all database lines have been adjusted across all files

2025-02-05 06:06:13 +00:00 · 2025-02-05 06:06:13 +00:00 · a5739a3d90
commit a5739a3d90
parent 888d350ddc
37 changed files with 881 additions and 718 deletions
--- a/admin/award_awardcreatedivisional.php
+++ b/admin/award_awardcreatedivisional.php
@ -130,23 +130,25 @@ if ($r->num) {
 			echo '&nbsp;&nbsp;' . i18n('Prizes: ');
 			foreach ($prizes AS $prize) {
-				$q = $pdo->prepare("INSERT INTO award_prizes (award_awards_id,cash,scholarship,value,prize,number,`order`,excludefromac,trophystudentkeeper,trophystudentreturn,trophyschoolkeeper,trophyschoolreturn,year) VALUES (
+				$q = $pdo->prepare("INSERT INTO award_prizes (award_awards_id, cash, scholarship, value, prize, number, `order`, excludefromac, trophystudentkeeper, trophystudentreturn, trophyschoolkeeper, trophyschoolreturn, year) 
-							'$award_awards_id',
+					VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)");
-							'{$prize['cash']}',
+
-							'{$prize['scholarship']}',
+				$q->execute([
-							'{$prize['value']}',
+					$award_awards_id,
-							'{$prize['prize']}',
+					$prize['cash'],
-							'{$prize['number']}',
+					$prize['scholarship'],
-							'{$prize['order']}',
+					$prize['value'],
-							'{$prize['excludefromac']}',
+					$prize['prize'],
-							'{$prize['trophystudentkeeper']}',
+					$prize['number'],
-							'{$prize['trophystudentreturn']}',
+					$prize['order'],
-							'{$prize['trophyschoolkeeper']}',
+					$prize['excludefromac'],
-							'{$prize['trophyschoolreturn']}',
+					$prize['trophystudentkeeper'],
-							'{$config['FAIRYEAR']}'
+					$prize['trophystudentreturn'],
-							)");
+					$prize['trophyschoolkeeper'],
 					$prize['trophyschoolreturn'],
 					$config['FAIRYEAR']
 				]);
 				$q->execute();
 				echo $prize['prize'] . ',';
 			}
--- a/admin/award_download.php
+++ b/admin/award_download.php
@ -159,21 +159,33 @@ switch (get_value_from_array($_GET, 'action')) {
 			$self_nominate = ($award['self_nominate'] == 'yes') ? 'yes' : 'no';
 			$schedule_judges = ($award['schedule_judges'] == 'yes') ? 'yes' : 'no';
-			$q = $pdo->prepare("UPDATE award_awards SET
+			$q = $pdo->prepare("UPDATE award_awards SET 
-				sponsors_id='$sponsor_id',
+				sponsors_id = ?, 
-				name='" . $award['name_en'] . "',
+				name = ?, 
-				criteria='" . $award['criteria_en'] . "',
+				criteria = ?, 
-				external_postback='" . $postback . "',
+				external_postback = ?, 
-				external_register_winners='" . (($award['external_register_winners'] == 1) ? 1 : 0) . "',
+				external_register_winners = ?, 
-				external_additional_materials='" . (($award['external_additional_materials'] == 1) ? 1 : 0) . "',
+				external_additional_materials = ?, 
-				self_nominate='$self_nominate',
+				self_nominate = ?, 
-				schedule_judges='$schedule_judges'
+				schedule_judges = ? 
-			WHERE 
+				WHERE id = ? 
-				id='$award_id' 
+				AND external_identifier = ? 
-				AND external_identifier='" . $identifier . "' 
+				AND year = ?");
-				AND year='$year'
+
-		");
+			$q->execute([
-			$q->execute();
+				$sponsor_id,
 				$award['name_en'],
 				$award['criteria_en'],
 				$postback,
 				($award['external_register_winners'] == 1) ? 1 : 0,
 				($award['external_additional_materials'] == 1) ? 1 : 0,
 				$self_nominate,
 				$schedule_judges,
 				$award_id,
 				$identifier,
 				$year
 			]);
 			show_pdo_errors_if_any($pdo);
 			// update the prizes
@ -218,22 +230,35 @@ switch (get_value_from_array($_GET, 'action')) {
 				if (!array_key_exists('identifier', $prize))
 					$prize['identifier'] = $prize['prize_en'];
-				$q = $pdo->prepare("UPDATE award_prizes SET 
+					$q = $pdo->prepare("UPDATE award_prizes SET 
-					cash='" . intval($prize['cash']) . "',
+						cash = ?, 
-					scholarship='" . intval($prize['scholarship']) . "',
+						scholarship = ?, 
-					value='" . intval($prize['value']) . "',
+						value = ?, 
-					prize='" . $prize['prize_en'] . "',
+						prize = ?, 
-					number='" . intval($prize['number']) . "',
+						number = ?, 
-					`order`='" . intval($prize['ord']) . "',
+						`order` = ?, 
-					external_identifier='" . stripslashes($prize['identifier']) . "',
+						external_identifier = ?, 
-					trophystudentkeeper='" . intval($prize['trophystudentkeeper']) . "',
+						trophystudentkeeper = ?, 
-					trophystudentreturn='" . intval($prize['trophystudentreturn']) . "',
+						trophystudentreturn = ?, 
-					trophyschoolkeeper='" . intval($prize['trophyschoolkeeper ']) . "',
+						trophyschoolkeeper = ?, 
-					trophyschoolreturn='" . intval($prize['trophyschoolreturn']) . "'
+						trophyschoolreturn = ? 
