Changed database access to PDO using prepared statements

nodeview.php

@@ -18,66 +18,70 @@ if (isset($_GET['node_id']) && (!empty($_GET['node_id']))) {
 }
 
 include("header.php");
-// node
-$query = "SELECT
-        asset.asset_id,
-        asset.asset_name,
-        node.node_id,
-        node.node_ip,
-        node.node_mac,
-        node.node_dns1,
-        node.node_dns2,
-        node.node_info,
-        node.node_type,
-        subnet.subnet_id,
-        subnet.subnet_address,
-        subnet.subnet_mask,
-        zone.zone_origin
-    FROM
-        node
-        JOIN asset USING (asset_id)
-        JOIN subnet USING (subnet_id)
-        LEFT JOIN zone USING (zone_id)
-    WHERE
-        node.node_id=" . $node_id;
 
-$node = $db->db_select($query);
-$node[0]['node_mac'] = write_mac($node[0]['node_mac']);
-$smarty->assign("node", $node[0]);
+// node
+$sql = "SELECT
+            asset.asset_id,
+            asset.asset_name,
+            node.node_id AS id,
+            node.node_ip AS ip,
+            node.node_mac AS mac,
+            node.node_dns1 AS dns1,
+            node.node_dns2 AS dns2,
+            node.node_info AS info,
+            node.node_type AS type,
+            subnet.subnet_id,
+            subnet.subnet_address,
+            subnet.subnet_mask,
+            zone.zone_origin
+        FROM
+            node
+            JOIN asset USING (asset_id)
+            JOIN subnet USING (subnet_id)
+            LEFT JOIN zone USING (zone_id)
+        WHERE
+            node.node_id=?";
+$sth = $dbh->prepare($sql);
+$sth->execute([$node_id]);
+
+$node = $sth->fetch(PDO::FETCH_OBJ);
+$node->mac = write_mac($node->mac);
+$smarty->assign("node", $node);
 
 // nat
-$query = "SELECT
-        asset_ext.asset_id AS asset_id_ext,
-        asset_int.asset_id AS asset_id_int,
-        asset_ext.asset_name AS asset_name_ext,
-        asset_int.asset_name AS asset_name_int,
-        nat.nat_id AS nat_id,
-        nat.nat_type AS nat_type,
-        nat.nat_ext AS nat_ext,
-        nat.nat_int AS nat_int,
-        node_ext.node_ip AS node_ip_ext,
-        node_int.node_ip AS node_ip_int,
-        node_int.node_id AS node_id_int,
-        node_ext.node_id AS node_id_ext
-    FROM
-        asset AS asset_ext,
-        asset AS asset_int,
-        nat,
-        node AS node_ext,
-        node AS node_int
-    WHERE
-        (nat.nat_ext=" . $node_id . "
-        OR nat.nat_int=" . $node_id . ")
-        AND node_ext.node_id=nat.nat_ext
-        AND node_int.node_id=nat.nat_int
-        AND asset_ext.asset_id=node_ext.asset_id
-        AND asset_int.asset_id=node_int.asset_id
-    ORDER BY
-        INET_ATON(node_ext.node_ip),
-        INET_ATON(node_int.node_ip)";
+$sql = "SELECT
+            asset_ext.asset_id AS asset_id_ext,
+            asset_int.asset_id AS asset_id_int,
+            asset_ext.asset_name AS asset_name_ext,
+            asset_int.asset_name AS asset_name_int,
+            nat.nat_id AS nat_id,
+            nat.nat_type AS nat_type,
+            nat.nat_ext AS nat_ext,
+            nat.nat_int AS nat_int,
+            node_ext.node_ip AS node_ip_ext,
+            node_int.node_ip AS node_ip_int,
+            node_int.node_id AS node_id_int,
+            node_ext.node_id AS node_id_ext
+        FROM
+            asset AS asset_ext,
+            asset AS asset_int,
+            nat,
+            node AS node_ext,
+            node AS node_int
+        WHERE
+            (nat.nat_ext=:node_id OR nat.nat_int=:node_id)
+            AND node_ext.node_id=nat.nat_ext
+            AND node_int.node_id=nat.nat_int
+            AND asset_ext.asset_id=node_ext.asset_id
+            AND asset_int.asset_id=node_int.asset_id
+        ORDER BY
+            INET_ATON(node_ext.node_ip),
+            INET_ATON(node_int.node_ip)";
 
-$natrules = $db->db_select($query);
-$smarty->assign("natrules", $natrules);
+$sth = $dbh->prepare($sql);
+$sth->execute(['node_id' => $node_id]);
+
+$smarty->assign("natrules", $sth->fetchAll());
 
 $smarty->display("nodeview.tpl");