Removed Chat

admin/index.php

@@ -25,7 +25,7 @@
  require_once("../common.inc.php");
  require_once("../user.inc.php");
  require_once("../committee.inc.php");
- require_once("../chat.inc.php");
+
 
  user_auth_required('committee','admin');
 
@@ -33,7 +33,7 @@
  	array('Committee Main' => 'committee_main.php'),
 	"administration");
 
- draw_chatbox('general');
+
 
  echo "<table class=\"adminconfigtable\">";
  echo " <tr>";

admin/registration_list.php

@@ -36,12 +36,16 @@ $auth_type = user_auth_required(array('fair','committee'), 'admin');
  if($_GET['year']) $year=$_GET['year'];
  else $year=$config['FAIRYEAR'];
 
-$q=mysql_query("SELECT * FROM projectcategories WHERE year='$year' ORDER BY id");
+ $q = $pdo->prepare("SELECT * FROM projectcategories WHERE year='$year' ORDER BY id");
-while($r=mysql_fetch_object($q))
+ $q->execute();
+
+while($r=$q->fetch(PDO::FETCH_OBJ))
 	$cats[$r->id]=$r->category;
 
-$q=mysql_query("SELECT * FROM projectdivisions WHERE year='$year' ORDER BY id");
+$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year='$year' ORDER BY id");
-while($r=mysql_fetch_object($q))
+$q->execute();
+
+while($q->fetch(PDO::FETCH_OBJ))
 	$divs[$r->id]=$r->division;
 
 $action=$_GET['action'];

admin/reports_judges.inc.php

@@ -39,11 +39,13 @@ $report_judges_cats = array();
 function report_judges_load_divs($year)
 {
 	global $report_judges_divs;
+	global $pdo;
 	/* Load divisions for this year, only once */
 	if(!array_key_exists($year, $report_judges_divs)) {
 		$report_judges_divs[$year] = array();
-		$q = mysql_query("SELECT * FROM projectdivisions WHERE year='$year'");
+		$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year='$year'");
-		while(($d = mysql_fetch_assoc($q))) {
+		$q->execute();
+		while(($d =$q->fetch(PDO::FETCH_ASSOC))) {
 			$report_judges_divs[$year][$d['id']] = $d;
 		}
 	}
@@ -51,9 +53,11 @@ function report_judges_load_divs($year)
 function report_judges_load_cats($year)
 {
 	global $report_judges_cats;
+	global $pdo;
 	if(!array_key_exists($year, $report_judges_cats)) {
-	        $q = mysql_query("SELECT * FROM projectcategories WHERE year='$year'");
+			$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year='$year'");
-		while(($c = mysql_fetch_assoc($q))) {
+			$q->execute();
+		while(($c = $q->fetch(PDO::FETCH_ASSOC))) {
 			$report_judges_cats[$year][$c['id']] = $c;
 		}
 	}
@@ -908,6 +912,7 @@ function report_judges_update_cats($year)
 
 	report_judges_load_cats($year);
 
+	////FIXME No check for empty projectcategories, please check the NULL case of count($report_judges_cats[$year])
 	if(count($report_judges_cats[$year]) > 10) {
 		echo "Not enough judge age category fields, please file a bug report at sfiab.ca and report that you have ".count($report_judges_cats[$year])." age categories, but the system can handle a maximum of 10.";
 		exit;

admin/reports_students.inc.php

@@ -146,11 +146,11 @@ function report_student_regfee_item($report, $field, $text) {
 	}
 }
 
-
+ $q = $pdo->prepare("SELECT * FROM regfee_items WHERE year='{$config['FAIRYEAR']}'");
- $q = mysql_query("SELECT * FROM regfee_items WHERE year='{$config['FAIRYEAR']}'");
+ $q->execute();
  $regfeeitems=array();
  $first=true;
- while($i = mysql_fetch_assoc($q)) {
+ while($i = $q->fetch(PDO::FETCH_ASSOC)) {
 	 $regfeeitems["regfee_item_".$i['id']] = array (
 		'name' => "Registration Fee Items -- {$i['name']}",
 		'header' => $i['name'],
@@ -1069,7 +1069,7 @@ $report_students_fields = array(
 		'name' => 'Fair -- Name',
 		'header' => 'Fair Name',
 		'width' => 3,
-		'table' => "'".mysql_escape_string($config['fairname'])."'"),
+		'table' => "'".$config['fairname']."'"),
 
 	'fair_logo' =>  array(
 		'name' => 'Fair -- Logo (for Labels only)',

chat.ajax.php

@@ -1,26 +0,0 @@
-<?php
-require_once('common.inc.php');
-//authent_required();
-if(array_key_exists('collapsed', $_POST)){
-	$_SESSION['chat_collapsed'] = $_POST['collapsed'];
-}
-if(!array_key_exists('subject', $_POST) || !array_key_exists('action', $_POST)){
-	exit;
-}
-$params = array();
-$params[] = 'since=' . (array_key_exists('since', $_POST) ? intval($_POST['since']) : 0);
-$params[] = 'subject=' . urlencode($_POST['subject']);
-if(array_key_exists('message', $_POST)){
-	$message = htmlspecialchars($_POST['message']);
-	$params[] = 'message=' . urlencode($message);
-}
-$params[] = 'user=' . urlencode($_SESSION['name']);
-$params[] = 'fairname=' . urlencode($config['fairname']);
-
-$ch = curl_init();
-curl_setopt ($ch, CURLOPT_URL, 'http://sfiab.ca/messageExchange.php');
-curl_setopt ($ch, CURLOPT_POST, 1);
-curl_setopt ($ch, CURLOPT_POSTFIELDS, implode('&', $params));
-curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
-$result = curl_exec ($ch);
-echo $result;

chat.inc.php

@@ -1,270 +0,0 @@
-<?
-/* 
-   This file is part of the 'Science Fair In A Box' project
-   SFIAB Website: http://www.sfiab.ca
-
-   Copyright (C) 2005 Sci-Tech Ontario Inc <info@scitechontario.org>
-   Copyright (C) 2005-2008 James Grant <james@lightbox.org>
-
-   This program is free software; you can redistribute it and/or
-   modify it under the terms of the GNU General Public
-   License as published by the Free Software Foundation, version 2.
-
-   This program is distributed in the hope that it will be useful,
-   but WITHOUT ANY WARRANTY; without even the implied warranty of
-   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-    General Public License for more details.
-
-   You should have received a copy of the GNU General Public License
-   along with this program; see the file COPYING.  If not, write to
-   the Free Software Foundation, Inc., 59 Temple Place - Suite 330,
-   Boston, MA 02111-1307, USA.
-*/
-?>
-<?php
-function draw_chatbox($subject){
-	global $config;
-	$chatCollapsed = $_SESSION['chat_collapsed'] ? 1 : 0;
-?>
-	<style type="text/css">
-		#chatbox_wrapper{
-			border: 3px solid;
-			border-color: #EEEEFF #5C6F90 #5C6F90 #EEEEFF;
-			border-radius: 8px;
-			display:inline-block;
-			width: <?=($chatCollapsed ? '0px' : '30em')?>;
-			height: 38em;
-			float:right;
-			margin: 1em;
-			padding: 1.25em;
-			background-color: #E0E0FF;
-			position:relative;
-		}
-		#chatbox_dialogue{
-			width:100%;
-			height: 30em;
-			top: 0.5em;
-			overflow:auto;
-			border: 3px solid;
-			border-color: #5C6F90 #EEEEFF #EEEEFF #5C6F90;
-			background-color: #FFF;
-			border-radius: 3px;
-			<?php
-			if($chatCollapsed) echo "display: none;\n";
-			?>
-		}
-		#chatbox_separator{
-			border-top:1px solid white;
-			height: 1.5em;
-		}
-		#chatbox_input{
-			width: 100%;
-			background-color: #FFF;
-			height: 3em;
-			border: 3px solid;
-			border-radius: 3px;
-			border-color: #5C6F90 #EEEEFF #EEEEFF #5C6F90;
-			display: none;
-		}
-		#chatbox_submit{
-			margin: 0;
-			margin-top: 0.5em;
-			width: 100%;
-			border-radius: 3px;
-			background-color: #CECEDF;
-			border-color: #E8E8EE #5C6F90 #5C6F90 #E8E8EE;
-			font-size: 18px;
-			height: 1.5em;
-			line-height: 1em;
-			font-weight: normal;
-			display: none;
-		}
-		div.chatbox_messageHeader{
-			margin-top: 1em;
-			border-top: 1px solid #668;
-			border-bottom: 1px solid #224;
-			background-color: #557;
-			color: #FFF;
-		}
-		#chatbox_collapsebutton{
-			position: absolute;
-			left: 0;/*32em;*/
-			top: 0;/*16em;*/
-			width: 1.2em; 
-			height: 1.2em;
-			line-height: 1.2em;
-			text-align:center;
-			cursor:pointer;
-/*			border-radius: 0.5em;
-			background-color:  #CECEDF;
-			border: 2px solid;
-			border-color: #EEEEFF #5C6F90 #5C6F90 #EEEEFF;
-*/
-		}
-	</style>
-	<script type="text/javascript">
-		var lastMessageIndex = {};
-		var ajaxLock = false;
-		var refreshRate = 30000;
-		var viewCollapsed = <?=$chatCollapsed;?>;
-		$(document).ready(function(){
-			loadChat('<?=$subject;?>', function(){
-				setTimeout(function(){refreshChat('<?=$subject;?>');}, refreshRate);
-				if(!viewCollapsed){
-					$('#chatbox_input').css('display', 'block');
-					$('#chatbox_submit').css('display', 'block');
-				}
-				$('#chatbox_input').focus(function(event){
-					$('#chatbox_input').val('');
-					$('#chatbox_input').unbind(event)
-				});
-			});
-		});
-		function doSubmit(){
-			postMessage('<?=$subject;?>', $('#chatbox_input').val());
-			$('#chatbox_input').val('');
-		}
-		function loadChat(subject, callback){
-			ajaxLock = true;
-			if(callback == undefined) callback = function(){};
-			if(lastMessageIndex[subject] == undefined) lastMessageIndex[subject] = 0;
-			$.post(
-				'<?=$config['SFIABDIRECTORY']?>/chat.ajax.php',
-				{'action':'fetch', 'subject':subject, 'since':lastMessageIndex[subject]},
-				function(result){
-					ajaxLock = false;
-					handleReply(subject, result);
-					callback();
-				}
-			);
-		}
-
-		function refreshChat(subject){
-			if(ajaxLock == false){
-				ajaxLock = true;
-				$.post(
-					'<?=$config['SFIABDIRECTORY']?>/chat.ajax.php',
-					{'action':'fetch', 'subject':subject, 'since':lastMessageIndex[subject]},
-					function(result){
-						ajaxLock = false;
-						handleReply(subject, result);
-					}
-				);
-				setTimeout(function(){refreshChat(subject);}, refreshRate);
-			}else{
-				setTimeout(function(){refreshChat(subject);}, refreshRate);
-			}
-		}
-
-		function postMessage(subject, message){
-			if(ajaxLock == false){
-				ajaxLock = true;
-				message = $.trim(message);
-				if(message.length > 0){
-					$.post(
-						'<?=$config['SFIABDIRECTORY']?>/chat.ajax.php',
-						{'action':'fetch', 'subject':subject, 'message':message, 'since':lastMessageIndex[subject]},
-						function(result){
-							ajaxLock = false;
-							handleReply(subject, result);
-						}
-					);
-				}
-			}else{
-				setTimeout(function(){postMessage(subject, message);}, 200 + 400 * Math.random());
-			}
-		}
-
-		function textMessage(time, speaker, fairname, text){
-			var line = $('<div></div>');
-			var header = $('<div class="chatbox_messageHeader"></div>');
-			if(fairname != null) header.append(fairname + "<br/>");
-			header.append('<strong>' + speaker + '</strong>');
-			if(time) header.append('<span style="float:right">' + time + '</span>');
-			line.html(text);
-			$('#chatbox_dialogue').append(header);
-			$('#chatbox_dialogue').append(line);
-			$('#chatbox_dialogue').animate({ scrollTop: $('#chatbox_dialogue').attr("scrollHeight") - $('#chatbox_dialogue').height() }, 0);
-		}
-
-		function errorMessage(text){
-			var line = $('<div class="error"></div>');
-			line.html('<strong>' + text + '</strong>');
-			$('#chatbox_dialogue').append(line);
-			$('#chatbox_dialogue').animate({ scrollTop: $('#chatbox_dialogue').attr("scrollHeight") - $('#chatbox_dialogue').height() }, 0);
-		}
-
-		function systemMessage(text){
-			var line = $('<div></div>');
-			line.html('<strong>' + text + '</strong>');
-			$('#chatbox_dialogue').append(line);
-			$('#chatbox_dialogue').animate({ scrollTop: $('#chatbox_dialogue').attr("scrollHeight") - $('#chatbox_dialogue').height() }, 0);
-		}
-
-		function handleReply(subject, response){
-			var data;
-			eval('data = ' + response);
-			if(data.info.length > 0){
-				for(n in data.info){
-					systemMessage(data.info[n].text);
-				}
-			}
-			if(data.error.length > 0){
-				for(n in data.error){
-					errorMessage(data.error[n]);
-				}
-			}
-			if(data.message.length > 0){
-				for(n in data.message){
-					textMessage(
-						data.message[n].time,
-						data.message[n].speaker,
-						data.message[n].fairname,
-						data.message[n].text
-					);
-					lastMessageIndex[subject] = data.message[n].index;
-				}
-			}
-		}
-
-		function toggleView(){
-			var newWidth, callback;
-			if(viewCollapsed){
-				newWidth = '30em';
-				viewCollapsed = false;
-				$('#chatbox_input').css('display', 'block');
-				$('#chatbox_submit').css('display', 'block');
-				$('#chatbox_dialogue').css('display', 'block');
-				$('#chatbox_collapsebutton').html('&raquo;');
-				callback = function(){
-					$('#chatbox_dialogue').animate({ scrollTop: $('#chatbox_dialogue').attr("scrollHeight") - $('#chatbox_dialogue').height() }, 0);
-				}
-			}else{
-				newWidth = '0px';
-				viewCollapsed = true;
-				callback = function(){
-					$('#chatbox_input').css('display', 'none');
-					$('#chatbox_submit').css('display', 'none');
-					$('#chatbox_dialogue').css('display', 'none');
-					$('#chatbox_collapsebutton').html('&laquo;');
-				}
-			}
-			$.post('<?=$config['SFIABDIRECTORY']?>/chat.ajax.php',{'collapsed':viewCollapsed ? '1' : '0'});
-			$('#chatbox_wrapper').animate({'width':newWidth}, 500, callback);
-		}
-
-	</script>
-	<div id="chatbox_wrapper">
-		<div id="chatbox_dialogue"></div>
-		<div id="chatbox_separator"></div>
-		<textarea id="chatbox_input">Type your message here...</textarea>
-		<button id="chatbox_submit" type="submit" onclick="doSubmit(); return false;">send</button>
-		<div id="chatbox_collapsebutton" onclick="toggleView();"><?php
-			if($chatCollapsed) echo "&laquo;\n";
-			else echo "&raquo;";
-		?></div>
-	</div>
-	<pre>
-	</pre>
-<?php
-}