-				WHERE
+						WHERE id = ?");
-					id='$prize_id'");
+				
-
+					$q->execute([
-				$q->execute([]);
+						intval($prize['cash']),
 						intval($prize['scholarship']),
 						intval($prize['value']),
 						$prize['prize_en'],
 						intval($prize['number']),
 						intval($prize['ord']),
 						stripslashes($prize['identifier']),
 						intval($prize['trophystudentkeeper']),
 						intval($prize['trophystudentreturn']),
 						intval($prize['trophyschoolkeeper']),
 						intval($prize['trophyschoolreturn']),
 						$prize_id
 				]);
 				show_pdo_errors_if_any($pdo);
 				// FIXME: update the translations
--- a/admin/communication.php
+++ b/admin/communication.php
@ -701,21 +701,22 @@ if (get_value_from_array($_GET, 'action') == 'sendqueue') {
 	$numtotal = $recipq->rowCount();
-	$q = $pdo->prepare("INSERT INTO emailqueue (val,name,users_uid,`from`,subject,body,bodyhtml,`type`,fundraising_campaigns_id,started,finished,numtotal,numsent) VALUES (
+	$q = $pdo->prepare("INSERT INTO emailqueue (val, name, users_uid, `from`, subject, body, bodyhtml, `type`, fundraising_campaigns_id, started, finished, numtotal, numsent) 
-			'" . $email->val . "',
+    	VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, NOW(), NULL, ?, 0)");
-			'" . $email->name . "',
+
-			'" . $_SESSION['users_uid'] . "',
+	$q->execute([
-			'" . $email->from . "',
+		$email->val,
-			'" . $email->subject . "',
+		$email->name,
-			'" . $email->body . "',
+		$_SESSION['users_uid'],
-			'" . $email->bodyhtml . "',
+		$email->from,
-			'" . $email->type . "',
+		$email->subject,
-			$fcid,
+		$email->body,
-			NOW(),
+		$email->bodyhtml,
-			NULL,
+		$email->type,
-			$numtotal,
+		$fcid,
-			0)");
+		$numtotal
-	$q->execute();
+	]);
 	$emailqueueid = $pdo->lastInsertId();
 	show_pdo_errors_if_any($pdo);
@ -746,13 +747,15 @@ if (get_value_from_array($_GET, 'action') == 'sendqueue') {
 		);
 		if ($u['email'] && $u['email'][0] != '*') {
-			$q = $pdo->prepare("INSERT INTO emailqueue_recipients (emailqueue_id,toemail,toname,replacements,sent) VALUES (
+			$q = $pdo->prepare("INSERT INTO emailqueue_recipients (emailqueue_id, toemail, toname, replacements, sent) VALUES (?, ?, ?, ?, NULL)");
-				'$emailqueueid',
+
-				'" . $pdo->quote($u['email']) . "',
+			$q->execute([
-				'" . $pdo->quote($u['name']) . "',
+				$emailqueueid,
-				'" . $pdo->quote(json_encode($replacements) . "',
+				$u['email'],
-				NULL)"));
+				$u['name'],
-			$q->execute();
+				json_encode($replacements)
 			]);
 			show_pdo_errors_if_any($pdo);
 		}
 		$q = $pdo->prepare("UPDATE emails SET lastsent=NOW() WHERE id=?");
@ -870,21 +873,20 @@ if (get_value_from_array($_GET, 'action') == 'send' && get_value_from_array($_GE
 	}
 	$numtotal = $recipq->rowCount();
-	$q = $pdo->prepare("INSERT INTO emailqueue (val,name,users_uid,`from`,subject,body,bodyhtml,`type`,fundraising_campaigns_id,started,finished,numtotal,numsent) VALUES (
+	$q = $pdo->prepare("INSERT INTO emailqueue (val, name, users_uid, `from`, subject, body, bodyhtml, `type`, fundraising_campaigns_id, started, finished, numtotal, numsent) VALUES (?, ?, ?, ?, ?, ?, ?, ?, NULL, NOW(), NULL, ?, 0)");
-				'" . $pdo->quote($email->val) . "',
+
-				'" . $pdo->quote($email->name) . "',
+	$q->execute([
-				'" . $pdo->quote($_SESSION['users_uid']) . "',
+		$email->val,
-				'" . $pdo->quote($email->from) . "',
+		$email->name,
-				'" . $pdo->quote($email->subject) . "',
+		$_SESSION['users_uid'],
-				'" . $pdo->quote($email->body) . "',
+		$email->from,
-				'" . $pdo->quote($email->bodyhtml) . "',
+		$email->subject,
-				'" . $pdo->quote($email->type) . "',
+		$email->body,
-				NULL,
+		$email->bodyhtml,
-				NOW(),
+		$email->type,
-				NULL,
+		$numtotal
-				$numtotal,
+	]);
-				0)");
+	
 	$q->execute();
