- All staff paths (build, lock, edit, editgame, delete, add, search) and the
render SELECTs now use db.php helpers with bound params. Removes SQL injection
via playerid/missionid/callsign/newtype/newmap/buildmissions.
- Delete routes through new pqs_remove_player() (shared lock + transaction,
resyncs numplayers from real occupancy instead of a raw numplayers-1).
- Drop a stray buggy line ($callsign from an undefined $line) and guard
$_SERVER['SERVER_ADDR']. build now sets nummercs=0 (strict-mode safe).
Verified on the stack: build/edit/delete/editgame/lock/search all work; delete
resyncs numplayers; no errors.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>