pushing just over 100 database lines completed

2025-02-04 06:51:38 +00:00 · 2025-02-04 06:51:38 +00:00 · 172189a3ed
commit 172189a3ed
parent 5ccfe2dd6f
17 changed files with 198 additions and 197 deletions
--- a/admin/user_editor_window.php
+++ b/admin/user_editor_window.php
@ -98,8 +98,8 @@ if (array_key_exists('username', $_GET)) {
 	$username = $_GET['username'];
 	$type = $_GET['type'];
 	$un = $username;
-	$q = $pdo->prepare("SELECT id,MAX(year),deleted FROM users WHERE username='$un' GROUP BY uid");
+	$q = $pdo->prepare("SELECT id,MAX(year),deleted FROM users WHERE username=? GROUP BY uid");
-	$q->execute();
+	$q->execute([$un]);
 	show_pdo_errors_if_any($pdo);
 	if ($q->rowCount()) {
@ -119,8 +119,8 @@ if (array_key_exists('username', $_GET)) {
 			}
 		} else {
 			// undelete them?
-			$stmt = $pdo->prepare("UPDATE users SET deleted='no' WHERE id='$r->id'");
+			$stmt = $pdo->prepare("UPDATE users SET deleted='no' WHERE id=?");
-			$stmt->execute();
+			$stmt->execute([$r->id]);
 			// then load them?
 			$u = user_load($r->id);
 		}
--- a/admin/user_list.php
+++ b/admin/user_list.php
@ -164,9 +164,9 @@ if (get_value_from_array($_GET, 'action') == 'update') {
 	$user = user_load($id);
 	// Determine if there is a more recent uid that may possibly be in the current FAIRYEAR (allows refresh page to work)
-	$query = $pdo->prepare("SELECT id,uid,year FROM users WHERE uid='{$user['uid']}'
+	$query = $pdo->prepare("SELECT id,uid,year FROM users WHERE uid=?
 					ORDER BY year DESC LIMIT 1");
-	$query->execute();
+	$query->execute([$user['uid']]);
 	$user_new = $query->fetch(PDO::FETCH_ASSOC);
@ -178,9 +178,9 @@ if (get_value_from_array($_GET, 'action') == 'update') {
 		message_push(happy(i18n('User Updated')));
 		// find the newly updated user
-		$q_reload = $pdo->prepare("SELECT id FROM users WHERE uid='{$user['uid']}'
+		$q_reload = $pdo->prepare("SELECT id FROM users WHERE uid=?
 						ORDER BY year DESC LIMIT 1");
-		$q_reload->execute();
+		$q_reload->execute([$user['uid']]);
 		$reload_user = $q_reload->fetch(PDO::FETCH_ASSOC);
@ -296,16 +296,16 @@ $querystr = "SELECT
 			GROUP BY uid
 			HAVING 
 				u1.deleted='no'
-				$having_year
+				?
-				$where_types
+				?
-				$where_complete
+				?
 			ORDER BY 
 				lastname ASC,
 				firstname ASC,
 				year DESC";
 $q = $pdo->prepare($querystr);
-$q->execute();
+$q->execute([$having_year,$where_types,$where_complete]);
 show_pdo_errors_if_any($pdo);
 $num = $q->rowCount();
@ -358,8 +358,8 @@ while ($r = $q->fetch(PDO::FETCH_ASSOC)) {
 	if (in_array('fair', $types)) {
 		$qq = $pdo->prepare("SELECT * FROM users_fair 
 							LEFT JOIN fairs ON fairs.id=users_fair.fairs_id
-						WHERE users_id='{$r['id']}'");
+						WHERE users_id=?");
-
+		$qq->execute([$r['id']]);
 		$rr = $qq->fetch(PDO::FETCH_ASSOC);
 		$name = '{' . get_value_from_array($rr, 'name') . '}' . ((trim($name) == '') ? '' : "<br />($name)");
 	}
--- a/admin/winners.php
+++ b/admin/winners.php
@ -56,21 +56,21 @@ switch ($action) {
 		}
 		// first check how many we are allowed to have
-		$q = $pdo->prepare("SELECT number FROM award_prizes WHERE id='$prize_id'");
+		$q = $pdo->prepare("SELECT number FROM award_prizes WHERE id=?");
-		$q->execute();
+		$q->execute([$prize_id]);
 		show_pdo_errors_if_any($pdo);
 		$r = $q->fetch(PDO::FETCH_ASSOC);
 		$number = $r['number'];
 		/* Get the award info */
-		$q = $pdo->prepare("SELECT * FROM award_awards WHERE id='$award_awards_id'");
+		$q = $pdo->prepare("SELECT * FROM award_awards WHERE id=?");
-		$q->execute();
+		$q->execute([$award_awards_id]);
 		show_pdo_errors_if_any($pdo);
 		$a = $q->fetch(PDO::FETCH_ASSOC);
 		/* Get the project */
-		$q = $pdo->prepare("SELECT fairs_id FROM projects WHERE id='$projects_id'");
+		$q = $pdo->prepare("SELECT fairs_id FROM projects WHERE id=?");
-		$q->execute();
+		$q->execute([$projects_id]);
 		show_pdo_errors_if_any($pdo);
 		$p = $q->fetch(PDO::FETCH_ASSOC);
 		$fairs_id = $p['fairs_id'];
@ -89,24 +89,24 @@ switch ($action) {
 			$q = $pdo->prepare("SELECT COUNT(*) AS count FROM winners 
 						LEFT JOIN projects ON winners.projects_id=projects.id
 					WHERE 
-						projects.fairs_id='$fairs_id'
+						projects.fairs_id=?
-						awards_prizes_id='$prize_id'");
+						awards_prizes_id=?");
-			$q->execute();
+			$q->execute([$fairs_id,$prize_id]);
 			show_pdo_errors_if_any($pdo);
 			$r = $q->fetch(PDO::FETCH_ASSOC);
 			$count = $r['count'];
 		} else {
 			/* Count is the total number assigned */
-			$q = $pdo->prepare("SELECT COUNT(*) AS count FROM winners WHERE awards_prizes_id='$prize_id'");
+			$q = $pdo->prepare("SELECT COUNT(*) AS count FROM winners WHERE awards_prizes_id=?");
-			$q->execute();
+			$q->execute([$prize_id]);
 			show_pdo_errors_if_any($pdo);
 			$r = $q->fetch(PDO::FETCH_ASSOC);
 			$count = $r['count'];
 		}
 		if ($count < $number) {
-			$stmt = $pdo->prepare("INSERT INTO winners (awards_prizes_id,projects_id,year) VALUES ('$prize_id','$projects_id','{$config['FAIRYEAR']}')");
+			$stmt = $pdo->prepare("INSERT INTO winners (awards_prizes_id,projects_id,year) VALUES (?,?,?)");
-			$stmt->execute();
+			$stmt->execute([$prize_id,$projects_id,$config['FAIRYEAR']]);
 			happy_('Winning project added');
 		} else {
 			error_('This prize cannot accept any more winners.  Maximum: %1', $number);
@ -119,8 +119,8 @@ switch ($action) {
 		$projects_id = intval($_GET['projects_id']);
 		if ($prize_id && $projects_id) {
-			$stmt = $pdo->prepare("DELETE FROM winners WHERE awards_prizes_id='$prize_id' AND projects_id='$projects_id'");
+			$stmt = $pdo->prepare("DELETE FROM winners WHERE awards_prizes_id=? AND projects_id=?");
-			$stmt->execute();
+			$stmt->execute([$prize_id,$projects_id]);
 			happy_('Winning project removed');
 		}
 		exit;
@ -140,12 +140,12 @@ switch ($action) {
 				award_awards ,
 				award_types
 			WHERE 
-					award_awards.year='{$config['FAIRYEAR']}'
+					award_awards.year=?
