diff --git a/admin/registration_receivedforms.php b/admin/registration_receivedforms.php
index cc32bef8..d1cd724a 100644
--- a/admin/registration_receivedforms.php
+++ b/admin/registration_receivedforms.php
@@ -77,7 +77,7 @@ if (get_value_from_array($_POST, 'action') == 'received' && get_value_from_array
 						FROM
 							projects,projectcategories,projectdivisions
 						WHERE
-							projects.registrations_id='$reg_id'
+							projects.registrations_id=?
 							AND
 							projects.projectcategories_id=projectcategories.id
 							AND
@@ -87,7 +87,7 @@ if (get_value_from_array($_POST, 'action') == 'received' && get_value_from_array
 							AND
 							projectdivisions.year=projects.year
 						");
-				$q->execute();
+				$q->execute([$reg_id]);
 
 				show_pdo_errors_if_any($pdo);
 				$projectinfo = $q->fetch(PDO::FETCH_OBJ);
@@ -116,11 +116,11 @@ if (get_value_from_array($_POST, 'action') == 'received' && get_value_from_array
 						FROM
 							students,schools
 						WHERE
-							students.registrations_id='$reg_id'
+							students.registrations_id=?
 							AND
 							students.schools_id=schools.id
 						");
-				$q->execute();
+				$q->execute([$reg_id]);
 
 				$studnum = 1;
 				while ($studentinfo = $q->fetch(PDO::FETCH_OBJ)) {
@@ -193,14 +193,14 @@ if (get_value_from_array($_POST, 'action') == 'received' && get_value_from_array
 	$checkNumQuery = $pdo->prepare("SELECT projectnumber
 					FROM projects, registrations 
 					WHERE projects.registrations_id = registrations.id 
-						AND num='$regnum'
-						AND registrations.year='{$config['FAIRYEAR']}'");
-	$checkNumQuery->execute();
+						AND num=?
+						AND registrations.year=?");
+	$checkNumQuery->execute([$regnum,$config['FAIRYEAR']]);
 	$checkNumResults = $checkNumQuery->fetch(PDO::FETCH_OBJ);
 	$projectnum = $checkNumResults->projectnumber;
 
-	$q = $pdo->prepare("SELECT id FROM registrations WHERE num='$regnum' AND year='{$config['FAIRYEAR']}'");
-	$q->execute();
+	$q = $pdo->prepare("SELECT id FROM registrations WHERE num=? AND year=?");
+	$q->execute([$regnum, $config['FAIRYEAR']]);
 	$r = $q->fetch(PDO::FETCH_OBJ);
 	$reg_id = $r->id;
 
@@ -218,8 +218,8 @@ if (get_value_from_array($_POST, 'action') == 'received' && get_value_from_array
 
 	if ($_POST['action'] == 'receivedyes') {
 		// actually set it to 'complete'
-		$stmt = $pdo->prepare("UPDATE registrations SET status='complete' WHERE num='$regnum' AND year='{$config['FAIRYEAR']}'");
-		$stmt->execute();
+		$stmt = $pdo->prepare("UPDATE registrations SET status='complete' WHERE num=? AND year=?");
+		$stmt->execute([$regnum,$config['FAIRYEAR']]);
 		foreach ($recipients AS $recip) {
 			$to = $recip['to'];
 			$subsub = array();
@@ -238,8 +238,8 @@ if (get_value_from_array($_POST, 'action') == 'received' && get_value_from_array
 		echo happy(i18n('Registration of form %1 successfully completed', array($regnum)));
 	} else if ($_POST['action'] == 'receivedyesnocash') {
 		// actually set it to 'paymentpending'
-		$stmt = $pdo->prepare("UPDATE registrations SET status='paymentpending' WHERE num='$regnum' AND year='{$config['FAIRYEAR']}'");
-		$stmt->execute();
+		$stmt = $pdo->prepare("UPDATE registrations SET status='paymentpending' WHERE num=? AND year=?");
+		$stmt->execute([$regnum,$config['FAIRYEAR']]);
 		foreach ($recipients AS $recip) {
 			$to = $recip['to'];
 			$subsub = array();
@@ -261,13 +261,13 @@ if (get_value_from_array($_POST, 'action') == 'received' && get_value_from_array
 	echo notice(i18n('Registration of form %1 cancelled', array($_POST['registration_number'])));
 } else if (get_value_from_array($_GET, 'action') == 'unregister' && get_value_from_array($_GET, 'registration_number')) {
 	$reg_num = intval(trim($_GET['registration_number']));
-	$q = $pdo - prepare("SELECT registrations.id AS reg_id, projects.id AS proj_id FROM projects,registrations WHERE projects.registrations_id=registrations.id AND registrations.year='{$config['FAIRYEAR']}' AND registrations.num='$reg_num'");
-	$q->execute();
+	$q = $pdo->prepare("SELECT registrations.id AS reg_id, projects.id AS proj_id FROM projects,registrations WHERE projects.registrations_id=registrations.id AND registrations.year=? AND registrations.num=?");
+	$q->execute([$config['FAIRYEAR'],$reg_num]);
 	$r = $q->fetch(PDO::FETCH_OBJ);
-	$stmt = $pdo->prepare("UPDATE projects SET projectnumber=null, projectsort=null, projectnumber_seq=0, projectsort_seq=0 WHERE id='$r->proj_id' AND year='{$config['FAIRYEAR']}'");
-	$stmt->execute();
-	$stmt = $pdo->prepare("UPDATE registrations SET status='open' WHERE id='$r->reg_id' AND year='{$config['FAIRYEAR']}'");
-	$stmt->execute();
+	$stmt = $pdo->prepare("UPDATE projects SET projectnumber=null, projectsort=null, projectnumber_seq=0, projectsort_seq=0 WHERE id=? AND year=?");
+	$stmt->execute([$r->proj_id,$config['FAIRYEAR']]);
+	$stmt = $pdo->prepare("UPDATE registrations SET status='open' WHERE id=? AND year=?");
+	$stmt->execute([$r->reg_id,$config['FAIRYEAR']]);
 	echo happy(i18n('Successfully unregistered project'));
 }
 
@@ -305,9 +305,9 @@ if ($showformatbottom) {
 
 if (get_value_from_array($_POST, 'action') == 'receive_all') {
 	// Grab all projects that don't have project numbers. Status should therefor be open or new but not complete
-	$query_noprojectnumber = $pdo->prepare('SELECT * FROM projects WHERE projectnumber IS NULL AND year =' . $config['FAIRYEAR'] . '');
+	$query_noprojectnumber = $pdo->prepare('SELECT * FROM projects WHERE projectnumber IS NULL AND year =?');
 	// Define arrays to append to later
-	$query_noprojectnumber->execute();
+	$query_noprojectnumber->execute([$config['FAIRYEAR']]);
 	$completed_students = array();
 	$incomplete_students = array();
 	$newstatus_students = array();
@@ -315,8 +315,8 @@ if (get_value_from_array($_POST, 'action') == 'receive_all') {
 	// loop through each project that doesn't have a project number
 	while ($studentproject = $query_noprojectnumber->fetch(PDO::FETCH_ASSOC)) {
 		// Grab registration information about the current project
-		$q = $pdo->prepare("SELECT * FROM registrations WHERE id='" . $studentproject['registrations_id'] . "' AND year='" . $config['FAIRYEAR'] . "'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT * FROM registrations WHERE id=? AND year=?");
+		$q->execute([$studentproject['registrations_id'],$config['FAIRYEAR']]);
 		$r = $q->fetch(PDO::FETCH_OBJ);
 		$reg_id = $r->id;
 		$reg_num = $r->num;
@@ -347,18 +347,18 @@ if (get_value_from_array($_POST, 'action') == 'receive_all') {
 			) {
 				// Generate project number and update it in data base
 				list($projectnumber, $ps, $pns, $pss) = generateProjectNumber($reg_id);
-				$stmt = $pdo->prepare("UPDATE projects SET projectnumber='$projectnumber',
-							projectsort='$ps',projectnumber_seq='$pns',projectsort_seq='$pss'
-							WHERE registrations_id='$reg_id' AND year='{$config['FAIRYEAR']}'");
-				$stmt->execute();
+				$stmt = $pdo->prepare("UPDATE projects SET projectnumber=?,
+							projectsort=?,projectnumber_seq=?,projectsort_seq=?
+							WHERE registrations_id=? AND year=?");
+				$stmt->execute([$projectnumber,$ps,$pns,$pss,$reg_id,$config['FAIRYEAR']]);
 
 				// email stuff
 				// get all students with this registration number
 				// $recipients=getEmailRecipientsForRegistration($reg_id);
 
 				// Set status to 'complete'
-				$stmt = $pdo->prepare("UPDATE registrations SET status='complete' WHERE num='$reg_num' AND year='{$config['FAIRYEAR']}'");
-				$stmt->execute();
+				$stmt = $pdo->prepare("UPDATE registrations SET status='complete' WHERE num=? AND year=?");
+				$stmt->execute([$reg_num,$config['FAIRYEAR']]);
 				/*foreach($recipients AS $recip) {
 					$to=$recip['to'];
 					$subsub=array();
diff --git a/admin/registration_stats.php b/admin/registration_stats.php
index dd4383bb..6ac902e0 100644
--- a/admin/registration_stats.php
+++ b/admin/registration_stats.php
@@ -63,13 +63,13 @@ foreach ($status_str as $s => $str) {
 echo '</select>';
 echo '</form>';
 
-$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year='$year' ORDER BY id");
-$q->execute();
+$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year=? ORDER BY id");
+$q->execute([$year]);
 while ($r = $q->fetch(PDO::FETCH_OBJ))
 	$cats[$r->id] = $r->category;
 
-$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year='$year' ORDER BY id");
-$q->execute();
+$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year=? ORDER BY id");
+$q->execute([$year]);
 while ($r = $q->fetch(PDO::FETCH_OBJ))
 	$divs[$r->id] = $r->division;
 
@@ -133,12 +133,12 @@ $q = $pdo->prepare("SELECT  registrations.id AS reg_id,
 				left outer join projects on projects.registrations_id=registrations.id
 			WHERE
 				1
-				AND registrations.year='$year' 
-				$wherestatus
+				AND registrations.year=? 
+				?
 			ORDER BY
-				$ORDERBY
+				?
 			");
-$q->execute();
+$q->execute([$year,$wherestatus,$ORDERBY]);
 show_pdo_errors_if_any($pdo);
 
 $stats_totalprojects = 0;
@@ -188,10 +188,11 @@ while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 				FROM
 					students,schools
 				WHERE
-					students.registrations_id='$r->reg_id'
+					students.registrations_id=?
 					AND
 					students.schools_id=schools.id
 				");
+	$sq->execute([$r->reg_id]);
 	show_pdo_errors_if_any($pdo);
 
 	$studnum = 1;
diff --git a/admin/registration_webconsent.php b/admin/registration_webconsent.php
index d531ef49..43bcea80 100644
--- a/admin/registration_webconsent.php
+++ b/admin/registration_webconsent.php
@@ -44,12 +44,12 @@ if (get_value_from_array($_POST, 'changed')) {
 			$webphoto = get_value_from_2d_array($_POST, 'webphoto', $id) == 'yes' ? 'yes' : 'no';
 
 			$stmt = $pdo->prepare("UPDATE students SET 
-					webfirst='$webfirst',
-					weblast='$weblast',
-					webphoto='$webphoto'
+					webfirst=?,
+					weblast=?,
+					webphoto=?
 					WHERE
-					id='$id'");
-			$stmt->execute();
+					id=?");
+			$stmt->execute([$webfirst,$weblast,$webphoto,$id]);
 		}
 	}
 
@@ -87,12 +87,12 @@ $sq = $pdo->prepare("SELECT students.firstname,
 				students.registrations_id=registrations.id
 			AND\t( registrations.status = 'complete' OR registrations.status='paymentpending' )
 			AND\tprojects.registrations_id=registrations.id
-			AND \tregistrations.year='" . $config['FAIRYEAR'] . "' 
-			AND \tprojects.year='" . $config['FAIRYEAR'] . "' 
-			AND \tstudents.year='" . $config['FAIRYEAR'] . "' 
+			AND \tregistrations.year=? 
+			AND \tprojects.year=? 
+			AND \tstudents.year=? 
 			ORDER BY projectnumber
 			");
-$sq->execute();
+$sq->execute([$config['FAIRYEAR'],$config['FAIRYEAR'],$config['FAIRYEAR']]);
 show_pdo_errors_if_any($pdo);
 
 echo '<form method="post" action="registration_webconsent.php">';
diff --git a/admin/reports.inc.php b/admin/reports.inc.php
index 1eef1ef5..e1e5e4e0 100644
--- a/admin/reports.inc.php
+++ b/admin/reports.inc.php
@@ -351,9 +351,9 @@ foreach($report_stock as $n=>$v) {
 
