pushing another 100-150 database line changes. 99 more to go

2025-02-05 02:25:53 +00:00 · 2025-02-05 02:25:53 +00:00 · 888d350ddc
commit 888d350ddc
parent 1846545b7a
60 changed files with 717 additions and 712 deletions
--- a/admin/award_awardcreatedivisional.php
+++ b/admin/award_awardcreatedivisional.php
@ -113,11 +113,11 @@ if ($r->num) {
 						?,
 						'1',
 						?-?,
-						'" . i18n('Best %1 projects in the %2 division', array($c_category, $d_division)) . "',
+						?,
 						?,
 						?
 					)");
-			$q->execute([$_GET['sponsors_id'],$c_category,$d_division,$ord, $config['FAIRYEAR']]);
+			$q->execute([$_GET['sponsors_id'],$c_category,$d_division,i18n('Best %1 projects in the %2 division', array($c_category, $d_division)),$ord, $config['FAIRYEAR']]);
 			show_pdo_errors_if_any($pdo);
 			$award_awards_id = $pdo->lastInsertId();
--- a/admin/award_upload.php
+++ b/admin/award_upload.php
@ -69,7 +69,8 @@ function get_winners($awardid, $fairs_id)
 	if ($awardid == -1) {
 		/* Get all for this fair */
-		$q = $pdo->prepare("SELECT * FROM award_awards WHERE award_source_fairs_id='$fairs_id' AND year='{$config['FAIRYEAR']}'");
+		$q = $pdo->prepare("SELECT * FROM award_awards WHERE award_source_fairs_id=? AND year=?");
 		$q->execute([$fairs_id,$config['FAIRYEAR']]);
 		if ($q->rowCount() == 0) {
 			error_("Can't find award id $awardid");
 			return false;
--- a/admin/cms.php
+++ b/admin/cms.php
@ -207,8 +207,8 @@ if (get_value_from_array($_GET, 'filename', '') || get_value_from_array($_GET, '
 	echo '<tr><th>' . i18n('Filename') . '</th><th>' . i18n('Last Update') . '</th></tr>';
 	while ($r = $q->fetch(PDO::FETCH_ASSOC)) {
 		echo '<tr><td><a href="cms.php?filename=' . rawurlencode($r->filename) . "\">/web/$r->filename</a></td>";
-		$q2 = $pdo->prepare("SELECT dt FROM cms WHERE filename='" . $r->filename . "' ORDER BY dt DESC LIMIT 1");
+		$q2 = $pdo->prepare("SELECT dt FROM cms WHERE filename=? ORDER BY dt DESC LIMIT 1");
-
+		$q->execute($r->filename);
 		$r2 = $q2->fetch(PDO::FETCH_OBJ);
 		if ($r2->dt == '0000-00-00 00:00:00')
 			$dt = 'Never';
--- a/admin/communication.php
+++ b/admin/communication.php
@ -668,8 +668,8 @@ case 'dialog_sender':
 	case 'loadaddresses':
 		if ($_GET['query'] && array_key_exists($_GET['query'], $mailqueries)) {
-			$q = $pdo->prepare($mailqueries[$_GET['query']]['query']);
+			$q = $pdo->prepare('?');
-			$q->execute();
+			$q->execute([$mailqueries[$_GET['query']]['query']]);
 			while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 				if ($r->organization)
 					$s = "($r->organization) ";
--- a/admin/donors.php
+++ b/admin/donors.php
@ -838,10 +838,10 @@ function draw_activityinfo_form()
 	\t  FROM fundraising_donor_logs AS fdl 
 	\t  LEFT JOIN users ON fdl.users_id=users.id 
 	\t  LEFT JOIN fundraising_campaigns ON fdl.fundraising_campaigns_id=fundraising_campaigns.id
-	\t  WHERE sponsors_id=" . $sponsorid . ' ORDER BY dt DESC';
+	\t  WHERE sponsors_id=? ORDER BY dt DESC";
 	// echo "<tr><td colspan=\"3\">" . $query . "</td></tr>";
 	$q = $pdo->prepare($query);
-	$q->execute();
+	$q->execute([$sponsorid ]);
 	show_pdo_errors_if_any($pdo);
 	if ($q->rowCount()) {
 		while ($r = $q->fetch()) {
@ -872,14 +872,14 @@ function save_activityinfo($comment, $donorId, $userId, $type, $campaign_id = nu
 		$cid = 'NULL';
 	$query = "INSERT INTO fundraising_donor_logs (sponsors_id, dt, users_id, log, `type`, fundraising_campaigns_id) 
-		VALUES ($donorId,
+		VALUES (?,
 		NOW(),
-		$userId,
+		?,
-		'" . $comment . "',
+		?,
-		'" . $type . "',
+		?,
-		$cid)";
+		?)";
 	$q = $pdo->prepare($query);
-	$q->execute();
+	$q->execute([$donorId,$userId,$comment,$type,$cid]);
 	show_pdo_errors_if_any($pdo);
 }
--- a/admin/donors_search.php
+++ b/admin/donors_search.php
@ -42,10 +42,10 @@ if (count(get_value_from_array($_POST, 'donortype', []))) {
 	}
 	$sql .= ') ';
 }
-$query = "SELECT * FROM sponsors WHERE 1 $sql ORDER BY organization";
+$query = "SELECT * FROM sponsors WHERE 1 ? ORDER BY organization";
 //		echo "query=$query";
 $q = $pdo->prepare($query);
-$q->execute();
+$q->execute([$sql]);
 get_value_from_array($_POST, 'donortype');
 $thisyear = $config['FISCALYEAR'];
 $lastyear = $config['FISCALYEAR'] - 1;
--- a/admin/fundraising.php
+++ b/admin/fundraising.php
@ -32,8 +32,8 @@ if (get_value_from_array($_GET, 'action') == 'refresh') {
 <h3><?= i18n('Fundraising Purposes and Progress Year to Date') ?></h3>
 <?
-    $q = $pdo->prepare("SELECT * FROM fundraising_goals WHERE fiscalyear='{$config['FISCALYEAR']}' ORDER BY deadline");
+    $q = $pdo->prepare("SELECT * FROM fundraising_goals WHERE fiscalyear=? ORDER BY deadline");
-    $q->execute();
+    $q->execute([$config['FISCALYEAR']]);
 ?>
 <table class="tableview">
 <thead>
@ -48,8 +48,8 @@ if (get_value_from_array($_GET, 'action') == 'refresh') {
 <?
    while ($r = $q->fetch(PDO::FETCH_OBJ)) {
        // lookup all donations made towards this goal
-        $recq = $pdo->prepare("SELECT SUM(value) AS received FROM fundraising_donations WHERE fundraising_goal='$r->goal' AND fiscalyear='{$config['FISCALYEAR']}' AND status='received'");
+        $recq = $pdo->prepare("SELECT SUM(value) AS received FROM fundraising_donations WHERE fundraising_goal=? AND fiscalyear=? AND status='received'");
-        $recq->execute();
+        $recq->execute([$r->goal,$config['FISCALYEAR']]);
        show_pdo_errors_if_any($pdo);
        $recr = $recq->fetch(PDO::FETCH_OBJ);
        $received = $recr->received;
@ -84,15 +84,15 @@ if (get_value_from_array($_GET, 'action') == 'refresh') {
 </tr>
 </thead>
 <?
-    $q = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE fiscalyear='{$config['FISCALYEAR']}'");
+    $q = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE fiscalyear=?");
-    $q->execute();
+    $q->execute([$config['FISCALYEAR']]);
    while ($r = $q->fetch(PDO::FETCH_OBJ)) {
-        $goalq = $pdo->prepare("SELECT * FROM fundraising_goals WHERE goal='{$r->fundraising_goal}' AND fiscalyear='{$config['FISCALYEAR']}'");
+        $goalq = $pdo->prepare("SELECT * FROM fundraising_goals WHERE goal=? AND fiscalyear=?");
-        $goalq->execute();
+        $goalq->execute([$r->fundraising_goal,$config['FISCALYEAR']]);
        $goalr = $goalq->fetch(PDO::FETCH_OBJ);
-        $recq = $pdo->prepare("SELECT SUM(value) AS received FROM fundraising_donations WHERE fundraising_campaigns_id='$r->id' AND fiscalyear='{$config['FISCALYEAR']}' AND status='received'");
+        $recq = $pdo->prepare("SELECT SUM(value) AS received FROM fundraising_donations WHERE fundraising_campaigns_id=? AND fiscalyear=? AND status='received'");
-        $recq->execute();
+        $recq->execute([$r->id,$config['FISCALYEAR']]);
        show_pdo_errors_if_any($pdo);
        $recr = $recq->fetch(PDO::FETCH_OBJ);
        $received = $recr->received;
@ -133,10 +133,10 @@ if (get_value_from_array($_GET, 'action') == 'refresh') {
 \tDATE_ADD(datereceived, INTERVAL 2 MONTH) < NOW() AS twomonth
    FROM fundraising_donations
    WHERE thanked='no' AND status='received'
-    AND fiscalyear='{$config['FISCALYEAR']}' 
+    AND fiscalyear=? 
    ORDER BY datereceived
    ");
-    $q->execute();
+    $q->execute([$config['FISCALYEAR']]);
    show_pdo_errors_if_any($pdo);
    if ($q->rowCount()) {
@ -149,8 +149,8 @@ if (get_value_from_array($_GET, 'action') == 'refresh') {
        echo "</tr></thead>\n";
        while ($r = $q->fetch(PDO::FETCH_OBJ)) {
-            $dq = $pdo->prepare("SELECT organization AS name FROM sponsors WHERE id='$r->sponsors_id'");
+            $dq = $pdo->prepare("SELECT organization AS name FROM sponsors WHERE id=?");
-            $dq->execute();
+            $dq->execute([$r->sponsors_id]);
            $dr = $dq->fetch(PDO::FETCH_OBJ);
            if ($r->twomonth)
                $s = 'style="background-color: ' . colour_to_percent(0) . ';"';
@ -190,10 +190,10 @@ if (get_value_from_array($_GET, 'action') == 'refresh') {
 \tDATE_ADD(datereceived, INTERVAL 2 MONTH) < NOW() AS twomonth
    FROM fundraising_donations
    WHERE (receiptrequired='yes' AND receiptsent='no') AND status='received'
-    AND fiscalyear='{$config['FISCALYEAR']}' 
+    AND fiscalyear=? 
    ORDER BY datereceived
    ");
-    $q->execute();
+    $q->execute([$config['FISCALYEAR']]);
    show_pdo_errors_if_any($pdo);
    if ($q->rowCount()) {
        echo '<table class="tableview">';
@ -204,8 +204,8 @@ if (get_value_from_array($_GET, 'action') == 'refresh') {
        echo "</tr>\n";
        while ($r = $q->fetch(PDO::FETCH_OBJ)) {
-            $dq = $pdo->prepare("SELECT organization AS name FROM sponsors WHERE id='$r->sponsors_id'");
+            $dq = $pdo->prepare("SELECT organization AS name FROM sponsors WHERE id=?");
-            $dq->execute();
+            $dq->execute([$r->sponsors_id]);
            $dr = $dq->fetch(PDO::FETCH_OBJ);
            if ($r->twomonth)
                $s = 'style="background-color: ' . colour_to_percent(0) . ';"';
@ -280,8 +280,8 @@ if (get_value_from_array($_GET, 'action') == 'refresh') {
    exit;
 } else if (get_value_from_array($_POST, 'thanked')) {
    foreach ($_POST['thanked'] AS $t) {
-        $stmt = $pdo->prepare("UPDATE fundraising_donations SET thanked='yes' WHERE id='$t'");
+        $stmt = $pdo->prepare("UPDATE fundraising_donations SET thanked='yes' WHERE id=?");
-        $stmt->execute();
+        $stmt->execute([$t]);
    }
 }
--- a/admin/fundraising_campaigns.php
+++ b/admin/fundraising_campaigns.php
@ -465,9 +465,9 @@ case 'managelist':
        print_r($_POST);
        if (is_array($_POST['prospectremovefromlist'])) {
            $uidlist = implode(',', $_POST['prospectremovefromlist']);
-            $query = "DELETE FROM fundraising_campaigns_users_link WHERE fundraising_campaigns_id='$campaignid' AND users_uid IN ($uidlist)";
+            $query = "DELETE FROM fundraising_campaigns_users_link WHERE fundraising_campaigns_id=? AND users_uid IN (?)";
            $stmt = $pdo->prepare($query);
-            $stmt->execute();
+            $stmt->execute([$campaignid,$uidlist]);
            show_pdo_errors_if_any($pdo);
        }
        // if theres nobody left in the list we need to reset the filter params as well
@ -523,10 +523,10 @@ function save_campaign_info()
        $startdate = $_POST['startdate'];
    if (!$_GET['id']) {
-        $query = "INSERT INTO fundraising_campaigns (name, fiscalyear) VALUES ('" . stripslashes($_POST['name']) . "','{$config['FISCALYEAR']}')";
+        $query = "INSERT INTO fundraising_campaigns (name, fiscalyear) VALUES (?,?)";
        echo $query;
        $stmt = $pdo->prepare($query);
-        $stmt->execute();
+        $stmt->execute([stripslashes($_POST['name']),$config['FISCALYEAR']]);
        $id = $pdo->lastInsertId();
        happy_('Appeal Created');
    } else {
@ -534,15 +534,15 @@ function save_campaign_info()
        happy_('Appeal Saved');
    }
    $stmt = $pdo->prepare("UPDATE fundraising_campaigns SET 
-       name='" . stripslashes($_POST['name']) . "',
+       name=?,
-       `type`='" . $_POST['type'] . "',
+       `type`=?,
-       startdate='" . $startdate . "',
+       startdate=?,
-       followupdate='" . $_POST['followupdate'] . "',
+       followupdate=?,
-       enddate='" . $_POST['enddate'] . "',
+       enddate=?,
-       target='" . $_POST['target'] . "',
+       target=?,
-       fundraising_goal='" . $_POST['fundraising_goal'] . "'
+       fundraising_goal=?
-       WHERE id='$id'");
+       WHERE id=?");
-    $stmt->execute();
+    $stmt->execute([stripslashes($_POST['name']),$_POST['type'],$startdate,$_POST['followupdate'],$_POST['enddate'],$_POST['target'],$_POST['fundraising_goal'],$id]);
 }
 send_header('Appeal Management',
--- a/admin/fundraising_goals_handler.inc.php
+++ b/admin/fundraising_goals_handler.inc.php
@ -55,8 +55,8 @@ if ($_POST['action'] == 'fundedit') {
 }
 if ($_POST['action'] == 'fundadd') {
 	if ($goal && $type && $name) {
-		$stmt = $pdo->prepare("INSERT INTO fundraising_goals (goal,name,description,system,budget,fiscalyear) VALUES ('$goal','$name','$description','no','$budget','{$config['FISCALYEAR']}')");
+		$stmt = $pdo->prepare("INSERT INTO fundraising_goals (goal,name,description,system,budget,fiscalyear) VALUES (?,?,?,'no',?,?)");
-		$stmt->execute();
+		$stmt->execute([$goal,$name,$description,$budget,$config['FISCALYEAR']]);
 		happy_('Added new fund');
 	} else
 		error_('Required fields were missing, please try again');
--- a/admin/fundraising_main.inc.php
+++ b/admin/fundraising_main.inc.php
@ -1,8 +1,8 @@
 <?
 if ($_GET['action'] == 'fundraisingmain') {
 	// this table is eventually going to be massive, and probably not in a tableview format, it'll show goals as well as all ongoing fund pledges, probabilities, etc as well as over/under, etc, all prettily colour coded.. basically a good overview of the total fundraising status of the fair.
-	$q = $pdo->prepare("SELECT * FROM fundraising_goals WHERE fiscalyear='{$config['FISCALYEAR']}' ORDER BY system DESC,goal");
+	$q = $pdo->prepare("SELECT * FROM fundraising_goals WHERE fiscalyear=? ORDER BY system DESC,goal");
-	$q->execute();
+	$q->execute([$config['FISCALYEAR']]);
 	echo '<table class="fundraisingtable">';
 	while ($r = $q->fetch(PDO::FETCH_OBJ)) {
@ -28,20 +28,20 @@ if ($_GET['action'] == 'fundraisingmain') {
            SELECT fundraising_donations.id, sponsors.organization AS name, fundraising_donations.value, fundraising_donations.status, fundraising_donations.probability
 	\t FROM fundraising_donations
 	\t JOIN sponsors ON fundraising_donations.sponsors_id=sponsors.id
-	\t  WHERE (fundraising_donations.fundraising_goal='$r->goal' $orsql) 
+	\t  WHERE (fundraising_donations.fundraising_goal=? ?) 
-	\t  AND fundraising_donations.fiscalyear='{$config['FISCALYEAR']}'
+	\t  AND fundraising_donations.fiscalyear=?
          UNION
        SELECT fundraising_donations.id, CONCAT(users.firstname,' ',users.lastname) AS name, fundraising_donations.value, fundraising_donations.status, fundraising_donations.probability
 	\t FROM fundraising_donations
 	\t JOIN users ON fundraising_donations.users_uid=users.uid
-	\t  WHERE (fundraising_donations.fundraising_goal='$r->goal' $orsql) 
+	\t  WHERE (fundraising_donations.fundraising_goal=? ?) 
-	\t  AND fundraising_donations.fiscalyear='{$config['FISCALYEAR']}'
+	\t  AND fundraising_donations.fiscalyear=?
 	\t  ORDER BY status DESC, probability DESC, name
            ");
-		$sq->execute();
+		$sq->execute([$r->goal,$orsql,$config['FISCALYEAR'],$r->goal,$orsql,$config['FISCALYEAR']]);
 		show_pdo_errors_if_any($pdo);
 		while ($sr = $sq->fetch(PDO::FETCH_OBJ)) {
 			echo "<tr id=\"sponsorships_$sr->id\" class=\"fundraising{$sr->status}\">";
--- a/admin/fundraising_reports.php
+++ b/admin/fundraising_reports.php
@ -84,8 +84,8 @@ while ($r = $q->fetch(PDO::FETCH_OBJ)) {
  <select name="goal">
   <option value="">All purposes</option>
   <?
-$q = $pdo->prepare("SELECT * FROM fundraising_goals WHERE fiscalyear='{$config['FISCALYEAR']}' ORDER BY name");
+$q = $pdo->prepare("SELECT * FROM fundraising_goals WHERE fiscalyear=? ORDER BY name");
-$q->execute();
+$q->execute([$config['FISCALYEAR']]);
 while ($r = $q->fetch(PDO::FETCH_OBJ)) {
    echo "<option value=\"$r->goal\">$r->name</option>\n";
 }
--- a/admin/fundraising_reports_std.php
+++ b/admin/fundraising_reports_std.php
@ -44,13 +44,13 @@ if ($id && $type) {
 				$rep->newPage();
 				$rep->setFontSize(8);
 			}
-			$sql = "SELECT * FROM fundraising_campaigns WHERE fiscalyear='{$config['FISCALYEAR']}' ";
+			$sql = "SELECT * FROM fundraising_campaigns WHERE fiscalyear=? ";
 			if ($_GET['fundraising_campaigns_id']) {
 				$sql .= " AND id='" . intval($_GET['fundraising_campaigns_id']) . "'";
 			}
 			$sql .= ' ORDER BY name';
 			$q = $pdo->prepare($sql);
-			$q->execute();
+			$q->execute([$config['FISCALYEAR']]);
 			show_pdo_errors_if_any($pdo);
 			while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 				$rep->heading($r->name);
@ -62,8 +62,8 @@ if ($id && $type) {
 				$thisyear = $config['FISCALYEAR'];
 				$lastyear = $config['FISCALYEAR'] - 1;
-				$pq = $pdo->prepare("SELECT * FROM fundraising_campaigns_users_link WHERE fundraising_campaigns_id='$r->id'");
+				$pq = $pdo->prepare("SELECT * FROM fundraising_campaigns_users_link WHERE fundraising_campaigns_id=?");
-				$pq->execute();
+				$pq->execute([$r->id]);
 				while ($pr = $pq->fetch(PDO::FETCH_OBJ)) {
 					$u = user_load_by_uid($pr->users_uid);
 					// hopefully this never returns false, but who knows..
