Parameterise (or vette/mark) more SQL queries

git-svn-id: https://kt-dms.svn.sourceforge.net/svnroot/kt-dms/trunk@3062 c91229c3-7414-0410-bfa2-8a42b809f60b

Parameterise (or vette/mark) more SQL queries
git-svn-id: https://kt-dms.svn.sourceforge.net/svnroot/kt-dms/trunk@3062 c91229c3-7414-0410-bfa2-8a42b809f60b
nbm
1 parent 2f065d4a
Showing 22 changed files with 168 additions and 140 deletions
lib/archiving/ArchiveRestorationRequest.inc
lib/archiving/ArchivingSettings.inc
lib/archiving/ArchivingType.inc
lib/archiving/DocumentArchiving.inc
lib/archiving/TimePeriod.inc
lib/archiving/TimeUnit.inc
lib/authentication/DBAuthenticator.inc
lib/browse/DocumentTypeBrowser.inc
lib/browse/FolderBrowser.inc
lib/dashboard/Dashboard.inc
lib/dashboard/DashboardNews.inc
lib/discussions/DiscussionComment.inc
lib/discussions/DiscussionThread.inc
lib/documentmanagement/DependantDocumentInstance.inc
lib/documentmanagement/DependantDocumentTemplate.inc
lib/documentmanagement/Document.inc
lib/documentmanagement/DocumentCollaboration.inc
lib/subscriptions/SubscriptionManager.inc
lib/unitmanagement/Unit.inc
lib/unitmanagement/UnitOrganisationLink.inc
@@ -199,7 +199,7 @@ class ArchiveRestorationRequest extends KTEntity {
         global $default;
         $aArchiveRestorationRequestArray = array();
         $sql = $default->db;
-        $result = $sql->query("SELECT * FROM $default->archive_restoration_table " . (isset($sWhereClause) ? " WHERE " . $sWhereClause : ""));
+        $result = $sql->query("SELECT * FROM $default->archive_restoration_table " . (isset($sWhereClause) ? " WHERE " . $sWhereClause : ""));/*wc*/
         if ($result) {
             while ($sql->next_record()) {
                 $aArchiveRestorationRequestArray[] = & ArchiveRestorationRequest::get($sql->f("id"));
@@ -191,7 +191,7 @@ class ArchivingSettings extends KTEntity {
         global $default;
         $aArchivingSettings = array();
         $sql = $default->db;
-        $result = $sql->query("SELECT * FROM $default->archiving_settings_table " . (isset($sWhereClause) ? " WHERE " . $sWhereClause : ""));
+        $result = $sql->query("SELECT * FROM $default->archiving_settings_table " . (isset($sWhereClause) ? " WHERE " . $sWhereClause : ""));/*wc*/
         if ($result) {
             while ($sql->next_record()) {
                 $oArchivingSettings = & ArchivingSettings::get($sql->f("id"));
@@ -113,7 +113,7 @@ class ArchivingType extends KTEntity {
         global $default;
         $aArchivingTypeArray = array();
         $sql = $default->db;
-        $result = $sql->query("SELECT * FROM $default->archiving_type_lookup_table " . (isset($sWhereClause) ? " WHERE " . $sWhereClause : ""));
+        $result = $sql->query("SELECT * FROM $default->archiving_type_lookup_table " . (isset($sWhereClause) ? " WHERE " . $sWhereClause : ""));/*wc*/
         if ($result) {
             $iCount = 0;
             while ($sql->next_record()) {
@@ -156,7 +156,7 @@ class DocumentArchiving extends KTEntity {
         global $default;
         $aDocumentArchivingArray = array();
         $sql = $default->db;
-        $result = $sql->query("SELECT * FROM $default->document_archiving_table " . (isset($sWhereClause) ? " WHERE " . $sWhereClause : ""));
+        $result = $sql->query("SELECT * FROM $default->document_archiving_table " . (isset($sWhereClause) ? " WHERE " . $sWhereClause : ""));/*wc*/
         if ($result) {
             $iCount = 0;
             while ($sql->next_record()) {
@@ -135,7 +135,7 @@ class TimePeriod extends KTEntity {
         global $default;
         $aTimePeriodArray = array();
         $sql = $default->db;
-        $result = $sql->query("SELECT * FROM $default->time_period_table " . (isset($sWhereClause) ? " WHERE " . $sWhereClause : ""));
+        $result = $sql->query("SELECT * FROM $default->time_period_table " . (isset($sWhereClause) ? " WHERE " . $sWhereClause : ""));/*wc*/
         if ($result) {
             $iCount = 0;
             while ($sql->next_record()) {
@@ -112,7 +112,7 @@ class TimeUnit extends KTEntity {
         global $default;
         $aTimeUnitArray = array();
         $sql = $default->db;
-        $result = $sql->query("SELECT * FROM $default->time_unit_lookup_table " . (isset($sWhereClause) ? " WHERE " . $sWhereClause : ""));
+        $result = $sql->query("SELECT * FROM $default->time_unit_lookup_table " . (isset($sWhereClause) ? " WHERE " . $sWhereClause : ""));/*wc*/
         if ($result) {
             $iCount = 0;
             while ($sql->next_record()) {
@@ -62,14 +62,15 @@ class DBAuthenticator extends Authenticator {
         global $default;
  
         $sql = $default->db;
-        $sQuery = "SELECT ";
+        $sQuery = "SELECT ";/*ok*/
         // build select
         for ($i=0; $i<count($aAttributes); $i++) {
             $sQuery .= $aAttributes[$i] . (( ($i+1) == count($aAttributes) ) ? "" : ", ");
         }
-        $sQuery .= " FROM $default->users_table WHERE username = '$sUserName'";
+        $sQuery .= " FROM $default->users_table WHERE username = ?";
+        $aParams = array($sUserName);
  
-        if ($sql->query($sQuery)) {
+        if ($sql->query(array($sQuery, $aParams))) {
             $aUserResults = array();
             while ($sql->next_record()) {
                 for ($i=0; $i<count($aAttributes); $i++) {
@@ -93,12 +94,12 @@ class DBAuthenticator extends Authenticator {
         global $default;
  
         $sql = $default->db;
-        $sQuery = "SELECT ";
+        $sQuery = "SELECT ";/*ok*/
         // build select
         for ($i=0; $i<count($aAttributes); $i++) {
             $sQuery .= $aAttributes[$i] . (( ($i+1) == count($aAttributes) ) ? "" : ", ");
         }
-        $sQuery .= " FROM $default->users_table where username like '%$sUserNameSearch%'";
+        $sQuery .= " FROM $default->users_table where username like '%" . DBUtil::escapeSimple($sUserNameSearch) . "%'";
  
         if ($sql->query($sQuery)) {
             $aUserResults = array();
@@ -79,7 +79,7 @@ class DocumentTypeBrowser extends Browser {
             $results["documentTypes"][] = array("id" => $iDocumentTypeID, "name" => $documentTypeName);
  