committees.php

@@ -27,10 +27,13 @@
  send_header("Committee List", null, "committee_management");
 
 	echo "<table>";
-	$q=mysql_query("SELECT * FROM committees ORDER BY ord,name");
+	$q = $pdo->prepare("SELECT * FROM committees ORDER BY ord,name");
-	while($r=mysql_fetch_object($q)) {
+	$q->execute();
-		/* Select all the users in the committee, using MAX(year) for the most recent year */
+
-		$q2=mysql_query("SELECT committees_link.*,users.uid,MAX(users.year),users.lastname
+	while($r=$q->fetch())
+	 {
+		/* Select all the u$q=("SELECT * FROM committees ORDER BY ord,name");sers in the committee, using MAX(year) for the most recent year */
+		$q2=("SELECT committees_link.*,users.uid,MAX(users.year),users.lastname
 							FROM committees_link LEFT JOIN users ON users.uid = committees_link.users_uid 
 							WHERE committees_id='{$r->id}' 
 							GROUP BY users.uid ORDER BY ord,users.lastname ");
@@ -43,8 +46,8 @@
 		echo "<td colspan=\"3\"><h3>".i18n($r->name)."</h3>";
 		echo "</td></tr>\n";
 
-		echo mysql_error();
+		echo pdo->errorInfo();
-		while($r2=mysql_fetch_object($q2)) {
+		while($r2 = $q2->fetch()){
 
 			$uid = $r2->users_uid;
 			$u = user_load_by_uid($uid);

common.inc.php

@@ -22,15 +22,14 @@
 */
 ?>
 <?
-//if we dont set the charset any page that doesnt call send_header() (where it used to be set) would defualt to the server's encoding,
+//////echo phpinfo();
-//which in many cases (like ysf-fsj.ca/sfiab) is UTF-8.  This was causing a lot of the newly AJAX'd editors to fail on french characters,
+header("Content-Type: text/html; charset=utf8"); 
-//becuase they were being encoded improperly.  Ideally, all the databases will be switched to UTF-8, but thats not a near-term possibility,
-//so this is kind of a band-aid solution until we can make everything UTF8.  Hope it doesnt break anything anywhere else!
-header("Content-Type: text/html; charset=iso-8859-1"); 
 
 //set error reporting to not show notices, for some reason some people's installation dont set this by default
 //so we will set it in the code instead just to make sure
-error_reporting( E_ALL ^ E_WARNING ^ E_NOTICE ^ E_DEPRECATED ); 
+#error_reporting(E_ALL);
+error_reporting( E_ALL ^ E_WARNING ); 
+#error_reporting( E_ALL ^ E_WARNING ^ E_NOTICE ^ E_DEPRECATED ); 
 
 define('REQUIREDFIELD','<span class="requiredfield">*</span>');
 
@@ -85,16 +84,11 @@ else
 	exit;
 }
 
-/*
+$dsn = "mysql:host=db;dbname=sfiab;charset=utf8mb4";
-difference between MySQL <5.1 and 5.1:
-in <5.1 in must have internall truncated it at 16 before comparing with the hard-coded 16 character database limit
-in 5.1 it doesnt truncate and compares the full string with the hardcoded 16 character limit, so all our very long usernames
-are now failing
-James - Dec 30 2010
-*/
-$DBUSER=substr($DBUSER,0,16);
 
-if(!mysql_connect($DBHOST,$DBUSER,$DBPASS))
+$pdo = new PDO($dsn,$DBUSER,$DBPASS,$dsn_options);
+
+if(!$pdo)
 {
 	echo "<html><head><title>SFIAB ERROR</title></head><body>";
 	echo "<h1>Science Fair In A Box - ERROR</h1>";
@@ -102,23 +96,18 @@ if(!mysql_connect($DBHOST,$DBUSER,$DBPASS))
 	echo "</body></html>";
 	exit;
 }
-	
-if(!mysql_select_db($DBNAME))
-{
-	echo "<html><head><title>SFIAB ERROR</title></head><body>";
-	echo "<h1>Science Fair In A Box - ERROR</h1>";
-	echo "Cannot select database!";
-	echo "</body></html>";
-	exit;
-}
-//this will silently fail on mysql 4.x, but is needed on mysql5.x to ensure we're only using iso-8859-1 (/latin1) encodings
-@mysql_query("SET NAMES latin1");
 
 //find out the fair year and any other 'year=0' configuration parameters (things that dont change as the years go on)
-$q=@mysql_query("SELECT * FROM config WHERE year='0'");
+
 
 //we might get an error if installation step 2 is not done (ie, the config table doesnt even exist)
-if(mysql_error())
+
+//if we have 0 (<1) then install2 is not done, which would get caught above, 
+//if we have 1 (<2) then insatll3 is not done (no entries for FAIRYEAR and SFIABDIRECTORY)
+$q = $pdo->prepare("SELECT * FROM config WHERE year='0'");
+$q->execute();
+
+if($pdo->errorInfo()[0] != '00000')
 {
 	echo "<html><head><title>SFIAB ERROR</title></head><body>";
 	echo "<h1>Science Fair In A Box - ERROR</h1>";
@@ -127,9 +116,9 @@ if(mysql_error())
 	echo "</body></html>";
 	exit;
 }
-//if we have 0 (<1) then install2 is not done, which would get caught above, 
+
-//if we have 1 (<2) then insatll3 is not done (no entries for FAIRYEAR and SFIABDIRECTORY)
+
-if(mysql_num_rows($q)<2)
+if($q->rowCount()<2)
 {
 	echo "<html><head><title>SFIAB ERROR</title></head><body>";
 	echo "<h1>Science Fair In A Box - ERROR</h1>";
@@ -140,10 +129,11 @@ if(mysql_num_rows($q)<2)
 
 }
 else
-{
+{	
-	while($r=mysql_fetch_object($q))
+	while($r=$q->fetch())
 	{
-		$config[$r->var]=$r->val;
+		
+		$config[$r['var']]=$r['val'];
 	}
 }
 
@@ -151,6 +141,7 @@ $dbdbversion=$config['DBVERSION'];
 $dbcodeversion=@file($prependdir."db/db.code.version.txt");
 $dbcodeversion=trim($dbcodeversion[0]);
 
+
 if(!$dbdbversion)
 {
 	echo "<html><head><title>SFIAB ERROR</title></head><body>";
@@ -182,42 +173,20 @@ if($dbcodeversion!=$dbdbversion)
 	exit;
 }
 
-/* Check that magic_quotes is OFF */
-if(get_magic_quotes_gpc()) {
-?>
-	<html><head><title>SFIAB ERROR</title></head><body>
-	<h1>Science Fair In A Box - ERROR</h1>
-	<p>Your PHP configuration has magic_quotes ENABLED.  They should be
-	disabled, and are disabled in the .htaccess file, so your server is
-	ignoring the .htaccess file or overriding it.
-	<p>Magic quotes is DEPRECATED as of PHP 5.3.0, REMOVE as of 6.0, but ON
-	by default for any PHP &lt; 5.3.0.  
-	<p>It's a pain in the butt because PHP runs urldecode() on all inputs 
-	from GET and POST, but if it sees the string has quotes, then it escapes
-	existing quotes before passing it to us.  This is a problem for json_decode
-	where we do not want this behaviour, and thus need to pass through stripslashes()
-	first, but only if magicquotes is ON.  If it's off, stripslashes will
-	break json_decode.
-	<p>Add <pre>php_flag magic_quotes_gpc off</pre> to the .htacces, or add
-	<pre>php_flag magic_quotes_gpc=off</pre> to php.ini
-
-	<br></body></html>
-<?
-	exit;
-}
-
 //now pull the rest of the configuration
-$q=mysql_query("SELECT * FROM config WHERE year='".$config['FAIRYEAR']."'");
+$q = $pdo->prepare("SELECT * FROM config WHERE year='".$config['FAIRYEAR']."'");
-while($r=mysql_fetch_object($q))
+$q->execute();
+while($r=$q->fetch())
 {
-	$config[$r->var]=$r->val;
+	$config[$r['var']]=$r['val'];
 }
 
 //now pull the dates
-$q=mysql_query("SELECT * FROM dates WHERE year='".$config['FAIRYEAR']."'");
+$q = $pdo->prepare("SELECT * FROM dates WHERE year='".$config['FAIRYEAR']."'");
-while($r=mysql_fetch_object($q))
+$q->execute();
+while($r=$q->fetch())
 {
-	$config['dates'][$r->name]=$r->date;
+	$config['dates'][$r['name']]=$r['date'];
 }
 