 				AND\taward_awards.award_types_id=award_types.id
 				AND \taward_types.year=award_awards.year
-				AND\taward_awards.id='$award_awards_id'
+				AND\taward_awards.id=?
 			");
-		$q->execute();
+		$q->execute([$config['FAIRYEAR'],$award_awards_id]);
 		show_pdo_errors_if_any($pdo);
@ -177,12 +177,12 @@ switch ($action) {
 				award_awards ,
 				award_types
 			WHERE 
-					award_awards.year='{$config['FAIRYEAR']}'
+					award_awards.year=?
 				AND\taward_awards.award_types_id=award_types.id
 				AND \taward_types.year=award_awards.year
-				AND\taward_awards.id='$award_awards_id'
+				AND\taward_awards.id=?
 			");
-		$q->execute();
+		$q->execute([$config['FAIRYEAR'],$award_awards_id]);
 		show_pdo_errors_if_any($pdo);
@ -218,15 +218,15 @@ switch ($action) {
 	case 'additional_materials':
 		$fairs_id = intval($_GET['fairs_id']);
-		$q = $pdo->prepare("SELECT * FROM award_awards WHERE id='$award_awards_id'");
+		$q = $pdo->prepare("SELECT * FROM award_awards WHERE id=?");
-		$q->execute();
+		$q->execute([$award_awards_id]);
 		if ($fairs_id == 0) {
 			echo "Unsupported Action: Can't get additional materials for fairs_id=0.  Edit the project and set it's fair to anything except 'Local/Unspecified'.";
 			exit;
 		}
 		$a = $q->fetch(PDO::FETCH_ASSOC);
-		$q = $pdo->prepare("SELECT * FROM fairs WHERE id='$fairs_id'");
+		$q = $pdo->prepare("SELECT * FROM fairs WHERE id=?");
-		$q->execute();
+		$q->execute([$fairs_id]);
 		$fair = $q->fetch(PDO::FETCH_ASSOC);
 		$pdf = fair_additional_materials($fair, $a, $config['FAIRYEAR']);
 		foreach ($pdf['header'] as $h)
@ -412,17 +412,17 @@ $q = $pdo->prepare("SELECT
 			award_types.type,
 			sponsors.organization
 		FROM 
-			award_awards $fair_join,
+			award_awards ?,
 			award_types,
 			sponsors
 		WHERE 
-				award_awards.year='{$config['FAIRYEAR']}'
+				award_awards.year=?
 			AND\taward_awards.award_types_id=award_types.id
-			AND\taward_types.year='{$config['FAIRYEAR']}'
+			AND\taward_types.year=?
 			AND\taward_awards.sponsors_id=sponsors.id
-			$fair_where
+			?
 		ORDER BY awards_order");
-$q->execute();
+$q->execute([$fair_join,$config['FAIRYEAR'],$config['FAIRYEAR'],$fair_where]);
 show_pdo_errors_if_any($pdo);
@ -500,11 +500,11 @@ function print_award(&$r, $fairs_id, $editor = false, $editor_data = array())
 			FROM 
 				award_prizes 
 			WHERE 
-				award_awards_id='{$r['id']}' 
+				award_awards_id=? 
-				AND award_prizes.year='{$config['FAIRYEAR']}'
+				AND award_prizes.year=?
 			ORDER BY 
 				`order`");
-	$q->execute();
+	$q->execute([$r['id'],$config['FAIRYEAR']]);
 	show_pdo_errors_if_any($pdo);
 	echo '<table width="100%"><tr><td>';
@ -535,9 +535,9 @@ function print_award(&$r, $fairs_id, $editor = false, $editor_data = array())
 					winners
 					LEFT JOIN projects ON projects.id=winners.projects_id
 				WHERE 
-					winners.awards_prizes_id='{$pr->id}'
+					winners.awards_prizes_id=?
-					$fairs_where ");
+					? ");
-		$cq->execute();
+		$cq->execute([$pr->id,$fairs_where]);
 		show_pdo_errors_if_any($pdo);
 		$count = $cq->rowCount();
 		//		echo "winners=$count";
--- a/app/projectinfo.php
+++ b/app/projectinfo.php
@ -32,8 +32,8 @@ require ('../common.inc.php');
 global $pdo;
 // first, lets make sure someone isng tryint to see something that they arent allowed to!
-$q = $pdo->prepare("SELECT (NOW()>='" . $config['dates']['postparticipants'] . "') AS test");
+$q = $pdo->prepare("SELECT (NOW()>=?) AS test");
-$q->execute();
+$q->execute([$config['dates']['postparticipants']]);
 $r = $q->fetch(PDO::FETCH_OBJ);
 $pn = trim($_GET['n']);
@ -56,20 +56,21 @@ if ($r->test) {
 					LEFT JOIN projectcategories ON projectcategories.id=projects.projectcategories_id
 					LEFT JOIN projectdivisions ON projectdivisions.id=projects.projectdivisions_id
 				WHERE
-					registrations.year='" . $config['FAIRYEAR'] . "' 
+					registrations.year=? 
-					AND projectcategories.year='" . $config['FAIRYEAR'] . "' 
+					AND projectcategories.year=? 
-					AND projectdivisions.year='" . $config['FAIRYEAR'] . "' 
+					AND projectdivisions.year=? 
 					AND (status='complete' OR status='paymentpending')
-					AND projects.projectnumber='$pn'
+					AND projects.projectnumber=?
 				LIMIT 1
 				");
 	$q->execute([$config['FAIRYEAR'],$config['FAIRYEAR'],$config['FAIRYEAR'],$pn]);
 	show_pdo_errors_if_any($pdo);
 	$r = $q->fetch(PDO::FETCH_ASSOC);
 	$regid = $r['reg_id'];
-	$q2 = $pdo->prepare("SELECT firstname,lastname,webfirst,weblast,schools.school FROM students JOIN schools ON students.schools_id=schools.id WHERE registrations_id='$regid' ORDER BY lastname");
+	$q2 = $pdo->prepare("SELECT firstname,lastname,webfirst,weblast,schools.school FROM students JOIN schools ON students.schools_id=schools.id WHERE registrations_id=? ORDER BY lastname");
-	$q2->execute();
+	$q2->execute([$regid]);
 	$students = '';
 	while ($stud = $q2->fetch(PDO::FETCH_OBJ)) {
 		if ($stud->webfirst == 'yes')
--- a/app/projectlist.php
+++ b/app/projectlist.php
@ -31,8 +31,8 @@ require ('../common.inc.php');
 global $pdo;
 // first, lets make sure someone isnt trying to see something that they arent allowed to!