@ -75,16 +75,16 @@ if ($id && $type) {
 						// gah i dont know what the heck to do here
 						if ($u['sponsors_id']) {
-							$cq = $pdo->prepare("SELECT SUM(value) AS total FROM fundraising_donations WHERE sponsors_id='{$u['sponsors_id']}' AND fundraising_campaigns_id='$r->id' AND status='received' AND fiscalyear='$thisyear'");
+							$cq = $pdo->prepare("SELECT SUM(value) AS total FROM fundraising_donations WHERE sponsors_id=? AND fundraising_campaigns_id=? AND status='received' AND fiscalyear=?");
-							$cq->execute();
+							$cq->execute([$u['sponsors_id'],$r->id,$thisyear]);
 							$cr = $cq->fetch(PDO::FETCH_OBJ);
 							$thisappeal = $cr->total;
-							$cq = $pdo->prepare("SELECT SUM(value) AS total FROM fundraising_donations WHERE sponsors_id='{$u['sponsors_id']}' AND status='received' AND fiscalyear='$thisyear'");
+							$cq = $pdo->prepare("SELECT SUM(value) AS total FROM fundraising_donations WHERE sponsors_id=? AND status='received' AND fiscalyear=?");
-							$cq->execute();
+							$cq->execute([$u['sponsors_id'],$thisyear]);
 							$cr = $cq->fetch(PDO::FETCH_OBJ);
 							$thisyeartotal = $cr->total;
-							$cq = $pdo->prepare("SELECT SUM(value) AS total FROM fundraising_donations WHERE sponsors_id='{$u['sponsors_id']}' AND status='received' AND fiscalyear='$lastyear'");
+							$cq = $pdo->prepare("SELECT SUM(value) AS total FROM fundraising_donations WHERE sponsors_id=? AND status='received' AND fiscalyear=?");
-							$cq->execute();
+							$cq->execute([$u['sponsors_id'],$lastyear]);
 							$cr = $cq->fetch(PDO::FETCH_OBJ);
 							$lastyeartotal = $cr->total;
 							if ($lastyeartotal)
@ -126,13 +126,13 @@ if ($id && $type) {
 				$rep->newPage();
 				$rep->setFontSize(8);
 			}
-			$sql = "SELECT * FROM fundraising_goals WHERE fiscalyear='{$config['FISCALYEAR']}' ";
+			$sql = "SELECT * FROM fundraising_goals WHERE fiscalyear=? ";
 			if ($_GET['goal']) {
 				$sql .= " AND goal='" . $_GET['goal'] . "'";
 			}
 			$sql .= ' ORDER BY name';
 			$q = $pdo->prepare($sql);
-			$q->execute();
+			$q->execute([$config['FISCALYEAR']]);
 			show_pdo_errors_if_any($pdo);
 			while ($r = $q->fetch(PDO::FETCH_OBJ)) {
@ -143,8 +143,8 @@ if ($id && $type) {
 				$table['widths'] = array(1.5, 0.5, 0.5, 0.75, 0.9, 0.9, 0.9, 0.5);
 				$table['dataalign'] = array('left', 'right', 'right', 'center', 'center', 'center', 'center', 'right');
-				$cq = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE fundraising_goal='$r->goal' AND fiscalyear='{$config['FISCALYEAR']}'");
+				$cq = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE fundraising_goal=? AND fiscalyear=?");
-				$cq->execute();
+				$cq->execute([$r->goal,$config['FISCALYEAR']]);
 				while ($cr = $cq->fetch(PDO::FETCH_OBJ)) {
 					$table['data'][] = array(
 						$cr->name,
--- a/admin/fundraising_setup.php
+++ b/admin/fundraising_setup.php
@ -28,45 +28,45 @@ require_once ('../user.inc.php');
 user_auth_required('committee', 'admin');
 // first, insert any default fundraising donor levels
-$q = $pdo->prepare("SELECT * FROM fundraising_donor_levels WHERE fiscalyear='" . $config['FISCALYEAR'] . "'");
+$q = $pdo->prepare("SELECT * FROM fundraising_donor_levels WHERE fiscalyear=?");
-$q->execute();
+$q->execute([$config['FISCALYEAR']]);
 if (!$q->rowCount()) {
    $q = $pdo->prepare("SELECT * FROM fundraising_donor_levels WHERE fiscalyear='-1'");
    $q->execute();
    while ($r = $q->fetch(PDO::FETCH_OBJ)) {
        $pdo->prepare("INSERT INTO fundraising_donor_levels (`level`,`min`,`max`,`description`,`fiscalyear`) VALUES (
-            '" . $r->level . "',
+            ?,
-            '" . $r->min . "',
+            ?,
-            '" . $r->max . "',
+            ?,
-            '" . $r->description . "',
+            ?,
-            '" . $config['FISCALYEAR'] . ")')");
+            ?)')");
-        $pdo->execute();
+        $pdo->execute([$r->level,$r->min,$r->max,$r->description,$config['FISCALYEAR']]);
    }
 }
 // first, insert any default fundraising goals
-$q = $pdo->prepare("SELECT * FROM fundraising_goals WHERE fiscalyear='" . $config['FISCALYEAR'] . "'");
+$q = $pdo->prepare("SELECT * FROM fundraising_goals WHERE fiscalyear=?");
-$q->execute();
+$q->execute([$config['FISCALYEAR']]);
 if (!$q->rowCount()) {
    $q = $pdo->prepare("SELECT * FROM fundraising_goals WHERE fiscalyear='-1'");
    $q->execute();
    while ($r = $q->fetch(PDO::FETCH_OBJ)) {
        $stmt = $pdo->prepare("INSERT INTO fundraising_goals (`goal`,`name`,`description`,`system`,`budget`,`fiscalyear`) VALUES (
-            '" . stripslashes($r->goal) . "',
+            ?,
-            '" . stripslashes($r->name) . "',
+            ?,
-            '" . stripslashes($r->description) . "',
+            ?,
-            '" . $r->system . "',
+            ?,
-            '" . $r->budget . "',
+            ?,
-            '" . $config['FISCALYEAR'] . "')");
+            ?)");
-        $stmt->execute();
+        $stmt->execute([stripslashes($r->goal),stripslashes($r->name),stripslashes($r->description),$r->system,$r->budget, $config['FISCALYEAR']]);
    }
 }
 switch (get_value_from_array($_GET, 'gettab')) {
    case 'levels':
-        $q = $pdo->prepare("SELECT * FROM fundraising_donor_levels WHERE fiscalyear='{$config['FISCALYEAR']}' ORDER BY max");
+        $q = $pdo->prepare("SELECT * FROM fundraising_donor_levels WHERE fiscalyear=? ORDER BY max");
-        $q->execute();
+        $q->execute([$config['FISCALYEAR']]);
        echo "<div id=\"levelaccordion\" style=\"width: 75%;\">\n";
        while ($r = $q->fetch(PDO::FETCH_OBJ)) {
            echo "<h3><a href=\"#\">$r->level (" . format_money($r->min, false) . ' to ' . format_money($r->max, false) . ")</a></h3>\n";
@ -120,8 +120,8 @@ switch (get_value_from_array($_GET, 'gettab')) {
        break;
    case 'goals':
-        $q = $pdo->prepare("SELECT * FROM fundraising_goals WHERE fiscalyear='{$config['FISCALYEAR']}' ORDER BY name");
+        $q = $pdo->prepare("SELECT * FROM fundraising_goals WHERE fiscalyear=? ORDER BY name");
-        $q->execute();
+        $q->execute([$config['FISCALYEAR']]);
        echo "<div id=\"goalaccordion\" style=\"width: 75%;\">\n";
        while ($r = $q->fetch(PDO::FETCH_OBJ)) {
            echo "<h3><a href=\"#\">$r->name (" . format_money($r->budget, false) . ') Deadline: ' . format_date($r->deadline) . "</a></h3>\n";
@ -225,30 +225,30 @@ switch (get_value_from_array($_GET, 'action')) {
        if ($id) {
            $stmt = $pdo->prepare("UPDATE fundraising_donor_levels SET
-                    min='" . $_POST['min'] . "',
+                    min=?,
-                    max='" . $_POST['max'] . "',
+                    max=?,
-                    level='" . stripslashes($_POST['level']) . "',
+                    level=?,
-                    description='" . stripslashes($_POST['description']) . "'
+                    description=?
-                    WHERE id='$id' AND fiscalyear='{$config['FISCALYEAR']}'
+                    WHERE id=? AND fiscalyear=?
                    ");
-            $stmt->execute();
+            $stmt->execute([$_POST['min'],$_POST['max'],stripslashes($_POST['level']),stripslashes($_POST['description']),$id,$config['FISCALYEAR']]);
            happy_('Level Saved');
        } else {
            $stmt = $pdo->prepare("INSERT INTO fundraising_donor_levels (`level`,`min`,`max`,`description`,`fiscalyear`) VALUES (
-                '" . $_POST['level'] . "',
+                ?,
-                '" . $_POST['min'] . "',
+                ?,
-                '" . $_POST['max'] . "',
+                ?,
-                '" . $_POST['description'] . "',
+                ?,
-                '{$config['FISCALYEAR']}')");
+                ?)");
-            $stmt->execute();
+            $stmt->execute([$_POST['level'],$_POST['min'],$_POST['max'],$_POST['description'],$config['FISCALYEAR']]);
            happy_('Level Created');
        }
        exit;
        break;
    case 'level_delete':
        $id = $_POST['id'];
-        $stmt = $pdo->prepare("DELETE FROM fundraising_donor_levels WHERE id='$id' AND fiscalyear='{$config['FISCALYEAR']}'");
+        $stmt = $pdo->prepare("DELETE FROM fundraising_donor_levels WHERE id=? AND fiscalyear=?");
-        $stmt->execute();
+        $stmt->execute([$id,$config['FISCALYEAR']]);
        happy_('Level Deleted');
        exit;
        break;
@ -261,20 +261,20 @@ switch (get_value_from_array($_GET, 'action')) {
        }
        if ($id) {
            $stmt = $pdo->prepare("UPDATE fundraising_goals SET
-                    budget='" . $_POST['budget'] . "',
+                    budget=?,
-                    deadline='" . $_POST['deadline'] . "',
+                    deadline=?,
-                    name='" . stripslashes($_POST['name']) . "',
+                    name=?,
-                    description='" . stripslashes($_POST['description']) . "'
+                    description=?
-                    WHERE id='$id' AND fiscalyear='{$config['FISCALYEAR']}'
+                    WHERE id=? AND fiscalyear=?
                    ");
-            $stmt->execute();
+            $stmt->execute([$_POST['budget'],$_POST['deadline'],stripslashes($_POST['name']),stripslashes($_POST['description']),$id,$config['FISCALYEAR']]);
            happy_('Purpose Saved');
        } else {
            $goal = strtolower($_POST['name']);
            $goal = preg_replace('[^a-z]', '', $goal);
            echo "SELECT * FROM fundraising_goals WHERE goal='$goal' AND fiscalyear='{$config['FISCALYEAR']}'";
-            $q = $pdo->prepare("SELECT * FROM fundraising_goals WHERE goal='$goal' AND fiscalyear='{$config['FISCALYEAR']}'");
+            $q = $pdo->prepare("SELECT * FROM fundraising_goals WHERE goal=? AND fiscalyear=?");
-            $q->execute();
+            $q->execute([$goal,$config['FISCALYEAR']]);
            show_pdo_errors_if_any($pdo);
            if ($q->rowCount()) {
                error_('The automatically generated purpose key (%1) generated from (%2) is not unique.  Please try a different Purpose Name', array($goal, $_POST['name']));
@ -282,13 +282,13 @@ switch (get_value_from_array($_GET, 'action')) {
            }
            $stmt = $pdo->prepare("INSERT INTO fundraising_goals (`goal`,`name`,`budget`,`deadline`,`description`,`fiscalyear`) VALUES (
-                '" . $goal . "',
+                ?,
-                '" . $_POST['name'] . "',
+                ?,
-                '" . $_POST['budget'] . "',
+                ?,
-                '" . $_POST['deadline'] . "',
+                ?,
-                '" . $_POST['description'] . "',
+                ?,
-                '{$config['FISCALYEAR']}')");
+                ?)");
-            $stmt->execute();
+            $stmt->execute([$goal,$_POST['name'],$_POST['budget'],$_POST['deadline'],$_POST['description'],$config['FISCALYEAR']]);
            happy_('Purpose Created');
        }
        exit;
@ -296,8 +296,8 @@ switch (get_value_from_array($_GET, 'action')) {
    case 'goal_delete':
        $id = $_POST['id'];
        // they cant delete system ones
-        $q = $pdo->prepare("SELECT * FROM fundraising_goals WHERE id='$id' AND fiscalyear='{$config['FISCALYEAR']}'");
+        $q = $pdo->prepare("SELECT * FROM fundraising_goals WHERE id=? AND fiscalyear=?");
-        $q->execute();
+        $q->execute([$id,$config['FISCALYEAR']]);
        if (!$r = $q->fetch(PDO::FETCH_OBJ)) {
            error_('Invalid goal to delete');
            exit;
@ -306,15 +306,15 @@ switch (get_value_from_array($_GET, 'action')) {
            error_('Fundraising goals created automatically and used by the system cannot be deleted');
            exit;
        }
-        $q = $pdo->prepare("SELECT * FROM fundraising_donations WHERE fundraising_goal='$r->goal' AND fiscalyear='{$config['FISCALYEAR']}'");
+        $q = $pdo->prepare("SELECT * FROM fundraising_donations WHERE fundraising_goal=? AND fiscalyear=?");
-        $q->execute();
+        $q->execute([$r->goal,$config['FISCALYEAR']]);
        if ($q->rowCount()) {
            error_('This goal already has donations assigned to it, it cannot be deleted');
            exit;
        }
-        $stmt = $pdo->prepare("DELETE FROM fundraising_goals WHERE id='$id' AND fiscalyear='{$config['FISCALYEAR']}'");
+        $stmt = $pdo->prepare("DELETE FROM fundraising_goals WHERE id=? AND fiscalyear=?");
-        $stmt->execute();
+        $stmt->execute([$id,$config['FISCALYEAR']]);
        happy_('Purpose Deleted');
        exit;
        break;
@ -322,14 +322,14 @@ switch (get_value_from_array($_GET, 'action')) {
    case 'setup_save':
        $fye = sprintf('%02d-%02d', intval($_POST['fiscalendmonth']), intval($_POST['fiscalendday']));
-        $stmt = $pdo->prepare("UPDATE config SET val='$fye' WHERE var='fiscal_yearend' AND year='{$config['FAIRYEAR']}'");
+        $stmt = $pdo->prepare("UPDATE config SET val=? WHERE var='fiscal_yearend' AND year=?");
-        $stmt->execute();
+        $stmt->execute([$fye,$config['FAIRYEAR']]);
-        $stmt = $pdo->prepare("UPDATE config SET val='" . $_POST['registeredcharity'] . "' WHERE var='registered_charity' AND year='{$config['FAIRYEAR']}'");
+        $stmt = $pdo->prepare("UPDATE config SET val=? WHERE var='registered_charity' AND year=?");
-        $stmt->execute();
+        $stmt->execute([$_POST['registeredcharity'],$config['FAIRYEAR']]);
-        $stmt = $pdo->prepare("UPDATE config SET val='" . $_POST['charitynumber'] . "' WHERE var='charity_number' AND year='{$config['FAIRYEAR']}'");
+        $stmt = $pdo->prepare("UPDATE config SET val=? WHERE var='charity_number' AND year=?");
-        $stmt->execute();
+        $stmt->execute([$_POST['charitynumber'],$config['FAIRYEAR']]);
        happy_('Fundraising module setup saved');
        exit;
        break;
--- a/admin/fundraising_sponsorship.php
+++ b/admin/fundraising_sponsorship.php
@ -29,8 +29,8 @@ user_auth_required('committee', 'admin');
 if ($_GET['id']) {
 	$id = intval($_GET['id']);
-	$q = $pdo->prepare("SELECT fundraising_donations.*, sponsors.organization FROM fundraising_donations,sponsors WHERE fundraising_donations.id='$id' AND fundraising_donations.sponsors_id=sponsors.id");
+	$q = $pdo->prepare("SELECT fundraising_donations.*, sponsors.organization FROM fundraising_donations,sponsors WHERE fundraising_donations.id=? AND fundraising_donations.sponsors_id=sponsors.id");
-	$q->execute();
+	$q->execute([$id]);
 	$sponsorship = $q->fetch(PDO::FETCH_OBJ);
 	$formaction = 'sponsorshipedit';
 } else {
--- a/admin/fundraising_sponsorship_handler.inc.php
+++ b/admin/fundraising_sponsorship_handler.inc.php
@ -1,7 +1,7 @@
 <?
 if ($_POST['action'] == 'sponsorshipdelete') {
-	$stmt = $pdo->prepare("DELETE FROM fundraising_donations WHERE id='" . intval($_POST['delete']) . "'");
+	$stmt = $pdo->prepare("DELETE FROM fundraising_donations WHERE id=?");
-	$stmt->execute();
+	$stmt->execute([intval($_POST['delete'])]);
 	if ($pdo->rowCount())
 		happy_('Successfully removed sponsorship');
 	exit;
@ -24,8 +24,8 @@ if ($_POST['action'] == 'sponsorshipedit' || $_POST['action'] == 'sponsorshipadd
 if ($_POST['action'] == 'sponsorshipedit') {
 	if ($fundraising_donations_id && $fundraising_type && $value) {
-		$q = $pdo->prepare("SELECT * FROM fundraising_donations WHERE id='$fundraising_donations_id'");
+		$q = $pdo->prepare("SELECT * FROM fundraising_donations WHERE id=?");
-		$q->execute();
+		$q->execute([$fundraising_donations_id]);
 		$current = $q->fetch(PDO::FETCH_OBJ);
 		unset($log);
@ -43,15 +43,15 @@ if ($_POST['action'] == 'sponsorshipedit') {
 			$log[] = "Changed sponsorship probability from $current->probability to $probability";
 		if (count($log)) {
-			$stmt = $pdo->prepare("UPDATE fundraising_donations SET fundraising_type='$fundraising_type', value='$value', status='$status', probability='$probability' WHERE id='$fundraising_donations_id'");
+			$stmt = $pdo->prepare("UPDATE fundraising_donations SET fundraising_type=?, value=?, status=?, probability=? WHERE id=?");
-			$stmt->execute();
+			$stmt->execute([$fundraising_type,$value,$status,$probability,$fundraising_donations_id]);
 			foreach ($log AS $l) {
 				$stmt = $pdo->prepare("INSERT INTO fundraising_donor_logs (sponsors_id,dt,users_id,log) VALUES (
-						'$current->sponsors_id',
+						?,
 						NOW(),
-						'" . $_SESSION['users_id'] . "',
+						?,
-						'" . $l . "')");
+						?)");
-				$stmt->execute();
+				$stmt->execute([$current->sponsors_id,$_SESSION['users_id'],$l]);
 			}
 			if ($pdo->errorInfo())
 				echo error_($pdo->errorInfo());
@ -66,16 +66,16 @@ if ($_POST['action'] == 'sponsorshipedit') {
 }
 if ($_POST['action'] == 'sponsorshipadd') {
 	if ($sponsors_id && $fundraising_type && $value) {
-		$stmt = $pdo->prepare("INSERT INTO fundraising_donations (sponsors_id,fundraising_type,value,status,probability,fiscalyear) VALUES ('$sponsors_id','$fundraising_type','$value','$status','$probability','{$config['FISCALYEAR']}')");
+		$stmt = $pdo->prepare("INSERT INTO fundraising_donations (sponsors_id,fundraising_type,value,status,probability,fiscalyear) VALUES (?,?,?,?,?,?)");
-		$stmt->execute();
+		$stmt->execute([$sponsors_id,$fundraising_type,$value,$status,$probability,$config['FISCALYEAR']]);
 		$stmt = $pdo->prepare("INSERT INTO fundraising_donor_logs (sponsors_id,dt,users_id,log) VALUES (
-		$stmt->execute();
+			?,
 			'$sponsors_id',
 			NOW(),
-			'" . $_SESSION['users_id'] . "',
+			?,
-			'" . "Created sponsorship: type=$fundraising_type, value=\$$value, status=$status, probability=$probability%") . "')";
+			'" . "Created sponsorship: type=?, value=\$?, status=?, probability=?%") . "')";
 		happy_('Added new sponsorship');
 		$stmt->execute([$sponsors_id,$_SESSION['users_id'],$fundraising_type,$value,$status,$probability]);
 	} else
 		error_('Required fields were missing, please try again');
 	if ($pdo->errorInfo())
--- a/admin/fundraising_types.php
+++ b/admin/fundraising_types.php
@ -29,8 +29,8 @@ user_auth_required('committee', 'admin');
 if ($_GET['id']) {
 	$id = intval($_GET['id']);
-	$q = $pdo->prepare("SELECT * FROM fundraising WHERE id='$id'");
+	$q = $pdo->prepare("SELECT * FROM fundraising WHERE id=?");
-	$q->execute();
+	$q->execute([$id]);
 	//	echo "<h2>Edit Fund</h2>";
 	$fund = $q->fetch(PDO::FETCH_OBJ);
 	$formaction = 'fundedit';
--- a/admin/gettranslation.php
+++ b/admin/gettranslation.php
@ -30,8 +30,8 @@ $ret = array();
 foreach ($config['languages'] AS $l => $ln) {
        if ($l == $config['default_language'])
                continue;
-        $q = $pdo->prepare("SELECT * FROM translations WHERE lang='$l' AND strmd5='" . md5(iconv('ISO-8859-1', 'UTF-8', $_GET['str'])) . "'");
+        $q = $pdo->prepare("SELECT * FROM translations WHERE lang=? AND strmd5=?");
-        $q->execute();
+        $q->execute([$l,md5(iconv('ISO-8859-1', 'UTF-8', $_GET['str']))]);
        if ($r = $q->fetch(PDO::FETCH_OBJ))
                $ret[$l] = iconv('ISO-8859-1', 'UTF-8', $r->val);
        else
--- a/admin/judges_info.php
+++ b/admin/judges_info.php
@ -105,8 +105,8 @@ if ($id < 1) {
 // get their availability
 $availabilityText = '';
 if ($config['judges_availability_enable'] == 'yes') {
-	$q = $pdo->prepare("SELECT * FROM judges_availability WHERE users_id=\"{$judgeinfo['id']}\" ORDER BY `start`");
+	$q = $pdo->prepare("SELECT * FROM judges_availability WHERE users_id=\"?\" ORDER BY `start`");
-	$q->execute();
+	$q->execute([$judgeinfo['id']]);
 	$sel = array();
 	while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 		$st = substr($r->start, 0, 5);
@ -133,7 +133,7 @@ if ($judgeinfo['special_award_only'] == 'yes') {
 		. ' JOIN award_awards aa ON aa.id = jss.award_awards_id'
 		. ' WHERE users.id=' . $id;
 	$results = $pdo->prepare($query);
-	$results . execute();
+	$results->execute();
 	while ($record = $results . fetch()) {
 		$awardList[] = $record['awardname'];
 	}
@ -143,8 +143,8 @@ if ($judgeinfo['special_award_only'] == 'yes') {
 }
 // get their preference for age category
-$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year='{$config['FAIRYEAR']}'");
+$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year=?");
-$q->execute();
+$q->execute([$config['FAIRYEAR']]);
 $catPreferenceText = $pdo->errorInfo() . '<ul>';
 while ($r = $q->fetch(PDO::FETCH_OBJ)) {
@ -188,8 +188,8 @@ $catPreferenceText .= '</ul>';
 <?php
 // grab the list of divisions, because the last fields of the table will be the sub-divisions
-$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year='{$config['FAIRYEAR']}' ORDER BY id");
+$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year=? ORDER BY id");
-$q->execute();
+$q->execute([$config['FAIRYEAR']]);
 $divs = array();
 while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 	$divs[] = $r->id;
@ -203,8 +203,8 @@ foreach ($divs as $div) {
 	echo '<td>';
 	$subq = $pdo->prepare("SELECT * FROM projectsubdivisions WHERE 
-				projectdivisions_id='$div' AND year='{$config['FAIRYEAR']}' ORDER BY subdivision");
+				projectdivisions_id=? AND year=? ORDER BY subdivision");
-	$subq->execute();
+	$subq->execute([$div,$config['FAIRYEAR']]);
 	$sd = array();
 	while ($subr = $subq->fetch(PDO::FETCH_OBJ)) {
 		if ($u['div_prefs_sub'][$subr->id] == 1) {
--- a/admin/judges_jdiv.php
+++ b/admin/judges_jdiv.php
@ -56,16 +56,16 @@ function newbuttonclicked(jdivs)
 $div = array();
 $divshort = array();
-$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY id");
+$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year=? ORDER BY id");
-$q->execute();
+$q->execute([$config['FAIRYEAR']]);
 while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 	$divshort[$r->id] = $r->division_shortform;
 	$div[$r->id] = $r->division;
 }
 $cat = array();
-$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY id");
+$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year=? ORDER BY id");
-$q->execute();
+$q->execute([$config['FAIRYEAR']]);
 while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 	$cat[$r->id] = $r->category;
 }
@ -74,8 +74,8 @@ $dkeys = array_keys($div);
 $ckeys = array_keys($cat);
 if ($config['filterdivisionbycategory'] == 'yes') {
-	$q = $pdo->prepare("SELECT * FROM projectcategoriesdivisions_link WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY projectdivisions_id,projectcategories_id");
+	$q = $pdo->prepare("SELECT * FROM projectcategoriesdivisions_link WHERE year=? ORDER BY projectdivisions_id,projectcategories_id");
-	$q->execute();
+	$q->execute([$config['FAIRYEAR']]);
 	$divcat = array();
 	while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 		$divcat[] = array('c' => $r->projectcategories_id, 'd' => $r->projectdivisions_id);
@ -133,13 +133,13 @@ function get_all_divs()
 			 * unassigned anymore
 			 */
 			$stmt = $pdo->prepare('INSERT INTO judges_jdiv (id, jdiv_id, projectdivisions_id, projectcategories_id, lang) '
-				. " VALUES('', 0, '$y', '$x', '$z')");
+				. " VALUES('', 0,?,?,?)");
-			$stmt->execute();
+			$stmt->execute([$y,$x,$z]);
 			$q = $pdo->prepare('SELECT id FROM judges_jdiv WHERE '
-				. " projectdivisions_id='$y' "
+				. " projectdivisions_id=?"
