Changed database access to PDO using prepared statements

locationedit.php

@@ -14,39 +14,33 @@ $location_id = sanitize($_GET['location_id']);
 include("header.php");
 
 // location			
-$query = "SELECT
-	location_name,
-	location_parent,
-	location_info,
-	location_sort
-FROM
-	location
-WHERE
-	location_id=" . $location_id;
+$sql = "SELECT location_name AS name, location_parent AS parent,
+            location_info AS info, location_sort AS sort
+        FROM location
+        WHERE location_id=?";
+$sth = $dbh->prepare($sql);
+$sth->execute([$location_id]);
+$location = $sth->fetch(PDO::FETCH_OBJ);
 		
-$location = $db->db_select($query);
-		
-$location_parent = $location[0]['location_parent'];
-		
-$smarty->assign("location_id", $location_id);
+$location_parent = $location->parent;
+
+$smarty->assign("location", $location);
+
+/*$smarty->assign("location_id", $location_id);
 $smarty->assign("location_name", $location[0]['location_name']);
 $smarty->assign("location_info", $location[0]['location_info']);
-$smarty->assign("location_sort", $location[0]['location_sort']);
+$smarty->assign("location_sort", $location[0]['location_sort']); */
 
 // parent location
-$query = "SELECT
-	location_id,
-	location_name,
-	location_parent
-FROM
-	location
-WHERE
-	location_id != " . $location_id . "
-ORDER BY
-	location_name";
-			
-$locations = $db->db_select($query);
-			
+$sql = "SELECT location_id, location_name, location_parent
+        FROM location
+        WHERE location_id != ?
+        ORDER BY location_name";
+$sth = $dbh->prepare($sql);
+$sth->execute([$location_id]);
+		
+$locations = $sth->fetchAll();
+
 $location_counter = count($locations);
 			
 $smarty->assign("location_counter", $location_counter);