 //and now pull the theme
@@ -226,6 +195,8 @@ require_once("theme/{$config['theme_icons']}/icons.php");
 
 require_once("committee.inc.php");
 
+session_start();
+
 if($config['SFIABDIRECTORY'] == '') {
 	session_name("SFIABSESSID");
 	session_set_cookie_params(0,'/');
@@ -233,7 +204,6 @@ if($config['SFIABDIRECTORY'] == '') {
 	session_name("SFIABSESSID".preg_replace("/[^A-Za-z]/","_",$config['SFIABDIRECTORY']));
 	session_set_cookie_params(0,$config['SFIABDIRECTORY']);
 }
-session_start();
 
 //detect the browser first, so we know what icons to use - we store this in the config array as well
 //even though its not configurable by the fair
@@ -245,17 +215,18 @@ else
 
 
 //now get the languages, and make sure we have at least one active language
-$q=mysql_query("SELECT * FROM languages WHERE active='Y' ORDER BY langname");
+
-if(mysql_num_rows($q)==0)
+$q=$pdo->prepare("SELECT * FROM languages WHERE active='Y' ORDER BY langname");
+$q->execute();
+if($q->rowCount()==0)
 {
 	echo "No active languages defined, defaulting to English";
 	$config['languages']['en']="English";
 }
 else
-{
+{	while($r=$q->fetch())
-	while($r=mysql_fetch_object($q))
 	{
-		$config['languages'][$r->lang]=$r->langname;
+		$config['languages'][$r['lang']]=$r['langname'];
 	}
 }
 //now if no language has been set yet, lets set it to the default language
@@ -279,7 +250,7 @@ if($_GET['switchlanguage'])
 	if($config['languages'][$_GET['switchlanguage']])
 	{
 		$_SESSION['lang']=$_GET['switchlanguage'];
-
+ 
 	}
 	else
 	{
@@ -288,7 +259,7 @@ if($_GET['switchlanguage'])
 }
 
 function i18n($str,$args=array(),$argsdesc=array(),$forcelang="")
-{
+{	global $pdo;
 	if(!$str)
 		return "";
 
@@ -311,12 +282,15 @@ function i18n($str,$args=array(),$argsdesc=array(),$forcelang="")
 		}
 		else
 		{
-			$q=mysql_query("SELECT * FROM translations WHERE lang='".$_SESSION['lang']."' AND strmd5='".md5($str)."'");
+			
-			if($r=@mysql_fetch_object($q))
+			$q = $pdo->prepare("SELECT * FROM translations WHERE lang='".$_SESSION['lang']."' AND strmd5='".md5($str)."'");
+			$q->execute();
+			if($r = $q->fetch())
+		
 			{
-				if($r->val)
+				if($r["val"])
 				{
-					$ret=$r->val;
+					$ret=$r["val"];
 
 					for($x=1;$x<=count($args);$x++)
 					{
@@ -348,12 +322,13 @@ function i18n($str,$args=array(),$argsdesc=array(),$forcelang="")
 						$n++;
 					}
 					$argsdescstring=substr($argsdescstring,0,-2);
-					$argsdescstring="'".mysql_escape_string($argsdescstring)."'";
+					$argsdescstring=pdo->quote($argsdescstring)."'";
 				}
 				else
 					$argsdescstring="null";
 
-				mysql_query("INSERT INTO translations (lang,strmd5,str,argsdesc) VALUES ('".$_SESSION['lang']."','".md5($str)."','".mysql_escape_string($str)."',$argsdescstring)");
+				$stmt = $pdo->prepare("INSERT INTO translations (lang,strmd5,str,argsdesc) VALUES (?,?,?,?)");
+				$stmt->execute([$_SESSION['lang'], md5($str), $pdo->quote($str), $argsdescstring]);
 				for($x=1;$x<=count($args);$x++)
 				{
 					$str=str_replace("%$x",$args[$x-1],$str);
@@ -420,12 +395,13 @@ function send_header($title="", $nav=null, $icon=null, $titletranslated=false)
 ?>
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> 
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" >
-<head><title><? if($title && !$titletranslated) echo i18n($title); else if($title) echo $title; else echo i18n($config['fairname']); ?></title>
+<head><title><? //if($title && !$titletranslated) echo i18n($title); else if($title) echo $title; else echo i18n($config['fairname']); ?></title>
 <link rel="stylesheet" href="<?=$config['SFIABDIRECTORY']?>/theme/<?=$config['theme']?>/jquery-ui-1.7.2.custom.css" type="text/css" media="all" />
 <link rel="stylesheet" href="<?=$config['SFIABDIRECTORY']?>/theme/<?=$config['theme']?>/sfiab.css" type="text/css" media="all" />
 <link rel="stylesheet" href="<?=$config['SFIABDIRECTORY']?>/tableeditor.css" type="text/css" media="all" />
 </head>
 <body>
+<!-- <? if($title && !$titletranslated) echo i18n($title); else if($title) echo $title; else echo i18n($config['fairname']); ?> -->
 <script type="text/javascript" src="<?=$config['SFIABDIRECTORY']?>/js/jquery/1.3.2/jquery.min.js"></script>
 <script type="text/javascript" src="<?=$config['SFIABDIRECTORY']?>/js/jqueryui/1.7.2/jquery-ui.min.js"></script>
 <script type="text/javascript" src="<?=$config['SFIABDIRECTORY']?>/js/sfiab.js"></script>
@@ -489,8 +465,8 @@ echo "</div>";
 	//only display it if a date is set to begin with.
 	if($config['dates']['postparticipants'] && $config['dates']['postparticipants']!="0000-00-00 00:00:00")
 	{
-		$q=mysql_query("SELECT (NOW()>'".$config['dates']['regclose']."') AS test");
+		$q=("SELECT (NOW()>'".$config['dates']['regclose']."') AS test");
-		$r=mysql_fetch_object($q);
+		$r=$q->fetch();
 		if($r->test==1)
 		{
 			$registrationconfirmationlink="<li><a href=\"".$config['SFIABDIRECTORY']."/confirmed_participants.php\">".i18n("Confirmed Participants")."</a></li>";
@@ -866,10 +842,10 @@ function emit_time_selector($name,$selected="")
 function emit_province_selector($name,$selected="",$extra="")
 {
 	global $config;
-	$q=mysql_query("SELECT * FROM provinces WHERE countries_code='".mysql_escape_string($config['country'])."' ORDER BY province");
+	$q=("SELECT * FROM provinces WHERE countries_code='".mysql_escape_string($config['country'])."' ORDER BY province");
 	if(mysql_num_rows($q)==1)
 	{
-		$r=mysql_fetch_object($q);
+		$r = $q->fetch();
 		echo "<input type=\"hidden\" name=\"$name\" value=\"$r-code\">";
 		echo i18n($r->province);
 	}
@@ -877,7 +853,7 @@ function emit_province_selector($name,$selected="",$extra="")
 	{
 		echo "<select name=\"$name\" $extra>\n";
 		echo "<option value=\"\">".i18n("Select a {$config['provincestate']}")."</option>\n";
-		while($r=mysql_fetch_object($q))
+		while($r = $q->fetch())
 		{
 			if($r->code == $selected) $sel="selected=\"selected\""; else $sel="";
 
@@ -980,8 +956,8 @@ function email_send($val,$to,$sub_subject=array(),$sub_body=array())
 		return false;
 	}
 
-	$q=mysql_query("SELECT * FROM emails WHERE val='$val'");
+	$q=("SELECT * FROM emails WHERE val='$val'");
-	if($r=mysql_fetch_object($q)) {
+	if($r = $q->fetch()) {
 		//we dont want to translate these, the messages themselves shoudl contain whatever languages they need
 		$subject=$r->subject;
 		$body=$r->body;
@@ -1066,8 +1042,8 @@ function getEmailRecipientsForRegistration($reg_id)
 {
 	global $config;
 	//okay first grab the registration record, to see if we should email the kids, the teacher, and/or the parents
-	$q=mysql_query("SELECT * FROM registrations WHERE id='$reg_id' AND year='{$config['FAIRYEAR']}'");
+	$q=("SELECT * FROM registrations WHERE id='$reg_id' AND year='{$config['FAIRYEAR']}'");
-	$registration=mysql_fetch_object($q);
+	$registration=$q->fetch();
 
 	if($registration->emailcontact && isEmailAddress($registration->emailcontact)) {
 			$ret[]=array("to"=>$registration->emailcontact,
@@ -1077,9 +1053,9 @@ function getEmailRecipientsForRegistration($reg_id)
 				);
 	}
 
-	$sq=mysql_query("SELECT * FROM students WHERE registrations_id='$reg_id' AND year='{$config['FAIRYEAR']}'");
+	$sq=("SELECT * FROM students WHERE registrations_id='$reg_id' AND year='{$config['FAIRYEAR']}'");
 	$ret=array();
-	while($sr=mysql_fetch_object($sq)) {
+	while($sr=$sq->fetch()) {
 		if($sr->email && isEmailAddress($sr->email)) {
 			$to=$sr->email;
 
@@ -1096,14 +1072,17 @@ function getEmailRecipientsForRegistration($reg_id)
 function output_page_text($textname)
 {
 	global $config;
-	$q=mysql_query("SELECT * FROM pagetext WHERE textname='$textname' AND year='".$config['FAIRYEAR']."' AND lang='".$_SESSION['lang']."'");
+	global $pdo;
-	if(mysql_num_rows($q))
+	
-		$r=mysql_fetch_object($q);
+	$q = $pdo->prepare("SELECT * FROM pagetext WHERE textname='$textname' AND year='".$config['FAIRYEAR']."' AND lang='".$_SESSION['lang']."'");
+	$q->execute();
+	if($q->rowCount())
+		$r = $q->fetch();
 	else
 	{
 		//not defined, lets grab the default text
-		$q=mysql_query("SELECT * FROM pagetext WHERE textname='$textname' AND year='-1' AND lang='".$config['default_language']."'");
+		$q=("SELECT * FROM pagetext WHERE textname='$textname' AND year='-1' AND lang='".$config['default_language']."'");
-		$r=mysql_fetch_object($q);
+		$r = $q->fetch();
 	}
 
 	//if it looks like we have HTML content, dont do a nl2br, if there's no html, then do the nl2br
@@ -1116,10 +1095,13 @@ function output_page_text($textname)
 function output_page_cms($filename)
 {
 	global $config;
-	$q=mysql_query("SELECT * FROM cms WHERE filename='".mysql_escape_string($filename)."' AND lang='".$_SESSION['lang']."' ORDER BY dt DESC LIMIT 1");
+	global $pdo;
-	if(mysql_num_rows($q))
+	
+	$q = $pdo->prepare("SELECT * FROM cms WHERE filename='".$filename."' AND lang='".$_SESSION['lang']."' ORDER BY dt DESC LIMIT 1");
+	$q->execute();
+	if($q->rowCount())
 	{
-		$r=mysql_fetch_object($q);
+		$r = $q->fetch();
 		send_header($r->title,null,null,true);
 
 		if(file_exists("data/logo-200.gif") && $r->showlogo==1)
@@ -1149,7 +1131,7 @@ function generatePassword($pwlen=8)
 
 	$key="";
 	for($x=0;$x<$pwlen;$x++)
-		$key.=$available{rand(0,$len)};
+		$key.=$available[rand(0,$len)];
 	return $key;
 }
 
@@ -1170,33 +1152,41 @@ function admin_warnings()
 function committee_warnings()
 {
 	global $config;
+	global $pdo;
 	//it is vital that each year the system be rolled over before we start it again
 	//we should do this, say, 4 months after the FAIRDATE, so its soon enough that they should see
 	//the message as soon as they login to start preparing for hte new year, but not too late to do it
 	//properly :)
 