             // create query to retrieve documents with this document type
-            $documentQuery  = "SELECT d.id as id FROM $default->documents_table d ";
+            $documentQuery  = "SELECT d.id as id FROM $default->documents_table d ";/*wc*/
             if ( isset($aLookupCriteria) ) {
             	//$documentQuery .= "INNER JOIN " .  $aLookupCriteria["table"] . " lt ON d.$this->sSortField=lt.id ";
             	$documentQuery .= "INNER JOIN " .  $aLookupCriteria["table"] . " lt ON ";
@@ -119,7 +119,7 @@ class FolderBrowser extends Browser {
             // if we're sorting by name or creator_id then sort folders in the appropriate direction
  
             $aParams = array();
-            $sFolderQuery = "SELECT f.id FROM $default->folders_table AS f ";
+            $sFolderQuery = "SELECT f.id FROM $default->folders_table AS f ";/*ok*/
 			if (in_array($this->sSortField, array("name", "creator_id"))) {             
 	            if (isset($aLookupCriteria)) {
 	            	$sFolderQuery .= "INNER JOIN " . $aLookupCriteria["table"] . " lt ON f.$this->sSortField=lt.id WHERE parent_id = ?";
@@ -154,7 +154,7 @@ class FolderBrowser extends Browser {
             $default->log->debug("Going on to document checking");
  
             // create query to retrieve documents in this folder
-            $documentQuery  = "SELECT d.id as id FROM $default->documents_table AS d ";
+            $documentQuery  = "SELECT d.id as id FROM $default->documents_table AS d ";/*wc*/
             if (isset($aLookupCriteria)) {
             	$documentQuery .= "INNER JOIN " .  $aLookupCriteria["table"] . " lt ON ";
             	$documentQuery .= "d.$this->sSortField" . "=lt." . (isset($aLookupCriteria["joinColumn"]) ? $aLookupCriteria["joinColumn"] : "id");
@@ -49,12 +49,13 @@ class Dashboard {
 	 */
 	function getPendingWebDocuments(){
 	    global $default;
-	    $sQuery = "SELECT wd.id FROM web_documents wd " . 
+	    $sQuery = "SELECT wd.id FROM web_documents wd " . /*ok*/
 	              "INNER JOIN web_sites ws ON wd.web_site_id = ws.id " .
-	              "WHERE ws.web_master_id=" . $this->iUserID . " AND wd.status_id=1";
+	              "WHERE ws.web_master_id = ? AND wd.status_id = 1";
+        $aParams = array($this->iUserID);
 	    $aDocumentList = array();
 	    $sql = $default->db;
-	    if ($sql->query($sQuery)) {
+	    if ($sql->query(array($sQuery, $aParams))) {
 	        while ($sql->next_record()) {
 	            $aDocumentList[] = & WebDocument::get($sql->f("id"));
 	        }
@@ -77,7 +78,7 @@ class Dashboard {
 	function getPendingCollaborationDocuments(){
 	    global $default;
  
-	    $sQuery = "SELECT document_id FROM $default->folders_user_roles_table WHERE active=1 AND user_id=" . $this->iUserID;
+	    $sQuery = array("SELECT document_id FROM $default->folders_user_roles_table WHERE active=1 AND user_id = ?", $this->iUserID);/*ok*/
 	    $aDocumentList = array();
 	    $sql = $default->db;
 	    if ($sql->query($sQuery)) {
@@ -120,7 +121,7 @@ class Dashboard {
 	 */
 	function getDependantDocuments() {
 		global $default;
-		$sQuery = "SELECT id FROM $default->dependant_document_instance_table WHERE user_id = " . $this->iUserID;
+		$sQuery = array("SELECT id FROM $default->dependant_document_instance_table WHERE user_id = ?", $this->iUserID);/*ok*/
 		$aDocumentList = array();
 		$sql = $default->db;
 		$sql->query($sQuery);
@@ -129,4 +130,4 @@ class Dashboard {
 		}
 		return $aDocumentList;	
 	}	
-}
 \ No newline at end of file
+}
@@ -322,7 +322,7 @@ class DashboardNews extends KTEntity {
     function & get($iNewsID) {
         global $default;
         $sql = $default->db;
-        $sql->query("SELECT * FROM $default->news_table WHERE id = $iNewsID");
+        $sql->query(array("SELECT * FROM $default->news_table WHERE id = ?", $iNewsID));/*ok*/
         if ($sql->next_record()) {
             $aImage = array( "image" => $sql->f("image"),
             				 "filesize" => $sql->f("image_size"),
@@ -346,7 +346,7 @@ class DashboardNews extends KTEntity {
         global $default;
         $aDashboardNewsArray = array();
         $sql = $default->db;
-        $result = $sql->query("SELECT * FROM " . $default->news_table  . (isset($sWhereClause) ? " WHERE " . $sWhereClause : "") . " ORDER BY rank ASC");
+        $result = $sql->query("SELECT * FROM " . $default->news_table  . (isset($sWhereClause) ? " WHERE " . $sWhereClause : "") . " ORDER BY rank ASC");/*wc*/
         if ($result) {
             $iCount = 0;
             while ($sql->next_record()) {
@@ -155,7 +155,7 @@ class DiscussionComment extends KTEntity {
     function & get($iNewCommentID) {
         global $default;
         $sql = $default->db;
-        $result = $sql->query("SELECT * FROM $default->discussion_comments_table WHERE id = $iNewCommentID");
+        $result = $sql->query(array("SELECT * FROM $default->discussion_comments_table WHERE id = ?", $iNewCommentID));/*ok*/
         if ($result) {
             if ($sql->next_record()) {                
                 $oDiscussionComment = & new DiscussionComment($sql->f("body"),$sql->f("subject"),$sql->f("user_id"),$sql->f("thread_id"),$sql->f("in_reply_to"));
@@ -180,7 +180,7 @@ class DiscussionComment extends KTEntity {
         global $default;
         $aDiscussionComments = array();
         $sql = $default->db;
-        $result = $sql->query("SELECT * FROM " . $default->discussion_comments_table  . (isset($sWhereClause) ? " WHERE " . $sWhereClause : ""));
+        $result = $sql->query("SELECT * FROM " . $default->discussion_comments_table  . (isset($sWhereClause) ? " WHERE " . $sWhereClause : ""));/*wc*/
         if ($result) {
             while ($sql->next_record()) {
                 $aDiscussionComments[] = & DiscussionComment::get($sql->f("id"));
@@ -212,7 +212,7 @@ class DiscussionComment extends KTEntity {
 		if ($this->iId > 0) {
 			//check to see if group is linked to a unit
 			$sql = $default->db;
-			$query = "SELECT * FROM ". $default->discussion_comments_table . " WHERE id = " . $this->iId  ;
+			$query = array("SELECT * FROM ". $default->discussion_comments_table . " WHERE id = ?", $this->iId);/*ok*/
 			$sql->query($query);
 			$rows = $sql->num_rows($sql);
  
@@ -142,12 +142,16 @@ class DiscussionThread extends KTEntity{
     	global $default;
  
