Use prepared queries on stats and store

sections/stats/torrents.php

 LIMIT 1, 12
 */
 if (!list($Labels, $InFlow, $OutFlow, $Max) = $Cache->get_value('torrents_timeline')) {
-    $DB->query("
+    $DB->prepared_query("
     SELECT
       DATE_FORMAT(`Time`, '%b %Y') AS Month,
       COUNT(`ID`)
     ");
     $TimelineIn = array_reverse($DB->to_array());
 
-    $DB->query("
+    $DB->prepared_query("
     SELECT
       DATE_FORMAT(`Time`, '%b %Y') AS Month,
       COUNT(`ID`)
 }
 
 if (!$CategoryDistribution = $Cache->get_value('category_distribution')) {
-    $DB->query("
+    $DB->prepared_query("
     SELECT
       tg.`category_id`,
       COUNT(t.`ID`) AS Torrents

sections/stats/users.php

 
 
 if (!$ClassDistribution = $Cache->get_value('class_distribution')) {
-    $DB->query("
+    $DB->prepared_query("
       SELECT p.Name, COUNT(m.ID) AS Users
       FROM users_main AS m
         JOIN permissions AS p ON m.PermissionID = p.ID
 }
 
 if (!$PlatformDistribution = $Cache->get_value('platform_distribution')) {
-    $DB->query("
+    $DB->prepared_query("
       SELECT OperatingSystem, COUNT(DISTINCT UserID) AS Users
       FROM users_sessions
       GROUP BY OperatingSystem
 }
 
 if (!$BrowserDistribution = $Cache->get_value('browser_distribution')) {
-    $DB->query("
+    $DB->prepared_query("
       SELECT Browser, COUNT(DISTINCT UserID) AS Users
       FROM users_sessions
       GROUP BY Browser
 
 // Timeline generation
 if (!list($Labels, $InFlow, $OutFlow) = $Cache->get_value('users_timeline')) {
-    $DB->query("
+    $DB->prepared_query("
       SELECT DATE_FORMAT(JoinDate,\"%b %Y\") AS Month, COUNT(UserID)
       FROM users_info
       GROUP BY Month
       LIMIT 1, 11");
     $TimelineIn = array_reverse($DB->to_array());
 
-    $DB->query("
+    $DB->prepared_query("
       SELECT DATE_FORMAT(BanDate,\"%b %Y\") AS Month, COUNT(UserID)
       FROM users_info
       WHERE BanDate > 0

sections/store/badge.php

 
 if (isset($_GET['confirm']) && $_GET['confirm'] === '1') {
     if (!isset($Err)) {
-        $DB->query("
+        $DB->prepared_query("
           SELECT BonusPoints
           FROM users_main
           WHERE ID = $UserID");
                 if (!Badges::award_badge($UserID, $BadgeID)) {
                     $Err = 'Could not award badge, unknown error occurred.';
                 } else {
-                    $DB->query("
+                    $DB->prepared_query("
                       UPDATE users_main
                       SET BonusPoints = BonusPoints - " . $Prices[$BadgeID] ."
                       WHERE ID = $UserID");
 
-                    $DB->query("
+                    $DB->prepared_query("
                       UPDATE users_info
                       SET AdminComment = CONCAT('".sqltime()." - Purchased badge $BadgeID from store\n\n', AdminComment)
                       WHERE UserID = $UserID");

sections/store/coinbadge.php

 #declare(strict_types=1);
 