-	$q=mysql_query("SELECT DATE_ADD('".$config['dates']['fairdate']."', INTERVAL 4 MONTH) < NOW() AS rollovercheck");
+
-	$r=mysql_fetch_object($q);
+
+	$q = $pdo->prepare("SELECT DATE_ADD('".$config['dates']['fairdate']."', INTERVAL 4 MONTH) < NOW() AS rollovercheck");
+	$q->execute();
+
+	$r = $q->fetch();
 	if($r->rollovercheck) {
 		echo error(i18n("It has been more than 4 months since your fair.  In order to prepare the system for the next year's fair, you should go to the SFIAB Configuration page, and click on 'Rollover Fair Year'.  Do not start updating the system with new information until the year has been properly rolled over."));
 	}
 
 	$warn = false;
-	$q = mysql_query("SELECT * FROM award_prizes WHERE `external_identifier` IS NOT NULL 
+	
+	$q = $pdo->prepare("SELECT * FROM award_prizes WHERE `external_identifier` IS NOT NULL 
 				AND external_identifier=prize");
-	if(mysql_num_rows($q) > 0) {
+	$q->execute();
+	if($q->rowCount() > 0) {
 		/* The bug was that the external_identifier was set to the prize name.. so only display the warning
 		 * if we find that case for a non-sfiab external fair */
-		while(($p = mysql_fetch_assoc($q) )) {
+		while(($p = $q->fetch(PDO::FETCH_ASSOC) )) {
-			$qq = mysql_query("SELECT * FROM award_awards 
+			$qq = ("SELECT * FROM award_awards 
 						LEFT JOIN fairs ON fairs.id=award_awards.award_source_fairs_id
 						WHERE award_awards.id='{$p['award_awards_id']}'
 						AND year='{$config['FAIRYEAR']}'
 						AND award_awards.award_source_fairs_id IS NOT NULL
 						AND fairs.type='ysc' ");
-						echo mysql_error();
+						echo pdo->errorInfo();
 			if(mysql_num_rows($qq) > 0) {
-				$warn = true;
+				$warn;
+				
 				break;
 			}
 		}
@@ -1406,7 +1396,7 @@ function getTextFromHtml($html) {
 
 function getUserForSponsor($sponsor_id) {
 	// loop through each contact and draw a form with their data in it.
-	$q = mysql_query("SELECT *,MAX(year) FROM users LEFT JOIN users_sponsor ON users_sponsor.users_id=users.id
+	$q = ("SELECT *,MAX(year) FROM users LEFT JOIN users_sponsor ON users_sponsor.users_id=users.id
 	WHERE 
 	sponsors_id='" . $sponsor_id . "' 
     AND types LIKE '%sponsor%'
@@ -1415,7 +1405,7 @@ function getUserForSponsor($sponsor_id) {
 	ORDER BY users_sponsor.primary DESC,lastname,firstname
 	LIMIT 1
     ");
-	$r=mysql_fetch_object($q);
+	$r = $q->fetch();
 	return user_load_by_uid($r->uid);
 }
 
@@ -1424,8 +1414,8 @@ function projectdivisions_load($year = false)
 	global $config;
 	if($year == false) $year = $config['FAIRYEAR'];
 	$divs = array();
-	$q = mysql_query("SELECT * FROM projectdivisions WHERE year='$year'");
+	$q = ("SELECT * FROM projectdivisions WHERE year='$year'");
-	while(($d = mysql_fetch_assoc($q))) $divs[$d['id']] = $d;
+	while(($d = $q->fetch(PDO::FETCH_ASSOC))) $divs[$d['id']] = $d;
 	return $divs;
 }
 function projectcategories_load($year = false)
@@ -1433,8 +1423,8 @@ function projectcategories_load($year = false)
 	global $config;
 	if($year == false) $year = $config['FAIRYEAR'];
 	$cats = array();
-	$q = mysql_query("SELECT * FROM projectcategories WHERE year='$year'");
+	$q = ("SELECT * FROM projectcategories WHERE year='$year'");
-	while(($c = mysql_fetch_assoc($q))) $cats[$c['id']] = $d;
+	while(($c = $q->fetch(PDO::FETCH_ASSOC))) $cats[$c['id']] = $d;
 	return $cats;
 }
 

config/backuprestore.php

@@ -155,7 +155,7 @@ else if($_POST['action']=="restoreproceed") {
 	);
 
 	//make sure the filename's good before we used it
-	if(ereg("^[a-z0-9]{32}$",$_POST['realfilename']) && file_exists("../data/backuprestore/".$_POST['realfilename'])) {
+	if(mb_ereg("^[a-z0-9]{32}$",$_POST['realfilename']) && file_exists("../data/backuprestore/".$_POST['realfilename'])) {
 		$filename=$_POST['realfilename'];
 		echo i18n("Proceeding with database restore from %1",array($_POST['filename']))."...";
 		$lines=file("../data/backuprestore/$filename");
@@ -163,13 +163,13 @@ else if($_POST['action']=="restoreproceed") {
 		echo "<pre>";
 		foreach($lines AS $line) {
 			$line=trim($line);
-			if(ereg("^#TABLE: (.*)",$line,$args)) {
+			if(mb_ereg("^#TABLE: (.*)",$line,$args)) {
 				//empty out the table
 				$sql="TRUNCATE TABLE `".$args[1]."`";
 		//			echo $sql."\n";
 				mysql_query($sql);
 			}
-			else if(ereg("^#",$line)) {
+			else if(mb_ereg("^#",$line)) {
 				//just skip it
 			}
 			else
@@ -312,7 +312,7 @@ else
 	$dh=opendir("../data/backuprestore");
 	$removed=false;
 	while($fn=readdir($dh)) {
-		if(ereg("[a-z0-9]{32}",$fn)) {
+		if(mb_ereg("[a-z0-9]{32}",$fn)) {
 			unlink("../data/backuprestore/$fn");
 			$removed=true;
 		}

config/categories.php

@@ -143,9 +143,9 @@
 	echo "</tr>";
  }
  else
- {
+ {	$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year='".$config['FAIRYEAR']."' ORDER BY mingrade");
-	 $q=mysql_query("SELECT * FROM projectcategories WHERE year='".$config['FAIRYEAR']."' ORDER BY mingrade");
+	$q->execute();
-	 while($r=mysql_fetch_object($q))
+	 while($r=$q->fetch(PDO::FETCH_OBJ))
 	 {
 		echo "<tr>";
 		echo " <td align=\"center\">$r->id</td>";

config/dates.php

@@ -31,8 +31,10 @@
             ,"important_dates"
 			);
 
-$q=mysql_query("SELECT * FROM dates WHERE year='-1'");
+$q = $pdo->prepare("SELECT * FROM dates WHERE year='-1'");
-while($r=mysql_fetch_object($q)) {
+$q->execute();
+
+while($r=$q->fetch(PDO::FETCH_OBJ)) {
 	$defaultdates[$r->name]=$r;
 }
 
@@ -78,8 +80,10 @@ $dates  = array('fairdate' => array() ,
 		'specawardregclose' => array());
 
 /* Now copy the SQL data into the above array */
- $q=mysql_query("SELECT * FROM dates WHERE year='".$config['FAIRYEAR']."' ORDER BY date");
+
- while($r=mysql_fetch_object($q)) {
+ $q = $pdo->prepare("SELECT * FROM dates WHERE year='".$config['FAIRYEAR']."' ORDER BY date");
+ $q->execute();
+ while($r=$q->fetch(PDO::FETCH_OBJ)) {
  	$dates[$r->name]['description'] = $r->description;
 	$dates[$r->name]['id'] = $r->id;
 	$dates[$r->name]['date'] = $r->date;

config/divisions.php

@@ -184,9 +184,9 @@ if($_GET['action']=="edit" || $_GET['action']=="new") {
 	echo "</tr>";
  }
  else
- {
+ {	$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year='".$config['FAIRYEAR']."' ORDER BY id");
-	 $q=mysql_query("SELECT * FROM projectdivisions WHERE year='".$config['FAIRYEAR']."' ORDER BY id");
+	 $q->execute();
-	 while($r=mysql_fetch_object($q))
+	 while($r=$q->fetch(PDO::FETCH_OBJ))
 	 {
 		echo "<tr>";
 		echo " <td>$r->id</td>";

config/divisions_cwsf.php

@@ -31,6 +31,7 @@
             ,"cwsf_project_divisions"
 			);
 
+////// FIX ME!!!!!
  if(count($_POST['cwsfdivision']))
  {
  	foreach($_POST['cwsfdivision'] AS $k=>$v)

config/pagetexts.php

@@ -37,16 +37,18 @@
             ,"page_texts"
 			);
 
- $q=mysql_query("SELECT * FROM pagetext WHERE year='-1' ORDER BY textname");
+$q = $pdo->prepare("SELECT * FROM pagetext WHERE year='-1' ORDER BY textname");
- while($r=mysql_fetch_object($q))
+ $q->execute();
+ while($r=$q->fetch(PDO::FETCH_OBJ))
  {
 	 foreach($config['languages'] AS $lang=>$langname) {
-        mysql_query("INSERT INTO pagetext (textname,textdescription,text,year,lang) VALUES (
+		$q = $pdo->prepare("INSERT INTO pagetext (textname,textdescription,text,year,lang) VALUES (
-            '".mysql_escape_string($r->textname)."',
+            '".$r->textname."',
-            '".mysql_escape_string($r->textdescription)."',
+            '".$r->textdescription."',
-            '".mysql_escape_string($r->text)."',
+            '".$r->text."',
             '".$config['FAIRYEAR']."',
-            '".mysql_escape_string($lang)."')");
+            '".$lang."')");
+        $q->execute();
     }
  }
 

config/safetyquestions.php

@@ -142,9 +142,10 @@
  echo "<a href=\"safetyquestions.php?action=new\">".i18n("Add new safety question")."</a>";
 
  echo "<table class=\"summarytable\">";
- $q=mysql_query("SELECT * FROM safetyquestions WHERE year='".$config['FAIRYEAR']."' ORDER BY ord");
+ $q = $pdo->prepare("SELECT * FROM safetyquestions WHERE year='".$config['FAIRYEAR']."' ORDER BY ord");
+ $q->execute();
  echo "<tr><th>".i18n("Ord")."</th><th>".i18n("Question")."</th><th>".i18n("Type")."</th><th>".i18n("Required")."</th><th>".i18n("Actions")."</th></tr>";
- while($r=mysql_fetch_object($q))
+ while($r=$q->fetch(PDO::FETCH_OBJ))
  {
  	echo "<tr>";
 	echo "<td>$r->ord</td>";

config/signaturepage.php

@@ -49,9 +49,9 @@
  }
 
 echo "<a href=\"../register_participants_signature.php?sample=true\">Preview your signature form as a PDF (as a student would see it)</a><br />";
-
+$q = $pdo->prepare("SELECT * FROM signaturepage WHERE name='exhibitordeclaration'");
-$q=mysql_query("SELECT * FROM signaturepage WHERE name='exhibitordeclaration'");
+$q->execute();
-$r=mysql_fetch_object($q);
+$r=$q->fetch(PDO::FETCH_OBJ);
 echo "<form method=\"post\" action=\"signaturepage.php\">";
 echo "<input type=\"hidden\" name=\"action\" value=\"save\">\n";
 if($r->use) $ch="checked=\"checked\""; else $ch="";
@@ -61,8 +61,9 @@ echo "<textarea name=\"exhibitordeclaration\" rows=\"8\" cols=\"80\">".$r->text.
 echo "<br />";
 echo "<br />";
 
