sanitize the CurrentFundraiser provided from query params, use ORM to…

… get fundraiser data

- Validate the CurrentFundraiser parameter in FRBidSheets, FRCatalog, and FRCertificates, throwing an exception when it's missing or invalid.
- Replace direct SQL queries with object-oriented FundRaiserQuery for cleaner code.
- Update constructors to work with FundRaiser objects, improving encapsulation.
- Streamline variable handling by removing global variable extraction.

src/Reports/FRBidSheets.php

@@ -14,51 +14,42 @@
 require '../Include/Functions.php';
 
 use ChurchCRM\dto\SystemConfig;
+use ChurchCRM\model\ChurchCRM\FundRaiserQuery;
+use ChurchCRM\Utils\InputUtils;
 
-$iCurrentFundraiser = $_GET['CurrentFundraiser'];
+if (!isset($_GET['CurrentFundraiser'])) {
+    throw new \InvalidArgumentException('Missing required CurrentFundraiser parameter');
+}
+$iCurrentFundraiser = (int) InputUtils::legacyFilterInput($_GET['CurrentFundraiser'], 'int');
 
 class PdfFRBidSheetsReport extends ChurchInfoReport
 {
-    // Constructor
     public function __construct()
     {
         parent::__construct('P', 'mm', $this->paperFormat);
+
         $this->SetFont('Times', '', 10);
         $this->SetMargins(15, 25);
 
         $this->SetAutoPageBreak(true, 25);
     }
-
-    public function addPage($orientation = '', $format = '', $rotation = 0): void
-    {
-        global $fr_title, $fr_description;
-
-        parent::addPage($orientation, $format, $rotation);
-
-        //      $this->SetFont("Times",'B',16);
-//      $this->Write (8, $fr_title."\n");
-        //      $curY += 8;
-        //      $this->Write (8, $fr_description."\n\n");
-        //      $curY += 8;
-        //      $this->SetFont("Times",'',10);
-    }
 }
 
 // Get the information about this fundraiser
-$sSQL = 'SELECT * FROM fundraiser_fr WHERE fr_ID=' . $iCurrentFundraiser;
-$rsFR = RunQuery($sSQL);
-$thisFR = mysqli_fetch_array($rsFR);
-extract($thisFR);
+$fundraiser = FundRaiserQuery::create()->findOneById($iCurrentFundraiser);
+if ($fundraiser === null) {
+    throw new \InvalidArgumentException('No results found for provided CurrentFundraiser parameter');
+}
 
 // Get all the donated items
 $sSQL = 'SELECT * FROM donateditem_di LEFT JOIN person_per on per_ID=di_donor_ID ' .
-        ' WHERE di_FR_ID=' . $iCurrentFundraiser .
+        ' WHERE di_FR_ID=' . $fundraiser->getId() .
         ' ORDER BY SUBSTR(di_item,1,1),cast(SUBSTR(di_item,2) as unsigned integer),SUBSTR(di_item,4)';
 
 $rsItems = RunQuery($sSQL);
 
 $pdf = new PdfFRBidSheetsReport();
-$pdf->SetTitle($fr_title);
+$pdf->SetTitle($fundraiser->getTitle());
 
 // Loop through items
 while ($oneItem = mysqli_fetch_array($rsItems)) {

src/Reports/FRCatalog.php

@@ -15,52 +15,62 @@
 require '../Include/Functions.php';
 
 use ChurchCRM\dto\SystemConfig;
+use ChurchCRM\model\ChurchCRM\Base\FundRaiser;
+use ChurchCRM\model\ChurchCRM\FundRaiserQuery;
+use ChurchCRM\Utils\InputUtils;
 
-$iCurrentFundraiser = $_GET['CurrentFundraiser'];
+if (!isset($_GET['CurrentFundraiser'])) {
+    throw new \InvalidArgumentException('Missing required CurrentFundraiser parameter');
+}
 
-$curY = 0;
+$iCurrentFundraiser = (int) InputUtils::legacyFilterInput($_GET['CurrentFundraiser'], 'int');
 
 class PdfFRCatalogReport extends ChurchInfoReport
 {
-    // Constructor
-    public function __construct()
+    public int $curY = 0;
+    private FundRaiser $fundraiser;
+
+    public function __construct(FundRaiser $fundraiser)
     {
         parent::__construct('P', 'mm', $this->paperFormat);
+
         $this->SetFont('Times', '', 10);
         $this->SetMargins(10, 20);
 
         $this->addPage();
         $this->SetAutoPageBreak(true, 25);
+
+        $this->fundraiser = $fundraiser;
     }
 
-    public function addPage($orientation = '', $format = '', $rotation = 0): void
+    public function addPage($orientation = '', $size = '', $rotation = 0): void
     {
-        global $fr_title, $fr_description, $curY;
-
-        parent::addPage($orientation, $format, $rotation);
+        parent::addPage($orientation, $size, $rotation);
 