 $UserID = $LoggedUser['ID'];
-$DB->query("
+$DB->prepared_query("
   SELECT First, Second
   FROM misc
   WHERE Name='CoinBadge'");
 if ($DB->has_results()) {
     list($Purchases, $Price) = $DB->next_record();
 } else {
-    $DB->query("
+    $DB->prepared_query("
     INSERT INTO misc
       (Name, First, Second)
     VALUES ('CoinBadge', 0, 1000)");
   if (isset($_GET['confirm'])
    && $_GET['confirm'] === 1
    && !Badges::has_badge($UserID, 255)) {
-      $DB->query("
+      $DB->prepared_query("
       SELECT BonusPoints
       FROM users_main
       WHERE ID = $UserID");
           if (!Badges::award_badge($UserID, 255)) {
               $Err = 'Could not award badge, unknown error occurred.';
           } else {
-              $DB->query("
+              $DB->prepared_query("
               UPDATE users_main
               SET BonusPoints = BonusPoints - $Price
               WHERE ID = $UserID");
 
-              $DB->query("
+              $DB->prepared_query("
               UPDATE users_info
               SET AdminComment = CONCAT('".sqltime()." - Purchased badge 255 from store\n\n', AdminComment)
               WHERE UserID = $UserID");
               $x = $Purchases;
               $Price = 1000+$x*(10000+1400*((sin($x/1.3)+cos($x/4.21))+(sin($x/2.6)+cos(2*$x/4.21))/2));
 
-              $DB->query("
+              $DB->prepared_query("
               UPDATE misc
               SET First  = $Purchases,
                 Second = $Price

sections/store/freeleechize.php

     $UserID = $LoggedUser['ID'];
 
     // Make sure torrent exists
-    $DB->query("
+    $DB->prepared_query("
       SELECT FreeTorrent, FreeLeechType
       FROM torrents
       WHERE ID = $TorrentID");
         error('Torrent does not exist');
     }
 
-    $DB->query("
+    $DB->prepared_query("
       SELECT BonusPoints
       FROM users_main
       WHERE ID = $UserID");
         list($Points) = $DB->next_record();
 
         if ($Points >= $Cost) {
-            $DB->query("
+            $DB->prepared_query("
               SELECT TorrentID
               FROM shop_freeleeches
               WHERE TorrentID = $TorrentID");
 
             if ($DB->has_results()) {
-                $DB->query("
+                $DB->prepared_query("
                   UPDATE shop_freeleeches
                   SET ExpiryTime = ExpiryTime + INTERVAL 1 DAY
                   WHERE TorrentID = $TorrentID");
             } else {
-                $DB->query("
+                $DB->prepared_query("
                   INSERT INTO shop_freeleeches
                     (TorrentID, ExpiryTime)
                   VALUES($TorrentID, NOW() + INTERVAL 1 DAY)");
                 Torrents::freeleech_torrents($TorrentID, 1, 3);
             }
 
-            $DB->query("
+            $DB->prepared_query("
               UPDATE users_main
               SET BonusPoints = BonusPoints - $Cost
               WHERE ID = $UserID");
 
-            $DB->query("
+            $DB->prepared_query("
               UPDATE users_info
               SET AdminComment = CONCAT('".sqltime()." - Made TorrentID $TorrentID freeleech for 24 more hours via the store\n\n', AdminComment)
               WHERE UserID = $UserID");

sections/store/freeleechpool.php

     }
 
     $UserID = $LoggedUser['ID'];
-    $DB->query("
+    $DB->prepared_query("
       SELECT BonusPoints
       FROM users_main
       WHERE ID = $UserID");
         if ($Points >= $Donation) {
             $PoolTipped = false;
 
-            $DB->query("
+            $DB->prepared_query("
               UPDATE users_main
               SET BonusPoints = BonusPoints - $Donation
               WHERE ID = $UserID");
 
-            $DB->query("
+            $DB->prepared_query("
               UPDATE misc
               SET First = First + $Donation
               WHERE Name = 'FreeleechPool'");
             $Cache->delete_value('user_info_heavy_'.$UserID);
 