-$q=mysql_query("SELECT * FROM signaturepage WHERE name='parentdeclaration'");
+$q = $pdo->prepare("SELECT * FROM signaturepage WHERE name='parentdeclaration'");
-$r=mysql_fetch_object($q);
+$q->execute();
+$r=$q->fetch(PDO::FETCH_OBJ);
 if($r->use) $ch="checked=\"checked\""; else $ch="";
 echo "<input $ch type=\"checkbox\" name=\"useparentdeclaration\" value=\"1\">".i18n("Use the parent/guardian declaration and obtain parent/guardian signatures");
 echo "<br />";
@@ -70,8 +71,10 @@ echo "<textarea name=\"parentdeclaration\" rows=\"8\" cols=\"80\">".$r->text."</
 echo "<br />";
 echo "<br />";
 
-$q=mysql_query("SELECT * FROM signaturepage WHERE name='teacherdeclaration'");
+$q = $pdo->prepare("SELECT * FROM signaturepage WHERE name='teacherdeclaration'");
-$r=mysql_fetch_object($q);
+$q->execute();
+$r=$q->fetch(PDO::FETCH_OBJ);
+
 if($r->use) $ch="checked=\"checked\""; else $ch="";
 echo "<input $ch type=\"checkbox\" name=\"useteacherdeclaration\" value=\"1\">".i18n("Use the teacher declaration and obtain teacher's signature");
 echo "<br />";
@@ -79,15 +82,20 @@ echo "<textarea name=\"teacherdeclaration\" rows=\"8\" cols=\"80\">".$r->text."<
 echo "<br />";
 echo "<br />";
 
-$q=mysql_query("SELECT * FROM signaturepage WHERE name='regfee'");
+
-$r=mysql_fetch_object($q);
+$q = $pdo->prepare("SELECT * FROM signaturepage WHERE name='regfee'");
+$q->execute();
+$r=$q->fetch(PDO::FETCH_OBJ);
+
 if($r->use) $ch="checked=\"checked\""; else $ch="";
 echo "<input $ch type=\"checkbox\" name=\"useregfee\" value=\"1\">".i18n("Include registration fee information on the $non_capital_participationform");
 echo "<br />";
 echo "<br />";
 
-$q=mysql_query("SELECT * FROM signaturepage WHERE name='postamble'");
+$q = $pdo->prepare("SELECT * FROM signaturepage WHERE name='postamble'");
-$r=mysql_fetch_object($q);
+$q->execute();
+$r=$q->fetch(PDO::FETCH_OBJ);
+
 if($r->use) $ch="checked=\"checked\""; else $ch="";
 echo "<input $ch type=\"checkbox\" name=\"usepostamble\" value=\"1\">".i18n("Place Additional Information after all the required signatures");
 echo "<br />";

config/subdivisions.php

@@ -148,8 +148,7 @@
 	echo "</tr>";
  }
  else
- {
+ {	$q = $pdo->prepare("SELECT projectsubdivisions.id, 
-	 $q=mysql_query("SELECT projectsubdivisions.id, 
 	 			projectsubdivisions.projectdivisions_id,
 				projectsubdivisions.subdivision,
 				projectdivisions.division
@@ -162,8 +161,9 @@
 					AND projectsubdivisions.projectdivisions_id=projectdivisions.id
 				ORDER BY 
 					division,subdivision");
-echo mysql_error();
+	 $q->execute();
-	 while($r=mysql_fetch_object($q))
+echo $pdo->errorInfo();
+	 while($r=$q->fetch(PDO::FETCH_OBJ))
 	 {
 		echo "<tr>";
 		echo " <td>$r->division</td>";

config/variables.php

@@ -27,16 +27,18 @@
  require_once("../config_editor.inc.php");
  user_auth_required('committee', 'config');
 
- $q=mysql_query("SELECT * FROM config WHERE year='-1'");
+ 
- while($r=mysql_fetch_object($q)) {
+ $q = $pdo->prepare("SELECT * FROM config WHERE year='-1'");
-	mysql_query("INSERT INTO config (var,val,category,type,type_values,ord,description,year) VALUES (
+ $q->execute();
-		'".mysql_escape_string($r->var)."',
+ while($r=$q->fetch(PDO::FETCH_OBJ)) {
-		'".mysql_escape_string($r->val)."',
+	$q = $pdo->prepare("INSERT INTO config (var,val,category,type,type_values,ord,description,year) VALUES (
-		'".mysql_escape_string($r->category)."',
+		'".$r->var."',
-		'".mysql_escape_string($r->type)."',
+		'".$r->val."',
-		'".mysql_escape_string($r->type_values)."',
+		'".$r->category."',
-		'".mysql_escape_string($r->ord)."',
+		'".$r->type."',
-		'".mysql_escape_string($r->description)."',
+		'".$r->type_values."',
+		'".$r->ord."',
+		'".$r->description."',
 		'".$config['FAIRYEAR']."')");
  }
 
@@ -67,14 +69,14 @@
             ,"configuration_variables"
 			);
 
-
+$q = $pdo->prepare("SELECT DISTINCT(category) AS cat FROM config ORDER BY cat");
- $q=mysql_query("SELECT DISTINCT(category) AS cat FROM config ORDER BY cat");
+$q->execute();
  echo "\n<table valign=\"top\" cellspacing=0 cellpadding=5 border=0>";
 
  echo "<tr><td width=\"120\" style=\"border-right: 1px solid black;\">";
  echo "<table cellspacing=0 cellpadding=3 border=0>";
  $trclass = 'odd';
- while($r=mysql_fetch_object($q)) {
+ while($r=$q->fetch(PDO::FETCH_ASSOC)) {
  	$trclass = ($trclass == 'odd') ? 'even' : 'odd';
  	echo "<tr class=\"$trclass\">";
  	echo "<td align=\"right\">"; 

config_editor.inc.php

@@ -24,13 +24,13 @@
 <?
 
 function config_editor_load($category, $year)
-{
+{	global $pdo;
 	$query = "SELECT * FROM config WHERE year='$year' AND category='$category' ORDER BY ord";
-	$q = mysql_query($query);
+	$q = $pdo->prepare($query);
-	print(mysql_error());
+	print($pdo->errorInfo());
 
 	$var = array();
-	while($r=mysql_fetch_object($q)) {
+	while($r=$q->fetch()) {
 		$var[$r->var]['val'] = $r->val;
 		$var[$r->var]['desc'] = $r->description;
 		$var[$r->var]['category'] = $r->category;
@@ -84,8 +84,8 @@ function config_update_variables($fairyear=NULL, $lastfairyear=NULL)
 		LEFT JOIN `config` AS C2 ON(config.var=C2.var 
 					AND C2.year='$fairyear') 
 		WHERE config.year=-1 AND C2.year IS NULL";
-	$r = mysql_query($q);
+	$r = ($q);
-	while($i = mysql_fetch_assoc($r)) {
+	while($i = $r->fetch(PDO::FETCH_ASSOC)) {
 		$var = $i['var'];
 		/* See if this var exists for last year or
 		 * the -1 year, prefer last year's value */
@@ -94,22 +94,22 @@ function config_update_variables($fairyear=NULL, $lastfairyear=NULL)
 				AND (config.year='$lastfairyear' 
 					OR config.year='-1')
 			ORDER BY config.year DESC";
-		$r2 = mysql_query($q);
+		$r2 = ($q);
 		if(mysql_num_rows($r2) < 1) {
 			/* Uhoh, this shouldn't happen */
 			echo "ERROR, Variable '$var' doesn't exist";
 			exit;
 		}
-		$v = mysql_fetch_object($r2);
+		$v = $r2->fetch();
 
-		mysql_query("INSERT INTO config (var,val,category,type,type_values,ord,description,year) VALUES (
+		("INSERT INTO config (var,val,category,type,type_values,ord,description,year) VALUES (
-	                '".mysql_escape_string($v->var)."',
+	                '".pdo->quote($v->var)."',
-			'".mysql_escape_string($v->val)."',
+			'".pdo->quote($v->val)."',
-			'".mysql_escape_string($v->category)."',
+			'".pdo->quote($v->category)."',
-			'".mysql_escape_string($v->type)."',
+			'".pdo->quote($v->type)."',
-			'".mysql_escape_string($v->type_values)."',
+			'".pdo->quote($v->type_values)."',
-			'".mysql_escape_string($v->ord)."',
+			'".pdo->quote($v->ord)."',
-			'".mysql_escape_string($v->description)."',
+			'".pdo->quote($v->description)."',
 			'$fairyear')");
 	}
 }
@@ -151,12 +151,9 @@ function config_editor_handle_actions($category, $year, $array_name)
 			}
 
 			/* Prep for MySQL update */
-			$val = mysql_escape_string($val);
+			$stmt = $pdo->prepare("UPDATE config SET val = ? WHERE var = ? AND year = ?");
-			$v = mysql_escape_string(stripslashes($k));
+			$stmt->execute([$val, $k, $year]);
-			mysql_query("UPDATE config SET val=\"$val\" 
+			print pdo->errorInfo();
-					WHERE var=\"$v\" 
-					AND `year`='$year'");
-			print mysql_error();
 //			echo "Saving {$v} = $val<br>";
 			$config_editor_updated = true;
 			$updated = true;

confirmed_participants.php

@@ -28,16 +28,20 @@
  send_header("Confirmed Participants");
 
 	//first, lets make sure someone isnt tryint to see something that they arent allowed to!
-	$q=mysql_query("SELECT (NOW()>'".$config['dates']['postparticipants']."') AS test");
+	
-	$r=mysql_fetch_object($q);
+	$q=$pdo->prepare("SELECT (NOW()>'".$config['dates']['postparticipants']."') AS test");
+	$q->execute();
+	$r=$q->fetch();
 	if($r->test!=1)
 	{
 		list($d,$t)=explode(" ",$config['dates']['postparticipants']);
 		echo i18n("Confirmed participants (that $signatureformpermissionform have been received for) will be posted here on %1 at %2.  Please do not contact the fair to inquire about receipt of your $signatureformpermissionform until after this date (and only if you are not listed here after this date).",array($d,$t));
 	}
-	else
+	else https://marketplace.visualstudio.com/items?itemName=oscarotero.vento-syntax
 	{
-		$q=mysql_query("SELECT  registrations.id AS reg_id,
+
+		
+		$q=$pdo->prepare("SELECT  registrations.id AS reg_id,
 					registrations.status,
 					registrations.email,
 					projects.title,
@@ -63,7 +67,8 @@
 					projectdivisions.id,
 					projects.projectnumber
 				");
-			echo mysql_error();
+			$q->execute();
+			echo $pdo->errorInfo();
 		
 		$lastcat="something_that_does_not_exist";
 		$lastdiv="something_that_does_not_exist";
@@ -76,7 +81,7 @@
 			echo "<br />";
 		}
 		echo "<table style=\"font-size: 0.9em;\">";
-		while($r=mysql_fetch_object($q))
+		while($r=$q->fetch())
 		{
 			if($r->category != $lastcat)
 			{
@@ -117,7 +122,7 @@
 			echo "<td>$r->projectnumber</td>";
 			echo "<td>$r->title</td>";
 
-			$sq=mysql_query("SELECT students.firstname,
+			$sq=("SELECT students.firstname,
 						students.lastname,
 						students.id,
 						students.webfirst,
@@ -130,14 +135,14 @@
 						AND
 						students.schools_id=schools.id
 					");
-					echo mysql_error();
+					echo pdo->errorInfo();
 