 	/* First delete all existing fields */
 	$stmt = $pdo->prepare("DELETE FROM reports_items 
-			WHERE `reports_id`='{$report['id']}'
-			AND `type`='$type'");
-	$stmt->execute();
+			WHERE `reports_id`=?
+			AND `type`=?");
+	$stmt->execute([$report['id'],$type]);
 	/* Now add new ones */
 
 	if(count($report[$type]) == 0) return;
@@ -385,9 +385,9 @@ foreach($report_stock as $n=>$v) {
 				`field`,`value`,`x`, `y`, `w`, `h`,
 				`lines`, `face`, `align`,`valign`,
 				`fontname`,`fontstyle`,`fontsize`,`on_overflow`) 
-			VALUES $q");
+			VALUES ?");
 
-	$stmt->execute();
+	$stmt->execute([$q]);
 	show_pdo_errors_if_any($pdo);
 	
  }
@@ -404,8 +404,8 @@ foreach($report_stock as $n=>$v) {
 
 	$report = array();
 
-	$q = $pdo->prepare("SELECT * FROM reports WHERE id='$report_id'");
-	$q->execute();
+	$q = $pdo->prepare("SELECT * FROM reports WHERE id=?");
+	$q->execute([$report_id]);
 	$r = $q->fetch(PDO::FETCH_ASSOC);
 	$report['name'] = get_value_from_array($r, 'name');
 	$report['id'] = get_value_from_array($r, 'id');
@@ -430,9 +430,9 @@ foreach($report_stock as $n=>$v) {
 		$allow_fields=array();
 
  	$q = $pdo->prepare("SELECT * FROM reports_items 
-			WHERE reports_id='{$report['id']}' 
+			WHERE reports_id=? 
 			ORDER BY `ord`");
-	$q->execute();
+	$q->execute([$report['id']]);
 	show_pdo_errors_if_any($pdo);
 	
 	if($q->rowCount() == 0) return $report;
@@ -491,8 +491,8 @@ foreach($report_stock as $n=>$v) {
 	} else {
 		/* if the report['id'] is not zero, see if this is a
 		 * systeim report before doing anything. */
-		$q = $pdo->prepare("SELECT system_report_id FROM reports WHERE id='{$report['id']}'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT system_report_id FROM reports WHERE id=?");
+		$q->execute([$report['id']]);
 		$i = $q->fetch(PDO::FETCH_ASSOC);
 		if(intval($i['system_report_id']) != 0) {
 			/* This is a system report, the editor (should)
@@ -513,12 +513,12 @@ foreach($report_stock as $n=>$v) {
 */
 
  	$stmt = $pdo->prepare("UPDATE reports SET 
-			`name`='".$report['name']."',
-			`desc`='".$report['desc']."',
-			`creator`='".$report['creator']."',
-			`type`='".$report['type']."'
-			WHERE `id`={$report['id']}");
-	$stmt->execute();
+			`name`=?,
+			`desc`=?,
+			`creator`=?,
+			`type`=?
+			WHERE `id`=?");
+	$stmt->execute([$report['name'],$report['desc'],$report['creator'],$report['type'],$report['id']]);
 
 	report_save_field($report, 'col', get_value_from_array($report, 'loc'));
 	report_save_field($report, 'group', array());
@@ -533,7 +533,7 @@ foreach($report_stock as $n=>$v) {
  {	global $pdo;
  	$ret = array();
  	$q = $pdo->prepare("SELECT * FROM reports ORDER BY `name`");
-
+	$q->execute();
 	while($r = $q->fetch(PDO::FETCH_ASSOC)) {
 		$report = array();
 	        $report['name'] = $r['name'];
@@ -551,8 +551,8 @@ foreach($report_stock as $n=>$v) {
  	$r = intval($report_id);
 	/* if the report['id'] is not zero, see if this is a
 	 * systeim report before doing anything. */
-	$q = $pdo->prepare("SELECT system_report_id FROM reports WHERE id='$r'");
-	$q->execute();
+	$q = $pdo->prepare("SELECT system_report_id FROM reports WHERE id=?");
+	$q->execute([$r]);
 	$i = $q->fetch(PDO::FETCH_ASSOC);
 	if(intval($i['system_report_id']) != 0) {
 		/* This is a system report, the editor (should)
@@ -563,10 +563,10 @@ foreach($report_stock as $n=>$v) {
 		echo "ERROR: attempt to delete a system report (reports.id=$r)";
 		exit;
 	}
- 	$stmt = $pdo->prepare("DELETE FROM reports WHERE `id`=$r");
-	$stmt->execute();
-	$stmt = $pdo->prepare("DELETE FROM reports_items WHERE `reports_id`=$r");
- $stmt->execute();}
+ 	$stmt = $pdo->prepare("DELETE FROM reports WHERE `id`=?");
+	$stmt->execute([$r]);
+	$stmt = $pdo->prepare("DELETE FROM reports_items WHERE `reports_id`=?");
+ $stmt->execute([$r]);
 
 
  function report_gen($report) 
diff --git a/admin/reports.php b/admin/reports.php
index 1dd4b7a2..6ae5a17a 100644
--- a/admin/reports.php
+++ b/admin/reports.php
@@ -39,8 +39,8 @@ switch (get_value_from_array($_GET, 'action')) {
 	case 'remove_report':
 		$id = intval($_GET['id']);
 		$stmt = $pdo->prepare("DELETE FROM reports_committee WHERE
-			users_id='{$_SESSION['users_uid']}' AND id='$id'");
-		$stmt->execute();
+			users_id=? AND id=?");
+		$stmt->execute([$_SESSION['users_uid'],$id]);
 		happy_('Report successfully removed');
 		exit;
 	case 'reload':
@@ -64,16 +64,17 @@ switch (get_value_from_array($_GET, 'action')) {
 			$ret['name'] = $report['name'];
 			$ret['category'] = '';
 		} else {
-			$q = $pdo->prepare("SELECT * FROM reports_committee WHERE id='$id'");
+			$q = $pdo->prepare("SELECT * FROM reports_committee WHERE id=?");
+			$q->execute([$id]);
 			$ret = $q->fetch(PDO::FETCH_ASSOC);
 			$ret['type'] = $ret['format'];
 		}
 
 		/* Load available categories */
 		$q = $pdo->prepare("SELECT DISTINCT category FROM reports_committee
- \t\t\tWHERE users_id='{$_SESSION['users_uid']}'
+ \t\t\tWHERE users_id=?
 			ORDER BY category");
-		$q->execute();
+		$q->execute([$_SESSION['users_uid']]);
 		while ($i = $q->fetch(PDO::FETCH_OBJ))
 			$ret['cat'][] = $i->category;
 		echo json_encode($ret);
@@ -87,8 +88,8 @@ switch (get_value_from_array($_GET, 'action')) {
 		if ($id == -1) {
 			/* New entry */
 			$stmt = $pdo->prepare("INSERT INTO `reports_committee` (`users_id`,`reports_id`) 
-			VALUES('{$_SESSION['users_uid']}','$reports_id');");
-			$stmt->execute();
+			VALUES(?,?);");
+			$stmt->execute([$_SESSION['users_uid'],$reports_id]);
 			show_pdo_errors_if_any($pdo);
 			$id = $pdo->lastInsertId();
 		}
@@ -124,12 +125,12 @@ switch (get_value_from_array($_GET, 'action')) {
 		}
 
 		$stmt = $pdo->prepare("UPDATE `reports_committee` SET
-			`category`='$category',
-			`comment`='$comment',
-			`format`='$type',
-			`stock`='$stock'
-			WHERE id='$id'");
-		$stmt->execute();
+			`category`=?,
+			`comment`=?,
+			`format`=?,
+			`stock`=?
+			WHERE id=?");
+		$stmt->execute([$category,$comment,$type,$stock,$id]);
 		happy_('Saved');
 		exit;
 }
@@ -248,9 +249,9 @@ global $edit_mode;
 $q = $pdo->prepare("SELECT reports_committee.*,reports.name
  \t\t\tFROM reports_committee 
 				LEFT JOIN reports ON reports.id=reports_committee.reports_id
- \t\t\tWHERE users_id='{$_SESSION['users_uid']}'
+ \t\t\tWHERE users_id=?
 			ORDER BY category,id");
-$q->execute();
+$q->execute([$_SESSION['users_uid']]);
 show_pdo_errors_if_any($pdo);
 if ($q->rowCount() == 0) {
 	echo i18n('You have no reports saved');
diff --git a/admin/reports_acscript.php b/admin/reports_acscript.php
index 1b01da27..f12e46e4 100644
--- a/admin/reports_acscript.php
+++ b/admin/reports_acscript.php
@@ -80,14 +80,14 @@ $q = $pdo->prepare("SELECT
 				award_types,
 				sponsors
 			WHERE 
-					award_awards.year='$foryear'
-				AND\taward_types.year='$foryear'
+					award_awards.year=?
+				AND\taward_types.year=?
 				AND\taward_awards.award_types_id=award_types.id
 				AND\taward_awards.sponsors_id=sponsors.id
 				AND\taward_awards.excludefromac='0'
-				$awardtype
+				?
 			ORDER BY awards_order");
-$q->execute();
+$q->execute([$foryear,$foryear,$awardtype]);
 
 show_pdo_errors_if_any($pdo);
 //	echo "<pre>";
@@ -114,14 +114,14 @@ while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 						LEFT JOIN winners ON winners.awards_prizes_id=award_prizes.id
 						LEFT JOIN projects ON projects.id=winners.projects_id
 					WHERE 
-						award_awards_id='{$r->id}' 
-						AND award_prizes.year='$foryear'
+						award_awards_id=? 
+						AND award_prizes.year=?
 						AND award_prizes.excludefromac='0'
-						AND ($and_categories)
+						AND (?)
 					ORDER BY 
 						`order`,
 						projects.projectnumber");
-	$pq->execute();
+	$pq->execute([$r->id,$foryear,$and_categories]);
 	show_pdo_errors_if_any($pdo);
 
 	$r->winners = array();
@@ -246,10 +246,10 @@ foreach ($awards as $r) {
 									students,
 									schools
 								WHERE
-									students.registrations_id='$pr->reg_id'
+									students.registrations_id=?
 									AND students.schools_id=schools.id
 								");
-				$sq->execute();
+				$sq->execute([$pr->reg_id]);
 
 				$students = '       Students: ';
 				$studnum = 0;
diff --git a/admin/reports_appeal_letters.php b/admin/reports_appeal_letters.php
index ff936674..0984bfdd 100644
--- a/admin/reports_appeal_letters.php
+++ b/admin/reports_appeal_letters.php
@@ -70,15 +70,16 @@ $pdf->setImageScale(PDF_IMAGE_SCALE_RATIO);
 
 /* Load the users */
 $users = array();
-$q = $pdo->prepare("SELECT * FROM fundraising_campaigns_users_link WHERE fundraising_campaigns_id='$fcid'");
+$q = $pdo->prepare("SELECT * FROM fundraising_campaigns_users_link WHERE fundraising_campaigns_id=?");
+$q->execute([$fcid]);
 while ($l = $q->fetch(PDO::FETCH_ASSOC)) {
 	$uid = $l['users_uid'];
 	$users[$uid] = user_load_by_uid($uid);
 }
 