-$q = $pdo->prepare("SELECT (NOW()>='" . $config['dates']['postparticipants'] . "') AS test");
+$q = $pdo->prepare("SELECT (NOW()>=?) AS test");
-$q->execute();
+$q->execute([$config['dates']['postparticipants']]);
 $r = $q->fetch(PDO::FETCH_OBJ);
 if ($r->test) {
@ -52,16 +52,16 @@ if ($r->test) {
 					LEFT JOIN projectdivisions ON projectdivisions.id=projects.projectdivisions_id
 				WHERE
 					1
-					AND registrations.year='" . $config['FAIRYEAR'] . "' 
+					AND registrations.year=? 
-					AND projectcategories.year='" . $config['FAIRYEAR'] . "' 
+					AND projectcategories.year=? 
-					AND projectdivisions.year='" . $config['FAIRYEAR'] . "' 
+					AND projectdivisions.year=? 
 					AND (status='complete' OR status='paymentpending')
 				ORDER BY
 					projectcategories.id,
 					projectdivisions.id,
 					projects.projectnumber
 				");
-	$q->execute();
+	$q->execute([$config['FAIRYEAR'],$config['FAIRYEAR'],$config['FAIRYEAR']]);
 	show_pdo_errors_if_any($pdo);
 	$lastcat = 'something_that_does_not_exist';
--- a/app/projects.php
+++ b/app/projects.php
@ -31,8 +31,8 @@ require ('../common.inc.php');
 global $pdo;
 // first, lets make sure someone isnt trying to see something that they arent allowed to!
-$q = $pdo->prepare("SELECT (NOW()>='" . $config['dates']['postparticipants'] . "') AS test");
+$q = $pdo->prepare("SELECT (NOW()>=?) AS test");
-$q->execute();
+$q->execute([$config['dates']['postparticipants']]);
 $r = $q->fetch(PDO::FETCH_OBJ);
 $ret = array();
@ -56,16 +56,16 @@ if ($r->test) {
 					LEFT JOIN projectdivisions ON projectdivisions.id=projects.projectdivisions_id
 				WHERE
 					1
-					AND registrations.year='" . $config['FAIRYEAR'] . "' 
+					AND registrations.year=? 
-					AND projectcategories.year='" . $config['FAIRYEAR'] . "' 
+					AND projectcategories.year=? 
-					AND projectdivisions.year='" . $config['FAIRYEAR'] . "' 
+					AND projectdivisions.year=? 
 					AND (status='complete' OR status='paymentpending')
 				ORDER BY
 					projectcategories.id,
 					projectdivisions.id,
 					projects.projectnumber
 				");
-	$q->execute();
+	$q->execute([$config['FAIRYEAR'],$config['FAIRYEAR'],$config['FAIRYEAR']]);
 	show_pdo_errors_if_any($pdo);
 	$lastcat = 'something_that_does_not_exist';
--- a/config/backuprestore.php
+++ b/config/backuprestore.php
@ -40,13 +40,13 @@ if (get_value_from_array($_GET, 'action') == 'backup') {
 	$dump .= '#SFIAB FAIR NAME: ' . $config['fairname'] . "\n";
 	$dump .= "#-------------------------------------------------\n";
-	$tableq = $pdo->prepare("SHOW TABLES FROM `$DBNAME`");
+	$tableq = $pdo->prepare("SHOW TABLES FROM ?");
-	$tableq->execute();
+	$tableq->execute($DBNAME);
 	while ($tr = $tableq->fetch(PDO::FETCH_NUM)) {
 		$table = $tr[0];
 		$dump .= "#TABLE: $table\n";
-		$columnq = $pdo->prepare("SHOW COLUMNS FROM `$table`");
+		$columnq = $pdo->prepare("SHOW COLUMNS FROM ?");
-		$columnq->execute();
+		$columnq->execute($table);
 		$str = "INSERT INTO `$table` (";
 		unset($fields);
 		$fields = array();
@ -57,8 +57,8 @@ if (get_value_from_array($_GET, 'action') == 'backup') {
 		$str = substr($str, 0, -1);
 		$str .= ') VALUES (';
-		$dataq = $pdo->prepare("SELECT * FROM `$table` ORDER BY `{$fields[0]}`");
+		$dataq = $pdo->prepare("SELECT * FROM `$table` ORDER BY ?");
-		$dataq->execute();
+		$dataq->execute([$fields[0]]);
 		while ($data = $dataq->fetch(PDO::FETCH_OBJ)) {
 			$insertstr = $str;
 			foreach ($fields AS $field) {
@ -171,25 +171,25 @@ if (get_value_from_array($_GET, 'action') == 'backup') {
 	if (mb_ereg('^[a-z0-9]{32}$', $_POST['realfilename']) && file_exists('../data/backuprestore/' . $_POST['realfilename'])) {
 		$filename = $_POST['realfilename'];
 		echo i18n('Proceeding with database restore from %1', array($_POST['filename'])) . '...';
-		$lines = file("../data/backuprestore/$filename");
+		$lines = file("../data/backuprestore/?");
 		$err = false;
 		echo '<pre>';
 		foreach ($lines AS $line) {
 			$line = trim($line);
 			if (mb_ereg('^#TABLE: (.*)', $line, $args)) {
 				// empty out the table
-				$sql = 'TRUNCATE TABLE `' . $args[1] . '`';
+				$sql = 'TRUNCATE TABLE ?';
 				//			echo $sql."\n";
 				$stmt = $pdo->prepare($sql);
-				$stmt->execute();
+				$stmt->execute([$args[1]]);
 			} else if (mb_ereg('^#', $line)) {
 				// just skip it
 			} else {
 				// insert the new data
 				$stmt = $pdo->prepare($line);
-				$stmt->execute();
+				$stmt->execute([$filename]);
 				if ($pdo->errorInfo()) {
 					echo $line . "\n";
 					echo $pdo->errorInfo() . "\n";
@ -226,13 +226,13 @@ if (get_value_from_array($_GET, 'action') == 'backup') {
 			user_purge($judge, 'judge');
 		} else {
 			// Find max year of judge
-			$max_year_query = $pdo->prepare('SELECT year FROM users WHERE uid = ' . $judge['uid'] . ' ORDER BY year DESC limit 1');
+			$max_year_query = $pdo->prepare('SELECT year FROM users WHERE uid =? ORDER BY year DESC limit 1');
-			$max_year_query->execute();
+			$max_year_query->execute([$judge['uid']]);
 			$judge_max_year = $max_year_query->fetch(PDO::FETCH_ASSOC);
 			// Grab old judge info.