     	$sql = $default->db;
-        $result = $sql->query("SELECT id FROM $default->discussion_threads_table WHERE document_id = $this->iDocumentID ORDER BY id");
+        $aQuery = array("SELECT id FROM $default->discussion_threads_table WHERE document_id = ? ORDER BY id",/*ok*/
+            $this->iDocumentID);
+        $result = $sql->query($aQuery);
         if ($result) {
         	$sql->next_record();
         	$iThreadID = $sql->f("id");
  
-	        $result = $sql->query("SELECT id FROM $default->discussion_comments_table WHERE thread_id = $iThreadID ORDER BY date Desc");
+            $aQuery = array("SELECT id FROM $default->discussion_comments_table WHERE thread_id = ? ORDER BY date DESC",/*ok*/
+                $iThreadID);
+	        $result = $sql->query($aQuery);
  
 	        if ($result) {           
 	            while ($sql->next_record()) {
@@ -178,7 +182,7 @@ class DiscussionThread extends KTEntity{
         global $default;
         $aDiscussionThreads = array();
         $sql = $default->db;
-        $result = $sql->query("SELECT * FROM " . $default->discussion_threads_table  . (isset($sWhereClause) ? " WHERE " . $sWhereClause : ""));
+        $result = $sql->query("SELECT * FROM " . $default->discussion_threads_table  . (isset($sWhereClause) ? " WHERE " . $sWhereClause : ""));/*wc*/
         if ($result) {
             while ($sql->next_record()) {
                 $aDiscussionThreads[] = & DiscussionThread::get($sql->f("id"));
@@ -191,7 +195,7 @@ class DiscussionThread extends KTEntity{
     function getThreadIDforDoc($iDocumentID){
     	global $default;	
 		$sql = $default->db;
-        $result = $sql->query("SELECT id FROM $default->discussion_threads_table WHERE document_id = $iDocumentID");
+        $result = $sql->query(array("SELECT id FROM $default->discussion_threads_table WHERE document_id = ?", $iDocumentID));/*ok*/
         if ($result) {        
             if ($sql->next_record()) {
                 if ($sql->f("id") > 0) {
@@ -217,7 +221,7 @@ class DiscussionThread extends KTEntity{
     function & get($iNewThreadID) {
         global $default;
         $sql = $default->db;
-        $result = $sql->query("SELECT * FROM $default->discussion_threads_table WHERE id = $iNewThreadID");
+        $result = $sql->query(array("SELECT * FROM $default->discussion_threads_table WHERE id = ?", $iNewThreadID));/*ok*/
         if ($result) {
             if ($sql->next_record()) {
  
@@ -262,7 +266,7 @@ class DiscussionThread extends KTEntity{
         if ($this->iId > 0) {
             //check to see if group is linked to a unit
             $sql = $default->db;
-            $query = "SELECT * FROM ". $default->discussion_threads_table ." WHERE id = " . $this->iId  ;
+            $query = array("SELECT * FROM ". $default->discussion_threads_table ." WHERE id = ?", $this->iId);/*ok*/
             $sql->query($query);
             $rows = $sql->num_rows($sql);
  
@@ -141,7 +141,7 @@ class DependantDocumentInstance extends KTEntity {
 	function & get($iDependantDocumentID) {
 		global $default;
 		$sql = $default->db;
-		$result = $sql->query("SELECT * FROM $default->dependant_document_instance_table WHERE id = $iDependantDocumentID");
+		$result = $sql->query(array("SELECT * FROM $default->dependant_document_instance_table WHERE id = ?", $iDependantDocumentID));/*ok*/
 		if ($result) {
 			if ($sql->next_record()) {
 				$oDependantDocument = & new DependantDocumentInstance($sql->f("document_title"), $sql->f("user_id"), $sql->f("template_document_id"), $sql->f("parent_document_id"));
@@ -149,7 +149,7 @@ class DependantDocumentTemplate extends KTEntity {
 	function & get($iDependantDocumentID) {
 		global $default;
 		$sql = $default->db;
-		$result = $sql->query("SELECT * FROM $default->dependant_document_template_table WHERE id = $iDependantDocumentID");
+		$result = $sql->query(array("SELECT * FROM $default->dependant_document_template_table WHERE id = ?", $iDependantDocumentID));/*ok*/
 		if ($result) {
 			if ($sql->next_record()) {
 				$DependantDocumentTemplate = & new DependantDocumentTemplate($sql->f("document_title"), $sql->f("default_user_id"), $sql->f("group_folder_approval_link_id"), $sql->f("template_document_id"));
@@ -177,7 +177,7 @@ class DependantDocumentTemplate extends KTEntity {
         $aDependantDocumentTemplateArray = array();
         $sql = $default->db;
         // TODO: join on sys_deleted
-        $result = $sql->query("SELECT * FROM " . $default->dependant_document_template_table  . (isset($sWhereClause) ? " WHERE " . $sWhereClause : ""));
+        $result = $sql->query("SELECT * FROM " . $default->dependant_document_template_table  . (isset($sWhereClause) ? " WHERE " . $sWhereClause : ""));/*wc*/
         if ($result) {
             $iCount = 0;
             while ($sql->next_record()) {
@@ -286,7 +286,7 @@ class Document extends KTEntity {
 		//if the folder is not the root folder 
 		if ($iFolderID != 0) {
 			$sql = $default->db;
-			$sql->query("SELECT parent_id FROM $default->folders_table WHERE ID = " . quote($iFolderID));
+			$sql->query(array("SELECT parent_id FROM $default->folders_table WHERE ID = ?", $iFolderID));/*ok*/
 			$sql->next_record();
 			return $this->generateParentFolderIDS($sql->f("parent_id")) . ",$iFolderID";
 		}
@@ -314,7 +314,7 @@ class Document extends KTEntity {
 		//if the folder is not the root folder 
 		if ($iFolderID != 0) {
 			$sql = $default->db;
-			$sql->query("SELECT name, parent_id FROM $default->folders_table WHERE ID = " . quote($iFolderID));
+			$sql->query(array("SELECT name, parent_id FROM $default->folders_table WHERE ID = ?", $iFolderID));/*ok*/
 			$sql->next_record();			
 			return $this->generateFullFolderPath($sql->f("parent_id")) . "/" . $sql->f("name");
 		}
@@ -382,12 +382,12 @@ class Document extends KTEntity {
 	    $sql = $default->db;
  
 	    // group permissions                
-	    $sGroupPerms = "INSERT INTO $default->search_permissions_table (user_id, document_id) " .
-				       "SELECT UGL.user_id AS user_id, D.id AS document_id " .
+	    $sGroupPerms = array("INSERT INTO $default->search_permissions_table (user_id, document_id) " .
+				       "SELECT UGL.user_id AS user_id, D.id AS document_id " ./*ok*/
 				       "FROM $default->documents_table AS D INNER JOIN folders AS F ON D.folder_id = F.id " .
 				       "INNER JOIN $default->groups_folders_table AS GFL ON GFL.folder_id = F.id " .
 				       "INNER JOIN $default->users_groups_table AS UGL ON UGL.group_id = GFL.group_id " .
-				       "WHERE D.id=" . quote($this->iId);
+				       "WHERE D.id = ?", $this->iId);
 		$default->log->debug("addDocument groupPerms=$sGroupPerms");
 		if ($sql->query($sGroupPerms)) {
 			$default->log->debug("groupPerms succeeded");
@@ -395,10 +395,10 @@ class Document extends KTEntity {
 			$default->log->error("groupPerms failed");
 		}
 		// role permissions
-	    $sRolePerms = "INSERT INTO $default->search_permissions_table (user_id, document_id) " .
-				      "SELECT user_id, document_id " .
+	    $sRolePerms = array("INSERT INTO $default->search_permissions_table (user_id, document_id) " .
+				      "SELECT user_id, document_id " ./*ok*/
 				      "FROM $default->folders_user_roles_table " .
-				      "WHERE document_id=" . quote($this->iId);
+				      "WHERE document_id = ?", $this->iId);
 		$default->log->info("addDocument rolePerms=$sRolePerms");
 		if ($sql->query($sRolePerms)) {
 			$default->log->debug("rolePerms succeeded");
@@ -407,11 +407,11 @@ class Document extends KTEntity {
 		}
  
