150-200 database lines have been changed

2025-02-04 05:01:02 +00:00 · 2025-02-04 05:01:02 +00:00 · 5ccfe2dd6f
commit 5ccfe2dd6f
parent a077e3fdc9
30 changed files with 410 additions and 405 deletions
--- a/admin/registration_receivedforms.php
+++ b/admin/registration_receivedforms.php
@ -77,7 +77,7 @@ if (get_value_from_array($_POST, 'action') == 'received' && get_value_from_array
 						FROM
 							projects,projectcategories,projectdivisions
 						WHERE
-							projects.registrations_id='$reg_id'
+							projects.registrations_id=?
 							AND
 							projects.projectcategories_id=projectcategories.id
 							AND
@ -87,7 +87,7 @@ if (get_value_from_array($_POST, 'action') == 'received' && get_value_from_array
 							AND
 							projectdivisions.year=projects.year
 						");
-				$q->execute();
+				$q->execute([$reg_id]);
 				show_pdo_errors_if_any($pdo);
 				$projectinfo = $q->fetch(PDO::FETCH_OBJ);
@ -116,11 +116,11 @@ if (get_value_from_array($_POST, 'action') == 'received' && get_value_from_array
 						FROM
 							students,schools
 						WHERE
-							students.registrations_id='$reg_id'
+							students.registrations_id=?
 							AND
 							students.schools_id=schools.id
 						");
-				$q->execute();
+				$q->execute([$reg_id]);
 				$studnum = 1;
 				while ($studentinfo = $q->fetch(PDO::FETCH_OBJ)) {
@ -193,14 +193,14 @@ if (get_value_from_array($_POST, 'action') == 'received' && get_value_from_array
 	$checkNumQuery = $pdo->prepare("SELECT projectnumber
 					FROM projects, registrations 
 					WHERE projects.registrations_id = registrations.id 
-						AND num='$regnum'
+						AND num=?
-						AND registrations.year='{$config['FAIRYEAR']}'");
+						AND registrations.year=?");
-	$checkNumQuery->execute();
+	$checkNumQuery->execute([$regnum,$config['FAIRYEAR']]);
 	$checkNumResults = $checkNumQuery->fetch(PDO::FETCH_OBJ);
 	$projectnum = $checkNumResults->projectnumber;
-	$q = $pdo->prepare("SELECT id FROM registrations WHERE num='$regnum' AND year='{$config['FAIRYEAR']}'");
+	$q = $pdo->prepare("SELECT id FROM registrations WHERE num=? AND year=?");
-	$q->execute();
+	$q->execute([$regnum, $config['FAIRYEAR']]);
 	$r = $q->fetch(PDO::FETCH_OBJ);
 	$reg_id = $r->id;
@ -218,8 +218,8 @@ if (get_value_from_array($_POST, 'action') == 'received' && get_value_from_array
 	if ($_POST['action'] == 'receivedyes') {
 		// actually set it to 'complete'
-		$stmt = $pdo->prepare("UPDATE registrations SET status='complete' WHERE num='$regnum' AND year='{$config['FAIRYEAR']}'");
+		$stmt = $pdo->prepare("UPDATE registrations SET status='complete' WHERE num=? AND year=?");
-		$stmt->execute();
+		$stmt->execute([$regnum,$config['FAIRYEAR']]);
 		foreach ($recipients AS $recip) {
 			$to = $recip['to'];
 			$subsub = array();
@ -238,8 +238,8 @@ if (get_value_from_array($_POST, 'action') == 'received' && get_value_from_array
 		echo happy(i18n('Registration of form %1 successfully completed', array($regnum)));
 	} else if ($_POST['action'] == 'receivedyesnocash') {
 		// actually set it to 'paymentpending'
-		$stmt = $pdo->prepare("UPDATE registrations SET status='paymentpending' WHERE num='$regnum' AND year='{$config['FAIRYEAR']}'");
+		$stmt = $pdo->prepare("UPDATE registrations SET status='paymentpending' WHERE num=? AND year=?");
-		$stmt->execute();
+		$stmt->execute([$regnum,$config['FAIRYEAR']]);
 		foreach ($recipients AS $recip) {
 			$to = $recip['to'];
 			$subsub = array();
@ -261,13 +261,13 @@ if (get_value_from_array($_POST, 'action') == 'received' && get_value_from_array
 	echo notice(i18n('Registration of form %1 cancelled', array($_POST['registration_number'])));
 } else if (get_value_from_array($_GET, 'action') == 'unregister' && get_value_from_array($_GET, 'registration_number')) {
 	$reg_num = intval(trim($_GET['registration_number']));
-	$q = $pdo - prepare("SELECT registrations.id AS reg_id, projects.id AS proj_id FROM projects,registrations WHERE projects.registrations_id=registrations.id AND registrations.year='{$config['FAIRYEAR']}' AND registrations.num='$reg_num'");
+	$q = $pdo->prepare("SELECT registrations.id AS reg_id, projects.id AS proj_id FROM projects,registrations WHERE projects.registrations_id=registrations.id AND registrations.year=? AND registrations.num=?");
-	$q->execute();
+	$q->execute([$config['FAIRYEAR'],$reg_num]);
 	$r = $q->fetch(PDO::FETCH_OBJ);
-	$stmt = $pdo->prepare("UPDATE projects SET projectnumber=null, projectsort=null, projectnumber_seq=0, projectsort_seq=0 WHERE id='$r->proj_id' AND year='{$config['FAIRYEAR']}'");
+	$stmt = $pdo->prepare("UPDATE projects SET projectnumber=null, projectsort=null, projectnumber_seq=0, projectsort_seq=0 WHERE id=? AND year=?");
-	$stmt->execute();
+	$stmt->execute([$r->proj_id,$config['FAIRYEAR']]);
-	$stmt = $pdo->prepare("UPDATE registrations SET status='open' WHERE id='$r->reg_id' AND year='{$config['FAIRYEAR']}'");
+	$stmt = $pdo->prepare("UPDATE registrations SET status='open' WHERE id=? AND year=?");
-	$stmt->execute();
+	$stmt->execute([$r->reg_id,$config['FAIRYEAR']]);
 	echo happy(i18n('Successfully unregistered project'));
 }
@ -305,9 +305,9 @@ if ($showformatbottom) {
 if (get_value_from_array($_POST, 'action') == 'receive_all') {
 	// Grab all projects that don't have project numbers. Status should therefor be open or new but not complete
-	$query_noprojectnumber = $pdo->prepare('SELECT * FROM projects WHERE projectnumber IS NULL AND year =' . $config['FAIRYEAR'] . '');
+	$query_noprojectnumber = $pdo->prepare('SELECT * FROM projects WHERE projectnumber IS NULL AND year =?');
 	// Define arrays to append to later
-	$query_noprojectnumber->execute();
+	$query_noprojectnumber->execute([$config['FAIRYEAR']]);
 	$completed_students = array();
 	$incomplete_students = array();
 	$newstatus_students = array();
@ -315,8 +315,8 @@ if (get_value_from_array($_POST, 'action') == 'receive_all') {
 	// loop through each project that doesn't have a project number
 	while ($studentproject = $query_noprojectnumber->fetch(PDO::FETCH_ASSOC)) {
 		// Grab registration information about the current project
-		$q = $pdo->prepare("SELECT * FROM registrations WHERE id='" . $studentproject['registrations_id'] . "' AND year='" . $config['FAIRYEAR'] . "'");
+		$q = $pdo->prepare("SELECT * FROM registrations WHERE id=? AND year=?");
-		$q->execute();
+		$q->execute([$studentproject['registrations_id'],$config['FAIRYEAR']]);
 		$r = $q->fetch(PDO::FETCH_OBJ);
 		$reg_id = $r->id;
 		$reg_num = $r->num;
@ -347,18 +347,18 @@ if (get_value_from_array($_POST, 'action') == 'receive_all') {
 			) {
 				// Generate project number and update it in data base
 				list($projectnumber, $ps, $pns, $pss) = generateProjectNumber($reg_id);
-				$stmt = $pdo->prepare("UPDATE projects SET projectnumber='$projectnumber',
+				$stmt = $pdo->prepare("UPDATE projects SET projectnumber=?,
-							projectsort='$ps',projectnumber_seq='$pns',projectsort_seq='$pss'
+							projectsort=?,projectnumber_seq=?,projectsort_seq=?
-							WHERE registrations_id='$reg_id' AND year='{$config['FAIRYEAR']}'");
+							WHERE registrations_id=? AND year=?");
-				$stmt->execute();
+				$stmt->execute([$projectnumber,$ps,$pns,$pss,$reg_id,$config['FAIRYEAR']]);
 				// email stuff
 				// get all students with this registration number
 				// $recipients=getEmailRecipientsForRegistration($reg_id);
 				// Set status to 'complete'
-				$stmt = $pdo->prepare("UPDATE registrations SET status='complete' WHERE num='$reg_num' AND year='{$config['FAIRYEAR']}'");
+				$stmt = $pdo->prepare("UPDATE registrations SET status='complete' WHERE num=? AND year=?");
-				$stmt->execute();
+				$stmt->execute([$reg_num,$config['FAIRYEAR']]);
 				/*foreach($recipients AS $recip) {
 					$to=$recip['to'];
 					$subsub=array();
--- a/admin/registration_stats.php
+++ b/admin/registration_stats.php
@ -63,13 +63,13 @@ foreach ($status_str as $s => $str) {
 echo '</select>';
 echo '</form>';
-$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year='$year' ORDER BY id");
+$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year=? ORDER BY id");
-$q->execute();
+$q->execute([$year]);
 while ($r = $q->fetch(PDO::FETCH_OBJ))
 	$cats[$r->id] = $r->category;
-$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year='$year' ORDER BY id");
+$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year=? ORDER BY id");
-$q->execute();
+$q->execute([$year]);
 while ($r = $q->fetch(PDO::FETCH_OBJ))
 	$divs[$r->id] = $r->division;
@ -133,12 +133,12 @@ $q = $pdo->prepare("SELECT  registrations.id AS reg_id,
 				left outer join projects on projects.registrations_id=registrations.id
 			WHERE
 				1
-				AND registrations.year='$year' 
+				AND registrations.year=? 
-				$wherestatus
+				?
 			ORDER BY
-				$ORDERBY
+				?
 			");
-$q->execute();
+$q->execute([$year,$wherestatus,$ORDERBY]);
 show_pdo_errors_if_any($pdo);
 $stats_totalprojects = 0;
@ -188,10 +188,11 @@ while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 				FROM
 					students,schools
 				WHERE
-					students.registrations_id='$r->reg_id'
+					students.registrations_id=?
 					AND
 					students.schools_id=schools.id
 				");
 	$sq->execute([$r->reg_id]);
 	show_pdo_errors_if_any($pdo);
 	$studnum = 1;
--- a/admin/registration_webconsent.php
+++ b/admin/registration_webconsent.php
@ -44,12 +44,12 @@ if (get_value_from_array($_POST, 'changed')) {
 			$webphoto = get_value_from_2d_array($_POST, 'webphoto', $id) == 'yes' ? 'yes' : 'no';
 			$stmt = $pdo->prepare("UPDATE students SET 
-					webfirst='$webfirst',
+					webfirst=?,
-					weblast='$weblast',
+					weblast=?,
-					webphoto='$webphoto'
+					webphoto=?
 					WHERE
-					id='$id'");
+					id=?");
-			$stmt->execute();
+			$stmt->execute([$webfirst,$weblast,$webphoto,$id]);
 		}
 	}
@ -87,12 +87,12 @@ $sq = $pdo->prepare("SELECT students.firstname,
 				students.registrations_id=registrations.id
 			AND\t( registrations.status = 'complete' OR registrations.status='paymentpending' )
 			AND\tprojects.registrations_id=registrations.id
-			AND \tregistrations.year='" . $config['FAIRYEAR'] . "' 
+			AND \tregistrations.year=? 
-			AND \tprojects.year='" . $config['FAIRYEAR'] . "' 
+			AND \tprojects.year=? 
-			AND \tstudents.year='" . $config['FAIRYEAR'] . "' 
+			AND \tstudents.year=? 