-				. " AND projectcategories_id='$x' "
+				. " AND projectcategories_id=?"
-				. " AND lang='$z' ");
+				. " AND lang=?");
-			$q->execute();
+			$q->execute([$y,$x,$z]);
 			$r = $q->fetch(PDO::FETCH_OBJ);
 			$cdl[$r->id]['id'] = $r->id;
@ -159,13 +159,13 @@ function get_all_divs()
 		$y = $divshort[$cdl[$id]['div']];
 		$z = $div[$cdl[$id]['div']];
 		$q = $pdo->prepare('SELECT count(projects.id) AS cnt FROM projects,registrations WHERE '
-			. " projectdivisions_id='{$cdl[$id]['div']}' "
+			. " projectdivisions_id=?"
-			. " AND projectcategories_id='{$cdl[$id]['cat']}' "
+			. " AND projectcategories_id=?"
-			. " AND language='{$cdl[$id]['lang']}' "
+			. " AND language=?"
-			. " AND registrations.year='{$config['FAIRYEAR']}'"
+			. " AND registrations.year=?"
 			. ' AND projects.registrations_id=registrations.id'
 			. " AND (registrations.status='complete' OR registrations.status='paymentpending')");
-		$q->execute();
+		$q->execute([$cdl[$id]['div'],$cdl[$id]['cat'],$cdl[$id]['lang'],$config['FAIRYEAR']]);
 		$r = $q->fetch(PDO::FETCH_OBJ);
 		show_pdo_errors_if_any($pdo);
@ -180,21 +180,21 @@ function get_all_divs()
 if (get_value_from_array($_POST, 'action') == 'add' && get_value_from_array($_POST, 'jdiv_id') && count(get_value_from_array($_POST, 'cdllist', [])) > 0) {
 	foreach ($_POST['cdllist'] AS $selectedcdl) {
-		$q = $pdo->prepare("UPDATE judges_jdiv SET jdiv_id='{$_POST['jdiv_id']}' WHERE "
+		$q = $pdo->prepare("UPDATE judges_jdiv SET jdiv_id=? WHERE "
-			. " id='$selectedcdl' ");
+			. " id=?");
-		$q->execute();
+		$q->execute([$_POST['jdiv_id'],$selectedcdl]);
 	}
 	echo happy(i18n('Judging Division(s) successfully added'));
 }
 if (get_value_from_array($_GET, 'action') == 'del' && get_value_from_array($_GET, 'cdl_id')) {
-	$stmt = $pdo->prepare("UPDATE judges_jdiv SET jdiv_id=0 WHERE id='{$_GET['cdl_id']}'");
+	$stmt = $pdo->prepare("UPDATE judges_jdiv SET jdiv_id=0 WHERE id=?");
-	$stmt->execute();
+	$stmt->execute([$_GET['cdl_id']]);
 }
 if (get_value_from_array($_GET, 'action') == 'empty' && get_value_from_array($_GET, 'jdiv_id')) {
-	$stmt = $pdo->prepare("UPDATE judges_jdiv SET jdiv_id=0 WHERE jdiv_id='{$_GET['jdiv_id']}' ");
+	$stmt = $pdo->prepare("UPDATE judges_jdiv SET jdiv_id=0 WHERE jdiv_id=?");
-	$stmt->execute();
+	$stmt->execute([$_GET['jdiv_id']]);
 	echo happy(i18n('Emptied all divisions from Judging Division Group %1', array($_GET['jdiv_id'])));
 }
--- a/admin/judges_sa.php
+++ b/admin/judges_sa.php
@ -63,9 +63,9 @@ function set_status($txt)
 {
 	global $pdo;
 	TRACE("Status: $txt\n");
-	$stmt = $pdo->prepare("UPDATE config SET val='$txt' WHERE 
+	$stmt = $pdo->prepare("UPDATE config SET val=? WHERE 
 			var='judge_scheduler_activity' AND year=0");
-	$stmt->execute();
+	$stmt->execute([$txt]);
 }
 $set_percent_last_percent = -1;
@ -78,9 +78,9 @@ function set_percent($n)
 	if ($p == $set_percent_last_percent)
 		return;
 	TRACE("Progress: $p\%\n");
-	$stmt = $pdo->prepare("UPDATE config SET val='$p' WHERE 
+	$stmt = $pdo->prepare("UPDATE config SET val=? WHERE 
 			var='judge_scheduler_percent' AND year=0");
-	$stmt->execute();
+	$stmt->execute([$p]);
 	$set_percent_last_percent = $p;
 }
@ -413,8 +413,8 @@ set_status('Loading Data From Database...');
 TRACE("\n\n");
 $div = array();
 TRACE("Loading Project Divisions...\n");
-$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY id");
+$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year=? ORDER BY id");
-$q->execute();
+$q->execute([$config['FAIRYEAR']]);
 while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 	$divshort[$r->id] = $r->division_shortform;
 	$div[$r->id] = $r->division;
@ -423,8 +423,8 @@ while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 TRACE("Loading Project Age Categories...\n");
 $cat = array();
-$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY id");
+$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year=? ORDER BY id");
-$q->execute();
+$q->execute([$config['FAIRYEAR']]);
 while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 	$cat[$r->id] = $r->category;
 	TRACE("   {$r->id} - {$r->category}\n");
@ -442,14 +442,14 @@ while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 TRACE("Loading Judging Round time data...\n");
 $round_special_awards = array();
 $round = array();
-$q = $pdo->prepare("SELECT * FROM judges_timeslots WHERE round_id='0' AND `year`='{$config['FAIRYEAR']}'");
+$q = $pdo->prepare("SELECT * FROM judges_timeslots WHERE round_id='0' AND `year`=?");
-$q->execute();
+$q->execute([$config['FAIRYEAR']]);
 /* Loads judges_timeslots.id, .starttime, .endtime, .date, .name */
 while ($r = $q->fetch(PDO::FETCH_ASSOC)) {
 	TRACE("   id:{$r['id']} type:{$r['type']} name:{$r['name']}\n");
-	$qq = $pdo->prepare("SELECT * FROM judges_timeslots WHERE round_id='{$r['id']}'");
+	$qq = $pdo->prepare("SELECT * FROM judges_timeslots WHERE round_id=?");
-	$qq->execute();
+	$qq->execute([$r['id']]);
 	if ($qq->rowCount() == 0) {
 		echo "ERROR: Round type:{$r['type']} name:{$r['name']} has no judging timeslots!  Abort.\n";
 		exit;
@ -497,13 +497,13 @@ foreach ($keys as $jdiv_id) {
 			TRACE("\t- ");
 		TRACE($cat[$d['cat']] . ' ' . $div[$d['div']] . ' - ' . $langr[$d['lang']]);
 		$qp = $pdo->prepare('SELECT projects.* FROM projects, registrations WHERE '
-			. " projects.year='" . $config['FAIRYEAR'] . "' AND "
+			. " projects.year=? AND "
-			. " projectdivisions_id='{$d['div']}' AND "
+			. " projectdivisions_id=? AND "
-			. " projectcategories_id='{$d['cat']}' AND "
+			. " projectcategories_id=? AND "
-			. " language='{$d['lang']}' AND "
+			. " language=? AND "
 			. ' registrations.id = projects.registrations_id '
 			. getJudgingEligibilityCode());
-		$qp->execute();
+		$qp->execute([$config['FAIRYEAR'],$d['div'],$d['cat'],$d['lang']]);
 		$count = 0;
 		while ($rp = $qp->fetch(PDO::FETCH_OBJ)) {
 			$jdiv[$jdiv_id]['projects'][$rp->id] = array(
@ -524,37 +524,37 @@ foreach ($keys as $jdiv_id) {
 /* Clean out the judging teams that were autocreated in a previous run */
 TRACE('Deleting autocreated divisional and special award judging teams:');
-$q = $pdo->prepare("SELECT * FROM judges_teams WHERE autocreate_type_id=1 AND year={$config['FAIRYEAR']}");
+$q = $pdo->prepare("SELECT * FROM judges_teams WHERE autocreate_type_id=1 AND year=?");
-$q->execute();
+$q->execute([$config['FAIRYEAR']]);
 while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 	$id = $r->id;
 	print (" $id");
 	/* Clean out the judges_teams_link */
-	$stmt = $pdo->prepare("DELETE FROM judges_teams_link WHERE judges_teams_id='$id' AND year={$config['FAIRYEAR']}");
+	$stmt = $pdo->prepare("DELETE FROM judges_teams_link WHERE judges_teams_id=? AND year=?");
-	$stmt->execute();
+	$stmt->execute([$id,$config['FAIRYEAR']]);
 	show_pdo_errors_if_any($pdo);
 	/* Awards */
-	$stmt = $pdo->prepare("DELETE FROM judges_teams_awards_link WHERE judges_teams_id='$id' AND year={$config['FAIRYEAR']}");
+	$stmt = $pdo->prepare("DELETE FROM judges_teams_awards_link WHERE judges_teams_id=? AND year=?");
-	$stmt->execute();
+	$stmt->execute([$id,$config['FAIRYEAR']]);
 	show_pdo_errors_if_any($pdo);
 	/* Timeslots */
-	$stmt = $pdo->prepare("DELETE FROM judges_teams_timeslots_link WHERE judges_teams_id='$id' AND year={$config['FAIRYEAR']}");
+	$stmt = $pdo->prepare("DELETE FROM judges_teams_timeslots_link WHERE judges_teams_id=? AND year=?");
-	$stmt->execute();
+	$stmt->execute([$id,$config['FAIRYEAR']]);
 	show_pdo_errors_if_any($pdo);
 	/* Timeslots projects */
-	$stmt = $pdo->prepare("DELETE FROM judges_teams_timeslots_projects_link WHERE judges_teams_id='$id' AND year={$config['FAIRYEAR']}");
+	$stmt = $pdo->prepare("DELETE FROM judges_teams_timeslots_projects_link WHERE judges_teams_id=? AND year=?");
-	$stmt->execute();
+	$stmt->execute([$id,$config['FAIRYEAR']]);
 	show_pdo_errors_if_any($pdo);
 }
 echo "\n";
 /* Finally, delete all the autocreated judges teams */
-$stmt = $pdo->prepare("DELETE FROM judges_teams WHERE autocreate_type_id=1 AND year={$config['FAIRYEAR']}");
+$stmt = $pdo->prepare("DELETE FROM judges_teams WHERE autocreate_type_id=1 AND year=?");
-$stmt->execute();
+$stmt->execute([$config['FAIRYEAR']]);
 show_pdo_errors_if_any($pdo);
 /*
@ -564,14 +564,14 @@ show_pdo_errors_if_any($pdo);
 $q = $pdo->prepare("SELECT judges_teams_link.id, judges_teams.id AS judges_teams_id 
 			FROM judges_teams_link 
 			LEFT JOIN judges_teams ON judges_teams_link.judges_teams_id=judges_teams.id 
-			WHERE judges_teams_link.year={$config['FAIRYEAR']}");
+			WHERE judges_teams_link.year=?");
-$q->execute();
+$q->execute([$config['FAIRYEAR']]);
 $n = 0;
 while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 	if (!$r->judges_teams_id) {
-		$stmt = $pdo->prepare("DELETE FROM judges_teams_link WHERE id='$r->id'");
+		$stmt = $pdo->prepare("DELETE FROM judges_teams_link WHERE id=?");
-		$stmt->execute();
+		$stmt->execute([$r->id]);
 		$n++;
 	}
 }
@ -595,9 +595,9 @@ foreach ($judges as &$j) {
 	}
 	$q = $pdo->prepare("SELECT users_id FROM judges_teams_link WHERE 
-				users_id='{$j['id']}'
+				users_id=?
-				AND year='{$config['FAIRYEAR']}'");
+				AND year=?");
-	$q->execute();
+	$q->execute([$j['id'],$config['FAIRYEAR']]);
 	if ($q->rowCount() != 0) {
 		TRACE("   {$j['name']} is already on a judging team, skipping.\n");
 		unset($judges[$j['id']]);
@ -605,8 +605,8 @@ foreach ($judges as &$j) {
 	}
 	if ($config['judges_availability_enable'] == 'yes') {
 		/* Load the judge time availability */
-		$q = $pdo->prepare("SELECT * FROM judges_availability WHERE users_id='{$j['id']}' ORDER BY `start`");
+		$q = $pdo->prepare("SELECT * FROM judges_availability WHERE users_id=? ORDER BY `start`");
-		$q->execute();
+		$q->execute([$j['id']]);
 		if ($q->rowCount() == 0) {
 			TRACE("   {$j['name']} hasn't selected any time availability, POTENTIAL BUG (they shouldn't be marked as complete).\n");
 			TRACE("      Ignoring this judge.\n");
@ -624,9 +624,9 @@ foreach ($judges as &$j) {
 				judges_specialaward_sel,award_awards 
 				WHERE
 				award_awards.id=judges_specialaward_sel.award_awards_id
-				AND judges_specialaward_sel.users_id='{$j['id']}'
+				AND judges_specialaward_sel.users_id=?
-				AND award_awards.year='{$config['FAIRYEAR']}'");
+				AND award_awards.year=?");
-	$q->execute();
+	$q->execute([$j['id'],$config['FAIRYEAR']]);
 	show_pdo_errors_if_any($pdo);
 	if ($j['special_award_only'] == 'yes') {
@ -676,8 +676,8 @@ if (count($judges) == 0) {
 * Load the numbers for any user-defined judge teams that already exist,
 * these numbers will be off-limits for auto-assigning numbers
 */
-$q = $pdo->prepare("SELECT * FROM judges_teams WHERE year={$config['FAIRYEAR']}");
+$q = $pdo->prepare("SELECT * FROM judges_teams WHERE year=?");
-$q->execute();
+$q->execute([$config['FAIRYEAR']]);
 $used_judges_teams_numbers = array();
 while ($i = $q->fetch(PDO::FETCH_ASSOC)) {
 	$used_judges_teams_numbers[] = $i['num'];
@ -727,9 +727,9 @@ function judge_team_add_judge($team_id, $users_id)
 	global $config, $judges;
 	$stmt = $pdo->prepare("INSERT INTO judges_teams_link
 		\t (users_id,judges_teams_id,captain,year) 
-	\t VALUES ('$users_id','$team_id','{$judges[$users_id]['willing_chair']}',
+	\t VALUES (?,?,?,
-				'{$config['FAIRYEAR']}')");
+				?)");
-	$stmt->execute();
+	$stmt->execute([$users_id,$team_id,$judges[$users_id]['willing_chair'],$config['FAIRYEAR']]);
 	show_pdo_errors_if_any($pdo);
 }
@ -919,20 +919,20 @@ for ($x = 1; $x < count($jteam); $x++) {
 						award_awards_projectcategories,
 						award_awards_projectdivisions
 					WHERE 
-						award_awards.year='{$config['FAIRYEAR']}'
+						award_awards.year=?
 						AND award_awards.id=award_awards_projectcategories.award_awards_id
 						AND award_awards.id=award_awards_projectdivisions.award_awards_id
-						AND award_awards_projectcategories.projectcategories_id='{$cfg['cat']}'
+						AND award_awards_projectcategories.projectcategories_id=?
-						AND award_awards_projectdivisions.projectdivisions_id='{$cfg['div']}'
+						AND award_awards_projectdivisions.projectdivisions_id=?
 						AND award_awards.award_types_id='1'
 					");
-		$q->execute();
+		$q->execute([$config['FAIRYEAR'],$cfg['cat'],$cfg['div']]);
 		if ($q->rowCount() != 1) {
 			echo error(i18n('Cannot find award for %1 - %2', array($cat[$cfg['cat']], $div[$cfg['div']])));
 		} else {
 			$r = $q->fetch(PDO::FETCH_OBJ);
-			$stmt = $pdo->prepare("INSERT INTO judges_teams_awards_link (award_awards_id,judges_teams_id,year) VALUES ('$r->id','$team_id','{$config['FAIRYEAR']}')");
+			$stmt = $pdo->prepare("INSERT INTO judges_teams_awards_link (award_awards_id,judges_teams_id,year) VALUES (?,?,?)");
-			$stmt->execute();
+			$stmt->execute([$r->id,$team_id,$config['FAIRYEAR']]);
 			/* Add the award ID to the jdiv, if it's not already there */
 			if (!in_array($r->id, $jdiv[$t['jdiv_id']]['award_ids'])) {
 				$jdiv[$t['jdiv_id']]['award_ids'][] = $r->id;
@ -1008,8 +1008,8 @@ if ($round_divisional2 == NULL) {
 		/* Assign all the awards in this jdiv */
 		foreach ($jd['award_ids'] as $aid) {
-			$stmt = $pdo->prepare("INSERT INTO judges_teams_awards_link (award_awards_id,judges_teams_id,year) VALUES ('$aid','$team_id','{$config['FAIRYEAR']}')");
+			$stmt = $pdo->prepare("INSERT INTO judges_teams_awards_link (award_awards_id,judges_teams_id,year) VALUES (?,?,?)");
-			$stmt->execute();
+			$stmt->execute([$aid,$team_id,$config['FAIRYEAR']]);
 		}
 	}
 }
@ -1134,14 +1134,14 @@ if ($config['scheduler_enable_sa_scheduling'] == 'yes') {
 	/* Load special awards */
 	$q = "SELECT award_awards.name,award_awards.id FROM award_awards,award_types
 		WHERE 
-			award_awards.year='{$config['FAIRYEAR']}'
+			award_awards.year=?
 			AND award_types.id=award_awards.award_types_id
 			AND award_awards.schedule_judges='yes'
-			AND award_types.year='{$config['FAIRYEAR']}'
+			AND award_types.year=?
 			AND award_types.type='Special' 
 		";
 	$r = $pdo->prepare($q);
-	$r->execute();
+	$r->execute([$config['FAIRYEAR'],$config['FAIRYEAR']]);
 	print ($pdo->errorInfo());
 	/* sa_jteam for leftover judges, if any */
 	$sa_jteam = array();
@ -1179,8 +1179,8 @@ if ($config['scheduler_enable_sa_scheduling'] == 'yes') {
 		/* Link the award to this team */
 		$stmt = $pdo->prepare("INSERT INTO judges_teams_awards_link (award_awards_id,judges_teams_id,year) 
-				VALUES ('{$i->id}','{$sa_jteam[$x]['id']}','{$config['FAIRYEAR']}')");
+				VALUES (?,?,?)");
-		$stmt->execute();
+		$stmt->execute([$i->id,$sa_jteam[$x]['id'],$config['FAIRYEAR']]);
 		TRACE("Created Team: {$i->name}, " . count($projects) . " projects => $min judges needed (db id:{$sa_jteam[$x]['id']}) \n");
 		$x++;
@ -1397,16 +1397,16 @@ if ($config['scheduler_enable_sa_scheduling'] == 'yes') {
 			/* Do timeslot and project timeslot assignment */
 			$stmt = $pdo->prepare("INSERT INTO judges_teams_timeslots_link 
 							(judges_teams_id,judges_timeslots_id,year)
-							VALUES ('{$t['id']}', '{$r['timeslots'][0]['id']}', '{$config['FAIRYEAR']}')");
+							VALUES (?,?,?)");
-			$stmt->execute();
+			$stmt->execute([$t['id'],$r['timeslots'][0]['id'],$config['FAIRYEAR']]);
 			show_pdo_errors_if_any($pdo);
 			foreach ($t['projects'] as $proj) {
 				$pid = $proj['id'];
 				$stmt = $pdo->prepare("INSERT INTO judges_teams_timeslots_projects_link 
 								(judges_teams_id,judges_timeslots_id,projects_id,year)
-								VALUES ('{$t['id']}', '{$r['timeslots'][0]['id']}', '$pid', '{$config['FAIRYEAR']}')");
+								VALUES (?,?,?,?)");
-				$stmt->execute();
+				$stmt->execute([$t['id'],$r['timeslots'][0]['id'],$pid,$config['FAIRYEAR']]);
 				show_pdo_errors_if_any($pdo);
 			}
 			$ids = $a->bucket[$x];
@ -1437,11 +1437,11 @@ TRACE("Loading Divisional1 Timeslot Data\n");
 $available_timeslots = array();
 $q = $pdo->prepare("SELECT * FROM judges_timeslots WHERE 
-			round_id='{$round_divisional1['id']}' 
+			round_id=? 
-			AND year='{$config['FAIRYEAR']}' 
+			AND year=? 
