diff --git a/admin/fundraising_campaigns.php b/admin/fundraising_campaigns.php
index 12bcf00b..86e4a3d5 100644
--- a/admin/fundraising_campaigns.php
+++ b/admin/fundraising_campaigns.php
@@ -465,9 +465,9 @@ case 'managelist':
 print_r($_POST);
 if (is_array($_POST['prospectremovefromlist'])) {
 $uidlist = implode(',', $_POST['prospectremovefromlist']);
- $query = "DELETE FROM fundraising_campaigns_users_link WHERE fundraising_campaigns_id=? AND users_uid IN (?)";
+ $query = "DELETE FROM fundraising_campaigns_users_link WHERE fundraising_campaigns_id=? AND users_uid IN ($uidlist)";
 $stmt = $pdo->prepare($query);
- $stmt->execute([$campaignid,$uidlist]);
+ $stmt->execute([$campaignid]);
 show_pdo_errors_if_any($pdo);
 }
 // if theres nobody left in the list we need to reset the filter params as well
diff --git a/admin/fundraising_main.inc.php b/admin/fundraising_main.inc.php
index 47f93c10..f7f74535 100644
--- a/admin/fundraising_main.inc.php
+++ b/admin/fundraising_main.inc.php
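Review bot: The rewritten DELETE on the `+ $query = ...` line splices `$uidlist` into the SQL text, and `$uidlist` is `implode(',', $_POST['prospectremovefromlist'])` taken straight from the request, so the statement is no longer parameterised and any element of that array can change the query. The old `IN (?)` form was broken too, because one placeholder binds the whole comma list as a single value, but the fix is one placeholder per element with each element bound (and cast to int, since `users_uid` is an id), not interpolation. An empty array would also produce an invalid `IN ()`, so skip the query when there is nothing to remove; the leftover `print_r($_POST);` dump two lines above should go before this ships. The enclosing `case 'managelist':` block continues outside the hunk.
```php
if (is_array($_POST['prospectremovefromlist'])) {
    $uids = array_map('intval', $_POST['prospectremovefromlist']);
    if ($uids !== []) {
        // one '?' per id, all bound; nothing from the request reaches the SQL text
        $placeholders = implode(',', array_fill(0, count($uids), '?'));
        $query = "DELETE FROM fundraising_campaigns_users_link WHERE fundraising_campaigns_id=? AND users_uid IN ($placeholders)";
        $stmt = $pdo->prepare($query);
        $stmt->execute(array_merge([$campaignid], $uids));
        show_pdo_errors_if_any($pdo);
    }
}
```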
@@ -25,23 +25,24 @@ if ($_GET['action'] == 'fundraisingmain') {
 $typetotal = 0;
 $typeprobtotal = 0;
 $sq = $pdo->prepare("
- SELECT fundraising_donations.id, sponsors.organization AS name, fundraising_donations.value, fundraising_donations.status, fundraising_donations.probability
- \t FROM fundraising_donations
- \t JOIN sponsors ON fundraising_donations.sponsors_id=sponsors.id
- \t WHERE (fundraising_donations.fundraising_goal=? ?)
- \t AND fundraising_donations.fiscalyear=?
+ (SELECT fundraising_donations.id, sponsors.organization AS name,
+ fundraising_donations.value, fundraising_donations.status, fundraising_donations.probability
+ FROM fundraising_donations
+ JOIN sponsors ON fundraising_donations.sponsors_id = sponsors.id
+ WHERE (fundraising_donations.fundraising_goal = ? OR fundraising_donations.fundraising_goal = ?)
+ AND fundraising_donations.fiscalyear = ?)
- UNION
+ UNION
- SELECT fundraising_donations.id, CONCAT(users.firstname,' ',users.lastname) AS name, fundraising_donations.value, fundraising_donations.status, fundraising_donations.probability
- \t FROM fundraising_donations
- \t JOIN users ON fundraising_donations.users_uid=users.uid
- \t WHERE (fundraising_donations.fundraising_goal=? ?)
- \t AND fundraising_donations.fiscalyear=?
+ (SELECT fundraising_donations.id, CONCAT(users.firstname, ' ', users.lastname) AS name,
+ fundraising_donations.value, fundraising_donations.status, fundraising_donations.probability
+ FROM fundraising_donations
+ JOIN users ON fundraising_donations.users_uid = users.uid
+ WHERE (fundraising_donations.fundraising_goal = ? OR fundraising_donations.fundraising_goal = ?)
+ AND fundraising_donations.fiscalyear = ?)
- \t ORDER BY status DESC, probability DESC, name
- ");
- $sq->execute([$r->goal,$orsql,$config['FISCALYEAR'],$r->goal,$orsql,$config['FISCALYEAR']]);
+ ORDER BY status DESC, probability DESC, name");
+ $sq->execute([$r->goal, $orsql, $config['FISCALYEAR'], $r->goal, $orsql, $config['FISCALYEAR']]);
 show_pdo_errors_if_any($pdo);
 while ($sr = $sq->fetch(PDO::FETCH_OBJ)) {
 echo "id\" class=\"fundraising{$sr->status}\">";
diff --git a/admin/fundraising_reports_std.php b/admin/fundraising_reports_std.php
index fc13f0a8..e738050c 100644
--- a/admin/fundraising_reports_std.php
+++ b/admin/fundraising_reports_std.php
@@ -46,11 +46,11 @@ if ($id && $type) {
 }
 $sql = "SELECT * FROM fundraising_campaigns WHERE fiscalyear=? ";
 if ($_GET['fundraising_campaigns_id']) {
- $sql .= " AND id='" . intval($_GET['fundraising_campaigns_id']) . "'";
+ $sql .= " AND id=?";
 }
 $sql .= ' ORDER BY name';
 $q = $pdo->prepare($sql);
- $q->execute([$config['FISCALYEAR']]);
+ $q->execute([$config['FISCALYEAR'],intval($_GET['fundraising_campaigns_id'])]);
 show_pdo_errors_if_any($pdo);
 while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 $rep->heading($r->name);
@@ -128,11 +128,11 @@ if ($id && $type) {
 }
 $sql = "SELECT * FROM fundraising_goals WHERE fiscalyear=? ";
 if ($_GET['goal']) {
- $sql .= " AND goal='" . $_GET['goal'] . "'";
+ $sql .= " AND goal=?";
 }
 $sql .= ' ORDER BY name';
 $q = $pdo->prepare($sql);
- $q->execute([$config['FISCALYEAR']]);
+ $q->execute([$config['FISCALYEAR'],$_GET['goal']]);
 show_pdo_errors_if_any($pdo);
 while ($r = $q->fetch(PDO::FETCH_OBJ)) {
diff --git a/admin/fundraising_sponsorship_handler.inc.php b/admin/fundraising_sponsorship_handler.inc.php
index 83455364..a1a391cb 100644
--- a/admin/fundraising_sponsorship_handler.inc.php
+++ b/admin/fundraising_sponsorship_handler.inc.php
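Review bot: The `+ $sq->execute([$r->goal, $orsql, ...])` line binds `$orsql` as the value compared by the second `fundraising_goal = ?` placeholder in each half of the UNION. `$orsql` is assigned outside this hunk and its name suggests it once held a SQL fragment rather than a goal value; if it still does, the bound comparison can never match and the OR branch silently contributes no rows, which is easy to miss because the query itself succeeds. Confirm where it is assigned that it now holds a plain goal value, and rename it to say so, e.g. `$altgoal`, so a later reader does not take it for a fragment. The enclosing `if ($_GET['action'] == 'fundraisingmain')` block starts before the hunk and the `while` loop runs past its end.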
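Review bot: On the `+ $q->execute([$config['FISCALYEAR'],intval($_GET['fundraising_campaigns_id'])])` line in the `@@ -46` hunk the second value is always passed, but the `AND id=?` placeholder is only appended when `$_GET['fundraising_campaigns_id']` is truthy, so the unfiltered report hands PDO more values than the statement has placeholders and execute() is rejected; the `@@ -128` hunk has the same shape with `$_GET['goal']`. Build the parameter list alongside the SQL instead: `$params = [$config['FISCALYEAR']];` before the `if`, `$params[] = intval($_GET['fundraising_campaigns_id']);` next to the `.= " AND id=?"`, and `$q->execute($params);`, with the same three lines in the goals hunk. Moving the value from string concatenation into a bound parameter is the right direction; it just needs the count to stay in step. Both hunks sit inside `if ($id && $type)`, which starts before them.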
@@ -69,11 +69,7 @@ if ($_POST['action'] == 'sponsorshipadd') {
 $stmt = $pdo->prepare("INSERT INTO fundraising_donations (sponsors_id,fundraising_type,value,status,probability,fiscalyear) VALUES (?,?,?,?,?,?)");
 $stmt->execute([$sponsors_id,$fundraising_type,$value,$status,$probability,$config['FISCALYEAR']]);
- $stmt = $pdo->prepare("INSERT INTO fundraising_donor_logs (sponsors_id,dt,users_id,log) VALUES (
- ?,
- NOW(),
- ?,
- '" . "Created sponsorship: type=?, value=\$?, status=?, probability=?%") . "')";
+ $stmt = $pdo->prepare("INSERT INTO fundraising_donor_logs (sponsors_id,dt,users_id,log) VALUES (?,NOW(),?, Created sponsorship: type=?, value=\$?, status=?, probability=?%) ");
 happy_('Added new sponsorship');
 $stmt->execute([$sponsors_id,$_SESSION['users_id'],$fundraising_type,$value,$status,$probability]);
 } else
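Review bot: The new `$stmt = $pdo->prepare("INSERT INTO fundraising_donor_logs ...")` line is not valid SQL: the fourth VALUES entry, `Created sponsorship: type=?, value=\$?, ...`, is bare text, so the statement fails at prepare or execute time depending on the PDO emulation setting and no donor log row is written. Placeholders are not recognised inside a quoted literal either, so the message has to be assembled in PHP and bound as one value, after which execute() takes three parameters rather than six. `happy_('Added new sponsorship')` also fires before the insert runs, so the page reports success even when the log write fails; run it after execute() and the error check. The enclosing `if ($_POST['action'] == 'sponsorshipadd')` block starts before the hunk.
```php
// … unchanged: fundraising_donations insert …
$log = sprintf(
    'Created sponsorship: type=%s, value=$%s, status=%s, probability=%s%%',
    $fundraising_type, $value, $status, $probability
);
$stmt = $pdo->prepare("INSERT INTO fundraising_donor_logs (sponsors_id,dt,users_id,log) VALUES (?,NOW(),?,?)");
$stmt->execute([$sponsors_id,$_SESSION['users_id'],$log]);
show_pdo_errors_if_any($pdo);
happy_('Added new sponsorship');
```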