 	$emailqueueid = lastInsertId();
 	show_pdo_errors_if_any($pdo);
@ -939,13 +941,15 @@ if (get_value_from_array($_GET, 'action') == 'send' && get_value_from_array($_GE
 		}
 		if ($toemail) {
-			$q = $pdo->prepare("INSERT INTO emailqueue_recipients (emailqueue_id,toemail,toname,replacements,sent) VALUES (
+			$q = $pdo->prepare("INSERT INTO emailqueue_recipients (emailqueue_id, toemail, toname, replacements, sent) VALUES (?, ?, ?, ?, NULL)");
-					'$emailqueueid',
+
-					'" . $toemail . "',
+			$q->execute([
-					'" . $toname . "',
+				$emailqueueid,
-					'" . json_encode($replacements) . "',
+				$toemail,
-					NULL)");
+				$toname,
-			$q->execute();
+				json_encode($replacements)
 			]);
 			show_pdo_errors_if_any($pdo);
 		}
--- a/admin/donors.php
+++ b/admin/donors.php
@ -54,26 +54,31 @@ switch (get_value_from_array($_GET, 'action')) {
 		if ($id) {
 			$exec = 'UPDATE sponsors SET '
-				. "donortype='" . stripslashes($_POST['donortype']) . "', "
+				. "donortype=?, "
-				. "organization='" . stripslashes($_POST['organization']) . "', "
+				. "organization=?, "
-				. "address='" . stripslashes($_POST['address']) . "', "
+				. "address=?, "
-				. "address2='" . stripslashes($_POST['address2']) . "', "
+				. "address2=?, "
-				. "city='" . stripslashes($_POST['city']) . "', "
+				. "city=?, "
-				. "province_code='" . stripslashes($_POST['province_code']) . "', "
+				. "province_code=?, "
-				. "postalcode='" . stripslashes($_POST['postalcode']) . "', "
+				. "postalcode=?, "
-				. "phone='" . stripslashes($_POST['phone']) . "', "
+				. "phone=?, "
-				. "tollfree='" . stripslashes($_POST['tollfree']) . "', "
+				. "tollfree=?, "
-				. "fax='" . stripslashes($_POST['fax']) . "', "
+				. "fax=?, "
-				. "email='" . stripslashes($_POST['email']) . "', "
+				. "email=?, "
-				. "website='" . stripslashes($_POST['website']) . "', "
+				. "website=?, "
-				. "notes='" . stripslashes($_POST['notes']) . "', "
+				. "notes=?, "
-				. "donationpolicyurl='" . stripslashes($_POST['donationpolicyurl']) . "', "
+				. "donationpolicyurl=?, "
-				. "fundingselectiondate='" . stripslashes($_POST['fundingselectiondate']) . "', "
+				. "fundingselectiondate=?, "
-				. "proposalsubmissiondate='" . stripslashes($_POST['proposalsubmissiondate']) . "', "
+				. "proposalsubmissiondate=?, "
-				. "waiveraccepted='" . stripslashes($_POST['waiveraccepted']) . "' "
+				. "waiveraccepted=? "
-				. "WHERE id='$id'";
+				. "WHERE id=?";
 			$q = $pdo->prepare($exec);
-			$q->execute();
+			$q->execute([stripslashes($_POST['donortype']),stripslashes($_POST['organization']),stripslashes($_POST['address']),
 			stripslashes($_POST['address2']),stripslashes($_POST['city']),stripslashes($_POST['province_code']),
 			stripslashes($_POST['postalcode']),stripslashes($_POST['phone']),stripslashes($_POST['tollfree']),
 			stripslashes($_POST['fax']),stripslashes($_POST['email']),stripslashes($_POST['website']),
 			stripslashes($_POST['notes']),stripslashes($_POST['donationpolicyurl']),stripslashes($_POST['fundingselectiondate']),
 			stripslashes($_POST['proposalsubmissiondate']),stripslashes($_POST['waiveraccepted']),$id]);
 			echo $q->errorInfo();
 			// FIXME accept the logo
@ -422,18 +427,18 @@ switch (get_value_from_array($_GET, 'action')) {
 		if ($goal && $value && $supporttype) {
 			$q = $pdo->prepare("INSERT INTO fundraising_donations (sponsors_id,fundraising_goal,fundraising_campaigns_id,value,status,probability,fiscalyear,thanked,datereceived,supporttype) VALUES (
-			'$sponsorid',
+			?,
-			'" . $goal . "',
+			?,
-			'$campaignid',
+			?,
-			'$value',
+			?,
 			'received',
 			'100',
-			'{$config['FISCALYEAR']}',
+			?,
 			'no',
-			'" . $datereceived . "',
+			?,
-			'" . $supporttype . "'
+			?