 			$studnum=1;
 			$schools="";
 			$students="";
 			$sameschools=true;
 			$lastschool="";
-			while($studentinfo=mysql_fetch_object($sq))
+			while($studentinfo=$sq->fetch())
 			{
 				if($studentinfo->webfirst=="yes")
 					$students.="$studentinfo->firstname ";

contact.php

@@ -34,8 +34,10 @@
  	if($_POST['to'] && $_POST['subject'] && $_POST['message'] && $_POST['from'] && $_POST['fromemail']) {
 		if(isEmailAddress($_POST['fromemail'])) {
 			list($id,$md5email)=explode(":",$_POST['to']);
-			$q=mysql_query("SELECT * FROM users WHERE uid='".mysql_real_escape_string($id)."' ORDER BY year DESC LIMIT 1");
+			
-			$r=mysql_fetch_object($q);
+			$q=pdo->prepare("SELECT * FROM users WHERE uid=.?. ORDER BY year DESC LIMIT 1");
+			$q->bindParam(1, $id);
+			$q->execute();
 			//if a valid selection is made from the list, then this will always match.
 			if($md5email == md5($r->email)) {
 				$from=cleanify($_POST['from'])." <".cleanify($_POST['fromemail']).">";
@@ -80,12 +82,12 @@ function tochange() {
 	echo "<tr><td>".i18n("To").":</td>";
 	echo "<td><select name=\"to\" onchange=\"tochange()\">";
 	echo "<option value=\"\">".i18n("Choose a person to contact")."</option>\n";
-	$q=mysql_query("SELECT * FROM committees ORDER BY ord,name");
+	$q=pdo->query("SELECT * FROM committees ORDER BY ord,name");
-	while($r=mysql_fetch_object($q)) {
+	while($r->fetch()) {
 
 		/* Select everyone in this committee, attach the user data using MAX(year) so we only get the most recent
 		 * user data */
-		$q2=mysql_query("SELECT committees_link.*,
+		$q2=pdo->query("SELECT committees_link.*,
 								users.uid,
 								MAX(users.year) AS my,
 								users.firstname,
@@ -99,15 +101,18 @@ function tochange() {
 							ORDER BY ord,users.lastname ");
 
 		//if there's nobody in this committee, then just skip it and go on to the next one.
+
+		// FIX ME !!!!!
 		if(mysql_num_rows($q2)==0)
 			continue;
 
 		echo "<option value=\"\">{$r->name}</option>\n";
 
-		echo mysql_error();
+		echo pdo->errorInfo();
-		while($r2=mysql_fetch_object($q2)) {
+		while($r2=$q2->fetch()) {
-			$q3=mysql_query("SELECT firstname,lastname,email,deleted FROM users WHERE uid='$r2->uid' AND year='$r2->my'");
+			$q3=pdo->query("SELECT firstname,lastname,email,deleted FROM users WHERE uid='$r2->uid' AND year='$r2->my'");
-			$r3=mysql_fetch_object($q3);
+	
+			$r3 = $q3->fetch();
 			if($r3->deleted != 'no') continue;
 
 			if($r3->email) {

data/backuprestore/.htaccess

@@ -0,0 +1,2 @@
+Order Deny,Allow
+Deny From All

data/config.inc.php

@@ -0,0 +1,29 @@
+<?
+/* 
+   This file is part of the 'Science Fair In A Box' project
+   SFIAB Website: http://www.sfiab.ca
+
+   Copyright (C) 2005 Sci-Tech Ontario Inc <info@scitechontario.org>
+   Copyright (C) 2005 James Grant <james@lightbox.org>
+
+   This program is free software; you can redistribute it and/or
+   modify it under the terms of the GNU General Public
+   License as published by the Free Software Foundation, version 2.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+    General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program; see the file COPYING.  If not, write to
+   the Free Software Foundation, Inc., 59 Temple Place - Suite 330,
+   Boston, MA 02111-1307, USA.
+*/
+?>
+<?
+$DBHOST=		"db";
+$DBNAME=		"sfiab";
+$DBUSER=		"sfiab";
+$DBPASS=		"ScienceFair123!";
+?>

fair_additional_materials.inc.php

@@ -41,7 +41,7 @@ function fair_additional_materials($fair, $award, $year)
 				LEFT JOIN winners ON winners.awards_prizes_id=award_prizes.id
 			WHERE winners.year='$year' 
 				AND winners.fairs_id='{$fair['id']}'");
-	while($r = mysql_fetch_assoc($q)) {
+	while($r = $q->fetch()) {
 		$pid = $r['projects_id'];
 		$rep->newPage("","",1);
 		$rep->setFontSize(12);

fair_info.php

@@ -49,33 +49,37 @@ switch($_GET['action']) {
 case 'save':
 	$fairs_id = intval($u['fairs_id']);
 	if($fairs_id == 0) {
-		$q = mysql_query("INSERT INTO fairs(`id`,`name`) VALUES('','new entry')");
+		$stmt = $pdo->prepare("INSERT INTO fairs ('id', 'name') VALUES('', 'new entry')");
-		$id = mysql_insert_id();
+		$stmt->execute([$id, $name]);
+		$id = $pdo->lastInsertId();
+		
 	} else {
 		$id = intval($fairs_id);
 	}
+	
+	$name = pdo->quote(stripslashes($_POST['name']));
+	$abbrv = pdo->quote(striplashes($_POST['abbrv']));
+	$url = pdo->quote($_POST['url']);
+	$website = pdo->quote($_POST['website']);
 
-	$name = mysql_real_escape_string(stripslashes($_POST['name']));
-	$abbrv = mysql_real_escape_string(stripslashes($_POST['abbrv']));
-	$url = mysql_real_escape_string($_POST['url']);
-	$website = mysql_real_escape_string($_POST['website']);
 	$type = array_key_exists($_POST['type'], $fair_type) ? $_POST['type'] : '';
-	$username = mysql_real_escape_string(stripslashes($_POST['username']));
+	$username = pdo->prepare(striplashes($_POST['username']));
-	$password = mysql_real_escape_string(stripslashes($_POST['password']));
+	$password = pdo->prepare(striplashes($_POST['password']));
+
 	$enable_stats = ($_POST['enable_stats'] == 'yes') ? 'yes' : 'no';
 	$enable_awards = ($_POST['enable_awards'] == 'yes') ? 'yes' : 'no';
 	$enable_winners = ($_POST['enable_winners'] == 'yes') ? 'yes' : 'no';
 
-	$q = mysql_query("UPDATE fairs SET `name`='$name',
+	$q = $pdo->prepare("UPDATE contacts SET name = $name, abbrv = '$abbrv', url = '$url', website='$website',
-				`abbrv`='$abbrv', `url`='$url',
+				type='$type' , username='$username',
-				`website`='$website',
+				password='$password',
-				`type`='$type' , `username`='$username',
+				enable_stats='$enable_stats',
-				`password`='$password',
+				enable_awards='$enable_awards',
-				`enable_stats`='$enable_stats',
+				enable_winners='$enable_winners' WHERE id = $id");
-				`enable_awards`='$enable_awards',
+	$q->execute([$name, $age, $email, $id]);
-				`enable_winners`='$enable_winners'
+
-				WHERE id=$id");
+	echo pdo->errorInfo();
-	echo mysql_error();
+	
 	$u['fairs_id'] = $id;
 	user_save($u);
 	happy_("Fair Informaiton successfully updated");
@@ -128,9 +132,12 @@ function fairinfo_save()
 
 <?
  /* Load the fair info */
- $q = mysql_query("SELECT * FROM fairs WHERE id={$u['fairs_id']}");
+ $q = $pdo->query;
+ $q = $pdo->query("SELECT * FROM fairs WHERE id={$u['fairs_id']}");
+
+ ######## FIX ME!!!!!
  if(mysql_num_rows($q)) {
-	 $f = mysql_fetch_assoc($q);
+	 $f = $q->fetch;
  } else {
 	 $f = array();
  }

fair_stats.php

@@ -55,10 +55,14 @@ case 'save':
 	//  $str = join(',',$stats);
 	$keys = '`fairs_id`,`year`,`'.join('`,`', array_keys($stats)).'`';
 	$vals = "'{$u['fairs_id']}','$year','".join("','", array_values($stats))."'";
-	mysql_query("DELETE FROM fairs_stats WHERE fairs_id='{$u['fairs_id']}' AND year='$year'");
+	$stmt = $pdo->prepare("DELETE FROM fairs_stats WHERE fairs_id = :fairs_id AND year = :year");
-	echo mysql_error();
+	$stmt->execute([
+    ':fairs_id' => $u['fairs_id'],
+    ':year' => $year
+]);
+	echo pdo->errorInfo();
 	mysql_query("INSERT INTO fairs_stats (`id`,$keys) VALUES ('',$vals)");
-	echo mysql_error();
+	echo pdo->errorInfo();
 
 	happy_("Fair Information Saved.");
 	exit;
@@ -108,9 +112,13 @@ $year = intval($_POST['year']);
 if($year < 1900) $year = $config['FAIRYEAR'];
 
  /* Get the stats we want from this fair */
-$q = mysql_query("SELECT * FROM fairs WHERE id='{$u['fairs_id']}'");
+ $q = $pdo->prepare("SELECT * FROM fairs WHERE id = :fairs_id");
-echo mysql_error();
+
-$fair = mysql_fetch_assoc($q);
+ $q->execute([
+	 ':fairs_id' => $u['fairs_id']
+ ]);
+echo pdo->errorInfo();
+$fair = $q->fetch(PDO::FETCH_ASSOC);
 
 $s = explode(',', $fair['gather_stats']);
 foreach($s as $k) {
@@ -137,9 +145,14 @@ echo "</form>";
 echo "<br />";
 
 /* Load stats */
-$q = mysql_query("SELECT * FROM fairs_stats WHERE fairs_id='{$u['fairs_id']}'
+$q = $pdo->prepare("SELECT * FROM fairs_stats WHERE fairs_id = :fairs_id AND year = :year");
-	                   AND year='$year'");
+
-$stats = mysql_fetch_assoc($q);
+$q->execute([
+    ':fairs_id' => $u['fairs_id'],
+    ':year' => $year
+]);
+
+$stats = $q->fetch(PDO::FETCH_ASSOC);
 
 /* Print stats */
 

important_dates.php

@@ -26,9 +26,12 @@
  send_header("Important Dates",null,"important_dates");
 
  echo "<table>";
+ $q = $pdo->prepare("SELECT *, UNIX_TIMESTAMP(date) AS udate FROM dates WHERE year = :year ORDER BY date");
 
- $q=mysql_query("SELECT *,UNIX_TIMESTAMP(date) AS udate FROM dates WHERE year='{$config['FAIRYEAR']}' ORDER BY date");
+ $q->execute([
- while($r=mysql_fetch_object($q))
+     ':year' => $config['FAIRYEAR']
+ ]);
+ while($r = $q->fetch(PDO::FETCH_OBJ))
  {
  	$trclass = ($trclass == 'odd') ? 'even' : 'odd';
 	if($r->date != '0000-00-00 00:00:00') {

install.php

@@ -71,12 +71,14 @@ echo "Warning: pdflib is not installed on this server! Most pdf reports will fai
 $showform=true;
 
 if($_POST['dbhost'] && $_POST['dbname'] && $_POST['dbuser'] && $_POST['dbpass'])
+
 {
-	if(@mysql_connect($_POST['dbhost'],$_POST['dbuser'],$_POST['dbpass']))
+
-	{
+	try {
-		if(mysql_select_db($_POST['dbname']))
+		$pdo = new PDO('mysql:host=' . $_POST['dbhost'] . ';dbname=' . $_POST['dbname'], $_POST['dbuser'], $_POST['dbpass']);
-		{
+		$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
-			$showform=false;
+
+		$showform=false;
 			echo "<div class=\"happy\">Database connection successful!</div>";
 			echo "<br />";
 			echo "Storing database connection information... ";
@@ -99,20 +101,31 @@ if($_POST['dbhost'] && $_POST['dbname'] && $_POST['dbuser'] && $_POST['dbpass'])
 				echo "<div class=\"error\">Cannot write to data/config.inc.php.  Make sure the web server has write access to the data/ subdirectory</div>";
 