 /* Grab all the emails */
-$q = $pdo->prepare("SELECT * FROM emails WHERE fundraising_campaigns_id='$fcid' AND val='$key'");
-$q->execute();
+$q = $pdo->prepare("SELECT * FROM emails WHERE fundraising_campaigns_id=? AND val=?");
+$q->execute([$fcid,$key]);
 
 while ($e = $q->fetch(PDO::FETCH_ASSOC)) {
 	foreach ($users as $uid => &$u) {
diff --git a/admin/reports_ceremony.php b/admin/reports_ceremony.php
index 4f0d2bfe..06ecd0c9 100644
--- a/admin/reports_ceremony.php
+++ b/admin/reports_ceremony.php
@@ -61,8 +61,8 @@ echo "</td></tr>\n";
 echo '<tr>';
 // list award subsets to output
 echo '<td><b>' . i18n('Award Type') . ':</b></td> <td> <select name="awardtype" size=1>';
-$results = $pdo->prepare('SELECT type FROM award_types WHERE year=' . $config['FAIRYEAR'] . ' ORDER BY type');
-$results->execute();
+$results = $pdo->prepare('SELECT type FROM award_types WHERE year=? ORDER BY type');
+$results->execute([$config['FAIRYEAR']]);
 echo '<option value="All">' . i18n('All') . '</option>';
 while ($r = $results->fetch(PDO::FETCH_OBJ)) {
 	echo "<option value=\"$r->type\">" . i18n("$r->type") . '</option>';
@@ -94,8 +94,8 @@ echo '<td><input name="group_by_prize" type="checkbox" /></td></tr>';
 
 echo '<tr><td><b>' . i18n('Include the following age categories') . ':</b></td>';
 echo '<td>';
-$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year='{$config['FAIRYEAR']}' ORDER BY id");
-$q->execute();
+$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year=? ORDER BY id");
+$q->execute([$config['FAIRYEAR']]);
 while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 	echo "<input name=\"show_category[{$r->id}]\" type=\"checkbox\" checked=\"checked\" />";
 	echo '' . i18n($r->category) . '<br />';
diff --git a/admin/reports_gen.php b/admin/reports_gen.php
index eaf16dee..51fbf010 100644
--- a/admin/reports_gen.php
+++ b/admin/reports_gen.php
@@ -40,8 +40,8 @@ if ($year < 1000)
 /* If it's a system report, turn that into the actual report id */
 if (array_key_exists('sid', $_GET)) {
 	$sid = intval($_GET['sid']);
-	$q = $pdo->prepare("SELECT id FROM reports WHERE system_report_id='$sid'");
-	$q->execute();
+	$q = $pdo->prepare("SELECT id FROM reports WHERE system_report_id=?");
+	$q->execute([$sid]);
 	$r = $q->fetch(PDO::FETCH_OBJ);
 	$id = $r['id'];
 }
@@ -91,9 +91,9 @@ switch ($_GET['action']) {
 	<?
 	/* See if the report is in this committee member's list */
 	$q = $pd->prepare("SELECT * FROM reports_committee 
- \t\t\t\tWHERE users_id='{$_SESSION['users_uid']}'
-				AND reports_id='{$report['id']}'");
-	$q->execute();
+ \t\t\t\tWHERE users_id=?
+				AND reports_id=?");
+	$q->execute([$_SESSION['users_uid'],$report['id']]);
 	if ($q->rowCount() > 0) {
 		$i = $q->fetch(PDO::FETCH_ASSOC);
 		?>
@@ -223,9 +223,9 @@ echo "<td>{$report['creator']}</td></tr>";
 echo '<tr><td colspan="2"><hr /></td></tr>';
 /* See if the report is in this committee member's list */
 $q = $pdo->prepare("SELECT * FROM reports_committee 
- \t\t\tWHERE users_id='{$_SESSION['users_uid']}'
-			AND reports_id='{$report['id']}'");
-$q->execute();
+ \t\t\tWHERE users_id=?
+			AND reports_id=?");
+$q->execute([$_SESSION['users_uid'],$report['id']]);
 echo '<tr><td colspan="2"><h3>' . i18n('My Reports Info') . '</h3></td></tr>';
 if ($q->rowCount() > 0) {
 	/* Yes, it is */
diff --git a/admin/reports_judges.inc.php b/admin/reports_judges.inc.php
index 745bfa65..77826b62 100644
--- a/admin/reports_judges.inc.php
+++ b/admin/reports_judges.inc.php
@@ -48,8 +48,8 @@ function report_judges_load_divs($year)
 	/* Load divisions for this year, only once */
 	if (!array_key_exists($year, $report_judges_divs)) {
 		$report_judges_divs[$year] = array();
-		$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year='$year'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year=?");
+		$q->execute([$year]);
 		while (($d = $q->fetch(PDO::FETCH_ASSOC))) {
 			$report_judges_divs[$year][$d['id']] = $d;
 		}
@@ -61,8 +61,8 @@ function report_judges_load_cats($year)
 	global $report_judges_cats;
 	global $pdo;
 	if (!array_key_exists($year, $report_judges_cats)) {
-		$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year='$year'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year=?");
+		$q->execute([$year]);
 		while (($c = $q->fetch(PDO::FETCH_ASSOC))) {
 			$report_judges_cats[$year][$c['id']] = $c;
 		}
@@ -142,14 +142,14 @@ function report_judges_custom_question($report, $field, $text)
 	$users_id = $text;
 
 	/* Find the actual question ID */
-	$q = $pdo->prepare("SELECT * FROM questions WHERE year='$year' AND ord='$q_ord'");
-	$q->execute();
+	$q = $pdo->prepare("SELECT * FROM questions WHERE year=? AND ord=?");
+	$q->execute([$year,$q_ord]);
 	if ($q->rowCount() != 1)
 		return 'Question not specified';
 	$question = $q->fetch(PDO::FETCH_ASSOC);
 
-	$q = $pdo->prepare("SELECT * FROM question_answers WHERE users_id='$users_id' AND questions_id='{$question['id']}'");
-	$q->execute();
+	$q = $pdo->prepare("SELECT * FROM question_answers WHERE users_id=? AND questions_id=?");
+	$q->execute([$users_id,$question['id']]);
 	if ($q->rowCount() != 1)
 		return '';
 	$answer = $q->fetch(PDO::FETCH_ASSOC);
@@ -194,9 +194,9 @@ function report_judges_team_members($report, $field, $text)
 	$judges_teams_id = $text;
 	$q = $pdo->prepare("SELECT * FROM judges_teams_link 
 						LEFT JOIN users ON judges_teams_link.users_id=users.id
-						WHERE judges_teams_link.year='$year'
-						AND judges_teams_link.judges_teams_id='$judges_teams_id'");
-	$q->execute();
+						WHERE judges_teams_link.year=?
+						AND judges_teams_link.judges_teams_id=?");
+	$q->execute([$year,$judges_teams_id]);
 	$ret = '';
 	while (($m = $q->fetch(PDO::FETCH_ASSOC))) {
 		$add = false;
@@ -239,8 +239,8 @@ function report_judges_load_rounds($year)
 	if (count($report_judges_rounds))
 		return;
 
-	$q = $pdo->prepare("SELECT * FROM judges_timeslots WHERE round_id='0' AND `year`='$year'");
-	$q->execute();
+	$q = $pdo->prepare("SELECT * FROM judges_timeslots WHERE round_id='0' AND `year`=?");
+	$q->execute([$year]);
 	/* Loads judges_timeslots.id, .starttime, .endtime, .date, .name */
 	while ($r = $q->fetch(PDO::FETCH_ASSOC)) {
 		$report_judges_rounds[] = $r;
@@ -258,8 +258,8 @@ function report_judges_specialaward($report, $field, $text)
 	global $config, $report_judges_rounds, $pdo;
 	$year = $report['year'];
 	$award_id = $text;
-	$q = $pdo->prepare("SELECT * FROM award_awards WHERE id='" . intval($award_id) . "'");
-	$q->execute();
+	$q = $pdo->prepare("SELECT * FROM award_awards WHERE id=?");
+	$q->execute([intval($award_id)]);
 	$r = $q->fetch(PDO::FETCH_OBJ);
 	return $r->name;
 }
@@ -284,8 +284,8 @@ function report_judges_time_availability($report, $field, $text)
 			exit;
 	}
 
-	$q = $pdo->prepare("SELECT * FROM judges_availability WHERE users_id='$users_id'");
-	$q->execute();
+	$q = $pdo->prepare("SELECT * FROM judges_availability WHERE users_id=?");
+	$q->execute([$users_id]);
 	//	echo mysql_error();
 	while (($r = $q->fetch(PDO::FETCH_ASSOC))) {
 		if ($r['start'] <= $round['starttime'] &&
diff --git a/admin/reports_judges.php b/admin/reports_judges.php
index 1a34c26e..ab72bbc5 100644
--- a/admin/reports_judges.php
+++ b/admin/reports_judges.php
@@ -77,8 +77,8 @@ foreach ($keys as $qid) {
 }
 
 // grab the list of divisions, because the last fields of the table will be the sub-divisions
-$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY id");
-$q->execute();
+$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year=? ORDER BY id");
+$q->execute([$config['FAIRYEAR']]);
 $numcats = $q->rowCount();
 $catheadings = array();
 while ($r = $q->fetch(PDO::FETCH_OBJ)) {
@@ -86,8 +86,8 @@ while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 	$catheadings[] = "$r->category (out of 5)";
 }
 // grab the list of divisions, because the last fields of the table will be the sub-divisions
-$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY id");
-$q->execute();
+$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year=? ORDER BY id");
+$q->execute([$config['FAIRYEAR']]);
 $divheadings = array();
 while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 	$divs[] = $r->id;
@@ -102,8 +102,8 @@ $times = array();
 $datetimeheadings = array();
 
 /* Load the judging rounds */
-$q = $pdo->prepare("SELECT date,starttime,endtime,name FROM judges_timeslots WHERE round_id='0' AND year='{$config['FAIRYEAR']}' ORDER BY starttime,type");
-$q->execute();
+$q = $pdo->prepare("SELECT date,starttime,endtime,name FROM judges_timeslots WHERE round_id='0' AND year=? ORDER BY starttime,type");
+$q->execute([$config['FAIRYEAR']]);
 $x = 0;
 while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 	$found = false;
@@ -138,13 +138,13 @@ $q = $pdo->prepare("SELECT
 				JOIN users_judge ON users.id=users_judge.users_id
 			WHERE 
 				users.deleted='no' AND 
-				users.year='" . $config['FAIRYEAR'] . "'
+				users.year=?
 				AND users.types LIKE '%judge%'
 
 			ORDER BY 
 				lastname,
 				firstname");
-$q->execute();
+$q->execute([$config['FAIRYEAR']]);
 show_pdo_errors_if_any($pdo);
 while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 	$u = user_load($r->id);
@@ -182,8 +182,8 @@ while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 		$qarray[] = $qans[$qid];
 	}
 
-	$tq = $pdo->prepare('SELECT * FROM judges_availability WHERE users_id="' . $r->id . '" ORDER BY `start`');
-	$tq->execute();
+	$tq = $pdo->prepare('SELECT * FROM judges_availability WHERE users_id=? ORDER BY `start`');
+	$tq->execute([$r->id]);
 
 	$sel = array();
 	$timedata = array();
diff --git a/admin/reports_judges_allyears.php b/admin/reports_judges_allyears.php
index 1a7e70e3..fc387a56 100644
--- a/admin/reports_judges_allyears.php
+++ b/admin/reports_judges_allyears.php
@@ -78,8 +78,8 @@ foreach ($keys as $qid) {
 }
 
 // grab the list of divisions, because the last fields of the table will be the sub-divisions
-$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY id");
-$q->execute();
+$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year=? ORDER BY id");
+$q->execute([$config['FAIRYEAR']]);
 $numcats = $q->rowCount();
 $catheadings = array();
 while ($r = $q->fetch(PDO::FETCH_OBJ)) {
@@ -87,8 +87,8 @@ while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 	$catheadings[] = "$r->category (out of 5)";
 }
 // grab the list of divisions, because the last fields of the table will be the sub-divisions
-$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY id");
-$q->execute();
+$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year=? ORDER BY id");
+$q->execute([$config['FAIRYEAR']]);
 $divheadings = array();
 while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 	$divs[] = $r->id;
diff --git a/admin/reports_judges_teams_projects.php b/admin/reports_judges_teams_projects.php
index 03cfddfb..9f2193e7 100644
--- a/admin/reports_judges_teams_projects.php
+++ b/admin/reports_judges_teams_projects.php
@@ -45,8 +45,8 @@ if ($type == 'pdf') {
 
 $teams = getJudgingTeams();
 
-$q = $pdo->prepare("SELECT DISTINCT(date) AS d FROM judges_timeslots WHERE year='" . $config['FAIRYEAR'] . "'");
-$q->execute();
+$q = $pdo->prepare("SELECT DISTINCT(date) AS d FROM judges_timeslots WHERE year=?");
+$q->execute([$config['FAIRYEAR']]);
 if ($q->rowCount() > 1)
 	$show_date = true;
 else
@@ -83,8 +83,8 @@ foreach ($teams AS $team) {
 			$rep->addText(i18n('Criteria') . ': ' . $award['criteria']);
 
 			// get category eligibility
-			$q = $pdo->prepare("SELECT projectcategories.category FROM projectcategories, award_awards_projectcategories WHERE award_awards_projectcategories.projectcategories_id=projectcategories.id AND award_awards_projectcategories.award_awards_id='{$award['id']}' AND award_awards_projectcategories.year='{$config['FAIRYEAR']}' AND projectcategories.year='{$config['FAIRYEAR']}' ORDER BY category");
-			$q->execute();
+			$q = $pdo->prepare("SELECT projectcategories.category FROM projectcategories, award_awards_projectcategories WHERE award_awards_projectcategories.projectcategories_id=projectcategories.id AND award_awards_projectcategories.award_awards_id=? AND award_awards_projectcategories.year=? AND projectcategories.year=? ORDER BY category");
+			$q->execute([$award['id'],$config['FAIRYEAR'],$config['FAIRYEAR']]);
 			show_pdo_errors_if_any($pdo);
 			$cats = '';
 			while ($r = $q->fetch(PDO::FETCH_OBJ)) {
@@ -96,8 +96,8 @@ foreach ($teams AS $team) {
 			$rep->addText(i18n('Categories') . ": $cats");
 