 			// Old judge info consists of all entries in the database that are not the most recent for the specific judge
-			$deletable = $pdo->prepare('SELECT * FROM users WHERE uid =' . $judge['uid'] . ' AND year NOT LIKE ' . $judge_max_year['year']);
+			$deletable = $pdo->prepare('SELECT * FROM users WHERE uid =? AND year NOT LIKE ?');
-			$deletable->execute();
+			$deletable->execute([$judge['uid'],$judge_max_year['year']]);
 			// and if they have old data from previous fair years
 			if ($deletable->rowCount() > 0) {
 				// delete old data one by one
@ -260,8 +260,8 @@ if (get_value_from_array($_GET, 'action') == 'backup') {
 		error(i18n($pdo->errorInfo()[0]));
 	}
 } else if (get_value_from_array($_POST, 'action') == 'clean_parents') {
-	$query_parents = $pdo->prepare('SELECT * FROM users WHERE types LIKE "parent" AND year !=' . $config['FAIRYEAR']);
+	$query_parents = $pdo->prepare('SELECT * FROM users WHERE types LIKE "parent" AND year !=?');
-	$query_parents->execute();
+	$query_parents->execute([$config['FAIRYEAR']]);
 	while ($parent = $query_parents->fetch(PDO::FETCH_ASSOC)) {
 		if (!is_array($parent['types'])) {
 			$parent['types'] = array($parent['types']);
--- a/config/categories.php
+++ b/config/categories.php
@ -42,21 +42,21 @@ if (get_value_from_array($_GET, 'action') == 'edit' || get_value_from_array($_GE
 if (get_value_from_array($_POST, 'action') == 'edit') {
 	// ues isset($_POST['mingrade']) instead of just $_POST['mingrade'] to allow entering 0 for kindergarden
 	if (get_value_from_array($_POST, 'id') && get_value_from_array($_POST, 'category') && isset($_POST['mingrade']) && $_POST['maxgrade']) {
-		$q = $pdo->prepare("SELECT id FROM projectcategories WHERE id='" . $_POST['id'] . "' AND year='" . $config['FAIRYEAR'] . "'");
+		$q = $pdo->prepare("SELECT id FROM projectcategories WHERE id=? AND year=?");
-		$q->execute();
+		$q->execute([$_POST['id'],$config['FAIRYEAR']]);
 		show_pdo_errors_if_any($pdo);
 		if ($q->rowCount() && $_POST['saveid'] != $_POST['id']) {
 			echo error(i18n('Category ID %1 already exists', array($_POST['id']), array('category ID')));
 		} else {
 			$stmt = $pdo->prepare('UPDATE projectcategories SET '
-				. "id='" . $_POST['id'] . "', "
+				. "id=?, "
-				. "category='" . stripslashes($_POST['category']) . "', "
+				. "category=?, "
-				. "category_shortform='" . stripslashes($_POST['category_shortform']) . "', "
+				. "category_shortform=?, "
-				. "mingrade='" . $_POST['mingrade'] . "', "
+				. "mingrade=?, "
-				. "maxgrade='" . $_POST['maxgrade'] . "' "
+				. "maxgrade=?"
-				. "WHERE id='" . $_POST['saveid'] . "'");
+				. "WHERE id=?");
 			echo happy(i18n('Category successfully saved'));
-			$stmt->execute();
+			$stmt->execute([$_POST['id'],stripslashes($_POST['category']),stripslashes($_POST['category_shortform']),$_POST['mingrade'],$_POST['maxgrade'],$_POST['saveid']]);
 		}
 	} else {
 		echo error(i18n('All fields are required'));
@ -66,8 +66,8 @@ if (get_value_from_array($_POST, 'action') == 'edit') {
 if (get_value_from_array($_POST, 'action') == 'new') {
 	// ues isset($_POST['mingrade']) instead of just $_POST['mingrade'] to allow entering 0 for kindergarden
 	if (get_value_from_array($_POST, 'id') && $_POST['category'] && isset($_POST['mingrade']) && $_POST['maxgrade']) {
-		$q = $pdo->prepare("SELECT id FROM projectcategories WHERE id='" . $_POST['id'] . "' AND year='" . $config['FAIRYEAR'] . "'");
+		$q = $pdo->prepare("SELECT id FROM projectcategories WHERE id=? AND year=?");
-		$q->execute();
+		$q->execute([$_POST['id'],$config['FAIRYEAR']]);
 		if ($q->rowCount()) {
 			echo error(i18n('Category ID %1 already exists', array($_POST['id']), array('category ID')));
 		} else {
@ -89,11 +89,11 @@ if (get_value_from_array($_POST, 'action') == 'new') {
 if (get_value_from_array($_GET, 'action') == 'remove' && get_value_from_array($_GET, 'remove')) {
 	// ###### Feature Specific - filtering divisions by category - not conditional, cause even if they have the filtering turned off..if any links
 	// for this division exist they should be deleted
-	$stmt = $pdo->prepare("DELETE FROM projectcategoriesdivisions_link where projectcategories_id='" . $_GET['remove'] . "' AND year='" . $config['FAIRYEAR'] . "'");
+	$stmt = $pdo->prepare("DELETE FROM projectcategoriesdivisions_link where projectcategories_id=? AND year=?");
-	$stmt->execute();
+	$stmt->execute([$_GET['remove'],$config['FAIRYEAR']]);
 	// ####
-	$stmt = $pdo->prepare("DELETE FROM projectcategories WHERE id='" . $_GET['remove'] . "' AND year='" . $config['FAIRYEAR'] . "'");
+	$stmt = $pdo->prepare("DELETE FROM projectcategories WHERE id=? AND year=?");
-	$stmt->execute();
+	$stmt->execute([$_GET['remove'],$config['FAIRYEAR']]);
 	echo happy(i18n('Category successfully removed'));
 }
@ -118,8 +118,8 @@ if (get_value_from_array($_GET, 'action') == 'edit' || get_value_from_array($_GE
 	echo '<input type="hidden" name="action" value="' . get_value_from_array($_GET, 'action') . "\">\n";
 	if (get_value_from_array($_GET, 'action') == 'edit') {
 		echo '<input type="hidden" name="saveid" value="' . get_value_from_array($_GET, 'edit') . "\">\n";
-		$q = $pdo->prepare("SELECT * FROM projectcategories WHERE id='" . get_value_from_array($_GET, 'edit') . "' AND year='" . $config['FAIRYEAR'] . "'");
+		$q = $pdo->prepare("SELECT * FROM projectcategories WHERE id=? AND year=?");
-		$q->execute();
+		$q->execute([get_value_from_array($_GET, 'edit'),$config['FAIRYEAR']]);
 		$categoryr = $q->fetch(PDO::FETCH_OBJ);
 		$buttontext = 'Save';
 	} else if (get_value_from_array($_GET, 'action') == 'new') {
@ -135,8 +135,8 @@ if (get_value_from_array($_GET, 'action') == 'edit' || get_value_from_array($_GE
 	echo ' <td><input type="submit" value="' . i18n($buttontext) . '"></td>';
 	echo '</tr>';
 } else {
-	$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY mingrade");
+	$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year=? ORDER BY mingrade");
-	$q->execute();
+	$q->execute([$config['FAIRYEAR']]);
 	while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 		echo '<tr>';
 		echo " <td align=\"center\">$r->id</td>";
--- a/config/dates.php
+++ b/config/dates.php
@ -57,8 +57,8 @@ if (get_value_from_array($_POST, 'action') == 'save') {
 			$d = stripslashes($val);
 			$t = stripslashes($_POST['savetimes'][$key]);
 			$v = "$d $t";
-			$stmt = $pdo->prepare("UPDATE dates SET date='$v' WHERE year='" . $config['FAIRYEAR'] . "' AND id='$key'");
+			$stmt = $pdo->prepare("UPDATE dates SET date=? WHERE year=? AND id=?");
-			$stmt->execute();
+			$stmt->execute([$v,$config['FAIRYEAR'],$key]);
 		}
 	}
 	echo happy(i18n('Dates successfully saved'));
@ -83,8 +83,8 @@ $dates = array('fairdate' => array(),
 /* Now copy the SQL data into the above array */
-$q = $pdo->prepare("SELECT * FROM dates WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY date");
+$q = $pdo->prepare("SELECT * FROM dates WHERE year=? ORDER BY date");
-$q->execute();
+$q->execute([$config['FAIRYEAR']]);
 while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 	$dates[$r->name]['description'] = $r->description;
 	$dates[$r->name]['id'] = $r->id;
@ -131,12 +131,12 @@ foreach ($dates as $dn => $d) {
 		$def = $defaultdates[$dn];
 		// hmm if we dont have a record for this date this year, INSERT the sql from the default
 		$stmt = $pdo->prepare("INSERT INTO dates (date,name,description,year) VALUES (
-			'" . $def->date . "',
+			?,
-			'" . $dn . "',
+			?,
-			'" . $def->description . "',
+			?,
-			'" . $config['FAIRYEAR'] . "'
+			?