             // Check to see if we're now over the target pool size
-            $DB->query("
+            $DB->prepared_query("
               SELECT First, Second
               FROM misc
               WHERE Name = 'FreeleechPool'");
 
                     for ($i = 0; $i < $NumTorrents; $i++) {
                         $TorrentSize = intval($Pool * (($i===$NumTorrents-1)?1:(rand(10, 80)/100)) * 100000); # todo
-                        $DB->query("
+                        $DB->prepared_query("
                           SELECT ID, Size
                           FROM torrents
                           WHERE Size < $TorrentSize
                         if ($DB->has_results()) {
                             list($TorrentID, $Size) = $DB->next_record();
 
-                            $DB->query("
+                            $DB->prepared_query("
                               INSERT INTO shop_freeleeches
                                 (TorrentID, ExpiryTime)
                               VALUES($TorrentID, NOW() + INTERVAL 2 DAY)");
                     }
 
                     $Target = rand(10000, 100000);
-                    $DB->query("
+                    $DB->prepared_query("
                       UPDATE misc
                       SET First = 0,
                         Second = $Target
 <?php
 View::show_footer();
 } else {
-    $DB->query("
+    $DB->prepared_query("
       SELECT First
       FROM misc
       WHERE Name = 'FreeleechPool'");

sections/store/invite.php

 $Purchase = "1 invite";
 $UserID = $LoggedUser['ID'];
 
-$DB->query("
+$DB->prepared_query("
   SELECT BonusPoints
   FROM users_main
   WHERE ID = $UserID");
     list($Points) = $DB->next_record();
 
     if ($Points >= $Cost) {
-        $DB->query("
+        $DB->prepared_query("
           UPDATE users_main
           SET BonusPoints = BonusPoints - $Cost,
             Invites = Invites + 1
           WHERE ID = $UserID");
 
-        $DB->query("
+        $DB->prepared_query("
           UPDATE users_info
           SET AdminComment = CONCAT('".sqltime()." - Purchased an invite from the store\n\n', AdminComment)
           WHERE UserID = $UserID");

sections/store/points_1.php

 $GiB = 1024 * 1024 * 1024;
 $Cost = intval(0.15 * $GiB);
 
-$DB->query("
+$DB->prepared_query("
   SELECT Uploaded
   FROM users_main
   WHERE ID = $UserID");
     list($Upload) = $DB->next_record();
 
     if ($Upload >= $Cost) {
-        $DB->query("
+        $DB->prepared_query("
           UPDATE users_main
           SET BonusPoints = BonusPoints + 10,
             Uploaded = Uploaded - $Cost
           WHERE ID = $UserID");
 
-        $DB->query("
+        $DB->prepared_query("
           UPDATE users_info
           SET AdminComment = CONCAT('".sqltime()." - $Purchase from the store\n\n', AdminComment)
           WHERE UserID = $UserID");

sections/store/points_10.php

 $GiB = 1024 * 1024 * 1024;
 $Cost = 1.5 * $GiB;
 
-$DB->query("
+$DB->prepared_query("
   SELECT Uploaded
   FROM users_main
   WHERE ID = $UserID");
     list($Upload) = $DB->next_record();
 
     if ($Upload >= $Cost) {
-        $DB->query("
+        $DB->prepared_query("
           UPDATE users_main
           SET BonusPoints = BonusPoints + 100,
             Uploaded = Uploaded - $Cost
           WHERE ID = $UserID");
 
-        $DB->query("
+        $DB->prepared_query("
           UPDATE users_info
           SET AdminComment = CONCAT('".sqltime()." - $Purchase from the store\n\n', AdminComment)
           WHERE UserID = $UserID");

sections/store/points_100.php

 $GiB = 1024 * 1024 * 1024;
 $Cost = 15.0 * $GiB;
 
-$DB->query("
+$DB->prepared_query("
   SELECT Uploaded
   FROM users_main
   WHERE ID = $UserID");
     list($Upload) = $DB->next_record();
 
     if ($Upload >= $Cost) {
-        $DB->query("
+        $DB->prepared_query("
           UPDATE users_main
           SET BonusPoints = BonusPoints + 1000,
             Uploaded = Uploaded - $Cost
           WHERE ID = $UserID");
 