 			}
+	} catch (PDOException $e) {
+		// Handle error
+		echo 'Connection failed: ' . $e->getMessage();
+	}
+	echo "<a href=\"install2.php\">Proceed to installation step 2</a><br />";
+}
+else
+{
+	echo "<div class=\"error\">Cannot write to data/config.inc.php.  Make sure the web server has write access to the data/ subdirectory</div>";
 
-		}
+}
-		else
+
-		{
+}
-			echo "<div class=\"error\">Connected, but cannot select database.  Make sure Database Name is correct, and that the user '".$_POST['dbuser']."' has access to it</div>";
+else
-		}
+{
-	
+echo "<div class=\"error\">Connected, but cannot select database.  Make sure Database Name is correct, and that the user '".$_POST['dbuser']."' has access to it</div>";
-	
+}
-	}
+
-	else
+
-	{
+}
-		echo "<div class=\"error\">Cannot connect to database.  Make sure Host, User and Pass are correct</div>";
+else
-	}
+{
-	echo "<br />";
+echo "<div class=\"error\">Cannot connect to database.  Make sure Host, User and Pass are correct</div>";
+}
+echo "<br />";
 }
 
 

install2.php

@@ -50,8 +50,7 @@ if(!file_exists("data/config.inc.php"))
 
 require_once("data/config.inc.php");
 $DBUSER=substr($DBUSER,0,16);
-mysql_connect($DBHOST,$DBUSER,$DBPASS);
+pdo = new PDO($DBHOST,$DBUSER,$DBPASS);
-mysql_select_db($DBNAME);
 
 		echo "Getting database version requirements for code... ";
 
@@ -69,8 +68,10 @@ mysql_select_db($DBNAME);
 
 		echo "Checking for existing SFIAB database... ";
 
-		$q=@mysql_query("SELECT val FROM config WHERE var='DBVERSION' AND year='0'");
+		$q = $pdo->prepare("SELECT val FROM config WHERE var = 'DBVERSION' AND year = '0'");
-		$r=@mysql_fetch_object($q);
+$q->execute();
+
+$r = $q->fetch(PDO::FETCH_OBJ);
 		$dbdbversion=$r->val;
 
 		if($dbdbversion)
@@ -124,8 +125,8 @@ mysql_select_db($DBNAME);
 					if (substr(trim($line), -1, 1) == ';')
 					{
 					// Perform the query
-					if(!mysql_query($templine)){
+					if(!pdo->exec($templine)){
-						echo('<br/>Error performing query!<br/>'.$templine.'<br/>  mysqlerror: '.mysql_error().'<br /><br />');
+						echo('<br/>Error performing query!<br/>'.$templine.'<br/>  mysqlerror: '.pdo->errorInfo().'<br /><br />');
 						$exit_code = -1;   // do we bail out here or keep going?  keep going for now,  get all errors
 					}
 					// Reset temp variable to empty
@@ -142,7 +143,11 @@ mysql_select_db($DBNAME);
 			echo "<b>Done! installed database version $dbcodeversion</b><br />\n";
 
 			//now update the db version in the database
-			mysql_query("UPDATE config SET val='$dbcodeversion' WHERE var='DBVERSION' AND year='0'");
+			$stmt = $pdo->prepare("UPDATE config SET val = :dbcodeversion WHERE var = 'DBVERSION' AND year = '0'");
+$stmt->execute([
+    ':dbcodeversion' => $dbcodeversion
+]);
+
 
 			echo "<br />";
 			echo "<b>Done!</b><br />";
@@ -161,7 +166,8 @@ mysql_select_db($DBNAME);
 			echo "Trying to find an older version... <br />";
 
 			for($x=$dbcodeversion;$x>0;$x--)
-			{
+			{ALTER TABLE `reports_items` ADD `on_overflow` ENUM( 'truncate', '...', 'scale' ) NOT NULL;
+
 				if(file_exists("db/db.full.$x.sql"))
 				{
 					echo "<b>db/db.full.$x.sql found</b><br />";
@@ -192,8 +198,8 @@ mysql_select_db($DBNAME);
 							if (substr(trim($line), -1, 1) == ';')
 							{
 							// Perform the query
-							if(!mysql_query($templine)){
+							if(!pdo->exec($templine)){
-								echo('<br/>Error performing query!<br/>'.$templine.'<br/>  mysqlerror: '.mysql_error().'<br /><br />');
+								echo('<br/>Error performing query!<br/>'.$templine.'<br/>  mysqlerror: '.pdo->errorInfo().'<br /><br />');
 							    $exit_code = -1;   // do we bail out here or keep going?  keep going for now,  get all errors
 							}
 							// Reset temp variable to empty
@@ -210,7 +216,9 @@ mysql_select_db($DBNAME);
 					echo "<b>Done! installed database version $x</b><br />\n";
 
 					//now update the db version in the database
-					mysql_query("UPDATE config SET val='$x' WHERE var='DBVERSION' AND year='0'");
+					$stmt = $pdo->prepare("UPDATE config SET val = :x WHERE var = 'DBVERSION' AND year = '0'");$stmt->execute([
+    ':x' => $x
+]);
 
 					echo "<b>Attempting to update database using standard update script to update from $x to $dbcodeversion<br />";
 					echo "<br />Please scroll to the bottom of this page for the link to the next step of the installation process.<br /></b>";

install3.php

@@ -43,13 +43,21 @@ require_once("config_editor.inc.php");
 require_once("user.inc.php");
 require_once("committee.inc.php");
 $DBUSER=substr($DBUSER,0,16);
-mysql_connect($DBHOST,$DBUSER,$DBPASS);
+
-mysql_select_db($DBNAME);
+
+pdo = new PDO($DBHOST,$DBUSER,$DBPASS)
+
 
 		echo "Checking for SFIAB database... ";
 
-		$q=@mysql_query("SELECT val FROM config WHERE var='DBVERSION' AND year='0'");
+
-		$r=@mysql_fetch_object($q);
+
+		$stmt = $pdo->prepare("SELECT val FROM config WHERE var = :var AND year = :year");
+		$stmt->execute([':var' => 'DBVERSION', ':year' => 0]);
+
+
+    	$r = $stmt->fetch(PDO::FETCH_OBJ);
+
 		$dbdbversion=$r->val;
 
 		if(!$dbdbversion)
@@ -61,9 +69,9 @@ mysql_select_db($DBNAME);
 		}
 
 //a fresh install should ONLY have DBVERSION defined in the config table.  If there are others (FAIRYEAR, SFIABDIRECTORY) then this is NOT fresh
-$q=mysql_query("SELECT * FROM config WHERE year='0' AND ( var='DBVERSION' OR var='FAIRYEAR' OR var='SFIABDIRECTORY') ");
+$q=pdo->query("SELECT * FROM config WHERE year='0' AND ( var='DBVERSION' OR var='FAIRYEAR' OR var='SFIABDIRECTORY') ");
 //we might get an error if the config table does not exist (ie, installer step 2 failed)
-if(mysql_error())
+if(pdo->errorInfo)
 {
 	//we say all tables, but really only we check for config where year=0;
 	echo "<div class=\"error\">ERROR: No SFIAB tables detected,  It seems like step 2 failed.  Please go <a href=\"install2.php\">Back to Installation Step 2</a> and try again.</div>";
@@ -110,9 +118,37 @@ if($_POST['action']=="save")
 	if(!$err)
 	{
 		echo "Creating configuration settings...";
-		mysql_query("INSERT INTO config (var,val,category,ord,year) VALUES ('FAIRYEAR','".$_POST['fairyear']."','Special','0','0')");
+		
-		mysql_query("INSERT INTO config (var,val,category,ord,year) VALUES ('FISCALYEAR','".$_POST['fiscalyear']."','Special','0','0')");
+
-		mysql_query("INSERT INTO config (var,val,category,ord,year) VALUES ('SFIABDIRECTORY','".$_POST['sfiabdirectory']."','Special','','0')");
+
+$stmt = $pdo->prepare("INSERT INTO config (var, val, category, ord, year) VALUES (:var, :val, :category, :ord, :year)");
+
+
+$stmt->execute([
+    ':var' => 'FAIRYEAR',
+    ':val' => $_POST['fairyear'],
+    ':category' => 'Special',
+    ':ord' => '0',
+    ':year' => '0'
+]);
+
+$stmt->execute([
+    ':var' => 'FISCALYEAR',
+    ':val' => $_POST['fiscalyear'],
+    ':category' => 'Special',
+    ':ord' => '0',
+    ':year' => '0'
+]);
+
+$stmt->execute([
+    ':var' => 'SFIABDIRECTORY',
+    ':val' => $_POST['sfiabdirectory'],
+    ':category' => 'Special',
+    ':ord' => '',
+    ':year' => '0'
+]);
+
+
 
 		$year = intval($_POST['fairyear']);
 		
@@ -120,25 +156,52 @@ if($_POST['action']=="save")
 		config_update_variables($year);
 
 		// Update some variables 
-		mysql_query("UPDATE config SET 
+	
-				val='".mysql_escape_string(stripslashes($_POST['fairname']))."'
-				WHERE var='fairname' AND year='$year'");
 
-		mysql_query("UPDATE config SET 
+		$stmt = pdo->prepare("UPDATE config SET val = :fairname WHERE var = 'fairname' AND year = :year")
-				val='".mysql_escape_string(stripslashes($_POST['email']))."'
+		$stmt.execute(':fairname' => stripslashes($_POST['fairname']),
-				WHERE var='fairmanageremail' AND year='$year'");
+    					':year' => $year)
+		
+		$stmt = pdo->prepare("UPDATE config SET val = :email WHERE var = 'fairmanageremail' AND year = :year")
+		$stmt->execute([':email' => $_POST['email'],':year' => $year
+		]);
 
-		$q=mysql_query("SELECT * FROM dates WHERE year='-1'");
+
-		while($r=mysql_fetch_object($q))
+	
-		{
+		$stmt = $pdo->prepare("SELECT * FROM dates WHERE year = :year");
-			mysql_query("INSERT INTO dates (date,name,description,year) VALUES ('$r->date','$r->name','$r->description','".$_POST['fairyear']."')");
+
+		$stmt->execute([':year' => '-1']);
+
+
+		$results = $stmt->fetchAll(PDO::FETCH_OBJ);
+
+		$stmt = pdo->prepare("INSERT INTO dates (date, name, description, year) VALUES (:date, :name, :description, :fairyear)")
+
+		foreach($results as $r){
+			$stmt->execute([
+				':date' => $r->date,
+       			 ':name' => $r->name,
+        		':description' => $r->description,
+        		':fairyear' => $_POST['fairyear']
+			]);
 		}
 
+		$stmt = pdo->prepare('SELECT * FROM award_types WHERE year=:year')
+
+		$stmt->execute(['year' => -1])
+
+		$results = $stmt->fetchAll(PDO::FETCH_OBJ);
+
+		$insertStmt = $pdo->prepare("INSERT INTO award_types (id, type, `order`, year) VALUES (:id, :type, :order, :year)");
 		//copy over the award_types defautls
-		$q=mysql_query("SELECT * FROM award_types WHERE year='-1'");
+
-		while($r=mysql_fetch_object($q))
+		foreach($results as $r){
-		{
+			$insertStmt->execute([
-			mysql_query("INSERT INTO award_types (id,type,`order`,year) VALUES ('$r->id','$r->type','$r->order','".$_POST['fairyear']."')");
+				'id' => $r->id,
+				'type' => $r->type,
+				'order' => $r->order,
+				'year' => $fairYear
+			]);
 		}
 
 		echo "<b>Done!</b><br />";
@@ -159,7 +222,7 @@ if($_POST['action']=="save")
 		$u['password'] = mysql_escape_string(stripslashes($_POST['pass1']));
 		$u['access_admin'] = 'yes';
 		$u['access_config'] = 'yes';
-		$u['access_super'] = 'yes';
+		$u['access_super'] = 'yes'; 
 		user_save($u);
 
 		echo "<b>Done!</b><br />";
@@ -172,7 +235,10 @@ if($_POST['action']=="save")
 }
 
 echo "<br />";
+
 echo "Please enter the following options <br />";
+
+}
 echo "<br />";
 
