- admin/reports.php | 35 ++-- admin/reports_acscript.php | 23 ++- admin/reports_appeal_letters.php | 11 +- admin/reports_ceremony.php | 15 +- admin/reports_editor.php | 17 +- admin/reports_gen.php | 29 +-- admin/reports_judges.inc.php | 34 ++-- admin/reports_judges.php | 29 +-- admin/reports_judges_allyears.php | 19 +- admin/reports_judges_teams_projects.php | 31 ++-- admin/reports_mailinglabels_generator.php | 11 +- admin/reports_program_awards.php | 23 ++- admin/reports_projects_details.php | 21 ++- admin/reports_projects_judges_teams.php | 24 ++- admin/reports_students.inc.php | 24 ++- admin/reports_volunteers.inc.php | 2 +- admin/rerollprizes.php | 173 +++++++++-------- admin/schools.php | 70 +++---- admin/schoolsimport.php | 42 +++-- admin/send_emailqueue.php | 46 +++-- admin/settranslation.php | 20 +- admin/sponsor_contacts.php | 24 ++- admin/student_editor.php | 194 ++++++++++++-------- admin/tours_assignments.php | 41 +++-- admin/tours_manager.php | 8 +- admin/tours_sa.php | 31 ++-- admin/tours_sa_config.php | 13 +- admin/translations.php | 18 +- admin/user_editor_window.php | 14 +- admin/user_list.php | 10 +- admin/winners.php | 87 +++++---- 43 files changed, 947 insertions(+), 676 deletions(-) diff --git a/admin/export_checkin.php b/admin/export_checkin.php index 456b1d2f..ac549a6d 100644 
--- a/admin/export_checkin.php +++ b/admin/export_checkin.php @@ -27,8 +27,9 @@ user_auth_required('committee', 'admin'); require("../lpdf.php"); -$catq=mysql_query("SELECT * FROM projectcategories WHERE year='".$config['FAIRYEAR']."' AND id='".$_GET['cat']."'"); -if($catr=mysql_fetch_object($catq)) +$catq=$pdo->prepare("SELECT * FROM projectcategories WHERE year='".$config['FAIRYEAR']."' AND id='".$_GET['cat']."'"); +$catq->execute(); +if($catr=$catq->fetch(PDO::FETCH_OBJ)) { $pdf=new lpdf( i18n($config['fairname']), @@ -38,7 +39,7 @@ if($catr=mysql_fetch_object($catq)) $pdf->newPage(); $pdf->setFontSize(11); - $q=mysql_query("SELECT registrations.id AS reg_id, + $q=$pdo->prepare("SELECT registrations.id AS reg_id, registrations.num AS reg_num, registrations.status, projects.title, @@ -54,7 +55,8 @@ if($catr=mysql_fetch_object($catq)) ORDER BY projects.title "); - echo mysql_error(); + $q->execute(); + echo $pdo->errorInfo(); $table=array(); @@ -72,22 +74,24 @@ if($catr=mysql_fetch_object($catq)) $table['dataalign']=array("left","left","left","center"); } - while($r=mysql_fetch_object($q)) + while($r=$q->fetch(PDO::FETCH_OBJ)) { - $divq=mysql_query("SELECT division,division_shortform FROM projectdivisions WHERE year='".$config['FAIRYEAR']."' AND id='".$r->projectdivisions_id."'"); - $divr=mysql_fetch_object($divq); + $divq=$pdo->prepare("SELECT division,division_shortform FROM projectdivisions WHERE year='".$config['FAIRYEAR']."' AND id='".$r->projectdivisions_id."'"); + $divq->execute(); + $divr=$divq->fetch(PDO::FETCH_OBJ); - $sq=mysql_query("SELECT students.firstname, + $sq=$pdo->prepare("SELECT students.firstname, students.lastname FROM students WHERE students.registrations_id='$r->reg_id' "); + $sq->execute(); $students=""; $studnum=0; - while($studentinfo=mysql_fetch_object($sq)) + while($studentinfo=$sq->fetch(PDO::FETCH_OBJ)) { if($studnum>0) $students.=", "; $students.="$studentinfo->firstname $studentinfo->lastname"; 
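Review bot: `$_GET['cat']` is still concatenated into the SQL string on the new `$catq=$pdo->prepare(...)` line, so the switch to prepare/execute parameterises nothing and the query stays injectable from the request. Bind the values instead: `$catq=$pdo->prepare("SELECT * FROM projectcategories WHERE year=? AND id=?");` `$catq->execute([$config['FAIRYEAR'], $_GET['cat']]);`. The same interpolation is carried into every converted query in this patch (fair_stats.php, fair_stats_select.php, fix_judges_autocomplete.php, the fundraising_* files, project_editor.php), and in fundraising_goals_handler.inc.php and project_editor.php the old `mysql_real_escape_string`/`mysql_escape_string` calls on `$_POST` values are removed without a placeholder taking their place, which is a regression rather than a conversion.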
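Review bot: `echo $pdo->errorInfo();` prints the literal word `Array`, because PDO::errorInfo() returns an array, and it describes the last operation on the connection handle rather than on `$q`. If the error echo is wanted, ask the statement: `if ($q->errorCode() !== '00000') echo $q->errorInfo()[2];` — or set `PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION` on the connection and drop these echoes altogether. The same replacement is repeated in fair_stats.php, fair_stats_select.php, fix_judges_autocomplete.php, fundraising_campaigns.php, fundraising_campaigns_prospecting.php and project_editor.php.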
diff --git a/admin/fair_stats.php b/admin/fair_stats.php index de5c0da4..6fee0fc2 100644 --- a/admin/fair_stats.php +++ b/admin/fair_stats.php @@ -31,8 +31,9 @@ /* Hack so we can jump right to YSC stats */ if($_GET['abbrv'] == 'YSC') { - $q = mysql_query("SELECT id FROM fairs WHERE abbrv='YSC'"); - $r = mysql_fetch_assoc($q); + $q = $pdo->prepare("SELECT id FROM fairs WHERE abbrv='YSC'"); + $q->execute(); + $r = $q->fetch(PDO::FETCH_ASSOC); $_GET['id'] = $r['id']; } @@ -92,8 +93,9 @@ else $fairs_id = -1; if($fairs_id != -1) { - $q = mysql_query("SELECT * FROM fairs WHERE id='$fairs_id'"); - $fair = mysql_fetch_assoc($q); + $q = $pdo->prepare("SELECT * FROM fairs WHERE id='$fairs_id'"); + $q->execute(); + $fair = $q->fetch(PDO::FETCH_ASSOC); } $action = $_POST['action']; 
@@ -215,24 +217,26 @@ /* And now, overwrite all the stuff we pulled down with stats we can compute */ //number of schools - $q=mysql_query("SELECT COUNT(id) AS num FROM schools WHERE year='$year'"); - $r=mysql_fetch_object($q); + $q=$pdo->prepare("SELECT COUNT(id) AS num FROM schools WHERE year='$year'"); + $q->execute(); + $r=$q->fetch(PDO::FETCH_OBJ); $stats['schools_total']=$r->num; //number of schools participating - $q=mysql_query("SELECT DISTINCT(students.schools_id) AS sid, schools.* + $q=$pdo->prepare("SELECT DISTINCT(students.schools_id) AS sid, schools.* FROM students LEFT JOIN registrations ON students.registrations_id=registrations.id LEFT JOIN schools ON students.schools_id=schools.id WHERE students.year='$year' AND registrations.year='$year' AND (registrations.status='complete' OR registrations.status='paymentpending')"); - $stats['schools_active']=mysql_num_rows($q); + $q->execute(); + $stats['schools_active']=$q->rowCount(); $stats['schools_public'] = 0; $stats['schools_private'] = 0; $stats['schools_atrisk'] = 0; $districts = array(); - while($si=mysql_fetch_assoc($q)) { + while($si=$q->fetch(PDO::FETCH_ASSOC)) { if($si['designate'] == 'public') $stats['schools_public']++; if($si['designate'] == 'independent') @@ -245,15 +249,16 @@ $stats['schools_districts'] = count($districts); //numbers of students: - $q=mysql_query("SELECT students.*,schools.* + $q=$pdo->error("SELECT students.*,schools.* FROM students LEFT JOIN registrations ON students.registrations_id=registrations.id LEFT JOIN schools on students.schools_id=schools.id WHERE students.year='$year' AND registrations.year='$year' AND (registrations.status='complete' OR registrations.status='paymentpending')"); - echo mysql_error(); - $stats['students_total'] = mysql_num_rows($q); +$q->execute(); + echo $pdo->errorInfo(); + $stats['students_total'] = $q->rowCount(); $stats['students_public'] = 0; $stats['students_private'] = 0; $stats['students_atrisk'] = 0; 
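Review bot: `$q=$pdo->error("SELECT students.*,schools.* ...")` in the students-count hunk calls a method PDO does not have (every other hunk uses `prepare`), so this branch fatals before `$q->execute()`; it should be `$q=$pdo->prepare(...)`. Separately, `$q->rowCount()` replacing `mysql_num_rows()` here and for `schools_active` in the hunk above relies on the driver reporting row counts for SELECT, which PDO only guarantees for statements that modify rows; with pdo_mysql it works while buffered queries stay enabled, so if that is not a settled assumption, count the rows inside the existing `while` loop or use `count($q->fetchAll(...))`.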
@@ -265,7 +270,7 @@ $stats["projects_$g"] = 0; } $unknown = array(); - while($s=mysql_fetch_assoc($q)) { + while($s=$q->fetch(PDO::FETCH_ASSOC)) { if(!in_array($s['sex'], array('male','female'))) $unknown[$grademap[$s['grade']]]++; else @@ -287,7 +292,7 @@ } //projects - $q=mysql_query("SELECT MAX(students.grade) AS grade FROM students + $q=$pdo->prepare("SELECT MAX(students.grade) AS grade FROM students LEFT JOIN registrations ON students.registrations_id=registrations.id LEFT JOIN projects ON projects.registrations_id=registrations.id WHERE students.year='$year' @@ -295,28 +300,31 @@ AND projects.year='$year' AND (registrations.status='complete' OR registrations.status='paymentpending') GROUP BY projects.id"); - echo mysql_error(); - while($r=mysql_fetch_assoc($q)) { +$q->execute(); + echo $pdo->errorInfo(); + while($r=$q->fetch(PDO::FETCH_ASSOC)) { $stats["projects_{$grademap[$r['grade']]}"]++; } - $q=mysql_query("SELECT COUNT(id) AS num FROM users + $q=$pdo->prepare("SELECT COUNT(id) AS num FROM users LEFT JOIN users_committee ON users_committee.users_id=users.id WHERE types LIKE '%committee%' AND year='$year' AND users_committee.committee_active='yes' AND deleted='no'"); - $r = mysql_fetch_object($q); +$q->execute(); + $r = $q->fetch(PDO::FETCH_OBJ); $stats['committee_members'] = $r->num; - $q=mysql_query("SELECT COUNT(id) AS num FROM users LEFT JOIN users_judge ON users_judge.users_id=users.id + $q=$pdo->prepare("SELECT COUNT(id) AS num FROM users LEFT JOIN users_judge ON users_judge.users_id=users.id WHERE users.year='$year' AND users.types LIKE '%judge%' AND users.deleted='no' AND users_judge.judge_complete='yes' AND users_judge.judge_active='yes'"); - $r=mysql_fetch_object($q); +$q->execute(); + $r=$q->fetch(PDO::FETCH_OBJ); $stats['judges'] = $r->num; diff --git a/admin/fair_stats_select.php b/admin/fair_stats_select.php index 3d9050a2..2f6d61ba 100644 --- a/admin/fair_stats_select.php +++ b/admin/fair_stats_select.php 
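Review bot: The `$q->execute();` lines added after the projects query and the two user-count queries sit at column 0 while the statements around them are indented one level; the students query hunk at @@ -245 has the same unindented line. Indent them with their neighbours so each query reads as one statement sequence.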
@@ -52,8 +52,9 @@ } } $s = join(',', $_POST['stats']); - $q = mysql_query("UPDATE fairs SET gather_stats='$s' WHERE id='$id'"); - echo mysql_error(); + $q = $pdo->prepare("UPDATE fairs SET gather_stats='$s' WHERE id='$id'"); + $q->execute(); + echo $pdo->errorInfo(); echo "UPDATE fairs SET gather_stats='$s' WHERE id='$id'"; happy_("Saved"); exit; @@ -62,8 +63,9 @@ /* Load the user we're editting */ $u = user_load($_SESSION['embed_edit_id']); /* Load the fair attached to the user */ - $q = mysql_query("SELECT * FROM fairs WHERE id={$u['fairs_id']}"); - $f = mysql_fetch_assoc($q); + $q = $pdo->prepare("SELECT * FROM fairs WHERE id={$u['fairs_id']}"); + $q->execute(); + $f = $q->fetch(PDO::FETCH_ASSOC); ?> diff --git a/admin/fix_judges_autocomplete.php b/admin/fix_judges_autocomplete.php index dec1036e..291aa6e2 100644 --- a/admin/fix_judges_autocomplete.php +++ b/admin/fix_judges_autocomplete.php @@ -5,18 +5,22 @@ require_once("../user.inc.php"); user_auth_required('committee', 'admin'); -$q = mysql_query("SELECT * FROM judges WHERE passwordexpiry IS NULL"); -while($i = mysql_fetch_object($q)) { +$q = $pdo->prepare("SELECT * FROM judges WHERE passwordexpiry IS NULL"); +$q->execute(); +while($i = $q->fetch(PDO::FETCH_OBJ)) { echo "Autocompleting Judge {$i->email}
"; $id = $i->id; $p = generatePassword(12); - mysql_query("UPDATE judges SET password='$p',complete='yes'"); - echo mysql_error(); - mysql_query("DELETE FROM judges_years WHERE judges_id='$id'"); - echo mysql_error(); - mysql_query("INSERT INTO judges_years (`judges_id`,`year`) VALUES ('$id','{$config['FAIRYEAR']}')"); - echo mysql_error(); + $stmt = $pdo->prepare("UPDATE judges SET password='$p',complete='yes'"); + $stmt->execute(); + echo $pdo->errorInfo(); + $stmt = $pdo->prepare("DELETE FROM judges_years WHERE judges_id='$id'"); + $stmt->execute(); + echo $pdo->errorInfo(); + $stmt = $pdo->prepare("INSERT INTO judges_years (`judges_id`,`year`) VALUES ('$id','{$config['FAIRYEAR']}')"); + $stmt->execute(); + echo $pdo->errorInfo(); } ?> diff --git a/admin/fundraising_campaigns.php b/admin/fundraising_campaigns.php index 42fd00fb..bc3e9a01 100644 --- a/admin/fundraising_campaigns.php +++ b/admin/fundraising_campaigns.php @@ -34,8 +34,9 @@ switch($_GET['action']){ case "modify": echo "
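Review bot: The new `UPDATE judges SET password='$p',complete='yes'` statement has no WHERE clause, so the first loop iteration overwrites the password of every row in `judges`, not only the judge with `$id`; the removed line had the same omission, and this rewrite is the moment to close it. Bind both values: `$stmt = $pdo->prepare("UPDATE judges SET password=?,complete='yes' WHERE id=?");` `$stmt->execute([$p, $id]);`. The DELETE and INSERT on `judges_years` that follow should take `$id` and `$config['FAIRYEAR']` as bound parameters in the same way.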
\n"; - $q=mysql_query("SELECT * FROM fundraising_campaigns WHERE fiscalyear='{$config['FISCALYEAR']}' ORDER BY name"); - while($r=mysql_fetch_object($q)) { + $q=$pdo->prepare("SELECT * FROM fundraising_campaigns WHERE fiscalyear='{$config['FISCALYEAR']}' ORDER BY name"); + $q->execute(); + while($r=$q->fetch(PDO::FETCH_OBJ)) { echo "

".htmlspecialchars($r->name)."

\n"; echo "
id}\">\n"; echo "
id}\" method=\"post\" action=\"{$_SERVER['PHP_SELF']}\" onsubmit=\"return campaigninfo_save($r->id)\">\n"; @@ -91,15 +92,17 @@ switch($_GET['action']){ prepare("SELECT * FROM fundraising_campaigns WHERE fiscalyear='{$config['FISCALYEAR']}'"); +$q->execute(); + while($r=$q->fetch(PDO::FETCH_OBJ)) { - while($r=mysql_fetch_object($q)) { - - $goalq=mysql_query("SELECT * FROM fundraising_goals WHERE goal='{$r->fundraising_goal}' AND fiscalyear='{$config['FISCALYEAR']}'"); - $goalr=mysql_fetch_object($goalq); - $recq=mysql_query("SELECT SUM(value) AS received FROM fundraising_donations WHERE fundraising_campaigns_id='$r->id' AND fiscalyear='{$config['FISCALYEAR']}' AND status='received'"); - echo mysql_error(); - $recr=mysql_fetch_object($recq); + $goalq=$pdo->prepare("SELECT * FROM fundraising_goals WHERE goal='{$r->fundraising_goal}' AND fiscalyear='{$config['FISCALYEAR']}'"); + $goalq->execute(); + $goalr=$goalq->fetch(PDO::FETCH_OBJ); + $recq=$pdo->prepare("SELECT SUM(value) AS received FROM fundraising_donations WHERE fundraising_campaigns_id='$r->id' AND fiscalyear='{$config['FISCALYEAR']}' AND status='received'"); + $recq->execute(); + echo $pdo->errorInfo(); + $recr=$recq->fetch(PDO::FETCH_OBJ); $received=$recr->received; if($r->target) $percent=round($received/$r->target*100,1); @@ -133,8 +136,9 @@ switch($_GET['action']){ exit; } $id=intval($_GET['id']); - $q=mysql_query("SELECT * FROM fundraising_campaigns WHERE id='$id'"); - $campaign=mysql_fetch_object($q); + $q=$pdo->prepare("SELECT * FROM fundraising_campaigns WHERE id='$id'"); + $q->execute(); + $campaign=$q->fetch(PDO::FETCH_OBJ); echo "

$campaign->name

\n"; ?>
@@ -164,14 +168,15 @@ switch($_GET['action']){ case "manage_tab_overview": $campaign_id=intval($_GET['id']); - $q=mysql_query("SELECT * FROM fundraising_campaigns WHERE id='$campaign_id' AND fiscalyear='{$config['FISCALYEAR']}'"); - - if($r=mysql_fetch_object($q)) { + $q=$pdo->prepare("SELECT * FROM fundraising_campaigns WHERE id='$campaign_id' AND fiscalyear='{$config['FISCALYEAR']}'"); + $q->execute(); + if($r=$q->fetch(PDO::FETCH_OBJ)) { $goalr=getGoal($r->fundraising_goal); - $recq=mysql_query("SELECT SUM(value) AS received FROM fundraising_donations WHERE fundraising_campaigns_id='$r->id' AND fiscalyear='{$config['FISCALYEAR']}' AND status='received'"); - echo mysql_error(); - $recr=mysql_fetch_object($recq); + $recq=$pdo->prepare("SELECT SUM(value) AS received FROM fundraising_donations WHERE fundraising_campaigns_id='$r->id' AND fiscalyear='{$config['FISCALYEAR']}' AND status='received'"); + $recq->execute(); + echo $pdo->errorInfo(); + $recr=recq->fetch(PDO::FETCH_OBJ); $received=$recr->received; if($r->target) $percent=round($received/$r->target*100,1); @@ -202,8 +207,9 @@ switch($_GET['action']){ case "manage_tab_donations": $campaign_id=intval($_GET['id']); - $q=mysql_query("SELECT * FROM fundraising_campaigns WHERE id='$campaign_id' AND fiscalyear='{$config['FISCALYEAR']}'"); - if($campaign=mysql_fetch_object($q)) { + $q=$pdo->prepare("SELECT * FROM fundraising_campaigns WHERE id='$campaign_id' AND fiscalyear='{$config['FISCALYEAR']}'"); + $q->execute(); + if($campaign=$q->fetch(PDO::FETCH_OBJ)) { echo ""; echo ""; echo ""; 
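Review bot: `$recr=recq->fetch(PDO::FETCH_OBJ);` is missing the `$` sigil, so PHP treats `recq` as an undefined constant and the manage_tab_overview branch fails at runtime; it should read `$recr=$recq->fetch(PDO::FETCH_OBJ);`. The `$received=$recr->received` line right after it is what would then break.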
@@ -215,9 +221,9 @@ switch($_GET['action']){ echo ""; echo "\n"; - $q=mysql_query("SELECT * FROM fundraising_donations WHERE fundraising_campaigns_id='$campaign_id' + $q=$pdo->prepare("SELECT * FROM fundraising_donations WHERE fundraising_campaigns_id='$campaign_id' AND status='received' ORDER BY datereceived DESC"); - while($r=mysql_fetch_object($q)) { + while($r=$q->fetch(PDO::FETCH_OBJ)) { $goal=getGoal($r->fundraising_goal); $sq=mysql_query("SELECT * FROM sponsors WHERE id='{$r->sponsors_id}'"); $sponsor=mysql_fetch_object($sq); @@ -251,7 +257,7 @@ switch($_GET['action']){ ); $campaign_id=intval($_GET['id']); $q=mysql_query("SELECT * FROM fundraising_campaigns WHERE id='$campaign_id' AND fiscalyear='{$config['FISCALYEAR']}'"); - $campaign=mysql_fetch_object($q); + $campaign=$q->fetch(PDO::FETCH_OBJ); if($campaign->filterparameters) { echo "

".i18n("User List")."

\n"; $params=unserialize($campaign->filterparameters); @@ -299,7 +305,7 @@ switch($_GET['action']){ echo "\n"; echo "\n"; $q=mysql_query("SELECT * FROM fundraising_campaigns_users_link WHERE fundraising_campaigns_id='$campaign_id'"); - while($r=mysql_fetch_object($q)) { + while($r=$q->fetch(PDO::FETCH_OBJ)) { $u=user_load_by_uid($r->users_uid); //hopefully this never returns false, but who knows.. if($u) { @@ -350,7 +356,7 @@ switch($_GET['action']){
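Review bot: In the @@ -251 hunk `$q` is still produced by `mysql_query(...)` on the unchanged line above, but the new line calls `$q->fetch(PDO::FETCH_OBJ)` on it, which is a method call on a non-object; the query line needs the same `$q=$pdo->prepare(...)`/`$q->execute()` conversion the earlier hunks received. The same half-conversion appears in the hunks at @@ -299, @@ -350, @@ -400, @@ -410, @@ -460 (where `mysql_query($query)` is followed by `echo $pdo->errorInfo()`) and @@ -485 of this file, and the `$sq=mysql_query(...)`/`mysql_fetch_object` pair inside @@ -215 is left on the old extension entirely. Each of these is a fatal error on the first request that reaches it.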
: fetch(PDO::FETCH_OBJ)) { echo "
\n"; } echo "(disabled until the logic requirements can be established)"; @@ -400,7 +406,7 @@ switch($_GET['action']){ $campaign_id=intval($_GET['id']); $q=mysql_query("SELECT * FROM fundraising_campaigns WHERE id='$campaign_id' AND fiscalyear='{$config['FISCALYEAR']}'"); - if($r=mysql_fetch_object($q)) { + if($r=$q->fetch(PDO::FETCH_OBJ)) { } $communications=array("initial"=>"Initial Communication", @@ -410,7 +416,7 @@ switch($_GET['action']){ echo "

".i18n($name)."

\n"; //check if they have one in the emails database $q=mysql_query("SELECT * FROM emails WHERE fundraising_campaigns_id='$campaign_id' AND val='$key'"); - if($email=mysql_fetch_object($q)) { + if($email=$q->fetch(PDO::FETCH_OBJ)) { echo "
"; echo "id,$campaign_id)\">"; echo "  "; @@ -460,11 +466,11 @@ switch($_GET['action']){ $uidlist=implode(",",$_POST['prospectremovefromlist']); $query="DELETE FROM fundraising_campaigns_users_link WHERE fundraising_campaigns_id='$campaignid' AND users_uid IN ($uidlist)"; mysql_query($query); - echo mysql_error(); + echo $pdo->errorInfo(); } //if theres nobody left in the list we need to reset the filter params as well $q=mysql_query("SELECT COUNT(*) AS num FROM fundraising_campaigns_users_link WHERE fundraising_campaigns_id='$campaignid'"); - $r=mysql_fetch_object($q); + $r=$q->fetch(PDO::FETCH_OBJ); if($r->num==0) { mysql_query("UPDATE fundraising_campaigns SET filterparameters=NULL WHERE id='$campaignid'"); } @@ -485,7 +491,7 @@ switch($_GET['action']){ $emails_id=$_POST['id']; //check if its been sent, if so, it cannot be deleted, sorry! $q=mysql_query("SELECT * FROM emails WHERE id='$emails_id'"); - $e=mysql_fetch_object($q); + $e=$q->fetch(PDO::FETCH_OBJ); if($e->lastsent) { error_("Cannot remove an email that has already been sent"); } diff --git a/admin/fundraising_campaigns_prospecting.php b/admin/fundraising_campaigns_prospecting.php index fabf0270..c8695bd1 100644 --- a/admin/fundraising_campaigns_prospecting.php +++ b/admin/fundraising_campaigns_prospecting.php @@ -30,8 +30,10 @@ $otherlist=array(); if($_POST['donortype']=="organization") { - $q=mysql_query("SELECT id, organization AS name, address, address2, city, province_code, postalcode FROM sponsors ORDER BY name"); - echo mysql_error(); + $q=$pdo->prepare("SELECT id, organization AS name, address, address2, city, province_code, postalcode FROM sponsors ORDER BY name"); + + $q->execute(); + echo $pdo->errorInfo(); if(!$_POST['contacttype']) $contacttype=array("primary","secondary"); 
@@ -39,7 +41,7 @@ if($_POST['donortype']=="organization") { $contacttype=$_POST['contacttype']; $primary=""; - while($r=mysql_fetch_object($q)) { + while($r=$q->fetch(PDO::FETCH_OBJ)) { foreach($contacttype AS $ct) { switch($ct) { case "primary": @@ -49,7 +51,7 @@ if($_POST['donortype']=="organization") { $primary="no"; break; } - $cq = mysql_query("SELECT *,MAX(year) FROM users LEFT JOIN users_sponsor ON users_sponsor.users_id=users.id + $cq = $pdo->prepare("SELECT *,MAX(year) FROM users LEFT JOIN users_sponsor ON users_sponsor.users_id=users.id WHERE sponsors_id='" . $r->id . "' AND `primary`='$primary' @@ -58,9 +60,10 @@ if($_POST['donortype']=="organization") { HAVING deleted='no' ORDER BY users_sponsor.primary DESC,lastname,firstname "); + $cq->execute(); - echo mysql_error(); - while($cr=mysql_fetch_object($cq)) { + echo $pdo->errorInfo(); + while($cr=m$cq->fetch(PDO::FETCH_OBJ)) { if(!$userslist[$cr->uid]) $userslist[$cr->uid]=user_load($cr->users_id); } @@ -76,9 +79,10 @@ else if($_POST['donortype']=="individual") { foreach($individual_type AS $t) { $query="SELECT *,MAX(year) FROM users WHERE types LIKE '%$t%' GROUP BY uid HAVING deleted='no' ORDER BY lastname,firstname"; - $q=mysql_query($query); - echo mysql_error(); - while($r=mysql_fetch_object($q)) { + $q=$pdo->prepare($query); + $q->execute(); + echo $pdo->errorInfo(); + while($r=$q->fetch(PDO::FETCH_OBJ)) { if(!$userslist[$r->uid]) $userslist[$r->uid]=user_load_by_uid($r->uid); } @@ -140,8 +144,9 @@ $thisyearlist=$userslist; foreach($neverlist AS $uid=>$u) { if($u['sponsors_id']) { - $q=mysql_query("SELECT * FROM fundraising_donations WHERE status='received' AND sponsors_id='{$u['sponsors_id']}'"); - if(mysql_num_rows($q)) { + $q=$pdo->prepare("SELECT * FROM fundraising_donations WHERE status='received' AND sponsors_id='{$u['sponsors_id']}'"); + $q->execute(); + if($q->rowCount()) { // echo "removing $uid because they have donated in the past
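Review bot: `while($cr=m$cq->fetch(PDO::FETCH_OBJ)) {` has a stray `m` before `$cq`, which is a parse error and takes the whole file down rather than just the organization branch; it should be `while($cr=$cq->fetch(PDO::FETCH_OBJ)) {`. The sponsor `$r->id` and `$primary` values interpolated into `$cq` a few lines up would also be natural bound parameters once this line is fixed.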
"; unset($neverlist[$uid]); } @@ -154,8 +159,9 @@ $thisyearlist=$userslist; foreach($pastlist AS $uid=>$u) { if($u['sponsors_id']) { - $q=mysql_query("SELECT * FROM fundraising_donations WHERE status='received' AND sponsors_id='{$u['sponsors_id']}'"); - if(!mysql_num_rows($q)) { + $q=$pdo->prepare("SELECT * FROM fundraising_donations WHERE status='received' AND sponsors_id='{$u['sponsors_id']}'"); + $q->execute(); + if(!$q->rowCount()) { // echo "removing $uid because they have NOT donated in the past
"; unset($pastlist[$uid]); } @@ -171,8 +177,9 @@ $thisyearlist=$userslist; foreach($lastyearlist AS $uid=>$u) { if($u['sponsors_id']) { - $q=mysql_query("SELECT * FROM fundraising_donations WHERE status='received' AND sponsors_id='{$u['sponsors_id']}' AND fiscalyear='$lastyear'"); - if(!mysql_num_rows($q)) { + $q=$pdo->prepare("SELECT * FROM fundraising_donations WHERE status='received' AND sponsors_id='{$u['sponsors_id']}' AND fiscalyear='$lastyear'"); + $q->execute(); + if(!$q->rowCount()) { // echo "removing $uid because they have NOT donated last year
"; unset($lastyearlist[$uid]); } @@ -186,8 +193,9 @@ $thisyearlist=$userslist; foreach($thisyearlist AS $uid=>$u) { if($u['sponsors_id']) { - $q=mysql_query("SELECT * FROM fundraising_donations WHERE status='received' AND sponsors_id='{$u['sponsors_id']}' AND fiscalyear='{$config['FISCALYEAR']}'"); - if(!mysql_num_rows($q)) { + $q=$pdo->prepare("SELECT * FROM fundraising_donations WHERE status='received' AND sponsors_id='{$u['sponsors_id']}' AND fiscalyear='{$config['FISCALYEAR']}'"); + $q->execcute(); + if(!$q->rowCount()) { // echo "removing $uid because they have NOT donated this year
"; unset($thisyearlist[$uid]); } @@ -218,11 +226,13 @@ if($_GET['generatelist']) { $campaignid=$_POST['fundraising_campaigns_id']; $params=serialize($_POST); echo "params=$params"; - mysql_query("UPDATE fundraising_campaigns SET filterparameters='{$params}' WHERE id='$campaignid'"); + $stmt = $pdo->prepare("UPDATE fundraising_campaigns SET filterparameters='{$params}' WHERE id='$campaignid'"); + $stmt->execute(); $uids=array_keys($userslist); foreach($uids AS $u) { - mysql_query("INSERT INTO fundraising_campaigns_users_link (fundraising_campaigns_id, users_uid) VALUES ('$campaignid','$u')"); - } + $stmt = $pdo->prepare("INSERT INTO fundraising_campaigns_users_link (fundraising_campaigns_id, users_uid) VALUES ('$campaignid','$u')"); + $stmt->execute();} + echo "List created"; } else { diff --git a/admin/fundraising_common.inc.php b/admin/fundraising_common.inc.php index 62b25095..cddf0e31 100644 --- a/admin/fundraising_common.inc.php +++ b/admin/fundraising_common.inc.php @@ -4,8 +4,9 @@ $salutations=array("Mr.","Mrs.","Ms","Dr.","Professor"); function getGoal($goal) { global $config; - $q=mysql_query("SELECT * FROM fundraising_goals WHERE goal='$goal' AND fiscalyear='{$config['FISCALYEAR']}' LIMIT 1"); - return mysql_fetch_object($q); -} + $q=$pdo->prepare("SELECT * FROM fundraising_goals WHERE goal='$goal' AND fiscalyear='{$config['FISCALYEAR']}' LIMIT 1"); + $q->execute(); + return $q->rowCount(); + ?> diff --git a/admin/fundraising_goals_handler.inc.php b/admin/fundraising_goals_handler.inc.php index 665ad477..115ca9b1 100644 --- a/admin/fundraising_goals_handler.inc.php +++ b/admin/fundraising_goals_handler.inc.php 
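Review bot: `$q->execcute();` is misspelled, so the this-year filter fatals on an undefined method before `$q->rowCount()` is reached; it should be `$q->execute();`. The three sibling loops above (@@ -140, @@ -154, @@ -171) spell it correctly, so this one is the odd one out.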
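Review bot: `$stmt->execute();}` fuses the loop's closing brace onto the statement; put the `}` on its own line. Since the INSERT is identical for every `$u`, prepare it once before the loop and execute it per item: `$stmt = $pdo->prepare("INSERT INTO fundraising_campaigns_users_link (fundraising_campaigns_id, users_uid) VALUES (?,?)");` then `foreach($uids AS $u) { $stmt->execute([$campaignid, $u]); }`, which also binds `$campaignid` (taken from `$_POST`) instead of interpolating it.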
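Review bot: `getGoal()` now returns `$q->rowCount()` instead of the fetched row, but its callers in fundraising_campaigns.php use the result as an object (`$goalr=getGoal($r->fundraising_goal)` in the manage_tab_overview hunk), so they will receive an integer; the return should stay `return $q->fetch(PDO::FETCH_OBJ);`. The function also reads `$pdo` while declaring only `global $config;`, so `$pdo` is null inside it — `global $config, $pdo;` — and the function's closing `}` was deleted, which is a parse error for every file that includes fundraising_common.inc.php. With those three lines restored, `$goal` and `$config['FISCALYEAR']` can be passed to `execute()` as placeholders rather than interpolated.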
@@ -2,14 +2,17 @@ if($_POST['action']=="funddelete" && $_POST['delete']) { //first lookup all the sponsorships inside the fund $id=intval($_POST['delete']); - $q=mysql_query("SELECT * FROM fundraising_goals WHERE id='$id' AND year='".$config['FISCALYEAR']."'"); - $f=mysql_fetch_object($q); + $q=$pdo->prepare("SELECT * FROM fundraising_goals WHERE id='$id' AND year='".$config['FISCALYEAR']."'"); + $q->execute(); + $f=$q->fetch(PDO::FETCH_OBJ); //hold yer horses, no deleting system funds! if($f) { if($f->system=="no") { - mysql_query("DELETE FROM fundraising_donations WHERE fundraising_goal='".mysql_real_escape_string($f->type)."' AND fiscalyear='".$config['FISCALYEAR']."'"); - mysql_query("DELETE FROM fundraising_goals WHERE id='$id'"); - if(mysql_affected_rows()) + $stmt = $pdo->prepare("DELETE FROM fundraising_donations WHERE fundraising_goal='".$f->type."' AND fiscalyear='".$config['FISCALYEAR']."'"); + $stmt->execute(); + $stmt = $pdo->prepare("DELETE FROM fundraising_goals WHERE id='$id'"); + $stmt->execute(); + if($pdo->rowCount()) happy_("Successfully removed fund %1",array($f->name)); } else { 
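Review bot: `if($pdo->rowCount())` calls a method that exists on PDOStatement, not on PDO, so the delete branch fatals after the rows have already been removed; use the statement that ran the DELETE: `if($stmt->rowCount())`. Replacing `mysql_real_escape_string($f->type)` with bare `$f->type` in the first DELETE also drops escaping on a value read back from the database without binding it; the direct route is `$stmt = $pdo->prepare("DELETE FROM fundraising_donations WHERE fundraising_goal=? AND fiscalyear=?"); $stmt->execute([$f->type, $config['FISCALYEAR']]);`.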
@@ -21,26 +24,31 @@ if($_POST['action']=="funddelete" && $_POST['delete']) { if($_POST['action']=="fundedit" || $_POST['action']=="fundadd") { $fundraising_id=intval($_POST['fundraising_id']); if($fundraising_id) { - $q=mysql_query("SELECT * FROM fundraising_goals WHERE id='$fundraising_id'"); - $f=mysql_fetch_object($q); + $q=$pdo->prepare("SELECT * FROM fundraising_goals WHERE id='$fundraising_id'"); + $q->execute(); + $f=$q->fetch(PDO::FETCH_OBJ); $system=$f->system; } - $name=mysql_real_escape_string($_POST['name']); - $goal=mysql_real_escape_string($_POST['goal']); - $description=mysql_real_escape_string($_POST['description']); + $name=$_POST['name']; + $goal=$_POST['goal']; + $description=$_POST['description']; $budget=intval($_POST['budget']); } if($_POST['action']=="fundedit") { if( ($system=="yes" && $budget) || ($system=="no" && $budget && $goal && $name) ) { if($system=="yes") { - mysql_query("UPDATE fundraising SET budget='$budget', description='$description' WHERE id='$fundraising_id'"); + $stmt = $pdo->prepare("UPDATE fundraising SET budget='$budget', description='$description' WHERE id='$fundraising_id'"); + $stmt->execute(); } + else { - mysql_query("UPDATE fundraising SET budget='$budget', description='$description', goal='$goal', name='$name' WHERE id='$fundraising_id'"); + $stmt = $pdo->prepare("UPDATE fundraising SET budget='$budget', description='$description', goal='$goal', name='$name' WHERE id='$fundraising_id'"); + $stmt->execute(); } - if(mysql_error()) - error_("MySQL Error: %1",array(mysql_error())); + + if($pdo->errorInfo()) + error_("MySQL Error: %1",array($pdo->errorInfo())); else happy_("Saved fund changes"); } 
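Review bot: `if($pdo->errorInfo())` is always true — errorInfo() returns a non-empty array even on success — so every fundedit request reports `MySQL Error: Array` and never reaches `happy_("Saved fund changes")`; the fundadd hunk at @@ -52 has the same check. Test the statement that ran, e.g. `if($stmt->errorCode() !== '00000') error_("MySQL Error: %1",array($stmt->errorInfo()[2]));`, or enable `PDO::ERRMODE_EXCEPTION` on the connection. The `mysql_real_escape_string` calls on `$_POST['name']`, `$_POST['goal']` and `$_POST['description']` are removed and those values are then concatenated straight into the UPDATE and INSERT strings, which makes the form fields directly injectable; they should become bound parameters of the prepared statements this hunk introduces.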
@@ -52,13 +60,14 @@ if($_POST['action']=="fundedit") { } if($_POST['action']=="fundadd") { if( $goal && $type && $name) { - mysql_query("INSERT INTO fundraising_goals (goal,name,description,system,budget,fiscalyear) VALUES ('$goal','$name','$description','no','$budget','{$config['FISCALYEAR']}')"); + $stmt = $pdo->prepare("INSERT INTO fundraising_goals (goal,name,description,system,budget,fiscalyear) VALUES ('$goal','$name','$description','no','$budget','{$config['FISCALYEAR']}')"); + $stmt->execute(); happy_("Added new fund"); } else error_("Required fields were missing, please try again"); - if(mysql_error()) - error_("MySQL Error: %1",array(mysql_error())); + if($pdo->errorInfo()) + error_("MySQL Error: %1",array($pdo->errorInfo())); exit; } diff --git a/admin/project_editor.php b/admin/project_editor.php index cabaa329..9cdde025 100644 --- a/admin/project_editor.php +++ b/admin/project_editor.php @@ -46,11 +46,14 @@ if($auth_type == 'fair') { } else { /* Make sure they have permission to laod this student, check the master copy of the fairs_id in the project */ - $q=mysql_query("SELECT * FROM projects WHERE + $q=$pdo>prepare("SELECT * FROM projects WHERE registrations_id='$registrations_id' AND year='{$config['FAIRYEAR']}' AND fairs_id=$fairs_id"); - if(mysql_num_rows($q) != 1) { + + + $q->execute(); + if($q->rowCount()!= 1) { echo "permission denied."; exit; } 
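Review bot: `$q=$pdo>prepare("SELECT * FROM projects WHERE ...")` is missing the `-` of the arrow, so PHP reads it as `$pdo > prepare(...)`, a call to an undefined function, and the permission check for non-fair users fatals before `$q->execute()`; it should be `$q=$pdo->prepare(...)`. Because this query is the authorization gate on `$registrations_id` and `$fairs_id`, it is also the first place to bind rather than interpolate: `... WHERE registrations_id=? AND year=? AND fairs_id=?` with `$q->execute([$registrations_id, $config['FAIRYEAR'], $fairs_id]);`. The two blank lines inserted before `$q->execute()` can be dropped.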
@@ -68,19 +71,22 @@ case 'project_regenerate_number': project_save(); /* Now generate */ - $q=mysql_query("SELECT id FROM projects WHERE registrations_id='{$registrations_id}' AND year='{$config['FAIRYEAR']}'"); - $i=mysql_fetch_assoc($q); + $q=$pdo->prepare("SELECT id FROM projects WHERE registrations_id='{$registrations_id}' AND year='{$config['FAIRYEAR']}'"); + $q->execute(); + $i=$q->fetch(PDO::FETCH_ASSOC);; $id = $i['id']; - mysql_query("UPDATE projects SET projectnumber=NULL,projectsort=NULL, + $pdo->prepare("UPDATE projects SET projectnumber=NULL,projectsort=NULL, projectnumber_seq='0',projectsort_seq='0' WHERE id='$id'"); - echo mysql_error(); + $pdo->execute(); + echo $pdo->errorInfo(); list($pn,$ps,$pns,$pss) = generateProjectNumber($registrations_id); // print("Generated Project Number [$pn]"); - mysql_query("UPDATE projects SET projectnumber='$pn',projectsort='$ps', + $pdo->prepare("UPDATE projects SET projectnumber='$pn',projectsort='$ps', projectnumber_seq='$pns',projectsort_seq='$pss' WHERE id='$id'"); + $pdo->execute(); happy_("Generated and Saved Project Number: $pn"); break; @@ -98,8 +104,9 @@ function project_save() global $registrations_id, $config; //first, lets make sure this project really does belong to them - $q=mysql_query("SELECT * FROM projects WHERE registrations_id='{$registrations_id}' AND year='{$config['FAIRYEAR']}'"); - $projectinfo=mysql_fetch_object($q); + $q=$pdo->prepare("SELECT * FROM projects WHERE registrations_id='{$registrations_id}' AND year='{$config['FAIRYEAR']}'"); + $q->execute(); + $projectinfo = $q->fetch(PDO::FETCH_OBJ); if(!projectinfo) { echo error(i18n("Invalid project to update")); } 
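Review bot: Both `$pdo->prepare("UPDATE projects SET ...")` calls in project_regenerate_number discard the returned statement and are followed by `$pdo->execute()`, which is not a PDO method — the number reset and the write of the generated number never run, and the request fatals on the first `$pdo->execute()`. Assign and execute the statement: `$stmt=$pdo->prepare("UPDATE projects SET projectnumber=NULL,projectsort=NULL, projectnumber_seq='0',projectsort_seq='0' WHERE id=?");` `$stmt->execute([$id]);`, and the same shape for the second UPDATE with `$pn,$ps,$pns,$pss,$id` as bound values. There is also a doubled `;;` after `$i=$q->fetch(PDO::FETCH_ASSOC)`.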
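Review bot: project_save() declares `global $registrations_id, $config;` but the new line `$q=$pdo->prepare(...)` reads `$pdo`, which is not in scope inside the function, so `$pdo` is null and the prepare call fails; add it to the declaration, `global $registrations_id, $config, $pdo;`. The function body continues past this hunk and every converted query in it (@@ -114, @@ -131) has the same scope problem. The context line `if(!projectinfo)` tests an undefined constant rather than `$projectinfo`, so the "Invalid project" guard never fires; it predates this patch but is worth fixing while the lines are being touched.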
@@ -114,15 +121,17 @@ function project_save() //check if it is flagged then update it if(empty($_POST['feedback'])) { - mysql_query("UPDATE projects SET ". + $stmt = $pdo->prepare("UPDATE projects SET ". "flagged='0'". "WHERE id='".intval($_POST['id'])."'"); + $stmt->execute(); } else { - mysql_query("UPDATE projects SET ". + $stmt = $pdo->prepare("UPDATE projects SET ". "flagged='1'". "WHERE id='".intval($_POST['id'])."'"); + $stmt->execute(); } - echo mysql_error(); + echo $pdo->errorInfo(); happy_("Flagging process successfully updated"); if($config['participant_project_title_charmax'] && strlen(stripslashes($_POST['title']))>$config['participant_project_title_charmax']) { //0 for no limit, eg 255 database field limit 
@@ -131,34 +140,36 @@ function project_save() } else $title=stripslashes($_POST['title']); - mysql_query("UPDATE projects SET ". - "title='".mysql_escape_string(iconv("UTF-8","ISO-8859-1//TRANSLIT",$title))."', ". - "projectdivisions_id='".intval($_POST['projectdivisions_id'])."', ". - "projecttype='".mysql_escape_string(stripslashes($_POST['projecttype']))."', ". - "language='".mysql_escape_string(stripslashes($_POST['language']))."', ". - "req_table='".mysql_escape_string(stripslashes($_POST['req_table']))."', ". - "req_electricity='".mysql_escape_string(stripslashes($_POST['req_electricity']))."', ". - "req_special='".mysql_escape_string(iconv("UTF-8","ISO-8859-1//TRANSLIT",stripslashes($_POST['req_special'])))."', ". - "human_participants='".mysql_escape_string(stripslashes($_POST['human_participants']))."', ". - "animal_participants='".mysql_escape_string(stripslashes($_POST['animal_participants']))."', ". - "summary='".mysql_escape_string(iconv("UTF-8","ISO-8859-1//TRANSLIT",stripslashes($_POST['summary'])))."', ". + $stmt = $pdo->prepare("UPDATE projects SET ". + "title='".iconv("UTF-8","ISO-8859-1//TRANSLIT",$title)."', ". + "projectdivisions_id='".intval($_POST['projectdivisions_id']."', ". + "projecttype='".stripslashes($_POST['projecttype'])."', ". + "language='".stripslashes($_POST['language'])."', ". + "req_table='".stripslashes($_POST['req_table'])."', ". + "req_electricity='".stripslashes($_POST['req_electricity'])."', ". + "req_special='".iconv("UTF-8","ISO-8859-1//TRANSLIT",stripslashes($_POST['req_special']))."', ". + "human_participants='".stripslashes($_POST['human_participants'])."', ". + "animal_participants='".stripslashes($_POST['animal_participants'])."', ". + "summary='".iconv("UTF-8","ISO-8859-1//TRANSLIT",stripslashes($_POST['summary']))."', ". "summarycountok='$summarycountok',". - "feedback='".mysql_escape_string(iconv("UTF-8","ISO-8859-1//TRANSLIT",stripslashes($_POST['feedback'])))."', ". 
- "projectsort='".mysql_escape_string(stripslashes($_POST['projectsort']))."'". - "WHERE id='".intval($_POST['id'])."'"); - echo mysql_error(); + "feedback='".iconv("UTF-8","ISO-8859-1//TRANSLIT",stripslashes($_POST['feedback']))."', ". + "projectsort='".stripslashes($_POST['projectsort'])."'". + "WHERE id='".intval($_POST['id']))."'"); + echo $pdo->errorInfo(); happy_("Project information successfully updated"); //check if they changed the project number if($_POST['projectnumber']!=$projectinfo->projectnumber) { //check if hte new one is available - $q=mysql_query("SELECT * FROM projects WHERE year='".$config['FAIRYEAR']."' AND projectnumber='".$_POST['projectnumber']."'"); - if(mysql_num_rows($q)) { + $q=$pdo->prepare("SELECT * FROM projects WHERE year='".$config['FAIRYEAR']."' AND projectnumber='".$_POST['projectnumber']."'"); + $q->execute(); + if($q->rowCount()) { error_("Could not change project number. %1 is already in use",array($_POST['projectnumber'])); } else { - mysql_query("UPDATE projects SET + $stmt = $pdo->prepare("UPDATE projects SET projectnumber='".$_POST['projectnumber']."' WHERE id='".$_POST['id']."'"); + $stmt->execute(); happy_("Project number successfully changed to %1",array($_POST['projectnumber'])); } } 
@@ -169,12 +180,14 @@ function project_load() { global $registrations_id, $config; //now lets find out their MAX grade, so we can pre-set the Age Category - $q=mysql_query("SELECT MAX(grade) AS maxgrade FROM students WHERE registrations_id='".$registrations_id."'"); - $gradeinfo=mysql_fetch_object($q); + $q=$pdo->prepare("SELECT MAX(grade) AS maxgrade FROM students WHERE registrations_id='".$registrations_id."'"); + $q->execute(); + $gradeinfo=$q->fetch(PDO::FETCH_OBJ); //now lets grab all the age categories, so we can choose one based on the max grade - $q=mysql_query("SELECT * FROM projectcategories WHERE year='".$config['FAIRYEAR']."' ORDER BY id"); - while($r=mysql_fetch_object($q)) { + $q=$pdo->prepare("SELECT * FROM projectcategories WHERE year='".$config['FAIRYEAR']."' ORDER BY id"); + $q->execute(); + while($r=$q->fetch(PDO::FETCH_OBJ)) { //save these in an array, just incase we need them later (FIXME: remove this array if we dont need it) $agecategories[$r->id]['category']=$r->category; $agecategories[$r->id]['mingrade']=$r->mingrade; 
@@ -185,20 +198,24 @@ function project_load() } //now select their project info - $q=mysql_query("SELECT * FROM projects WHERE registrations_id='".$registrations_id."' AND year='".$config['FAIRYEAR']."'"); + $q=$pdo->prepare("SELECT * FROM projects WHERE registrations_id='".$registrations_id."' AND year='".$config['FAIRYEAR']."'"); //check if it exists, if we didnt find any record, lets insert one - $projectinfo=mysql_fetch_object($q); + $q->execute(); + $projectinfo=$q->fetch(PDO::FETCH_OBJ); if(!$projectinfo) { - mysql_query("INSERT INTO projects (registrations_id,projectcategories_id,year) VALUES ('".$registrations_id."','$projectcategories_id','".$config['FAIRYEAR']."')"); + $stmt = $pdo->prepare("INSERT INTO projects (registrations_id,projectcategories_id,year) VALUES ('".$registrations_id."','$projectcategories_id','".$config['FAIRYEAR']."')"); //and then pull it back out - $q=mysql_query("SELECT * FROM projects WHERE registrations_id='".$registrations_id."' AND year='".$config['FAIRYEAR']."'"); - $projectinfo=mysql_fetch_object($q); + $stmt->execute(); + $q=$pdo->prepare("SELECT * FROM projects WHERE registrations_id='".$registrations_id."' AND year='".$config['FAIRYEAR']."'"); + $q->execute(); + $projectinfo=$q->fetch(PDO::FETCH_OBJ); } //make sure that if they changed their grade on the student page, we update their projectcategories_id accordingly if($projectcategories_id && $projectinfo->projectcategories_id!=$projectcategories_id) { echo notice(i18n("Age category changed, updating to %1",array($agecategories[$projectcategories_id]['category']))); - mysql_query("UPDATE projects SET projectcategories_id='$projectcategories_id' WHERE id='$projectinfo->id'"); + $stmt = $pdo->prepare("UPDATE projects SET projectcategories_id='$projectcategories_id' WHERE id='$projectinfo->id'"); + $stmt->execute(); } //output the current status @@ -252,12 +269,13 @@ function countwords() prepare("SELECT * FROM projecttypes ORDER BY type"); + $q->execute(); echo "
".i18n("Project Type").": "; echo ""; echo "\n"; - while($r=mysql_fetch_object($q)) { + while($r=$q->fetch(PDO::FETCH_OBJ)) { if($r->id == $projectinfo->projectdivisions_id) $sel="selected=\"selected\""; else $sel=""; echo "\n"; } diff --git a/admin/registration_stats.php b/admin/registration_stats.php index 2f20fa73..0805558d 100644 --- a/admin/registration_stats.php +++ b/admin/registration_stats.php @@ -61,12 +61,15 @@ echo ""; echo ""; -$q=mysql_query("SELECT * FROM projectcategories WHERE year='$year' ORDER BY id"); -while($r=mysql_fetch_object($q)) +$q=$pdo->prepare("SELECT * FROM projectcategories WHERE year='$year' ORDER BY id"); + + +while($r=$q->fetch(PDO::FETCH_OBJ) $cats[$r->id]=$r->category; -$q=mysql_query("SELECT * FROM projectdivisions WHERE year='$year' ORDER BY id"); -while($r=mysql_fetch_object($q)) +$q=$pdo->prepare("SELECT * FROM projectdivisions WHERE year='$year' ORDER BY id"); +$q->execute(); +while($r=$q->fetch(PDO::FETCH_OBJ)) $divs[$r->id]=$r->division; if($showstatus) { @@ -90,7 +93,7 @@ else $wherestatus=""; default: $ORDERBY="registrations.status DESC, projects.title"; break; } - $q=mysql_query("SELECT registrations.id AS reg_id, + $q=$pdo->prepare("SELECT registrations.id AS reg_id, registrations.num AS reg_num, registrations.status, registrations.email, @@ -109,7 +112,8 @@ else $wherestatus=""; ORDER BY $ORDERBY "); - echo mysql_error(); + $q->execute(); + echo $pdo->errorInfo(); $stats_totalprojects=0; $stats_totalstudents=0; @@ -123,7 +127,7 @@ else $wherestatus=""; $schools_names=array(); $languages=array(); - while($r=mysql_fetch_object($q)) + while($r=$q->fetch(PDO::FETCH_OBJ)) { $stats_totalprojects++; $stats_divisions[$r->projectdivisions_id]++; @@ -142,7 +146,7 @@ else $wherestatus=""; $status_text=i18n($status_text); - $sq=mysql_query("SELECT students.firstname, + $sq=$pdo->prepare("SELECT students.firstname, students.lastname, students.id, schools.school, 
@@ -155,12 +159,12 @@ else $wherestatus=""; AND students.schools_id=schools.id "); - echo mysql_error(); + echo $pdo->errorInfo(); $studnum=1; $schools=""; $students=""; - while($studentinfo=mysql_fetch_object($sq)) + while($studentinfo=$sq->fetch(PDO::FETCH_OBJ)) { $stats_totalstudents++; $stats_students_catdiv[$r->projectcategories_id][$r->projectdivisions_id]++; diff --git a/admin/registration_webconsent.php b/admin/registration_webconsent.php index 075c7c8c..2de79a9c 100644 --- a/admin/registration_webconsent.php +++ b/admin/registration_webconsent.php @@ -45,7 +45,7 @@ $webfirst=$_POST['webfirst'][$id]=="yes"?"yes":"no"; $weblast=$_POST['weblast'][$id]=="yes"?"yes":"no"; $webphoto=$_POST['webphoto'][$id]=="yes"?"yes":"no"; - mysql_query("UPDATE students SET + $stmt = $pdo->prepare("UPDATE students SET webfirst='$webfirst', weblast='$weblast', webphoto='$webphoto' @@ -71,7 +71,7 @@ prepare("SELECT students.firstname, students.lastname, students.id, projects.projectnumber, @@ -91,7 +91,8 @@ AND students.year='".$config['FAIRYEAR']."' ORDER BY projectnumber "); - echo mysql_error(); + $sq->execute(); + echo $pdo->errorInfo(); echo "
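Review bot: The per-project student query `$sq` prepared in the preceding hunk is never executed: this hunk only swaps the `mysql_error()` echo for `echo $pdo->errorInfo();`, and the unchanged lines between the two hunks cannot hold an execute() call because the diff would show it as an addition. `$sq->fetch()` on an unexecuted statement returns false, so the student loop and every per-student statistic it accumulates are silently skipped. Add `$sq->execute();` before the echo. The enclosing loop starts and ends outside the hunk.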
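Review bot: The consent UPDATE at `$stmt = $pdo->prepare("UPDATE students SET webfirst=...` is prepared but never executed: the hunk's line counts are unchanged (`-45,7 +45,7`), so no `$stmt->execute()` was added here, and the next hunk in this file starts at line 71, so nothing in between can execute it either; the web-consent flags are therefore never written. Add `$stmt->execute();` after the statement's closing `");`. The enclosing loop starts before and ends after the hunk.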
"; echo ""; @@ -102,7 +103,7 @@ echo " "; echo " "; echo ""; - while($r=mysql_fetch_object($sq)) + while($r=$sq->fetch(PDO::FETCH_OBJ)) { echo ""; echo ""; diff --git a/admin/reports.inc.php b/admin/reports.inc.php index 4e0665ef..d9825f33 100644 --- a/admin/reports.inc.php +++ b/admin/reports.inc.php @@ -345,9 +345,10 @@ foreach($report_stock as $n=>$v) { $allow_fields = array_keys($$fieldvar); /* First delete all existing fields */ - mysql_query("DELETE FROM reports_items + $stmt = $pdo->prepare("DELETE FROM reports_items WHERE `reports_id`='{$report['id']}' AND `type`='$type'"); + $stmt->execute(); /* Now add new ones */ if(count($report[$type]) == 0) return; @@ -357,12 +358,12 @@ foreach($report_stock as $n=>$v) { foreach($report[$type] as $k=>$v) { if($type == 'option') { /* field, value, x, y, w, h, lines, face, align, valign, fn, fs, fsize, overflow */ - $vals = "'".mysql_real_escape_string($k)."','".mysql_real_escape_string($v)."','0','0','0','0','0','','','','','','0','truncate'"; + $vals = "'".$k."','".$v."','0','0','0','0','0','','','','','','0','truncate'"; } else { if($v['lines'] == 0) $v['lines'] =1; $fs = is_array($v['fontstyle']) ? implode(',',$v['fontstyle']) : ''; $opts = "{$v['align']} {$v['valign']}"; - $vals = "'{$v['field']}','".mysql_real_escape_string($v['value'])."', + $vals = "'{$v['field']}','".$v['value']."', '{$v['x']}','{$v['y']}','{$v['w']}', '{$v['h']}','{$v['lines']}','{$v['face']}', '$opts','{$v['valign']}', @@ -374,13 +375,14 @@ foreach($report_stock as $n=>$v) { $x++; } - mysql_query("INSERT INTO reports_items(`reports_id`,`type`,`ord`, + $stmt = $pdo->prepare("INSERT INTO reports_items(`reports_id`,`type`,`ord`, `field`,`value`,`x`, `y`, `w`, `h`, `lines`, `face`, `align`,`valign`, `fontname`,`fontstyle`,`fontsize`,`on_overflow`) VALUES $q;"); - echo mysql_error(); + $stmt->execute(); + echo $pdo->erroInfo(); } 
@@ -394,8 +396,9 @@ foreach($report_stock as $n=>$v) { $report = array(); - $q = mysql_query("SELECT * FROM reports WHERE id='$report_id'"); - $r = mysql_fetch_assoc($q); + $q = $pdo->prepare("SELECT * FROM reports WHERE id='$report_id'"); + $q->execute(); + $r = $q->fetch(PDO::FETCH_ASSOC); $report['name'] = $r['name']; $report['id'] = $r['id']; $report['system_report_id'] = $r['system_report_id']; @@ -417,14 +420,15 @@ foreach($report_stock as $n=>$v) { else $allow_fields=array(); - $q = mysql_query("SELECT * FROM reports_items + $q = $pdo->prepare("SELECT * FROM reports_items WHERE reports_id='{$report['id']}' ORDER BY `ord`"); - print(mysql_error()); + $q->execute(); + print($pdo->erroInfo()); - if(mysql_num_rows($q) == 0) return $report; + if($q->rowCount() == 0) return $report; - while($a = mysql_fetch_assoc($q)) { + while($a = $q->fetch(PDO::FETCH_ASSOC)) { $f = $a['field']; $t = $a['type']; switch($t) { @@ -472,13 +476,15 @@ foreach($report_stock as $n=>$v) { { if($report['id'] == 0) { /* New report */ - mysql_query("INSERT INTO reports (`id`) VALUES ('')"); - $report['id'] = mysql_insert_id(); + $stmt = $pdo->prepare("INSERT INTO reports (`id`) VALUES ('')"); + $stmt->execute(); + $report['id'] = $pdo->lastInsertId(); } else { /* if the report['id'] is not zero, see if this is a * systeim report before doing anything. */ - $q = mysql_query("SELECT system_report_id FROM reports WHERE id='{$report['id']}'"); - $i = mysql_fetch_assoc($q); + $q = $pdo->prepare("SELECT system_report_id FROM reports WHERE id='{$report['id']}'"); + $q->execute(); + $i = $q->fetch(PDO::FETCH_ASSOC); if(intval($i['system_report_id']) != 0) { /* This is a system report, the editor (should) * properly setup the editor pages so that the user 
@@ -497,12 +503,13 @@ foreach($report_stock as $n=>$v) { print(""); */ - mysql_query("UPDATE reports SET - `name`='".mysql_escape_string($report['name'])."', - `desc`='".mysql_escape_string($report['desc'])."', - `creator`='".mysql_escape_string($report['creator'])."', - `type`='".mysql_escape_string($report['type'])."' + $stmt = $pdo->prepare("UPDATE reports SET + `name`='".$report['name']."', + `desc`='".$report['desc']."', + `creator`='".$report['creator']."', + `type`='".$report['type']."' WHERE `id`={$report['id']}"); + $stmt->execute(); report_save_field($report, 'col', $report['loc']); report_save_field($report, 'group', array()); @@ -516,9 +523,9 @@ foreach($report_stock as $n=>$v) { function report_load_all() { $ret = array(); - $q = mysql_query("SELECT * FROM reports ORDER BY `name`"); + $q = $pdo->prepare("SELECT * FROM reports ORDER BY `name`"); - while($r = mysql_fetch_assoc($q)) { + while($r = $q->fetch(PDO::FETCH_ASSOC)) { $report = array(); $report['name'] = $r['name']; $report['id'] = $r['id']; @@ -535,8 +542,9 @@ foreach($report_stock as $n=>$v) { $r = intval($report_id); /* if the report['id'] is not zero, see if this is a * systeim report before doing anything. */ - $q = mysql_query("SELECT system_report_id FROM reports WHERE id='$r'"); - $i = mysql_fetch_assoc($q); + $q = $pdo->prepare("SELECT system_report_id FROM reports WHERE id='$r'"); + $q->execute(); + $i = $q->fetch(PDO::FETCH_ASSOC); if(intval($i['system_report_id']) != 0) { /* This is a system report, the editor (should) * properly setup the editor pages so that the user 
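Review bot: report_load_all() prepares its `SELECT * FROM reports` query but never executes it, so `$q->fetch(PDO::FETCH_ASSOC)` returns false on the first iteration and the function always returns an empty array. Add `$q->execute();` directly after the prepare, as the other loaders in this file do. The function body continues past the hunk.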
@@ -546,9 +554,11 @@ foreach($report_stock as $n=>$v) { echo "ERROR: attempt to delete a system report (reports.id=$r)"; exit; } - mysql_query("DELETE FROM reports WHERE `id`=$r"); - mysql_query("DELETE FROM reports_items WHERE `reports_id`=$r"); - } + $stmt = $pdo->prepare("DELETE FROM reports WHERE `id`=$r"); + $stmt->execute(); + $stmt = $pdo->prepare("DELETE FROM reports_items WHERE `reports_id`=$r"); + $stmt->execute();} + function report_gen($report) { @@ -792,7 +802,8 @@ foreach($report['col'] as $v) $q = call_user_func_array($func, array($report, $components)); $q = "SELECT $sel $q $filter_query $group_query ORDER BY $order"; - $r = mysql_query($q); + $r = $pdo->prepare($q); + $r->execute(); // print_r($report); // print_r($report['filter']); @@ -807,18 +818,18 @@ foreach($report['col'] as $v) a bug report so we can get this fixed.
"; echo "
";
 		echo "Query: [$q]
"; - echo "Error: [".mysql_error()."]
"; + echo "Error: [".$pdo->erroInfo()."]
"; echo "
"; exit; } - echo mysql_error(); + echo $pdo->erroInfo(); $ncols = count($report['col']); $n_groups = count($report['group']); $last_group_data = array(); // echo "
";print_r($rep);
-	while($i = mysql_fetch_assoc($r)) {
+	while($i = $r->fetch(PDO::FETCH_ASSOC)) {
 		
 		if($n_groups > 0) {
 			$group_change = false;
diff --git a/admin/reports.php b/admin/reports.php
index 617e3e2e..9cab0b5e 100644
--- a/admin/reports.php
+++ b/admin/reports.php
@@ -35,8 +35,9 @@ $option_keys = array('type','stock');
 switch($_GET['action']) {
 case 'remove_report':
  	$id = intval($_GET['id']);
-	mysql_query("DELETE FROM reports_committee WHERE
+	$stmt = $pdo->prepare("DELETE FROM reports_committee WHERE
 			users_id='{$_SESSION['users_uid']}' AND id='$id'");
+	$stmt->execute();
 	happy_('Report successfully removed');
 	exit;
 case 'reload':
@@ -60,16 +61,17 @@ case 'load_report':
 		$ret['name'] = $report['name'];
 		$ret['category'] = '';
 	} else {
-		$q = mysql_query("SELECT * FROM reports_committee WHERE id='$id'");
-		$ret = mysql_fetch_assoc($q);
+		$q = $pdo->prepare("SELECT * FROM reports_committee WHERE id='$id'");
+		$ret = $q->fetch(PDO::FETCH_ASSOC);
 		$ret['type'] = $ret['format'];
 	}
 
 	/* Load available categories */
-	$q = mysql_query("SELECT DISTINCT category FROM reports_committee
+	$q = $pdo->prepare("SELECT DISTINCT category FROM reports_committee
  			WHERE users_id='{$_SESSION['users_uid']}'
 			ORDER BY category");
-	while($i = mysql_fetch_object($q))
+	$q->execute();
+	while($i = $q->fetch(PDO::FETCH_OBJ))
 		$ret['cat'][] = $i->category;
 	echo json_encode($ret);
 	exit;
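Review bot: In the `load_report` branch, `$ret = $q->fetch(PDO::FETCH_ASSOC);` runs on a statement that was prepared but never executed, so `$ret` is false and the following `$ret['type'] = $ret['format'];` line operates on a non-array. Insert `$q->execute();` between the prepare and the fetch, as the categories query a few lines below does. The `switch` case starts before this hunk.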
@@ -81,19 +83,20 @@ case 'save':
  	$reports_id = intval($_POST['reports_id']);
 	if($id == -1) {
 		/* New entry */
-		mysql_query("INSERT INTO `reports_committee` (`users_id`,`reports_id`) 
+		$stmt = $pdo->prepare("INSERT INTO `reports_committee` (`users_id`,`reports_id`) 
 			VALUES('{$_SESSION['users_uid']}','$reports_id');");
-		echo mysql_error();
-		$id = mysql_insert_id();
+		$stmt->execute();
+		echo $pdo->errorInfo();
+		$id = $pdo->lastInsertId();
 	}
 
 	/* Update entry */
 	$category = $_POST['category'];
 	$category_exist = $_POST['category_exist'];
-	$comment = mysql_real_escape_string(stripslashes($_POST['comment']));
+	$comment = stripslashes($_POST['comment']);
 
 	if($category_exist != '') $category = $category_exist;
-	$category = mysql_real_escape_string(stripslashes(trim($category)));
+	$category = stripslashes(trim($category));
 
 	if($category == '') $category = 'default';
 
@@ -115,12 +118,13 @@ case 'save':
 		$stock = '';
 	}
 
-	mysql_query("UPDATE `reports_committee` SET
+	$stmt = $pdo->prepare("UPDATE `reports_committee` SET
 			`category`='$category',
 			`comment`='$comment',
 			`format`='$type',
 			`stock`='$stock'
 			WHERE id='$id'");
+	$stmt->execute();
 	happy_("Saved");
 	exit;
  }
@@ -237,20 +241,21 @@ $(document).ready(function() {
 prepare("SELECT reports_committee.*,reports.name
  			FROM reports_committee 
 				LEFT JOIN reports ON reports.id=reports_committee.reports_id
  			WHERE users_id='{$_SESSION['users_uid']}'
 			ORDER BY category,id");
- echo mysql_error();
- if(mysql_num_rows($q) == 0) {
+$q->execute();
+ echo $pdo->errorInfo();
+ if($q->rowCount()== 0) {
  	echo i18n('You have no reports saved');
  } else {
 
 	$last_category = '';
 	$x=0;
 	echo "
".i18n("Last")."".i18n("Photo")."
$r->projectnumberid\" type=\"hidden\" name=\"changed[$r->id]\" value=\"0\">
"; - while($i = mysql_fetch_object($q)) { + while($i = $q->fetch(PDO::FETCH_OBJ)) { $x++; if($last_category != $i->category) { /* New category */ diff --git a/admin/reports_acscript.php b/admin/reports_acscript.php index 0bc9c157..656bc915 100644 --- a/admin/reports_acscript.php +++ b/admin/reports_acscript.php @@ -9,7 +9,7 @@ else $foryear=$config['FAIRYEAR']; if($_GET['awardtype']=="All") $awardtype=""; - else if($_GET['awardtype']) $awardtype=" AND award_types.type='".mysql_escape_string($_GET['awardtype'])."'"; + else if($_GET['awardtype']) $awardtype=" AND award_types.type='".$_GET['awardtype']."'"; else $awardtype=""; if($_GET['show_unawarded_awards']=="on") $show_unawarded_awards="yes"; @@ -56,7 +56,7 @@ if(!$scriptformat) $scriptformat="default"; else if($type=="csv") { $rep=new lcsv(i18n("Awards Ceremony Script")); } - $q=mysql_query("SELECT + $q=$pdo->prepare("SELECT award_awards.id, award_awards.name, award_awards.presenter, @@ -77,18 +77,19 @@ if(!$scriptformat) $scriptformat="default"; AND award_awards.excludefromac='0' $awardtype ORDER BY awards_order"); + $q->execute(); - echo mysql_error(); + echo $pdo->errorInfo(); // echo "
";
-	if(!mysql_num_rows($q)) {
+	if(!$q->rowCount()) {
 		$rep->output();
 		exit;
 	}
 	$awards = array();
 
-	while($r=mysql_fetch_object($q)) {
+	while($r=$q->fetch(PDO::FETCH_OBJ)) {
 
-		$pq=mysql_query("SELECT 
+		$pq=$pdo->prepare("SELECT 
 						award_prizes.prize,
 						award_prizes.number,
 						award_prizes.id,
@@ -111,11 +112,12 @@ if(!$scriptformat) $scriptformat="default";
 					ORDER BY 
 						`order`,
 						projects.projectnumber");
-					echo mysql_error();
+		$pq->execute();
+					echo $pdo->errorInfo();
 
 		$r->winners = array();
 		$r->awarded_count = 0;
-		while($w = mysql_fetch_object($pq)) {
+		while($w = $pq->fetch(PDO::FETCH_OBJ)) {
 			if($w->projects_id)
 			{
 				$r->awarded_count++;
@@ -229,7 +231,7 @@ if(!$scriptformat) $scriptformat="default";
 						if($scriptformat=="default") 
 							$rep->addText( "    ($pr->projectnumber) $pr->title");
 
-						$sq=mysql_query("SELECT students.firstname,
+						$sq=$pdo->prepare("SELECT students.firstname,
 									students.lastname,
 									students.pronunciation,
 									students.schools_id,
@@ -241,12 +243,13 @@ if(!$scriptformat) $scriptformat="default";
 									students.registrations_id='$pr->reg_id'
 									AND students.schools_id=schools.id
 								");
+						$sq->execute();
 	
 						$students="       Students: ";
 						$studnum=0;
 						$pronounce = "";
 						$rawpronounce = "";
-						while($studentinfo=mysql_fetch_object($sq)) {
+						while($studentinfo=$sq->fetch(PDO::FETCH_OBJ)) {
 							if($studnum>0) $students.=", ";
 							$students.="$studentinfo->firstname $studentinfo->lastname";
 
diff --git a/admin/reports_appeal_letters.php b/admin/reports_appeal_letters.php
index 5c181a97..0d79d48b 100644
--- a/admin/reports_appeal_letters.php
+++ b/admin/reports_appeal_letters.php
@@ -30,7 +30,7 @@ require_once('../tcpdf/tcpdf_sfiab_config.php');
 require_once('../tcpdf/tcpdf.php');
 
 $fcid = intval($_GET['fundraising_campaigns_id']);
-$key = mysql_real_escape_string($_GET['key']);
+$key = $_GET['key'];
 
 /* Start an output PDF */
 $pdf = new TCPDF(PDF_PAGE_ORIENTATION, PDF_UNIT, PDF_PAGE_FORMAT, true, 'UTF-8', false);
@@ -69,16 +69,17 @@ $pdf->setImageScale(PDF_IMAGE_SCALE_RATIO);
 
 /* Load the users */
 $users = array();
-$q = mysql_query("SELECT * FROM fundraising_campaigns_users_link WHERE fundraising_campaigns_id='$fcid'");
-while($l = mysql_fetch_assoc($q)) {
+$q = $pdo->prepare("SELECT * FROM fundraising_campaigns_users_link WHERE fundraising_campaigns_id='$fcid'");
+while($l = $q->fetch(PDO::FETCH_ASSOC))) {
 	$uid = $l['users_uid'];
 	$users[$uid] = user_load_by_uid($uid);
 }
 
 /* Grab all the emails */
-$q = mysql_query("SELECT * FROM emails WHERE fundraising_campaigns_id='$fcid' AND val='$key'");
+$q = $pdo->prepare("SELECT * FROM emails WHERE fundraising_campaigns_id='$fcid' AND val='$key'");
+$q->execute();
 
-while($e = mysql_fetch_assoc($q)) {
+while($e = $q->fetch(PDO::FETCH_ASSOC))) {
 
 	foreach($users as $uid=>&$u) {
 	 	$subject = communication_replace_vars($e['subject'], $u);
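Review bot: Both `while` conditions in this hunk carry one closing parenthesis too many — `while($l = $q->fetch(PDO::FETCH_ASSOC))) {` at L238 and again at L249 — which is a parse error for the whole file, and the users query at L237 is prepared but never executed, so `$users` would stay empty even once it parses. Change both conditions to `while($l = $q->fetch(PDO::FETCH_ASSOC)) {` and add `$q->execute();` after the first prepare, mirroring L246. The foreach loop at the end continues outside the hunk.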
diff --git a/admin/reports_ceremony.php b/admin/reports_ceremony.php
index 573f4557..b0c6da6f 100644
--- a/admin/reports_ceremony.php
+++ b/admin/reports_ceremony.php
@@ -38,10 +38,11 @@
  echo "
"; @@ -60,9 +61,10 @@ echo ""; //list award subsets to output echo ""; @@ -92,8 +94,9 @@ echo ""; echo "prepare("SELECT * FROM reports_committee WHERE users_id='{$_SESSION['users_uid']}' AND reports_id='{$report['id']}'"); - if(mysql_num_rows($q) > 0) { - $i = mysql_fetch_assoc($q); + $q->execute(); + if($q->rowCount() > 0) { + $i = $q->fetch(PDO::FETCH_ASSOC); ?> @@ -125,10 +127,11 @@ case 'dialog_gen': echo "\n"; } /* Find all the years */ - $q = mysql_query("SELECT DISTINCT year FROM config WHERE year>1000 ORDER BY year DESC"); + $q = $pdo->prepare("SELECT DISTINCT year FROM config WHERE year>1000 ORDER BY year DESC"); + $q->execute(); echo ""; echo "'; /* See if the report is in this committee member's list */ - $q = mysql_query("SELECT * FROM reports_committee + $q = $pdo->prepare("SELECT * FROM reports_committee WHERE users_id='{$_SESSION['users_uid']}' AND reports_id='{$report['id']}'"); + $q->execute(); echo ""; - if(mysql_num_rows($q) > 0) { + if($q->rowCount() > 0) { /* Yes, it is */ - $i = mysql_fetch_object($q); + $i = $q->fetch(PDO::FETCH_OBJ); echo ""; echo ""; echo ""; @@ -249,10 +253,11 @@ case 'dialog_gen': echo ""; } /* Find all the years */ - $q = mysql_query("SELECT DISTINCT year FROM config WHERE year>1000 ORDER BY year DESC"); + $q = $pdo->prepare("SELECT DISTINCT year FROM config WHERE year>1000 ORDER BY year DESC"); + $q->execute(); echo ""; echo "
".i18n("Year").":"; //get the year information, use fairname since it should be there for all years[right?] - $results = mysql_query("SELECT year FROM config WHERE var='fairname' AND year > 0 ORDER BY year DESC"); + $results = $pdo->prepare("SELECT year FROM config WHERE var='fairname' AND year > 0 ORDER BY year DESC"); + $results->execute(); echo "
".i18n("Award Type").":
".i18n("Include the following age categories").":"; - $q=mysql_query("SELECT * FROM projectcategories WHERE year='{$config['FAIRYEAR']}' ORDER BY id"); - while($r=mysql_fetch_object($q)) { + $q=$pdo->prepare("SELECT * FROM projectcategories WHERE year='{$config['FAIRYEAR']}' ORDER BY id"); + $q->execute(); + while($r=$q->fetch(PDO::FETCH_OBJ)) { echo "id}]\" type=\"checkbox\" checked=\"checked\" />"; echo "".i18n($r->category)."
"; } diff --git a/admin/reports_editor.php b/admin/reports_editor.php index 349a7d71..b4830c8c 100644 --- a/admin/reports_editor.php +++ b/admin/reports_editor.php @@ -323,13 +323,14 @@ function createDataTCPDF(x,y,w,h,align,valign,fontname,fontstyle,fontsize,value) if($repaction == 'export') { echo "
";
-	$q = mysql_query("SELECT system_report_id FROM reports WHERE 1 ORDER BY system_report_id DESC");
-	$r = mysql_fetch_assoc($q);
+	$q = $pdo->prepare("SELECT system_report_id FROM reports WHERE 1 ORDER BY system_report_id DESC");
+	$q->execute();
+	$r = $q->fetch(PDO::FETCH_ASSOC);
 	$sid = $r['system_report_id'] + 1;
-	$n = mysql_escape_string($report['name']);
-	$c = mysql_escape_string($report['creator']);
-	$d = mysql_escape_string($report['desc']);
-	$t = mysql_escape_string($report['type']);
+	$n = $report['name'];
+	$c = $report['creator'];
+	$d = $report['desc'];
+	$t = $report['type'];
 
  	echo "INSERT INTO `reports` (`id`, `system_report_id`, `name`, `desc`, `creator`, `type`) VALUES\n";
 	echo "\t('', '$sid', '$n', '$d', '$c', '$t');\n";
@@ -339,7 +340,7 @@ function createDataTCPDF(x,y,w,h,align,valign,fontname,fontstyle,fontsize,value)
 	/* Do the options */
 	$x = 0;
 	foreach($report['option'] as $k=>$v) {
-		echo "\n\t('', LAST_INSERT_ID(), 'option', $x, '$k', '".mysql_real_escape_string($v)."', 0, 0, 0, 0, 0, '', ''),";
+		echo "\n\t('', LAST_INSERT_ID(), 'option', $x, '$k', '".$v."', 0, 0, 0, 0, 0, '', ''),";
 		$x++;
 	}
 	/* Do the fields */
@@ -356,7 +357,7 @@ function createDataTCPDF(x,y,w,h,align,valign,fontname,fontstyle,fontsize,value)
 			if($vlines == 0) $vlines = 1;
 			$face = $v['face'];
 			$align = $v['align']. ' ' . $v['valign'];
-			$value=mysql_escape_string(stripslashes($v['value']));
+			$value= stripslashes($v['value']);
 			if(!$first) echo ',';
 			$first = false;
 			echo "\n\t('', LAST_INSERT_ID(), '$f', $x, '$k', '$value', $vx, $vy, $vw, $vh, $vlines, '$face', '$align')";
diff --git a/admin/reports_gen.php b/admin/reports_gen.php
index 48857cb7..e02ab843 100644
--- a/admin/reports_gen.php
+++ b/admin/reports_gen.php
@@ -39,8 +39,9 @@
  /* If it's a system report, turn that into the actual report id */
  if(array_key_exists('sid', $_GET)) {
  	$sid = intval($_GET['sid']);
- 	$q = mysql_query("SELECT id FROM reports WHERE system_report_id='$sid'");
-	$r = mysql_fetch_assoc($q);
+ 	$q = $pdo->prepare("SELECT id FROM reports WHERE system_report_id='$sid'");
+	$q->execute();
+	$r = $q->fetch(PDO::FETCH_OBJ);
 	$id = $r['id'];
  }
  
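Review bot: `$r = $q->fetch(PDO::FETCH_OBJ);` followed by `$id = $r['id'];` applies array access to a stdClass object, which throws an Error in current PHP (and yielded null in older versions), so a system-report id never resolves to a report id. The removed line used an associative fetch; use `$r = $q->fetch(PDO::FETCH_ASSOC);` or read `$r->id`. The enclosing `if` block is fully inside the hunk.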
@@ -88,11 +89,12 @@ case 'dialog_gen':
 	

".i18n('Year').":

".i18n('My Reports Info')."

".i18n('Category').":{$i->category}
".i18n('Comment').":
".i18n('Year').":"; echo ""; - while($r=mysql_fetch_object($q)) + while($r=$q->fetch(PDO::fETCH_OBJ)) { if($r->id == $sponsors_id) { @@ -73,7 +74,7 @@ if($p == 'no') { /* Make sure this sponsor ($sponsors_id) has a primary */ - $q = mysql_query("SELECT users_id + $q = $pdo->prepare("SELECT users_id FROM users_sponsor, users WHERE users_sponsor.users_id=users.id @@ -81,14 +82,16 @@ AND `primary`='yes' AND year='".$config['FAIRYEAR']."' AND users_id!='$id'"); - if(mysql_num_rows($q) == 0) { + $q->execute(); + if($q->rowCount() == 0) { /* This must be the primary */ $p = 'yes'; } } else { /* Unset all other primaries */ - mysql_query("UPDATE users_sponsor SET `primary`='no' + $stmt = $pdo->prepare("UPDATE users_sponsor SET `primary`='no' WHERE sponsors_id='$sponsors_id'"); + $stmt->execute(); } $u['primary']=$p; @@ -125,7 +128,7 @@ echo "

".i18n("Edit %1 Contact",array($sponsors_organization))."

\n"; $buttontext="Save Contact"; // $q=mysql_query("SELECT * FROM sponsor_contacts WHERE id='".$_GET['edit']."'"); -// $r=mysql_fetch_object($q); +// $r=$q->fetch(PDO::fETCH_OBJ); $u=user_load(intval($_GET['edit'])); } else if($_GET['action']=="add") @@ -171,14 +174,15 @@ echo "".i18n("Add New Contact to %1",array($sponsors_organization))."\n"; echo "
"; - $q=mysql_query("SELECT * FROM users LEFT JOIN users_sponsor ON users_sponsor.users_id=users.id + $q=$pdo->prepare("SELECT * FROM users LEFT JOIN users_sponsor ON users_sponsor.users_id=users.id WHERE year='".$config['FAIRYEAR']."' AND sponsors_id='$sponsors_id' AND deleted='no' ORDER BY lastname,firstname"); - echo mysql_Error(); + $q->execute(); + echo $pdo->errorInfo(); - if(mysql_num_rows($q)) + if($q->rowCount()) { echo ""; echo ""; @@ -191,7 +195,7 @@ echo "\n"; - while($r=mysql_fetch_object($q)) + while($r=$q->fetch(PDO::fETCH_OBJ)) { echo "\n"; echo "
"; diff --git a/admin/student_editor.php b/admin/student_editor.php index 47a711e5..e8a90bc0 100644 --- a/admin/student_editor.php +++ b/admin/student_editor.php @@ -38,11 +38,12 @@ if($auth_type == 'fair') { } else { /* Make sure they have permission to laod this student, check the master copy of the fairs_id in the project */ - $q=mysql_query("SELECT * FROM projects WHERE + $q=$pdo->prepare("SELECT * FROM projects WHERE registrations_id='$registrations_id' AND year='{$config['FAIRYEAR']}' AND fairs_id=$fairs_id"); - if(mysql_num_rows($q) != 1) { + $q->execute(); + if($q->rowCount() != 1) { echo "permission denied."; exit; } 
@@ -70,20 +71,53 @@ case 'students_save': case 'student_remove': $remove_id = intval($_GET['students_id']); - $q=mysql_query("SELECT id FROM students WHERE id='$remove_id' AND registrations_id='$registrations_id'"); - if(mysql_num_rows($q)!=1) { + $q=$pdo->prepare("SELECT id FROM students WHERE id='$remove_id' AND registrations_id='$registrations_id'"); + $q->execute(); + if($q->rowCount()!=1) { + error_("Invalid student to remove"); + exit; + } + if($q->rowCount()!=1) { error_("Invalid student to remove"); exit; } - mysql_query("DELETE FROM students WHERE id='$remove_id' AND registrations_id='$registrations_id'"); + $stmt = $pdo->prepare("DELETE FROM students WHERE id='$remove_id' AND registrations_id='$registrations_id'"); + $stmt->execute(); //now see if they have an emergency contact that also needs to be removed - $q=mysql_query("SELECT id FROM emergencycontact WHERE students_id='$remove_id' AND registrations_id='$registrations_id' AND year='{$config['FAIRYEAR']}'"); + $q=$pdo->prepare("SELECT id FROM emergencycontact WHERE students_id='$remove_id' AND registrations_id='$registrations_id' AND year='{$config['FAIRYEAR']}'"); + $q->execute(); //no need to error message if this doesnt exist - if(mysql_num_rows($q)==1) - mysql_query("DELETE FROM emergencycontact WHERE students_id='$remove_id' AND registrations_id='$registrations_id' AND year='{$config['FAIRYEAR']}'"); + if($q->rowCount()==1) + $stmt = $do->prepare("DELETE FROM emergencycontact WHERE students_id='$remove_id' AND registrations_id='$registrations_id' AND year='{$config['FAIRYEAR']}'"); + $stmt->execute(); + if($q->rowCount()!=1) { + error_("Invalid student to remove"); + exit; + } + $stmt = $pdo->prepare("DELETE FROM students WHERE id='$remove_id' AND registrations_id='$registrations_id'"); + $stmt->execute(); + + //now see if they have an emergency contact that also needs to be removed + $q=$pdo->prepare("SELECT id FROM emergencycontact WHERE students_id='$remove_id' AND 
registrations_id='$registrations_id' AND year='{$config['FAIRYEAR']}'"); + $q->execute(); + //no need to error message if this doesnt exist + if($q->rowCount()==1) + $stmt = $do->prepare("DELETE FROM emergencycontact WHERE students_id='$remove_id' AND registrations_id='$registrations_id' AND year='{$config['FAIRYEAR']}'"); + $stmt->execute(); + + $stmt = $pdo->prepare("DELETE FROM students WHERE id='$remove_id' AND registrations_id='$registrations_id'"); + $stmt->execute(); + + //now see if they have an emergency contact that also needs to be removed + $q=$pdo->prepare("SELECT id FROM emergencycontact WHERE students_id='$remove_id' AND registrations_id='$registrations_id' AND year='{$config['FAIRYEAR']}'"); + $q->execute(); + //no need to error message if this doesnt exist + if($q->rowCount()==1) + $stmt = $do->prepare("DELETE FROM emergencycontact WHERE students_id='$remove_id' AND registrations_id='$registrations_id' AND year='{$config['FAIRYEAR']}'"); + $stmt->execute(); happy_("Student successfully removed"); exit; 
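Review bot: The `student_remove` case now contains the check-then-delete sequence three times (the `if($q->rowCount()!=1)` guard, the `DELETE FROM students` and the emergencycontact lookup are each repeated), and the emergencycontact DELETE is prepared on `$do`, a variable that is never assigned, so it throws `Error: Call to a member function prepare() on null` whenever a contact row exists. Because that `if($q->rowCount()==1)` has no braces, the `$stmt->execute()` after it also runs unconditionally and re-executes whatever statement `$stmt` last held. The block should collapse to one guarded check and two bound DELETEs; deleting the emergency contact directly removes the need for its SELECT, since a DELETE that matches no row is a no-op, and the guard uses `count($q->fetchAll())` so it does not rely on `rowCount()` for a SELECT. The enclosing `switch` opens outside the hunk.
```php
case 'student_remove':
    $remove_id = intval($_GET['students_id']);
    $q=$pdo->prepare("SELECT id FROM students WHERE id=? AND registrations_id=?");
    $q->execute(array($remove_id, $registrations_id));
    if(count($q->fetchAll())!=1) {
        error_("Invalid student to remove");
        exit;
    }
    $stmt = $pdo->prepare("DELETE FROM students WHERE id=? AND registrations_id=?");
    $stmt->execute(array($remove_id, $registrations_id));

    //remove their emergency contact as well; no error needed if none exists,
    //a DELETE that matches no row is a no-op
    $stmt = $pdo->prepare("DELETE FROM emergencycontact WHERE students_id=? AND registrations_id=? AND year=?");
    $stmt->execute(array($remove_id, $registrations_id, $config['FAIRYEAR']));
    // … unchanged: happy_("Student successfully removed"); exit; …
```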
@@ -105,34 +139,35 @@ function students_save() if($_POST['id'][$x]==0) { //if they use schoolpassword or singlepassword, then we need to set the school based on the school stored in the registration record. for anything else they can school the school on their own. if($config['participant_registration_type']=="schoolpassword" || $config['participant_registration_type']=="invite") { - $q=mysql_query("SELECT schools_id FROM registrations WHERE id='$registrations_id' AND YEAR='{$config['FAIRYEAR']}'"); - $r=mysql_fetch_object($q); + $q=$pdo->prepare("SELECT schools_id FROM registrations WHERE id='$registrations_id' AND YEAR='{$config['FAIRYEAR']}'"); + $q->execute(); + $r=$q->fetch(PDO::FETCH_OBJ); $schools_id=$r->schools_id; $schoolvalue="'$schools_id', "; } else { - $schoolvalue="'".mysql_escape_string(stripslashes($_POST['schools_id'][$x]))."', "; + $schoolvalue="'".stripslashes($_POST['schools_id'][$x])."', "; } //INSERT new record $dob=$_POST['year'][$x]."-".$_POST['month'][$x]."-".$_POST['day'][$x]; - mysql_query("INSERT INTO students (registrations_id,firstname,lastname,sex,email,address,city,province,postalcode,phone,dateofbirth,grade,schools_id,tshirt,medicalalert,foodreq,teachername,teacheremail,year) VALUES (". + $stmt -> prepare("INSERT INTO students (registrations_id,firstname,lastname,sex,email,address,city,province,postalcode,phone,dateofbirth,grade,schools_id,tshirt,medicalalert,foodreq,teachername,teacheremail,year) VALUES (". "'".$registrations_id."', ". - "'".mysql_escape_string(iconv("UTF-8","ISO-8859-1//TRANSLIT",stripslashes($_POST['firstname'][$x])))."', ". - "'".mysql_escape_string(iconv("UTF-8","ISO-8859-1//TRANSLIT",stripslashes($_POST['lastname'][$x])))."', ". - "'".mysql_escape_string(stripslashes($_POST['sex'][$x]))."', ". - "'".mysql_escape_string(iconv("UTF-8","ISO-8859-1//TRANSLIT",stripslashes($_POST['email'][$x])))."', ". - "'".mysql_escape_string(iconv("UTF-8","ISO-8859-1//TRANSLIT",stripslashes($_POST['address'][$x])))."', ". 
- "'".mysql_escape_string(iconv("UTF-8","ISO-8859-1//TRANSLIT",stripslashes($_POST['city'][$x])))."', ". - "'".mysql_escape_string(iconv("UTF-8","ISO-8859-1//TRANSLIT",stripslashes($_POST['province'][$x])))."', ". - "'".mysql_escape_string(stripslashes($_POST['postalcode'][$x]))."', ". - "'".mysql_escape_string(stripslashes($_POST['phone'][$x]))."', ". + "'".iconv("UTF-8","ISO-8859-1//TRANSLIT",stripslashes($_POST['firstname'][$x]))."', ". + "'".iconv("UTF-8","ISO-8859-1//TRANSLIT",stripslashes($_POST['lastname'][$x]))."', ". + "'".stripslashes($_POST['sex'][$x])."', ". + "'".iconv("UTF-8","ISO-8859-1//TRANSLIT",stripslashes($_POST['email'][$x]))."', ". + "'".iconv("UTF-8","ISO-8859-1//TRANSLIT",stripslashes($_POST['address'][$x]))."', ". + "'".iconv("UTF-8","ISO-8859-1//TRANSLIT",stripslashes($_POST['city'][$x]))."', ". + "'".iconv("UTF-8","ISO-8859-1//TRANSLIT",stripslashes($_POST['province'][$x]))."', ". + "'".stripslashes($_POST['postalcode'][$x])."', ". + "'".stripslashes($_POST['phone'][$x])."', ". "'$dob', ". - "'".mysql_escape_string(stripslashes($_POST['grade'][$x]))."', ". + "'".stripslashes($_POST['grade'][$x])."', ". $schoolvalue. - "'".mysql_escape_string(stripslashes($_POST['tshirt'][$x]))."', ". - "'".mysql_escape_string(stripslashes($_POST['medicalalert'][$x]))."', ". - "'".mysql_escape_string(stripslashes($_POST['foodreq'][$x]))."', ". - "'".mysql_escape_string(iconv("UTF-8","ISO-8859-1//TRANSLIT",stripslashes($_POST['teachername'][$x])))."', ". - "'".mysql_escape_string(iconv("UTF-8","ISO-8859-1//TRANSLIT",stripslashes($_POST['teacheremail'][$x])))."', ". + "'".stripslashes($_POST['tshirt'][$x])."', ". + "'".stripslashes($_POST['medicalalert'][$x])."', ". + "'".stripslashes($_POST['foodreq'][$x])."', ". + "'".iconv("UTF-8","ISO-8859-1//TRANSLIT",stripslashes($_POST['teachername'][$x]))."', ". + "'".iconv("UTF-8","ISO-8859-1//TRANSLIT",stripslashes($_POST['teacheremail'][$x]))."', ". 
"'".$config['FAIRYEAR']."')"); happy_("%1 %2 successfully added",array($_POST['firstname'][$x],$_POST['lastname'][$x])); 
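Review bot: The INSERT never executes: `$stmt -> prepare(...)` is called on `$stmt`, which is not assigned anywhere before this line (it should be `$pdo->prepare`), and no `$stmt->execute()` follows, so `happy_("%1 %2 successfully added", ...)` reports success for a row that was never written. Separately, every `mysql_escape_string()` call was removed while the `$_POST` fields are still concatenated into the SQL string, so a quote in a name or address now breaks the statement and the column values are directly injectable — `prepare()` only protects values passed through placeholders. The rewrite below binds all nineteen columns and keeps the iconv/stripslashes handling; the same removal of escaping affects the UPDATE in the @@ -143 hunk. `students_save()` is declared outside the hunk, so also confirm `$pdo` is in its `global` list.
```php
if($config['participant_registration_type']=="schoolpassword" || $config['participant_registration_type']=="invite") {
    $q=$pdo->prepare("SELECT schools_id FROM registrations WHERE id=? AND YEAR=?");
    $q->execute(array($registrations_id, $config['FAIRYEAR']));
    $r=$q->fetch(PDO::FETCH_OBJ);
    $schools_id=$r->schools_id;
} else {
    $schools_id=stripslashes($_POST['schools_id'][$x]);
}
// … unchanged: $dob assembly …
$stmt = $pdo->prepare("INSERT INTO students (registrations_id,firstname,lastname,sex,email,address,city,province,postalcode,phone,dateofbirth,grade,schools_id,tshirt,medicalalert,foodreq,teachername,teacheremail,year) VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?)");
$stmt->execute(array(
    $registrations_id,
    iconv("UTF-8","ISO-8859-1//TRANSLIT",stripslashes($_POST['firstname'][$x])),
    iconv("UTF-8","ISO-8859-1//TRANSLIT",stripslashes($_POST['lastname'][$x])),
    stripslashes($_POST['sex'][$x]),
    iconv("UTF-8","ISO-8859-1//TRANSLIT",stripslashes($_POST['email'][$x])),
    iconv("UTF-8","ISO-8859-1//TRANSLIT",stripslashes($_POST['address'][$x])),
    iconv("UTF-8","ISO-8859-1//TRANSLIT",stripslashes($_POST['city'][$x])),
    iconv("UTF-8","ISO-8859-1//TRANSLIT",stripslashes($_POST['province'][$x])),
    stripslashes($_POST['postalcode'][$x]),
    stripslashes($_POST['phone'][$x]),
    $dob,
    stripslashes($_POST['grade'][$x]),
    $schools_id,
    stripslashes($_POST['tshirt'][$x]),
    stripslashes($_POST['medicalalert'][$x]),
    stripslashes($_POST['foodreq'][$x]),
    iconv("UTF-8","ISO-8859-1//TRANSLIT",stripslashes($_POST['teachername'][$x])),
    iconv("UTF-8","ISO-8859-1//TRANSLIT",stripslashes($_POST['teacheremail'][$x])),
    $config['FAIRYEAR'],
));
// … unchanged: happy_("%1 %2 successfully added", ...) …
```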
@@ -143,32 +178,33 @@ function students_save() if(( $config['participant_registration_type']=="schoolpassword" || $config['participant_registration_type']=="invite") && !$_POST['schools_id'][$x]) { $schoolquery=""; } else if($_POST['schools_id'][$x]) { - $schoolquery="schools_id='".mysql_escape_string(stripslashes($_POST['schools_id'][$x]))."', "; + $schoolquery="schools_id='".stripslashes($_POST['schools_id'][$x])."', "; } else $schoolquery=""; //UPDATE existing record $dob=$_POST['year'][$x]."-".$_POST['month'][$x]."-".$_POST['day'][$x]; - mysql_query("UPDATE students SET ". - "firstname='".mysql_escape_string(iconv("UTF-8","ISO-8859-1//TRANSLIT",stripslashes($_POST['firstname'][$x])))."', ". - "lastname='".mysql_escape_string(iconv("UTF-8","ISO-8859-1//TRANSLIT",stripslashes($_POST['lastname'][$x])))."', ". - "sex='".mysql_escape_string(stripslashes($_POST['sex'][$x]))."', ". - "email='".mysql_escape_string(iconv("UTF-8","ISO-8859-1//TRANSLIT",stripslashes($_POST['email'][$x])))."', ". - "address='".mysql_escape_string(iconv("UTF-8","ISO-8859-1//TRANSLIT",stripslashes($_POST['address'][$x])))."', ". - "city='".mysql_escape_string(iconv("UTF-8","ISO-8859-1//TRANSLIT",stripslashes($_POST['city'][$x])))."', ". - "province='".mysql_escape_string(iconv("UTF-8","ISO-8859-1//TRANSLIT",stripslashes($_POST['province'][$x])))."', ". - "postalcode='".mysql_escape_string(stripslashes($_POST['postalcode'][$x]))."', ". - "phone='".mysql_escape_string(stripslashes($_POST['phone'][$x]))."', ". + $stmt = $pdo->prepare("UPDATE students SET ". + "firstname='".iconv("UTF-8","ISO-8859-1//TRANSLIT",stripslashes($_POST['firstname'][$x]))."', ". + "lastname='".iconv("UTF-8","ISO-8859-1//TRANSLIT",stripslashes($_POST['lastname'][$x]))."', ". + "sex='".stripslashes($_POST['sex'][$x])."', ". + "email='".iconv("UTF-8","ISO-8859-1//TRANSLIT",stripslashes($_POST['email'][$x]))."', ". + "address='".iconv("UTF-8","ISO-8859-1//TRANSLIT",stripslashes($_POST['address'][$x]))."', ". 
+ "city='".iconv("UTF-8","ISO-8859-1//TRANSLIT",stripslashes($_POST['city'][$x]))."', ". + "province='".iconv("UTF-8","ISO-8859-1//TRANSLIT",stripslashes($_POST['province'][$x]))."', ". + "postalcode='".stripslashes($_POST['postalcode'][$x])."', ". + "phone='".stripslashes($_POST['phone'][$x])."', ". "dateofbirth='$dob', ". - "grade='".mysql_escape_string(stripslashes($_POST['grade'][$x]))."', ". + "grade='".stripslashes($_POST['grade'][$x])."', ". $schoolquery. - "medicalalert='".mysql_escape_string(iconv("UTF-8","ISO-8859-1//TRANSLIT",stripslashes($_POST['medicalalert'][$x])))."', ". - "foodreq='".mysql_escape_string(iconv("UTF-8","ISO-8859-1//TRANSLIT",stripslashes($_POST['foodreq'][$x])))."', ". - "teachername='".mysql_escape_string(iconv("UTF-8","ISO-8859-1//TRANSLIT",stripslashes($_POST['teachername'][$x])))."', ". - "teacheremail='".mysql_escape_string(iconv("UTF-8","ISO-8859-1//TRANSLIT",stripslashes($_POST['teacheremail'][$x])))."', ". - "tshirt='".mysql_escape_string(stripslashes($_POST['tshirt'][$x]))."' ". + "medicalalert='".iconv("UTF-8","ISO-8859-1//TRANSLIT",stripslashes($_POST['medicalalert'][$x]))."', ". + "foodreq='".iconv("UTF-8","ISO-8859-1//TRANSLIT",stripslashes($_POST['foodreq'][$x]))."', ". + "teachername='".iconv("UTF-8","ISO-8859-1//TRANSLIT",stripslashes($_POST['teachername'][$x]))."', ". + "teacheremail='".iconv("UTF-8","ISO-8859-1//TRANSLIT",stripslashes($_POST['teacheremail'][$x]))."', ". + "tshirt='".stripslashes($_POST['tshirt'][$x])."' ". "WHERE id='".$_POST['id'][$x]."'"); + $stmt->execute(); happy_("%1 %2 successfully updated",array(iconv("UTF-8","ISO-8859-1//TRANSLIT",$_POST['firstname'][$x]),iconv("UTF-8","ISO-8859-1//TRANSLIT",$_POST['lastname'][$x]))); } $x++; 
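Review bot: The UPDATE's `WHERE id='".$_POST['id'][$x]."'"` selects the row by a client-supplied id alone, with no `registrations_id` or year restriction, although the @@ -38 hunk confirms only that the caller may edit this registration; the write is therefore not tied to the registration that was authorised. Adding `AND registrations_id=?` to the WHERE clause, bound together with the other values, closes that gap. The removal of `mysql_escape_string()` in this hunk is the same regression as in the INSERT above and needs the same placeholder binding. `students_save()` is declared outside the hunk.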
@@ -181,12 +217,13 @@ function students_load() global $registrations_id, $config; //now query and display - $q=mysql_query("SELECT * FROM students WHERE + $q=$pdo->prepare("SELECT * FROM students WHERE registrations_id='$registrations_id' AND year='{$config['FAIRYEAR']}'"); - echo mysql_error(); + $q->execute(); + echo $pdo->errorInfo(); - $numfound=mysql_num_rows($q); + $numfound=$q->rowCount(); $numtoshow = intval($_GET['numstudents']); if($numtoshow == 0) $numtoshow=$numfound; @@ -208,7 +245,7 @@ function students_load() echo ""; for($x=1;$x<=$numtoshow;$x++) { - $studentinfo=mysql_fetch_object($q); + $studentinfo=$q->fetch(PDO::FETCH_OBJ); echo "
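Review bot: `students_load()` declares `global $registrations_id, $config;`, but the new `$pdo->prepare(...)` two lines later uses `$pdo`, which is therefore undefined inside the function (as far as the hunk shows) and fails with `Error: Call to a member function prepare() on null`; the declaration needs `global $registrations_id, $config, $pdo;`. `echo $pdo->errorInfo();` also prints `Array` rather than a message, since `errorInfo()` returns an array; `echo $q->errorInfo()[2] ?? '';` keeps the old `mysql_error()` behaviour. The function body continues beyond the hunk.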

".i18n("Student %1 Details",array($x))."

"; //if we have a valid student, set their ID, so we can UPDATE when we submit //if there is no record for this student, then set the ID to 0, so we will INSERT when we submit @@ -346,10 +383,11 @@ function students_load() echo "
".i18n("School").""; if( $config['participant_registration_type']=="open" || $config['participant_registration_type']=="singlepassword" || $config['participant_registration_type']=="openorinvite" || ($studentinfo && !$studentinfo->schools_id) ) { - $schoolq=mysql_query("SELECT id,school,city FROM schools WHERE year='".$config['FAIRYEAR']."' ORDER by city,school"); + $schoolq=$pdo->prepare("SELECT id,school,city FROM schools WHERE year='".$config['FAIRYEAR']."' ORDER by city,school"); + $schoolq->execute(); echo "