 			AND type='timeslot'
 			ORDER BY date,starttime");
-$q->execute();
+$q->execute([$round_divisional1['id'],$config['FAIRYEAR']]);
 $x = 0;
 while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 	$available_timeslots[] = array('id' => $r->id,
@ -1622,17 +1622,17 @@ for ($k = 0; $k < $keys_count; $k++) {
 			/* if jteam_id isn't 0, instert it into the db */
 			$stmt = $pdo->prepare('INSERT INTO judges_teams_timeslots_link '
 				. ' (judges_teams_id,judges_timeslots_id,year)'
-				. " VALUES ('{$jteam[$jteam_id]['team_id']}', "
+				. " VALUES (?, "
-				. " '{$available_timeslots[$y]['id']}', "
+				. " ?, "
-				. " '{$config['FAIRYEAR']}')");
+				. " ?)");
-			$stmt->execute();
+			$stmt->execute([$jteam[$jteam_id]['team_id'],$available_timeslots[$y]['id'],$config['FAIRYEAR']]);
 			$stmt = $pdo->prepare('INSERT INTO judges_teams_timeslots_projects_link '
 				. ' (judges_teams_id,judges_timeslots_id,projects_id,year) '
-				. " VALUES ('{$jteam[$jteam_id]['team_id']}', "
+				. " VALUES (?, "
-				. " '{$available_timeslots[$y]['id']}', "
+				. " ?, "
-				. " '$pid', '{$config['FAIRYEAR']}')");
+				. " ?,?)");
-			$stmt->execute();
+			$stmt->execute([$jteam[$jteam_id]['team_id'],$available_timeslots[$y]['id'],$pid,$config['FAIRYEAR']]);
 		}
 		printf("\n");
 	}
--- a/admin/judges_schedulerconfig_check.inc.php
+++ b/admin/judges_schedulerconfig_check.inc.php
@ -5,13 +5,13 @@ function judges_scheduler_check_timeslots()
 	global $config, $pdo;
 	$q = $pdo->prepare('SELECT * FROM judges_timeslots WHERE '
-		. " year='" . $config['FAIRYEAR'] . "'"
+		. " year=?"
 		. " AND `type`='divisional1'");
-	$q->execute();
+	$q->execute([$config['FAIRYEAR']]);
 	if ($q->rowCount()) {
 		$round = $q->fetch(PDO::FETCH_OBJ);
-		$q = $pdo->prepare("SELECT * FROM judges_timeslots WHERE round_id='$round->id' AND type='timeslot'");
+		$q = $pdo->prepare("SELECT * FROM judges_timeslots WHERE round_id=? AND type='timeslot'");
-		$q->execute();
+		$q->execute([$round->id]);
 		return $q->rowCount();
 	} else
 		return 0;
@ -23,13 +23,13 @@ function judges_scheduler_check_timeslots_sa()
 	$rows = 0;
 	$q = $pdo->prepare('SELECT * FROM judges_timeslots WHERE '
-		. " year='" . $config['FAIRYEAR'] . "'"
+		. " year=?"
 		. " AND `type`='special'");
-	$q->execute();
+	$q->execute([$config['FAIRYEAR']]);
 	if ($q->rowCount()) {
 		while (($round = $q->fetch(PDO::FETCH_OBJ))) {
-			$rq = $pdo->prepare("SELECT * FROM judges_timeslots WHERE round_id='$round->id' AND type='timeslot'");
+			$rq = $pdo->prepare("SELECT * FROM judges_timeslots WHERE round_id=? AND type='timeslot'");
-			$rq->execute();
+			$rq->execute([$round->id]);
 			$rows += $rq->rowCount();
 		}
 	}
@ -40,13 +40,13 @@ function judges_scheduler_check_awards()
 {
 	global $config, $pdo;
-	$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY id");
+	$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year=? ORDER BY id");
-	$q->execute();
+	$q->execute([$config['FAIRYEAR']]);
 	while ($r = $q->fetch(PDO::FETCH_OBJ))
 		$div[$r->id] = $r->division;
-	$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY id");
+	$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year=? ORDER BY id");
-	$q->execute();
+	$q->execute([$config['FAIRYEAR']]);
 	while ($r = $q->fetch(PDO::FETCH_OBJ))
 		$cat[$r->id] = $r->category;
@ -54,8 +54,8 @@ function judges_scheduler_check_awards()
 	$ckeys = array_keys($cat);
 	if ($config['filterdivisionbycategory'] == 'yes') {
-		$q = $pdo->prepare("SELECT * FROM projectcategoriesdivisions_link WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY projectdivisions_id,projectcategories_id");
+		$q = $pdo->prepare("SELECT * FROM projectcategoriesdivisions_link WHERE year=? ORDER BY projectdivisions_id,projectcategories_id");
-		$q->execute();
+		$q->execute([$config['FAIRYEAR']]);
 		$divcat = array();
 		while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 			$divcat[] = array('c' => $r->projectcategories_id, 'd' => $r->projectdivisions_id);
@ -78,16 +78,16 @@ function judges_scheduler_check_awards()
 							award_awards_projectcategories,
 							award_awards_projectdivisions
 						WHERE 
-							award_awards.year='{$config['FAIRYEAR']}'
+							award_awards.year=?
-							AND award_awards_projectcategories.year='{$config['FAIRYEAR']}'
+							AND award_awards_projectcategories.year=?
-							AND award_awards_projectdivisions.year='{$config['FAIRYEAR']}'
+							AND award_awards_projectdivisions.year=?
 							AND award_awards.id=award_awards_projectcategories.award_awards_id
 							AND award_awards.id=award_awards_projectdivisions.award_awards_id
-							AND award_awards_projectcategories.projectcategories_id='$c'
+							AND award_awards_projectcategories.projectcategories_id=?
-							AND award_awards_projectdivisions.projectdivisions_id='$d'
+							AND award_awards_projectdivisions.projectdivisions_id=?
 							AND award_awards.award_types_id='1'
 						");
-		$q->execute();
+		$q->execute([$config['FAIRYEAR'],$config['FAIRYEAR'],$config['FAIRYEAR'],$c,$d]);
 		show_pdo_errors_if_any($pdo);
 		if ($q->rowCount() != 1) {
 			$missing_awards[] = "{$cat[$c]} - {$div[$d]} (" . i18n('%1 found', array($q->rowCount())) . ')';
@ -128,13 +128,13 @@ function judges_scheduler_check_judges()
 		$l = $r->lang;
 		$qp = $pdo->prepare('SELECT COUNT(projects.id) as cnt FROM projects, registrations WHERE '
-			. " projects.year='" . $config['FAIRYEAR'] . "' AND "
+			. " projects.year=? AND "
-			. " projectdivisions_id='$d' AND "
+			. " projectdivisions_id=? AND "
-			. " projectcategories_id='$c' AND "
+			. " projectcategories_id=? AND "
-			. " language='$l' AND "
+			. " language=? AND "
 			. ' registrations.id = projects.registrations_id '
 			. getJudgingEligibilityCode());
-		$qp->execute();
+		$qp->execute([$config['FAIRYEAR'],$d,$c,$l]);
 		$qr = $qp->fetch(PDO::FETCH_OBJ);
 		// if (get_value_from_3d_array($jdiv, $r->jdiv_id, 'num_projects', 'total') !== null){
--- a/admin/judges_teams_members.php
+++ b/admin/judges_teams_members.php
@ -108,8 +108,8 @@ jQuery(document).ready(function(){
 if (get_value_from_array($_POST, 'action') == 'add' && get_value_from_array($_POST, 'team_num') && count(get_value_from_array($_POST, 'judgelist', [])) > 0) {
 	// first check if this team exists.
-	$q = $pdo->prepare("SELECT id,name FROM judges_teams WHERE num='" . $_POST['team_num'] . "' AND year='" . $config['FAIRYEAR'] . "'");
+	$q = $pdo->prepare("SELECT id,name FROM judges_teams WHERE num=? AND year=?");
-	$q->execute();
+	$q->execute([$_POST['team_num'],$config['FAIRYEAR']]);
 	if ($q->rowCount()) {
 		$r = $q->fetch(PDO::FETCH_OBJ);
 		$team_id = $r->id;
@ -127,14 +127,14 @@ if (get_value_from_array($_POST, 'action') == 'add' && get_value_from_array($_PO
 	foreach ($_POST['judgelist'] AS $selectedjudge) {
 		// before we insert them, we need to make sure they dont already belong to this team.  We can not have the same judge assigned to the same team multiple times.
-		$q = $pdo->prepare("SELECT * FROM judges_teams_link WHERE users_id='$selectedjudge' AND judges_teams_id='$team_id'");
+		$q = $pdo->prepare("SELECT * FROM judges_teams_link WHERE users_id=? AND judges_teams_id=?");
-		$q->execute();
+		$q->execute([$selectedjudge,$team_id]);
 		if ($q->rowCount()) {
 			echo notice(i18n('Judge (%1) already belongs to judging team: %2', array($selectedjudge, $team_name)));
 		} else {
 			// lets make the first one we add a captain, the rest, non-captains :)
-			$stmt = $pdo->prepare("INSERT INTO judges_teams_link (users_id,judges_teams_id,captain,year) VALUES ('$selectedjudge','$team_id','$captain','" . $config['FAIRYEAR'] . "')");
+			$stmt = $pdo->prepare("INSERT INTO judges_teams_link (users_id,judges_teams_id,captain,year) VALUES (?,?,?,?)");
-			$stmt->execute();
+			$stmt->execute([$selectedjudge,$team_id,$captain,$config['FAIRYEAR']]);
 			$added++;
 		}
 		// if this is alreayd no, then who cares, but if its the first one that is going into the new team, then
@ -151,13 +151,13 @@ if (get_value_from_array($_POST, 'action') == 'add' && get_value_from_array($_PO
 }
 if (get_value_from_array($_GET, 'action') == 'del' && get_value_from_array($_GET, 'team_num') && get_value_from_array($_GET, 'team_id') && get_value_from_array($_GET, 'users_id')) {
-	$stmt = $pdo->prepare("DELETE FROM judges_teams_link WHERE users_id='" . $_GET['users_id'] . "' AND judges_teams_id='" . $_GET['team_id'] . "' AND year='" . $config['FAIRYEAR'] . "'");
+	$stmt = $pdo->prepare("DELETE FROM judges_teams_link WHERE users_id=? AND judges_teams_id=? AND year=?");
-	$stmt->execute();
+	$stmt->execute([$_GET['users_id'],$_GET['team_id'],$config['FAIRYEAR']]);
 	echo happy(i18n('Removed judge from team #%1 (%2)', array($_GET['team_num'], $_GET['team_name'])));
 	// if there is still members left in the team, make sure we have a captain still
-	$q = $pdo->prepare("SELECT * FROM judges_teams_link WHERE judges_teams_id='" . $_GET['team_id'] . "' AND year='" . $config['FAIRYEAR'] . "'");
+	$q = $pdo->prepare("SELECT * FROM judges_teams_link WHERE judges_teams_id=? AND year=?");
-	$q->execute();
+	$q->execute([$_GET['team_id'],$config['FAIRYEAR']]);
 	if ($q->rowCount()) {
 		// make sure the team still has a captain!
 		// FIXME: this might best come from the "i am willing to be a team captain" question under the judges profile
@ -176,24 +176,24 @@ if (get_value_from_array($_GET, 'action') == 'del' && get_value_from_array($_GET
 		}
 		if (!$gotcaptain) {
 			// make the first judge the captain
-			$stmt = $pdo->prepare("UPDATE judges_teams_link SET captain='yes' WHERE judges_teams_id='" . $_GET['team_id'] . "' AND users_id='$firstjudge' AND year='" . $config['FAIRYEAR'] . "'");
+			$stmt = $pdo->prepare("UPDATE judges_teams_link SET captain='yes' WHERE judges_teams_id=? AND users_id=? AND year=?");
-			$stmt->execute();
+			$stmt->execute([$_GET['team_id'],$firstjudge,$config['FAIRYEAR']]);
 			echo notice(i18n('Team captain was removed. A new team captain has been automatically assigned'));
 		}
 	}
 }
 if (get_value_from_array($_GET, 'action') == 'empty' && get_value_from_array($_GET, 'team_num') && get_value_from_array($_GET, 'team_id')) {
-	$stmt = $pdo->prepare("DELETE FROM judges_teams_link WHERE judges_teams_id='" . $_GET['team_id'] . "' AND year='" . $config['FAIRYEAR'] . "'");
+	$stmt = $pdo->prepare("DELETE FROM judges_teams_link WHERE judges_teams_id=? AND year=?");
-	$stmt->execute();
+	$stmt->execute([$_GET['team_id'],$config['FAIRYEAR']]);
 	echo happy(i18n('Emptied all judges from team #%1 (%2)', array($_GET['team_num'], $_GET['team_name'])));
 }
 if (get_value_from_array($_POST, 'action') == 'saveteamnames') {
 	if (count($_POST['team_names'])) {
 		foreach ($_POST['team_names'] AS $team_id => $team_name) {
-			$stmt = $pdo->prepare("UPDATE judges_teams SET name='" . stripslashes($team_name) . "' WHERE id='$team_id'");
+			$stmt = $pdo->prepare("UPDATE judges_teams SET name=? WHERE id=?");
-			$stmt->execute();
+			$stmt->execute([stripslashes($team_name),$team_id]);
 		}
 		echo happy(i18n('Team names successfully saved'));
 	}
@ -201,20 +201,20 @@ if (get_value_from_array($_POST, 'action') == 'saveteamnames') {
 if (get_value_from_array($_GET, 'action') == 'addcaptain') {
 	// teams can have as many captains as they want, so just add it.
-	$stmt = $pdo->prepare("UPDATE judges_teams_link SET captain='yes' WHERE judges_teams_id='" . $_GET['team_id'] . "' AND users_id='" . $_GET['judge_id'] . "'");
+	$stmt = $pdo->prepare("UPDATE judges_teams_link SET captain='yes' WHERE judges_teams_id=? AND users_id=?");
-	$stmt->execute();
+	$stmt->execute([ $_GET['team_id'],$_GET['judge_id']]);
 	echo happy(i18n('Team captain assigned'));
 }
 if (get_value_from_array($_GET, 'action') == 'removecaptain') {
 	// teams must always have at least one captain, so if we only have one, and we are trying to remove it, dont let them!
-	$q = $pdo->prepare("SELECT * FROM judges_teams_link WHERE captain='yes' AND judges_teams_id='" . $_GET['team_id'] . "'");
+	$q = $pdo->prepare("SELECT * FROM judges_teams_link WHERE captain='yes' AND judges_teams_id=?");
-	$q->execute();
+	$q->execute([$_GET['team_id']]);
 	if ($q->rowCount() < 2) {
 		echo error(i18n('A judge team must always have at least one captain'));
 	} else {
-		$pdo->prepare("UPDATE judges_teams_link SET captain='no' WHERE judges_teams_id='" . $_GET['team_id'] . "' AND users_id='" . $_GET['judge_id'] . "'");
+		$pdo->prepare("UPDATE judges_teams_link SET captain='no' WHERE judges_teams_id=? AND users_id=?");
-		$pdo->execute();
+		$pdo->execute([$_GET['team_id'],$_GET['judge_id']]);
 		echo happy(i18n('Team captain removed'));
 	}
 }
@ -225,16 +225,16 @@ if (get_value_from_array($_GET, 'action') == 'autoassignspecial') {
 	/* Load all the teams */
 	$teams = array();
-	$q = $pdo->prepare("SELECT * FROM judges_teams WHERE year='{$config['FAIRYEAR']}'");
+	$q = $pdo->prepare("SELECT * FROM judges_teams WHERE year=?");
-	$q->execute();
+	$q->execute([$config['FAIRYEAR']]);
 	while ($i = $q->fetch(PDO::FETCH_ASSOC)) {
 		$teams[$i['id']] = $i;
 	}
 	/* And the links */
 	$links = array();
-	$q = $pdo->prepare("SELECT * FROM judges_teams_link WHERE year='{$config['FAIRYEAR']}'");
+	$q = $pdo->prepare("SELECT * FROM judges_teams_link WHERE year=?");
-	$q->execute();
+	$q->execute([$config['FAIRYEAR']]);
 	while ($i = $q->fetch(PDO::FETCH_ASSOC)) {
 		$judgelist[$i['users_id']]['teams_links'][] = $i;
 	}
@ -254,12 +254,12 @@ if (get_value_from_array($_GET, 'action') == 'autoassignspecial') {
 			foreach ($j['special_award_selected'] AS $awardid) {
 				echo "Looking for a team for award $awardid <br />";
 				// find the award id linked to a team
-				$q = $pdo->prepare("SELECT * FROM judges_teams_awards_link WHERE award_awards_id='{$awardid}' AND year='{$config['FAIRYEAR']}'");
+				$q = $pdo->prepare("SELECT * FROM judges_teams_awards_link WHERE award_awards_id=? AND year=?");
-				$q->execute();
+				$q->execute([$awardid,$config['FAIRYEAR']]);
 				if ($q->rowCount()) {
 					while ($r = $q->fetch(PDO::FETCH_OBJ)) {
-						$stmt = $pdo->prepare("INSERT INTO judges_teams_link (users_id,judges_teams_id,captain,year) VALUES ('$jid','$r->judges_teams_id','yes','{$config['FAIRYEAR']}')");
+						$stmt = $pdo->prepare("INSERT INTO judges_teams_link (users_id,judges_teams_id,captain,year) VALUES (?,?,'yes',?)");
-						$stmt->execute();
+						$stmt->execute([$jid,$r->judges_teams_id,$config['FAIRYEAR']]);
 						echo happy(i18n('%1 %2 to their special award(s) team(s)', array($j['firstname'], $j['lastname'])));
 					}
 				} else {
@ -308,16 +308,16 @@ $judgelist = judges_load_all();
 /* Load all the teams */
 $teams = array();
-$q = $pdo->prepare("SELECT * FROM judges_teams WHERE year='{$config['FAIRYEAR']}'");
+$q = $pdo->prepare("SELECT * FROM judges_teams WHERE year=?");
-$q->execute();
+$q->execute([$config['FAIRYEAR']]);
 while ($i = $q->fetch(PDO::FETCH_ASSOC)) {
 	$teams[$i['id']] = $i;
 }
 /* And the links */
 $links = array();
-$q = $pdo->prepare("SELECT * FROM judges_teams_link WHERE year='{$config['FAIRYEAR']}'");
+$q = $pdo->prepare("SELECT * FROM judges_teams_link WHERE year=?");
-$q->execute();
+$q->execute([$config['FAIRYEAR']]);
 while ($i = $q->fetch(PDO::FETCH_ASSOC)) {
 	$judgelist[$i['users_id']]['teams_links'][] = $i;
 }
--- a/config_editor.inc.php
+++ b/config_editor.inc.php
@ -124,16 +124,16 @@ function config_update_variables($fairyear = NULL, $lastfairyear = NULL)
 		$v = $r2->fetch(PDO::FETCH_ASSOC);
 		$r3 = $pdo->prepare('INSERT INTO config (var,val,category,type,type_values,ord,description,year) VALUES (
-			' . $pdo->quote($v['var']) . ',
+			?,
-			' . $pdo->quote($v['val']) . ',
+			?,
-			' . $pdo->quote($v['category']) . ',
+			?,
-			' . $pdo->quote($v['type']) . ',
+			?,
-			' . $pdo->quote($v['type_values']) . ',
+			?,
-			' . $pdo->quote($v['ord']) . ',
+			?,
-			' . $pdo->quote($v['description']) . ",
+			?,
-			'$fairyear')");
+			?)');
-		$r3->execute();
+		$r3->execute([$pdo->quote($v['var']),$pdo->quote($v['val']),$pdo->quote($v['category']),$pdo->quote($v['type']),$pdo->quote($v['type_values']),$pdo->quote($v['ord']),$pdo->quote($v['description']),$fairyear]);
 		show_pdo_errors_if_any($pdo);
 	}
 }
--- a/db/db.update.118.php
+++ b/db/db.update.118.php
@ -77,14 +77,14 @@ function db_update_118_post()
 		echo "  Linking $user_id to users_sponsor record\n";
 		$stmt = $pdo->prepare("INSERT INTO users_sponsor (`users_id`,`sponsors_id`,`sponsor_complete`,`sponsor_active`,`primary`,`position`,`notes`) VALUES (
-				'" . $user_id . "',
+				?,
-				'" . $r->award_sponsors_id . "',
+				?,
-				'$complete',
+				?,
-				'$active',
+				?,
-				'" . $r->primary . "',
+				?,
-				'" . $r->position . "',
+				?,
-				'" . $r->notes . "')");
+				?)");
-		$stmt->execute();
+		$stmt->execute([$user_id,$r->award_sponsors_id,$complete,$active,$r->primary,$r->position,$r->notes]);
 		show_pdo_errors_if_any($pdo);
 	}
 }
--- a/db/db.update.129.user.inc.php
+++ b/db/db.update.129.user.inc.php
@ -296,9 +296,9 @@ function db129_user_save_type_list($u, $db, $fields)
 		$set .= "`$f`='$data'";
 	}
 	if ($set != '') {
-		$query = "UPDATE $db SET $set WHERE users_id='{$u['id']}'";
+		$query = "UPDATE ? SET ? WHERE users_id=?";
 		$stmt = $pdo->prepare($query);
-		$stmt->execute();
+		$stmt->execute([$db,$set,$u['id']]);
 		if ($pdo->errorInfo()) {
 			show_pdo_errors_if_any($pdo);
 			echo error("Full query: $query");
@ -372,9 +372,9 @@ function db129_user_save($u)
 	// print_r($u);
 	// echo "</pre>";
 	if ($set != '') {
-		$query = "UPDATE users SET $set WHERE id='{$u['id']}'";
+		$query = "UPDATE users SET ? WHERE id=?";
 		$stmt = $pdo->prepare($query);
-		$stmt->execute();
+		$stmt->execute([$set,$u['id']]);
 		//		echo "query=[$query]";
 		show_pdo_errors_if_any($pdo);
 	}
@ -395,8 +395,8 @@ function db129_user_save($u)
 function db129_user_delete_committee($u)
 {
-	$stmt = $pdo->prepare("DELETE FROM committees_link WHERE users_uid='{$u['uid']}'");
+	$stmt = $pdo->prepare("DELETE FROM committees_link WHERE users_uid=?");
-	$stmt->execute();
+	$stmt->execute([$u['uid']]);
 }
 function db129_user_delete_volunteer($u) {}
@ -405,10 +405,10 @@ function db129_user_delete_judge($u)
 {
 	global $config;
 	$id = $u['id'];
-	$stmt = $pdo->prepare("DELETE FROM judges_teams_link WHERE users_id='$id'");
+	$stmt = $pdo->prepare("DELETE FROM judges_teams_link WHERE users_id=?");
-	$stmt->execute();
+	$stmt->execute([$id]);
-	$stmt = $pdo->prepare("DELETE FROM judges_specialawards_sel WHERE users_id='$id'");
+	$stmt = $pdo->prepare("DELETE FROM judges_specialawards_sel WHERE users_id=?");
-	$stmt->execute();
+	$stmt->execute([$id]);
 }
 function db129_user_delete_fair($u) {}
@ -442,8 +442,8 @@ function db129_user_delete($u, $type = false)
 					$types .= ',';
 				$types .= $t;
 			}
-			$stmt = $pdo->prepare("UPDATE users SET types='$types' WHERE id='{$u['id']}'");
+			$stmt = $pdo->prepare("UPDATE users SET types=? WHERE id=?");
-			$stmt->execute();
+			$stmt->execute([$types,$u['id']]);
 		} else {
 			$finish_delete = true;
 		}
@ -455,8 +455,8 @@ function db129_user_delete($u, $type = false)
 		$finish_delete = true;
 	}
 	if ($finish_delete == true) {
-		$stmt = $pdo->prepare("UPDATE users SET deleted='yes', deleteddatetime=NOW() WHERE id='{$u['id']}'");
+		$stmt = $pdo->prepare("UPDATE users SET deleted='yes', deleteddatetime=NOW() WHERE id=?");
-		$stmt->execute();
+		$stmt->execute([$u['id']]);
 	}
 }
@ -491,8 +491,8 @@ function db129_user_purge($u, $type = false)
 					$types .= ',';
 				$types .= $t;
 			}
-			$stmt = $pdo->prepare("UPDATE users SET types='$types' WHERE id='{$u['id']}'");
+			$stmt = $pdo->prepare("UPDATE users SET types=? WHERE id=?");
-			$stmt->execute();
+			$stmt->execute([$types,$u['id']]);
 		} else {
 			$finish_purge = true;
 		}
@ -503,21 +503,21 @@ function db129_user_purge($u, $type = false)
 		 */
 		call_user_func("db129_user_delete_$type", $u);
 		//		call_user_func("user_purge_$type", $u);
-		$stmt = $pdo->prepare("DELETE FROM users_$type WHERE users_id='{$u['id']}'");
+		$stmt = $pdo->prepare("DELETE FROM users_? WHERE users_id=?");
-		$stmt->execute();
+		$stmt->execute([$type,$u['id']]);
 	} else {
 		/* Delete the whole user */
 		foreach ($u['types'] as $t) {
 			call_user_func("db129_user_delete_$t", $u);
 			//			call_user_func("user_purge_$t", $u);
-			$stmt = $pdo->prepare("DELETE FROM users_$t WHERE users_id='{$u['id']}'");
+			$stmt = $pdo->prepare("DELETE FROM users_? WHERE users_id=?");
-			$stmt->execute();
+			$stmt->execute([$t,$u['id']]);
 		}
 		$finish_purge = true;
 	}
 	if ($finish_purge == true) {
-		$stmt = $pdo->prepare("DELETE FROM users WHERE id='{$u['id']}'");
+		$stmt = $pdo->prepare("DELETE FROM users WHERE id=?");
-		$stmt->execute();
+		$stmt->execute([$u['id']]);
 	}
 }
@ -526,8 +526,8 @@ function db129_user_dupe_row($db, $key, $val, $newval)
 {
 	global $config;
 	$nullfields = array('deleteddatetime');  /* Fields that can be null */
-	$q = $pdo->prepare("SELECT * FROM $db WHERE $key='$val'");
+	$q = $pdo->prepare("SELECT * FROM ? WHERE ?=?");
-	$q->execute();
+	$q->execute([$db,$key,$val]);
 	if ($q->rowCount() != 1) {
 		echo "ERROR duplicating row in $db: $key=$val NOT FOUND.\n";
 		exit;
@ -547,10 +547,10 @@ function db129_user_dupe_row($db, $key, $val, $newval)
 	$keys = '`' . join('`,`', array_keys($i)) . '`';
 	$vals = join(',', array_values($i));
-	$q = "INSERT INTO $db ($keys) VALUES ($vals)";
+	$q = "INSERT INTO ? (?) VALUES (?)";
 	//	echo "Dupe Query: [$q]";
 	$r = $pdo->prepare($q);
-	$r->execute();
+	$r->execute([$db,$keys,$vals]);
 	show_pdo_errors_if_any($pdo);
 	$id = $pdo->lastInsertId();
@ -570,9 +570,9 @@ function db129_user_dupe($u, $new_year)
 	 */
 	/* Find the last entry */
-	$q = $pdo->prepare("SELECT id,uid,year,deleted FROM users WHERE uid='{$u['uid']}'
+	$q = $pdo->prepare("SELECT id,uid,year,deleted FROM users WHERE uid=?