-        $DB->query("
+        $DB->prepared_query("
           UPDATE users_info
           SET AdminComment = CONCAT('".sqltime()." - $Purchase from the store\n\n', AdminComment)
           WHERE UserID = $UserID");

sections/store/points_1000.php

 $GiB = 1024*1024*1024;
 $Cost = 150.0 * $GiB;
 
-$DB->query("
+$DB->prepared_query("
   SELECT Uploaded
   FROM users_main
   WHERE ID = $UserID");
     list($Upload) = $DB->next_record();
 
     if ($Upload >= $Cost) {
-        $DB->query("
+        $DB->prepared_query("
           UPDATE users_main
           SET BonusPoints = BonusPoints + 10000,
             Uploaded = Uploaded - $Cost
           WHERE ID = $UserID");
 
-        $DB->query("
+        $DB->prepared_query("
           UPDATE users_info
           SET AdminComment = CONCAT('".sqltime()." - $Purchase from the store\n\n', AdminComment)
           WHERE UserID = $UserID");

sections/store/promotion.php

 );
 
 $To = -1;
-$DB->query("
+$DB->prepared_query("
   SELECT PermissionID, BonusPoints, Warned, Uploaded, Downloaded, (Uploaded / Downloaded) AS Ratio, Enabled, COUNT(torrents.ID) AS Uploads, COUNT(DISTINCT torrents.GroupID) AS Groups
   FROM users_main
     JOIN users_info ON users_main.ID = users_info.UserID
         $Err[] = "This account is disabled, how did you get here?";
     } else {
         if ($Classes[$To]['NonSmall'] > 0) {
-            $DB->query("
+            $DB->prepared_query("
               SELECT COUNT(torrents.ID)
               FROM torrents
               JOIN torrents_group ON torrents.GroupID = torrents_group.ID
         }
 
         if (!isset($Err)) {
-            $DB->query("
+            $DB->prepared_query("
               UPDATE users_main
               SET
                 BonusPoints = BonusPoints - ".$Classes[$To]['Price'].",
                 PermissionID = $To
               WHERE ID = $UserID");
 
-            $DB->query("
+            $DB->prepared_query("
               UPDATE users_info
               SET AdminComment = CONCAT('".sqltime()." - Class changed to ".Users::make_class_string($To)." via store purchase\n\n', AdminComment)
               WHERE UserID = $UserID");

sections/store/store.php

 
 if (!$LoggedUser['DisablePoints']) {
     $PointsRate = 0;
-    $getTorrents = $DB->query("
+    $getTorrents = $DB->prepared_query("
       SELECT um.BonusPoints,
         COUNT(DISTINCT x.fid) AS Torrents,
         SUM(t.Size) AS Size,
       </tr>
 
       <?php
-$DB->query("
+$DB->prepared_query("
   SELECT ID AS BadgeID, Name, Description
   FROM badges
   WHERE ID IN (40, 41, 42, 43, 44, 45, 46, 47, 48)

sections/store/title.php

     $Title = htmlspecialchars($_POST['title'], ENT_QUOTES);
     $UserID = $LoggedUser['ID'];
 
-    $DB->query("
+    $DB->prepared_query("
       SELECT BonusPoints
       FROM users_main
       WHERE ID = $UserID");
         list($Points) = $DB->next_record();
 
         if ($Points >= $Cost) {
-            $DB->query("
+            $DB->prepared_query("
               UPDATE users_main
               SET BonusPoints = BonusPoints - $Cost,
                 Title = ?
               WHERE ID = ?", $Title, $UserID);
 
-            $DB->query("
+            $DB->prepared_query("
               UPDATE users_info
               SET AdminComment = CONCAT(NOW(), ' - Changed title to ', ?, ' via the store\n\n', AdminComment)
               WHERE UserID = ?", $Title, $UserID);

sections/store/token.php

 $Purchase = "1 freeleech token";
 $UserID = $LoggedUser['ID'];
 