 			ORDER BY projectnumber
 			");
-$sq->execute();
+$sq->execute([$config['FAIRYEAR'],$config['FAIRYEAR'],$config['FAIRYEAR']]);
 show_pdo_errors_if_any($pdo);
 echo '<form method="post" action="registration_webconsent.php">';
--- a/admin/reports.inc.php
+++ b/admin/reports.inc.php
@ -351,9 +351,9 @@ foreach($report_stock as $n=>$v) {
 	/* First delete all existing fields */
 	$stmt = $pdo->prepare("DELETE FROM reports_items 
-			WHERE `reports_id`='{$report['id']}'
+			WHERE `reports_id`=?
-			AND `type`='$type'");
+			AND `type`=?");
-	$stmt->execute();
+	$stmt->execute([$report['id'],$type]);
 	/* Now add new ones */
 	if(count($report[$type]) == 0) return;
@ -385,9 +385,9 @@ foreach($report_stock as $n=>$v) {
 				`field`,`value`,`x`, `y`, `w`, `h`,
 				`lines`, `face`, `align`,`valign`,
 				`fontname`,`fontstyle`,`fontsize`,`on_overflow`) 
-			VALUES $q");
+			VALUES ?");
-	$stmt->execute();
+	$stmt->execute([$q]);
 	show_pdo_errors_if_any($pdo);
 }
@ -404,8 +404,8 @@ foreach($report_stock as $n=>$v) {
 	$report = array();
-	$q = $pdo->prepare("SELECT * FROM reports WHERE id='$report_id'");
+	$q = $pdo->prepare("SELECT * FROM reports WHERE id=?");
-	$q->execute();
+	$q->execute([$report_id]);
 	$r = $q->fetch(PDO::FETCH_ASSOC);
 	$report['name'] = get_value_from_array($r, 'name');
 	$report['id'] = get_value_from_array($r, 'id');
@ -430,9 +430,9 @@ foreach($report_stock as $n=>$v) {
 		$allow_fields=array();
 	$q = $pdo->prepare("SELECT * FROM reports_items 
-			WHERE reports_id='{$report['id']}' 
+			WHERE reports_id=? 
 			ORDER BY `ord`");
-	$q->execute();
+	$q->execute([$report['id']]);
 	show_pdo_errors_if_any($pdo);
 	if($q->rowCount() == 0) return $report;
@ -491,8 +491,8 @@ foreach($report_stock as $n=>$v) {
 	} else {
 		/* if the report['id'] is not zero, see if this is a
 		 * systeim report before doing anything. */
-		$q = $pdo->prepare("SELECT system_report_id FROM reports WHERE id='{$report['id']}'");
+		$q = $pdo->prepare("SELECT system_report_id FROM reports WHERE id=?");
-		$q->execute();
+		$q->execute([$report['id']]);
 		$i = $q->fetch(PDO::FETCH_ASSOC);
 		if(intval($i['system_report_id']) != 0) {
 			/* This is a system report, the editor (should)
@ -513,12 +513,12 @@ foreach($report_stock as $n=>$v) {
 */
 	$stmt = $pdo->prepare("UPDATE reports SET 
-			`name`='".$report['name']."',
+			`name`=?,
-			`desc`='".$report['desc']."',
+			`desc`=?,
-			`creator`='".$report['creator']."',
+			`creator`=?,
-			`type`='".$report['type']."'
+			`type`=?
-			WHERE `id`={$report['id']}");
+			WHERE `id`=?");
-	$stmt->execute();
+	$stmt->execute([$report['name'],$report['desc'],$report['creator'],$report['type'],$report['id']]);
 	report_save_field($report, 'col', get_value_from_array($report, 'loc'));
 	report_save_field($report, 'group', array());
@ -533,7 +533,7 @@ foreach($report_stock as $n=>$v) {
 {	global $pdo;
 	$ret = array();
 	$q = $pdo->prepare("SELECT * FROM reports ORDER BY `name`");
-
+	$q->execute();
 	while($r = $q->fetch(PDO::FETCH_ASSOC)) {
 		$report = array();
 	        $report['name'] = $r['name'];
@ -551,8 +551,8 @@ foreach($report_stock as $n=>$v) {
 	$r = intval($report_id);
 	/* if the report['id'] is not zero, see if this is a
 	 * systeim report before doing anything. */
-	$q = $pdo->prepare("SELECT system_report_id FROM reports WHERE id='$r'");
+	$q = $pdo->prepare("SELECT system_report_id FROM reports WHERE id=?");
-	$q->execute();
+	$q->execute([$r]);
 	$i = $q->fetch(PDO::FETCH_ASSOC);
 	if(intval($i['system_report_id']) != 0) {
 		/* This is a system report, the editor (should)
@ -563,10 +563,10 @@ foreach($report_stock as $n=>$v) {
 		echo "ERROR: attempt to delete a system report (reports.id=$r)";
 		exit;
 	}
- 	$stmt = $pdo->prepare("DELETE FROM reports WHERE `id`=$r");
+ 	$stmt = $pdo->prepare("DELETE FROM reports WHERE `id`=?");
-	$stmt->execute();
+	$stmt->execute([$r]);
-	$stmt = $pdo->prepare("DELETE FROM reports_items WHERE `reports_id`=$r");
+	$stmt = $pdo->prepare("DELETE FROM reports_items WHERE `reports_id`=?");
- $stmt->execute();}
+ $stmt->execute([$r]);
 function report_gen($report) 
--- a/admin/reports.php
+++ b/admin/reports.php
@ -39,8 +39,8 @@ switch (get_value_from_array($_GET, 'action')) {
 	case 'remove_report':
 		$id = intval($_GET['id']);
 		$stmt = $pdo->prepare("DELETE FROM reports_committee WHERE
-			users_id='{$_SESSION['users_uid']}' AND id='$id'");
+			users_id=? AND id=?");
-		$stmt->execute();
+		$stmt->execute([$_SESSION['users_uid'],$id]);
 		happy_('Report successfully removed');
 		exit;
 	case 'reload':
@ -64,16 +64,17 @@ switch (get_value_from_array($_GET, 'action')) {
 			$ret['name'] = $report['name'];
 			$ret['category'] = '';
 		} else {
-			$q = $pdo->prepare("SELECT * FROM reports_committee WHERE id='$id'");
+			$q = $pdo->prepare("SELECT * FROM reports_committee WHERE id=?");
 			$q->execute([$id]);
 			$ret = $q->fetch(PDO::FETCH_ASSOC);
 			$ret['type'] = $ret['format'];
 		}
 		/* Load available categories */
 		$q = $pdo->prepare("SELECT DISTINCT category FROM reports_committee
- \t\t\tWHERE users_id='{$_SESSION['users_uid']}'
+ \t\t\tWHERE users_id=?
 			ORDER BY category");
-		$q->execute();
+		$q->execute([$_SESSION['users_uid']]);
 		while ($i = $q->fetch(PDO::FETCH_OBJ))
 			$ret['cat'][] = $i->category;
 		echo json_encode($ret);
@ -87,8 +88,8 @@ switch (get_value_from_array($_GET, 'action')) {
 		if ($id == -1) {
 			/* New entry */
 			$stmt = $pdo->prepare("INSERT INTO `reports_committee` (`users_id`,`reports_id`) 
-			VALUES('{$_SESSION['users_uid']}','$reports_id');");
+			VALUES(?,?);");
-			$stmt->execute();
+			$stmt->execute([$_SESSION['users_uid'],$reports_id]);
 			show_pdo_errors_if_any($pdo);
 			$id = $pdo->lastInsertId();
 		}
@ -124,12 +125,12 @@ switch (get_value_from_array($_GET, 'action')) {
 		}
 		$stmt = $pdo->prepare("UPDATE `reports_committee` SET
-			`category`='$category',
+			`category`=?,
-			`comment`='$comment',
+			`comment`=?,
-			`format`='$type',
+			`format`=?,
-			`stock`='$stock'
+			`stock`=?
-			WHERE id='$id'");
+			WHERE id=?");
-		$stmt->execute();
+		$stmt->execute([$category,$comment,$type,$stock,$id]);
 		happy_('Saved');
 		exit;
 }
@ -248,9 +249,9 @@ global $edit_mode;
 $q = $pdo->prepare("SELECT reports_committee.*,reports.name
 \t\t\tFROM reports_committee 
 				LEFT JOIN reports ON reports.id=reports_committee.reports_id
- \t\t\tWHERE users_id='{$_SESSION['users_uid']}'
+ \t\t\tWHERE users_id=?
 			ORDER BY category,id");
-$q->execute();
+$q->execute([$_SESSION['users_uid']]);
 show_pdo_errors_if_any($pdo);
 if ($q->rowCount() == 0) {
 	echo i18n('You have no reports saved');
--- a/admin/reports_acscript.php
+++ b/admin/reports_acscript.php
@ -80,14 +80,14 @@ $q = $pdo->prepare("SELECT
 				award_types,
 				sponsors
 			WHERE 
-					award_awards.year='$foryear'
+					award_awards.year=?
-				AND\taward_types.year='$foryear'
+				AND\taward_types.year=?
 				AND\taward_awards.award_types_id=award_types.id
 				AND\taward_awards.sponsors_id=sponsors.id
 				AND\taward_awards.excludefromac='0'
-				$awardtype
+				?
 			ORDER BY awards_order");
-$q->execute();
+$q->execute([$foryear,$foryear,$awardtype]);
 show_pdo_errors_if_any($pdo);
 //	echo "<pre>";
@ -114,14 +114,14 @@ while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 						LEFT JOIN winners ON winners.awards_prizes_id=award_prizes.id
 						LEFT JOIN projects ON projects.id=winners.projects_id
 					WHERE 
-						award_awards_id='{$r->id}' 
+						award_awards_id=? 
-						AND award_prizes.year='$foryear'
+						AND award_prizes.year=?
 						AND award_prizes.excludefromac='0'
-						AND ($and_categories)
+						AND (?)
 					ORDER BY 
 						`order`,
 						projects.projectnumber");
-	$pq->execute();
+	$pq->execute([$r->id,$foryear,$and_categories]);
 	show_pdo_errors_if_any($pdo);
 	$r->winners = array();
@ -246,10 +246,10 @@ foreach ($awards as $r) {
 									students,
 									schools
 								WHERE
-									students.registrations_id='$pr->reg_id'
+									students.registrations_id=?
 									AND students.schools_id=schools.id
 								");
-				$sq->execute();
+				$sq->execute([$pr->reg_id]);
 				$students = '       Students: ';
 				$studnum = 0;
--- a/admin/reports_appeal_letters.php
+++ b/admin/reports_appeal_letters.php
@ -70,15 +70,16 @@ $pdf->setImageScale(PDF_IMAGE_SCALE_RATIO);
 /* Load the users */
 $users = array();
-$q = $pdo->prepare("SELECT * FROM fundraising_campaigns_users_link WHERE fundraising_campaigns_id='$fcid'");
+$q = $pdo->prepare("SELECT * FROM fundraising_campaigns_users_link WHERE fundraising_campaigns_id=?");
 $q->execute([$fcid]);
 while ($l = $q->fetch(PDO::FETCH_ASSOC)) {
 	$uid = $l['users_uid'];
 	$users[$uid] = user_load_by_uid($uid);
 }
 /* Grab all the emails */
-$q = $pdo->prepare("SELECT * FROM emails WHERE fundraising_campaigns_id='$fcid' AND val='$key'");
+$q = $pdo->prepare("SELECT * FROM emails WHERE fundraising_campaigns_id=? AND val=?");
-$q->execute();
+$q->execute([$fcid,$key]);
 while ($e = $q->fetch(PDO::FETCH_ASSOC)) {
 	foreach ($users as $uid => &$u) {
--- a/admin/reports_ceremony.php
+++ b/admin/reports_ceremony.php
@ -61,8 +61,8 @@ echo "</td></tr>\n";
 echo '<tr>';
 // list award subsets to output
 echo '<td><b>' . i18n('Award Type') . ':</b></td> <td> <select name="awardtype" size=1>';
-$results = $pdo->prepare('SELECT type FROM award_types WHERE year=' . $config['FAIRYEAR'] . ' ORDER BY type');
+$results = $pdo->prepare('SELECT type FROM award_types WHERE year=? ORDER BY type');
-$results->execute();
+$results->execute([$config['FAIRYEAR']]);
 echo '<option value="All">' . i18n('All') . '</option>';
 while ($r = $results->fetch(PDO::FETCH_OBJ)) {
 	echo "<option value=\"$r->type\">" . i18n("$r->type") . '</option>';
@ -94,8 +94,8 @@ echo '<td><input name="group_by_prize" type="checkbox" /></td></tr>';
 echo '<tr><td><b>' . i18n('Include the following age categories') . ':</b></td>';
 echo '<td>';
-$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year='{$config['FAIRYEAR']}' ORDER BY id");
+$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year=? ORDER BY id");
-$q->execute();
+$q->execute([$config['FAIRYEAR']]);
 while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 	echo "<input name=\"show_category[{$r->id}]\" type=\"checkbox\" checked=\"checked\" />";
 	echo '' . i18n($r->category) . '<br />';
--- a/admin/reports_gen.php
+++ b/admin/reports_gen.php
@ -40,8 +40,8 @@ if ($year < 1000)
 /* If it's a system report, turn that into the actual report id */
 if (array_key_exists('sid', $_GET)) {
 	$sid = intval($_GET['sid']);
-	$q = $pdo->prepare("SELECT id FROM reports WHERE system_report_id='$sid'");
+	$q = $pdo->prepare("SELECT id FROM reports WHERE system_report_id=?");
-	$q->execute();
+	$q->execute([$sid]);
 	$r = $q->fetch(PDO::FETCH_OBJ);
 	$id = $r['id'];
 }
@ -91,9 +91,9 @@ switch ($_GET['action']) {
 	<?