 		// public folders
-		$sPublicFolderPerms = "INSERT INTO $default->search_permissions_table (user_id, document_id) " . 
-                			  "SELECT U.id, D.id " . 
+		$sPublicFolderPerms = array("INSERT INTO $default->search_permissions_table (user_id, document_id) " . 
+                			  "SELECT U.id, D.id " . /*ok*/
                 			  "FROM $default->users_table AS U, $default->documents_table AS D INNER JOIN $default->folders_table AS F ON D.folder_id = F.id " .
 							  "WHERE F.is_public = 1 " .
-							  "AND D.id=" . quote($this->iId);
+							  "AND D.id = ?", $this->iId);
 		$default->log->debug("addDocument publicFolder=$sPublicFolderPerms");
 		if ($sql->query($sPublicFolderPerms)) {
 			$default->log->debug("publicFolder succeeded");
@@ -420,10 +420,10 @@ class Document extends KTEntity {
 		}
  
 		// creator permissions
-		$sCreatorPerms = "INSERT INTO $default->search_permissions_table (user_id, document_id) " .
-						 "SELECT creator_id, id " .
+		$sCreatorPerms = array("INSERT INTO $default->search_permissions_table (user_id, document_id) " .
+						 "SELECT creator_id, id " ./*ok*/
 						 "FROM $default->documents_table " .
-						 "WHERE id=" . quote($this->iId);
+						 "WHERE id = ?", $this->iId);
 		$default->log->debug("addDocument creatorPerms=$sCreatorPerms");
 		if ($sql->query($sCreatorPerms)) {
 			$default->log->debug("creatorPerms succeeded");
@@ -439,11 +439,11 @@ class Document extends KTEntity {
 	function beginCollaborationProcess() {
 		global $default;
 		//get the steps in this document's collaboration process
-		$sQuery = "SELECT FURL.id, GFAL.precedence " .
+		$sQuery = array("SELECT FURL.id, GFAL.precedence " ./*ok*/
 				  "FROM $default->folders_user_roles_table AS FURL " .
                   "INNER JOIN $default->groups_folders_approval_table AS GFAL ON FURL.group_folder_approval_id = GFAL.id " .
-				  "WHERE document_id = " . quote($this->iId) . " " .
-				  "ORDER BY GFAL.precedence ASC";
+				  "WHERE document_id = ? " .
+				  "ORDER BY GFAL.precedence ASC", $this->iId);
 		$sql = $default->db;
 		$sql->query($sQuery);
 		if  ($sql->next_record()) {
@@ -498,12 +498,12 @@ class Document extends KTEntity {
 		//get the current step
 		//if the user is assinged to two or more roles, make sure we get the current
 		//one by ordering by precedence
-		$sql->query("SELECT FURL.id AS id, GFAT.precedence " .
+		$sql->query(array("SELECT FURL.id AS id, GFAT.precedence " ./*ok*/
 					"FROM $default->groups_folders_approval_table AS GFAT " . 
                     "INNER JOIN $default->folders_user_roles_table AS FURL ON GFAT.id = FURL.group_folder_approval_id " .
-					"WHERE document_id = $this->iId AND FURL.user_id = " . quote($_SESSION["userID"]) . "  " . 
+					"WHERE document_id = ? AND FURL.user_id = ? " . 
 					"AND done = 0 " . 
-					"ORDER BY precedence ASC");
+					"ORDER BY precedence ASC", array($this->iId, $_SESSION["userID"])));
 		if ($sql->next_record()) {
 			//set it as done
 			$oFolderUserRole = FolderUserRole::get($sql->f("id"));
@@ -527,7 +527,7 @@ class Document extends KTEntity {
         global $default, $lang_err_doc_not_exist;
         if (strlen($iDocumentID) > 0) {
 	        $sql = $default->db;
-	        $sql->query("SELECT * FROM $default->documents_table WHERE id = " . quote($iDocumentID));
+	        $sql->query(array("SELECT * FROM $default->documents_table WHERE id = ?", $iDocumentID));/*ok*/
 	        if ($sql->next_record()) {			
 	            $oDocument = & new Document($sql->f("name"), $sql->f("filename"), $sql->f("size"), $sql->f("creator_id"), $sql->f("mime_id"), $sql->f("folder_id"), $sql->f("description"));
 	            $oDocument->setDocumentTypeID($sql->f("document_type_id"));
@@ -562,7 +562,7 @@ class Document extends KTEntity {
         $aDocumentArray;
         settype($aDocumentArray, "array");
         $sql = $default->db;
-        $result = $sql->query("SELECT * FROM " . $default->documents_table  . 
+        $result = $sql->query("SELECT * FROM " . $default->documents_table  . /*wc*/
                               (isset($sWhereClause) ? " WHERE " . $sWhereClause : ""));
         if ($result) {
             $iCount = 0;
@@ -589,11 +589,11 @@ class Document extends KTEntity {
         $aDocumentFieldArray;
         settype($aDocumentFieldArray,"array");
         $sql = $default->db;
-        $result = $sql->query("SELECT DF.id AS id, DF.name AS name, DF.data_type AS data_type " .
+        $result = $sql->query(array("SELECT DF.id AS id, DF.name AS name, DF.data_type AS data_type " ./*ok*/
                               "FROM $default->document_fields_table AS DF " .
                               "INNER JOIN $default->document_type_fields_table AS DTFL ON DF.id = DTFL.field_id " . 
-                              "WHERE DTFL.document_type_id = " . quote($iDocumentTypeID) . ($bMandatoryOnly ? "AND DFTL.is_mandatory = 1 " : " ") . 
-                              "ORDER BY DF.name ASC");
+                              "WHERE DTFL.document_type_id = ? " . ($bMandatoryOnly ? "AND DFTL.is_mandatory = 1 " : " ") . 
+                              "ORDER BY DF.name ASC", $iDocumentTypeID));
         if ($result) {
             $iCount = 0;
             while ($sql->next_record()) {
@@ -619,9 +619,9 @@ class Document extends KTEntity {
         global $default, $lang_err_database;
         $aDocumentHistory = array();
         $sql = $default->db;
-        $result = $sql->query("SELECT * FROM  " . $default->document_transactions_table . " " .
-                              "WHERE document_id = " . quote($this->iId) . " " .
-                              "ORDER BY datetime DESC");
+        $result = $sql->query(array("SELECT * FROM  " . $default->document_transactions_table . " " ./*ok*/
+                              "WHERE document_id = ? " .
+                              "ORDER BY datetime DESC", $this->iId));
         if ($result) {
             $iCount = 0;
             while($sql->next_record()) {
@@ -695,10 +695,11 @@ class Document extends KTEntity {
     function documentExists($sFileName, $iFolderID) {
         global $default;
         $sql = $default->db;
-        $sQuery = "SELECT * FROM $default->documents_table " .
-        		  "WHERE filename = " . quote($sFileName)  . 
-        		  " AND folder_id = " . quote($iFolderID)  .
-        		  " AND status_id = " . LIVE;
+        $sQuery = "SELECT * FROM $default->documents_table " ./*ok*/
+        		  "WHERE filename = ? " .
+        		  " AND folder_id = ?" . 
+        		  " AND status_id = ?";
+        $aParams = array($sFileName, $iFolderID, LIVE);
         $sql->query($sQuery);
         if ($sql->next_record()) {
             return true;
@@ -716,8 +717,8 @@ class Document extends KTEntity {
         global $default, $lang_err_database, $lang_err_doc_not_exist;
         $sql = $default->db;
  
