Changed database access to PDO using prepared statements

node.php

@@ -10,31 +10,43 @@ SPDX-License-Identifier: GPL-3.0-or-later
 include("includes.php");
 include("header.php");
 
+// filter preparation
+$p = array();
+$w = array();
+
 if(isset($_GET['subnet_id'])) {
     $subnet_id = sanitize($_GET['subnet_id']);
-    $subnet_view = "WHERE node.subnet_id=" . $subnet_id;
+    $w[] = "n.subnet_id=?";
+    $p[] = $subnet_id;
     $smarty->assign("subnet_id", $subnet_id);
+
+    // get subnet details for title
+    $sql = "SELECT CONCAT_WS('/',subnet_address,subnet_mask) AS subnet
+            FROM subnet
+            WHERE subnet_id=?";
+	$sth = $dbh->prepare($sql);
+	$sth->execute([$subnet_id]);
+    $smarty->assign("subnet", $sth->fetchColumn());
+
 } else {
     $smarty->assign("subnet_id", '');
-    $subnet_view = '';
 }
 
-$query = "SELECT
-        asset.asset_id,
-        REPLACE(asset.asset_name, ' ', ' ') AS asset_name,
-        asset.asset_info,
-        node.node_id,
-        node.node_ip
-    FROM
-        asset LEFT JOIN node USING (asset_id)
-    " . $subnet_view . "
-    GROUP BY
-        node.node_id
-    ORDER BY
-        INET_ATON(node.node_ip)";
+// create sql with optional filter
+$where = join(' AND ', $w);
+
+$sql = "SELECT a.asset_id, a.asset_info, 
+            REPLACE(a.asset_name, ' ', ' ') AS asset_name,
+            n.node_id, n.node_ip
+    FROM asset AS a LEFT JOIN node AS n USING (asset_id)";
+if ($where) {
+	$sql .= ' WHERE ' . $where;
+}
+$sql .= "GROUP BY n.node_id ORDER BY INET_ATON(n.node_ip)";
+$sth = $dbh->prepare($sql);
+$sth->execute($p);
+$smarty->assign("nodes", $sth->fetchAll());
 
-$nodes = $db->db_select($query);
-$smarty->assign("nodes", $nodes);
 $smarty->display("node.tpl");
 
 include("footer.php");