 				ORDER BY year DESC LIMIT 1");
-	$q->execute();
+	$q->execute([$u['uid']]);
 	$r = $q->fetch(PDO::FETCH_OBJ);
 	if ($r->deleted == 'yes') {
 		echo "Cannot duplicate user ID {$u['id']}, they are deleted.  Undelete them first.\n";
@ -584,8 +584,8 @@ function db129_user_dupe($u, $new_year)
 	}
 	$id = db129_user_dupe_row('users', 'id', $u['id'], NULL);
-	$q = $pdo->prepare("UPDATE users SET year='$new_year' WHERE id='$id'");
+	$q = $pdo->prepare("UPDATE users SET year=? WHERE id=?");
-	$q->execute();
+	$q->execute([$new_year,$id]);
 	/* Load the new user */
 	$u2 = db129_user_load($id);
@ -630,12 +630,12 @@ function db129_user_create($type, $username, $u = NULL)
 	global $config;
 	if (!is_array($u)) {
 		$stmt = $pdo->prepare("INSERT INTO users (`types`,`username`,`passwordset`,`created`,`year`) 
-			VALUES ('$type', '$username','0000-00-00', NOW(), '{$config['FAIRYEAR']}')");
+			VALUES (?,?,'0000-00-00', NOW(),?)");
-		$stmt->execute();
+		$stmt->execute([$type,$username,$config['FAIRYEAR']]);
 		show_pdo_errors_if_any($pdo);
 		$uid = $pdo->lastInsertId();
-		$stmt = $pdo->prepare("UPDATE users SET uid='$uid' WHERE id='$uid'");
+		$stmt = $pdo->prepare("UPDATE users SET uid=? WHERE id=?");
-		$stmt->execute();
+		$stmt->execute([$uid,$uid]);
 		db129_user_set_password($uid, NULL);
 	} else {
 		/*
@ -649,34 +649,34 @@ function db129_user_create($type, $username, $u = NULL)
 			exit;
 		}
 		$new_types = implode(',', $u['types']) . ',' . $type;
-		$stmt = $pdo->prepare("UPDATE users SET types='$new_types' WHERE id='$uid'");
+		$stmt = $pdo->prepare("UPDATE users SET types=? WHERE id=?");
-		$stmt->execute();
+		$stmt->execute([$new_types,$uid]);
 	}
 	switch ($type) {
 		case 'volunteer':
-			$stmt = $pdo->prepare("INSERT INTO users_volunteer(`users_id`, `volunteer_active`) VALUES ('$uid', 'yes')");
+			$stmt = $pdo->prepare("INSERT INTO users_volunteer(`users_id`, `volunteer_active`) VALUES (?, 'yes')");
-			$stmt->execute();
+			$stmt->execute([$uid]);
 			break;
 		case 'student':
-			//		$stmt = $pdo->prepare("INSERT INTO users_student(`users_id`, `student_active`) VALUES ('$uid', 'yes')");
+			$stmt = $pdo->prepare("INSERT INTO users_student(`users_id`, `student_active`) VALUES (?, 'yes')");
-			$stmt->execute();
+			$stmt->execute([$uid]);
 			break;
 		case 'judge':
-			$stmt = $pdo->prepare("INSERT INTO users_judge(`users_id`, `judge_active`) VALUES ('$uid', 'yes')");
+			$stmt = $pdo->prepare("INSERT INTO users_judge(`users_id`, `judge_active`) VALUES (?, 'yes')");
-			$stmt->execute();
+			$stmt->execute([$uid]);
 			break;
 		case 'fair':
-			$stmt = $pdo->prepare("INSERT INTO users_fair(`users_id`, `fair_active`) VALUES ('$uid', 'yes')");
+			$stmt = $pdo->prepare("INSERT INTO users_fair(`users_id`, `fair_active`) VALUES (?, 'yes')");
-			$stmt->execute();
+			$stmt->execute([$uid]);
 			break;
 		case 'committee':
-			$stmt = $pdo->prepare("INSERT INTO users_committee(`users_id`, `committee_active`) VALUES ('$uid', 'yes')");
+			$stmt = $pdo->prepare("INSERT INTO users_committee(`users_id`, `committee_active`) VALUES (?, 'yes')");
-			$stmt->execute();
+			$stmt->execute([$uid]);
 			break;
 		case 'sponsor':
-			$stmt = $pdo->prepare("INSERT INTO users_sponsor(`users_id`) VALUES ('$uid')");
+			$stmt = $pdo->prepare("INSERT INTO users_sponsor(`users_id`) VALUES (?)");
-			$stmt->execute();
+			$stmt->execute([$uid]);
 			break;
 	}
 	return db129_user_load($uid);
--- a/db/db.update.131.php
+++ b/db/db.update.131.php
@ -12,11 +12,11 @@ function db_update_131_pre()
    $q->execute();
    while ($r = $q->fetch(PDO::FETCH_OBJ)) {
        $total = 0;
-        $awardq = $pdo->prepare("SELECT * FROM award_awards WHERE sponsors_id='$r->id' AND year='$year'");
+        $awardq = $pdo->prepare("SELECT * FROM award_awards WHERE sponsors_id=? AND year=?");
-        $awardq->execute();
+        $awardq->execute([$r->id,$year]);
        while ($awardr = $awardq->fetch(PDO::FETCH_OBJ)) {
-            $prizeq = $pdo->prepare("SELECT cash,scholarship,value,number FROM award_prizes WHERE award_awards_id='$awardr->id'");
+            $prizeq = $pdo->prepare("SELECT cash,scholarship,value,number FROM award_prizes WHERE award_awards_id=?");
-            $prizeq->execute();
+            $prizeq->execute([$awardr->id]);
            while ($prizer = $prizeq->fetch(PDO::FETCH_OBJ)) {
                // some people never set the value for some reason, i dunno why..
                $realvalue = max($prizer->cash + $prizer->scholarship, $prizer->value);
@ -26,15 +26,15 @@ function db_update_131_pre()
        }
        echo "Creating sponsorship for ID: $r->id value: $total\n";
        $pdo->prepare("INSERT INTO sponsorships (sponsors_id,fundraising_type,value,status,probability,year) VALUES (
-            '$r->id',
+            ?,
            'sfawards',
-            '$total',
+            ?,
            'pending',
            '25',
-            '$year')");
+            ?)");
-        $pdo->execute();
+        $pdo->execute([$r->id,$total,$year]);
-        $stmt = $pdo->prepare("INSERT INTO sponsors_logs (sponsors_id,dt,users_id,log) VALUES ('$r->id',NOW(),0,'Automatically created sponsorship from existing sponsor. type=award, value=\$$total, status=pending, probability=25%')");
+        $stmt = $pdo->prepare("INSERT INTO sponsors_logs (sponsors_id,dt,users_id,log) VALUES (?,NOW(),0,'Automatically created sponsorship from existing sponsor. type=award, value=\$?, status=pending, probability=25%')");
-        $stmt->execute();
+        $stmt->execute([$r->id,$total]);
    }
 }
--- a/db/db.update.136.php
+++ b/db/db.update.136.php
@ -9,12 +9,12 @@ function db_update_136_pre()
 				`enable_stats` = 'yes',
 				`enable_awards` = 'yes',
 				`enable_winners` = 'yes',
-				`username` = '{$config['ysf_region_id']}',
+				`username` =?,
-				`password` = '{$config['ysf_region_password']}'
+				`password` =?
 			WHERE 
 				`url`='https://secure.ysf-fsj.ca/awarddownloader/index.php'");
-	$stmt->execute();
+	$stmt->execute([$config['ysf_region_id'],$config['ysf_region_password']]);
 	$stmt = $pdo->prepare("UPDATE fairs SET `abbrv` = 'STO',
 				`website` = 'http://www.scitechontario.org/awarddownloader/help.php',
--- a/db/db.update.142.php
+++ b/db/db.update.142.php
@ -15,8 +15,8 @@ function db_update_142_post()
 			$fiscalyearsuggest = date('Y') + 1;
 		else
 			$fiscalyearsuggest = date('Y');
-		$stmt = $pdo->prepare("INSERT INTO `config` ( `var` , `val` , `category` , `type` , `type_values` , `ord` , `description` , `year`) VALUES ( 'FISCALYEAR', '$fiscalyearsuggest', 'Special', '', '', '0', 'The current fiscal year that the fundraising module is using', '0')");
+		$stmt = $pdo->prepare("INSERT INTO `config` ( `var` , `val` , `category` , `type` , `type_values` , `ord` , `description` , `year`) VALUES ( 'FISCALYEAR',?, 'Special', '', '', '0', 'The current fiscal year that the fundraising module is using', '0')");
-		$stmt->execute();
+		$stmt->execute([$fiscalyearsuggest]);
 	}
 }
--- a/db/db.update.146.php
+++ b/db/db.update.146.php
@ -38,8 +38,8 @@ function db_update_146_handle($name, $email, $phone, $type)
 function db_update_146_post()
 {
 	global $config, $pdo;
-	$q = $pdo->prepare("SELECT * FROM schools WHERE year='{$config['FAIRYEAR']}'");
+	$q = $pdo->prepare("SELECT * FROM schools WHERE year=?");
-	$q->execute();
+	$q->execute([$config['FAIRYEAR']]);
 	while ($s = $q->fetch(PDO::FETCH_ASSOC)) {
 		/* Science head */
 		if (trim($s['sciencehead']) != '') {
@ -48,8 +48,8 @@ function db_update_146_post()
 				$s['scienceheadphone'],
 				'teacher');
 			if ($u != false) {
-				$stmt = $pdo->prepare("UPDATE schools SET sciencehead_uid='{$u['uid']}' WHERE id='{$s['id']}'");
+				$stmt = $pdo->prepare("UPDATE schools SET sciencehead_uid=? WHERE id=?");
-				$stmt->execute();
+				$stmt->execute([$u['uid'],$s['id']]);
 			}
 		}
@ -60,8 +60,8 @@ function db_update_146_post()
 				$s['phone'],
 				'principal');
 			if ($u != false) {
-				$stmt = $pdo->prepare("UPDATE schools SET principal_uid='{$u['uid']}' WHERE id='{$s['id']}'");
+				$stmt = $pdo->prepare("UPDATE schools SET principal_uid=? WHERE id=?");
-				$stmt->execute();
+				$stmt->execute([$u['uid'],$s['id']]);
 			}
 		}
 	}
--- a/db/db.update.146.user.inc.php
+++ b/db/db.update.146.user.inc.php
@ -141,8 +141,8 @@ function db146_user_load_sponsor(&$u)
 	$u['sponsor_complete'] = ($u['sponsor_complete'] == 'yes') ? 'yes' : 'no';
 	$u['sponsor_active'] = ($u['sponsor_active'] == 'yes') ? 'yes' : 'no';
 	if ($u['sponsors_id']) {
-		$q = $pdo->prepare("SELECT * FROM sponsors WHERE id='{$u['sponsors_id']}'");
+		$q = $pdo->prepare("SELECT * FROM sponsors WHERE id=?");
-		$q->execute(0);
+		$q->execute([0,$u['sponsors_id']]);
 		$u['sponsor'] = $q->fetch(PDO::FETCH_ASSOC);
 	}
 	return true;
@ -279,8 +279,8 @@ function db146_user_load_by_email($email)
 {
 	/* Find the most recent uid for the email, regardless of deleted status */
 	$e = $email;
-	$q = $pdo->prepare("SELECT uid FROM users WHERE email='$e' OR username='$e' ORDER BY year DESC LIMIT 1");
+	$q = $pdo->prepare("SELECT uid FROM users WHERE email=? OR username=? ORDER BY year DESC LIMIT 1");
-	$q->execute();
+	$q->execute([$e,$e]);
 	if ($q->rowCount() == 1) {
 		$i = $q->fetch(PDO::FETCH_ASSOC);
@ -291,8 +291,8 @@ function db146_user_load_by_email($email)
 function db146_user_load_by_uid_year($uid, $year)
 {
-	$q = $pdo->prepare("SELECT id FROM users WHERE uid='$uid' AND year <= '$year'");
+	$q = $pdo->prepare("SELECT id FROM users WHERE uid=? AND year <=?");
-	$q->execute();
+	$q->execute([$uid,$year]);
 	if (!$q->rowCount())
 		return false;
 	$i = $q->fetch(PDO::FETCH_ASSOC);
@ -304,8 +304,8 @@ function db146_user_set_password($id, $password = NULL)
 	/* pass $u by reference so we can update it */
 	$save_old = false;
 	if ($password == NULL) {
-		$q = $pdo->prepare("SELECT passwordset FROM users WHERE id='$id'");
+		$q = $pdo->prepare("SELECT passwordset FROM users WHERE id=?");
-		$q->execute();
+		$q->execute([$id]);
 		$u = $q->fetch(PDO::FETCH_ASSOC);
 		/* Generate a new password */
 		$password = db146_user_generate_password(12);
@ -324,9 +324,9 @@ function db146_user_set_password($id, $password = NULL)
 	$set = ($save_old == true) ? 'oldpassword=password, ' : '';
 	$set .= "password='$p', passwordset=$save_set ";
-	$query = "UPDATE users SET $set WHERE id='$id'";
+	$query = "UPDATE users SET ? WHERE id=?";
 	$stmt = $pdo->prepare($query);
-	$stmt->execute();
+	$stmt->execute([$set,$id]);
 	show_pdo_errors_if_any($pdo);
 	return $password;
@ -360,9 +360,9 @@ function db146_user_save_type_list($u, $db, $fields)
 		$set .= "`$f`='$data'";
 	}
 	if ($set != '') {
-		$query = "UPDATE $db SET $set WHERE users_id='{$u['id']}'";
+		$query = "UPDATE ? SET ? WHERE users_id=?";
 		$stmt = $pdo->prepare($query);
-		$stmt->execute();
+		$stmt->execute([$db,$set,$u['id']]);
 		if ($pdo->errorInfo()) {
 			show_pdo_errors_if_any($pdo);
 			echo error("Full query: $query");
@ -430,8 +430,8 @@ function db146_user_save(&$u)
 			exit;
 		}
 		// give em a record, the primary key on the table takes care of uniqueness
-		$q = $pdo->prepare("INSERT INTO users_$t (users_id) VALUES ('{$u['id']}')");
+		$q = $pdo->prepare("INSERT INTO users_? (users_id) VALUES (?)");
-		$q->execute();
+		$q->execute([$t,$u['id']]);
 	}
 	$fields = array('salutation', 'firstname', 'lastname', 'username',
@ -459,9 +459,9 @@ function db146_user_save(&$u)
 	//	print_r($u);
 	//	echo "</pre>";
 	if ($set != '') {
-		$query = "UPDATE users SET $set WHERE id='{$u['id']}'";
+		$query = "UPDATE users SET ? WHERE id=?";
 		$stmt = $pdo->prepare($query);
-		$stmt->execute();
+		$stmt->execute([$set,$u['id']]);
 		//		echo "query=[$query]";
 		show_pdo_errors_if_any($pdo);
 	}
@ -491,8 +491,8 @@ function db146_user_save(&$u)
 function db146_user_delete_committee($u)
 {
-	$stmt = $pdo->prepare("DELETE FROM committees_link WHERE users_uid='{$u['uid']}'");
+	$stmt = $pdo->prepare("DELETE FROM committees_link WHERE users_uid=?");
-	$stmt->execute();
+	$stmt->execute([$u['uid']]);
 }
 function db146_user_delete_volunteer($u) {}
@ -501,10 +501,10 @@ function db146_user_delete_judge($u)
 {
 	global $config;
 	$id = $u['id'];
-	$stmt = $pdo->prepare("DELETE FROM judges_teams_link WHERE users_id='$id'");
+	$stmt = $pdo->prepare("DELETE FROM judges_teams_link WHERE users_id=?");
-	$stmt->execute();
+	$stmt->execute([$id]);
-	$stmt = $pdo->prepare("DELETE FROM judges_specialawards_sel WHERE users_id='$id'");
+	$stmt = $pdo->prepare("DELETE FROM judges_specialawards_sel WHERE users_id=?");
-	$stmt->execute();
+	$stmt->execute([$id]);
 }
 function db146_user_delete_fair($u) {}
@ -548,8 +548,8 @@ function db146_user_delete($u, $type = false)
 					$types .= ',';
 				$types .= $t;
 			}
-			$stmt = $pdo->prepare("UPDATE users SET types='$types' WHERE id='{$u['id']}'");
+			$stmt = $pdo->prepare("UPDATE users SET types=? WHERE id=?");
-			$stmt->execute();
+			$stmt->execute([$types,$u['id']]);
 		} else {
 			$finish_delete = true;
 		}
@ -563,8 +563,8 @@ function db146_user_delete($u, $type = false)
 		$finish_delete = true;
 	}
 	if ($finish_delete == true) {
-		$stmt = $pdo->prepare("UPDATE users SET deleted='yes', deleteddatetime=NOW() WHERE id='{$u['id']}'");
+		$stmt = $pdo->prepare("UPDATE users SET deleted='yes', deleteddatetime=NOW() WHERE id=?");
-		$stmt->execute();
+		$stmt->execute([$u['id']]);
 	}
 }
@ -599,8 +599,8 @@ function db146_user_purge($u, $type = false)
 					$types .= ',';
 				$types .= $t;
 			}
-			$stmt = $pdo->prepare("UPDATE users SET types='$types' WHERE id='{$u['id']}'");
+			$stmt = $pdo->prepare("UPDATE users SET types=? WHERE id=?");
-			$stmt->execute();
+			$stmt->execute([$types,$u['id']]);
 		} else {
 			$finish_purge = true;
 		}
@ -611,21 +611,21 @@ function db146_user_purge($u, $type = false)
 		 */
 		call_user_func("db146_user_delete_$type", $u);
 		//		call_user_func("user_purge_$type", $u);
-		$stmt = $pdo->prepare("DELETE FROM users_$type WHERE users_id='{$u['id']}'");
+		$stmt = $pdo->prepare("DELETE FROM users_? WHERE users_id=?");
-		$stmt->execute();
+		$stmt->execute([$type,$u['id']]);
 	} else {
 		/* Delete the whole user */
 		foreach ($u['types'] as $t) {
 			call_user_func("db146_user_delete_$t", $u);
 			//			call_user_func("user_purge_$t", $u);
-			$stmt = $pdo->prepare("DELETE FROM users_$t WHERE users_id='{$u['id']}'");
+			$stmt = $pdo->prepare("DELETE FROM users_? WHERE users_id=?");
-			$stmt->execute();
+			$stmt->execute([$t,$u['id']]);
 		}
 		$finish_purge = true;
 	}
 	if ($finish_purge == true) {
-		$stmt = $pdo->prepare("DELETE FROM users WHERE id='{$u['id']}'");
+		$stmt = $pdo->prepare("DELETE FROM users WHERE id=?");
-		$stmt->execute();
+		$stmt->execute([$u['id']]);
 	}
 }
@ -634,8 +634,8 @@ function db146_user_dupe_row($db, $key, $val, $newval)
 {
 	global $config;
 	$nullfields = array('deleteddatetime');  /* Fields that can be null */
-	$q = $pdo->prepare("SELECT * FROM $db WHERE $key='$val'");
+	$q = $pdo->prepare("SELECT * FROM ? WHERE ?=?");
-	$q->execute();
+	$q->execute([$db,$key,$val]);
 	if ($q->rowCount() != 1) {
 		echo "ERROR duplicating row in $db: $key=$val NOT FOUND.\n";
 		exit;
@ -655,10 +655,10 @@ function db146_user_dupe_row($db, $key, $val, $newval)
 	$keys = '`' . join('`,`', array_keys($i)) . '`';
 	$vals = join(',', array_values($i));
-	$q = "INSERT INTO $db ($keys) VALUES ($vals)";
+	$q = "INSERT INTO ? (?) VALUES (?)";
 	//	echo "Dupe Query: [$q]";
 	$r = $pdo->prepare($q);
-	$r->execute();
+	$r->execute([$db,$keys,$vals]);
 	show_pdo_errors_if_any($pdo);
 	$id = $pdo->lastInsertId();
@ -678,9 +678,9 @@ function db146_user_dupe($u, $new_year)
 	 */
 	/* Find the last entry */
-	$q = $pdo->prepare("SELECT id,uid,year,deleted FROM users WHERE uid='{$u['uid']}'
+	$q = $pdo->prepare("SELECT id,uid,year,deleted FROM users WHERE uid=?
