Changed database access to PDO using prepared statements

subnetvlanadd.php

@@ -13,44 +13,25 @@ $subnet_id = sanitize($_GET['subnet_id']);
 		
 include("header.php");
 		
-	
-// subnet
-// build query
-$query = "SELECT
-		subnet_address,
-		subnet_mask
-	FROM
-		subnet
-	WHERE
-		subnet_id=" . $subnet_id;
+$sql = "SELECT subnet_id AS id, subnet_address AS address, subnet_mask AS mask
+        FROM subnet
+        WHERE subnet_id=?";
+$sth = $dbh->prepare($sql);
+$sth->execute([$subnet_id]);
 
-// run query
-$subnet = $db->db_select($query);
-
-$smarty->assign("subnet_id", $subnet_id);
-$smarty->assign("subnet_address", $subnet[0]['subnet_address']);
-$smarty->assign("subnet_mask", $subnet[0]['subnet_mask']);
+$smarty->assign("subnet", $sth->fetch(PDO::FETCH_OBJ));
 
 // vlan
-$query = " SELECT
-		vlan_id,
-		vlan_number,
-		vlan_name
-	FROM
-		vlan
-	WHERE
-		vlan_id NOT IN (
-			SELECT
-				vlan_id
-			FROM
-				subnetvlan
-			WHERE
-				subnet_id=" . $subnet_id . "
-		)
-	ORDER BY
-		vlan_number";
+$sql = "SELECT vlan_id, vlan_number, vlan_name
+        FROM vlan
+        WHERE vlan_id NOT IN (
+	    SELECT vlan_id FROM subnetvlan WHERE subnet_id=?
+	)
+        ORDER BY vlan_number";
+$sth = $dbh->prepare($sql);
+$sth->execute([$subnet_id]);
 		
-$vlans = $db->db_select($query);
+$vlans = $sth->fetchAll();
 foreach ($vlans as $vlan) {
     $vlan_options[$vlan['vlan_id']] =  $vlan['vlan_name'];
 }