 			// get division eligibility
-			$q = $pdo->prepare("SELECT projectdivisions.division_shortform FROM projectdivisions, award_awards_projectdivisions WHERE award_awards_projectdivisions.projectdivisions_id=projectdivisions.id AND award_awards_projectdivisions.award_awards_id='{$award['id']}' AND award_awards_projectdivisions.year='{$config['FAIRYEAR']}' AND projectdivisions.year='{$config['FAIRYEAR']}' ORDER BY division_shortform");
-			$q->execute();
+			$q = $pdo->prepare("SELECT projectdivisions.division_shortform FROM projectdivisions, award_awards_projectdivisions WHERE award_awards_projectdivisions.projectdivisions_id=projectdivisions.id AND award_awards_projectdivisions.award_awards_id=? AND award_awards_projectdivisions.year=? AND projectdivisions.year=? ORDER BY division_shortform");
+			$q->execute([$award['id'],$config['FAIRYEAR'],$config['FAIRYEAR']]);
 			show_pdo_errors_if_any($pdo);
 			$divs = '';
 			while ($r = $q->fetch(PDO::FETCH_OBJ)) {
@@ -123,13 +123,13 @@ foreach ($teams AS $team) {
 					judges_teams,
 					judges_teams_timeslots_link
 				WHERE
-					judges_teams.id='" . $team['id'] . "' AND
+					judges_teams.id=? AND
 					judges_teams.id=judges_teams_timeslots_link.judges_teams_id AND
 					judges_timeslots.id=judges_teams_timeslots_link.judges_timeslots_id
 				ORDER BY
 					date,starttime
 				");
-	$q->execute();
+	$q->execute([$team['id']]);
 	$numslots = $q->rowCount();
 
 	while ($r = $q->fetch(PDO::FETCH_OBJ)) {
@@ -147,14 +147,14 @@ foreach ($teams AS $team) {
 					projects,
 					judges_teams_timeslots_projects_link
 				WHERE
-					judges_teams_timeslots_projects_link.judges_timeslots_id='$r->id' AND
-					judges_teams_timeslots_projects_link.judges_teams_id='" . $team['id'] . "' AND
+					judges_teams_timeslots_projects_link.judges_timeslots_id=? AND
+					judges_teams_timeslots_projects_link.judges_teams_id=? AND
 					judges_teams_timeslots_projects_link.projects_id=projects.id AND
-					judges_teams_timeslots_projects_link.year='" . $config['FAIRYEAR'] . "'
+					judges_teams_timeslots_projects_link.year=?
 				ORDER BY
 					projectnumber
 				");
-		$projq->execute();
+		$projq->execute([$r->id,$team['id'],$config['FAIRYEAR']]);
 
 		while ($proj = $projq->fetch(PDO::FETCH_OBJ)) {
 			$table['data'][] = array($timeslot, $proj->projectnumber, $proj->title);
diff --git a/admin/reports_mailinglabels_generator.php b/admin/reports_mailinglabels_generator.php
index cff44431..6d776137 100644
--- a/admin/reports_mailinglabels_generator.php
+++ b/admin/reports_mailinglabels_generator.php
@@ -83,11 +83,11 @@ if ($report) {
 						FROM
 							schools
 						WHERE
-							year='{$config['FAIRYEAR']}'
+							year=?
 						ORDER BY
 							school
 						");
-			$q->execute();
+			$q->execute([$config['FAIRYEAR']]);
 			break;
 
 		case 'sponsors':
@@ -129,11 +129,11 @@ if ($report) {
 							judges_years
 						WHERE
 							judges_years.judges_id=judges.id
-							AND judges_years.year='{$config['FAIRYEAR']}'
+							AND judges_years.year=?
 						ORDER BY
 							lastname,firstname
 						");
-			$q->execute();
+			$q->execute([$config['FAIRYEAR']]);
 			break;
 	}
 
diff --git a/admin/reports_program_awards.php b/admin/reports_program_awards.php
index 17e913fa..0f0f9ae9 100644
--- a/admin/reports_program_awards.php
+++ b/admin/reports_program_awards.php
@@ -30,13 +30,13 @@ $q = $pdo->prepare("SELECT
 				award_awards,
 				award_types
 			WHERE 
-					award_awards.year='" . $config['FAIRYEAR'] . "'
-				AND\taward_types.year='" . $config['FAIRYEAR'] . "'
+					award_awards.year=?
+				AND\taward_types.year=?
 				AND\taward_awards.award_types_id=award_types.id
 				AND\taward_awards.excludefromac='0'
 				AND\t(award_types.type='special' OR award_types.type='grand')
 			ORDER BY awards_order");
-$q->execute();
+$q->execute([$config['FAIRYEAR'],$config['FAIRYEAR']]);
 
 show_pdo_errors_if_any($pdo);
 
@@ -45,8 +45,8 @@ if ($q->rowCount()) {
 		$rep->heading(i18n($r->name));
 
 		// get teh age categories
-		$acq = $pdo->prepare("SELECT projectcategories.category FROM projectcategories, award_awards_projectcategories  WHERE projectcategories.year='" . $config['FAIRYEAR'] . "' AND award_awards_projectcategories.year='" . $config['FAIRYEAR'] . "' AND award_awards_projectcategories.award_awards_id='$r->id' AND award_awards_projectcategories.projectcategories_id=projectcategories.id ORDER BY projectcategories.id");
-		$acq->execute();
+		$acq = $pdo->prepare("SELECT projectcategories.category FROM projectcategories, award_awards_projectcategories  WHERE projectcategories.year=? AND award_awards_projectcategories.year=? AND award_awards_projectcategories.award_awards_id=? AND award_awards_projectcategories.projectcategories_id=projectcategories.id ORDER BY projectcategories.id");
+		$acq->execute([$config['FAIRYEAR'],$config['FAIRYEAR'],$r->id]);
 		show_pdo_errors_if_any($pdo);
 		$cats = '';
 		while ($acr = $acq->fetch(PDO::FETCH_OBJ)) {
@@ -64,12 +64,12 @@ if ($q->rowCount()) {
 					FROM 
 						award_prizes 
 					WHERE 
-						award_awards_id='$r->id' 
-						AND award_prizes.year='" . $config['FAIRYEAR'] . "'
+						award_awards_id=? 
+						AND award_prizes.year=?
 						AND award_prizes.excludefromac='0'
 					ORDER BY 
 						`order`");
-		$pq->execute();
+		$pq->execute([$r->id,$config['FAIRYEAR']]);
 		show_pdo_errors_if_any($pdo);
 		$prevprizeid = -1;
 		while ($pr = $pq->fetch(PDO::FETCH_OBJ)) {
diff --git a/admin/reports_projects_details.php b/admin/reports_projects_details.php
index 5578f5cd..added665 100644
--- a/admin/reports_projects_details.php
+++ b/admin/reports_projects_details.php
@@ -65,14 +65,15 @@ $projq = $pdo->prepare("SELECT
 				LEFT JOIN projectcategories ON projectcategories.id=projects.projectcategories_id
 
 			WHERE
-				projects.year='" . $config['FAIRYEAR'] . "' 
-				AND projectdivisions.year='" . $config['FAIRYEAR'] . "'
-				AND projectcategories.year='" . $config['FAIRYEAR'] . "'
+				projects.year=? 
+				AND projectdivisions.year=?
+				AND projectcategories.year=?
 				AND ( registrations.status='complete'
 			\t OR registrations.status='paymentpending' )
 			ORDER BY
 				projects.projectnumber
 			");
+$projq->execute([$config['FAIRYEAR'],$config['FAIRYEAR'],$config['FAIRYEAR']]);
 show_pdo_errors_if_any($pdo);
 
 $totalprojects = $projq->rowCount();
@@ -85,9 +86,9 @@ while ($proj = $projq->fetch(PDO::FETCH_OBJ)) {
 				FROM
 					students
 				WHERE
-					students.registrations_id='$proj->reg_id'
+					students.registrations_id=?
 				");
-	$sq->execute();
+	$sq->execute([$proj->reg_id]);
 	$students = '';
 	$studnum = 0;
 	while ($studentinfo = $sq->fetch(PDO::FETCH_OBJ)) {
@@ -115,8 +116,8 @@ while ($proj = $projq->fetch(PDO::FETCH_OBJ)) {
 	$rep->addTable($table);
 	unset($table);
 
-	$q = $pdo->prepare("SELECT * FROM mentors WHERE registrations_id='" . $proj->reg_id . "'");
-	$q->execute();
+	$q = $pdo->prepare("SELECT * FROM mentors WHERE registrations_id=?");
+	$q->execute([$proj->reg_id]);
 	$rep->nextline();
 	$rep->heading(i18n('Mentor Information'));
 	$rep->nextline();
diff --git a/admin/reports_projects_judges_teams.php b/admin/reports_projects_judges_teams.php
index 8855065a..e1714fe4 100644
--- a/admin/reports_projects_judges_teams.php
+++ b/admin/reports_projects_judges_teams.php
@@ -49,8 +49,8 @@ if ($type == 'pdf') {
 
 $teams = getJudgingTeams();
 
-$q = $pdo->prepare("SELECT DISTINCT(date) AS d FROM judges_timeslots WHERE year='" . $config['FAIRYEAR'] . "'");
-$q->execute();
+$q = $pdo->prepare("SELECT DISTINCT(date) AS d FROM judges_timeslots WHERE year=?");
+$q->execute([$config['FAIRYEAR']]);
 if ($q->rowCount() > 1)
 	$show_date = true;
 else
@@ -73,15 +73,15 @@ $projq = $pdo->prepare("SELECT
 				LEFT JOIN projectcategories ON projectcategories.id=projects.projectcategories_id
 
 			WHERE
-				projects.year='" . $config['FAIRYEAR'] . "' 
-				AND projectdivisions.year='" . $config['FAIRYEAR'] . "'
-				AND projectcategories.year='" . $config['FAIRYEAR'] . "'
+				projects.year=? 
+				AND projectdivisions.year=?
+				AND projectcategories.year=?
 				AND ( registrations.status='complete'
 			\t OR registrations.status='paymentpending' )
 			ORDER BY
 				projects.projectnumber
 			");
-$projq->execute();
+$projq->execute([$config['FAIRYEAR'],$config['FAIRYEAR'],$config['FAIRYEAR']]);
 show_pdo_errors_if_any($pdo);
 
 while ($proj = $projq->fetch(PDO::FETCH_OBJ)) {
@@ -92,9 +92,9 @@ while ($proj = $projq->fetch(PDO::FETCH_OBJ)) {
 				FROM
 					students
 				WHERE
-					students.registrations_id='$proj->reg_id'
+					students.registrations_id=?
 				");
-	$sq->execute();
+	$sq->execute([$proj->reg_id]);
 
 	$students = '';
 	$studnum = 0;
@@ -127,12 +127,12 @@ while ($proj = $projq->fetch(PDO::FETCH_OBJ)) {
 					LEFT JOIN judges_timeslots ON judges_teams_timeslots_projects_link.judges_timeslots_id=judges_timeslots.id
 					LEFT JOIN judges_teams ON judges_teams_timeslots_projects_link.judges_teams_id=judges_teams.id
 				WHERE
-					judges_teams_timeslots_projects_link.projects_id='$proj->id'
-					AND judges_teams_timeslots_projects_link.year='" . $config['FAIRYEAR'] . "'
+					judges_teams_timeslots_projects_link.projects_id=?
+					AND judges_teams_timeslots_projects_link.year=?
 				ORDER BY
 					date,starttime
 				");
-	$q->execute();
+	$q->execute([$proj->id,$config['FAIRYEAR']]);
 	$numslots = $q->rowCount();
 
 	while ($r = $q->fetch(PDO::FETCH_OBJ)) {
diff --git a/admin/reports_students.inc.php b/admin/reports_students.inc.php
index 55398d64..9daab67d 100644
--- a/admin/reports_students.inc.php
+++ b/admin/reports_students.inc.php
@@ -81,9 +81,9 @@ function report_student_safety_question($report, $field, $text)
 			safety.answer
 		FROM safetyquestions
 		JOIN safety ON safetyquestions.id=safety.safetyquestions_id
-		WHERE safety.registrations_id='" . $regid . "' 
-		ORDER BY safetyquestions.ord LIMIT $q_ord,1");
-	$q->execute();
+		WHERE safety.registrations_id=? 
+		ORDER BY safetyquestions.ord LIMIT ?,1");
+	$q->execute([$regid,$q_ord]);
 