 			)");
-			$q->execute();
+			$q->execute([$sponsorid,$goal,$campaignid,$value,$config['FISCALYEAR'],$datereceived,$supporttype]);
 			$id = $pdo->lastInsertId();
 			$logStr = getDonationString($id);
 			save_activityinfo("Added donation/sponsorship: $logStr", $sponsorid, $_SESSION['users_uid'], 'System');
--- a/admin/judges_teams_projects.php
+++ b/admin/judges_teams_projects.php
@ -81,20 +81,20 @@ if (get_value_from_array($_GET, 'judges_projects_list_eligible'))
 	$_SESSION['viewstate']['judges_projects_list_eligible'] = $_GET['judges_projects_list_eligible'];
 if (get_value_from_array($_GET, 'action') == 'delete' && $_GET['delete'] && $_GET['edit']) {
-	$stmt = $pdo->prepare("DELETE FROM judges_teams_timeslots_projects_link WHERE id='" . $_GET['delete'] . "'");
+	$stmt = $pdo->prepare("DELETE FROM judges_teams_timeslots_projects_link WHERE id=?");
-	$stmt->execute();
+	$stmt->execute([$_GET['delete']]);
 	echo happy(i18n('Judging team project successfully removed'));
 	$action = 'edit';
 }
 if (get_value_from_array($_POST, 'action') == 'assign' && $_POST['edit'] && $_POST['timeslot'] && $_POST['project_id']) {
-	$stmt = $pdo->prepare("INSERT INTO judges_teams_timeslots_projects_link (judges_teams_id,judges_timeslots_id,projects_id,year) VALUES ('" . $_POST['edit'] . "','" . $_POST['timeslot'] . "','" . $_POST['project_id'] . "','" . $config['FAIRYEAR'] . "')");
+	$stmt = $pdo->prepare("INSERT INTO judges_teams_timeslots_projects_link (judges_teams_id,judges_timeslots_id,projects_id,year) VALUES (?,?,?,?)");
-	$stmt->execute();
+	$stmt->execute([$_POST['edit'],$_POST['timeslot'],$_POST['project_id'],$config['FAIRYEAR']]);
 	echo happy(i18n('Project assigned to team timeslot'));
 }
-$q = $pdo->prepare("SELECT DISTINCT(date) AS d FROM judges_timeslots WHERE year='" . $config['FAIRYEAR'] . "'");
+$q = $pdo->prepare("SELECT DISTINCT(date) AS d FROM judges_timeslots WHERE year=?");
-$q->execute();
+$q->execute([$config['FAIRYEAR']]);
 if ($q->rowCount() > 1)
 	$show_date = true;
 else
@ -155,13 +155,13 @@ if (($action == 'edit' || $action == 'assign') && $edit) {
 				judges_teams,
 				judges_teams_timeslots_link
 			WHERE
-				judges_teams.id='" . $team['id'] . "' AND
+				judges_teams.id=? AND
 				judges_teams.id=judges_teams_timeslots_link.judges_teams_id AND
 				judges_timeslots.id=judges_teams_timeslots_link.judges_timeslots_id
 			ORDER BY
 				date,starttime
 			");
-	$q->execute();
+	$q->execute([$team['id']]);
 	$numslots = $q - rowCount();
 	if ($numslots) {
@ -201,7 +201,7 @@ if (($action == 'edit' || $action == 'assign') && $edit) {
 					projectnumber is not null 
 					' . getJudgingEligibilityCode() . " AND
 					projects.registrations_id=registrations.id AND
-					projects.year='" . $config['FAIRYEAR'] . "'
+					projects.year=?
 				ORDER BY
 					projectnumber";
 		} else if ($_SESSION['viewstate']['judges_projects_list_show'] == 'unassigned') {
@ -219,13 +219,13 @@ if (($action == 'edit' || $action == 'assign') && $edit) {
 					' . getJudgingEligibilityCode(). ' AND
 					projects.registrations_id=registrations.id AND
 					judges_teams_timeslots_projects_link.projects_id IS NULL AND
-					projects.year='" . $config['FAIRYEAR'] . "'
+					projects.year=?
 				ORDER BY
 					projectnumber";
 		}
 		$pq = $pdo->prepare($querystr);
-		$pq->execute();
+		$pq->execute([$config['FAIRYEAR'],$config['FAIRYEAR']]);
 		show_pdo_errors_if_any($pdo);
 		$eligibleprojects = getProjectsEligibleOrNominatedForAwards($award_ids);
@ -284,14 +284,14 @@ if (($action == 'edit' || $action == 'assign') && $edit) {
 						projects,
 						judges_teams_timeslots_projects_link
 					WHERE
-						judges_teams_timeslots_projects_link.judges_timeslots_id='$r->id' AND
+						judges_teams_timeslots_projects_link.judges_timeslots_id=? AND
-						judges_teams_timeslots_projects_link.judges_teams_id='" . $team['id'] . "' AND
+						judges_teams_timeslots_projects_link.judges_teams_id=? AND
 						judges_teams_timeslots_projects_link.projects_id=projects.id AND
-						judges_teams_timeslots_projects_link.year='" . $config['FAIRYEAR'] . "'
+						judges_teams_timeslots_projects_link.year=?
