Converted queries in:
- functions.php:
  * getTripCount() - Hardcoded query
  * getAvailableSpaces() - Two queries using $trip_id parameter (HIGH PRIORITY)
- blog.php:
  * Main blog list query - Hardcoded 'published' status
- course_details.php:
  * Driver training courses query - Hardcoded course type
- driver_training.php:
  * Future driver training dates query - Hardcoded course type
- events.php:
  * Upcoming events query - Hardcoded date comparison
- index.php:
  * Featured trips query - Hardcoded published status
All queries now use proper parameter binding via prepared statements.
Next: Convert remaining 15+ safe hardcoded queries for consistency.
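The pattern this commit describes, as an added example rather than the project's own code: a getAvailableSpaces()-style lookup in which the caller-supplied $trip_id is bound through mysqli prepared statements instead of being interpolated into the SQL text. The table and column names (trips.id, trips.capacity, bookings.trip_id, bookings.seats, bookings.status) are assumptions for illustration; the commit does not name the schema.

```php
<?php
// Added example, not code from the repository. Assumed schema:
//   trips(id, capacity)  and  bookings(trip_id, seats, status)
// Throw on driver errors so a failed prepare() cannot be silently ignored.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function getAvailableSpaces(mysqli $db, int $tripId): ?int
{
    // Query 1: capacity of the trip. The id is bound as an integer ('i'),
    // so it can never alter the statement text.
    $stmt = $db->prepare('SELECT capacity FROM trips WHERE id = ?');
    $stmt->bind_param('i', $tripId);
    $stmt->execute();
    $stmt->bind_result($capacity);
    if (!$stmt->fetch()) {
        $stmt->close();
        return null; // unknown trip id
    }
    $stmt->close();

    // Query 2: seats already booked. The status value is a literal chosen by
    // the code, so it stays in the SQL text; the user-controlled id is bound.
    $stmt = $db->prepare(
        "SELECT COALESCE(SUM(seats), 0) FROM bookings WHERE trip_id = ? AND status = 'confirmed'"
    );
    $stmt->bind_param('i', $tripId);
    $stmt->execute();
    $stmt->bind_result($booked);
    $stmt->fetch();
    $stmt->close();

    return max(0, (int) $capacity - (int) $booked);
}

// Typical call from a page that receives the id from the query string.
// The int cast plus the typed parameter reject non-numeric input early.
// $spaces = getAvailableSpaces($db, (int) ($_GET['trip_id'] ?? 0));
```

The hardcoded queries mentioned above (a fixed 'published' status, a fixed course type) carry no user input, which is why the commit marks them lower priority; converting them is about consistency, so that every query on the site goes through the same prepare-and-bind path and a later edit that adds a parameter cannot accidentally fall back to string concatenation.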
- Updated 39 pages from old header01.php and header02.php includes
- All pages now use single configurable header.php with $headerStyle variable
- Light style (default): Most pages (login, register, trips, courses, etc.)
- Dark style: Coming from header01 original usage
Pages updated:
- Admin pages: admin_*.php (10 files)
- Booking pages: bookings.php, campsite_booking.php, etc.
- Content pages: blog.php, blog_details.php, contact.php, events.php, etc.
- User pages: account_settings.php, membership*.php, register.php, etc.
- Utility pages: 404.php, payment_confirmation.php, reset_password.php, etc.
All pages now maintain single header template source - easier to update navigation, styles, and functionality across the entire site.
Updated forms with hidden CSRF token fields:
- comment_box.php - Comment form
- course_details.php - Course booking form
- campsites.php - Campsite addition modal form
- bar_tabs.php - Bar tab creation modal form
- membership_application.php - Membership application form
Updated backend processors with CSRF validation:
- create_bar_tab.php - Bar tab AJAX processor
- add_campsite.php - Campsite form processor
- submit_order.php - Order submission processor
All forms now require validated CSRF tokens before processing, preventing cross-site request forgery attacks.
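An added example of the token mechanism described in this commit (not the project's own code): a per-session token emitted as a hidden field for ordinary forms and checked in the backend processor, with the same check also accepting a request header so an AJAX processor such as the bar tab one can be covered. The helper names csrf_token(), csrf_field() and csrf_verify(), the field name csrf_token and the header name X-CSRF-Token are assumptions for illustration.

```php
<?php
// Added example, not code from the repository. Helper names and the
// csrf_token field / X-CSRF-Token header are illustrative assumptions.
session_start();

// One unpredictable token per session, generated with the CSPRNG.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field to drop into a form (comment form, booking form, modal forms).
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Check for a backend processor. Reads the token from the POST body, or from
// the X-CSRF-Token header for AJAX callers. hash_equals() compares in
// constant time; the empty-expected guard stops "" matching "" when no
// token has been issued yet.
function csrf_verify(): bool
{
    $sent = $_POST['csrf_token'] ?? ($_SERVER['HTTP_X_CSRF_TOKEN'] ?? '');
    $expected = $_SESSION['csrf_token'] ?? '';
    return is_string($sent) && $expected !== '' && hash_equals($expected, $sent);
}

// Usage at the top of a processor, before any state-changing work:
if ($_SERVER['REQUEST_METHOD'] === 'POST' && !csrf_verify()) {
    http_response_code(403);
    exit('Invalid CSRF token');
}

// Usage inside a form template:
// <form method="post" action="add_campsite.php">
//   <?= csrf_field() ?>
//   ...
// </form>
```

Because the token lives in the session and is compared server-side, a cross-site page can cause the browser to send the cookie but cannot read or guess the token to include in the forged request, which is the property the commit relies on; the check must run before the processor touches the database, and it should cover every state-changing entry point, not only the ones with visible forms.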