Changed database access to PDO using prepared statements

natadd.php

@@ -14,20 +14,19 @@ $node_id = sanitize($_GET['node_id']);
 include("header.php");
 	
 // node_ext
-$query = "SELECT
-		node_ip AS node_ip_ext
-	FROM
-		node
-	WHERE
-		node_id=" . $node_id;
+$sql = "SELECT node_ip AS node_ip_ext
+        FROM node
+        WHERE node_id=?";
+$sth = $dbh->prepare($sql);
+$sth->execute([$node_id]);
 
-$node = $db->db_select($query);
+$node = $sth->fetch(PDO::FETCH_OBJ);
 
 $smarty->assign("node_id_ext", $node_id);
-$smarty->assign("node_ip_ext", $node[0]['node_ip_ext']);
+$smarty->assign("node_ip_ext", $node->node_ip_ext);
 
 // node_int
-$query = "SELECT
+$sql = "SELECT
 		a.asset_name,
 		n.node_id AS node_id_int,
 		n.node_ip AS node_ip_int
@@ -40,13 +39,16 @@ $query = "SELECT
 			FROM
 				nat
 			WHERE
-				nat_ext=" . $node_id . "
+				nat_ext=?
 		)
-		AND n.node_id!=" . $node_id . "
+		AND n.node_id!=?
 	ORDER BY
 		INET_ATON(n.node_ip)";
+$sth = $dbh->prepare($sql);
+$sth->execute([$node_id, $node_id]);
+
+$nodes = $sth->fetchAll();
 
-$nodes = $db->db_select($query);
 foreach ($nodes as $rec) {
      $node_options[$rec['node_id_int']] = $rec['node_ip_int'] . '/' . $rec['asset_name'];
 }