         $this->SetFont('Times', 'B', 16);
-        $this->Write(8, $fr_title . "\n");
-        $curY += 8;
-        $this->Write(8, $fr_description . "\n\n");
-        $curY += 8;
+        $this->Write(8, $this->fundraiser->getTitle() . "\n");
+        $this->curY += 8;
+
+        $this->Write(8, $this->fundraiser->getDescription() . "\n\n");
+        $this->curY += 8;
+
         $this->SetFont('Times', '', 12);
     }
 }
 
 // Get the information about this fundraiser
-$sSQL = 'SELECT * FROM fundraiser_fr WHERE fr_ID=' . $iCurrentFundraiser;
-$rsFR = RunQuery($sSQL);
-$thisFR = mysqli_fetch_array($rsFR);
-extract($thisFR);
+$fundraiser = FundRaiserQuery::create()->findOneById($iCurrentFundraiser);
+if ($fundraiser === null) {
+    throw new \InvalidArgumentException('No results found for provided CurrentFundraiser parameter');
+}
 
 // Get all the donated items
-$sSQL = 'SELECT * FROM donateditem_di LEFT JOIN person_per on per_ID=di_donor_ID WHERE di_FR_ID=' . $iCurrentFundraiser .
+$sSQL = 'SELECT * FROM donateditem_di LEFT JOIN person_per on per_ID=di_donor_ID WHERE di_FR_ID=' . $fundraiser->getId() .
 ' ORDER BY SUBSTR(di_item,1,1),cast(SUBSTR(di_item,2) as unsigned integer),SUBSTR(di_item,4)';
 $rsItems = RunQuery($sSQL);
 
-$pdf = new PdfFRCatalogReport();
-$pdf->SetTitle($fr_title);
+$pdf = new PdfFRCatalogReport($fundraiser);
+$pdf->SetTitle($fundraiser->getTitle());
 
 // Loop through items
 $idFirstChar = '';
@@ -104,7 +114,7 @@ public function addPage($orientation = '', $format = '', $rotation = 0): void
 }
 
 header('Pragma: public');  // Needed for IE when using a shared SSL certificate
-if (SystemConfig::getValue('iPDFOutputType') == 1) {
+if ((int) SystemConfig::getValue('iPDFOutputType') === 1) {
     $pdf->Output('FRCatalog' . date(SystemConfig::getValue('sDateFilenameFormat')) . '.pdf', 'D');
 } else {
     $pdf->Output();

src/Reports/FRCertificates.php

@@ -12,23 +12,28 @@
 require '../Include/Functions.php';
 
 use ChurchCRM\dto\SystemConfig;
+use ChurchCRM\model\ChurchCRM\FundRaiserQuery;
 use ChurchCRM\Reports\PdfCertificatesReport;
+use ChurchCRM\Utils\InputUtils;
 
-$iCurrentFundraiser = $_GET['CurrentFundraiser'];
-$curY = 0;
+if (!isset($_GET['CurrentFundraiser'])) {
+    throw new \InvalidArgumentException('Missing required CurrentFundraiser parameter');
+}
+$iCurrentFundraiser = (int) InputUtils::legacyFilterInput($_GET['CurrentFundraiser'], 'int');
 
-// Get the information about this fundraiser
-$sSQL = 'SELECT * FROM fundraiser_fr WHERE fr_ID=' . $iCurrentFundraiser;
-$rsFR = RunQuery($sSQL);
-$thisFR = mysqli_fetch_array($rsFR);
-extract($thisFR);
+$fundraiser = FundRaiserQuery::create()->findOneById($iCurrentFundraiser);
+if ($fundraiser === null) {
+    throw new \InvalidArgumentException('No results found for provided CurrentFundraiser parameter');
+}
+
+$curY = 0;
 
 // Get all the donated items
-$sSQL = 'SELECT * FROM donateditem_di LEFT JOIN person_per on per_ID=di_donor_ID WHERE di_FR_ID=' . $iCurrentFundraiser . ' ORDER BY di_item';
+$sSQL = 'SELECT * FROM donateditem_di LEFT JOIN person_per on per_ID=di_donor_ID WHERE di_FR_ID=' . $fundraiser->getId() . ' ORDER BY di_item';
 $rsItems = RunQuery($sSQL);
 
 $pdf = new PdfCertificatesReport();
-$pdf->SetTitle($fr_title);
+$pdf->SetTitle($fundraiser->getTitle());
 
 // Loop through items
 while ($oneItem = mysqli_fetch_array($rsItems)) {
@@ -44,13 +49,13 @@
     if ($di_estprice > 0) {
         $pdf->Write(8, gettext('Estimated value ') . '$' . $di_estprice . '.  ');
     }
-    if ($per_LastName != '') {
+    if ($per_LastName !== '') {
         $pdf->Write(8, gettext('Donated by ') . $per_FirstName . ' ' . $per_LastName . ".\n\n");
     }
 }
 
 header('Pragma: public');  // Needed for IE when using a shared SSL certificate
-if (SystemConfig::getValue('iPDFOutputType') == 1) {
+if ((int) SystemConfig::getValue('iPDFOutputType') === 1) {
     $pdf->Output('FRCertificates' . date(SystemConfig::getValue('sDateFilenameFormat')) . '.pdf', 'D');
 } else {
     $pdf->Output();