Remove: Deprecated MySQLi functions - convert to OOP prepared statements

- create_bar_tab.php: Replaced mysqli_real_escape_string() and procedural mysqli_query/mysqli_num_rows/mysqli_error with OOP prepared statements
- submit_order.php: Replaced mysqli_real_escape_string() and procedural mysqli_query/mysqli_error with OOP prepared statements
- fetch_drinks.php: Replaced mysqli_real_escape_string() and procedural mysqli_query/mysqli_fetch_assoc with OOP prepared statements
- comment_box.php: Removed mysqli_real_escape_string(), added CSRF token validation for comment submission

All files now use consistent OOP MySQLi approach with proper parameter binding. Fixes PHP 8.1+ compatibility and improves security against multi-byte character injection.

comment_box.php

@@ -10,7 +10,13 @@ $conn = openDatabaseConnection();
 
 // Handle comment post
 if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['submit_comment'])) {
-  $comment = $conn->real_escape_string(trim($_POST['comment']));
+  // Validate CSRF token
+  if (!isset($_POST['csrf_token']) || !validateCSRFToken($_POST['csrf_token'])) {
+    http_response_code(403);
+    die('Security token validation failed.');
+  }
+
+  $comment = trim($_POST['comment'] ?? '');
 
   if (!empty($comment)) {
     $stmt = $conn->prepare("INSERT INTO comments (page_id, user_id, comment) VALUES (?, ?, ?)");

create_bar_tab.php

@@ -12,35 +12,41 @@ if (!isset($_POST['csrf_token']) || !validateCSRFToken($_POST['csrf_token'])) {
 
 // Check if user_id is set in the POST request
 if (isset($_POST['user_id']) && !empty($_POST['user_id'])) {
-    // Sanitize the input to prevent SQL injection
+    // Validate user_id as integer
-    $user_id = mysqli_real_escape_string($conn, $_POST['user_id']);
+    $user_id = intval($_POST['user_id']);
+    if ($user_id <= 0) {
+        echo json_encode(['status' => 'error', 'message' => 'Invalid user ID.']);
+        exit();
+    }
+    
     $created_at = date('Y-m-d H:i:s'); // Use current date and time for created_at
 
     // First, check if a bar tab already exists for this user_id
-    $checkSql = "SELECT * FROM bar_tabs WHERE user_id = '$user_id' LIMIT 1";
+    $stmt = $conn->prepare("SELECT * FROM bar_tabs WHERE user_id = ? LIMIT 1");
-    $checkResult = mysqli_query($conn, $checkSql);
+    $stmt->bind_param("i", $user_id);
+    $stmt->execute();
+    $checkResult = $stmt->get_result();
 
-    if (mysqli_num_rows($checkResult) > 0) {
+    if ($checkResult->num_rows > 0) {
         // If a bar tab already exists for this user_id, return an error message
         echo json_encode(['status' => 'error', 'message' => 'A bar tab already exists for this user.']);
     } else {
         // Prepare the SQL query to insert a new record into the bar_tabs table
-        $sql = "INSERT INTO bar_tabs (user_id) VALUES ('$user_id')";
+        $stmt = $conn->prepare("INSERT INTO bar_tabs (user_id) VALUES (?)");
+        $stmt->bind_param("i", $user_id);
 
         // Execute the query
-        if (mysqli_query($conn, $sql)) {
+        if ($stmt->execute()) {
             // If the insertion is successful, return a success message
             echo json_encode(['status' => 'success', 'message' => 'Bar tab created successfully.']);
         } else {
             // If there's an error, return an error message
-            echo json_encode(['status' => 'error', 'message' => 'Error: ' . mysqli_error($conn)]);
+            echo json_encode(['status' => 'error', 'message' => 'Error: ' . $conn->error]);
         }
     }
 } else {
     // If user_id is not provided, return an error message
     echo json_encode(['status' => 'error', 'message' => 'User ID is required.']);
 }
-
-// Close the database connection
-mysqli_close($conn);
 ?>
+

fetch_drinks.php

@@ -1,16 +1,23 @@
 
+
 <?php
 require_once("connection.php");
 
 if (isset($_GET['tab_id'])) {
-    $tab_id = mysqli_real_escape_string($conn, $_GET['tab_id']);
+    $tab_id = (int) $_GET['tab_id']; // Convert to integer
+    
+    if ($tab_id <= 0) {
+        echo json_encode(['status' => 'error', 'message' => 'Invalid tab ID.']);
+        exit();
+    }
     
     // Fetch drinks available for this tab
-    $sql = "SELECT * FROM bar_items"; // Customize as needed
+    $stmt = $conn->prepare("SELECT * FROM bar_items");
-    $result = mysqli_query($conn, $sql);
+    $stmt->execute();
+    $result = $stmt->get_result();
 
     $drinks = [];
-    while ($row = mysqli_fetch_assoc($result)) {
+    while ($row = $result->fetch_assoc()) {
         $drinks[] = $row;
     }
 

submit_order.php

@@ -19,14 +19,16 @@ if (isset($_POST['tab_id']) && isset($_SESSION['cart'][$_POST['tab_id']])) {
 
     foreach ($drinks as $drink) {
         $drink_id = (int) $drink['item_id']; // Ensure drink ID is an integer
-        $drink_name = mysqli_real_escape_string($conn, $drink['item_name']);
+        $drink_name = $drink['item_name']; // No escaping needed with prepared statements
         $drink_price = (float) $drink['item_price']; // Ensure price is a float
-        $user_id = (float) $drink['user_id']; // Ensure price is a float
+        $user_id = (int) $drink['user_id']; // Convert to integer
 
-        // Insert each drink into the bar_transactions table
+        // Insert each drink into the bar_transactions table using prepared statement
-        $sql = "INSERT INTO bar_transactions (user_id, tab_id, item_id, item_name, item_price) VALUES ('$user_id', '$tab_id', '$drink_id', '$drink_name', '$drink_price')";
+        $stmt = $conn->prepare("INSERT INTO bar_transactions (user_id, tab_id, item_id, item_name, item_price) VALUES (?, ?, ?, ?, ?)");
-        if (!mysqli_query($conn, $sql)) {
+        $stmt->bind_param("iiisi", $user_id, $tab_id, $drink_id, $drink_name, $drink_price);
-            $errors[] = "Error inserting drink ID $drink_id: " . mysqli_error($conn);
+        
+        if (!$stmt->execute()) {
+            $errors[] = "Error inserting drink ID $drink_id: " . $conn->error;
         }
     }