-        if ($sql->query("SELECT name FROM $default->documents_table " .
-                        "WHERE id = " . quote($iDocumentID))) {
+        if ($sql->query(array("SELECT name FROM $default->documents_table " ./*ok*/
+                        "WHERE id = ?", $iDocumentID))) {
             if ($sql->next_record()) {
                 return $sql->f("name");
             } 
@@ -746,11 +747,11 @@ class Document extends KTEntity {
 	function documentIsAssignedDocTypeInFolder($iFolderID, $iFolderDocTypeID) {
 		global $default;
 		$sql = $default->db;
-		$sql->query("SELECT * " . 
+		$sql->query(array("SELECT * " . /*ok*/
 					"FROM $default->folder_doctypes_table AS FDL " .
 					"INNER JOIN $default->documents_table AS D ON D.document_type_id = FDL.document_type_id " .
-					"WHERE FDL.id = " . quote($iFolderDocTypeID) . " " .
-					"AND D.folder_id = " . quote($iFolderID));
+					"WHERE FDL.id = ? " .
+					"AND D.folder_id = ?", array($iFolderDocTypeID, $iFolderID)));
 		if ($sql->next_record()) {
 			return true;
 		}
@@ -763,10 +764,10 @@ class Document extends KTEntity {
 	*/
 	function removeInvalidDocumentTypeEntries() {
 		global $default;
-		$sQuery = "SELECT field_id FROM $default->document_type_fields_table DTFL " .
+		$sQuery = array("SELECT field_id FROM $default->document_type_fields_table DTFL " . /*ok*/
                   "INNER JOIN $default->document_fields_table AS DF ON DF.id = DTFL.field_id " .
-                  "WHERE DTFL.document_type_id = " . quote($this->iDocumentTypeID) . " " .
-                  "AND DF.is_generic = 0";
+                  "WHERE DTFL.document_type_id = ? " .
+                  "AND DF.is_generic = 0", $this->iDocumentTypeID);
 		$sql = $default->db;
 		$sql->query($sQuery);
 		$aFieldIDs = array();
@@ -798,7 +799,7 @@ class Document extends KTEntity {
     function hasCollaboration() {
 		global $default;
 		$sql = $default->db;
-		$sql->query("SELECT id AS count from $default->groups_folders_approval_table WHERE folder_id = $this->iFolderID");
+		$sql->query(array("SELECT id AS count from $default->groups_folders_approval_table WHERE folder_id = ?", $this->iFolderID));/*ok*/
 		if ($sql->next_record()) {
 			return true;
 		}
@@ -34,7 +34,9 @@ class DocumentCollaboration {
 	function documentCollaborationStarted($iDocumentID) {
 		global $default;
 		$sql = $default->db;
-		$sql->query("SELECT id FROM $default->folders_user_roles_table WHERE document_id = $iDocumentID AND (active = 1 OR done = 1)");
+        $sQuery = "SELECT id FROM $default->folders_user_roles_table WHERE document_id = ? AND (active = 1 OR done = 1)";/*ok*/
+        $aParams = array($iDocumentID);
+		$sql->query(array($sQuery, $aParams));
 		if ($sql->next_record()) {
 			return true;
 		}
@@ -44,7 +46,9 @@ class DocumentCollaboration {
     function documentCollaborationDone($iDocumentID) {
 		global $default;
 		$sql = $default->db;
-		$sql->query("SELECT id FROM $default->folders_user_roles_table WHERE document_id = $iDocumentID AND done = 0");
+        $sQuery = "SELECT id FROM $default->folders_user_roles_table WHERE document_id = ? AND done = 0";/*ok*/
+        $aParams = array($iDocumentID);
+		$sql->query(array($sQuery, $aParams));
 		if ($sql->num_rows() > 0) {
 			return false;
 		} else {
@@ -60,7 +64,9 @@ class DocumentCollaboration {
 	function userIsPerformingCurrentCollaborationStep($iDocumentID) {
 		global $default;
 		$sql = $default->db;
-		$sql->query("SELECT id FROM $default->folders_user_roles_table WHERE document_id = $iDocumentID AND active = 1 AND user_id = " . $_SESSION["userID"]);
+        $sQuery = "SELECT id FROM $default->folders_user_roles_table WHERE document_id = ? AND active = 1 AND user_id = ?";/*ok*/
+        $aParams = array($iDocumentID, $_SESSION["userID"]);
+		$sql->query(array($sQuery, $aParams));
 		if ($sql->next_record()) {
 			return true;
 		}
@@ -98,7 +104,7 @@ class DocumentCollaboration {
 	function isLastStepInCollaborationProcess($iDocumentID) {
 		global $default;
 		$sql = $default->db;
-        $sQuery = "SELECT id FROM $default->folders_user_roles_table WHERE document_id = $iDocumentID AND done = 0";
+        $sQuery = "SELECT id FROM $default->folders_user_roles_table WHERE document_id = $iDocumentID AND done = 0";/*ok*/
 		$sql->query($sQuery);
         $default->log->info("lastCollabStep:$sQuery");
         if ($sql->num_rows() > 1) {
@@ -116,11 +122,12 @@ class DocumentCollaboration {
 		global $default;
 		$sql = $default->db;
         // returns all users, the sequence of their collaboration and the time of completion
-        $sQuery = "SELECT FURL.user_id, FURL.datetime, GFAL.precedence FROM $default->folders_user_roles_table FURL " .
+        $sQuery = "SELECT FURL.user_id, FURL.datetime, GFAL.precedence FROM $default->folders_user_roles_table FURL " ./*ok*/
                   "INNER JOIN $default->groups_folders_approval_table GFAL ON FURL.group_folder_approval_id = GFAL.id " .
-                  "WHERE FURL.document_id = $iDocumentID " .
+                  "WHERE FURL.document_id = ? " .
                   "ORDER BY GFAL.precedence";
-		$sql->query($sQuery);
+        $aParams = array($iDocumentID);
+		$sql->query(array($sQuery, $aParams));
         $iPrecedence = -1;
         $iDateTime = 0;
         $iUserID = -1;
@@ -148,11 +155,13 @@ class DocumentCollaboration {
 		//get the current step
 		//if the user is assigned to two or more roles, make sure we get the current
 		//one by ordering by precedence
-		$sql->query("SELECT FURL.id AS id, GFAT.precedence " .
+        $sQuery = "SELECT FURL.id AS id, GFAT.precedence " ./*ok*/
 					"FROM $default->groups_folders_approval_table AS GFAT " . 
 					"INNER JOIN $default->folders_user_roles_table AS FURL ON GFAT.id = FURL.group_folder_approval_id " .
-					"WHERE document_id = $iDocumentID AND FURL.user_id = " . $_SESSION["userID"] . " AND done=0 " . 
-					"ORDER BY precedence ASC");
+					"WHERE document_id = ? AND FURL.user_id = ? AND done=0 " . 
+					"ORDER BY precedence ASC";
+        $aParams = array($iDocumentID, $_SESSION["userID"]);
+		$sql->query(array($sQuery, $aParams));
 		if ($sql->next_record()) {
 			//set it as done
 			$oFolderUserRole = FolderUserRole::get($sql->f("id"));
@@ -162,18 +171,22 @@ class DocumentCollaboration {
 			$oFolderUserRole->update();
 			//get it's sequence number
 			$iCurrentSequenceNumber =  $sql->f("precedence");
-			$sql->query("SELECT MIN(precedence) AS precedence " . 
+            $sQuery = "SELECT MIN(precedence) AS precedence " . /*ok*/
 						"FROM $default->groups_folders_approval_table AS GFAT " . 
 						"INNER JOIN $default->folders_user_roles_table AS FURL ON GFAT.id = FURL.group_folder_approval_id " . 
-						"WHERE document_id = $iDocumentID AND done = 0");			
+						"WHERE document_id = ? AND done = 0";
+            $aParams = array($iDocumentID);
+            $sql->query(array($sQuery, $aParams));
 			if ($sql->next_record()) {
 				if ($sql->f("precedence") != $iCurrentSequenceNumber) {
 					//if there are no concurrent steps outstanding
 					$iNextSequenceNumber = $sql->f("precedence");
-					$sql->query("SELECT FURL.id " .
+					$sQuery = "SELECT FURL.id " ./*ok*/
 								"FROM $default->groups_folders_approval_table AS GFAT " . 
 								"INNER JOIN $default->folders_user_roles_table AS FURL ON GFAT.id = FURL.group_folder_approval_id " . 
-								"WHERE document_id = $iDocumentID AND precedence = $iNextSequenceNumber");
+								"WHERE document_id = ? AND precedence = ?";
+                    $aParams = array($iDocumentID, $iNextSequenceNumber);
+                    $sql->query(array($sQuery, $aParams));
 					while ($sql->next_record()) {
 						$oFolderUserRole = FolderUserRole::get($sql->f("id"));
 						$oFolderUserRole->setActive(true);
@@ -212,9 +225,10 @@ class DocumentCollaboration {
 		global $default;
 		//only create the documents if they haven't been created		
 		if ($oFolderUserRole->getDependantDocumentsCreated() == false) {
-			$sQuery = "SELECT * FROM $default->dependant_document_template_table WHERE group_folder_approval_link_id = " . $oFolderUserRole->getGroupFolderApprovalID();
+			$sQuery = "SELECT * FROM $default->dependant_document_template_table WHERE group_folder_approval_link_id = ?";/*ok*/
+            $aParams = array($oFolderUserRole->getGroupFolderApprovalID());
 			$sql = $default->db;
-			$sql->query($sQuery);
+			$sql->query(array($sQuery, $aParams));
 			while ($sql->next_record()) {				
 				$oDependantDocumentInstance = & new DependantDocumentInstance($sql->f("document_title"), $sql->f("default_user_id"), $sql->f("template_document_id"), $oFolderUserRole->getDocumentID());				
 				if ($oDependantDocumentInstance->create()) {
@@ -255,16 +269,17 @@ class DocumentCollaboration {
 	function rollbackCollaborationStep($iDocumentID, $sComment = "") {
 		global $default;
 		//get the current sequence number		
-		$sQuery = "SELECT GFAT.precedence, GFAT.folder_id, FURL.id AS furl_id, FURL.document_id AS document_id " . 
+		$sQuery = "SELECT GFAT.precedence, GFAT.folder_id, FURL.id AS furl_id, FURL.document_id AS document_id " . /*ok*/
 				"FROM $default->folders_user_roles_table AS FURL " .
 				"INNER JOIN $default->groups_folders_approval_table AS GFAT ON FURL.group_folder_approval_id = GFAT.id " .
-				"WHERE FURL.document_id = $iDocumentID " .
-				"AND FURL.user_id = " . $_SESSION["userID"] . " " .
+				"WHERE FURL.document_id = ? " .
+				"AND FURL.user_id = ? " .
 				"AND FURL.active = 1 " .
 				"ORDER BY GFAT.precedence ASC";
+        $aParams = array($iDocumentID, $_SESSION["userID"]);
  