 	/* See if the report is in this committee member's list */
 	$q = $pd->prepare("SELECT * FROM reports_committee 
- \t\t\t\tWHERE users_id='{$_SESSION['users_uid']}'
+ \t\t\t\tWHERE users_id=?
-				AND reports_id='{$report['id']}'");
+				AND reports_id=?");
-	$q->execute();
+	$q->execute([$_SESSION['users_uid'],$report['id']]);
 	if ($q->rowCount() > 0) {
 		$i = $q->fetch(PDO::FETCH_ASSOC);
 		?>
@ -223,9 +223,9 @@ echo "<td>{$report['creator']}</td></tr>";
 echo '<tr><td colspan="2"><hr /></td></tr>';
 /* See if the report is in this committee member's list */
 $q = $pdo->prepare("SELECT * FROM reports_committee 
- \t\t\tWHERE users_id='{$_SESSION['users_uid']}'
+ \t\t\tWHERE users_id=?
-			AND reports_id='{$report['id']}'");
+			AND reports_id=?");
-$q->execute();
+$q->execute([$_SESSION['users_uid'],$report['id']]);
 echo '<tr><td colspan="2"><h3>' . i18n('My Reports Info') . '</h3></td></tr>';
 if ($q->rowCount() > 0) {
 	/* Yes, it is */
--- a/admin/reports_judges.inc.php
+++ b/admin/reports_judges.inc.php
@ -48,8 +48,8 @@ function report_judges_load_divs($year)
 	/* Load divisions for this year, only once */
 	if (!array_key_exists($year, $report_judges_divs)) {
 		$report_judges_divs[$year] = array();
-		$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year='$year'");
+		$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year=?");
-		$q->execute();
+		$q->execute([$year]);
 		while (($d = $q->fetch(PDO::FETCH_ASSOC))) {
 			$report_judges_divs[$year][$d['id']] = $d;
 		}
@ -61,8 +61,8 @@ function report_judges_load_cats($year)
 	global $report_judges_cats;
 	global $pdo;
 	if (!array_key_exists($year, $report_judges_cats)) {
-		$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year='$year'");
+		$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year=?");
-		$q->execute();
+		$q->execute([$year]);
 		while (($c = $q->fetch(PDO::FETCH_ASSOC))) {
 			$report_judges_cats[$year][$c['id']] = $c;
 		}
@ -142,14 +142,14 @@ function report_judges_custom_question($report, $field, $text)
 	$users_id = $text;
 	/* Find the actual question ID */
-	$q = $pdo->prepare("SELECT * FROM questions WHERE year='$year' AND ord='$q_ord'");
+	$q = $pdo->prepare("SELECT * FROM questions WHERE year=? AND ord=?");
-	$q->execute();
+	$q->execute([$year,$q_ord]);
 	if ($q->rowCount() != 1)
 		return 'Question not specified';
 	$question = $q->fetch(PDO::FETCH_ASSOC);
-	$q = $pdo->prepare("SELECT * FROM question_answers WHERE users_id='$users_id' AND questions_id='{$question['id']}'");
+	$q = $pdo->prepare("SELECT * FROM question_answers WHERE users_id=? AND questions_id=?");
-	$q->execute();
+	$q->execute([$users_id,$question['id']]);
 	if ($q->rowCount() != 1)
 		return '';
 	$answer = $q->fetch(PDO::FETCH_ASSOC);
@ -194,9 +194,9 @@ function report_judges_team_members($report, $field, $text)
 	$judges_teams_id = $text;
 	$q = $pdo->prepare("SELECT * FROM judges_teams_link 
 						LEFT JOIN users ON judges_teams_link.users_id=users.id
-						WHERE judges_teams_link.year='$year'
+						WHERE judges_teams_link.year=?
-						AND judges_teams_link.judges_teams_id='$judges_teams_id'");
+						AND judges_teams_link.judges_teams_id=?");
-	$q->execute();
+	$q->execute([$year,$judges_teams_id]);
 	$ret = '';
 	while (($m = $q->fetch(PDO::FETCH_ASSOC))) {
 		$add = false;
@ -239,8 +239,8 @@ function report_judges_load_rounds($year)
 	if (count($report_judges_rounds))
 		return;
-	$q = $pdo->prepare("SELECT * FROM judges_timeslots WHERE round_id='0' AND `year`='$year'");
+	$q = $pdo->prepare("SELECT * FROM judges_timeslots WHERE round_id='0' AND `year`=?");
-	$q->execute();
+	$q->execute([$year]);
 	/* Loads judges_timeslots.id, .starttime, .endtime, .date, .name */
 	while ($r = $q->fetch(PDO::FETCH_ASSOC)) {
 		$report_judges_rounds[] = $r;
@ -258,8 +258,8 @@ function report_judges_specialaward($report, $field, $text)
 	global $config, $report_judges_rounds, $pdo;
 	$year = $report['year'];
 	$award_id = $text;
-	$q = $pdo->prepare("SELECT * FROM award_awards WHERE id='" . intval($award_id) . "'");
+	$q = $pdo->prepare("SELECT * FROM award_awards WHERE id=?");
-	$q->execute();
+	$q->execute([intval($award_id)]);
 	$r = $q->fetch(PDO::FETCH_OBJ);
 	return $r->name;
 }
@ -284,8 +284,8 @@ function report_judges_time_availability($report, $field, $text)
 			exit;
 	}
-	$q = $pdo->prepare("SELECT * FROM judges_availability WHERE users_id='$users_id'");
+	$q = $pdo->prepare("SELECT * FROM judges_availability WHERE users_id=?");
-	$q->execute();
+	$q->execute([$users_id]);
 	//	echo mysql_error();
 	while (($r = $q->fetch(PDO::FETCH_ASSOC))) {
 		if ($r['start'] <= $round['starttime'] &&
--- a/admin/reports_judges.php
+++ b/admin/reports_judges.php
@ -77,8 +77,8 @@ foreach ($keys as $qid) {
 }
 // grab the list of divisions, because the last fields of the table will be the sub-divisions
-$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY id");
+$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year=? ORDER BY id");
-$q->execute();
+$q->execute([$config['FAIRYEAR']]);
 $numcats = $q->rowCount();
 $catheadings = array();
 while ($r = $q->fetch(PDO::FETCH_OBJ)) {
@ -86,8 +86,8 @@ while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 	$catheadings[] = "$r->category (out of 5)";
 }
 // grab the list of divisions, because the last fields of the table will be the sub-divisions
-$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY id");
+$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year=? ORDER BY id");
-$q->execute();
+$q->execute([$config['FAIRYEAR']]);
 $divheadings = array();
 while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 	$divs[] = $r->id;
@ -102,8 +102,8 @@ $times = array();
 $datetimeheadings = array();
 /* Load the judging rounds */
-$q = $pdo->prepare("SELECT date,starttime,endtime,name FROM judges_timeslots WHERE round_id='0' AND year='{$config['FAIRYEAR']}' ORDER BY starttime,type");
+$q = $pdo->prepare("SELECT date,starttime,endtime,name FROM judges_timeslots WHERE round_id='0' AND year=? ORDER BY starttime,type");
-$q->execute();
+$q->execute([$config['FAIRYEAR']]);
 $x = 0;
 while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 	$found = false;
@ -138,13 +138,13 @@ $q = $pdo->prepare("SELECT
 				JOIN users_judge ON users.id=users_judge.users_id
 			WHERE 
 				users.deleted='no' AND 
-				users.year='" . $config['FAIRYEAR'] . "'
+				users.year=?
 				AND users.types LIKE '%judge%'
 			ORDER BY 
 				lastname,
 				firstname");
-$q->execute();
+$q->execute([$config['FAIRYEAR']]);
 show_pdo_errors_if_any($pdo);
 while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 	$u = user_load($r->id);
@ -182,8 +182,8 @@ while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 		$qarray[] = $qans[$qid];
 	}
-	$tq = $pdo->prepare('SELECT * FROM judges_availability WHERE users_id="' . $r->id . '" ORDER BY `start`');
+	$tq = $pdo->prepare('SELECT * FROM judges_availability WHERE users_id=? ORDER BY `start`');
-	$tq->execute();
+	$tq->execute([$r->id]);
 	$sel = array();
 	$timedata = array();
--- a/admin/reports_judges_allyears.php
+++ b/admin/reports_judges_allyears.php
@ -78,8 +78,8 @@ foreach ($keys as $qid) {
 }
 // grab the list of divisions, because the last fields of the table will be the sub-divisions
-$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY id");
+$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year=? ORDER BY id");
-$q->execute();
+$q->execute([$config['FAIRYEAR']]);
 $numcats = $q->rowCount();
 $catheadings = array();
 while ($r = $q->fetch(PDO::FETCH_OBJ)) {
@ -87,8 +87,8 @@ while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 	$catheadings[] = "$r->category (out of 5)";
 }
 // grab the list of divisions, because the last fields of the table will be the sub-divisions
-$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY id");
+$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year=? ORDER BY id");
-$q->execute();
+$q->execute([$config['FAIRYEAR']]);
 $divheadings = array();
 while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 	$divs[] = $r->id;
--- a/admin/reports_judges_teams_projects.php
+++ b/admin/reports_judges_teams_projects.php
@ -45,8 +45,8 @@ if ($type == 'pdf') {
 $teams = getJudgingTeams();
-$q = $pdo->prepare("SELECT DISTINCT(date) AS d FROM judges_timeslots WHERE year='" . $config['FAIRYEAR'] . "'");
+$q = $pdo->prepare("SELECT DISTINCT(date) AS d FROM judges_timeslots WHERE year=?");
-$q->execute();
+$q->execute([$config['FAIRYEAR']]);
 if ($q->rowCount() > 1)
 	$show_date = true;
 else
@ -83,8 +83,8 @@ foreach ($teams AS $team) {
 			$rep->addText(i18n('Criteria') . ': ' . $award['criteria']);
 			// get category eligibility
-			$q = $pdo->prepare("SELECT projectcategories.category FROM projectcategories, award_awards_projectcategories WHERE award_awards_projectcategories.projectcategories_id=projectcategories.id AND award_awards_projectcategories.award_awards_id='{$award['id']}' AND award_awards_projectcategories.year='{$config['FAIRYEAR']}' AND projectcategories.year='{$config['FAIRYEAR']}' ORDER BY category");
+			$q = $pdo->prepare("SELECT projectcategories.category FROM projectcategories, award_awards_projectcategories WHERE award_awards_projectcategories.projectcategories_id=projectcategories.id AND award_awards_projectcategories.award_awards_id=? AND award_awards_projectcategories.year=? AND projectcategories.year=? ORDER BY category");
-			$q->execute();
+			$q->execute([$award['id'],$config['FAIRYEAR'],$config['FAIRYEAR']]);
 			show_pdo_errors_if_any($pdo);
 			$cats = '';
 			while ($r = $q->fetch(PDO::FETCH_OBJ)) {
@ -96,8 +96,8 @@ foreach ($teams AS $team) {
 			$rep->addText(i18n('Categories') . ": $cats");
 			// get division eligibility
-			$q = $pdo->prepare("SELECT projectdivisions.division_shortform FROM projectdivisions, award_awards_projectdivisions WHERE award_awards_projectdivisions.projectdivisions_id=projectdivisions.id AND award_awards_projectdivisions.award_awards_id='{$award['id']}' AND award_awards_projectdivisions.year='{$config['FAIRYEAR']}' AND projectdivisions.year='{$config['FAIRYEAR']}' ORDER BY division_shortform");
+			$q = $pdo->prepare("SELECT projectdivisions.division_shortform FROM projectdivisions, award_awards_projectdivisions WHERE award_awards_projectdivisions.projectdivisions_id=projectdivisions.id AND award_awards_projectdivisions.award_awards_id=? AND award_awards_projectdivisions.year=? AND projectdivisions.year=? ORDER BY division_shortform");
-			$q->execute();
+			$q->execute([$award['id'],$config['FAIRYEAR'],$config['FAIRYEAR']]);
 			show_pdo_errors_if_any($pdo);
 			$divs = '';
 			while ($r = $q->fetch(PDO::FETCH_OBJ)) {
@ -123,13 +123,13 @@ foreach ($teams AS $team) {
 					judges_teams,
 					judges_teams_timeslots_link
 				WHERE
-					judges_teams.id='" . $team['id'] . "' AND
+					judges_teams.id=? AND
 					judges_teams.id=judges_teams_timeslots_link.judges_teams_id AND
 					judges_timeslots.id=judges_teams_timeslots_link.judges_timeslots_id
 				ORDER BY
 					date,starttime
 				");
-	$q->execute();
+	$q->execute([$team['id']]);
 	$numslots = $q->rowCount();
 	while ($r = $q->fetch(PDO::FETCH_OBJ)) {
@ -147,14 +147,14 @@ foreach ($teams AS $team) {
 					projects,
 					judges_teams_timeslots_projects_link
 				WHERE
-					judges_teams_timeslots_projects_link.judges_timeslots_id='$r->id' AND
+					judges_teams_timeslots_projects_link.judges_timeslots_id=? AND
-					judges_teams_timeslots_projects_link.judges_teams_id='" . $team['id'] . "' AND
+					judges_teams_timeslots_projects_link.judges_teams_id=? AND
 					judges_teams_timeslots_projects_link.projects_id=projects.id AND
-					judges_teams_timeslots_projects_link.year='" . $config['FAIRYEAR'] . "'
+					judges_teams_timeslots_projects_link.year=?
