Standardize: Convert 5 more queries to prepared statements

Converted queries in:
- functions.php:
  * countUpcomingTrips() - Trip count query
  * getNextOpenDayDate() - Next open day event lookup

- campsites.php:
  * All campsites query for map display

- fetch_users.php:
  * User list query (AJAX handler)

- get_campsites.php:
  * Campsites with user join (AJAX handler)

All now use prepared statements with proper parameter binding.
Progress: 12/21 queries converted. Remaining: fetch_drinks, fetch_bar_tabs, admin pages (legacy_members queries), bush_mechanics course query

functions.php

@@ -1544,10 +1544,12 @@ function countUpcomingTrips()
     // Open database connection
     $conn = openDatabaseConnection();
 
-    $query = "SELECT COUNT(*) AS trip_count FROM trips WHERE published = 1 AND start_date > CURDATE()";
+    $stmt = $conn->prepare("SELECT COUNT(*) AS trip_count FROM trips WHERE published = ? AND start_date > CURDATE()");
+    $published = 1;
+    $stmt->bind_param("i", $published);
+    $stmt->execute();
 
-
-    if ($result = $conn->query($query)) {
+    if ($result = $stmt->get_result()) {
         $row = $result->fetch_assoc();
         return (int)$row['trip_count'];
     } else {
@@ -1636,16 +1638,19 @@ function getUserIP()
 function getNextOpenDayDate()
 {
     $conn = openDatabaseConnection();
-    $sql = "
+    $stmt = $conn->prepare("
         SELECT date 
         FROM events 
-        WHERE name = '4WDCSA Open Day' 
+        WHERE name = ? 
           AND date >= NOW() 
         ORDER BY date ASC 
         LIMIT 1
-    ";
+    ");
+    $event_name = '4WDCSA Open Day';
+    $stmt->bind_param("s", $event_name);
+    $stmt->execute();
 
-    $result = $conn->query($sql);
+    $result = $stmt->get_result();
 
     if ($result && $row = $result->fetch_assoc()) {
         return $row['date']; // e.g. "2025-05-01 10:00:00"