 		$sql = $default->db;
-		$sql->query($sQuery);
+		$sql->query(array($sQuery, $aParams));
 		if ($sql->next_record()) {
 			$iCurrentSequenceNumber = $sql->f("precedence");
 			$iFolderID = $sql->f("folder_id");
@@ -275,11 +290,12 @@ class DocumentCollaboration {
  
 			//if there are concurrent collaboration steps and one is rejected, then all
 			//must be rolled back, whether they were accepted or not			
-			$sQuery = "SELECT FURL.id, FURL.user_id  " .
+			$sQuery = "SELECT FURL.id, FURL.user_id  " ./*ok*/
 					  "FROM $default->folders_user_roles_table AS FURL " . 
 					  "INNER JOIN $default->groups_folders_approval_table AS GFAT ON FURL.group_folder_approval_id = GFAT.id " .
-					  "WHERE FURL.document_id = $iDocumentID AND GFAT.precedence = $iCurrentSequenceNumber";			
-			$sql->query($sQuery);
+					  "WHERE FURL.document_id = ? AND GFAT.precedence = ?";			
+            $aParams = array($iDocumentID, $iCurrentSequenceNumber);
+			$sql->query(array($sQuery, $aParams));
  
 			while ($sql->next_record()) {
 				//roll back each user's step and then email them to inform them
@@ -311,11 +327,12 @@ class DocumentCollaboration {
 			}
  