-$DB->query("
+$DB->prepared_query("
   SELECT BonusPoints
   FROM users_main
   WHERE ID = $UserID");
     list($Points) = $DB->next_record();
 
     if ($Points >= $Cost) {
-        $DB->query("
+        $DB->prepared_query("
           UPDATE users_main
           SET BonusPoints = BonusPoints - $Cost,
             FLTokens = FLTokens + 1
           WHERE ID = $UserID");
 
-        $DB->query("
+        $DB->prepared_query("
           UPDATE users_info
           SET AdminComment = CONCAT('".sqltime()." - Purchased a freeleech token from the store\n\n', AdminComment)
           WHERE UserID = $UserID");

sections/store/upload_1.php

 $GiB = 1024*1024*1024;
 $Cost = 15;
 
-$DB->query("
+$DB->prepared_query("
   SELECT BonusPoints
   FROM users_main
   WHERE ID = $UserID");
     list($Points) = $DB->next_record();
 
     if ($Points >= $Cost) {
-        $DB->query("
+        $DB->prepared_query("
           UPDATE users_main
           SET BonusPoints = BonusPoints - $Cost,
             Uploaded = Uploaded + ($GiB * 0.1)
           WHERE ID = $UserID");
 
-        $DB->query("
+        $DB->prepared_query("
           UPDATE users_info
           SET AdminComment = CONCAT('".sqltime()." - $Purchase from the store\n\n', AdminComment)
           WHERE UserID = $UserID");

sections/store/upload_10.php

 $GiB = 1024*1024*1024;
 $Cost = 150;
 
-$DB->query("
+$DB->prepared_query("
   SELECT BonusPoints
   FROM users_main
   WHERE ID = $UserID");
     list($Points) = $DB->next_record();
 
     if ($Points >= $Cost) {
-        $DB->query("
+        $DB->prepared_query("
           UPDATE users_main
           SET BonusPoints = BonusPoints - $Cost,
             Uploaded = Uploaded + ($GiB * 1)
           WHERE ID = $UserID");
 
-        $DB->query("
+        $DB->prepared_query("
           UPDATE users_info
           SET AdminComment = CONCAT('".sqltime()." - $Purchase from the store\n\n', AdminComment)
           WHERE UserID = $UserID");

sections/store/upload_100.php

 $GiB = 1024*1024*1024;
 $Cost = 1500;
 
-$DB->query("
+$DB->prepared_query("
   SELECT BonusPoints
   FROM users_main
   WHERE ID = $UserID");
     list($Points) = $DB->next_record();
 
     if ($Points >= $Cost) {
-        $DB->query("
+        $DB->prepared_query("
           UPDATE users_main
           SET BonusPoints = BonusPoints - $Cost,
             Uploaded = Uploaded + ($GiB * 10)
           WHERE ID = $UserID");
 
-        $DB->query("
+        $DB->prepared_query("
           UPDATE users_info
           SET AdminComment = CONCAT('".sqltime()." - $Purchase from the store\n\n', AdminComment)
           WHERE UserID = $UserID");

sections/store/upload_1000.php

 $GiB = 1024*1024*1024;
 $Cost = 15000;
 
-$DB->query("
+$DB->prepared_query("
   SELECT BonusPoints
   FROM users_main
   WHERE ID = $UserID");
     list($Points) = $DB->next_record();
 
     if ($Points >= $Cost) {
-        $DB->query("
+        $DB->prepared_query("
           UPDATE users_main
           SET BonusPoints = BonusPoints - $Cost,
             Uploaded = Uploaded + ($GiB * 100)
           WHERE ID = $UserID");
 
-        $DB->query("
+        $DB->prepared_query("
           UPDATE users_info
           SET AdminComment = CONCAT('".sqltime()." - $Purchase from the store\n\n', AdminComment)
           WHERE UserID = $UserID");