 $month=date("m");
@@ -200,7 +266,8 @@ echo "<h3>Superuser Account</h3>";
 echo "Please choose your superuser account which is required to login to SFIAB and configure the system, as well as to add other users. <br />";
 echo "<table>";
 echo "<tr><td>Superuser Email Address</td><td><input size=\"40\" type=\"text\" name=\"email\"></td></tr>";
-echo "<tr><td>Superuser Password</td><td><input size=\"15\" type=\"password\" name=\"pass1\"></td></tr>";
+echo "<tr><td>Superuser Password</td><td><input size=\"15\" type=\"password\" name=
+		}\"pass1\"></td></tr>";
 echo "<tr><td>Superuser Password (Confirm)</td><td><input size=\"15\" type=\"password\" name=\"pass2\"></td></tr>";
 echo "</table>";
 echo "<br />";

lpdf.php

@@ -220,6 +220,8 @@ class lpdf
 //				echo "breaking because nr==prevnr ($nr==$prevnr) trying to output [$textstr] (debug: fontsize=$fontsize, lineheight=$lineheight, stringwidth=$stringwidth, left=".$this->loc(0.75).", top=".$this->loc($this->yloc).", width=".$this->loc(7).", height=$lineheight)\n";
 				break;
 			}
+			$q=mysql_query("SELECT * FROM translations WHERE lang='".$_SESSION['lang']."' AND strmd5='".md5($str)."'");
+			if($r=@mysql_fetch_object($q))
 
 			$prevnr=$nr;
 //			printf("x=%f y=%f w=%f h=%f",$this->loc(0.75),$this->loc($this->yloc),$this->loc(7),$lineheight);

questions.inc.php

@@ -40,15 +40,17 @@ function questions_load_answers($section, $users_id)
 }
 
 function questions_load_questions($section, $year)
-{
+{	global $pdo;
-	$q = mysql_query('SELECT * FROM questions '.
+	$q = $pdo->prepare('SELECT * FROM questions '.
 			"WHERE year='$year' ".
 			"   AND section='$section'  ".
 			'ORDER BY ord ASC');
-	print(mysql_error());
+	$q->execute();
+
+	print($pdo->errorInfo());
 
 	$qs = array();
-	while($r=mysql_fetch_object($q)) {
+	while($r=$q->fetch(PDO::FETCH_OBJ)) {
 		$qs[$r->id]['id'] = $r->id;
 		$qs[$r->id]['ord'] = $r->ord;
 		$qs[$r->id]['section'] = $r->section;

register_participants.php

@@ -24,10 +24,11 @@
 <?
  require("common.inc.php");
 
-	$q=mysql_query("SELECT (NOW()>'".$config['dates']['regopen']."' AND NOW()<'".$config['dates']['regclose']."') AS datecheck,
+    $q = $pdo->query("SELECT (NOW()>'".$config['dates']['regopen']."' AND NOW()<'".$config['dates']['regclose']."') AS datecheck,
 			NOW()<'".$config['dates']['regopen']."' AS datecheckbefore,
 			NOW()>'".$config['dates']['regclose']."' AS datecheckafter");
-	$datecheck=mysql_fetch_object($q);
+	
+	$datecheck = $q->fetch(PDO::FETCH_OBJ);
 
  if($_POST['action']=="new") {
  	$q=mysql_query("SELECT email,num,id,schools_id FROM registrations WHERE email='".$_SESSION['email']."' AND num='".$_POST['regnum']."' AND year=".$config['FAIRYEAR']);
@@ -128,7 +129,7 @@
  
  if($_POST['action']=="login" && ( $_POST['email'] || $_SESSION['email']) ) {
  	if($_POST['email'])
-	 	$_SESSION['email']=stripslashes(mysql_escape_string($_POST['email']));
+	 	$_SESSION['email']=stripslashes($pdo->quote($_POST['email']));
 
  	echo "<form method=\"post\" action=\"register_participants.php\">";
 
@@ -137,32 +138,42 @@
 
 
  	//first, check if they have any registrations waiting to be opened
-	$q=mysql_query("SELECT * FROM registrations WHERE email='".$_SESSION['email']."' AND status='new' AND year='".$config['FAIRYEAR']."'");
+	 $q = $pdo->prepare("SELECT * FROM `registrations` WHERE `email` = :email AND `status` = 'new' AND `year` = :year");
-	if(mysql_num_rows($q)>0) {
+	 $q->bindParam(':email', $_SESSION['email'], PDO::PARAM_STR);
+	 $q->bindParam(':year', $config['FAIRYEAR'], PDO::PARAM_INT);
+	 
+	 $q->execute();
+	 
+
+	if($q->rowCount()>0) {
 		echo i18n("Please enter your <b>registration number</b> that you received in your email, in order to begin your new registration");
 		echo "<input type=\"hidden\" name=\"action\" value=\"new\">";
 		$allownew=false;
 	}
 	else {
 		//check if they have an already open registration
-		$q=mysql_query("SELECT 
+		
+			
+					$q = $pdo->prepare("SELECT 
 					students.email,
 					registrations.status,
 					registrations.id
 				FROM 
-					students,
+					students, registrations
-					registrations
 				WHERE 
-					students.email='".$_SESSION['email']."'
+					students.email = :email
-					AND students.year=".$config['FAIRYEAR']."
+					AND students.year = :year
-					AND registrations.year=".$config['FAIRYEAR']."
+					AND registrations.year = :year
-					AND 
+					AND registrations.status IN ('open', 'paymentpending', 'complete')
-					( 	registrations.status='open'
+					AND students.registrations_id = registrations.id");
-						OR registrations.status='paymentpending'
+
-						OR registrations.status='complete'
+$q->bindParam(':email', $_SESSION['email'], PDO::PARAM_STR);
-					)
+$q->bindParam(':year', $config['FAIRYEAR'], PDO::PARAM_INT);
-					AND students.registrations_id=registrations.id");
+
-		if(mysql_num_rows($q)>0) {
+$q->execute();
+
+		
+		if($q->rowCount()>0) {
 			$r=mysql_fetch_object($q);
 //			print_r($r);
 			echo i18n("Please enter your <b>registration number</b> in order to login");

user.inc.php

@@ -60,7 +60,7 @@ function user_generate_password($pwlen=8)
 
         $key="";
         for($x=0;$x<$pwlen;$x++)
-                $key.=$available{rand(0,$len)};
+                $key.=$available[rand(0,$len)];
         return $key;
 }
 
@@ -174,7 +174,7 @@ function user_load_alumni(&$u)
 }
 
 function user_load($user, $uid = false)
-{
+{	global $pdo;
 	/* So, it turns out that doing one big load is faster than loading just
 	 * from the users table then loading only the specific types the user
 	 * has.. go figure. */
@@ -197,16 +197,17 @@ function user_load($user, $uid = false)
 		$id = intval($user);
 		$query .= "	`users`.`id`='$id'";
 	}
-	$q=mysql_query($query);
+	$q=$pdo->query($query);
 
-	if(mysql_num_rows($q)!=1) {
+	if($q->rowCount()!=1) {
 //		echo "Query [$query] returned ".mysql_num_rows($q)." rows\n";
 //		echo "<pre>";
 //		print_r(debug_backtrace());
 		return false;
 	}
 
-	$ret = mysql_fetch_assoc($q);
+	
+	$ret = $q->fetch(PDO::FETCH_ASSOC);
 	/*
 	echo "ret looks like: ";
 	echo "<pre>";
@@ -686,7 +687,7 @@ function user_dupe_row($db, $key, $val, $newval)
 }
 /* Used by the login scripts to copy one user from one year to another */
 function user_dupe($u, $new_year)
-{
+{	global $pdo;
 	/* Dupe a user if:
 	 * - They don't exist in the current year
 	 *	(users->year != the target year (passed in so we can use it in the rollover script) )
@@ -695,9 +696,11 @@ function user_dupe($u, $new_year)
 	 * - That previous entry has deleted=no */
 
 	/* Find the last entry */
-	$q = mysql_query("SELECT id,uid,year,deleted FROM users WHERE uid='{$u['uid']}'
+	$q = $pdo->prepare("SELECT id,uid,year,deleted FROM users WHERE uid='{$u['uid']}'
 				ORDER BY year DESC LIMIT 1");
-	$r = mysql_fetch_object($q);
+	$q->execute();
+	$r = $q->fetch(PDO::FETCH_OBJ);
+	
 	if($r->deleted == 'yes') {
 		echo "Cannot duplicate user ID {$u['id']}, they are deleted.  Undelete them first.\n";
 		exit;

user_login.php

@@ -27,7 +27,7 @@
  require_once("user.inc.php");
 
  function try_login($user, $pass)
- {
+ {	global $pdo;
 	/* Ensure sanity of inputs, user should be an email address, but it's stored
 	 * in the username field */
 	/* FIXME: this should be user_valid_email, but can't be yet, because
@@ -43,21 +43,27 @@
 	//$x = user_valid_password($pass);
 	if(!strlen($pass))
 		return false;
-
+	
-	$user = mysql_escape_string($user);
+	$q = $pdo->prepare("SELECT id, username, password, year, deleted
-	$q = mysql_query("SELECT id,username,password,year,deleted
 				FROM users 
-				WHERE username='$user'
+				WHERE username = :username
-				AND deleted='no'
+				AND deleted = 'no'
 				ORDER BY year DESC LIMIT 1");
-	if(mysql_num_rows($q) < 1) return false;
 
-	$r = mysql_fetch_object($q);
+	$q->bindParam(':username', $user, PDO::PARAM_STR);
+
+
+	$q->execute();
+	if($q->rowCount() < 1) return false;
+
+	#$r = mysql_fetch_object($q);
+	$r = $q->fetch(PDO::FETCH_OBJ);
 
 	/* See if the user account has been deleted */
 	if($r->deleted == 'yes') return false;
 
 	/* See if the password matches */
+	/////// FIXME Use hash passwords
 	if($r->password != $pass) return false;
 
 	/* Login successful */
@@ -129,7 +135,7 @@
 	$reg_open = 'closed';
 	break;
  }
- if($_POST['action']=="login" )
+ if($_POST['action'] == "login")
  {
  	if($_POST['pass'] && $_POST['user'])
 	{
@@ -139,6 +145,7 @@
 			header("location: user_login.php?type=$type$redirect_url");
 			exit;
 		} 
+	
 
 		$u = user_load($id);
 
@@ -207,8 +214,10 @@
 			}
 		}
 
-		mysql_query("UPDATE users SET lastlogin=NOW() 
+
+		$q = $pdo->prepare("UPDATE users SET lastlogin=NOW() 
 				WHERE id={$u['id']}");
+		$q->execute();
 
 		/* Setup multirole so a multirole user can switch if they want to
 		 * without logging in/out */
@@ -247,7 +256,6 @@
 		header("location: {$type}_main.php");
 		exit;
 	}
-
 	message_push(error(i18n("Invalid Email/Password")));
 	header("location: user_login.php?type=$type");
 	exit;

winners.php

@@ -226,8 +226,7 @@ if($_GET['year'] && $_GET['type']) {
 	}
 }
 else
-{
+{	$q = $pdo->query("SELECT 
-	$q=mysql_query("SELECT 
 				DISTINCT(winners.year) AS year, 
 				dates.date 
 			FROM 
@@ -239,8 +238,9 @@ else
 				AND dates.date<=NOW()
 			ORDER BY 
 				year DESC");
+	
 	$first=true;
-	if(mysql_num_rows($q))
+	if($q->rowCount())
 	{
 		while($r=mysql_fetch_object($q))
 		{