 			//get the previous sequence number
-			$sQuery = "SELECT COALESCE(MAX(precedence), -1) AS precedence " .
+			$sQuery = "SELECT COALESCE(MAX(precedence), -1) AS precedence " ./*ok*/
 						"FROM $default->groups_folders_approval_table AS GFAT " .
-						"WHERE precedence < $iCurrentSequenceNumber";
-						"AND folder_id = $iFolderID";			
-			$sql->query($sQuery);			 
+						"WHERE precedence < ?";
+						"AND folder_id = ?";			
+            $aParams = array($iCurrentSequenceNumber, $iFolderID);
+			$sql->query(array($sQuery, $aParams));
 			//there will always be a result in the result set
 			$sql->next_record();			
 			if ($sql->f("precedence") == -1) {
@@ -336,12 +353,13 @@ class DocumentCollaboration {
 				}
 			} else {
 				//there are steps prior to this step
-				$sQuery = "SELECT FURL.id AS furl_id " . 
+				$sQuery = "SELECT FURL.id AS furl_id " . /*ok*/
 					"FROM $default->folders_user_roles_table AS FURL INNER JOIN $default->groups_folders_approval_table AS GFAT ON FURL.group_folder_approval_id = GFAT.id " .
-					"WHERE FURL.document_id = $iDocumentID " .
-					"AND GFAT.precedence = " . $sql->f("precedence");
+					"WHERE FURL.document_id = ? " .
+					"AND GFAT.precedence = ?";
+                $aParams = array($iDocumentID, $sql->f("precedence"));
  
-				$sql->query($sQuery);
+				$sql->query(array($sQuery, $aParams));
 				while ($sql->next_record()) {
 					//reset all the previous steps and email the users
 					//to tell them to re-reperform their steps
@@ -379,9 +397,10 @@ class DocumentCollaboration {
 	 */
 	function documentIsPendingWebPublishing($iDocumentID) {
 		global $default;
-		$sQuery = "SELECT id FROM $default->web_documents_table WHERE document_id = $iDocumentID AND status_id = 1";
+		$sQuery = "SELECT id FROM $default->web_documents_table WHERE document_id = ? AND status_id = 1";/*ok*/
+        $aParams = array($iDocumentID);
 		$sql = $default->db;
-		$sql->query($sQuery);
+		$sql->query(array($sQuery, $aParams));
 		if ($sql->next_record()) {
 			return true;;
 		}
@@ -393,9 +412,10 @@ class DocumentCollaboration {
 	 */
 	function documentIsPublished($iDocumentID) {
 		global $default;
-		$sQuery = "SELECT id FROM $default->web_documents_table WHERE document_id = $iDocumentID AND status_id = 2";
+		$sQuery = "SELECT id FROM $default->web_documents_table WHERE document_id = ? AND status_id = 2";/*ok*/
+        $aParams = array($iDocumentID);
 		$sql = $default->db;
-		$sql->query($sQuery);
+		$sql->query(array($sQuery, $aParams));
 		if ($sql->next_record()) {
 			return true;;
 		}
@@ -410,13 +430,13 @@ class DocumentCollaboration {
 	 */
 	function notifyWebMaster($iDocumentID, $sComment) {
 		global $default;
-		$sQuery = "SELECT WS.web_master_id, WS.web_site_name, WS.web_site_url " .
+		$sQuery = "SELECT WS.web_master_id, WS.web_site_name, WS.web_site_url " ./*ok*/
 				  "FROM $default->web_sites_table AS WS " .
                   "INNER JOIN $default->web_documents_table AS WD ON WS.id = WD.web_site_id " .
-				  "WHERE WD.document_id = $iDocumentID";
-		
+				  "WHERE WD.document_id = ?";
+        $aParams = array($iDocumentID);
 		$sql = $default->db;
-		$sql->query($sQuery);
+		$sql->query(array($sQuery, $aParams));
 		if ($sql->next_record()) {
 			$oUser = User::get($sql->f("web_master_id"));
 			if (!($oUser === false)) {
@@ -88,8 +88,8 @@ class SubscriptionManager {
         global $default;
  
         $sql = $default->db;
-        if ($sql->query("SELECT id FROM " . Subscription::getTableName($iSubscriptionType) .  " " .
-                        "WHERE " . Subscription::getIdFieldName($iSubscriptionType) . " = $iExternalID")) {
+        if ($sql->query(array("SELECT id FROM " . Subscription::getTableName($iSubscriptionType) .  " " ./*ok*/
+                        "WHERE " . Subscription::getIdFieldName($iSubscriptionType) . " = ?", $iExternalID))) {
             $aSubscriptions = array();
             while ($sql->next_record()) {
                 $aSubscriptions[] = & Subscription::get($sql->f("id"), $iSubscriptionType);
@@ -150,8 +150,8 @@ class SubscriptionManager {
         global $default;
  
         $sql = $default->db;
-        if ($sql->query("SELECT id FROM " . Subscription::getTableName($iSubscriptionType) .  " " .
-                        "WHERE user_id = $iUserID")) {
+        if ($sql->query(array("SELECT id FROM " . Subscription::getTableName($iSubscriptionType) .  " " ./*ok*/
+                        "WHERE user_id = ?", $iUserID))) {
             $aSubscriptions = array();
             while ($sql->next_record()) {
                 $aSubscriptions[] = & Subscription::get($sql->f("id"), $iSubscriptionType);
@@ -184,9 +184,9 @@ class SubscriptionManager {
         global $default;
  
         $sql = $default->db;
-        if ($sql->query("SELECT id FROM " . Subscription::getTableName($iSubscriptionType) .  " " .
-                        "WHERE user_id = $iUserID " .
-                        "AND is_alerted = 1")) {
+        if ($sql->query(array("SELECT id FROM " . Subscription::getTableName($iSubscriptionType) .  " " ./*ok*/
+                        "WHERE user_id = ? " .
+                        "AND is_alerted = 1", $iUserID))) {
             $aSubscriptions = array();
             while ($sql->next_record()) {
                 $aSubscriptions[] = & Subscription::get($sql->f("id"), $iSubscriptionType);
@@ -192,7 +192,7 @@ class Unit extends KTEntity {
     function & get($iUnitID) {
         global $default;
         $sql = $default->db;
-        $result = $sql->query("SELECT * FROM $default->units_table WHERE id = $iUnitID");
+        $result = $sql->query(array("SELECT * FROM $default->units_table WHERE id = ?", $iUnitID));/*ok*/
         if ($result) {
             if ($sql->next_record()) {
                 $oUnit = & new Unit($sql->f("name"));
@@ -213,7 +213,7 @@ class Unit extends KTEntity {
 		global $default;
 		// check to see if group is linked to a unit
 		$sql = $default->db;
-		$query = "SELECT unit_id FROM ". $default->groups_units_table ." WHERE unit_id = " . $this->iId;
+		$query = array("SELECT unit_id FROM ". $default->groups_units_table ." WHERE unit_id = ?", $this->iId);/*ok*/
 		$sql->query($query);
 		if ($sql->num_rows($sql) > 0) {
 			return true;
@@ -262,7 +262,7 @@ class Unit extends KTEntity {
         $aUnitArray;
         settype($aUnitArray, "array");
         $sql = $default->db;
-        $result = $sql->query("SELECT * FROM " . $default->units_table  . (isset($sWhereClause) ? " " . $sWhereClause : ""));
+        $result = $sql->query("SELECT * FROM " . $default->units_table  . (isset($sWhereClause) ? " " . $sWhereClause : ""));/*wc*/
         if ($result) {
             $iCount = 0;
             while ($sql->next_record()) {
@@ -115,8 +115,9 @@ class UnitOrganisationLink extends KTEntity {
 		if ($this->iId < 0) {
  