 				ORDER BY year DESC LIMIT 1");
-	$q->execute();
+	$q->execute([$u['uid']]);
 	$r = $q->fetch(PDO::FETCH_OBJ);
 	if ($r->deleted == 'yes') {
 		echo "Cannot duplicate user ID {$u['id']}, they are deleted.  Undelete them first.\n";
@ -692,9 +692,9 @@ function db146_user_dupe($u, $new_year)
 	}
 	$id = db146_user_dupe_row('users', 'id', $u['id'], NULL);
-	$q = $pdo->prepare("UPDATE users SET year='$new_year' WHERE id='$id'");
+	$q = $pdo->prepare("UPDATE users SET year=? WHERE id=?");
-	$q->execute();
+	$q->execute([$new_year,$id]);
 	/* Load the new user */
 	$u2 = db146_user_load($id);
@ -743,17 +743,17 @@ function db146_user_create($type, $username, $u = NULL)
 	global $config;
 	if (!is_array($u)) {
 		$stmt = $pdo->prepare("INSERT INTO users (`types`,`username`,`passwordset`,`created`,`year`) 
-			VALUES ('$type','$username','0000-00-00', NOW(), '{$config['FAIRYEAR']}')");
+			VALUES (?,?,'0000-00-00', NOW(),?)");
-		$stmt->execute();
+		$stmt->execute([$type,$username,$config['FAIRYEAR']]);
 		show_pdo_errors_if_any($pdo);
 		$uid = $pdo->lastInsertId();
 		if (db146_user_valid_email($username)) {
-			$stmt = $pdo->prepare("UPDATE users SET email='$username' WHERE id='$uid'");
+			$stmt = $pdo->prepare("UPDATE users SET email=? WHERE id=?");
-			$stmt->execute();
+			$stmt->execute([$username,$uid]);
 		}
-		$stmt = $pdo->prepare("UPDATE users SET uid='$uid' WHERE id='$uid'");
+		$stmt = $pdo->prepare("UPDATE users SET uid=? WHERE id=?");
-		$stmt->execute();
+		$stmt->execute([$uid,$uid]);
 		show_pdo_errors_if_any($pdo);
 		db146_user_set_password($uid, NULL);
@ -761,8 +761,8 @@ function db146_user_create($type, $username, $u = NULL)
 		 * Since the user already has a type, user_save won't create this
 		 * entry for us, so do it here
 		 */
-		$stmt = $pdo->prepare("INSERT INTO users_$type (users_id) VALUES('$uid')");
+		$stmt = $pdo->prepare("INSERT INTO users_? (users_id) VALUES(?)");
-		$stmt->execute();
+		$stmt->execute([$type,$uid]);
 		show_pdo_errors_if_any($pdo);
 		/* Load the complete user */
 		$u = db146_user_load($uid);
--- a/db/db.update.149.user.inc.php
+++ b/db/db.update.149.user.inc.php
@ -141,8 +141,8 @@ function db149_user_load_sponsor(&$u)
 	$u['sponsor_complete'] = ($u['sponsor_complete'] == 'yes') ? 'yes' : 'no';
 	$u['sponsor_active'] = ($u['sponsor_active'] == 'yes') ? 'yes' : 'no';
 	if ($u['sponsors_id']) {
-		$q = $pdo->prepare("SELECT * FROM sponsors WHERE id='{$u['sponsors_id']}'");
+		$q = $pdo->prepare("SELECT * FROM sponsors WHERE id=?");
-		$q->execute();
+		$q->execute([$u['sponsors_id']]);
 		$u['sponsor'] = $q->fetch(PDO::FETCH_ASSOC);
 	}
 	return true;
@ -194,13 +194,13 @@ function db149_user_load($user, $uid = false)
 			WHERE ';
 	if ($uid != false) {
 		$uid = intval($uid);
-		$query .= "`users`.`uid`='$uid' ORDER BY `users`.`year` DESC LIMIT 1";
+		$query .= "`users`.`uid`=? ORDER BY `users`.`year` DESC LIMIT 1";
 	} else {
 		$id = intval($user);
-		$query .= "	`users`.`id`='$id'";
+		$query .= "	`users`.`id`=?";
 	}
 	$q = $pdo->prepare($query);
-	$q->execute();
+	$q->execute([$uid,$id]);
 	if ($q->rowCount() != 1) {
 		//		echo "Query [$query] returned ".$q->rowCount()." rows\n";
 		//		echo "<pre>";
@ -278,8 +278,8 @@ function db149_user_load_by_email($email)
 {
 	/* Find the most recent uid for the email, regardless of deleted status */
 	$e = $email;
-	$q = $pdo->prepare("SELECT uid FROM users WHERE email='$e' OR username='$e' ORDER BY year DESC LIMIT 1");
+	$q = $pdo->prepare("SELECT uid FROM users WHERE email=? OR username=? ORDER BY year DESC LIMIT 1");
-	$q->execute();
+	$q->execute([$e,$e]);
 	if ($q->rowCount() == 1) {
 		$i = $q->fetch(PDO::FETCH_ASSOC);
@ -290,8 +290,8 @@ function db149_user_load_by_email($email)
 function db149_user_load_by_uid_year($uid, $year)
 {
-	$q = $pdo->prepare("SELECT id FROM users WHERE uid='$uid' AND year <= '$year'");
+	$q = $pdo->prepare("SELECT id FROM users WHERE uid=? AND year <=?");
-	$q->execute();
+	$q->execute([$uid,$year]);
 	if (!$q->rowCount())
 		return false;
 	$i = $q->fetch(PDO::FETCH_ASSOC);
@ -303,8 +303,8 @@ function db149_user_set_password($id, $password = NULL)
 	/* pass $u by reference so we can update it */
 	$save_old = false;
 	if ($password == NULL) {
-		$q = $pdo->prepare("SELECT passwordset FROM users WHERE id='$id'");
+		$q = $pdo->prepare("SELECT passwordset FROM users WHERE id=?");
-		$q->execute();
+		$q->execute([$id]);
 		$u = $q->fetch(PDO::FETCH_ASSOC);
 		/* Generate a new password */
 		$password = db149_user_generate_password(12);
@ -323,9 +323,9 @@ function db149_user_set_password($id, $password = NULL)
 	$set = ($save_old == true) ? 'oldpassword=password, ' : '';
 	$set .= "password='$p', passwordset=$save_set ";
-	$query = "UPDATE users SET $set WHERE id='$id'";
+	$query = "UPDATE users SET ? WHERE id=?";
 	$stmt = $pdo->prepare($query);
-	$stmt->execute();
+	$stmt->execute([$set,$id]);
 	show_pdo_errors_if_any($pdo);
 	return $password;
@ -359,9 +359,9 @@ function db149_user_save_type_list($u, $db, $fields)
 		$set .= "`$f`='$data'";
 	}
 	if ($set != '') {
-		$query = "UPDATE $db SET $set WHERE users_id='{$u['id']}'";
+		$query = "UPDATE ? SET ? WHERE users_id=?";
 		$stmt = $pdo->prepare($query);
-		$stmt->execute();
+		$stmt->execute([$db,$set,$u['id']]);
 		if ($pdo->errorInfo()) {
 			show_pdo_errors_if_any($pdo);
 			echo error("Full query: $query");
@ -429,8 +429,8 @@ function db149_user_save(&$u)
 			exit;
 		}
 		// give em a record, the primary key on the table takes care of uniqueness
-		$q = $pdo->prepare("INSERT INTO users_$t (users_id) VALUES ('{$u['id']}')");
+		$q = $pdo->prepare("INSERT INTO users_? (users_id) VALUES (?)");
-		$q->execute();
+		$q->execute([$t,$u['id']]);
 	}
 	$fields = array('salutation', 'firstname', 'lastname', 'username',
@ -458,9 +458,9 @@ function db149_user_save(&$u)
 	//	print_r($u);
 	//	echo "</pre>";
 	if ($set != '') {
-		$query = "UPDATE users SET $set WHERE id='{$u['id']}'";
+		$query = "UPDATE users SET ? WHERE id=?";
 		$stmt = $pdo->prepare($query);
-		$stmt->execute();
+		$stmt->execute([$set,$u['id']]);
 		//		echo "query=[$query]";
 		show_pdo_errors_if_any($pdo);
 	}
@ -490,8 +490,8 @@ function db149_user_save(&$u)
 function db149_user_delete_committee($u)
 {
-	$stmt = $pdo->prepare("DELETE FROM committees_link WHERE users_uid='{$u['uid']}'");
+	$stmt = $pdo->prepare("DELETE FROM committees_link WHERE users_uid=?");
-	$stmt->execute();
+	$stmt->execute([$u['uid']]);
 }
 function db149_user_delete_volunteer($u) {}
@ -500,10 +500,10 @@ function db149_user_delete_judge($u)
 {
 	global $config;
 	$id = $u['id'];
-	$stmt = $pdo->prepare("DELETE FROM judges_teams_link WHERE users_id='$id'");
+	$stmt = $pdo->prepare("DELETE FROM judges_teams_link WHERE users_id=?");
-	$stmt->execute();
+	$stmt->execute([$id]);
-	$stmt = $pdo->prepare("DELETE FROM judges_specialawards_sel WHERE users_id='$id'");
+	$stmt = $pdo->prepare("DELETE FROM judges_specialawards_sel WHERE users_id=?");
-	$stmt->execute();
+	$stmt->execute([$id]);
 }
 function db149_user_delete_fair($u) {}
@ -547,8 +547,8 @@ function db149_user_delete($u, $type = false)
 					$types .= ',';
 				$types .= $t;
 			}
-			$stmt = $pdo->prepare("UPDATE users SET types='$types' WHERE id='{$u['id']}'");
+			$stmt = $pdo->prepare("UPDATE users SET types=? WHERE id=?");
-			$stmt->execute();
+			$stmt->execute([$types,$u['id']]);
 		} else {
 			$finish_delete = true;
 		}
@ -562,8 +562,8 @@ function db149_user_delete($u, $type = false)
 		$finish_delete = true;
 	}
 	if ($finish_delete == true) {
-		$stmt = $pdo->prepare("UPDATE users SET deleted='yes', deleteddatetime=NOW() WHERE id='{$u['id']}'");
+		$stmt = $pdo->prepare("UPDATE users SET deleted='yes', deleteddatetime=NOW() WHERE id=?");
-		$stmt->execute();
+		$stmt->execute([$u['id']]);
 	}
 }
@ -598,8 +598,8 @@ function db149_user_purge($u, $type = false)
 					$types .= ',';
 				$types .= $t;
 			}
-			$stmt = $pdo->prepare("UPDATE users SET types='$types' WHERE id='{$u['id']}'");
+			$stmt = $pdo->prepare("UPDATE users SET types=? WHERE id=?");
-			$stmt->execute();
+			$stmt->execute([$types,$u['id']]);
 		} else {
 			$finish_purge = true;
 		}
@ -610,21 +610,21 @@ function db149_user_purge($u, $type = false)
 		 */
 		call_user_func("db149_user_delete_$type", $u);
 		//		call_user_func("user_purge_$type", $u);
-		$stmt = $pdo->prepare("DELETE FROM users_$type WHERE users_id='{$u['id']}'");
+		$stmt = $pdo->prepare("DELETE FROM users_? WHERE users_id=?");
-		$stmt->execute();
+		$stmt->execute([$type,$u['id']]);
 	} else {
 		/* Delete the whole user */
 		foreach ($u['types'] as $t) {
 			call_user_func("db149_user_delete_$t", $u);
 			//			call_user_func("user_purge_$t", $u);
-			$stmt = $pdo->prepare("DELETE FROM users_$t WHERE users_id='{$u['id']}'");
+			$stmt = $pdo->prepare("DELETE FROM users_? WHERE users_id=?");
-			$stmt->execute();
+			$stmt->execute([$t,$u['id']]);
 		}
 		$finish_purge = true;
 	}
 	if ($finish_purge == true) {
-		$stmt = $pdo->prepare("DELETE FROM users WHERE id='{$u['id']}'");
+		$stmt = $pdo->prepare("DELETE FROM users WHERE id=?");
-		$stmt->execute();
+		$stmt->execute([$u['id']]);
 	}
 }
@ -633,8 +633,8 @@ function db149_user_dupe_row($db, $key, $val, $newval)
 {
 	global $config;
 	$nullfields = array('deleteddatetime');  /* Fields that can be null */
-	$q = $pdo->prepare("SELECT * FROM $db WHERE $key='$val'");
+	$q = $pdo->prepare("SELECT * FROM ? WHERE ?=?");
-	$q->exectue();
+	$q->exectue([$db,$key,$val]);
 	if ($q->rowCount() != 1) {
 		echo "ERROR duplicating row in $db: $key=$val NOT FOUND.\n";
 		exit;
@ -654,10 +654,10 @@ function db149_user_dupe_row($db, $key, $val, $newval)
 	$keys = '`' . join('`,`', array_keys($i)) . '`';
 	$vals = join(',', array_values($i));
-	$q = "INSERT INTO $db ($keys) VALUES ($vals)";
+	$q = "INSERT INTO ? (?) VALUES (?)";
 	//	echo "Dupe Query: [$q]";
 	$r = $pdo->prepare($q);
-	$r->execute(0);
+	$r->execute([0,$db,$keys,$vals]);
 	show_pdo_errors_if_any($pdo);
 	$id = $pdo->lastInsertId();
@ -677,9 +677,9 @@ function db149_user_dupe($u, $new_year)
 	 */
 	/* Find the last entry */
-	$q = $pdo->prepare("SELECT id,uid,year,deleted FROM users WHERE uid='{$u['uid']}'
+	$q = $pdo->prepare("SELECT id,uid,year,deleted FROM users WHERE uid=?
 				ORDER BY year DESC LIMIT 1");
-	$q->execute();
+	$q->execute([$u['uid']]);
 	$r = $q->fetch(PDO::FETCH_OBJ);
 	if ($r->deleted == 'yes') {
 		echo "Cannot duplicate user ID {$u['id']}, they are deleted.  Undelete them first.\n";
@ -691,8 +691,8 @@ function db149_user_dupe($u, $new_year)
 	}
 	$id = db149_user_dupe_row('users', 'id', $u['id'], NULL);
-	$q = $pdo->prepare("UPDATE users SET year='$new_year' WHERE id='$id'");
+	$q = $pdo->prepare("UPDATE users SET year=? WHERE id=?");
-	$q->execute();
+	$q->execute([$new_year,$id]);
 	/* Load the new user */
 	$u2 = db149_user_load($id);
@ -743,16 +743,16 @@ function db149_user_create($type, $username, $u = NULL)
 		$stmt = $pdo->prepare("INSERT INTO users (`types`,`username`,`passwordset`,`created`,`year`) 
-			VALUES ('$type','$username','0000-00-00', NOW(), '{$config['FAIRYEAR']}')");
+			VALUES (?,?,'0000-00-00', NOW(),?)");
-		$stmt->execute();
+		$stmt->execute([$type,$username,$config['FAIRYEAR']]);
 		show_pdo_errors_if_any($pdo);
 		$uid = $pdo->lastInsertId();
 		if (db149_user_valid_email($username)) {
-			$stmt = $pdo->prepare("UPDATE users SET email='$username' WHERE id='$uid'");
+			$stmt = $pdo->prepare("UPDATE users SET email=? WHERE id=?");
 		}
-		$stmt = $pdo->prepare("UPDATE users SET uid='$uid' WHERE id='$uid'");
+		$stmt = $pdo->prepare("UPDATE users SET uid=? WHERE id=?");
-		$stmt->execute();
+		$stmt->execute([$username,$uid,$uid,$uid]);
 		show_pdo_errors_if_any($pdo);
@ -762,8 +762,8 @@ function db149_user_create($type, $username, $u = NULL)
 		 * Since the user already has a type, user_save won't create this
 		 * entry for us, so do it here
 		 */
-		$stmt = $pdo->prepare("INSERT INTO users_$type (users_id) VALUES('$uid')");
+		$stmt = $pdo->prepare("INSERT INTO users_? (users_id) VALUES(?)");
-		$stmt->execute();
+		$stmt->execute([$type,$uid]);
 		show_pdo_errors_if_any($pdo);
--- a/db/db.update.155.php
+++ b/db/db.update.155.php
@ -9,11 +9,11 @@ function db_update_155_post()
 	while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 		echo "Updating email id $r->id\n";
 		$stmt = $pdo->prepare("UPDATE emails SET
-		body='" . iconv('ISO-8859-1', 'UTF-8//TRANSLIT', $r->body) . "' ,
+		body=?,
-		bodyhtml='" . iconv('ISO-8859-1', 'UTF-8//TRANSLIT', $r->bodyhtml) . "' ,
+		bodyhtml=?,
-		subject='" . iconv('ISO-8859-1', 'UTF-8//TRANSLIT', $r->subject) . "'
+		subject=?