 				ORDER BY
 					projectnumber
 				");
-		$projq->execute();
+		$projq->execute([$r->id,$team['id'],$config['FAIRYEAR']]);
 		while ($proj = $projq->fetch(PDO::FETCH_OBJ)) {
 			$table['data'][] = array($timeslot, $proj->projectnumber, $proj->title);
--- a/admin/reports_mailinglabels_generator.php
+++ b/admin/reports_mailinglabels_generator.php
@ -83,11 +83,11 @@ if ($report) {
 						FROM
 							schools
 						WHERE
-							year='{$config['FAIRYEAR']}'
+							year=?
 						ORDER BY
 							school
 						");
-			$q->execute();
+			$q->execute([$config['FAIRYEAR']]);
 			break;
 		case 'sponsors':
@ -129,11 +129,11 @@ if ($report) {
 							judges_years
 						WHERE
 							judges_years.judges_id=judges.id
-							AND judges_years.year='{$config['FAIRYEAR']}'
+							AND judges_years.year=?
 						ORDER BY
 							lastname,firstname
 						");
-			$q->execute();
+			$q->execute([$config['FAIRYEAR']]);
 			break;
 	}
--- a/admin/reports_program_awards.php
+++ b/admin/reports_program_awards.php
@ -30,13 +30,13 @@ $q = $pdo->prepare("SELECT
 				award_awards,
 				award_types
 			WHERE 
-					award_awards.year='" . $config['FAIRYEAR'] . "'
+					award_awards.year=?
-				AND\taward_types.year='" . $config['FAIRYEAR'] . "'
+				AND\taward_types.year=?
 				AND\taward_awards.award_types_id=award_types.id
 				AND\taward_awards.excludefromac='0'
 				AND\t(award_types.type='special' OR award_types.type='grand')
 			ORDER BY awards_order");
-$q->execute();
+$q->execute([$config['FAIRYEAR'],$config['FAIRYEAR']]);
 show_pdo_errors_if_any($pdo);
@ -45,8 +45,8 @@ if ($q->rowCount()) {
 		$rep->heading(i18n($r->name));
 		// get teh age categories
-		$acq = $pdo->prepare("SELECT projectcategories.category FROM projectcategories, award_awards_projectcategories  WHERE projectcategories.year='" . $config['FAIRYEAR'] . "' AND award_awards_projectcategories.year='" . $config['FAIRYEAR'] . "' AND award_awards_projectcategories.award_awards_id='$r->id' AND award_awards_projectcategories.projectcategories_id=projectcategories.id ORDER BY projectcategories.id");
+		$acq = $pdo->prepare("SELECT projectcategories.category FROM projectcategories, award_awards_projectcategories  WHERE projectcategories.year=? AND award_awards_projectcategories.year=? AND award_awards_projectcategories.award_awards_id=? AND award_awards_projectcategories.projectcategories_id=projectcategories.id ORDER BY projectcategories.id");
-		$acq->execute();
+		$acq->execute([$config['FAIRYEAR'],$config['FAIRYEAR'],$r->id]);
 		show_pdo_errors_if_any($pdo);
 		$cats = '';
 		while ($acr = $acq->fetch(PDO::FETCH_OBJ)) {
@ -64,12 +64,12 @@ if ($q->rowCount()) {
 					FROM 
 						award_prizes 
 					WHERE 
-						award_awards_id='$r->id' 
+						award_awards_id=? 
-						AND award_prizes.year='" . $config['FAIRYEAR'] . "'
+						AND award_prizes.year=?
 						AND award_prizes.excludefromac='0'
 					ORDER BY 
 						`order`");
-		$pq->execute();
+		$pq->execute([$r->id,$config['FAIRYEAR']]);
 		show_pdo_errors_if_any($pdo);
 		$prevprizeid = -1;
 		while ($pr = $pq->fetch(PDO::FETCH_OBJ)) {
--- a/admin/reports_projects_details.php
+++ b/admin/reports_projects_details.php
@ -65,14 +65,15 @@ $projq = $pdo->prepare("SELECT
 				LEFT JOIN projectcategories ON projectcategories.id=projects.projectcategories_id
 			WHERE
-				projects.year='" . $config['FAIRYEAR'] . "' 
+				projects.year=? 
-				AND projectdivisions.year='" . $config['FAIRYEAR'] . "'
+				AND projectdivisions.year=?
-				AND projectcategories.year='" . $config['FAIRYEAR'] . "'
+				AND projectcategories.year=?
 				AND ( registrations.status='complete'
 			\t OR registrations.status='paymentpending' )
 			ORDER BY
 				projects.projectnumber
 			");
 $projq->execute([$config['FAIRYEAR'],$config['FAIRYEAR'],$config['FAIRYEAR']]);
 show_pdo_errors_if_any($pdo);
 $totalprojects = $projq->rowCount();
@ -85,9 +86,9 @@ while ($proj = $projq->fetch(PDO::FETCH_OBJ)) {
 				FROM
 					students
 				WHERE
-					students.registrations_id='$proj->reg_id'
+					students.registrations_id=?
 				");
-	$sq->execute();
+	$sq->execute([$proj->reg_id]);
 	$students = '';
 	$studnum = 0;
 	while ($studentinfo = $sq->fetch(PDO::FETCH_OBJ)) {
@ -115,8 +116,8 @@ while ($proj = $projq->fetch(PDO::FETCH_OBJ)) {
 	$rep->addTable($table);
 	unset($table);
-	$q = $pdo->prepare("SELECT * FROM mentors WHERE registrations_id='" . $proj->reg_id . "'");
+	$q = $pdo->prepare("SELECT * FROM mentors WHERE registrations_id=?");
-	$q->execute();
+	$q->execute([$proj->reg_id]);
 	$rep->nextline();
 	$rep->heading(i18n('Mentor Information'));
 	$rep->nextline();
--- a/admin/reports_projects_judges_teams.php
+++ b/admin/reports_projects_judges_teams.php
@ -49,8 +49,8 @@ if ($type == 'pdf') {
 $teams = getJudgingTeams();
-$q = $pdo->prepare("SELECT DISTINCT(date) AS d FROM judges_timeslots WHERE year='" . $config['FAIRYEAR'] . "'");
+$q = $pdo->prepare("SELECT DISTINCT(date) AS d FROM judges_timeslots WHERE year=?");
-$q->execute();
+$q->execute([$config['FAIRYEAR']]);
 if ($q->rowCount() > 1)
 	$show_date = true;
 else
@ -73,15 +73,15 @@ $projq = $pdo->prepare("SELECT
 				LEFT JOIN projectcategories ON projectcategories.id=projects.projectcategories_id
 			WHERE
-				projects.year='" . $config['FAIRYEAR'] . "' 
+				projects.year=? 
-				AND projectdivisions.year='" . $config['FAIRYEAR'] . "'
+				AND projectdivisions.year=?
-				AND projectcategories.year='" . $config['FAIRYEAR'] . "'
+				AND projectcategories.year=?
 				AND ( registrations.status='complete'
 			\t OR registrations.status='paymentpending' )
 			ORDER BY
 				projects.projectnumber
 			");
-$projq->execute();
+$projq->execute([$config['FAIRYEAR'],$config['FAIRYEAR'],$config['FAIRYEAR']]);
 show_pdo_errors_if_any($pdo);
 while ($proj = $projq->fetch(PDO::FETCH_OBJ)) {
@ -92,9 +92,9 @@ while ($proj = $projq->fetch(PDO::FETCH_OBJ)) {
 				FROM
 					students
 				WHERE
-					students.registrations_id='$proj->reg_id'
+					students.registrations_id=?
 				");
-	$sq->execute();
+	$sq->execute([$proj->reg_id]);
 	$students = '';
 	$studnum = 0;
@ -127,12 +127,12 @@ while ($proj = $projq->fetch(PDO::FETCH_OBJ)) {
 					LEFT JOIN judges_timeslots ON judges_teams_timeslots_projects_link.judges_timeslots_id=judges_timeslots.id
 					LEFT JOIN judges_teams ON judges_teams_timeslots_projects_link.judges_teams_id=judges_teams.id
 				WHERE
-					judges_teams_timeslots_projects_link.projects_id='$proj->id'
+					judges_teams_timeslots_projects_link.projects_id=?
-					AND judges_teams_timeslots_projects_link.year='" . $config['FAIRYEAR'] . "'
+					AND judges_teams_timeslots_projects_link.year=?
 				ORDER BY
 					date,starttime
 				");
-	$q->execute();
+	$q->execute([$proj->id,$config['FAIRYEAR']]);
 	$numslots = $q->rowCount();
 	while ($r = $q->fetch(PDO::FETCH_OBJ)) {
--- a/admin/reports_students.inc.php
+++ b/admin/reports_students.inc.php
@ -81,9 +81,9 @@ function report_student_safety_question($report, $field, $text)
 			safety.answer
 		FROM safetyquestions
 		JOIN safety ON safetyquestions.id=safety.safetyquestions_id
-		WHERE safety.registrations_id='" . $regid . "' 
+		WHERE safety.registrations_id=? 
-		ORDER BY safetyquestions.ord LIMIT $q_ord,1");
+		ORDER BY safetyquestions.ord LIMIT ?,1");
-	$q->execute();
+	$q->execute([$regid,$q_ord]);
 	$r = $q->fetch(PDO::FETCH_OBJ);
 	return $r->answer;
@ -94,9 +94,9 @@ function reports_students_numstudents($report, $field, $text)
 	global $pdo;
 	$year = $report['year'];
 	$q = $pdo->prepare("SELECT students.id FROM students 
-				WHERE students.registrations_id='$text'
+				WHERE students.registrations_id=?
