Changed database access to PDO using prepared statements

assetclassview.php

@@ -13,37 +13,22 @@ $assetclass_id = sanitize($_GET['assetclass_id']);
 
 include("header.php");
 
-  $query = "SELECT
-		a.assetclass_id, a.assetclass_name,
-		g.assetclassgroup_id, g.assetclassgroup_name, g.assetclassgroup_color
-	FROM
-		assetclass AS a LEFT OUTER JOIN assetclassgroup AS g USING (assetclassgroup_id)
-	WHERE
-		a.assetclass_id=" . $assetclass_id;
+$sql = "SELECT a.assetclass_id, a.assetclass_name, g.assetclassgroup_id,
+            g.assetclassgroup_name, g.assetclassgroup_color
+	FROM assetclass AS a LEFT OUTER JOIN assetclassgroup AS g USING (assetclassgroup_id)
+	WHERE a.assetclass_id=?";
+$sth = $dbh->prepare($sql);
+$sth->execute([$assetclass_id]);
+$smarty->assign("assetclass", $sth->fetch(PDO::FETCH_OBJ));
 
-$assetclass = $db->db_select($query);
-
-$smarty->assign("assetclass_id", $assetclass[0]['assetclass_id']);
-$smarty->assign("assetclass_name", $assetclass[0]['assetclass_name']);
-$smarty->assign("assetclass_selected", "");
-
-$smarty->assign("assetclassgroup_id", $assetclass[0]['assetclassgroup_id']);
-$smarty->assign("assetclassgroup_name", $assetclass[0]['assetclassgroup_name']);
-$smarty->assign("assetclassgroup_color", $assetclass[0]['assetclassgroup_color']);
-
-$query = "SELECT
-		asset_id,
-		asset_name,
-		CONCAT(LEFT(asset_info, 80), IF(CHAR_LENGTH(asset_info)>80,'...','')) AS asset_info
-	FROM
-		asset
-	WHERE
-		assetclass_id='" . $assetclass_id . "'
-	ORDER BY
-		asset_name";
-
-$assets = $db->db_select($query);
-$smarty->assign("assets", $assets);
+$sql = "SELECT asset_id, asset_name,
+            CONCAT(LEFT(asset_info, 80), IF(CHAR_LENGTH(asset_info)>80,'...','')) AS asset_info
+	FROM asset
+	WHERE assetclass_id=?
+	ORDER BY asset_name";
+$sth = $dbh->prepare($sql);
+$sth->execute([$assetclass_id]);
+$smarty->assign("assets", $sth->fetchAll(PDO::FETCH_ASSOC));
 
 $smarty->display("assetclassview.tpl");