diff --git a/winners.php b/winners.php
index a3f34a69..3c7e89a7 100644
--- a/winners.php
+++ b/winners.php
@@ -33,13 +33,13 @@ if($_POST['edit']) $edit=$_POST['edit'];
if($_GET['action']) $action=$_GET['action'];
if($_POST['action']) $action=$_POST['action'];
-if($_GET['year'] && $_GET['type'])
-{
+if($_GET['year'] && $_GET['type']) {
$show_unawarded_awards="no";
$show_unawarded_prizes="no";
+ $year=intval($_GET['year']);
+ $type=mysql_real_escape_string($_GET['type']);
- echo "
".i18n("%1 %2 Award Winners",array($_GET['year'],$_GET['type']))."
";
- $year=$_GET['year'];
+ echo "".i18n("%1 ".$type." Award Winners",array($_GET['year']))."
";
$ok=true;
//first, lets make sure someone isnt tryint to see something that they arent allowed to!
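Review bot: The SQL-escaped `$type` is embedded straight into the HTML output on the new echo line, and `mysql_real_escape_string` does nothing for that context, so a `type` value containing markup is still rendered unescaped (unless `i18n()` escapes its output, which is not visible here). Folding `$type` into the format string instead of passing it as a `%2` argument also makes the translation key vary per type, which will defeat lookups that worked with the original `"%1 %2 Award Winners"` key, and any backslashes added by the SQL escaping will show up on screen. I would keep the SQL-escaped copy for the query only and escape separately for output: `echo "".i18n("%1 %2 Award Winners", array($year, htmlspecialchars($_GET['type'], ENT_QUOTES, 'UTF-8')))."\n";`. The `if` block opened on the `+if($_GET['year'] && $_GET['type']) {` line continues past the end of this hunk.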
@@ -68,7 +68,7 @@ if($_GET['year'] && $_GET['type'])
WHERE
award_awards.year='$year'
AND award_awards.award_types_id=award_types.id
- AND award_types.type='".$_GET['type']."'
+ AND award_types.type='$type'
AND award_types.year='$year'
ORDER BY
awards_order");
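Review bot: Escaping `$type` before quoting it in `award_types.type='$type'` is the right shape for this query, but `mysql_real_escape_string` needs an open MySQL link at the time it is called, and the call site (`$type=mysql_real_escape_string($_GET['type']);` in the earlier hunk) runs before this query; if the connection is not yet established there, it returns `false` with a warning and the condition silently becomes `award_types.type=''`. Worth confirming the connect happens above the top of the file's first hunk, or adding a check such as `if ($type === false) { $ok = false; }` before the query is built. The query string this hunk edits begins before the hunk starts.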