 					ORDER BY
 						projectnumber
 					");
-			$projq->execute();
+			$projq->execute([$r->id,$team['id'],$config['FAIRYEAR']]);
 			show_pdo_errors_if_any($pdo);
 			while ($proj = $projq->fetch(PDO::FETCH_OBJ)) {
@ -357,13 +357,13 @@ if (($action == 'edit' || $action == 'assign') && $edit) {
 					judges_teams,
 					judges_teams_timeslots_link
 				WHERE
-					judges_teams.id='" . $team['id'] . "' AND
+					judges_teams.id=? AND
 					judges_teams.id=judges_teams_timeslots_link.judges_teams_id AND
 					judges_timeslots.id=judges_teams_timeslots_link.judges_timeslots_id
 				ORDER BY
 					date,starttime
 				");
-		$q->execute();
+		$q->execute([$team['id']]);
 		$numslots = $q->rowCount();
 		echo '<a href="judges_teams_projects.php?action=edit&edit=' . $team['id'] . '">' . i18n('Edit team project assignments') . '</a>';
@ -391,14 +391,14 @@ if (($action == 'edit' || $action == 'assign') && $edit) {
 					projects,
 					judges_teams_timeslots_projects_link
 				WHERE
-					judges_teams_timeslots_projects_link.judges_timeslots_id='$r->id' AND
+					judges_teams_timeslots_projects_link.judges_timeslots_id=? AND
-					judges_teams_timeslots_projects_link.judges_teams_id='" . $team['id'] . "' AND
+					judges_teams_timeslots_projects_link.judges_teams_id=? AND
 					judges_teams_timeslots_projects_link.projects_id=projects.id AND
-					judges_teams_timeslots_projects_link.year='" . $config['FAIRYEAR'] . "'
+					judges_teams_timeslots_projects_link.year=?
 				ORDER BY
 					projectnumber
 				");
-			$projq->execute();
+			$projq->execute([$r->id,$team['id'],$config['FAIRYEAR']]);
 			show_pdo_errors_if_any($pdo);
 			while ($proj = $projq->fetch(PDO::FETCH_OBJ)) {
--- a/admin/judges_teams_timeslots.php
+++ b/admin/judges_teams_timeslots.php
@ -42,15 +42,15 @@ if (array_key_exists('action', $_POST))
 if (get_value_from_array($_GET, 'action') && $action == 'delete') {
 	$id = intval($_GET['delete']);
-	$stmt = $pdo->prepare("DELETE FROM judges_teams_timeslots_link WHERE id='$id'");
+	$stmt = $pdo->prepare("DELETE FROM judges_teams_timeslots_link WHERE id=?");
-	$stmt->execute();
+	$stmt->execute([$id]);
 	message_push(happy(i18n('Judging team timeslot successfully removed')));
 }
 if (array_key_exists('empty', $_GET) && $action == 'empty') {
 	$id = intval($_GET['empty']);
-	$stmt = $pdo->prepare("DELETE FROM judges_teams_timeslots_link WHERE judges_teams_id='$id'");
+	$stmt = $pdo->prepare("DELETE FROM judges_teams_timeslots_link WHERE judges_teams_id=?");
-	$stmt->execute();
+	$stmt->execute([$id]);
 	message_push(happy(i18n('Judging team timeslots successfully removed')));
 }
@ -61,8 +61,8 @@ if ($action == 'assign') {
 		foreach ($_POST['teams'] AS $tm) {
 			foreach ($_POST['timeslots'] AS $ts) {
 				$stmt = $pdo->prepare("INSERT INTO judges_teams_timeslots_link (judges_teams_id,judges_timeslots_id,year) 
-						VALUES ('$tm','$ts','{$config['FAIRYEAR']}')");
+						VALUES (?,?,?)");
-				$stmt->execute();
+				$stmt->execute([$tm,$ts,$config['FAIRYEAR']]);
 			}
 		}
 		message_push(happy(i18n('%1 Timeslots assigned to %2 teams', array(count($_POST['timeslots']), count($_POST['teams'])))));
@ -126,8 +126,8 @@ echo '<a href="" onclick="return checknone(\'timeslots\')">select none</a>';
 echo '&nbsp;|&nbsp';
 echo '<a href="" onclick="return checkinvert(\'timeslots\')">invert selection</a>';
-$q = $pdo->prepare("SELECT DISTINCT(date) AS d FROM judges_timeslots WHERE year='" . $config['FAIRYEAR'] . "'");
+$q = $pdo->prepare("SELECT DISTINCT(date) AS d FROM judges_timeslots WHERE year=?");
-$q->execute();
+$q->execute([$config['FAIRYEAR']]);
 if ($q->rowCount() > 1)
 	$show_date = true;
 else
@ -143,16 +143,16 @@ echo '<th>' . i18n('End Time') . '</th>';
 echo "</tr>\n";
 $q = $pdo->prepare("SELECT * FROM judges_timeslots 
-			WHERE year='{$config['FAIRYEAR']}' 
+			WHERE year=? 