-					AND students.year='$year'");
+					AND students.year=?");
-	$q->execute();
+	$q->execute([$text,$year]);
 	return $q->rowCount();
 }
@ -108,11 +108,11 @@ function reports_students_award_selfnom_num($report, $field, $text, $n)
 				projects 
 				LEFT JOIN project_specialawards_link ON project_specialawards_link.projects_id=projects.id
 				LEFT JOIN award_awards ON award_awards.id=project_specialawards_link.award_awards_id
-				WHERE projects.id='$text'
+				WHERE projects.id=?
-					AND projects.year='$year'
+					AND projects.year=?
-					AND project_specialawards_link.year='$year'
+					AND project_specialawards_link.year=?
-				LIMIT $n,1");
+				LIMIT ?,1");
-	$q->execute();
+	$q->execute([$text,$year,$year,$n]);
 	show_pdo_errors_if_any($pdo);
 	$i = $q->fetch(PDO::FETCH_OBJ);
 	return $i['name'];
@ -157,8 +157,8 @@ function report_student_regfee_item($report, $field, $text)
 {
 	$year = $report['year'];
 	$id = intval(substr($field, 12));
-	$q = $pdo->prepare("SELECT regfee_items_id FROM regfee_items_link WHERE students_id='$text' AND regfee_items_id='$id'");
+	$q = $pdo->prepare("SELECT regfee_items_id FROM regfee_items_link WHERE students_id=? AND regfee_items_id=?");
-	$q->execute();
+	$q->execute([$text,$id]);
 	show_pdo_errors_if_any($pdo);
 	if ($r = $q->fetch(PDO::FETCH_OBJ)) {
 		return i18n('Yes');
@ -167,8 +167,8 @@ function report_student_regfee_item($report, $field, $text)
 	}
 }
-$q = $pdo->prepare("SELECT * FROM regfee_items WHERE year='{$config['FAIRYEAR']}'");
+$q = $pdo->prepare("SELECT * FROM regfee_items WHERE year=?");
-$q->execute();
+$q->execute([$config['FAIRYEAR']]);
 $regfeeitems = array();
 $first = true;
 while ($i = $q->fetch(PDO::FETCH_ASSOC)) {
--- a/admin/rerollprizes.php
+++ b/admin/rerollprizes.php
@ -40,75 +40,76 @@ $newfairyear = 2008;
 // first make sure they have indeed done the rollover...
 if ($config['FAIRYEAR'] == 2008) {
 	// make sure the number of awards are identical (aka they havent added any new ones)
-	$nq1 = $pdo->prepare("SELECT * FROM award_awards WHERE year='$newfairyear'");
+	$nq1 = $pdo->prepare("SELECT * FROM award_awards WHERE year=?");
-	$nq1->execute();
+	$nq1->execute([$newfairyear]);
-	$nq2 = $pdo->prepare("SELECT * FROM award_awards WHERE year='$currentfairyear'");
+	$nq2 = $pdo->prepare("SELECT * FROM award_awards WHERE year=?");
-	$nq2->execute();
+	$nq2->execute([$currentfairyear]);
 	if ($nq1->rowCount() == $nq2->rowcount()) {
-		$npq1 = $pdo->prepare("SELECT * FROM award_prizes WHERE year='$newfairyear'");
+		$npq1 = $pdo->prepare("SELECT * FROM award_prizes WHERE year?");
-		$npq1->execute();
+		$npq1->execute([$newfairyear]);
-		$npq2 = $pdo->prepare("SELECT * FROM award_prizes WHERE year='$currentfairyear'");
+		$npq2 = $pdo->prepare("SELECT * FROM award_prizes WHERE year=?");
-		$npq2->execute();
+		$npq2->execute([$currentfairyear]);
 		if ($npq2->rowCount() > 0 && $npq1->rowCount() == 0) {
 			echo '<br />';
 			echo notice(i18n('A BUG WAS IDENTIFIED IN YOUR PREVIOUS YEAR ROLLOVER WHICH CAUSED AWARD PRIZES TO NOT BE ROLLED OVER PROPERLY.  THEY ARE NOW BEING RE-ROLLED OVER WITH THE PROPER PRIZE INFORMATION.  THIS WILL ONLY HAPPEN ONCE.')) . '<br />';
-			$stmt = $pdo->prepare("DELETE FROM award_awards WHERE year='$newfairyear'");
+			$stmt = $pdo->prepare("DELETE FROM award_awards WHERE year=?");
-			$stmt->execute();
+			$stmt->execute([$newfairyear]);
-			$stmt = $pdo->prepare("DELETE FROM award_prizes WHERE year='$newfairyear'");
+			$stmt = $pdo->prepare("DELETE FROM award_prizes WHERE year=?");
-			$stmt->execute();
+			$stmt->execute([$newfairyear]);
-			$stmt = $pdo->prepare("DELETE FROM award_contacts WHERE year='$newfairyear'");
+			$stmt = $pdo->prepare("DELETE FROM award_contacts WHERE year=?");
-			$stmt->execute();
+			$stmt->execute([$newfairyear]);
-			$stmt = $pdo->prepare("DELETE FROM award_types WHERE year='$newfairyear'");
+			$stmt = $pdo->prepare("DELETE FROM award_types WHERE year=?");
-			$stmt->execute();
+			$stmt->execute([$newfairyear]);
-			$stmt = $pdo->prepare("DELETE FROM award_awards_projectcategories WHERE year='$newfairyear'");
+			$stmt = $pdo->prepare("DELETE FROM award_awards_projectcategories WHERE year=?");
-			$stmt->execute();
+			$stmt->execute([$newfairyear]);
-			$stmt = $pdo->prepare("DELETE FROM award_awards_projectdivisions WHERE year='$newfairyear'");
+			$stmt = $pdo->prepare("DELETE FROM award_awards_projectdivisions WHERE year=?");
-			$stmt->execute();
+			$stmt->execute([$newfairyear]);
 			echo i18n('Rolling awards') . '<br />';
 			// awards
-			$q = $pdo->prepare("SELECT * FROM award_awards WHERE year='$currentfairyear'");
+			$q = $pdo->prepare("SELECT * FROM award_awards WHERE year=?");
-			$q->execute();
+			$q->execute([$currentfairyear]);
 			show_pdo_errors_if_any($pdo);
 			while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 				$stmt = $pdo->prepare("INSERT INTO award_awards (award_sponsors_id,award_types_id,name,criteria,presenter,`order`,year,excludefromac,cwsfaward) VALUES (
-				'" . $r->award_sponsors_id . "',
+				?,
-				'" . $r->award_types_i . "',
+				?,
-				'" . $r->name . "',
+				?,
-				'" . $r->criteria . "',
+				?,
-				'" . $r->presenter . "',
+				?,
-				'" . $r->order . "',
+				?,
-				'" . $newfairyear . "',
+				?,
-				'" . $r->excludefromac . "',
+				?,
-				'" . $r->cwsfaward . "')");
+				?)");
 				$stmt->execute([$r->award_sponsors_id,$r->award_types_i ,$r->name,$r->criteria,$r->presenter,$r->order,$newfairyear,$r->excludefromac,$r->cwsfaward ]);
 				$award_awards_id = $pdo->lastInsertId();
-				$q2 = $pdo->prepare("SELECT * FROM award_awards_projectcategories WHERE year='$currentfairyear' AND award_awards_id='$r->id'");
+				$q2 = $pdo->prepare("SELECT * FROM award_awards_projectcategories WHERE year=? AND award_awards_id=?");
-				$q2->execute();
+				$q2->execute([$currentfairyear,$r->id]);
 				show_pdo_errors_if_any($pdo);
 				while ($r2 = $q2->fetch(PDO::FETCH_OBJ)) {
 					$stmt = $pdo->prepare("INSERT INTO award_awards_projectcategories (award_awards_id,projectcategories_id,year) VALUES (
-				'" . $award_awards_id . "',
+				?,
-				'" . $r2->projectcategories_id . "',
+				?,
-				'" . $newfairyear . "')");
+				?)");
-					$stmt->execute();
+					$stmt->execute([$award_awards_id,$r2->projectcategories_id,$newfairyear]);
 				}
-				$q2 = $pdo->prepare("SELECT * FROM award_awards_projectdivisions WHERE year='$currentfairyear' AND award_awards_id='$r->id'");
+				$q2 = $pdo->prepare("SELECT * FROM award_awards_projectdivisions WHERE year=? AND award_awards_id=?");
-				$q2->execute();
+				$q2->execute([$currentfairyear,$r->id]);
 				show_pdo_errors_if_any($pdo);
 				while ($r2 = $q2->fetch(PDO::FETCH_OBJ)) {
 					$stmt = $pdo->prepare("INSERT INTO award_awards_projectdivisions (award_awards_id,projectdivisions_id,year) VALUES (
-				'" . $award_awards_id . "',
+				?,
-				'" . $r2->projectdivisions_id . "',
+				?,
-				'" . $newfairyear . "')");
+				?");
-					$stmt->execute();
+					$stmt->execute([$award_awards_id,$r2->projectdivisions_id,$newfairyear]);
 				}
 				echo i18n('&nbsp; Rolling award prizes') . '<br />';
-				$q2 = $pdo->prepare("SELECT * FROM award_prizes WHERE year='$currentfairyear' AND award_awards_id='$r->id'");
+				$q2 = $pdo->prepare("SELECT * FROM award_prizes WHERE year=? AND award_awards_id=?");
-				$q2->execute();
+				$q2->execute([$currentfairyear,$r->id]);
 				show_pdo_errors_if_any($pdo);
 				while ($r2 = $q2->fetch(PDO::FETCH_OBJ)) {
 					$stmt = $pdo->prepare("INSERT INTO award_prizes (award_awards_id,cash,scholarship,`value`,prize,number,`order`,year,excludefromac) VALUES (
@ -126,8 +127,8 @@ if ($config['FAIRYEAR'] == 2008) {
 			echo i18n('Rolling award contacts') . '<br />';
 			// award contacts
-			$q = $pdo->prepare("SELECT * FROM award_contacts WHERE year='$currentfairyear'");
+			$q = $pdo->prepare("SELECT * FROM award_contacts WHERE year=?");
-			$q->execute();
+			$q->execute([$currentfairyear]);
 			show_pdo_errors_if_any($pdo);
 			while ($r = $q->fetch(PDO::FETCH_OBJ))
 				$stmt = $pdo->prepare("INSERT INTO award_contacts (award_sponsors_id,salutation,firstname,lastname,position,email,phonehome,phonework,phonecell,fax,notes,year) VALUES (
@ -146,16 +147,16 @@ if ($config['FAIRYEAR'] == 2008) {
 			echo i18n('Rolling award types') . '<br />';
 			// award types
-			$q = $pdo->prepare("SELECT * FROM award_types WHERE year='$currentfairyear'");
+			$q = $pdo->prepare("SELECT * FROM award_types WHERE year=?");
-			$q->execute();
+			$q->execute([$currentfairyear]);
 			show_pdo_errors_if_any($pdo);
 			while ($r = $q->fetch(PDO::FETCH_OBJ))
 				$stmt = $pdo->prepare("INSERT INTO award_types (id,type,`order`,year) VALUES (
-				'" . $r->id . "',
+				?,
-				'" . $r->type . "',
+				?,
-				'" . $r->order . "',
+				?,
-				'" . $newfairyear . "')");
+				?)");
-			$stmt->execute();
+			$stmt->execute([$r->id,$r->type,$r->order,$newfairyear]);
 		}
 	}
 }
--- a/admin/schools.php
+++ b/admin/schools.php
@ -33,8 +33,8 @@ user_auth_required('committee', 'admin');
 if (get_value_from_array($_POST, 'save') == 'edit' || get_value_from_array($_POST, 'save') == 'add') {
 	if (get_value_from_array($_POST, 'save') == 'add') {
-		$q = $pdo->prepare("INSERT INTO schools (year) VALUES ('" . $config['FAIRYEAR'] . "')");