 	$r = $q->fetch(PDO::FETCH_OBJ);
 	return $r->answer;
@@ -94,9 +94,9 @@ function reports_students_numstudents($report, $field, $text)
 	global $pdo;
 	$year = $report['year'];
 	$q = $pdo->prepare("SELECT students.id FROM students 
-				WHERE students.registrations_id='$text'
-					AND students.year='$year'");
-	$q->execute();
+				WHERE students.registrations_id=?
+					AND students.year=?");
+	$q->execute([$text,$year]);
 	return $q->rowCount();
 }
 
@@ -108,11 +108,11 @@ function reports_students_award_selfnom_num($report, $field, $text, $n)
 				projects 
 				LEFT JOIN project_specialawards_link ON project_specialawards_link.projects_id=projects.id
 				LEFT JOIN award_awards ON award_awards.id=project_specialawards_link.award_awards_id
-				WHERE projects.id='$text'
-					AND projects.year='$year'
-					AND project_specialawards_link.year='$year'
-				LIMIT $n,1");
-	$q->execute();
+				WHERE projects.id=?
+					AND projects.year=?
+					AND project_specialawards_link.year=?
+				LIMIT ?,1");
+	$q->execute([$text,$year,$year,$n]);
 	show_pdo_errors_if_any($pdo);
 	$i = $q->fetch(PDO::FETCH_OBJ);
 	return $i['name'];
@@ -157,8 +157,8 @@ function report_student_regfee_item($report, $field, $text)
 {
 	$year = $report['year'];
 	$id = intval(substr($field, 12));
-	$q = $pdo->prepare("SELECT regfee_items_id FROM regfee_items_link WHERE students_id='$text' AND regfee_items_id='$id'");
-	$q->execute();
+	$q = $pdo->prepare("SELECT regfee_items_id FROM regfee_items_link WHERE students_id=? AND regfee_items_id=?");
+	$q->execute([$text,$id]);
 	show_pdo_errors_if_any($pdo);
 	if ($r = $q->fetch(PDO::FETCH_OBJ)) {
 		return i18n('Yes');
@@ -167,8 +167,8 @@ function report_student_regfee_item($report, $field, $text)
 	}
 }
 
-$q = $pdo->prepare("SELECT * FROM regfee_items WHERE year='{$config['FAIRYEAR']}'");
-$q->execute();
+$q = $pdo->prepare("SELECT * FROM regfee_items WHERE year=?");
+$q->execute([$config['FAIRYEAR']]);
 $regfeeitems = array();
 $first = true;
 while ($i = $q->fetch(PDO::FETCH_ASSOC)) {
diff --git a/admin/rerollprizes.php b/admin/rerollprizes.php
index 9586ac45..7b3ddf1a 100644
--- a/admin/rerollprizes.php
+++ b/admin/rerollprizes.php
@@ -40,75 +40,76 @@ $newfairyear = 2008;
 // first make sure they have indeed done the rollover...
 if ($config['FAIRYEAR'] == 2008) {
 	// make sure the number of awards are identical (aka they havent added any new ones)
-	$nq1 = $pdo->prepare("SELECT * FROM award_awards WHERE year='$newfairyear'");
-	$nq1->execute();
-	$nq2 = $pdo->prepare("SELECT * FROM award_awards WHERE year='$currentfairyear'");
-	$nq2->execute();
+	$nq1 = $pdo->prepare("SELECT * FROM award_awards WHERE year=?");
+	$nq1->execute([$newfairyear]);
+	$nq2 = $pdo->prepare("SELECT * FROM award_awards WHERE year=?");
+	$nq2->execute([$currentfairyear]);
 	if ($nq1->rowCount() == $nq2->rowcount()) {
-		$npq1 = $pdo->prepare("SELECT * FROM award_prizes WHERE year='$newfairyear'");
-		$npq1->execute();
-		$npq2 = $pdo->prepare("SELECT * FROM award_prizes WHERE year='$currentfairyear'");
-		$npq2->execute();
+		$npq1 = $pdo->prepare("SELECT * FROM award_prizes WHERE year?");
+		$npq1->execute([$newfairyear]);
+		$npq2 = $pdo->prepare("SELECT * FROM award_prizes WHERE year=?");
+		$npq2->execute([$currentfairyear]);
 
 		if ($npq2->rowCount() > 0 && $npq1->rowCount() == 0) {
 			echo '<br />';
 			echo notice(i18n('A BUG WAS IDENTIFIED IN YOUR PREVIOUS YEAR ROLLOVER WHICH CAUSED AWARD PRIZES TO NOT BE ROLLED OVER PROPERLY.  THEY ARE NOW BEING RE-ROLLED OVER WITH THE PROPER PRIZE INFORMATION.  THIS WILL ONLY HAPPEN ONCE.')) . '<br />';
-			$stmt = $pdo->prepare("DELETE FROM award_awards WHERE year='$newfairyear'");
-			$stmt->execute();
-			$stmt = $pdo->prepare("DELETE FROM award_prizes WHERE year='$newfairyear'");
-			$stmt->execute();
-			$stmt = $pdo->prepare("DELETE FROM award_contacts WHERE year='$newfairyear'");
-			$stmt->execute();
-			$stmt = $pdo->prepare("DELETE FROM award_types WHERE year='$newfairyear'");
-			$stmt->execute();
-			$stmt = $pdo->prepare("DELETE FROM award_awards_projectcategories WHERE year='$newfairyear'");
-			$stmt->execute();
-			$stmt = $pdo->prepare("DELETE FROM award_awards_projectdivisions WHERE year='$newfairyear'");
-			$stmt->execute();
+			$stmt = $pdo->prepare("DELETE FROM award_awards WHERE year=?");
+			$stmt->execute([$newfairyear]);
+			$stmt = $pdo->prepare("DELETE FROM award_prizes WHERE year=?");
+			$stmt->execute([$newfairyear]);
+			$stmt = $pdo->prepare("DELETE FROM award_contacts WHERE year=?");
+			$stmt->execute([$newfairyear]);
+			$stmt = $pdo->prepare("DELETE FROM award_types WHERE year=?");
+			$stmt->execute([$newfairyear]);
+			$stmt = $pdo->prepare("DELETE FROM award_awards_projectcategories WHERE year=?");
+			$stmt->execute([$newfairyear]);
+			$stmt = $pdo->prepare("DELETE FROM award_awards_projectdivisions WHERE year=?");
+			$stmt->execute([$newfairyear]);
 
 			echo i18n('Rolling awards') . '<br />';
 			// awards
-			$q = $pdo->prepare("SELECT * FROM award_awards WHERE year='$currentfairyear'");
-			$q->execute();
+			$q = $pdo->prepare("SELECT * FROM award_awards WHERE year=?");
+			$q->execute([$currentfairyear]);
 			show_pdo_errors_if_any($pdo);
 			while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 				$stmt = $pdo->prepare("INSERT INTO award_awards (award_sponsors_id,award_types_id,name,criteria,presenter,`order`,year,excludefromac,cwsfaward) VALUES (
-				'" . $r->award_sponsors_id . "',
-				'" . $r->award_types_i . "',
-				'" . $r->name . "',
-				'" . $r->criteria . "',
-				'" . $r->presenter . "',
-				'" . $r->order . "',
-				'" . $newfairyear . "',
-				'" . $r->excludefromac . "',
-				'" . $r->cwsfaward . "')");
+				?,
+				?,
+				?,
+				?,
+				?,
+				?,
+				?,
+				?,
+				?)");
+				$stmt->execute([$r->award_sponsors_id,$r->award_types_i ,$r->name,$r->criteria,$r->presenter,$r->order,$newfairyear,$r->excludefromac,$r->cwsfaward ]);
 				$award_awards_id = $pdo->lastInsertId();
 
-				$q2 = $pdo->prepare("SELECT * FROM award_awards_projectcategories WHERE year='$currentfairyear' AND award_awards_id='$r->id'");
-				$q2->execute();
+				$q2 = $pdo->prepare("SELECT * FROM award_awards_projectcategories WHERE year=? AND award_awards_id=?");
+				$q2->execute([$currentfairyear,$r->id]);
 				show_pdo_errors_if_any($pdo);
 				while ($r2 = $q2->fetch(PDO::FETCH_OBJ)) {
 					$stmt = $pdo->prepare("INSERT INTO award_awards_projectcategories (award_awards_id,projectcategories_id,year) VALUES (
-				'" . $award_awards_id . "',
-				'" . $r2->projectcategories_id . "',
-				'" . $newfairyear . "')");
-					$stmt->execute();
+				?,
+				?,
+				?)");
+					$stmt->execute([$award_awards_id,$r2->projectcategories_id,$newfairyear]);
 				}
 
-				$q2 = $pdo->prepare("SELECT * FROM award_awards_projectdivisions WHERE year='$currentfairyear' AND award_awards_id='$r->id'");
-				$q2->execute();
+				$q2 = $pdo->prepare("SELECT * FROM award_awards_projectdivisions WHERE year=? AND award_awards_id=?");
+				$q2->execute([$currentfairyear,$r->id]);
 				show_pdo_errors_if_any($pdo);
 				while ($r2 = $q2->fetch(PDO::FETCH_OBJ)) {
 					$stmt = $pdo->prepare("INSERT INTO award_awards_projectdivisions (award_awards_id,projectdivisions_id,year) VALUES (
-				'" . $award_awards_id . "',
-				'" . $r2->projectdivisions_id . "',
-				'" . $newfairyear . "')");
-					$stmt->execute();
+				?,
+				?,
+				?");
+					$stmt->execute([$award_awards_id,$r2->projectdivisions_id,$newfairyear]);
 				}
 
 				echo i18n('&nbsp; Rolling award prizes') . '<br />';
-				$q2 = $pdo->prepare("SELECT * FROM award_prizes WHERE year='$currentfairyear' AND award_awards_id='$r->id'");
-				$q2->execute();
+				$q2 = $pdo->prepare("SELECT * FROM award_prizes WHERE year=? AND award_awards_id=?");
+				$q2->execute([$currentfairyear,$r->id]);
 				show_pdo_errors_if_any($pdo);
 				while ($r2 = $q2->fetch(PDO::FETCH_OBJ)) {
 					$stmt = $pdo->prepare("INSERT INTO award_prizes (award_awards_id,cash,scholarship,`value`,prize,number,`order`,year,excludefromac) VALUES (
@@ -126,8 +127,8 @@ if ($config['FAIRYEAR'] == 2008) {
 
 			echo i18n('Rolling award contacts') . '<br />';
 			// award contacts
-			$q = $pdo->prepare("SELECT * FROM award_contacts WHERE year='$currentfairyear'");
-			$q->execute();
+			$q = $pdo->prepare("SELECT * FROM award_contacts WHERE year=?");
+			$q->execute([$currentfairyear]);
 			show_pdo_errors_if_any($pdo);
 			while ($r = $q->fetch(PDO::FETCH_OBJ))
 				$stmt = $pdo->prepare("INSERT INTO award_contacts (award_sponsors_id,salutation,firstname,lastname,position,email,phonehome,phonework,phonecell,fax,notes,year) VALUES (
@@ -146,16 +147,16 @@ if ($config['FAIRYEAR'] == 2008) {
 
 			echo i18n('Rolling award types') . '<br />';
 			// award types
-			$q = $pdo->prepare("SELECT * FROM award_types WHERE year='$currentfairyear'");
-			$q->execute();
+			$q = $pdo->prepare("SELECT * FROM award_types WHERE year=?");
+			$q->execute([$currentfairyear]);
 			show_pdo_errors_if_any($pdo);
 			while ($r = $q->fetch(PDO::FETCH_OBJ))
 				$stmt = $pdo->prepare("INSERT INTO award_types (id,type,`order`,year) VALUES (
-				'" . $r->id . "',
-				'" . $r->type . "',
-				'" . $r->order . "',
-				'" . $newfairyear . "')");
-			$stmt->execute();
+				?,
+				?,
+				?,
+				?)");
+			$stmt->execute([$r->id,$r->type,$r->order,$newfairyear]);
 		}
 	}
 }
diff --git a/admin/schools.php b/admin/schools.php
index 93df26f0..ac43c77e 100644
--- a/admin/schools.php
+++ b/admin/schools.php
@@ -33,8 +33,8 @@ user_auth_required('committee', 'admin');
 
 if (get_value_from_array($_POST, 'save') == 'edit' || get_value_from_array($_POST, 'save') == 'add') {
 	if (get_value_from_array($_POST, 'save') == 'add') {
-		$q = $pdo->prepare("INSERT INTO schools (year) VALUES ('" . $config['FAIRYEAR'] . "')");
-		$q->execute();
+		$q = $pdo->prepare("INSERT INTO schools (year) VALUES (?)");
+		$q->execute([$config['FAIRYEAR']]);
 		$id = $pdo->lastInsertId();
 	} else
 		$id = intval(get_value_from_array($_POST, 'id'));
@@ -49,8 +49,8 @@ if (get_value_from_array($_POST, 'save') == 'edit' || get_value_from_array($_POS
 	 */
 