 		WHERE id='$r->id'");
-		$stmt->execute();
+		$stmt->execute([iconv('ISO-8859-1', 'UTF-8//TRANSLIT', $r->body),iconv('ISO-8859-1', 'UTF-8//TRANSLIT', $r->bodyhtml),iconv('ISO-8859-1', 'UTF-8//TRANSLIT', $r->subject)]);
 	}
 }
--- a/db/db.update.174.php
+++ b/db/db.update.174.php
@ -5,9 +5,9 @@ function db_update_174_post()
 	$q = $pdo->prepare("SELECT * FROM users WHERE deleted = 'yes'");
 	while ($row = $q->fetch(PDO::FETCH_ASSOC)) {
-		echo 'Flagging user records prior to ' . $row['year'] . ' for user ' . $row['uid'] . ' as deleted - ';
+		echo 'Flagging user records prior to ? for user ? as deleted - ';
-		$stmt = $pdo->prepare("UPDATE users SET deleted = 'yes' WHERE uid = " . $row['uid'] . ' AND year < ' . $row['year']);
+		$stmt = $pdo->prepare("UPDATE users SET deleted = 'yes' WHERE uid = ? AND year < ?");
-		$stmt->execute();
+		$stmt->execute([$row['year'],$row['uid'],$row['uid'],$row['year']]);
 		echo $pdo->rowCount() . " rows affected.\n";
 	}
 }
--- a/db/db.update.75.php
+++ b/db/db.update.75.php
@ -18,8 +18,8 @@ function db_update_75_post()
 		foreach ($sid as $s) {
 			if ($s > 0) {
 				$qq = $pdo->prepare("SELECT id FROM reports WHERE 
-						system_report_id='$s'");
+						system_report_id=?");
-				$qq->execute();
+				$qq->execute([$s]);
 				$ii = $qq->fetch(PDO::FETCH_OBJ);
 				$rid[$x] = $ii->id;
 			} else {
@ -30,31 +30,32 @@ function db_update_75_post()
 		/* Find all committee members */
 		$qq = "INSERT INTO `reports_committee` (`id`, `users_id`, `reports_id`, `category`, `comment`, `format`, `stock`) VALUES
-		(NULL, $uid, {$rid[0]}, '1. Fair Day', 'Checkin Lists for the Front Desk', 'pdf', 'fullpage'),
+		(NULL, ?, ?, '1. Fair Day', 'Checkin Lists for the Front Desk', 'pdf', 'fullpage'),
-		(NULL, $uid, {$rid[1]}, '2. Old Custom Reports', 'School Access Codes and Passwords', 'pdf', 'fullpage'),
+		(NULL, ?, ?, '2. Old Custom Reports', 'School Access Codes and Passwords', 'pdf', 'fullpage'),
-		(NULL, $uid, {$rid[2]}, '2. Old Custom Reports', 'Mailing Label Generator', '', ''),
+		(NULL, ?, ?, '2. Old Custom Reports', 'Mailing Label Generator', '', ''),
-		(NULL, $uid, {$rid[3]}, '2. Old Custom Reports', 'Project Summary Details', 'pdf', 'fullpage'),
+		(NULL, ?, ?, '2. Old Custom Reports', 'Project Summary Details', 'pdf', 'fullpage'),
-		(NULL, $uid, {$rid[4]}, '2. Old Custom Reports', 'Student emergency contact names and numbers', 'pdf', 'fullpage'),
+		(NULL, ?, ?, '2. Old Custom Reports', 'Student emergency contact names and numbers', 'pdf', 'fullpage'),
-		(NULL, $uid, {$rid[5]}, '2. Old Custom Reports', 'Students/Projects From Each School', 'pdf', 'fullpage'),
+		(NULL, ?, ?, '2. Old Custom Reports', 'Students/Projects From Each School', 'pdf', 'fullpage'),
-		(NULL, $uid, {$rid[6]}, '2. Old Custom Reports', 'Project Logistical Requirements (tables, electricity)', 'pdf', 'fullpage'),
+		(NULL, ?, ?, '2. Old Custom Reports', 'Project Logistical Requirements (tables, electricity)', 'pdf', 'fullpage'),
-		(NULL, $uid, {$rid[7]}, '2. Old Custom Reports', 'Project Table Labels', 'label', 'fullpage_landscape'),
+		(NULL, ?, ?, '2. Old Custom Reports', 'Project Table Labels', 'label', 'fullpage_landscape'),
-		(NULL, $uid, {$rid[8]}, '2. Old Custom Reports', 'Student Nametags', 'label', 'nametag'),
+		(NULL, ?, ?, '2. Old Custom Reports', 'Student Nametags', 'label', 'nametag'),
-		(NULL, $uid, {$rid[9]}, '2. Old Custom Reports', 'Judge Nametags', 'label', 'nametag'),
+		(NULL, ?, ?, '2. Old Custom Reports', 'Judge Nametags', 'label', 'nametag'),
-		(NULL, $uid, {$rid[10]}, '2. Old Custom Reports', 'Committee Member Nametags', 'label', 'nametag'),
+		(NULL, ?, ?, '2. Old Custom Reports', 'Committee Member Nametags', 'label', 'nametag'),
-		(NULL, $uid, {$rid[11]}, '2. Old Custom Reports', 'Judges List', 'pdf', 'fullpage'),
+		(NULL, ?, ?, '2. Old Custom Reports', 'Judges List', 'pdf', 'fullpage'),
-		(NULL, $uid, {$rid[12]}, '2. Old Custom Reports', 'Judging Teams', 'pdf', 'fullpage'),
+		(NULL, ?, ?, '2. Old Custom Reports', 'Judging Teams', 'pdf', 'fullpage'),
-		(NULL, $uid, {$rid[13]}, '2. Old Custom Reports', 'Awards each Judging Team will judge for', 'pdf', 'fullpage'),
+		(NULL, ?, ?, '2. Old Custom Reports', 'Awards each Judging Team will judge for', 'pdf', 'fullpage'),
-		(NULL, $uid, {$rid[14]}, '2. Old Custom Reports', 'Judging Teams Project Assignments', 'pdf', 'fullpage'),
+		(NULL, ?, ?, '2. Old Custom Reports', 'Judging Teams Project Assignments', 'pdf', 'fullpage'),
-		(NULL, $uid, {$rid[15]}, '2. Old Custom Reports', 'Projects Judging Team Assignments', 'pdf', 'fullpage'),
+		(NULL, ?, ?, '2. Old Custom Reports', 'Projects Judging Team Assignments', 'pdf', 'fullpage'),
-		(NULL, $uid, {$rid[16]}, '2. Old Custom Reports', 'Project Identification Labels (for judging sheets)', 'label', '5961'),
+		(NULL, ?, ?, '2. Old Custom Reports', 'Project Identification Labels (for judging sheets)', 'label', '5961'),
-		(NULL, $uid, {$rid[17]}, '2. Old Custom Reports', 'Award List for Award Ceremony Program', 'pdf', 'fullpage'),
+		(NULL, ?, ?, '2. Old Custom Reports', 'Award List for Award Ceremony Program', 'pdf', 'fullpage'),
-		(NULL, $uid, {$rid[18]}, '2. Old Custom Reports', 'Winners for each award', 'pdf', 'fullpage');";
+		(NULL, ?, ?, '2. Old Custom Reports', 'Winners for each award', 'pdf', 'fullpage');";
 		echo $qq;
 		echo "\n\n";
 		$stmt = $pdo->prepare($qq);
-		$stmt->execute();
+		$stmt->execute([$uid,$rid[0],$uid,$rid[1],$uid,$rid[2],$uid,$rid[3],$uid,$rid[4],$uid,$rid[5],$uid,$rid[6],$uid,$rid[7],$uid,$rid[8],$uid,$rid[9],$uid,$rid[10],$uid,$rid[11],$uid,$rid[12],$uid,$rid[13],$uid,$rid[14],$uid,$rid[15],$uid,$rid[16],$uid,$rid[17],$uid,$rid[18]]);
 	}
 }
--- a/db/db.update.76.php
+++ b/db/db.update.76.php
@ -15,8 +15,8 @@ function db_update_76_pre()
 		if ($user == '')
 			continue;
-		$qq = $pdo->prepare("SELECT * FROM users WHERE username='$user'");
+		$qq = $pdo->prepare("SELECT * FROM users WHERE username=?");
-		$qq->execute();
+		$qq->execute([$user]);
 		if ($qq->rowCount() <= 1)
 			continue;
@ -60,16 +60,16 @@ function db_update_76_pre()
 			}
 		}
-		$query = "UPDATE users SET $query WHERE id='$cid'";
+		$query = "UPDATE users SET ? WHERE id=?";
 		echo "$query\n";
 		$stmt = $pdo->prepare($query);
-		$stmt->execute();
+		$stmt->execute([$query,$cid]);
 		/* Now fix the volunteers links */
-		$query = "UPDATE volunteer_positions_signup SET users_id='$cid' WHERE users_id='$vid'";
+		$query = "UPDATE volunteer_positions_signup SET users_id=? WHERE users_id=?";
 		echo "$query\n";
 		$stmt = $pdo->prepare($query);
-		$stmt->execute();
+		$stmt->execute([$cid,$vid]);
 		/*
 		 * The user_volunteer table is empty, we should just delete it,
@ -77,10 +77,10 @@ function db_update_76_pre()
 		 */
 		/* Delete the old user */
-		$query = "DELETE FROM users WHERE id='$vid'";
+		$query = "DELETE FROM users WHERE id=?";
 		echo "$query\n";
 		$stmt = $pdo->prepare($query);
-		$stmt->execute();
+		$stmt->execute([$vid]);
 	}
 }
--- a/fair_stats.php
+++ b/fair_stats.php
@ -61,8 +61,8 @@ switch (get_value_from_array($_GET, 'action')) {
 			':fairs_id' => $u['fairs_id'],
 			':year' => $year
 		]);
-		$stmt = $pdo->prepare("INSERT INTO fairs_stats (`id`,$keys) VALUES ('',$vals)");
+		$stmt = $pdo->prepare("INSERT INTO fairs_stats (`id`,?) VALUES ('',?)");
-		$stmt->execute();
+		$stmt->execute([$keys,$vals]);
 		happy_('Fair Information Saved.');
 		exit;
--- a/judge.inc.php
+++ b/judge.inc.php
@ -85,7 +85,7 @@ function judge_status_questions($u)
 	 */
 	global $config, $pdo;
 	// get the questions we're looking for
-	$q = $pdo->prepare('SELECT id FROM questions WHERE year=?'"AND required='yes'");
+	$q = $pdo->prepare('SELECT id FROM questions WHERE year=? AND required=yes');
 	$q->execute([$config['FAIRYEAR']]);
 	$idList = array();
 	while ($row = $q->fetch(PDO::FETCH_ASSOC))
@ -149,7 +149,8 @@ function judge_status_availability(&$u)
 		return 'complete';
 	$q = $pdo->prepare("SELECT id FROM judges_availability 
-			WHERE users_id=\"{$u['id']}\"");
+			WHERE users_id=\"?\"");
 	$q->execute([$u['id']]);
 	if ($q->rowCount() > 0)
 		return 'complete';
--- a/judge_availability.php
+++ b/judge_availability.php
@ -81,10 +81,10 @@ switch (get_value_from_array($_GET, 'action')) {
 					continue;
 				$stmt = $pdo->prepare("INSERT INTO judges_availability (users_id, `date`,`start`,`end`) 
-					VALUES ('{$u['id']}',
+					VALUES (?,
-					'{$times[$x]['date']}',
+					?,
-					'{$times[$x]['starttime']}','{$times[$x]['endtime']}')");
+					?,?)");
-				$stmt->execute();
+				$stmt->execute([$u['id'],$times[$x]['date'],$times[$x]['starttime'],$times[$x]['endtime']]);
 			}
 		}
 		happy_('Time Availability preferences successfully saved');
--- a/questions.inc.php
+++ b/questions.inc.php
@ -185,8 +185,8 @@ function questions_update_question($qs)
 			`db_heading`=?,
 			`required`=?,
 			`ord`=?
-			WHERE id=?"));
+			WHERE id=?");
-	$stmt->execute([$qs['question'], $qs['type'], $qs['db_heading'], $qs['required'], intval($qs['ord'], $qs['id']]);
+	$stmt->execute([$qs['question'], $qs['type'], $qs['db_heading'], $qs['required'], intval($qs['ord']), $qs['id']]);
 	show_pdo_errors_if_any($pdo);
 }
@ -195,14 +195,14 @@ function questions_save_new_question($qs, $year)
 	global $pdo;
 	$stmt = $pdo->prepare('INSERT INTO questions '
 		. '(question,type,section,db_heading,required,ord,year) VALUES ('
-		. "'" . $qs['question'] . "',"
+		?,"
-		. "'" . $qs['type'] . "',"
+		?,"
-		. "'" . $qs['section'] . "',"
+		?,"
-		. "'" . $qs['db_heading'] . "',"
+		?,"
-		. "'" . $qs['required'] . "',"
+		?,"
-		. "'" . $qs['ord'] . "',"
+		?,"
-		. "'$year' )");
+		?")");
-	$stmt->execute();
+	$stmt->execute([$qs['question'],$qs['type'],$qs['section'],$qs['db_heading'],$qs['required'],$year]);
 	show_pdo_errors_if_any($pdo);
 }
@ -274,14 +274,14 @@ function questions_editor($section, $year, $array_name, $self)
 			$x++;
 			$stmt = $pdo->prepare("INSERT INTO questions (id,year,section,db_heading,question,type,required,ord)
 								VALUES (
-                                '', '$year',
+                                '',?,
-                                '" . $r->section . "',
+                                '" ?,
-                                '" . $r->db_heading . "',
+                                '" ?,
-                                '" . $r->question . "',
+                                '" ?,
-                                '" . $r->type . "',
+                                '" ?,
-                                '" . $r->required . "',
+                                '" ?,
-                                '" . $r->ord) . "')";
+                                '" ?))";
-			$stmt->execute();
+			$stmt->execute([$year,$r->section,$r->question,$r->type,$r->required,$r->ord]);
 		}
 		echo happy(i18n('%1 question(s) successfully imported',
--- a/register_participants.php
+++ b/register_participants.php
@ -33,14 +33,14 @@ $q = $pdo->query("SELECT (NOW()>'" . $config['dates']['regopen'] . "' AND NOW()<
 $datecheck = $q->fetch(PDO::FETCH_OBJ);
 if (get_value_from_array($_POST, 'action') == 'new') {
-	$q = $pdo->prepare("SELECT email,num,id,schools_id FROM registrations WHERE email='" . $_SESSION['email'] . "' AND num='" . $_POST['regnum'] . "' AND year=" . $config['FAIRYEAR']);
+	$q = $pdo->prepare("SELECT email,num,id,schools_id FROM registrations WHERE email=? AND num=? AND year=?");
-	$q->execute();
+	$q->execute([$_SESSION['email'],$_POST['regnum'],$config['FAIRYEAR']]);
 	if ($q->rowCount()) {
 		$r = $q->fetch(PDO::FETCH_OBJ);
 		$_SESSION['registration_number'] = $r->num;
 		$_SESSION['registration_id'] = $r->id;
-		$stmt = $pdo->prepare("INSERT INTO students (registrations_id,email,schools_id,year) VALUES ('$r->id','" . $_SESSION['email'] . "','" . $r->schools_id . "','" . $config['FAIRYEAR'] . "')");
+		$stmt = $pdo->prepare("INSERT INTO students (registrations_id,email,schools_id,year) VALUES (?,?,?,?)");
-		$stmt->execute();
+		$stmt->execute([$r->id,$_SESSION['email'],$r->schools_id,$config['FAIRYEAR']]);
 		$stmt = $pdo->prepare("UPDATE registrations SET status='open' WHERE id=?");
 		$stmt->execute([$r->id]);
--- a/register_participants_emergencycontact.php
+++ b/register_participants_emergencycontact.php
@ -40,12 +40,13 @@ if (!$_SESSION['registration_number']) {
 global $pdo;
 $q = $pdo->prepare('SELECT registrations.id AS regid, students.id AS studentid, students.firstname FROM registrations,students '
-	. "WHERE students.email='" . $_SESSION['email'] . "' "
+	. "WHERE students.email=?"
-	. "AND registrations.num='" . $_SESSION['registration_number'] . "' "
+	. "AND registrations.num=?"
-	. "AND registrations.id='" . $_SESSION['registration_id'] . "' "
+	. "AND registrations.id=?"
 	. 'AND students.registrations_id=registrations.id '
-	. 'AND registrations.year=' . $config['FAIRYEAR'] . ' '
+	. 'AND registrations.year=?'
-	. 'AND students.year=' . $config['FAIRYEAR']);
+	. 'AND students.year=?');
 $q->execute([$_SESSION['email'],$_SESSION['registration_number'],$_SESSION['registration_id'],$config['FAIRYEAR'],$config['FAIRYEAR']]);
 show_pdo_errors_if_any($pdo);
 if ($q->rowCount() == 0) {
@ -100,16 +101,16 @@ if ($_POST['action'] == 'save') {
 				}
 				$stmt = $pdo->prepare('UPDATE emergencycontact SET '
-					. "firstname='" . stripslashes($_POST['firstname'][$id]) . "', "
+					. "firstname=?, "
-					. "lastname='" . stripslashes($_POST['lastname'][$id]) . "', "
+					. "lastname=?, "
-					. "relation='" . stripslashes($_POST['relation'][$id]) . "', "
+					. "relation=?, "
-					. "phone1='" . stripslashes($_POST['phone1'][$id]) . "', "
+					. "phone1=?, "
-					. "phone2='" . stripslashes($_POST['phone2'][$id]) . "', "
+					. "phone2=?, "
-					. "phone3='" . stripslashes($_POST['phone3'][$id]) . "', "
+					. "phone3=?, "
-					. "phone4='" . stripslashes($_POST['phone4'][$id]) . "', "
+					. "phone4=?, "
-					. "email='" . stripslashes($_POST['email'][$id]) . "' "
+					. "email=? "
-					. "WHERE id='$id'");
+					. "WHERE id=?");
-				$stmt->execute();
+				$stmt->execute([stripslashes($_POST['firstname'][$id]),stripslashes($_POST['lastname'][$id]),stripslashes($_POST['relation'][$id]),stripslashes($_POST['phone1'][$id]),stripslashes($_POST['phone2'][$id]),stripslashes($_POST['phone3'][$id]),stripslashes($_POST['phone4'][$id]),stripslashes($_POST['email'][$id]),$id]);
 				show_pdo_errors_if_any($pdo);
 				echo notice(i18n('Emergency contact information successfully updated'));
 			} else {
--- a/register_participants_isefforms.php
+++ b/register_participants_isefforms.php
@ -39,13 +39,13 @@
 }
 $q=$pdo->prepare("SELECT registrations.id AS regid, students.id AS studentid, students.firstname FROM registrations,students ".
- 	"WHERE students.email='".$_SESSION['email']."' ".
+ 	"WHERE students.email=?"
-	"AND registrations.num='".$_SESSION['registration_number']."' ". 
+	"AND registrations.num=?" 
-	"AND registrations.id='".$_SESSION['registration_id']."' ".
+	"AND registrations.id=?"
 	"AND students.registrations_id=registrations.id ".
-	"AND registrations.year=".$config['FAIRYEAR']." ".
+	"AND registrations.year=?"
-	"AND students.year=".$config['FAIRYEAR']);
+	"AND students.year=?");
-$q->execute([]);
+$q->execute([$_SESSION['email'],$_SESSION['registration_number'],$_SESSION['registration_id'],$config['FAIRYEAR'],$config['FAIRYEAR']]);
 show_pdo_errors_if_any($pdo);
 if($q->rowCount()==0)
@ -80,13 +80,13 @@ show_pdo_errors_if_any($pdo);
 				{
 					$stmt = $pdo->prepare("INSERT INTO TC_ProjectForms (`FormID`,`ProjectID`,`uploaded`,`dt`,`year`) VALUES (
-						'$k',
+						?,
-						'$r->id',
+						?,
 						'0',
 						NOW(),
-						'$CURRENT_FAIRYEAR'
+						?
 					)");
-					$stmt->execute();
+					$stmt->execute([$k,$r->id,$CURRENT_FAIRYEAR]);
 				}
--- a/register_participants_namecheck.php
+++ b/register_participants_namecheck.php
@ -39,7 +39,8 @@ if (!$_SESSION['registration_number']) {
 global $pdo;
-$q = $pdo->prepare("SELECT * FROM students WHERE registrations_id='{$_SESSION['registration_id']}'");
+$q = $pdo->prepare("SELECT * FROM students WHERE registrations_id=?");
 $q->execute([$_SESSION['registration_id']]);
 show_pdo_errors_if_any($pdo);
 if ($q->rowCount() == 0) {
--- a/register_participants_project.php
+++ b/register_participants_project.php
@ -150,8 +150,8 @@ $q = $pdo->prepare("SELECT * FROM projects WHERE registrations_id=? AND year=?")
 $q->execute([$_SESSION['registration_id'], $config['FAIRYEAR']]);
 // check if it exists, if we didnt find any record, lets insert one
 if ($q->rowCount() == 0) {
-	$stmt = $pdo->prepare("INSERT INTO projects (registrations_id,projectcategories_id,year) VALUES ('" . $_SESSION['registration_id'] . "','$projectcategories_id','" . $config['FAIRYEAR'] . "')");
+	$stmt = $pdo->prepare("INSERT INTO projects (registrations_id,projectcategories_id,year) VALUES (?,?,?)");
-	$stmt->execute();
+	$stmt->execute([$_SESSION['registration_id'],$projectcategories_id,$config['FAIRYEAR']]);
 	// now query the one we just inserted
 	$q = $pdo->prepare("SELECT * FROM projects WHERE registrations_id=? AND year=?");
--- a/register_participants_safety.php
+++ b/register_participants_safety.php
@ -73,8 +73,8 @@ if (get_value_from_array($_POST, 'action') == 'save') {
 		if (is_array($_POST['safety'])) {
 			$safetyids = array_keys($_POST['safety']);
 			foreach ($safetyids AS $key => $val) {
-				$stmt = $pdo->prepare('INSERT INTO safety (registrations_id,safetyquestions_id,year,answer) VALUES (' . $pdo->quote($_SESSION['registration_id']) . ', ' . $pdo->quote($val) . ', ' . $pdo->quote($config['FAIRYEAR']) . ', ' . $pdo->quote(stripslashes($_POST['safety'][$val]))) . ')';
+				$stmt = $pdo->prepare('INSERT INTO safety (registrations_id,safetyquestions_id,year,answer) VALUES (?,?,?,?) ');
-				$stmt->execute([]);
+				$stmt->execute([$pdo->quote($_SESSION['registration_id']),$pdo->quote($val),$pdo->quote($config['FAIRYEAR']),$pdo->quote(stripslashes($_POST['safety'][$val]))]);
 				show_pdo_errors_if_any($pdo);
 			}
 		}
--- a/register_participants_signature.php
+++ b/register_participants_signature.php
@ -106,12 +106,12 @@ if ($_GET['sample']) {
                 FROM projects
                 JOIN projectdivisions ON projects.projectdivisions_id=projectdivisions.id
                 JOIN projectcategories ON projects.projectcategories_id=projectcategories.id
-                 WHERE registrations_id='" . $_SESSION['registration_id'] . "' 
+                 WHERE registrations_id=? 
-                        AND projects.year='" . $config['FAIRYEAR'] . "'
+                        AND projects.year=?
-                        AND projectdivisions.year='" . $config['FAIRYEAR'] . "'
+                        AND projectdivisions.year=?
-                        AND projectcategories.year='" . $config['FAIRYEAR'] . "'
+                        AND projectcategories.year=?
                        ");
-	$q->execute();
+	$q->execute([$_SESSION['registration_id'],$config['FAIRYEAR'],$config['FAIRYEAR'],$config['FAIRYEAR']]);
 	$projectinfo = $q->fetch(PDO::FETCH_OBJ);
 	$q = $pdo->prepare("SELECT * FROM students WHERE registrations_id=? AND year=?");
--- a/register_participants_signature_tcpdf.php
+++ b/register_participants_signature_tcpdf.php
@ -91,12 +91,12 @@ if ($_GET['sample']) {
                 FROM projects
                 JOIN projectdivisions ON projects.projectdivisions_id=projectdivisions.id
                 JOIN projectcategories ON projects.projectcategories_id=projectcategories.id
-                 WHERE registrations_id='" . $_SESSION['registration_id'] . "' 
+                 WHERE registrations_id=? 
-                        AND projects.year='" . $config['FAIRYEAR'] . "'
+                        AND projects.year=?
-                        AND projectdivisions.year='" . $config['FAIRYEAR'] . "'
+                        AND projectdivisions.year=?
-                        AND projectcategories.year='" . $config['FAIRYEAR'] . "'
+                        AND projectcategories.year=?
                        ");
-	$q->execute();
+	$q->execute([$_SESSION['registration_id'],$config['FAIRYEAR'],$config['FAIRYEAR'],$config['FAIRYEAR']]);
 	$projectinfo = $q->fetch(PDO::FETCH_OBJ);
 	$q = $pdo->prepare("SELECT * FROM students WHERE registrations_id=? AND year=?");
--- a/register_participants_spawards.php
+++ b/register_participants_spawards.php
@ -40,13 +40,13 @@ if (!$_SESSION['registration_number']) {
 }
 $q = $pdo->prepare('SELECT registrations.id AS regid, students.id AS studentid, students.firstname FROM registrations,students '
-	. "WHERE students.email='" . $_SESSION['email'] . "' "
+	. "WHERE students.email=?"
-	. "AND registrations.num='" . $_SESSION['registration_number'] . "' "
+	. "AND registrations.num=?"
-	. "AND registrations.id='" . $_SESSION['registration_id'] . "' "
+	. "AND registrations.id=?"
 	. 'AND students.registrations_id=registrations.id '
-	. 'AND registrations.year=' . $config['FAIRYEAR'] . ' '
+	. 'AND registrations.year=?'
