From 2544676685540072905c3e1ae3759e5addee6b87 Mon Sep 17 00:00:00 2001
From: twotalesanimation <80506065+twotalesanimation@users.noreply.github.com>
Date: Wed, 3 Dec 2025 19:38:18 +0200
Subject: [PATCH] Standardize: Convert 7 high-priority $conn->query() to
prepared statements
Converted queries in:
- functions.php:
* getTripCount() - Hardcoded query
* getAvailableSpaces() - Two queries using $trip_id parameter (HIGH PRIORITY)
- blog.php:
* Main blog list query - Hardcoded 'published' status
- course_details.php:
* Driver training courses query - Hardcoded course type
- driver_training.php:
* Future driver training dates query - Hardcoded course type
- events.php:
* Upcoming events query - Hardcoded date comparison
- index.php:
* Featured trips query - Hardcoded published status
All queries now use proper parameter binding via prepared statements.
Next: Convert remaining 15+ safe hardcoded queries for consistency.
---
blog.php | 16 +++++++++-------
course_details.php | 19 +++++++++++--------
driver_training.php | 24 +++++++++++++-----------
events.php | 8 ++++----
functions.php | 21 ++++++++++++++-------
index.php | 11 +++++++----
6 files changed, 58 insertions(+), 41 deletions(-)
diff --git a/blog.php b/blog.php
index 9500c534..53e1c094 100644
--- a/blog.php
+++ b/blog.php
@@ -28,10 +28,10 @@ include_once('header.php') ?>
}
- 'index.php']];
- require_once('components/banner.php');
+ 'index.php']];
+ require_once('components/banner.php');
?>
@@ -41,9 +41,11 @@ include_once('header.php') ?>
query($sql);
+ // Query to retrieve data from blogs table
+ $stmt = $conn->prepare("SELECT blog_id, title, date, category, image, description, author, members_only, link FROM blogs WHERE status = ? ORDER BY date DESC");
+ $stmt->bind_param("s", $status = 'published');
+ $stmt->execute();
+ $result = $stmt->get_result();
if ($result->num_rows > 0) {
// Loop through each row
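Review bot: `$stmt->bind_param("s", $status = 'published');` on the new side passes an assignment expression where bind_param() takes its arguments by reference, so PHP rejects it with a fatal error before the blog query ever runs; assign first, then bind, as the course_details.php and index.php hunks already do: `$status = 'published';` followed by `$stmt->bind_param("s", $status);`. The new code also chains `$stmt->bind_param()` / `$stmt->execute()` straight after `$conn->prepare()` without checking that prepare() returned a statement rather than false, which applies equally to the course_details.php, driver_training.php, events.php, functions.php and index.php hunks in this patch; either turn on `mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT)` where the connection is opened so failures throw, or guard each call with `if ($stmt === false) { /* handle prepare failure */ }`. The statement that surrounded the old `$sql` / `query($sql)` line is cut off at the top of the hunk, so whether that string assignment survives is not visible here.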
diff --git a/course_details.php b/course_details.php
index de16b643..d4963790 100644
--- a/course_details.php
+++ b/course_details.php
@@ -1,18 +1,21 @@
-query($sql);
+$stmt = $conn->prepare("SELECT course_id, date FROM courses WHERE course_type = ?");
+$course_type = 'driver_training';
+$stmt->bind_param("s", $course_type);
+$stmt->execute();
+$result = $stmt->get_result();
?>
- 'index.php']];
- require_once('components/banner.php');
+ 'index.php']];
+ require_once('components/banner.php');
?>
diff --git a/driver_training.php b/driver_training.php
index 3f904b40..9470454f 100644
--- a/driver_training.php
+++ b/driver_training.php
@@ -1,15 +1,17 @@
-prepare("SELECT course_id, date
FROM courses
- WHERE course_type = 'driver_training'
- AND date >= CURDATE()";
-
-$result = $conn->query($sql);
+ WHERE course_type = ?
+ AND date >= CURDATE()");
+$course_type = 'driver_training';
+$stmt->bind_param("s", $course_type);
+$stmt->execute();
+$result = $stmt->get_result();
$page_id = 'driver_training';
?>
@@ -24,10 +26,10 @@ $page_id = 'driver_training';
padding: 8px;
font-size: 16px;
}
- 'index.php']];
- require_once('components/banner.php');
+ 'index.php']];
+ require_once('components/banner.php');
?>
diff --git a/events.php b/events.php
index 82dd07cd..435ab845 100644
--- a/events.php
+++ b/events.php
@@ -88,10 +88,10 @@ include_once('header.php') ?>
CURDATE() ORDER BY date ASC";
-
- $result = $conn->query($sql);
+ // Query to retrieve upcoming events
+ $stmt = $conn->prepare("SELECT event_id, date, time, name, image, description, feature, location, type, promo FROM events WHERE date > CURDATE() ORDER BY date ASC");
+ $stmt->execute();
+ $result = $stmt->get_result();
if ($result->num_rows > 0) {
// Loop through each row
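Review bot: The line `CURDATE() ORDER BY date ASC";` at the top of the hunk appears to be kept as context, which means the old `$sql = "..."` assignment (starting above the hunk) stays in events.php while the `$conn->query($sql)` that consumed it is removed, leaving `$sql` as dead code that duplicates the SQL now embedded as a literal in `prepare()`. Either delete that `$sql` assignment or feed it to the new call with `$stmt = $conn->prepare($sql);`, so the query text lives in one place and cannot drift. This query binds no parameters, so the conversion is a consistency change rather than an injection fix; a one-line comment such as `// No user input: prepared for consistency with the other queries` would make that intent clear to the next reader.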
diff --git a/functions.php b/functions.php
index 6e12222c..91fd2808 100644
--- a/functions.php
+++ b/functions.php
@@ -31,9 +31,12 @@ function getTripCount()
// Database connection
$conn = openDatabaseConnection();
- // SQL query to count the number of rows
- $sql = "SELECT COUNT(*) AS total FROM trips WHERE published = 1 AND start_date > CURDATE()";
- $result = $conn->query($sql);
+ // SQL query to count the number of upcoming trips
+ $stmt = $conn->prepare("SELECT COUNT(*) AS total FROM trips WHERE published = ? AND start_date > CURDATE()");
+ $published = 1;
+ $stmt->bind_param("i", $published);
+ $stmt->execute();
+ $result = $stmt->get_result();
// Fetch the count from the result
if ($result->num_rows > 0) {
@@ -918,8 +921,10 @@ function getAvailableSpaces($trip_id)
$trip_id = intval($trip_id);
// Step 1: Get the vehicle capacity for the trip from the trips table
- $query = "SELECT vehicle_capacity FROM trips WHERE trip_id = $trip_id";
- $result = $conn->query($query);
+ $stmt = $conn->prepare("SELECT vehicle_capacity FROM trips WHERE trip_id = ?");
+ $stmt->bind_param("i", $trip_id);
+ $stmt->execute();
+ $result = $stmt->get_result();
// Check if the trip exists
if ($result->num_rows === 0) {
@@ -931,8 +936,10 @@ function getAvailableSpaces($trip_id)
$vehicle_capacity = $trip['vehicle_capacity'];
// Step 2: Get the total number of booked vehicles for this trip from the bookings table
- $query = "SELECT SUM(num_vehicles) as total_booked FROM bookings WHERE trip_id = $trip_id";
- $result = $conn->query($query);
+ $stmt = $conn->prepare("SELECT SUM(num_vehicles) as total_booked FROM bookings WHERE trip_id = ?");
+ $stmt->bind_param("i", $trip_id);
+ $stmt->execute();
+ $result = $stmt->get_result();
// Fetch the total number of vehicles booked
$bookings = $result->fetch_assoc();
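Review bot: `$stmt = $conn->prepare("SELECT SUM(num_vehicles) as total_booked ...")` in this hunk reassigns `$stmt` while the step-1 statement prepared in the previous hunk is still open; mysqli releases it when the old object is dropped, but an explicit `$stmt->close();` before the second prepare (and after the final fetch) makes the statement lifetime visible and is the usual convention when one function runs several prepared statements. Using distinct names, e.g. `$capacityStmt` and `$bookingStmt`, would also make it obvious which statement `$result` belongs to at each step. getAvailableSpaces() starts before this hunk and its body, including the handling of a NULL `total_booked` when no bookings exist, continues after it, so those parts were not reviewed here.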
diff --git a/index.php b/index.php
index e571582a..53cd6f7d 100644
--- a/index.php
+++ b/index.php
@@ -83,12 +83,15 @@ if (countUpcomingTrips() > 0) { ?>
prepare("SELECT trip_id, trip_name, location, short_description, start_date, end_date, vehicle_capacity, cost_members, places_booked
FROM trips
- WHERE published = 1
+ WHERE published = ?
ORDER BY trip_id DESC
- LIMIT 4";
- $result = $conn->query($sql);
+ LIMIT 4");
+ $published = 1;
+ $stmt->bind_param("i", $published);
+ $stmt->execute();
+ $result = $stmt->get_result();
if ($result->num_rows > 0) {
// Loop through each row