 			)");
-		$stmt->execute();
+		$stmt->execute([$def->date,$dn,$def->description,$config['FAIRYEAR']]);
 		$d['id'] = $pdo->lastInsertId();
 		$d['description'] = $def->description;
 		$d['date'] = $def->date;
--- a/config/divisions.php
+++ b/config/divisions.php
@ -45,22 +45,22 @@ if (get_value_from_array($_GET, 'action') == 'edit' || get_value_from_array($_GE
 if (get_value_from_array($_POST, 'action') == 'edit') {
 	if (get_value_from_array($_POST, 'id') && get_value_from_array($_POST, 'division')) {
-		$q = $pdo->prepare("SELECT id FROM projectdivisions WHERE id='" . $_POST['id'] . "' AND year='" . $config['FAIRYEAR'] . "'");
+		$q = $pdo->prepare("SELECT id FROM projectdivisions WHERE id=? AND year=?");
-		$q->execute();
+		$q->execute([$_POST['id'],$config['FAIRYEAR']]);
 		if ($q->rowCount() && $_POST['saveid'] != $_POST['id']) {
 			echo error(i18n('Division ID %1 already exists', array($_POST['id']), array('division ID')));
 		} else {
 			$stmt = $pdo->prepare('UPDATE projectdivisions SET '
-				. "id='" . $_POST['id'] . "', "
+				. "id=?, "
-				. "division='" . stripslashes($_POST['division']) . "', "
+				. "division=?, "
-				. "division_shortform='" . stripslashes($_POST['division_shortform']) . "' "
+				. "division_shortform=?"
-				. "WHERE id='" . $_POST['saveid'] . "' AND year='{$config['FAIRYEAR']}'");
+				. "WHERE id=? AND year=?");
-			$stmt->execute();
+			$stmt->execute([$_POST['id'],stripslashes($_POST['division']),stripslashes($_POST['division_shortform']),$_POST['saveid'],$config['FAIRYEAR']]);
 			// ###### Feature Specific - filtering divisions by category
 			if ($config['filterdivisionbycategory'] == 'yes') {
-				$stmt = $pdo->prepare("DELETE FROM projectcategoriesdivisions_link WHERE projectdivisions_id='" . $_POST['saveid'] . "' AND year='" . $config['FAIRYEAR'] . "'");
+				$stmt = $pdo->prepare("DELETE FROM projectcategoriesdivisions_link WHERE projectdivisions_id=? AND year=?");
-				$stmt->execute();
+				$stmt->execute([ $_POST['saveid'],$config['FAIRYEAR']]);
 				if (is_array($_POST['divcat'])) {
 					foreach ($_POST['divcat'] as $tempcat) {
 						$stmt = $pdo->prepare('INSERT INTO projectcategoriesdivisions_link (projectdivisions_id,projectcategories_id,year) VALUES ( '
--- a/config/divisions_cwsf.php
+++ b/config/divisions_cwsf.php
@ -35,8 +35,8 @@ send_header('CWSF Project Divisions',
 // //// FIX ME!!!!!
 if (count(get_value_from_array($_POST, 'cwsfdivision', []))) {
 	foreach ($_POST['cwsfdivision'] AS $k => $v) {
-		$stmt = $pdo->prepare("UPDATE projectdivisions SET cwsfdivisionid='$v' WHERE id='$k' AND year='" . $config['FAIRYEAR'] . "'");
+		$stmt = $pdo->prepare("UPDATE projectdivisions SET cwsfdivisionid=? WHERE id=? AND year=?");
-		$stmt->execute();
+		$stmt->execute([$v,$k,$config['FAIRYEAR']]);
 	}
 	echo happy(i18n('Corresponding CWSF divisions saved'));
 }
@ -53,8 +53,8 @@ echo '<th>' . i18n('Your Division') . "</th>\n";
 echo '<th>' . i18n('Corresponding CWSF Division') . "</th>\n";
 echo '</tr>';
-$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY id");
+$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year=? ORDER BY id");
-$q->execute();
+$q->execute([$config['FAIRYEAR']]);
 while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 	echo '<tr>';
 	echo ' <td>' . i18n($r->division) . '</td>';
--- a/config/languagepacks.php
+++ b/config/languagepacks.php
@ -88,7 +88,7 @@ if (get_value_from_array($_GET, 'action') == 'install' && get_value_from_array($
 	$packs = loadLanguagePacks();
 	$loaded = 0;
 	if ($packs[$_GET['install']]) {
-		$lines = file("http://www.sfiab.ca/languages/{$packs[$_GET['install']]['filename']}");
+		$lines = file("http://www.sfiab.ca/languages/?");
 		$totallines = count($lines);
 		$numtranslations = round($totallines / 2);
 		echo i18n('There are %1 translations in this language pack... processing...', array($numtranslations));
@ -98,7 +98,7 @@ if (get_value_from_array($_GET, 'action') == 'install' && get_value_from_array($
 				if (substr($line, 0, 6) == 'UPDATE' || substr($line, 0, 6) == 'INSERT') {
 					$stmt = $pdo->prepare($line);
-					$stmt->execute();
+					$stmt->execute([$packs[$_GET['install']]['filename']]);
 					$a = $pdo->rowwCount();
 					$loaded += $a;
 				} else
--- a/config/pagetexts.php
+++ b/config/pagetexts.php
@ -43,8 +43,8 @@
 while($r=$q->fetch(PDO::FETCH_OBJ))
 {
 	 foreach($config['languages'] AS $lang=>$langname) {
-		$q_current = $pdo->prepare("SELECT * FROM pagetext WHERE year=".$pdo->quote($config['FAIRYEAR'])." and textname=".$pdo->quote($r->textname)."");
+		$q_current = $pdo->prepare("SELECT * FROM pagetext WHERE year=? and textname=?");
-		$q_current->execute();
+		$q_current->execute([$pdo->quote($config['FAIRYEAR']),$pdo->quote($r->textname)]);
 		if ($q_current->rowCount() == 0) {
 			$q1 = $pdo->prepare("INSERT INTO pagetext (`textname`,`textdescription`,`text`,`year`,`lang`) VALUES (
@ -82,8 +82,8 @@
 if(get_value_from_array($_GET, 'textname'))
 {
-	$q=$pdo->prepare("SELECT * FROM pagetext WHERE textname='".$_GET['textname']."' AND year='".$config['FAIRYEAR']."'");
+	$q=$pdo->prepare("SELECT * FROM pagetext WHERE textname=? AND year=?");
-	$q->execute();
+	$q->execute([$_GET['textname'],$config['FAIRYEAR']]);
 	//needs to be at least one entry in any languages
 	if($r=$q->fetch(PDO::FETCH_OBJ))
 	{
@ -93,14 +93,14 @@
 		foreach($config['languages'] AS $lang=>$langname) {
-			$q=$pdo->prepare("SELECT * FROM pagetext WHERE textname='".$_GET['textname']."' AND year='".$config['FAIRYEAR']."' AND lang='$lang'");