 	/* Get the uids for principal/science head */
-	$q = $pdo->prepare("SELECT principal_uid,sciencehead_uid FROM schools WHERE id='$id'");
-	$q->execute();
+	$q = $pdo->prepare("SELECT principal_uid,sciencehead_uid FROM schools WHERE id=?");
+	$q->execute([$id]);
 	$i = $q->fetch(PDO::FETCH_ASSOC);
 
 	$principal_update = '';
@@ -187,24 +187,24 @@ if (get_value_from_array($_POST, 'save') == 'edit' || get_value_from_array($_POS
 }
 
 if (get_value_from_array($_GET, 'action') == 'delete' && get_value_from_array($_GET, 'delete', '')) {
-	$stmt = $pdo->prepare("DELETE FROM schools WHERE id='" . $_GET['delete'] . "'");
-	$stmt->execute();
+	$stmt = $pdo->prepare("DELETE FROM schools WHERE id=?");
+	$stmt->execute([$_GET['delete']]);
 	$notice = 'deleted';
 }
 
 if (get_value_from_array($_GET, 'action') == 'clearaccesscodes') {
-	$stmt = $pdo->prepare("UPDATE schools SET accesscode=NULL WHERE year='{$config['FAIRYEAR']}'");
-	$stmt->execute();
+	$stmt = $pdo->prepare("UPDATE schools SET accesscode=NULL WHERE year=?");
+	$stmt->execute([$config['FAIRYEAR']]);
 	$notice = 'clearaccess';
 }
 
 if (get_value_from_array($_GET, 'action') == 'makeaccesscodes') {
-	$q = $pdo->prepare("SELECT id FROM schools WHERE year='{$config['FAIRYEAR']}' AND (accesscode IS NULL OR accesscode='')");
-	$q->execute();
+	$q = $pdo->prepare("SELECT id FROM schools WHERE year=? AND (accesscode IS NULL OR accesscode='')");
+	$q->execute([$config['FAIRYEAR']]);
 	while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 		$ac = generatePassword(5);
-		$stmt = $pdo->prepare("UPDATE schools SET accesscode='$ac' WHERE id='$r->id' AND year='{$config['FAIRYEAR']}'");
-		$stmt->execute();
+		$stmt = $pdo->prepare("UPDATE schools SET accesscode=? WHERE id=? AND year=?");
+		$stmt->execute([$ac,$r->id,$config['FAIRYEAR']]);
 	}
 	$notice = 'makeaccess';
 }
@@ -217,8 +217,8 @@ if (get_value_from_array($_GET, 'action') == 'edit' || get_value_from_array($_GE
 		'schools_management');
 	if (get_value_from_array($_GET, 'action') == 'edit') {
 		$buttontext = 'Save School';
-		$q = $pdo->prepare("SELECT * FROM schools WHERE id='" . get_value_from_array($_GET, 'edit', '') . "'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT * FROM schools WHERE id=?");
+		$q->execute([get_value_from_array($_GET, 'edit', '')]);
 		$r = $q->fetch(PDO::FETCH_OBJ);
 	} else if (get_value_from_array($_GET, 'action') == 'add') {
 		$buttontext = 'Add School';
@@ -371,8 +371,8 @@ if (get_value_from_array($_GET, 'action') == 'edit' || get_value_from_array($_GE
 	echo ' <th>' . i18n('Action') . '</th>';
 	echo "</tr></thead>\n";
 
-	$q = $pdo->prepare("SELECT * FROM schools WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY school");
-	$q->execute();
+	$q = $pdo->prepare("SELECT * FROM schools WHERE year=? ORDER BY school");
+	$q->execute([$config['FAIRYEAR']]);
 	while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 		echo "<tr>\n";
 		echo " <td>$r->school</td>\n";
diff --git a/admin/schoolsimport.php b/admin/schoolsimport.php
index 7c76c5b9..143c5ab2 100644
--- a/admin/schoolsimport.php
+++ b/admin/schoolsimport.php
@@ -49,8 +49,8 @@ if (get_value_from_array($_POST, 'action') == 'import') {
 			// okay it looks like we have something.. lets dump the current stuff
 			if ($_POST['emptycurrent'] == 1) {
 				echo happy(i18n('Old school data erased'));
-				$stmt = $pdo->prepare("DELETE FROM schools WHERE year='" . $config['FAIRYEAR'] . "'");
-				$stmt->execute();
+				$stmt = $pdo->prepare("DELETE FROM schools WHERE year=?");
+				$stmt->execute([$config['FAIRYEAR']]);
 			}
 
 			$loaded = 0;
diff --git a/admin/send_emailqueue.php b/admin/send_emailqueue.php
index 2f022089..c02e7ad5 100644
--- a/admin/send_emailqueue.php
+++ b/admin/send_emailqueue.php
@@ -44,8 +44,8 @@ if (!$config['emailqueue_lock']) {
 		$q->execute();
 		if ($q->rowCount()) {
 			$r = $q->fetch(PDO::FETCH_OBJ);
-			$eq = $pdo->prepare("SELECT * FROM emailqueue WHERE id='$r->emailqueue_id'");
-			$eq->execute();
+			$eq = $pdo->prepare("SELECT * FROM emailqueue WHERE id=?");
+			$eq->execute([$r->emailqueue_id]);
 			$email = $eq->fetch(PDO::FETCH_OBJ);
 
 			$blank = array();
@@ -73,31 +73,31 @@ if (!$config['emailqueue_lock']) {
 			$result = email_send_new($to, $email->from, $email->subject, $body, $bodyhtml);
 
 			if ($result) {
-				$stmt = $pdo->prepare("UPDATE emailqueue_recipients SET sent=NOW(), `result`='ok' WHERE id='$r->id'");
-				$stmt->execute();
+				$stmt = $pdo->prepare("UPDATE emailqueue_recipients SET sent=NOW(), `result`='ok' WHERE id=?");
+				$stmt->execute([$r->id]);
 				show_pdo_errors_if_any($pdo);
 				$newnumsent = $email->numsent + 1;
-				$stmt = $pdo->prepare("UPDATE emailqueue SET numsent=$newnumsent WHERE id='$email->id'");
-				$stmt->execute();
+				$stmt = $pdo->prepare("UPDATE emailqueue SET numsent=? WHERE id=?");
+				$stmt->execute([$newnumsent,$email->id]);
 				show_pdo_errors_if_any($pdo);
 				echo "ok\n";
 			} else {
-				$stmt = Spdo->prepare("UPDATE emailqueue_recipients SET `sent`=NOW(), `result`='failed' WHERE id='$r->id'");
-				$stmt->execute();
+				$stmt = $pdo->prepare("UPDATE emailqueue_recipients SET `sent`=NOW(), `result`='failed' WHERE id=?");
+				$stmt->execute([$r->id]);
 				show_pdo_errors_if_any($pdo);
 				$newnumfailed = $email->numfailed + 1;
-				$stmt = $pdo->prepare("UPDATE emailqueue SET numfailed=$newnumfailed WHERE id='$email->id'");
-				$stmt->execute();
+				$stmt = $pdo->prepare("UPDATE emailqueue SET numfailed=? WHERE id=?");
+				$stmt->execute([$newnumfailed,$email->id]);
 				show_pdo_errors_if_any($pdo);
 				echo "failed\n";
 			}
 			// now check if we're done yet
-			$rq = $pdo->prepare("SELECT COUNT(*) AS num FROM emailqueue_recipients WHERE sent IS NULL AND emailqueue_id='$email->id'");
-			$rq->execute();
+			$rq = $pdo->prepare("SELECT COUNT(*) AS num FROM emailqueue_recipients WHERE sent IS NULL AND emailqueue_id=?");
+			$rq->execute([$email->id]);
 			$rr = $rq->fetch(PDO::FETCH_OBJ);
 			if ($rr->num == 0) {
-				$stmt = $pdo->prepare("UPDATE emailqueue SET finished=NOW() WHERE id='$email->id'");
-				$stmt->execute();
+				$stmt = $pdo->prepare("UPDATE emailqueue SET finished=NOW() WHERE id=?");
+				$stmt->execute([$email->id]);
 			}
 			usleep(rand($sleepmin, $sleepmax));
 		} else
diff --git a/admin/settranslation.php b/admin/settranslation.php
index 74ab2f2f..0494b490 100644
--- a/admin/settranslation.php
+++ b/admin/settranslation.php
@@ -38,19 +38,19 @@ foreach ($config['languages'] AS $l => $ln) {
     $m = md5($_POST['translate_str_hidden']);
 
     if ($_POST['translate_' . $l]) {
-        $q = $pdo->prepare("SELECT * FROM translations WHERE lang='$l' AND strmd5='$m'");
-        $q->execute();
+        $q = $pdo->prepare("SELECT * FROM translations WHERE lang=? AND strmd5=?");
+        $q->execute([$l,$m]);
 
         if ($q->rowCount()) {
-            $stmt = $pdo->prepare("UPDATE translations SET val='" . iconv('UTF-8', 'ISO-8859-1', stripslashes($_POST['translate_' . $l])) . "' WHERE lang='$l' AND strmd5='$m'");
-            $stmt->execute();
+            $stmt = $pdo->prepare("UPDATE translations SET val=? WHERE lang=? AND strmd5=?");
+            $stmt->execute([iconv('UTF-8', 'ISO-8859-1', stripslashes($_POST['translate_' . $l])),$l,$m]);
         } else {
-            $stmt = $pdo->prepare("INSERT INTO translations (lang,strmd5,str,val) VALUES ('$l','$m','" . iconv('UTF-8', 'ISO-8859-1', stripslashes($_POST['translate_str_hidden'])) . "','" . iconv('UTF-8', 'ISO-8859-1', stripslashes($_POST['translate_' . $l])) . "')");
-            $stmt->execute();
+            $stmt = $pdo->prepare("INSERT INTO translations (lang,strmd5,str,val) VALUES (?,?,?,?)");
+            $stmt->execute([$l,$m,iconv('UTF-8', 'ISO-8859-1', stripslashes($_POST['translate_str_hidden'])),iconv('UTF-8', 'ISO-8859-1', stripslashes($_POST['translate_' . $l]))]);
         }
     } else {
-        $stmt = $pdo->prepare("DELETE FROM translations WHERE lang='$l' AND strmd5='$m'");
-        $stmt->execute();
+        $stmt = $pdo->prepare("DELETE FROM translations WHERE lang=? AND strmd5=?");
+        $stmt->execute([$l,$m]);
     }
 }
 echo 'ok';
diff --git a/admin/sponsor_contacts.php b/admin/sponsor_contacts.php
index b92a94bf..8af6e8c3 100644
--- a/admin/sponsor_contacts.php
+++ b/admin/sponsor_contacts.php
@@ -73,11 +73,11 @@ if ($sponsors_id) {
 							FROM users_sponsor, users 
 							WHERE
 							users_sponsor.users_id=users.id
-							AND sponsors_id='$sponsors_id'
+							AND sponsors_id=?
 							AND `primary`='yes'
-							AND year='" . $config['FAIRYEAR'] . "'
-							AND users_id!='$id'");
-			$q->execute();
+							AND year=?
+							AND users_id!=?");
+			$q->execute([$sponsors_id,$config['FAIRYEAR'],$id]);
 			if ($q->rowCount() == 0) {
 				/* This must be the primary */
 				$p = 'yes';
@@ -85,8 +85,8 @@ if ($sponsors_id) {
 		} else {
 			/* Unset all other primaries */
 			$stmt = $pdo->prepare("UPDATE users_sponsor SET `primary`='no'
-						WHERE  sponsors_id='$sponsors_id'");
-			$stmt->execute();
+						WHERE  sponsors_id=?");
+			$stmt->execute([$sponsors_id]);
 		}
 
 		$u['primary'] = $p;
@@ -162,11 +162,11 @@ if ($sponsors_id) {
 		echo '<br />';
 