+		$q = $pdo->prepare("INSERT INTO schools (year) VALUES (?)");
-		$q->execute();
+		$q->execute([$config['FAIRYEAR']]);
 		$id = $pdo->lastInsertId();
 	} else
 		$id = intval(get_value_from_array($_POST, 'id'));
@ -49,8 +49,8 @@ if (get_value_from_array($_POST, 'save') == 'edit' || get_value_from_array($_POS
 	 */
 	/* Get the uids for principal/science head */
-	$q = $pdo->prepare("SELECT principal_uid,sciencehead_uid FROM schools WHERE id='$id'");
+	$q = $pdo->prepare("SELECT principal_uid,sciencehead_uid FROM schools WHERE id=?");
-	$q->execute();
+	$q->execute([$id]);
 	$i = $q->fetch(PDO::FETCH_ASSOC);
 	$principal_update = '';
@ -187,24 +187,24 @@ if (get_value_from_array($_POST, 'save') == 'edit' || get_value_from_array($_POS
 }
 if (get_value_from_array($_GET, 'action') == 'delete' && get_value_from_array($_GET, 'delete', '')) {
-	$stmt = $pdo->prepare("DELETE FROM schools WHERE id='" . $_GET['delete'] . "'");
+	$stmt = $pdo->prepare("DELETE FROM schools WHERE id=?");
-	$stmt->execute();
+	$stmt->execute([$_GET['delete']]);
 	$notice = 'deleted';
 }
 if (get_value_from_array($_GET, 'action') == 'clearaccesscodes') {
-	$stmt = $pdo->prepare("UPDATE schools SET accesscode=NULL WHERE year='{$config['FAIRYEAR']}'");
+	$stmt = $pdo->prepare("UPDATE schools SET accesscode=NULL WHERE year=?");
-	$stmt->execute();
+	$stmt->execute([$config['FAIRYEAR']]);
 	$notice = 'clearaccess';
 }
 if (get_value_from_array($_GET, 'action') == 'makeaccesscodes') {
-	$q = $pdo->prepare("SELECT id FROM schools WHERE year='{$config['FAIRYEAR']}' AND (accesscode IS NULL OR accesscode='')");
+	$q = $pdo->prepare("SELECT id FROM schools WHERE year=? AND (accesscode IS NULL OR accesscode='')");
-	$q->execute();
+	$q->execute([$config['FAIRYEAR']]);
 	while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 		$ac = generatePassword(5);
-		$stmt = $pdo->prepare("UPDATE schools SET accesscode='$ac' WHERE id='$r->id' AND year='{$config['FAIRYEAR']}'");
+		$stmt = $pdo->prepare("UPDATE schools SET accesscode=? WHERE id=? AND year=?");
-		$stmt->execute();
+		$stmt->execute([$ac,$r->id,$config['FAIRYEAR']]);
 	}
 	$notice = 'makeaccess';
 }
@ -217,8 +217,8 @@ if (get_value_from_array($_GET, 'action') == 'edit' || get_value_from_array($_GE
 		'schools_management');
 	if (get_value_from_array($_GET, 'action') == 'edit') {
 		$buttontext = 'Save School';
-		$q = $pdo->prepare("SELECT * FROM schools WHERE id='" . get_value_from_array($_GET, 'edit', '') . "'");
+		$q = $pdo->prepare("SELECT * FROM schools WHERE id=?");
-		$q->execute();
+		$q->execute([get_value_from_array($_GET, 'edit', '')]);
 		$r = $q->fetch(PDO::FETCH_OBJ);
 	} else if (get_value_from_array($_GET, 'action') == 'add') {
 		$buttontext = 'Add School';
@ -371,8 +371,8 @@ if (get_value_from_array($_GET, 'action') == 'edit' || get_value_from_array($_GE
 	echo ' <th>' . i18n('Action') . '</th>';
 	echo "</tr></thead>\n";
-	$q = $pdo->prepare("SELECT * FROM schools WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY school");
+	$q = $pdo->prepare("SELECT * FROM schools WHERE year=? ORDER BY school");
-	$q->execute();
+	$q->execute([$config['FAIRYEAR']]);
 	while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 		echo "<tr>\n";
 		echo " <td>$r->school</td>\n";
--- a/admin/schoolsimport.php
+++ b/admin/schoolsimport.php
@ -49,8 +49,8 @@ if (get_value_from_array($_POST, 'action') == 'import') {
 			// okay it looks like we have something.. lets dump the current stuff
 			if ($_POST['emptycurrent'] == 1) {
 				echo happy(i18n('Old school data erased'));
-				$stmt = $pdo->prepare("DELETE FROM schools WHERE year='" . $config['FAIRYEAR'] . "'");
+				$stmt = $pdo->prepare("DELETE FROM schools WHERE year=?");
-				$stmt->execute();
+				$stmt->execute([$config['FAIRYEAR']]);
 			}
 			$loaded = 0;
--- a/admin/send_emailqueue.php
+++ b/admin/send_emailqueue.php
@ -44,8 +44,8 @@ if (!$config['emailqueue_lock']) {
 		$q->execute();
 		if ($q->rowCount()) {
 			$r = $q->fetch(PDO::FETCH_OBJ);
-			$eq = $pdo->prepare("SELECT * FROM emailqueue WHERE id='$r->emailqueue_id'");
+			$eq = $pdo->prepare("SELECT * FROM emailqueue WHERE id=?");
-			$eq->execute();
+			$eq->execute([$r->emailqueue_id]);
 			$email = $eq->fetch(PDO::FETCH_OBJ);
 			$blank = array();
@ -73,31 +73,31 @@ if (!$config['emailqueue_lock']) {
 			$result = email_send_new($to, $email->from, $email->subject, $body, $bodyhtml);
 			if ($result) {
-				$stmt = $pdo->prepare("UPDATE emailqueue_recipients SET sent=NOW(), `result`='ok' WHERE id='$r->id'");
+				$stmt = $pdo->prepare("UPDATE emailqueue_recipients SET sent=NOW(), `result`='ok' WHERE id=?");
-				$stmt->execute();
+				$stmt->execute([$r->id]);
 				show_pdo_errors_if_any($pdo);
 				$newnumsent = $email->numsent + 1;
-				$stmt = $pdo->prepare("UPDATE emailqueue SET numsent=$newnumsent WHERE id='$email->id'");
+				$stmt = $pdo->prepare("UPDATE emailqueue SET numsent=? WHERE id=?");
-				$stmt->execute();
+				$stmt->execute([$newnumsent,$email->id]);
 				show_pdo_errors_if_any($pdo);
 				echo "ok\n";
 			} else {
-				$stmt = Spdo->prepare("UPDATE emailqueue_recipients SET `sent`=NOW(), `result`='failed' WHERE id='$r->id'");
+				$stmt = $pdo->prepare("UPDATE emailqueue_recipients SET `sent`=NOW(), `result`='failed' WHERE id=?");
-				$stmt->execute();
+				$stmt->execute([$r->id]);
 				show_pdo_errors_if_any($pdo);
 				$newnumfailed = $email->numfailed + 1;
-				$stmt = $pdo->prepare("UPDATE emailqueue SET numfailed=$newnumfailed WHERE id='$email->id'");
+				$stmt = $pdo->prepare("UPDATE emailqueue SET numfailed=? WHERE id=?");
-				$stmt->execute();
+				$stmt->execute([$newnumfailed,$email->id]);
 				show_pdo_errors_if_any($pdo);
 				echo "failed\n";
 			}
 			// now check if we're done yet
-			$rq = $pdo->prepare("SELECT COUNT(*) AS num FROM emailqueue_recipients WHERE sent IS NULL AND emailqueue_id='$email->id'");
+			$rq = $pdo->prepare("SELECT COUNT(*) AS num FROM emailqueue_recipients WHERE sent IS NULL AND emailqueue_id=?");
-			$rq->execute();
+			$rq->execute([$email->id]);
 			$rr = $rq->fetch(PDO::FETCH_OBJ);
 			if ($rr->num == 0) {
-				$stmt = $pdo->prepare("UPDATE emailqueue SET finished=NOW() WHERE id='$email->id'");
+				$stmt = $pdo->prepare("UPDATE emailqueue SET finished=NOW() WHERE id=?");
-				$stmt->execute();
+				$stmt->execute([$email->id]);
 			}
 			usleep(rand($sleepmin, $sleepmax));
 		} else
--- a/admin/settranslation.php
+++ b/admin/settranslation.php
@ -38,19 +38,19 @@ foreach ($config['languages'] AS $l => $ln) {
    $m = md5($_POST['translate_str_hidden']);
    if ($_POST['translate_' . $l]) {
-        $q = $pdo->prepare("SELECT * FROM translations WHERE lang='$l' AND strmd5='$m'");
+        $q = $pdo->prepare("SELECT * FROM translations WHERE lang=? AND strmd5=?");
-        $q->execute();
+        $q->execute([$l,$m]);
        if ($q->rowCount()) {
-            $stmt = $pdo->prepare("UPDATE translations SET val='" . iconv('UTF-8', 'ISO-8859-1', stripslashes($_POST['translate_' . $l])) . "' WHERE lang='$l' AND strmd5='$m'");
+            $stmt = $pdo->prepare("UPDATE translations SET val=? WHERE lang=? AND strmd5=?");
-            $stmt->execute();
+            $stmt->execute([iconv('UTF-8', 'ISO-8859-1', stripslashes($_POST['translate_' . $l])),$l,$m]);
        } else {
-            $stmt = $pdo->prepare("INSERT INTO translations (lang,strmd5,str,val) VALUES ('$l','$m','" . iconv('UTF-8', 'ISO-8859-1', stripslashes($_POST['translate_str_hidden'])) . "','" . iconv('UTF-8', 'ISO-8859-1', stripslashes($_POST['translate_' . $l])) . "')");
+            $stmt = $pdo->prepare("INSERT INTO translations (lang,strmd5,str,val) VALUES (?,?,?,?)");
-            $stmt->execute();
+            $stmt->execute([$l,$m,iconv('UTF-8', 'ISO-8859-1', stripslashes($_POST['translate_str_hidden'])),iconv('UTF-8', 'ISO-8859-1', stripslashes($_POST['translate_' . $l]))]);
        }
    } else {
-        $stmt = $pdo->prepare("DELETE FROM translations WHERE lang='$l' AND strmd5='$m'");
+        $stmt = $pdo->prepare("DELETE FROM translations WHERE lang=? AND strmd5=?");
-        $stmt->execute();
+        $stmt->execute([$l,$m]);
    }
 }
 echo 'ok';
--- a/admin/sponsor_contacts.php
+++ b/admin/sponsor_contacts.php
@ -73,11 +73,11 @@ if ($sponsors_id) {
 							FROM users_sponsor, users 
 							WHERE
 							users_sponsor.users_id=users.id
-							AND sponsors_id='$sponsors_id'
+							AND sponsors_id=?
 							AND `primary`='yes'
-							AND year='" . $config['FAIRYEAR'] . "'
+							AND year=?
-							AND users_id!='$id'");
+							AND users_id!=?");
-			$q->execute();
+			$q->execute([$sponsors_id,$config['FAIRYEAR'],$id]);
 			if ($q->rowCount() == 0) {
 				/* This must be the primary */
 				$p = 'yes';
@ -85,8 +85,8 @@ if ($sponsors_id) {
 		} else {
 			/* Unset all other primaries */
 			$stmt = $pdo->prepare("UPDATE users_sponsor SET `primary`='no'
-						WHERE  sponsors_id='$sponsors_id'");
+						WHERE  sponsors_id=?");
-			$stmt->execute();
+			$stmt->execute([$sponsors_id]);
 		}
 		$u['primary'] = $p;
@ -162,11 +162,11 @@ if ($sponsors_id) {
 		echo '<br />';
 		$q = $pdo->prepare("SELECT * FROM users LEFT JOIN users_sponsor ON users_sponsor.users_id=users.id
-				\t WHERE year='" . $config['FAIRYEAR'] . "' 
+				\t WHERE year=? 
-				\t AND sponsors_id='$sponsors_id' 
+				\t AND sponsors_id=? 