+			$q=$pdo->prepare("SELECT * FROM pagetext WHERE textname=? AND year=? AND lang=?");
-			$q->execute();
+			$q->execute([$_GET['textname'],$config['FAIRYEAR'],$lang]);
 			$r=$q->fetch(PDO::FETCH_OBJ);
 			if(!$r)
 			{
-					$stmt = $pdo->prepare("INSERT INTO pagetext (textname,year,lang) VALUES ('".$pdo->quote($_GET['textname'])."','".$config['FAIRYEAR']."','$lang')");
+					$stmt = $pdo->prepare("INSERT INTO pagetext (textname,year,lang) VALUES (?,?,?)");
-					$stmt->execute();
+					$stmt->execute([$pdo->quote($_GET['textname']),$config['FAIRYEAR'],$lang]);
 					show_pdo_errors_if_any($pdo);
 			}
@ -140,8 +140,8 @@
 	 echo i18n("Choose a page text to edit");
 	 echo "<table class=\"summarytable\">";
-	 $q=$pdo->prepare("SELECT * FROM pagetext WHERE year='".$config['FAIRYEAR']."' AND lang='".$config['default_language']."' ORDER BY textname");
+	 $q=$pdo->prepare("SELECT * FROM pagetext WHERE year=? AND lang=? ORDER BY textname");
-	$q->execute();
+	$q->execute([$config['FAIRYEAR'],$config['default_language']]);
 	 echo "<tr><th>".i18n("Page Text Description")."</th><th>".i18n("Last Update")."</th></tr>";
 	 while($r=$q->fetch(PDO::FETCH_OBJ))
 	 {
--- a/config/rollover.php
+++ b/config/rollover.php
@ -66,8 +66,8 @@ function roll($currentfairyear, $newfairyear, $table, $where = '', $replace = ar
 	 */
 	/* Get field list for this table */
-	$q = $pdo->prepare("SHOW COLUMNS IN `$table`");
+	$q = $pdo->prepare("SHOW COLUMNS IN ?");
-	$q->execute();
+	$q->execute([$table]);
 	show_pdo_errors_if_any($pdo);
 	while (($c = $q->fetch(PDO::FETCH_ASSOC))) {
 		$col[$c['Field']] = $c;
@ -91,8 +91,8 @@ function roll($currentfairyear, $newfairyear, $table, $where = '', $replace = ar
 		$where = '1';
 	/* Get data */
-	$q = $pdo->prepare("SELECT * FROM $table WHERE year='$currentfairyear' AND $where");
+	$q = $pdo->prepare("SELECT * FROM ? WHERE year=? AND ?");
-	$q->execute();
+	$q->execute([$table,$currentfairyear,$where]);
 	show_pdo_errors_if_any($pdo);
 	$names = '`' . join('`,`', $fields) . '`';
@ -108,8 +108,8 @@ function roll($currentfairyear, $newfairyear, $table, $where = '', $replace = ar
 				$vals .= ',' . $pdo->quote($r[$f]);
 		}
-		$stmt = $pdo->prepare("INSERT INTO `$table`(`year`,$names) VALUES ('$newfairyear'$vals)");
+		$stmt = $pdo->prepare("INSERT INTO ?(`year`,?) VALUES (??)");
-		$stmt->execute();
+		$stmt->execute([$table,$names,$newfairyear,$vals]);
 		show_pdo_errors_if_any($pdo);
 	}
 }
@ -134,8 +134,8 @@ if (get_value_from_array($_POST, 'action') == 'rollover' && get_value_from_array
 		// now the dates
 		echo i18n('Rolling dates') . '<br />';
-		$q = $pdo->prepare("SELECT DATE_ADD(date,INTERVAL 365 DAY) AS newdate,name,description FROM dates WHERE year='$currentfairyear'");
+		$q = $pdo->prepare("SELECT DATE_ADD(date,INTERVAL 365 DAY) AS newdate,name,description FROM dates WHERE year=?");
-		$q->execute();
+		$q->execute([$currentfairyear]);
 		show_pdo_errors_if_any($pdo);
 		while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 			$stmt = $pdo->prepare("INSERT INTO dates (date,name,description,year) VALUES (
@ -149,8 +149,8 @@ if (get_value_from_array($_POST, 'action') == 'rollover' && get_value_from_array
 		// page text
 		echo i18n('Rolling page texts') . '<br />';
-		$q = $pdo->prepare("SELECT * FROM pagetext WHERE year='$currentfairyear'");
+		$q = $pdo->prepare("SELECT * FROM pagetext WHERE year=?");
-		$q->execute();
+		$q->execute([$currentfairyear]);
 		show_pdo_errors_if_any($pdo);
 		while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 			$stmt = $pdo->prepare("INSERT INTO pagetext (textname,textdescription,text,lastupdate,year,lang) VALUES (
@ -166,8 +166,8 @@ if (get_value_from_array($_POST, 'action') == 'rollover' && get_value_from_array
 		echo i18n('Rolling project categories') . '<br />';
 		// project categories
-		$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year='$currentfairyear'");
+		$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year=?");
-		$q->execute();
+		$q->execute([$currentfairyear]);
 		show_pdo_errors_if_any($pdo);
 		while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 			$stmt = $pdo->prepare("INSERT INTO projectcategories (id,category,category_shortform,mingrade,maxgrade,year) VALUES (
@ -183,8 +183,8 @@ if (get_value_from_array($_POST, 'action') == 'rollover' && get_value_from_array
 		echo i18n('Rolling project divisions') . '<br />';
 		// project divisions
-		$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year='$currentfairyear'");
+		$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year=?");
-		$q->execute();
+		$q->execute([$currentfairyear]);
 		show_pdo_errors_if_any($pdo);
 		while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 			$stmt = $pdo->prepare("INSERT INTO projectdivisions (id,division,division_shortform,cwsfdivisionid,year) VALUES (
@ -199,8 +199,8 @@ if (get_value_from_array($_POST, 'action') == 'rollover' && get_value_from_array
 		echo i18n('Rolling project category-division links') . '<br />';
 		// project categories divisions links
-		$q = $pdo->prepare("SELECT * FROM projectcategoriesdivisions_link WHERE year='$currentfairyear'");
+		$q = $pdo->prepare("SELECT * FROM projectcategoriesdivisions_link WHERE year=?");
-		$q->execute();
+		$q->execute([$currentfairyear]);
 		show_pdo_errors_if_any($pdo);
 		while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 			$stmt = $pdo->prepare("INSERT INTO projectcategoriesdivisions_link (projectdivisions_id,projectcategories_id,year) VALUES (
@ -213,8 +213,8 @@ if (get_value_from_array($_POST, 'action') == 'rollover' && get_value_from_array