 			AND round_id='0' ORDER BY date,starttime");
-$q->execute();
+$q->execute([$config['FAIRYEAR']]);
 while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 	echo '<tr>';
 	$span = $show_date ? 4 : 3;
 	echo "<td colspan=\"$span\">{$r->name} (" . $round_str[$r->type] . ')</td>';
 	$qq = $pdo->prepare("SELECT * FROM judges_timeslots 
-					WHERE round_id='{$r->id}' ORDER BY date,starttime");
+					WHERE round_id=? ORDER BY date,starttime");
-	$qq->execute();
+	$qq->execute([$r->id]);
 	while ($rr = $qq->fetch(PDO::FETCH_OBJ)) {
 		echo '<tr>';
 		echo "<td><input type=\"checkbox\" name=\"timeslots[]\" value=\"{$rr->id}\" /></td>";
@ -213,13 +213,13 @@ foreach ($teams AS $team) {
 					judges_teams,
 					judges_teams_timeslots_link
 				WHERE
-					judges_teams.id='" . $team['id'] . "' AND
+					judges_teams.id=? AND
 					judges_teams.id=judges_teams_timeslots_link.judges_teams_id AND
 					judges_timeslots.id=judges_teams_timeslots_link.judges_timeslots_id
 				ORDER BY
 					date,starttime
 				");
-	$q->execute();
+	$q->execute([$team['id']]);
 	$numslots = $q->rowCount();
 	while ($r = $q->fetch(PDO::FETCH_OBJ)) {
--- a/admin/judges_timeslots.php
+++ b/admin/judges_timeslots.php
@ -188,9 +188,9 @@ if ($action == 'savemultiple') {
 		$tt = $duration + $break;
 		for ($x = 0; $x < $addnum; $x++) {
-			$q = $pdo->prepare("SELECT \tDATE_ADD('$date $hr:$min:00', INTERVAL $duration MINUTE) AS endtime, 
+			$q = $pdo->prepare("SELECT \tDATE_ADD(? ?:?:00', INTERVAL ? MINUTE) AS endtime, 
-						DATE_ADD('$date $hr:$min:00', INTERVAL $tt MINUTE) AS startnext ");
+						DATE_ADD(? ?:?:00', INTERVAL ? MINUTE) AS startnext ");
-			$q->execute();
+			$q->execute([$date,$hr,$min,$duration,$date,$hr,$min,$tt]);
 			show_pdo_errors_if_any($pdo);
 			$r = $q->fetch(PDO::FETCH_OBJ);
 			list($ed, $et) = split(' ', $r->endtime);
@ -199,10 +199,10 @@ if ($action == 'savemultiple') {
 			$starttime = sprintf('%02d:%02d:00', $hr, $min);
 			$stmt = $pdo->prepare("INSERT INTO judges_timeslots (date,type,round_id,starttime,endtime,year) VALUES (
-					'$date','timeslot','{$round_data['id']}',
+					?,'timeslot',?,
-					'$starttime', '$et',
+					?,?,
-					'{$config['FAIRYEAR']}')");
+					?)");
-			$stmt->execute();
+			$stmt->execute([$date,$round_data['id'],$starttime,$et,$config['FAIRYEAR']]);
 			show_pdo_errors_if_any($pdo);
 			$date = $nd;
 			list($s_h, $s_m, $s_s) = split(':', $nt);
--- a/admin/project_editor.php
+++ b/admin/project_editor.php
@ -139,20 +139,21 @@ function project_save()
 		$title = stripslashes($_POST['title']);
 	$stmt = $pdo->prepare('UPDATE projects SET '
-		. "title='" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', $title) . "', "
+		. "title='" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT','?') . "', "
-		. "projectdivisions_id='" . intval($_POST['projectdivisions_id'] . "', "
+		. "projectdivisions_id=?, "
-			. "projecttype='" . stripslashes($_POST['projecttype']) . "', "
+			. "projecttype=?, "
-			. "language='" . stripslashes($_POST['language']) . "', "
+			. "language=?, "
-			. "req_table='" . stripslashes($_POST['req_table']) . "', "
+			. "req_table=?, "
-			. "req_electricity='" . stripslashes($_POST['req_electricity']) . "', "
+			. "req_electricity=?, "
-			. "req_special='" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['req_special'])) . "', "
+			. "req_special=?, "
-			. "human_participants='" . stripslashes($_POST['human_participants']) . "', "
+			. "human_participants=?, "
-			. "animal_participants='" . stripslashes($_POST['animal_participants']) . "', "
+			. "animal_participants=?, "
-			. "summary='" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['summary'])) . "', "
+			. "summary=?, "
-			. "summarycountok='$summarycountok',"
+			. "summarycountok=?,"
-			. "feedback='" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['feedback'])) . "', "
+			. "feedback=?, "
-			. "projectsort='" . stripslashes($_POST['projectsort']) . "'"
+			. "projectsort=?"
