Changed database access to PDO using prepared statements

asset.php

@@ -13,41 +13,33 @@ include("header.php");
 	
 
 // create letter links
-$query = "SELECT
-		SUBSTRING(UPPER(asset.asset_name),1,1) AS asset_letter
-	FROM
-		asset
-	GROUP BY
-		asset_letter
-	ORDER BY
-		asset_letter";
+$sql = "SELECT DISTINCT SUBSTRING(UPPER(asset_name),1,1) AS asset_letter
+	FROM asset
+	ORDER BY asset_letter";
+$sth = $dbh->query($sql);
 
-$alphabet = $db->db_select($query);
+$alphabet = $sth->fetchAll();
 $smarty->assign("alphabet", $alphabet);
 
-// setup current letter
-if(isset($_GET['asset_letter'])) {
-	$asset_letter = sanitize($_GET['asset_letter']);
+// total asset count
+$sth = $dbh->query("SELECT COUNT(*) FROM asset");
+$smarty->assign("assetcount", $sth->fetchColumn());
+
+// assetf for current letter
+if (isset($_GET['asset_letter'])) {
+    $asset_letter = sanitize($_GET['asset_letter']);
 } else {
-	$asset_letter = $alphabet[0]['asset_letter'];
+   $asset_letter = $alphabet[0]['asset_letter'];
 }
 		
-$query = "SELECT
-		a.asset_id,
-		IF(LENGTH(a.asset_name)>0, a.asset_name, '...') AS asset_name,
-		a.asset_info,
-		c.assetclass_id,
-		c.assetclass_name
-	FROM
-		asset AS a LEFT OUTER JOIN assetclass AS c USING (assetclass_id)
-	WHERE
-		SUBSTRING(a.asset_name,1,1) = '" . $asset_letter . "'
-	ORDER BY
-		a.asset_name";
-
-$assets = $db->db_select($query);
-
-$smarty->assign("assets", $assets);
+$sql = "SELECT a.asset_id, IF(LENGTH(a.asset_name)>0, a.asset_name, '...') AS asset_name,
+            a.asset_info, c.assetclass_id, c.assetclass_name
+	FROM asset AS a LEFT OUTER JOIN assetclass AS c USING (assetclass_id)
+	WHERE SUBSTRING(a.asset_name,1,1)=?
+	ORDER BY a.asset_name";
+$sth = $dbh->prepare($sql);
+$sth->execute([$asset_letter]);
+$smarty->assign("assets", $sth->fetchAll());
 
 $smarty->display("asset.tpl");