 				\t AND deleted='no' 
 				\t ORDER BY lastname,firstname");
-		$q->execute();
+		$q->execute([$config['FAIRYEAR'],$sponsors_id]);
 		show_pdo_errors_if_any($pdo);
 		if ($q->rowCount()) {
--- a/admin/student_editor.php
+++ b/admin/student_editor.php
@ -44,10 +44,10 @@ if ($auth_type == 'fair') {
 		/* Make sure they have permission to laod this student, check
 		the master copy of the fairs_id in the project */
 		$q = $pdo->prepare("SELECT * FROM projects WHERE 
-				registrations_id='$registrations_id' 
+				registrations_id=? 
-				AND year='{$config['FAIRYEAR']}'
+				AND year=?
-				AND fairs_id=$fairs_id");
+				AND fairs_id=?");
-		$q->execute();
+		$q->execute([$registrations_id,$config['FAIRYEAR'],$fairs_id]);
 		if ($q->rowCount() != 1) {
 			echo 'permission denied.';
 			exit;
@ -75,8 +75,8 @@ switch ($action) {
 	case 'student_remove':
 		$remove_id = intval($_GET['students_id']);
-		$q = $pdo->prepare("SELECT id FROM students WHERE id='$remove_id' AND registrations_id='$registrations_id'");
+		$q = $pdo->prepare("SELECT id FROM students WHERE id=? AND registrations_id=?");
-		$q->execute();
+		$q->execute([$remove_id,$registrations_id]);
 		if ($q->rowCount() != 1) {
 			error_('Invalid student to remove');
 			exit;
@ -86,42 +86,42 @@ switch ($action) {
 			exit;
 		}
-		$stmt = $pdo->prepare("DELETE FROM students WHERE id='$remove_id' AND registrations_id='$registrations_id'");
+		$stmt = $pdo->prepare("DELETE FROM students WHERE id=? AND registrations_id=?");
-		$stmt->execute();
+		$stmt->execute([$remove_id,$registrations_id]);
 		// now see if they have an emergency contact that also needs to be removed
-		$q = $pdo->prepare("SELECT id FROM emergencycontact WHERE students_id='$remove_id' AND registrations_id='$registrations_id' AND year='{$config['FAIRYEAR']}'");
+		$q = $pdo->prepare("SELECT id FROM emergencycontact WHERE students_id=? AND registrations_id=? AND year=?");
-		$q->execute();
+		$q->execute([$remove_id,$registrations_id,$config['FAIRYEAR']]);
 		// no need to error message if this doesnt exist
 		if ($q->rowCount() == 1)
-			$stmt = $do->prepare("DELETE FROM emergencycontact WHERE students_id='$remove_id' AND registrations_id='$registrations_id' AND year='{$config['FAIRYEAR']}'");
+			$stmt = $do->prepare("DELETE FROM emergencycontact WHERE students_id=? AND registrations_id=? AND year=?");
-		$stmt->execute();
+		$stmt->execute([$remove_id,$registrations_id,$config['FAIRYEAR']]);
 		if ($q->rowCount() != 1) {
 			error_('Invalid student to remove');
 			exit;
 		}
-		$stmt = $pdo->prepare("DELETE FROM students WHERE id='$remove_id' AND registrations_id='$registrations_id'");
+		$stmt = $pdo->prepare("DELETE FROM students WHERE id=? AND registrations_id=?");
-		$stmt->execute();
+		$stmt->execute([$remove_id,$registrations_id]);
 		// now see if they have an emergency contact that also needs to be removed
-		$q = $pdo->prepare("SELECT id FROM emergencycontact WHERE students_id='$remove_id' AND registrations_id='$registrations_id' AND year='{$config['FAIRYEAR']}'");
+		$q = $pdo->prepare("SELECT id FROM emergencycontact WHERE students_id=? AND registrations_id=? AND year=?");
-		$q->execute();
+		$q->execute([$remove_id,$registrations_id,$config['FAIRYEAR']]);
 		// no need to error message if this doesnt exist
 		if ($q->rowCount() == 1)
-			$stmt = $do->prepare("DELETE FROM emergencycontact WHERE students_id='$remove_id' AND registrations_id='$registrations_id' AND year='{$config['FAIRYEAR']}'");
+			$stmt = $do->prepare("DELETE FROM emergencycontact WHERE students_id=? AND registrations_id=? AND year=?");
-		$stmt->execute();
+		$stmt->execute([$remove_id,$registrations_id,$config['FAIRYEAR']]);
-		$stmt = $pdo->prepare("DELETE FROM students WHERE id='$remove_id' AND registrations_id='$registrations_id'");
+		$stmt = $pdo->prepare("DELETE FROM students WHERE id=? AND registrations_id=?");
-		$stmt->execute();
+		$stmt->execute([$remove_id,$registrations_id]);
 		// now see if they have an emergency contact that also needs to be removed
-		$q = $pdo->prepare("SELECT id FROM emergencycontact WHERE students_id='$remove_id' AND registrations_id='$registrations_id' AND year='{$config['FAIRYEAR']}'");
+		$q = $pdo->prepare("SELECT id FROM emergencycontact WHERE students_id=? AND registrations_id=? AND year=?");
-		$q->execute();
+		$q->execute([$remove_id,$registrations_id,$config['FAIRYEAR']]);
 		// no need to error message if this doesnt exist
 		if ($q->rowCount() == 1)
-			$stmt = $do->prepare("DELETE FROM emergencycontact WHERE students_id='$remove_id' AND registrations_id='$registrations_id' AND year='{$config['FAIRYEAR']}'");
+			$stmt = $do->prepare("DELETE FROM emergencycontact WHERE students_id=? AND registrations_id=? AND year=?");
-		$stmt->execute();
+		$stmt->execute([$remove_id,$registrations_id,$config['FAIRYEAR']]);
 		happy_('Student successfully removed');
 		exit;
@ -141,8 +141,8 @@ function students_save()
 		if ($_POST['id'][$x] == 0) {
 			// if they use schoolpassword or singlepassword, then we need to set the school based on the school stored in the registration record.  for anything else they can choose the school on their own.
 			if ($config['participant_registration_type'] == 'schoolpassword' || $config['participant_registration_type'] == 'invite') {
-				$q = $pdo->prepare("SELECT schools_id FROM registrations WHERE id='$registrations_id' AND YEAR='{$config['FAIRYEAR']}'");
+				$q = $pdo->prepare("SELECT schools_id FROM registrations WHERE id=? AND YEAR=?");
-				$q->execute();
+				$q->execute([$registrations_id,$config['FAIRYEAR']]);
 				$r = $q->fetch(PDO::FETCH_OBJ);
 				$schools_id = $r->schools_id;
 				$schoolvalue = "'$schools_id', ";
@ -216,9 +216,9 @@ function students_load()
 	// now query and display
 	$q = $pdo->prepare("SELECT * FROM students WHERE
-				registrations_id='$registrations_id' 
+				registrations_id=? 
-				AND year='{$config['FAIRYEAR']}'");
+				AND year=?");
-	$q->execute();
+	$q->execute([$registrations_id,$config['FAIRYEAR']]);
 	show_pdo_errors_if_any($pdo);
 	$numfound = $q->rowCount();
@ -405,8 +405,8 @@ function students_load()
 		echo "<tr>\n";
 		echo ' <td>' . i18n('School') . '</td><td colspan="3">';
 		if ($config['participant_registration_type'] == 'open' || $config['participant_registration_type'] == 'singlepassword' || $config['participant_registration_type'] == 'openorinvite' || ($studentinfo && !$studentinfo->schools_id)) {
-			$schoolq = $pdo->prepare("SELECT id,school,city FROM schools WHERE year='" . $config['FAIRYEAR'] . "' ORDER by city,school");
+			$schoolq = $pdo->prepare("SELECT id,school,city FROM schools WHERE year=? ORDER by city,school");
-			$schoolq->execute();
+			$schoolq->execute([$config['FAIRYEAR']]);
 			echo "<select name=\"schools_id[$x]\">\n";
 			echo '<option value="">' . i18n('Choose School') . "</option>\n";
 			while ($r = $schoolq->fetch(PDO::FETCH_OBJ)) {
@ -418,8 +418,8 @@ function students_load()
 			}
 			echo '</select>' . REQUIREDFIELD;
 		} else {
-			$schoolq = $pdo->prepare("SELECT id,school FROM schools WHERE year='" . $config['FAIRYEAR'] . "' AND id='$studentinfo->schools_id'");
+			$schoolq = $pdo->prepare("SELECT id,school FROM schools WHERE year=? AND id=?");
-			$schoolq->execute();
+			$schoolq->execute([$config['FAIRYEAR'],$studentinfo->schools_id]);
 			$r = $schoolq->fetch(PDO::FETCH_OBJ);
 			echo $r->school;
 		}
@ -471,23 +471,23 @@ function registration_load()
 		/* Find a reg num */
 		do {
 			$regnum = rand(100000, 999999);
-			$q = $pdo->prepare("SELECT * FROM registrations WHERE num='$regnum' AND year={$config['FAIRYEAR']}");
+			$q = $pdo->prepare("SELECT * FROM registrations WHERE num=? AND year=?");
-			$q->execute();
+			$q->execute([$regnum,$config['FAIRYEAR']]);
 		} while ($q->rowCount() > 0);
 		$r['num'] = $regnum;
 		echo notice(i18n('New registration number generated.'));
 		echo notice(i18n('This new registration will added when the "Save Registration Information" button is pressed below.  At that time the other tabs will become available.'));
 	} else {
-		$q = $pdo->prepare("SELECT * FROM registrations WHERE id='$registrations_id'");
+		$q = $pdo->prepare("SELECT * FROM registrations WHERE id=?");
-		$q->execute();
+		$q->execute([$registrations_id]);
 		if ($q->rowCount() != 1)
 			$r = array();
 		else {
 			$r = $q->fetch(PDO::FETCH_ASSOC);
 			/* Get the fair from the project */
-			$q = $pdo->prepare("SELECT fairs_id FROM projects WHERE registrations_id='$registrations_id'");
+			$q = $pdo->prepare("SELECT fairs_id FROM projects WHERE registrations_id=?");
-			$q->execute();
+			$q->execute([$registrations_id]);
 			if ($q->rowCount() == 1) {
 				$p = $q->fetch(PDO::FETCH_ASSOC);
 				$r['fairs_id'] = $p['fairs_id'];
@ -569,30 +569,30 @@ function registration_save()
 	if ($registrations_id == -1) {
 		$stmt = $pdo->prepare("INSERT INTO registrations (start,schools_id,year) VALUES (
-					NOW(), NULL, '{$config['FAIRYEAR']}')");
+					NOW(), NULL,?)");
-		$stmt->execute();
+		$stmt->execute([$config['FAIRYEAR']]);
 		$registrations_id = $pdo->lastInsertId();
 		/* Create one student and a project */
 		$stmt = $pdo->prepare("INSERT INTO students (registrations_id,email,year) VALUES (
-					$registrations_id, '$registration_email', '{$config['FAIRYEAR']}')");
+					?,?,?)");
-		$stmt->execute();
+		$stmt->execute([$registrations_id,$registration_email,$config['FAIRYEAR']]);
 		$stmt = $pdo->prepare("INSERT INTO projects (registrations_id,year) VALUES (
-					$registrations_id, '{$config['FAIRYEAR']}')");
+					?,?)");
-		$stmt->execute();
+		$stmt->execute([$registrations_id,$config['FAIRYEAR']]);
 		happy_('Created student and project record');
 	}
 	/* Update registration */
 	$stmt = $pdo->prepare("UPDATE registrations SET 
-					num='$registration_num',
+					num=?,
-					status='$registration_status',
+					status=?,
-					email='$registration_email'
+					email=?
 				WHERE 
-					id='$registrations_id'");
+					id=?");
-	$stmt->execute();
+	$stmt->execute([$registration_num,$registration_status,$registration_email,$registrations_id]);
 	show_pdo_errors_if_any($pdo);
 	/*
@ -602,10 +602,10 @@ function registration_save()
 	if ($auth_type == 'fair')
 		$fairs_id = $_SESSION['fairs_id'];
 	$stmt = $pdo->prepare("UPDATE projects SET 
-					fairs_id='$fairs_id'
+					fairs_id=?