-			. "WHERE id='" . intval($_POST['id'])) . "'");
+			. "WHERE id=?");
 	$stmt->execute([$title,intval($_POST['projectdivisions_id'],stripslashes($_POST['projecttype']),stripslashes($_POST['language']),stripslashes($_POST['req_table']),stripslashes($_POST['req_electricity']),stripslashes($_POST['human_participants']),stripslashes($_POST['animal_participants']),iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['summary'])),$summarycountok,iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['feedback'])),stripslashes($_POST['projectsort']),intval($_POST['id']))]);
 	show_pdo_errors_if_any($pdo);
 	happy_('Project information successfully updated');
--- a/admin/rerollprizes.php
+++ b/admin/rerollprizes.php
@ -113,18 +113,18 @@ if ($config['FAIRYEAR'] == 2008) {
 				show_pdo_errors_if_any($pdo);
 				while ($r2 = $q2->fetch(PDO::FETCH_OBJ)) {
 					$stmt = $pdo->prepare("INSERT INTO award_prizes (award_awards_id,cash,scholarship,`value`,prize,number,`order`,year,excludefromac) VALUES (
-				'" . $award_awards_id . "',
+				?,
-				'" . $r2->cash . "',
+				?,
-				'" . $r2->scholarship . "',
+				?,
-				'" . $r2->value . "',
+				?,
-				'" . $r2->prize . "',
+				?,
-				'" . $r2->number . "',
+				?,
-				'" . $r2->order . "',
+				?,
-				'" . $newfairyear . "',
+				?,
-				'" . $r2->excludefromac . "')");
+				?)");
 				}
 			}
-
+			$q2->execute([$award_awards_id,$r2->cash,$r2->scholarship,$r2->value,$r2->prize,$r2->number,$r2->order,$newfairyear,$r2->excludefromac]);
 			echo i18n('Rolling award contacts') . '<br />';
 			// award contacts
 			$q = $pdo->prepare("SELECT * FROM award_contacts WHERE year=?");
@ -132,19 +132,20 @@ if ($config['FAIRYEAR'] == 2008) {
 			show_pdo_errors_if_any($pdo);
 			while ($r = $q->fetch(PDO::FETCH_OBJ))
 				$stmt = $pdo->prepare("INSERT INTO award_contacts (award_sponsors_id,salutation,firstname,lastname,position,email,phonehome,phonework,phonecell,fax,notes,year) VALUES (
-				'" . $r->award_sponsors_id . "',
+				?,
-				'" . $r->salutation . "',
+				?,
-				'" . $r->firstname . "',
+				?,
-				'" . $r->lastname . "',
+				?,
-				'" . $r->position . "',
+				?,
-				'" . $r->email . "',
+				?,
-				'" . $r->phonehome . "',
+				?,
-				'" . $r->phonework . "',
+				?,
-				'" . $r->phonecell . "',
+				?,
-				'" . $r->fax . "',
+				?,
-				'" . $r->notes . "',
+				?,
-				'" . $newfairyear . "')");
+				?)");
 			$stmt->execute([$r->award_sponsors_id,$r->salutation,$r->firstname,$r->lastname,$r->position,$r->email,$r->phonehome,$r->phonework,$r->phonecell,$r->fax,$r->notes,$newfairyear]);
 			echo i18n('Rolling award types') . '<br />';
 			// award types
 			$q = $pdo->prepare("SELECT * FROM award_types WHERE year=?");
--- a/admin/schools.php
+++ b/admin/schools.php
@ -155,29 +155,35 @@ if (get_value_from_array($_POST, 'save') == 'edit' || get_value_from_array($_POS
 	}
 	$exec = 'UPDATE schools SET '
-		. "school='" . get_value_from_array($_POST, 'school') . "', "
+		. "school=?, "
-		. "schoollang='" . get_value_from_array($_POST, 'schoollang') . "', "
+		. "schoollang=?, "
-		. "designate='" . get_value_from_array($_POST, 'schooldesignate') . "', "
+		. "designate=?, "
-		. "schoollevel='" . get_value_from_array($_POST, 'schoollevel') . "', "
+		. "schoollevel=?, "
-		. "school='" . get_value_from_array($_POST, 'school') . "', "
+		. "school=?, "
-		. "board='" . get_value_from_array($_POST, 'board') . "', "
+		. "board=?, "
-		. "district='" . get_value_from_array($_POST, 'district') . "', "
+		. "district=?, "
-		. "address='" . get_value_from_array($_POST, 'address') . "', "
+		. "address=?, "
-		. "city='" . get_value_from_array($_POST, 'city') . "', "
+		. "city=?, "
-		. "province_code='" . get_value_from_array($_POST, 'province_code') . "', "
+		. "province_code=?, "
-		. "postalcode='" . get_value_from_array($_POST, 'postalcode') . "', "
+		. "postalcode=?, "
-		. "schoolemail='" . get_value_from_array($_POST, 'schoolemail') . "', "
+		. "schoolemail=?, "
-		. "phone='" . get_value_from_array($_POST, 'phone') . "', "
+		. "phone=?, "
-		. "fax='" . get_value_from_array($_POST, 'fax') . "', "
+		. "fax=?, "
-		. "registration_password='" . get_value_from_array($_POST, 'registration_password') . "', "
+		. "registration_password=?, "
-		. "projectlimit='" . get_value_from_array($_POST, 'projectlimit') . "', "
+		. "projectlimit=?, "
-		. "projectlimitper='" . get_value_from_array($_POST, 'projectlimitper') . "', "
+		. "projectlimitper=?, "
-		. "accesscode='" . get_value_from_array($_POST, 'accesscode') . "', "
+		. "accesscode=?, "
-		. $sciencehead_update . $principal_update
+		. "?  ?"
-		. "atrisk='$atrisk' "
+		. "atrisk=?"