 		echo i18n('Rolling project sub-divisions') . '<br />';
 		// project subdivisions
-		$q = $pdo->prepare("SELECT * FROM projectsubdivisions WHERE year='$currentfairyear'");
+		$q = $pdo->prepare("SELECT * FROM projectsubdivisions WHERE year=?");
-		$q->execute();
+		$q->execute([$currentfairyear]);
 		show_pdo_errors_if_any($pdo);
 		while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 			$stmt = $pdo->prepare("INSERT INTO projectsubdivisions (id,projectdivisions_id,subdivision,year) VALUES (
@ -228,8 +228,8 @@ if (get_value_from_array($_POST, 'action') == 'rollover' && get_value_from_array
 		echo i18n('Rolling safety questions') . '<br />';
 		// safety questions
-		$q = $pdo->prepare("SELECT * FROM safetyquestions WHERE year='$currentfairyear'");
+		$q = $pdo->prepare("SELECT * FROM safetyquestions WHERE year=?");
-		$q->execute();
+		$q->execute([$currentfairyear]);
 		show_pdo_errors_if_any($pdo);
 		while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 			$stmt = $pdo->prepare("INSERT INTO safetyquestions (question,type,required,ord,year) VALUES (
@ -245,8 +245,8 @@ if (get_value_from_array($_POST, 'action') == 'rollover' && get_value_from_array
 		echo i18n('Rolling awards') . '<br />';
 		// awards
-		$q = $pdo->prepare("SELECT * FROM award_awards WHERE year='$currentfairyear'");
+		$q = $pdo->prepare("SELECT * FROM award_awards WHERE year=?");
-		$q->execute();
+		$q->execute([$currentfairyear]);
 		show_pdo_errors_if_any($pdo);
 		while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 			/* Roll the one award */
@ -265,8 +265,8 @@ if (get_value_from_array($_POST, 'action') == 'rollover' && get_value_from_array
 		echo i18n('Rolling award types') . '<br />';
 		// award types
-		$q = $pdo->prepare("SELECT * FROM award_types WHERE year='$currentfairyear'");
+		$q = $pdo->prepare("SELECT * FROM award_types WHERE year=?");
-		$q->execute();
+		$q->execute([$currentfairyear]);
 		show_pdo_errors_if_any($pdo);
 		while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 			$stmt = $pdo->prepare("INSERT INTO award_types (id,type,`order`,year) VALUES (
@ -280,8 +280,8 @@ if (get_value_from_array($_POST, 'action') == 'rollover' && get_value_from_array
 		echo i18n('Rolling schools') . '<br />';
 		// award types
-		$q = $pdo->prepare("SELECT * FROM schools WHERE year='$currentfairyear'");
+		$q = $pdo->prepare("SELECT * FROM schools WHERE year=?");
-		$q->execute();
+		$q->execute([$currentfairyear]);
 		show_pdo_errors_if_any($pdo);
 		while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 			$puid = ($r->principal_uid == null) ? 'NULL' : ("'" . intval($r->principal_uid) . "'");
@ -314,8 +314,8 @@ if (get_value_from_array($_POST, 'action') == 'rollover' && get_value_from_array
 		}
 		echo i18n('Rolling questions') . '<br />';
-		$q = $pdo->prepare("SELECT * FROM questions WHERE year='$currentfairyear'");
+		$q = $pdo->prepare("SELECT * FROM questions WHERE year=?");
-		$q->execute();
+		$q->execute([$currentfairyear]);
 		show_pdo_errors_if_any($pdo);
 		while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 			$stmt = $pdo->prepare("INSERT INTO questions (id,year,section,db_heading,question,type,required,ord) VALUES (
@ -341,8 +341,8 @@ if (get_value_from_array($_POST, 'action') == 'rollover' && get_value_from_array
 		// timeslots and rounds
 		echo i18n('Rolling judging timeslots and rounds') . '<br />';
-		$q = $pdo->prepare("SELECT * FROM judges_timeslots WHERE year='$currentfairyear' AND round_id='0'");
+		$q = $pdo->prepare("SELECT * FROM judges_timeslots WHERE year=? AND round_id='0'");
-		$q->execute();
+		$q->execute([$currentfairyear]);
 		show_pdo_errors_if_any($pdo);
 		while ($r = $q->fetch(PDO::FETCH_ASSOC)) {
 			$d = $newfairyear - $currentfairyear;
@ -352,8 +352,8 @@ if (get_value_from_array($_POST, 'action') == 'rollover' && get_value_from_array
 			$stmt->execute();
 			show_pdo_errors_if_any($pdo);
 			$round_id = $pdo->lastInsertId();
-			$qq = $pdo->prepare("SELECT * FROM judges_timeslots WHERE round_id='{$r['id']}'");
+			$qq = $pdo->prepare("SELECT * FROM judges_timeslots WHERE round_id=?");
-			$qq->execute();
+			$qq->execute([$r['id']]);
 			show_pdo_errors_if_any($pdo);
 			while ($rr = $qq->fetch(PDO::FETCH_ASSOC)) {
 				$stmt = $pdo->prepare("INSERT INTO judges_timeslots (`year`,`round_id`,`type`,`date`,`starttime`,`endtime`)
@ -365,8 +365,8 @@ if (get_value_from_array($_POST, 'action') == 'rollover' && get_value_from_array
 		}
 		echo '<br /><br />';
-		$stmt = $pdo->prepare("UPDATE config SET val='$newfairyear' WHERE var='FAIRYEAR' AND year=0");
+		$stmt = $pdo->prepare("UPDATE config SET val=? WHERE var='FAIRYEAR' AND year=0");
-		$stmt->execute();
+		$stmt->execute([$newfairyear]);
 		show_pdo_errors_if_any($pdo);
 		echo happy(i18n('Fair year has been rolled over from %1 to %2', array($currentfairyear, $newfairyear)));
 		send_footer();
--- a/config/rolloverfiscal.php
+++ b/config/rolloverfiscal.php
@ -82,8 +82,8 @@ function rolloverfiscalyear($newYear)
 	// first we'll roll over fundraising_campaigns:
 	$fields = '`name`,`type`,`startdate`,`enddate`,`followupdate`,`active`,`target`,`fundraising_goal`,`filterparameters`';
-	$q = $pdo->prepare("SELECT $fields FROM fundraising_campaigns WHERE fiscalyear = $oldYear");
+	$q = $pdo->prepare("SELECT $fields FROM fundraising_campaigns WHERE fiscalyear =?");
-	$q->execute();
+	$q->execute([$oldYear]);
 	while ($pdo->errorInfo()[0] == 0 && $r = $q->fetch(PDO::FETCH_ASSOC)) {
 		foreach (array('startdate', 'enddate', 'followupdate') as $dateField) {
@ -100,16 +100,16 @@ function rolloverfiscalyear($newYear)