 		$q = $pdo->prepare("SELECT * FROM users LEFT JOIN users_sponsor ON users_sponsor.users_id=users.id
-				\t WHERE year='" . $config['FAIRYEAR'] . "' 
-				\t AND sponsors_id='$sponsors_id' 
+				\t WHERE year=? 
+				\t AND sponsors_id=? 
 				\t AND deleted='no' 
 				\t ORDER BY lastname,firstname");
-		$q->execute();
+		$q->execute([$config['FAIRYEAR'],$sponsors_id]);
 		show_pdo_errors_if_any($pdo);
 
 		if ($q->rowCount()) {
diff --git a/admin/student_editor.php b/admin/student_editor.php
index 014f9ffd..94f51a73 100644
--- a/admin/student_editor.php
+++ b/admin/student_editor.php
@@ -44,10 +44,10 @@ if ($auth_type == 'fair') {
 		/* Make sure they have permission to laod this student, check
 		the master copy of the fairs_id in the project */
 		$q = $pdo->prepare("SELECT * FROM projects WHERE 
-				registrations_id='$registrations_id' 
-				AND year='{$config['FAIRYEAR']}'
-				AND fairs_id=$fairs_id");
-		$q->execute();
+				registrations_id=? 
+				AND year=?
+				AND fairs_id=?");
+		$q->execute([$registrations_id,$config['FAIRYEAR'],$fairs_id]);
 		if ($q->rowCount() != 1) {
 			echo 'permission denied.';
 			exit;
@@ -75,8 +75,8 @@ switch ($action) {
 
 	case 'student_remove':
 		$remove_id = intval($_GET['students_id']);
-		$q = $pdo->prepare("SELECT id FROM students WHERE id='$remove_id' AND registrations_id='$registrations_id'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT id FROM students WHERE id=? AND registrations_id=?");
+		$q->execute([$remove_id,$registrations_id]);
 		if ($q->rowCount() != 1) {
 			error_('Invalid student to remove');
 			exit;
@@ -86,42 +86,42 @@ switch ($action) {
 			exit;
 		}
 
-		$stmt = $pdo->prepare("DELETE FROM students WHERE id='$remove_id' AND registrations_id='$registrations_id'");
-		$stmt->execute();
+		$stmt = $pdo->prepare("DELETE FROM students WHERE id=? AND registrations_id=?");
+		$stmt->execute([$remove_id,$registrations_id]);
 
 		// now see if they have an emergency contact that also needs to be removed
-		$q = $pdo->prepare("SELECT id FROM emergencycontact WHERE students_id='$remove_id' AND registrations_id='$registrations_id' AND year='{$config['FAIRYEAR']}'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT id FROM emergencycontact WHERE students_id=? AND registrations_id=? AND year=?");
+		$q->execute([$remove_id,$registrations_id,$config['FAIRYEAR']]);
 		// no need to error message if this doesnt exist
 		if ($q->rowCount() == 1)
-			$stmt = $do->prepare("DELETE FROM emergencycontact WHERE students_id='$remove_id' AND registrations_id='$registrations_id' AND year='{$config['FAIRYEAR']}'");
-		$stmt->execute();
+			$stmt = $do->prepare("DELETE FROM emergencycontact WHERE students_id=? AND registrations_id=? AND year=?");
+		$stmt->execute([$remove_id,$registrations_id,$config['FAIRYEAR']]);
 		if ($q->rowCount() != 1) {
 			error_('Invalid student to remove');
 			exit;
 		}
 
-		$stmt = $pdo->prepare("DELETE FROM students WHERE id='$remove_id' AND registrations_id='$registrations_id'");
-		$stmt->execute();
+		$stmt = $pdo->prepare("DELETE FROM students WHERE id=? AND registrations_id=?");
+		$stmt->execute([$remove_id,$registrations_id]);
 
 		// now see if they have an emergency contact that also needs to be removed
-		$q = $pdo->prepare("SELECT id FROM emergencycontact WHERE students_id='$remove_id' AND registrations_id='$registrations_id' AND year='{$config['FAIRYEAR']}'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT id FROM emergencycontact WHERE students_id=? AND registrations_id=? AND year=?");
+		$q->execute([$remove_id,$registrations_id,$config['FAIRYEAR']]);
 		// no need to error message if this doesnt exist
 		if ($q->rowCount() == 1)
-			$stmt = $do->prepare("DELETE FROM emergencycontact WHERE students_id='$remove_id' AND registrations_id='$registrations_id' AND year='{$config['FAIRYEAR']}'");
-		$stmt->execute();
+			$stmt = $do->prepare("DELETE FROM emergencycontact WHERE students_id=? AND registrations_id=? AND year=?");
+		$stmt->execute([$remove_id,$registrations_id,$config['FAIRYEAR']]);
 
-		$stmt = $pdo->prepare("DELETE FROM students WHERE id='$remove_id' AND registrations_id='$registrations_id'");
-		$stmt->execute();
+		$stmt = $pdo->prepare("DELETE FROM students WHERE id=? AND registrations_id=?");
+		$stmt->execute([$remove_id,$registrations_id]);
 
 		// now see if they have an emergency contact that also needs to be removed
-		$q = $pdo->prepare("SELECT id FROM emergencycontact WHERE students_id='$remove_id' AND registrations_id='$registrations_id' AND year='{$config['FAIRYEAR']}'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT id FROM emergencycontact WHERE students_id=? AND registrations_id=? AND year=?");
+		$q->execute([$remove_id,$registrations_id,$config['FAIRYEAR']]);
 		// no need to error message if this doesnt exist
 		if ($q->rowCount() == 1)
-			$stmt = $do->prepare("DELETE FROM emergencycontact WHERE students_id='$remove_id' AND registrations_id='$registrations_id' AND year='{$config['FAIRYEAR']}'");
-		$stmt->execute();
+			$stmt = $do->prepare("DELETE FROM emergencycontact WHERE students_id=? AND registrations_id=? AND year=?");
+		$stmt->execute([$remove_id,$registrations_id,$config['FAIRYEAR']]);
 		happy_('Student successfully removed');
 		exit;
 
@@ -141,8 +141,8 @@ function students_save()
 		if ($_POST['id'][$x] == 0) {
 			// if they use schoolpassword or singlepassword, then we need to set the school based on the school stored in the registration record.  for anything else they can choose the school on their own.
 			if ($config['participant_registration_type'] == 'schoolpassword' || $config['participant_registration_type'] == 'invite') {
-				$q = $pdo->prepare("SELECT schools_id FROM registrations WHERE id='$registrations_id' AND YEAR='{$config['FAIRYEAR']}'");
-				$q->execute();
+				$q = $pdo->prepare("SELECT schools_id FROM registrations WHERE id=? AND YEAR=?");
+				$q->execute([$registrations_id,$config['FAIRYEAR']]);
 				$r = $q->fetch(PDO::FETCH_OBJ);
 				$schools_id = $r->schools_id;
 				$schoolvalue = "'$schools_id', ";
@@ -216,9 +216,9 @@ function students_load()
 
 	// now query and display
 	$q = $pdo->prepare("SELECT * FROM students WHERE
-				registrations_id='$registrations_id' 
-				AND year='{$config['FAIRYEAR']}'");
-	$q->execute();
+				registrations_id=? 
+				AND year=?");
+	$q->execute([$registrations_id,$config['FAIRYEAR']]);
 	show_pdo_errors_if_any($pdo);
 
 	$numfound = $q->rowCount();
@@ -405,8 +405,8 @@ function students_load()
 		echo "<tr>\n";
 		echo ' <td>' . i18n('School') . '</td><td colspan="3">';
 		if ($config['participant_registration_type'] == 'open' || $config['participant_registration_type'] == 'singlepassword' || $config['participant_registration_type'] == 'openorinvite' || ($studentinfo && !$studentinfo->schools_id)) {
-			$schoolq = $pdo->prepare("SELECT id,school,city FROM schools WHERE year='" . $config['FAIRYEAR'] . "' ORDER by city,school");
-			$schoolq->execute();
+			$schoolq = $pdo->prepare("SELECT id,school,city FROM schools WHERE year=? ORDER by city,school");
+			$schoolq->execute([$config['FAIRYEAR']]);
 			echo "<select name=\"schools_id[$x]\">\n";
 			echo '<option value="">' . i18n('Choose School') . "</option>\n";
 			while ($r = $schoolq->fetch(PDO::FETCH_OBJ)) {
@@ -418,8 +418,8 @@ function students_load()
 			}
 			echo '</select>' . REQUIREDFIELD;
 		} else {
-			$schoolq = $pdo->prepare("SELECT id,school FROM schools WHERE year='" . $config['FAIRYEAR'] . "' AND id='$studentinfo->schools_id'");
-			$schoolq->execute();
+			$schoolq = $pdo->prepare("SELECT id,school FROM schools WHERE year=? AND id=?");
+			$schoolq->execute([$config['FAIRYEAR'],$studentinfo->schools_id]);
 			$r = $schoolq->fetch(PDO::FETCH_OBJ);
 			echo $r->school;
 		}
@@ -471,23 +471,23 @@ function registration_load()
 		/* Find a reg num */
 		do {
 			$regnum = rand(100000, 999999);
-			$q = $pdo->prepare("SELECT * FROM registrations WHERE num='$regnum' AND year={$config['FAIRYEAR']}");
-			$q->execute();
+			$q = $pdo->prepare("SELECT * FROM registrations WHERE num=? AND year=?");
+			$q->execute([$regnum,$config['FAIRYEAR']]);
 		} while ($q->rowCount() > 0);
 
 		$r['num'] = $regnum;
 		echo notice(i18n('New registration number generated.'));
 		echo notice(i18n('This new registration will added when the "Save Registration Information" button is pressed below.  At that time the other tabs will become available.'));
 	} else {
-		$q = $pdo->prepare("SELECT * FROM registrations WHERE id='$registrations_id'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT * FROM registrations WHERE id=?");
+		$q->execute([$registrations_id]);
 		if ($q->rowCount() != 1)
 			$r = array();
 		else {
 			$r = $q->fetch(PDO::FETCH_ASSOC);
 			/* Get the fair from the project */
-			$q = $pdo->prepare("SELECT fairs_id FROM projects WHERE registrations_id='$registrations_id'");
-			$q->execute();
+			$q = $pdo->prepare("SELECT fairs_id FROM projects WHERE registrations_id=?");
+			$q->execute([$registrations_id]);
 			if ($q->rowCount() == 1) {
 				$p = $q->fetch(PDO::FETCH_ASSOC);
 				$r['fairs_id'] = $p['fairs_id'];
@@ -569,30 +569,30 @@ function registration_save()
 
 	if ($registrations_id == -1) {
 		$stmt = $pdo->prepare("INSERT INTO registrations (start,schools_id,year) VALUES (
-					NOW(), NULL, '{$config['FAIRYEAR']}')");
-		$stmt->execute();
+					NOW(), NULL,?)");
+		$stmt->execute([$config['FAIRYEAR']]);
 		$registrations_id = $pdo->lastInsertId();
 
 		/* Create one student and a project */
 		$stmt = $pdo->prepare("INSERT INTO students (registrations_id,email,year) VALUES (
 		
-					$registrations_id, '$registration_email', '{$config['FAIRYEAR']}')");
-		$stmt->execute();
+					?,?,?)");
+		$stmt->execute([$registrations_id,$registration_email,$config['FAIRYEAR']]);
 		$stmt = $pdo->prepare("INSERT INTO projects (registrations_id,year) VALUES (
 		
-					$registrations_id, '{$config['FAIRYEAR']}')");
-		$stmt->execute();
+					?,?)");
+		$stmt->execute([$registrations_id,$config['FAIRYEAR']]);
 		happy_('Created student and project record');
 	}
 
 	/* Update registration */
 	$stmt = $pdo->prepare("UPDATE registrations SET 
-					num='$registration_num',
-					status='$registration_status',
-					email='$registration_email'
+					num=?,
+					status=?,
+					email=?
 				WHERE 
-					id='$registrations_id'");
-	$stmt->execute();
+					id=?");
+	$stmt->execute([$registration_num,$registration_status,$registration_email,$registrations_id]);
 	show_pdo_errors_if_any($pdo);
 
 	/*
@@ -602,10 +602,10 @@ function registration_save()
 	if ($auth_type == 'fair')
 		$fairs_id = $_SESSION['fairs_id'];
 	$stmt = $pdo->prepare("UPDATE projects SET 
-					fairs_id='$fairs_id'
+					fairs_id=?
 				WHERE 
-					registrations_id='$registrations_id'");
-	$stmt->execute();
+					registrations_id=?");
+	$stmt->execute([$fairs_id,$registrations_id]);
 	show_pdo_errors_if_any($pdo);
 	happy_('Information Saved');
 	echo '<script language="javascript" type="text/javascript">';
diff --git a/admin/tours_assignments.php b/admin/tours_assignments.php
index 8a30970e..683f9a45 100644
--- a/admin/tours_assignments.php
+++ b/admin/tours_assignments.php
@@ -33,9 +33,9 @@ user_auth_required('committee', 'admin');
 
