Changed database access to PDO using prepared statements

useredit.php

@@ -13,20 +13,13 @@ $user_id = sanitize($_GET['user_id']);
 		
 include("header.php");
 
-$query = "SELECT
-	user_name,
-	user_displayname
-FROM
-	user
-WHERE
-	user_id=" . $user_id;
-		
-$user = $db->db_select($query);
-		
-$smarty->assign("user_id", $user_id);
-$smarty->assign("user_name", $user[0]['user_name']);
-$smarty->assign("user_displayname", $user[0]['user_displayname']);
-	
+$sql = "SELECT user_name AS name, user_displayname AS displayname
+        FROM user
+        WHERE user_id=?";
+$sth = $dbh->prepare($sql);
+$sth->execute([$user_id]);
+$smarty->assign("user", $sth->fetch(PDO::FETCH_OBJ));
+
 $smarty->display("useredit.tpl");
 		
 include("footer.php");