 			$sql = $default->db;
-			$query = "SELECT unit_id FROM $default->units_organisations_table WHERE unit_id = $this->iUnitID AND organisation_id = $this->iOrgID";
-    		$sql->query($query);
+			$query = "SELECT unit_id FROM $default->units_organisations_table WHERE unit_id = ? AND organisation_id = ?";/*ok*/
+            $params = array($this->iUnitID, $this->iOrgID);
+    		$sql->query(array($query, $params));
    			$rows = $sql->num_rows($sql);
  
   			if ($rows > 0) {
@@ -138,7 +139,7 @@ class UnitOrganisationLink extends KTEntity {
 	function & get($iUnitOrganisationLinkID) {
 		global $default;	
 		$sql = $default->db;
-		$result = $sql->query("SELECT * FROM $default->units_organisations_table WHERE id = $iUnitOrganisationLinkID");
+		$result = $sql->query(array("SELECT * FROM $default->units_organisations_table WHERE id = ?", $iUnitOrganisationLinkID));/*ok*/
 		if ($result) {
 			if ($sql->next_record()) {
 				$oUnitOrganisationLink = & new UnitOrganisationLink($sql->f("unit_id"),$sql->f("organisation_id") );
@@ -164,7 +165,7 @@ class UnitOrganisationLink extends KTEntity {
 		$aUnitOrganisationLink;
 		settype($aUnitOrganisationLink, "array");
 		$sql = $default->db;
-		$result = $sql->query("SELECT * FROM "  . $default->units_organisations_table  . (isset($sWhereClause) ? " " . $sWhereClause : ""));
+		$result = $sql->query("SELECT * FROM "  . $default->units_organisations_table  . (isset($sWhereClause) ? " " . $sWhereClause : ""));/*wc*/
 		if ($result) {			
 			$iCount = 0;
 			while ($sql->next_record()) {
@@ -208,7 +209,7 @@ class UnitOrganisationLink extends KTEntity {
 	function getByUnitID($unitId) {
 		global $default;
 		$sql = $default->db;
-		$result = $sql->query("SELECT * FROM $default->units_organisations_table WHERE unit_id = $unitId");
+		$result = $sql->query(array("SELECT * FROM $default->units_organisations_table WHERE unit_id = ?", $unitId));/*ok*/
 		if ($result) {		    	
 			if ($sql->next_record()) {
 				$oUnitOrganisationLink = & UnitOrganisationLink::get($sql->f("id"));
@@ -353,7 +353,7 @@ class User extends KTEntity {
     function & get($iUserID) {
         global $default;
         $sql = $default->db;
-        $result = $sql->query("SELECT * FROM $default->users_table WHERE id = $iUserID");
+        $result = $sql->query(array("SELECT * FROM $default->users_table WHERE id = ?", $iUserID));/*ok*/
         if ($result) {
             if ($sql->next_record()) {
                 $oUser = & new User($sql->f("username"), $sql->f("name"), $sql->f("password"), $sql->f("quota_max"), $sql->f("email"), $sql->f("mobile"), $sql->f("email_notification"), $sql->f("sms_notification"), $sql->f("ldap_dn"), $sql->f("max_sessions"), $sql->f("language_id"));
@@ -380,7 +380,7 @@ class User extends KTEntity {
         $aUserArray;
         settype($aUserArray, "array");
         $sql = $default->db;
-        $result = $sql->query("SELECT * FROM " . $default->users_table  . (isset($sWhereClause) ? " " . $sWhereClause : ""));
+        $result = $sql->query("SELECT * FROM " . $default->users_table  . (isset($sWhereClause) ? " " . $sWhereClause : ""));/*wc*/
         if ($result) {
             $iCount = 0;
             while ($sql->next_record()) {
@@ -406,9 +406,9 @@ class User extends KTEntity {
         global $default, $lang_err_database;
  
         $sql = $default->db;
-        $result = $sql->query("SELECT DISTINCT gul.unit_id FROM $default->users_groups_table ugl " .
+        /*ok*/$result = $sql->query(array("SELECT DISTINCT gul.unit_id FROM $default->users_groups_table ugl " .
                               "INNER JOIN $default->groups_units_table gul ON ugl.group_id = gul.group_id ".
-                              "WHERE ugl.user_id=$userID");
+                              "WHERE ugl.user_id = ?", $userID));
         if ($result) {
             $aUnitIDs = array();
             while ($sql->next_record()) {
@@ -430,9 +430,9 @@ class User extends KTEntity {
         global $default, $lang_err_database;
  
         $sql = $default->db;
-        $result = $sql->query("SELECT DISTINCT gul.unit_id FROM $default->users_groups_table ugl " .
+        /*ok*/$result = $sql->query(array("SELECT DISTINCT gul.unit_id FROM $default->users_groups_table ugl " .
                               "INNER JOIN $default->groups_units_table gul ON ugl.group_id = gul.group_id ".
-                              "WHERE ugl.user_id=$userID");
+                              "WHERE ugl.user_id = ?", $userID));
         if ($result) {
             if ($sql->next_record()) {
                 return $sql->f("unit_id");
@@ -503,17 +503,17 @@ class User extends KTEntity {
 	        // then find the group that is unit_admin
 	        $sql = $default->db;
 	        $sEmail = "";
-	        if ($sql->query("SELECT group_id FROM $default->groups_units_table GUL " . 
+	        if ($sql->query(array("SELECT group_id FROM $default->groups_units_table GUL " . /*ok*/
 	                        "INNER JOIN $default->groups_table GL on GUL.group_id=GL.id " .
 	                        "WHERE GL.is_unit_admin=1 " .
-	                        "AND unit_id=$iUnitID")) {
+	                        "AND unit_id = ?", $iUnitID))) {
 	            // get the first record
 	            if ($sql->next_record()) {
 	                $iGroupID = $sql->f("group_id");
 	                // then find the first user in this group that has an email address
-	                if ($sql->query("SELECT U.id, U.email FROM $default->users_table U " .
+	                if ($sql->query(array("SELECT U.id, U.email FROM $default->users_table U " . /*ok*/
 	                                "INNER JOIN $default->users_groups_table UGL on UGL.user_id=U.id " .
-	                                "WHERE group_id=$iGroupID")) {
+	                                "WHERE group_id = ?", $iGroupID))) {
 	                    while ($sql->next_record()) {
 	                        if (strlen($sql->f("email")) > 0) {
 	                            return User::get($sql->f("id"));
@@ -151,7 +151,7 @@ class WebDocument extends KTEntity {
 		global $default, $lang_err_database;
 		$aWebDocumentArray = array();
 		$sql = $default->db;
-        $sQuery = "SELECT * FROM " . $default->web_documents_table;
+        $sQuery = "SELECT * FROM " . $default->web_documents_table;/*wc*/
         if (isset($sWhereClause)) {
             $sQuery .= " WHERE " . $sWhereClause;
         }