 				WHERE 
-					registrations_id='$registrations_id'");
+					registrations_id=?");
-	$stmt->execute();
+	$stmt->execute([$fairs_id,$registrations_id]);
 	show_pdo_errors_if_any($pdo);
 	happy_('Information Saved');
 	echo '<script language="javascript" type="text/javascript">';
--- a/admin/tours_assignments.php
+++ b/admin/tours_assignments.php
@ -33,9 +33,9 @@ user_auth_required('committee', 'admin');
 /* Load Tours */
 $query = "SELECT * FROM tours WHERE 
-		year='{$config['FAIRYEAR']}'";
+		year=?";
 $r = $pdo->prepare($query);
-$r->execute();
+$r->execute([$config['FAIRYEAR']]);
 $tours = array();
 while ($i = $r->fetch(PDO::FETCH_OBJ)) {
 	$tours[$i->id]['name'] = $i->name;
@ -45,20 +45,20 @@ while ($i = $r->fetch(PDO::FETCH_OBJ)) {
 if (get_value_from_array($_GET, 'action') == 'info') {
 	$sid = intval($_GET['id']);
-	$query = "SELECT * FROM students WHERE id='$sid'
+	$query = "SELECT * FROM students WHERE id=?
-			AND year='{$config['FAIRYEAR']}'";
+			AND year=?";
 	$r = $pdo->prepare($query);
-	$r->execute();
+	$r->execute([$sid,$config['FAIRYEAR']]);
 	$i = $r->fetch(PDO::FETCH_OBJ);
 	send_popup_header(i18n('Student Tour Rank Information - %1 %2',
 		array($i->firstname, $i->lastname)));
 	$query = "SELECT * FROM tours_choice
-				WHERE students_id='$sid'
+				WHERE students_id=?
-				AND year='{$config['FAIRYEAR']}'
+				AND year=?
 				ORDER BY rank";
 	$r = $pdo->prepare($query);
-	$r->execute();
+	$r->execute([$sid,$config['FAIRYEAR']]);
 	echo '<table>';
 	$count = $r->rowwCount();
 	while ($i = $r->fetch(PDO::FETCH_OBJ)) {
@ -157,25 +157,25 @@ if (get_value_from_array($_POST, 'action') == 'add' && $tours_id != 0 && count($
 		$sid = intval($sid);
 		$q = $pdo->prepare("SELECT registrations_id FROM students 
-					WHERE id='$sid'");
+					WHERE id=?");
-		$q->execute();
+		$q->execute([$sid]);
 		$i = $q->fetch(PDO::FETCH_OBJ);
 		$rid = $i->registrations_id;
 		/* Delete any old linking */
 		$stmt = $pdo->prepare("DELETE FROM tours_choice WHERE
-					students_id='$sid' AND
+					students_id=? AND
-					year='{$config['FAIRYEAR']}' AND
+					year=? AND
 					rank='0'");
-		$stmt->execute();
+		$stmt->execute([$sid,$config['FAIRYEAR']]);
 		/* Connect this student to this tour */
 		$stmt = $pdo->prepare("INSERT INTO tours_choice 
 					(`students_id`,`registrations_id`,
 						`tour_id`,`year`,`rank`)
 					VALUES (
-					'$sid', '$rid', '$tours_id',
+					?,?,?,
-					'{$config['FAIRYEAR']}','0')");
+					?,'0')");
-		$stmt->execute();
+		$stmt->execute([$sid,$rid,$tours_id,$config['FAIRYEAR']]);
 		$added++;
 	}
 	if ($added == 1)
@ -193,20 +193,20 @@ $students_id = intval(get_value_from_array($_GET, 'students_id'));
 if (get_value_from_array($_GET, 'action') == 'del' && $tours_id > 0 && $students_id > 0) {
 	$stmt = $pdo->prepare("DELETE FROM tours_choice 
-				WHERE students_id='$students_id' 
+				WHERE students_id=? 
-				AND year='{$config['FAIRYEAR']}'
+				AND year=?
 				AND rank='0'");
-	$stmt->execute();
+	$stmt->execute([$students_id,$config['FAIRYEAR']]);
 	echo happy(i18n('Removed student from tour #%1 (%2)', array($tours[$tours_id]['num'], $tours[$tours_id]['name'])));
 }
 if (get_value_from_array($_GET, 'action') == 'empty' && $tours_id > 0) {
 	$stmt = $po->prepare("DELETE FROM tours_choice WHERE 
-				tour_id='$tours_id'
+				tour_id=?
-				AND year='{$config['FAIRYEAR']}'
+				AND year=?
 				AND rank='0'");
-	$stmt->execute();
+	$stmt->execute([$tours_id,$config['FAIRYEAR']]);
 	echo happy(i18n('Emptied all students from tour #%1 (%2)', array($tours[$tours_id]['num'], $tours[$tours_id]['name'])));
 }
@ -243,8 +243,8 @@ $querystr = "SELECT \tstudents.firstname, students.lastname,
 				LEFT JOIN tours_choice ON (tours_choice.students_id=students.id AND tours_choice.rank=0)
 				LEFT JOIN registrations ON registrations.id=students.registrations_id
 			WHERE 
-				students.year='{$config['FAIRYEAR']}' AND
+				students.year=? AND
-				(tours_choice.year='{$config['FAIRYEAR']}' OR
+				(tours_choice.year=? OR
 			\t tours_choice.year IS NULL) AND
 				registrations.status='complete'
 			ORDER BY 
@ -253,7 +253,7 @@ $querystr = "SELECT \tstudents.firstname, students.lastname,
 				tours_choice.rank";
 $q = $pdo->prepare($querystr);
-$q->execute();
+$q->execute([$config['FAIRYEAR'],$config['FAIRYEAR']]);
 show_pdo_errors_if_any($pdo);
--- a/admin/tours_manager.php
+++ b/admin/tours_manager.php
@ -39,12 +39,12 @@ send_header('Tour Management',
 		'Tours' => 'admin/tours.php'));
 if ($_GET['action'] == 'renumber') {
-	$q = $pdo->prepare("SELECT id FROM tours WHERE year='{$config['FAIRYEAR']}'");
+	$q = $pdo->prepare("SELECT id FROM tours WHERE year=?");
-	$q->execute();
+	$q->execute([$config['FAIRYEAR']]);
 	$x = 1;
 	while ($i = $q->fetch(PDP::FETCH_OBJ)) {
-		$stmt = $pdo->prepare("UPDATE tours SET num='$x' WHERE id='{$i->id}'");
+		$stmt = $pdo->prepare("UPDATE tours SET num=? WHERE id=?");
-		$stmt->execute();
+		$stmt->execute([$x,$i->id]);
 		$x++;
 	}
 	echo happy(i18n('Tours successfully renumbered'));
--- a/admin/tours_sa.php
+++ b/admin/tours_sa.php
@ -53,9 +53,9 @@ TRACE('<pre>');
 function set_status($txt)
 {
 	TRACE("Status: $txt\n");
-	$stmt = $pdo->prepare("UPDATE config SET val='$txt' WHERE 
+	$stmt = $pdo->prepare("UPDATE config SET val=? WHERE 
 			var='tours_assigner_activity' AND year=0");
-	$stmt->execute();
+	$stmt->execute([$txt]);
 }
 $set_percent_last_percent = -1;
@ -68,9 +68,9 @@ function set_percent($n)
 		return;
 	TRACE("Progress: $p\%\n");
 	$set_percent_last_percent = $p;
-	$stmt = $pdo->prepare("UPDATE config SET val='$p' WHERE 
+	$stmt = $pdo->prepare("UPDATE config SET val=? WHERE 
 			var='tours_assigner_percent' AND year=0");
-	$stmt->execute();
+	$stmt->execute([$p]);
 }
 set_status('Initializing...');
@ -205,16 +205,16 @@ function tour_cost_function($annealer, $bucket_id, $ids)
 set_status('Cleaning existing tour assignments...');
 TRACE("\n\n");
 $q = $pdo->prepare("DELETE FROM tours_choice 
-		WHERE year='{$config['FAIRYEAR']}'
+		WHERE year=?
 		AND rank='0'");
-$q->execute();
+$q->execute([$config['FAIRYEAR']]);
 set_status('Loading Data From Database...');
 TRACE("\n\n");
 TRACE("Tours...\n");
 $tours = array();
-$q = $pdo->prepare("SELECT * FROM tours WHERE year='{$config['FAIRYEAR']}'");
+$q = $pdo->prepare("SELECT * FROM tours WHERE year=?");
-$q-- > execute();
+$q-> execute([$config['FAIRYEAR']]);
 $x = 0;
 /*
@ -240,13 +240,13 @@ $q = $pdo->prepare("SELECT students.id,students.grade,
 		FROM students
 			LEFT JOIN registrations ON registrations.id=students.registrations_id
 		WHERE
-			students.year='{$config['FAIRYEAR']}'
+			students.year=?
 			AND ( registrations.status='complete'
 				OR registrations.status='paymentpending' )
 		ORDER BY
 			students.id
 			");
-$q->execute();
+$q->execute([$config['FAIRYEAR']]);
 $last_sid = -1;
 TRACE($pdo->errorInfo());
 while ($r = $q->fetch(PDO::FETCH_OBJ)) {
@ -262,9 +262,9 @@ TRACE('   ' . (count($student_ids)) . " students loaded\n");
 TRACE("Loading Tour Selection Preferences...\n");
 $q = $pdo->prepare("SELECT * FROM tours_choice WHERE
-			tours_choice.year='{$config['FAIRYEAR']}' 
+			tours_choice.year=? 
 			ORDER BY rank ");
-$q->execute();
+$q->execute([$config['FAIRYEAR']]);
 TRACE($pdo->errorInfo());
 $x = 0;
 while ($r = $q->fetch(PDO::FETCH_OBJ)) {
--- a/admin/tours_sa_config.php
+++ b/admin/tours_sa_config.php
@ -58,8 +58,8 @@ function tours_check_tours()
 {
 	global $config;
 	global $pdo;
-	$q = $pdo->prepare("SELECT * FROM tours WHERE year='{$config['FAIRYEAR']}'");
+	$q = $pdo->prepare("SELECT * FROM tours WHERE year=?");
-	$q->execute();
+	$q->execute([$config['FAIRYEAR']]);
 	return $q->rowCount();
 }
@ -72,13 +72,13 @@ function tours_check_students()
 			LEFT JOIN tours_choice ON (tours_choice.students_id=students.id)
 			LEFT JOIN registrations ON (registrations.id=students.registrations_id)
 		WHERE
-			students.year='{$config['FAIRYEAR']}'
+			students.year=?
-			AND tours_choice.year='{$config['FAIRYEAR']}'
+			AND tours_choice.year=?
 			AND registrations.status='complete'
 		ORDER BY
 			students.id, tours_choice.rank
 			");
-	$q->execute();
+	$q->execute([$config['FAIRYEAR'],$config['FAIRYEAR']]);
 	return $q->rowCount();
 }
--- a/admin/translations.php
+++ b/admin/translations.php
@ -57,8 +57,8 @@ if (get_value_from_array($_POST, 'action') == 'save') {
    // first, delete anything thats supposed to eb deleted
    if (count(get_value_from_array($_POST, 'delete', []))) {
        foreach ($_POST['delete'] AS $del) {
-            $stmt = $pdo->prepare("DELETE FROM translations WHERE lang='" . $_SESSION['translang'] . "' AND strmd5='" . $del . "'");
+            $stmt = $pdo->prepare("DELETE FROM translations WHERE lang=? AND strmd5=?");
-            $stmt->execute();
+            $stmt->execute([$_SESSION['translang'],$del]);
        }
        echo happy(i18n('Translation(s) deleted'));
    }
@ -113,8 +113,8 @@ if ($show == 'missing')
 else
    $showquery = '';
-$q = $pdo->prepare("SELECT * FROM translations WHERE lang='" . get_value_from_array($_SESSION, 'translang') . "' $showquery ORDER BY str");
+$q = $pdo->prepare("SELECT * FROM translations WHERE lang=? ? ORDER BY str");
-$q->execute();
+$q->execute([get_value_from_array($_SESSION, 'translang'),$showquery]);
 $num = $q->rowCount();
 echo i18n('Showing %1 translation strings', array($num), array('number of strings'));