-	. 'AND students.year=' . $config['FAIRYEAR']);
+	. 'AND students.year=?');
-$q->execute();
+$q->execute([$_SESSION['email'],$_SESSION['registration_number'],$_SESSION['registration_id'],$config['FAIRYEAR'],$config['FAIRYEAR']]);
 show_pdo_errors_if_any($pdo);
 if ($q->rowCount() == 0) {
--- a/register_participants_students.php
+++ b/register_participants_students.php
@ -437,8 +437,8 @@ for ($x = 1; $x <= $numtoshow; $x++) {
 	echo "<tr>\n";
 	echo ' <td>' . i18n('School') . '</td><td colspan="3">';
 	if ($config['participant_registration_type'] == 'open' || $config['participant_registration_type'] == 'singlepassword' || $config['participant_registration_type'] == 'openorinvite' || ($studentinfo && !$studentinfo->schools_id)) {
-		$schoolq = $pdo->prepare("SELECT id,school,city FROM schools WHERE year='" . $config['FAIRYEAR'] . "' ORDER by city,school");
+		$schoolq = $pdo->prepare("SELECT id,school,city FROM schools WHERE year=? ORDER by city,school");
-		$schoolq->execute([]);
+		$schoolq->execute([$config['FAIRYEAR']]);
 		echo "<select name=\"schools_id[$x]\">\n";
 		echo '<option value="">' . i18n('Choose School') . "</option>\n";
 		while ($r = $schoolq->fetch(PDO::FETCH_OBJ)) {
--- a/remote.php
+++ b/remote.php
@ -275,17 +275,17 @@ function award_upload_assign(&$fair, &$award, &$prize, &$project, $year, &$respo
 		// actually insert it
 		$stmt = $pdo->prepare('INSERT INTO registrations (num,email,start,status,schools_id,year) VALUES ('
-			. "'$regnum','$regnum',NOW(),'open',NULL,'$year')");
+			?,?,NOW(),'open',NULL,?')');
-		$stmt->execute();
+		$stmt->execute([$regnum,$regnum,$year]);
 		$registrations_id = $pdo->lastInsertId();
 		/* We'll fill in the email address later */
 		/* Add the project */
 		$stmt = $pdo->prepare("INSERT INTO projects (`registrations_id`,`projectnumber`,`year`,`fairs_id`)
-				VALUES('$registrations_id',
+				VALUES(?,
-					'" . $project['projectnumber'] . "',
+					?,
-					'$year', '{$fair['id']}');");
+					?,?);");
-		$stmt->execute();
+		$stmt->execute([$registrations_id,$project['projectnumber'],$year,$fair['id']]);
 		$pid = $pdo->lastInsertId();
 		$reg_email_needs_update = true;
 		$new_reg = true;
@ -304,8 +304,8 @@ function award_upload_assign(&$fair, &$award, &$prize, &$project, $year, &$respo
 	/* Record the winner */
 	$stmt = $pdo->prepare("INSERT INTO winners(`awards_prizes_id`,`projects_id`,`year`,`fairs_id`)
-			VALUES('{$prize['id']}','$pid','$year','{$fair['id']}')");
+			VALUES(?,?,?,?)");
-	$stmt->execute();
+	$stmt->execute([$prize['id'],$pid,$year,$fair['id']]);
 	/* Delete the students attached to this project */
 	$stmt = $pdo->prepare("DELETE FROM students WHERE registrations_id=?");
 	$stmt->execute([$registrations_id]);
@ -321,9 +321,9 @@ function award_upload_assign(&$fair, &$award, &$prize, &$project, $year, &$respo
 		foreach ($student_fields as $k => $v)
 			$values .= ",'" . $student[$k] . "'";
 		/* Note lack of comma before $keys, we added it above for both keys and values */
-		$stmt = $pdo->prepare("INSERT INTO students (`registrations_id`,`fairs_id`, `schools_id`,`year` $keys)
+		$stmt = $pdo->prepare("INSERT INTO students (`registrations_id`,`fairs_id`, `schools_id`,`year` ?)
-				VALUES('$registrations_id','{$fair['id']}','$schools_id','$year' $values )");
+				VALUES(?,?,?,? ? )");
-		$stmt->execute();
+		$stmt->execute([$keys,$registrations_id,$fair['id'],$schools_id,$year,$values]);
 		/* Update the registration email */
 		if ($reg_email_needs_update) {
--- a/schoolaccess.php
+++ b/schoolaccess.php
@ -68,16 +68,16 @@ if (get_value_from_array($_SESSION, 'schoolid') && $_SESSION['schoolaccesscode']
 			}
 			$stmt = $pdo->prepare("UPDATE schools SET
-				school='" . stripslashes($_POST['school']) . "',
+				school=?,
-				address='" . stripslashes($_POST['address']) . "',
+				address=?,
-				city='" . stripslashes($_POST['city']) . "',
+				city=?,
-				province_code='" . stripslashes($_POST['province_code']) . "',
+				province_code=?,
-				postalcode='" . stripslashes($_POST['postalcode']) . "',
+				postalcode=?,
-				phone='" . stripslashes($_POST['phone']) . "',
+				phone=?,
-				$sciencehead_update
+				?
-				fax='" . stripslashes($_POST['fax']) . "'
+				fax=?
-				WHERE id='$school->id'");
+				WHERE id=?");
-			$stmt->execute();
+			$stmt->execute([stripslashes($_POST['school']),stripslashes($_POST['address']),stripslashes($_POST['city']), stripslashes($_POST['province_code']),stripslashes($_POST['postalcode']),stripslashes($_POST['phone']),stripslashes($_POST['fax']),$sciencehead_update,$school->id]);
 			show_pdo_errors_if_any($pdo);
 			if (check_for_pdo_errors($pdo))
--- a/schoolinvite.php
+++ b/schoolinvite.php
@ -103,14 +103,14 @@ if ($_SESSION['schoolid'] && $_SESSION['schoolaccesscode']) {
 						students,
 						registrations 
 					WHERE 
-						students.schools_id='" . $school->id . "' 
+						students.schools_id=? 
-						AND students.year='" . $config['FAIRYEAR'] . "' 
+						AND students.year=? 
 						AND students.registrations_id=registrations.id 
 					GROUP BY registrations.num
 					ORDER BY 
 						lastname,
 						firstname");
-			$q->execute();
+			$q->execute([$school->id,$config['FAIRYEAR']]);
 			$currentinvited = $q->rowCount();
 			if ($datecheck != 0) {
@ -143,14 +143,14 @@ if ($_SESSION['schoolid'] && $_SESSION['schoolaccesscode']) {
 										students,
 										registrations 
 									WHERE 
-										students.schools_id='" . $school->id . "' 
+										students.schools_id=? 
-										AND students.grade>='$catr->mingrade'
+										AND students.grade>=?
-										AND students.grade<='$catr->maxgrade'
+										AND students.grade<=?
-										AND students.year='" . $config['FAIRYEAR'] . "' 
+										AND students.year=? 
 										AND students.registrations_id=registrations.id 
 										GROUP BY registrations.num
 									");
-							$q2->execute();
+							$q2->execute([$school->id,$catr->mingrade,$catr->maxgrade,$config['FAIRYEAR']]);
 							show_pdo_errors_if_any($pdo);
 							$r2 = $q2->fetch(PDO::FETCH_OBJ);
 							$currentinvited = $r2->num;
--- a/scripts/assignprojectnumbers.php
+++ b/scripts/assignprojectnumbers.php
@ -36,8 +36,8 @@ $projq = $pdo->prepare("SELECT id FROM registrations WHERE status='complete' OR
 $projq->execute();
 while ($projr = $projq->fetch(PDO::FETCH_OBJ)) {
 	$reg_id = $projr->id;
-	$q = $pdo->prepare("SELECT projects.projectcategories_id, projects.projectdivisions_id FROM projects WHERE registrations_id='$reg_id'");
+	$q = $pdo->prepare("SELECT projects.projectcategories_id, projects.projectdivisions_id FROM projects WHERE registrations_id=?");
-	$q->execute();
+	$q->execute([$reg_id]);
 	$r = $q->fetch(PDO::FETCH_OBJ);
 	$projectnumber = $config['project_num_format'];
@ -47,8 +47,8 @@ while ($projr = $projq->fetch(PDO::FETCH_OBJ)) {
 	// now change the N to a % so we can use it as a wildcard
 	$querynum = str_replace('N', '%', $projectnumber);
-	$searchq = $pdo->prepare("SELECT projectnumber FROM projects WHERE year='" . $config['FAIRYEAR'] . "' AND projectnumber LIKE '$querynum'");
+	$searchq = $pdo->prepare("SELECT projectnumber FROM projects WHERE year=? AND projectnumber LIKE ?");
-	$searchq->execute();
+	$searchq->execute([$config['FAIRYEAR'],$querynum]);
 	print ("SELECT projectnumber FROM projects WHERE year='" . $config['FAIRYEAR'] . "' AND projectnumber LIKE '$querynum'\n");
 	$searchnum = $searchq->rowCount();
 	echo "searchnum=$searchnum \n";
@ -77,8 +77,8 @@ while ($projr = $projq->fetch(PDO::FETCH_OBJ)) {
 	}
 	$projectnumber = str_replace('N', $Nnum, $projectnumber);
-	$stmt = $pdo->prepare("UPDATE projects SET projectnumber='$projectnumber' WHERE registrations_id='$reg_id' AND year='" . $config['FAIRYEAR'] . "'");
+	$stmt = $pdo->prepare("UPDATE projects SET projectnumber=? WHERE registrations_id=? AND year=?");
-	$stmt->execute();
+	$stmt->execute([$projectnumber,$reg_id,$config['FAIRYEAR']]);
 	if ($projectnumber) {
 		echo "Assigned new project number $projectnumber\n";
 	} else {
--- a/scripts/assigntourrankings.php
+++ b/scripts/assigntourrankings.php
@ -50,9 +50,9 @@ while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 	$rank = 1;
 	while ($tr = $tq->fetch(PDO::FETCH_OBJ)) {
 		$stmt = $pdo->prepare("INSERT INTO tours_choice (students_id,registrations_id,tour_id,year,rank) VALUES (
-				'$r->students_id','$r->registrations_id','$tr->id','2008','$rank'
+				?,?,?,'2008',?
 			)");
-		$stmt->execute();
+		$stmt->execute([$r->students_id,$r->registrations_id,$tr->id,$rank]);
 		$rank++;
 	}
 	echo "Assigned student $r->students_id\n";
--- a/scripts/judges_fake.php
+++ b/scripts/judges_fake.php
@ -127,8 +127,8 @@ for ($x = 0; $x < $numjudges; $x++) {
 	else
 		$complete = 'yes';
-	$q = $pdo->prepare("INSERT INTO judges (firstname,lastname,email,years_school,years_regional,years_national,willing_chair,complete) VALUES ('$firstname','$lastname','$email','$years_school','$years_regional','$years_national','$willing_chair','$complete')");
+	$q = $pdo->prepare("INSERT INTO judges (firstname,lastname,email,years_school,years_regional,years_national,willing_chair,complete) VALUES (?,?,?,?,?,?,?,?)");
-	$q->execute();
+	$q->execute([$firstname,$lastname,$email,$years_school,$years_regional,$years_national,$willing_chair,$complete]);
 	$id = $pdo->lastInsertId();
 	// for both these, the annealer expects -2 to 2 , but since expertise was done waaaaaay before as 1-5 we'll add it as 1-5 and the annealer will subtract 3
@ -137,36 +137,36 @@ for ($x = 0; $x < $numjudges; $x++) {
 	// preference is ranked -2 to 2
 	for ($a = 1; $a <= 3; $a++) {
 		$catrank = rand(-2, 2);
-		$stmt = $pdo->prepare("INSERT INTO judges_catpref (judges_id,projectcategories_id,rank,year) VALUES ('$id','$a','$catrank','2007')");
+		$stmt = $pdo->prepare("INSERT INTO judges_catpref (judges_id,projectcategories_id,rank,year) VALUES (?,?,?,'2007')");
-		$stmt->execute();
+		$stmt->execute([$id,$a,$catrank]);
 	}
 	// expertise is ranked 1-5
 	for ($a = 1; $a <= 6; $a++) {
 		$divrank = rand(1, 5);
-		$stmt = $pdo->prepare("INSERT INTO judges_expertise (judges_id,projectdivisions_id,val,year) VALUES ('$id','$a','$divrank','2007')");
+		$stmt = $pdo->prepare("INSERT INTO judges_expertise (judges_id,projectdivisions_id,val,year) VALUES (?,?,?,'2007')");
-		$stmt->execute();
+		$stmt->execute([$id,$a,$divrank]);
 	}
 	// and add the record to the judges_years table so they will be 'active' for this year
-	$stmt = $pdo->prepare("INSERT INTO judges_years (judges_id,year) VALUES ('$id','2007')");
+	$stmt = $pdo->prepare("INSERT INTO judges_years (judges_id,year) VALUES (?,'2007')");
-	$stmt->execute();
+	$stmt->execute([$id]);
 	// 60% chance they only speak english
 	// 20% chance they only speak french
 	// 20% chance they are bilingual
 	$num = rand(0, 100);
 	if ($num < 60) {
-		$stmt = $pdo->prepare("INSERT INTO judges_languages (judges_id,languages_lang) VALUES ('$id','en')");
+		$stmt = $pdo->prepare("INSERT INTO judges_languages (judges_id,languages_lang) VALUES (?,'en')");
-		$stmt->execute();
+		$stmt->execute([$id]);
 	} else if ($num < 80) {
-		$stmt = $pdo->prepare("INSERT INTO judges_languages (judges_id,languages_lang) VALUES ('$id','fr')");
+		$stmt = $pdo->prepare("INSERT INTO judges_languages (judges_id,languages_lang) VALUES (?,'fr')");
-		$stmt->execute();
+		$stmt->execute([$id]);
 	} else {
-		$stmt = $pdo->prepare("INSERT INTO judges_languages (judges_id,languages_lang) VALUES ('$id','en')");
+		$stmt = $pdo->prepare("INSERT INTO judges_languages (judges_id,languages_lang) VALUES (?,'en')");
-		$stmt->execute();
+		$stmt->execute([$id]);
-		$stmt = $pdo->prepare("INSERT INTO judges_languages (judges_id,languages_lang) VALUES ('$id','fr')");
+		$stmt = $pdo->prepare("INSERT INTO judges_languages (judges_id,languages_lang) VALUES (?,'fr')");
-		$stmt->execute();
+		$stmt->execute([$id]);
 	}
 }
--- a/scripts/populate_fake.php
+++ b/scripts/populate_fake.php
@ -72,8 +72,8 @@ for ($x = 0; $x < $numprojects; $x++) {
 	else
 		$status = 'complete';
-	$q = $pdo->prepare("INSERT INTO registrations (num,email,start,status,year) VALUES ('$regnum','$email',NOW(),'$status',2011)");
+	$q = $pdo->prepare("INSERT INTO registrations (num,email,start,status,year) VALUES (?,?,NOW(),?,2011)");
-	$q->execute();
+	$q->execute([$regnum,$email,$status]);
 	if ($id = $pdo->lastInsertId()) {
 		$peeps = rand(1, $prob_dual);
 		if ($peeps == 1)
@ -104,8 +104,8 @@ for ($x = 0; $x < $numprojects; $x++) {
 			$firstname = getrand($firstnames);
 			$email = strtolower($firstname) . '@' . getrand($domains);
-			$stmt = $pdo->prepare("INSERT INTO students (registrations_id,firstname,lastname,email,sex,grade,year,schools_id) VALUES ('$id','$firstname','" . getrand($lastnames) . "','$email','$sex','$grade','2011','$schools_id')");
+			$stmt = $pdo->prepare("INSERT INTO students (registrations_id,firstname,lastname,email,sex,grade,year,schools_id) VALUES (?,?,?,?,?,?,'2011',?)");
-			$stmt->execute();
+			$stmt->execute([$id,$firstname,getrand($lastnames),$email,$sex,$grade,$schools_id]);
 		}
 		$div = rand(1, 6);
@ -129,8 +129,8 @@ for ($x = 0; $x < $numprojects; $x++) {
 		else
 			$lang = 'en';
-		$stmt = $pdo->prepare("INSERT INTO projects (registrations_id,projectcategories_id,projectdivisions_id,title,year,req_electricity,req_table,language) VALUES ('$id','$cat','$div','$title $lang',2011,'$req_e','$req_t','$lang')");
+		$stmt = $pdo->prepare("INSERT INTO projects (registrations_id,projectcategories_id,projectdivisions_id,title,year,req_electricity,req_table,language) VALUES (?,?,?,? ?,2011,?,?,?)");
-		$stmt->execute();
+		$stmt->execute([$id,$cat,$div,$title,$lang,$req_e,$req_t,$lang]);
 	}
 }
--- a/scripts/rolloverschools.php
+++ b/scripts/rolloverschools.php
@ -34,8 +34,8 @@ require_once ('../config_editor.inc.php');
 function roll($currentfairyear, $newfairyear, $table, $fields)
 {
 	global $pdo;
-	$q = $pdo->prepare("SELECT * FROM $table WHERE year='$currentfairyear'");
+	$q = $pdo->prepare("SELECT * FROM ? WHERE year=?");
-	$q->execute();
+	$q->execute([$table,$currentfairyear]);
 	show_pdo_errors_if_any($pdo);
 	$names = '`' . join('`,`', $fields) . '`';
 	while ($r = $q->fetch(PDO::FETCH_ASSOC)) {
@ -44,8 +44,8 @@ function roll($currentfairyear, $newfairyear, $table, $fields)
 			$vals .= ",'" . $r[$f] . "'";
 		}
-		$stmt = $pdo->prepare("INSERT INTO $table(`year`,$names) VALUES ('$newfairyear'$vals)");
+		$stmt = $pdo->prepare("INSERT INTO ?(`year`,?) VALUES (??)");
-		$stmt->execute();
+		$stmt->execute([$table,$names,$newfairyear,$vals]);
 		show_pdo_errors_if_any($pdo);
 	}
 }
@ -55,8 +55,8 @@ $newfairyear = 2010;
 echo i18n('Rolling schools') . '<br />';
 // award types
-$q = $pdo->prepare("SELECT * FROM schools WHERE year='$currentfairyear'");
+$q = $pdo->prepare("SELECT * FROM schools WHERE year=?");
-$q->execute();
+$q->execute([$currentfairyear]);
 show_pdo_errors_if_any($pdo);
 while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 	$puid = ($r->principal_uid == null) ? 'NULL' : ("'" . intval($r->principal_uid) . "'");
--- a/tableeditor.class.php
+++ b/tableeditor.class.php
@ -368,8 +368,8 @@ class TableEditor
 		$inputsize = 0;
 		// figure out what kind of input this should be
-		$q = $pdo->prepare("SHOW COLUMNS FROM `{$this->table}` LIKE '$f'");
+		$q = $pdo->prepare("SHOW COLUMNS FROM ? LIKE ?");
-		$q->execute([]);
+		$q->execute([$this->table,$f]);
 		$r = $q->fetch(PDO::FETCH_OBJ);
 		if (preg_match('([a-z]*)\(([0-9,]*)\)', $r->Type, $regs)) {
@ -461,15 +461,15 @@ class TableEditor
 	function defaultLoad()
 	{
 		global $pdo;
-		$query = "SELECT {$this->primaryKey}";
+		$query = "SELECT ?";
 		foreach ($this->editfields AS $f => $n)
-			$query .= ", `$f`";
+			$query .= ", ?";
-		$query .= " FROM `{$this->table}`";
+		$query .= " FROM ?";
-		$query .= " WHERE {$this->primaryKey}='{$_GET['edit']}'";
+		$query .= " WHERE ?=?";
 		if ($this->DEBUG)
 			echo $query;
 		$editquery = $pdo->prepare($query);
-		$editquery->execute();
+		$editquery->execute([$this->primaryKey,$f,$this->table,$this->primaryKey,$_GET['edit']]);
 		$editdata = $editquery->fetch(PDO::FETCH_ASSOC);
 		return $editdata;
 	}
@ -504,20 +504,20 @@ class TableEditor
 		if ($insert_mode) {
 			$query .= ')';
 		} else {
-			$query .= " WHERE {$this->primaryKey}='{$keyval}'";
+			$query .= " WHERE ?=?";
 		}
 		if ($this->DEBUG)
 			echo $query;
 		$stmt = $pdo->prepare($query);
-		$stmt->execute();
+		$stmt->execute([$this->primaryKey,$keyval]);
 	}
 	function defaultDelete($keyval)
 	{
 		global $pdo;
-		$stmt = $pdo->prepare("DELETE FROM {$this->table} WHERE {$this->primaryKey}='{$keyval}'");
+		$stmt = $pdo->prepare("DELETE FROM ? WHERE ?=?");
-		$stmt->execute();
+		$stmt->execute([$this->table,$this->primaryKey,$keyval]);
 		echo happy(i18n('Successfully deleted %1', array($this->recordType)));
 	}
@ -991,7 +991,7 @@ class TableEditor
 			// just to make sure nothing funky is goin on.
 			if ($offset < 0)
 				$offset = 0;
-			$query .= " LIMIT $offset,$this->rowsPerPage";
+			$query .= " LIMIT ?,?";
 		}
 		if ($this->allowAdding) {
@ -1003,7 +1003,7 @@ class TableEditor
 		echo $query;
 		$q = $pdo->prepare($query);
-		$q->execute();
+		$q->execute([$offset,$this->rowsPerPage]);
 		if ($q == false) {
 			echo "Sorry, DB query failed: <pre>$query</pre><br />";
@ -1104,7 +1104,7 @@ class TableEditor
 				foreach ($this->listfields AS $f => $n) {
 					// figure out what kind of input this should be
 					$typeq = $pdo->prepare("SHOW COLUMNS FROM ? LIKE ?");
-					$typeq->execute([$this->table,$f]);
+					$typeq->execute([$this->table,$config['FAIRYEAR']]);
 					$typer = $typeq->fetCh(PDO::FETCH_OBJ);
 					if ($typer->Type == 'time')
 						echo '<td valign="top">' . $this->format_time($r->$f) . '</td>';
--- a/tours.class.php
+++ b/tours.class.php
@ -114,7 +114,7 @@ class tours
 		if ($this->id == false) {
 			$query = "INSERT INTO tours (id) VALUES ('')";
 			$stmt = $pdo->prepare($query);
-			$stmt->execute([]);
+			$stmt->execute();
 			$this->id = $pdo->lastInsertId();
 		}
@ -130,11 +130,11 @@ class tours
 		// rip off the last comma
 		$query = substr($query, 0, -1);
-		$query .= " WHERE id='{$this->id}'";
+		$query .= " WHERE id=?";
 		//	echo $query;
 		$stmt = $pdo->prepare($query);
-		$stmt->execute();
+		$stmt->execute([$this->id]);
 	}
 	function tableEditorDelete()
--- a/user.inc.php
+++ b/user.inc.php
@ -716,9 +716,9 @@ function user_dupe_row($table, $key, $val, $newval)
 	$keys = '`' . join('`,`', array_keys($i)) . '`';
 	$vals = join(',', array_values($i));
-	$q = "INSERT INTO $table ($keys) VALUES ($vals)";
+	$q = "INSERT INTO $table (?) VALUES (?)";
 	$r = $pdo->prepare($q);
-	$r->execute();
+	$r->execute([$keys,$vals]);
 	show_pdo_errors_if_any($pdo);
 	$id = $pdo->lastInsertId();