 		foreach ($values as $idx => $val) {
 			$values[$idx] = $val;
 		}
-		$query = 'INSERT INTO fundraising_campaigns (`' . implode('`,`', $fields) . "`) VALUES('" . implode("','", $values) . "')";
+		$query = 'INSERT INTO fundraising_campaigns (?) VALUES(?)';
 		$stmt = $pdo->prepare($query);
-		$stmt->execute();
+		$stmt->execute([implode('`,`', $fields),implode("','", $values)]);
 	}
 	// next we'll hit findraising_donor_levels
 	$fields = '`level`,`min`,`max`,`description`';
 	if ($pdo->errorInfo()[0] == 0)
-		$q = $pdo->prepare("SELECT $fields FROM fundraising_donor_levels WHERE fiscalyear = $oldYear");
+		$q = $pdo->prepare("SELECT $fields FROM fundraising_donor_levels WHERE fiscalyear =?");
-	$q->execute();
+	$q->execute([$oldYear]);
 	while ($pdo->errorInfo()[0] == 0 && $r = $q->fetch(PDO::FETCH_ASSOC)) {
 		$r['fiscalyear'] = $newYear;
 		$fields = array_keys($r);
@ -117,16 +117,16 @@ function rolloverfiscalyear($newYear)
 		foreach ($values as $idx => $val) {
 			$values[$idx] = $val;
 		}
-		$query = 'INSERT INTO fundraising_donor_levels (`' . implode('`,`', $fields) . "`) VALUES('" . implode("','", $values) . "')";
+		$query = 'INSERT INTO fundraising_donor_levels (?) VALUES(?)';
 		$stmt = $pdo->prepare($query);
-		$stmt->execute();
+		$stmt->execute([implode('`,`', $fields),implode("','", $values)]);
 	}
 	// and now we'll do findraising_goals
 	$fields = '`goal`,`name`,`description`,`system`,`budget`,`deadline`';
 	if ($pdo->errorInfo()[0] == 0) {
-		$q = $pdo->prepare("SELECT $fields FROM fundraising_goals WHERE fiscalyear = $oldYear");
+		$q = $pdo->prepare("SELECT ? FROM fundraising_goals WHERE fiscalyear =?");
-		$q->execute();
+		$q->execute([$fields,$oldYear]);
 	}
 	while ($pdo->errorInfo()[0] == 0 && $r = $q->fetch(PDO::FETCH_ASSOC)) {
 		$dateval = $r['deadline'];
@ -142,15 +142,15 @@ function rolloverfiscalyear($newYear)
 		foreach ($values as $idx => $val) {
 			$values[$idx] = $val;
 		}
-		$query = 'INSERT INTO fundraising_goals (`' . implode('`,`', $fields) . "`) VALUES('" . implode("','", $values) . "')";
+		$query = 'INSERT INTO fundraising_goals (?) VALUES(?)';
 		$stmt = $pdo->prepare($query);
-		$stmt->execute();
+		$stmt->execute([implode('`,`', $fields),implode("','", $values)]);
 	}
 	// finally, let's update the fiscal year itself:
 	if ($pdo->errorInfo()[0] == 0) {
-		$stmt = $pdo->prepare("UPDATE config SET val='$newYear' WHERE var='FISCALYEAR'");
+		$stmt = $pdo->prepare("UPDATE config SET val=? WHERE var='FISCALYEAR'");
-		$stmt->execute();
+		$stmt->execute([$newYear]);
 	}
 	if ($pdo->errorInfo()[0] == 0) {
--- a/config/safetyquestions.php
+++ b/config/safetyquestions.php
@ -67,8 +67,8 @@ if (get_value_from_array($_POST, 'action') == 'new') {
 }
 if (get_value_from_array($_GET, 'action') == 'remove' && get_value_from_array($_GET, 'remove')) {
-	$stmt = $pdo->prepare("DELETE FROM safetyquestions WHERE id='" . $_GET['remove'] . "' AND year='" . $config['FAIRYEAR'] . "'");
+	$stmt = $pdo->prepare("DELETE FROM safetyquestions WHERE id=? AND year=?");
-	$stmt->execute();
+	$stmt->execute([$_GET['remove'],$config['FAIRYEAR']]);
 	echo happy(i18n('Safety question successfully removed'));
 }
@ -82,8 +82,8 @@ if ((get_value_from_array($_GET, 'action') == 'edit' && get_value_from_array($_G
 	} else if ($_GET['action'] == 'edit') {
 		$buttontext = 'Save safety question';
 		echo "<input type=\"hidden\" name=\"action\" value=\"save\">\n";
-		$q = $pdo->prepare("SELECT * FROM safetyquestions WHERE id='" . $_GET['edit'] . "' AND year='" . $config['FAIRYEAR'] . "'");
+		$q = $pdo->prepare("SELECT * FROM safetyquestions WHERE id=? AND year=?");
-		$q->execute();
+		$q->execute([$_GET['edit'],$config['FAIRYEAR'] ]);
 		echo '<input type="hidden" name="save" value="' . $_GET['edit'] . "\">\n";
 		if (!$r = $q->fetch(PDO::FETCH_OBJ)) {
 			$showform = false;
@ -141,8 +141,8 @@ echo '<br />';
 echo '<a href="safetyquestions.php?action=new">' . i18n('Add new safety question') . '</a>';
 echo '<table class="summarytable">';
-$q = $pdo->prepare("SELECT * FROM safetyquestions WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY ord");
+$q = $pdo->prepare("SELECT * FROM safetyquestions WHERE year=? ORDER BY ord");
-$q->execute();
+$q->execute([$config['FAIRYEAR']]);
 echo '<tr><th>' . i18n('Ord') . '</th><th>' . i18n('Question') . '</th><th>' . i18n('Type') . '</th><th>' . i18n('Required') . '</th><th>' . i18n('Actions') . '</th></tr>';
 while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 	echo '<tr>';
--- a/judge.inc.php
+++ b/judge.inc.php
@ -85,16 +85,16 @@ function judge_status_questions($u)
 	 */
 	global $config, $pdo;
 	// get the questions we're looking for
-	$q = $pdo->prepare('SELECT id FROM questions WHERE year=' . $config['FAIRYEAR'] . " AND required='yes'");
+	$q = $pdo->prepare('SELECT id FROM questions WHERE year=?'"AND required='yes'");
-	$q->execute([]);
+	$q->execute([$config['FAIRYEAR']]);
 	$idList = array();
 	while ($row = $q->fetch(PDO::FETCH_ASSOC))
 		$idList[] = $row['id'];
 	$rval = 'complete';
 	if (count($idList)) {
-		$q = $pdo->prepare('SELECT COUNT(*) AS tally FROM question_answers WHERE questions_id IN(' . implode(',', $idList) . ') AND users_id=' . $u['id'] . ' AND answer IS NOT NULL');
+		$q = $pdo->prepare('SELECT COUNT(*) AS tally FROM question_answers WHERE questions_id IN(?) AND users_id=? AND answer IS NOT NULL');
-		$q->execute();
+		$q->execute([implode(',', $idList),$u['id']]);
 		$row = $q->fetch(PDO::FETCH_ASSOC);
 		if (intval($row['tally']) != count($idList))
 			$rval = 'incomplete';