 /* Load Tours */
 $query = "SELECT * FROM tours WHERE 
-		year='{$config['FAIRYEAR']}'";
+		year=?";
 $r = $pdo->prepare($query);
-$r->execute();
+$r->execute([$config['FAIRYEAR']]);
 $tours = array();
 while ($i = $r->fetch(PDO::FETCH_OBJ)) {
 	$tours[$i->id]['name'] = $i->name;
@@ -45,20 +45,20 @@ while ($i = $r->fetch(PDO::FETCH_OBJ)) {
 if (get_value_from_array($_GET, 'action') == 'info') {
 	$sid = intval($_GET['id']);
 
-	$query = "SELECT * FROM students WHERE id='$sid'
-			AND year='{$config['FAIRYEAR']}'";
+	$query = "SELECT * FROM students WHERE id=?
+			AND year=?";
 	$r = $pdo->prepare($query);
-	$r->execute();
+	$r->execute([$sid,$config['FAIRYEAR']]);
 	$i = $r->fetch(PDO::FETCH_OBJ);
 
 	send_popup_header(i18n('Student Tour Rank Information - %1 %2',
 		array($i->firstname, $i->lastname)));
 	$query = "SELECT * FROM tours_choice
-				WHERE students_id='$sid'
-				AND year='{$config['FAIRYEAR']}'
+				WHERE students_id=?
+				AND year=?
 				ORDER BY rank";
 	$r = $pdo->prepare($query);
-	$r->execute();
+	$r->execute([$sid,$config['FAIRYEAR']]);
 	echo '<table>';
 	$count = $r->rowwCount();
 	while ($i = $r->fetch(PDO::FETCH_OBJ)) {
@@ -157,25 +157,25 @@ if (get_value_from_array($_POST, 'action') == 'add' && $tours_id != 0 && count($
 		$sid = intval($sid);
 
 		$q = $pdo->prepare("SELECT registrations_id FROM students 
-					WHERE id='$sid'");
-		$q->execute();
+					WHERE id=?");
+		$q->execute([$sid]);
 		$i = $q->fetch(PDO::FETCH_OBJ);
 		$rid = $i->registrations_id;
 
 		/* Delete any old linking */
 		$stmt = $pdo->prepare("DELETE FROM tours_choice WHERE
-					students_id='$sid' AND
-					year='{$config['FAIRYEAR']}' AND
+					students_id=? AND
+					year=? AND
 					rank='0'");
-		$stmt->execute();
+		$stmt->execute([$sid,$config['FAIRYEAR']]);
 		/* Connect this student to this tour */
 		$stmt = $pdo->prepare("INSERT INTO tours_choice 
 					(`students_id`,`registrations_id`,
 						`tour_id`,`year`,`rank`)
 					VALUES (
-					'$sid', '$rid', '$tours_id',
-					'{$config['FAIRYEAR']}','0')");
-		$stmt->execute();
+					?,?,?,
+					?,'0')");
+		$stmt->execute([$sid,$rid,$tours_id,$config['FAIRYEAR']]);
 		$added++;
 	}
 	if ($added == 1)
@@ -193,20 +193,20 @@ $students_id = intval(get_value_from_array($_GET, 'students_id'));
 
 if (get_value_from_array($_GET, 'action') == 'del' && $tours_id > 0 && $students_id > 0) {
 	$stmt = $pdo->prepare("DELETE FROM tours_choice 
-				WHERE students_id='$students_id' 
-				AND year='{$config['FAIRYEAR']}'
+				WHERE students_id=? 
+				AND year=?
 				AND rank='0'");
-	$stmt->execute();
+	$stmt->execute([$students_id,$config['FAIRYEAR']]);
 
 	echo happy(i18n('Removed student from tour #%1 (%2)', array($tours[$tours_id]['num'], $tours[$tours_id]['name'])));
 }
 
 if (get_value_from_array($_GET, 'action') == 'empty' && $tours_id > 0) {
 	$stmt = $po->prepare("DELETE FROM tours_choice WHERE 
-				tour_id='$tours_id'
-				AND year='{$config['FAIRYEAR']}'
+				tour_id=?
+				AND year=?
 				AND rank='0'");
-	$stmt->execute();
+	$stmt->execute([$tours_id,$config['FAIRYEAR']]);
 	echo happy(i18n('Emptied all students from tour #%1 (%2)', array($tours[$tours_id]['num'], $tours[$tours_id]['name'])));
 }
 
@@ -243,8 +243,8 @@ $querystr = "SELECT \tstudents.firstname, students.lastname,
 				LEFT JOIN tours_choice ON (tours_choice.students_id=students.id AND tours_choice.rank=0)
 				LEFT JOIN registrations ON registrations.id=students.registrations_id
 			WHERE 
-				students.year='{$config['FAIRYEAR']}' AND
-				(tours_choice.year='{$config['FAIRYEAR']}' OR
+				students.year=? AND
+				(tours_choice.year=? OR
 			\t tours_choice.year IS NULL) AND
 				registrations.status='complete'
 			ORDER BY 
@@ -253,7 +253,7 @@ $querystr = "SELECT \tstudents.firstname, students.lastname,
 				tours_choice.rank";
 
 $q = $pdo->prepare($querystr);
-$q->execute();
+$q->execute([$config['FAIRYEAR'],$config['FAIRYEAR']]);
 
 show_pdo_errors_if_any($pdo);
 
diff --git a/admin/tours_manager.php b/admin/tours_manager.php
index 3e9c9ade..6c1da4e7 100644
--- a/admin/tours_manager.php
+++ b/admin/tours_manager.php
@@ -39,12 +39,12 @@ send_header('Tour Management',
 		'Tours' => 'admin/tours.php'));
 
 if ($_GET['action'] == 'renumber') {
-	$q = $pdo->prepare("SELECT id FROM tours WHERE year='{$config['FAIRYEAR']}'");
-	$q->execute();
+	$q = $pdo->prepare("SELECT id FROM tours WHERE year=?");
+	$q->execute([$config['FAIRYEAR']]);
 	$x = 1;
 	while ($i = $q->fetch(PDP::FETCH_OBJ)) {
-		$stmt = $pdo->prepare("UPDATE tours SET num='$x' WHERE id='{$i->id}'");
-		$stmt->execute();
+		$stmt = $pdo->prepare("UPDATE tours SET num=? WHERE id=?");
+		$stmt->execute([$x,$i->id]);
 		$x++;
 	}
 	echo happy(i18n('Tours successfully renumbered'));
diff --git a/admin/tours_sa.php b/admin/tours_sa.php
index 84cfaa1c..71ef4cdf 100644
--- a/admin/tours_sa.php
+++ b/admin/tours_sa.php
@@ -53,9 +53,9 @@ TRACE('<pre>');
 function set_status($txt)
 {
 	TRACE("Status: $txt\n");
-	$stmt = $pdo->prepare("UPDATE config SET val='$txt' WHERE 
+	$stmt = $pdo->prepare("UPDATE config SET val=? WHERE 
 			var='tours_assigner_activity' AND year=0");
-	$stmt->execute();
+	$stmt->execute([$txt]);
 }
 
 $set_percent_last_percent = -1;
@@ -68,9 +68,9 @@ function set_percent($n)
 		return;
 	TRACE("Progress: $p\%\n");
 	$set_percent_last_percent = $p;
-	$stmt = $pdo->prepare("UPDATE config SET val='$p' WHERE 
+	$stmt = $pdo->prepare("UPDATE config SET val=? WHERE 
 			var='tours_assigner_percent' AND year=0");
-	$stmt->execute();
+	$stmt->execute([$p]);
 }
 
 set_status('Initializing...');
@@ -205,16 +205,16 @@ function tour_cost_function($annealer, $bucket_id, $ids)
 set_status('Cleaning existing tour assignments...');
 TRACE("\n\n");
 $q = $pdo->prepare("DELETE FROM tours_choice 
-		WHERE year='{$config['FAIRYEAR']}'
+		WHERE year=?
 		AND rank='0'");
-$q->execute();
+$q->execute([$config['FAIRYEAR']]);
 
 set_status('Loading Data From Database...');
 TRACE("\n\n");
 TRACE("Tours...\n");
 $tours = array();
-$q = $pdo->prepare("SELECT * FROM tours WHERE year='{$config['FAIRYEAR']}'");
-$q-- > execute();
+$q = $pdo->prepare("SELECT * FROM tours WHERE year=?");
+$q-> execute([$config['FAIRYEAR']]);
 $x = 0;
 
 /*
@@ -240,13 +240,13 @@ $q = $pdo->prepare("SELECT students.id,students.grade,
 		FROM students
 			LEFT JOIN registrations ON registrations.id=students.registrations_id
 		WHERE
-			students.year='{$config['FAIRYEAR']}'
+			students.year=?
 			AND ( registrations.status='complete'
 				OR registrations.status='paymentpending' )
 		ORDER BY
 			students.id
 			");
-$q->execute();
+$q->execute([$config['FAIRYEAR']]);
 $last_sid = -1;
 TRACE($pdo->errorInfo());
 while ($r = $q->fetch(PDO::FETCH_OBJ)) {
@@ -262,9 +262,9 @@ TRACE('   ' . (count($student_ids)) . " students loaded\n");
 
 TRACE("Loading Tour Selection Preferences...\n");
 $q = $pdo->prepare("SELECT * FROM tours_choice WHERE
-			tours_choice.year='{$config['FAIRYEAR']}' 
+			tours_choice.year=? 
 			ORDER BY rank ");
-$q->execute();
+$q->execute([$config['FAIRYEAR']]);
 TRACE($pdo->errorInfo());
 $x = 0;
 while ($r = $q->fetch(PDO::FETCH_OBJ)) {
diff --git a/admin/tours_sa_config.php b/admin/tours_sa_config.php
index bbf291e4..ac4fc264 100644
--- a/admin/tours_sa_config.php
+++ b/admin/tours_sa_config.php
@@ -58,8 +58,8 @@ function tours_check_tours()
 {
 	global $config;
 	global $pdo;
-	$q = $pdo->prepare("SELECT * FROM tours WHERE year='{$config['FAIRYEAR']}'");
-	$q->execute();
+	$q = $pdo->prepare("SELECT * FROM tours WHERE year=?");
+	$q->execute([$config['FAIRYEAR']]);
 	return $q->rowCount();
 }
 
@@ -72,13 +72,13 @@ function tours_check_students()
 			LEFT JOIN tours_choice ON (tours_choice.students_id=students.id)
 			LEFT JOIN registrations ON (registrations.id=students.registrations_id)
 		WHERE
-			students.year='{$config['FAIRYEAR']}'
-			AND tours_choice.year='{$config['FAIRYEAR']}'
+			students.year=?
+			AND tours_choice.year=?
 			AND registrations.status='complete'
 		ORDER BY
 			students.id, tours_choice.rank
 			");
-	$q->execute();
+	$q->execute([$config['FAIRYEAR'],$config['FAIRYEAR']]);
 	return $q->rowCount();
 }
 
diff --git a/admin/translations.php b/admin/translations.php
index 80df5737..940e58df 100644
--- a/admin/translations.php
+++ b/admin/translations.php
@@ -57,8 +57,8 @@ if (get_value_from_array($_POST, 'action') == 'save') {
     // first, delete anything thats supposed to eb deleted
     if (count(get_value_from_array($_POST, 'delete', []))) {
         foreach ($_POST['delete'] AS $del) {
-            $stmt = $pdo->prepare("DELETE FROM translations WHERE lang='" . $_SESSION['translang'] . "' AND strmd5='" . $del . "'");
-            $stmt->execute();
+            $stmt = $pdo->prepare("DELETE FROM translations WHERE lang=? AND strmd5=?");
+            $stmt->execute([$_SESSION['translang'],$del]);
         }
         echo happy(i18n('Translation(s) deleted'));
     }
@@ -113,8 +113,8 @@ if ($show == 'missing')
 else
     $showquery = '';
 
-$q = $pdo->prepare("SELECT * FROM translations WHERE lang='" . get_value_from_array($_SESSION, 'translang') . "' $showquery ORDER BY str");
-$q->execute();
+$q = $pdo->prepare("SELECT * FROM translations WHERE lang=? ? ORDER BY str");
+$q->execute([get_value_from_array($_SESSION, 'translang'),$showquery]);
 $num = $q->rowCount();
 echo i18n('Showing %1 translation strings', array($num), array('number of strings'));