-		. "WHERE id='$id'";
+		. "WHERE id=?";
 	$stmt = $pdo->prepare($exec);
-	$stmt->execute();
+	$stmt->execute([get_value_from_array($_POST, 'school'),get_value_from_array($_POST, 'schoollang'),get_value_from_array($_POST, 'schooldesignate'),get_value_from_array($_POST, 'schoollevel'),
 	get_value_from_array($_POST, 'school'),get_value_from_array($_POST, 'board'),get_value_from_array($_POST, 'district'),
 	get_value_from_array($_POST, 'address'),get_value_from_array($_POST, 'city'),get_value_from_array($_POST, 'province_code'),
 	get_value_from_array($_POST, 'postalcode'),get_value_from_array($_POST, 'schoolemail'),get_value_from_array($_POST, 'phone'),
 	get_value_from_array($_POST, 'fax'),get_value_from_array($_POST, 'registration_password'),get_value_from_array($_POST, 'projectlimit'),
 	get_value_from_array($_POST, 'projectlimitper'),get_value_from_array($_POST, 'accesscode'),$sciencehead_update,$principal_update,
 	$atrisk,$id]);
 	show_pdo_errors_if_any($pdo);
 	if (get_value_from_array($_POST, 'save') == 'add')
--- a/admin/schoolsimport.php
+++ b/admin/schoolsimport.php
@ -87,26 +87,29 @@ if (get_value_from_array($_POST, 'action') == 'import') {
 					user_save($principal);
 				}
 				$stmt = $pdo->prepare("INSERT INTO schools (school,schoollang,schoollevel,board,district,phone,fax,address,city,province_code,postalcode,schoolemail,accesscode,registration_password,projectlimit,projectlimitper,year,principal_uid,sciencehead_uid) VALUES (
-						'" . stripslashes($row[0]) . "',
+						'?,
-						'" . stripslashes($row[1]) . "',
+						'?,
-						'" . stripslashes($row[2]) . "',
+						'?,
-						'" . stripslashes($row[3]) . "',
+						'?',
-						'" . stripslashes($row[4]) . "',
+						'?',
-						'" . stripslashes($row[5]) . "',
+						'?',
-						'" . stripslashes($row[6]) . "',
+						'?',
-						'" . stripslashes($row[7]) . "',
+						'?',
-						'" . stripslashes($row[8]) . "',
+						'?',
-						'" . stripslashes($row[9]) . "',
+						'?',
-						'" . stripslashes($row[10]) . "',
+						'?',
-						'" . stripslashes($row[14]) . "',
+						'?',
-						'" . stripslashes($row[18]) . "',
+						'?',
-						'" . stripslashes($row[19]) . "',
+						'?',
-						'" . stripslashes($row[20]) . "',
+						'?',
-						'" . stripslashes($row[21]) . "',
+						'?',
-						'" . $config['FAIRYEAR'] . "',
+						'?,
-						'" . $principal['uid'] . "',
+						'?,
-						'" . $scienceHead['uid'] . "')");
+						'?)");
-				$stmt->execute();
+				$stmt->execute([stripslashes($row[0]),stripslashes($row[1],stripslashes($row[2]),stripslashes($row[3])),
 				stripslashes($row[4]),stripslashes($row[5]),stripslashes($row[6]),stripslashes($row[7]),stripslashes($row[8]),
 				stripslashes($row[9]),stripslashes($row[10]),stripslashes($row[14]),stripslashes($row[18]),stripslashes($row[19]),
 				stripslashes($row[20]),stripslashes($row[21]),$config['FAIRYEAR'],$principal['uid'],$scienceHead['uid']]);
 				if (!$pdo->errorInfo())
 					$loaded++;
 				else
--- a/admin/student_editor.php
+++ b/admin/student_editor.php
@ -152,25 +152,33 @@ function students_save()
 			// INSERT new record
 			$dob = $_POST['year'][$x] . '-' . $_POST['month'][$x] . '-' . $_POST['day'][$x];
 			$stmt = $pdo->prepare('INSERT INTO students (registrations_id,firstname,lastname,sex,email,address,city,province,postalcode,phone,dateofbirth,grade,schools_id,tshirt,medicalalert,foodreq,teachername,teacheremail,year) VALUES ('
-				. "'" . $registrations_id . "', "
+				. "?, "
-				. "'" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['firstname'][$x])) . "', "
+				. "?, "
-				. "'" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['lastname'][$x])) . "', "
+				. "?, "
-				. "'" . stripslashes($_POST['sex'][$x]) . "', "
+				. "?, "
-				. "'" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['email'][$x])) . "', "
+				. "?, "
-				. "'" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['address'][$x])) . "', "
+				. "?, "
-				. "'" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['city'][$x])) . "', "
+				. "?, "
-				. "'" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['province'][$x])) . "', "
+				. "?, "
-				. "'" . stripslashes($_POST['postalcode'][$x]) . "', "
+				. "?, "
-				. "'" . stripslashes($_POST['phone'][$x]) . "', "
+				. "?, "
-				. "'$dob', "
+				. "?, "
-				. "'" . stripslashes($_POST['grade'][$x]) . "', "
+				. "?, "
-				. $schoolvalue
+				. "?"
-				. "'" . stripslashes($_POST['tshirt'][$x]) . "', "
+				. "?, "
-				. "'" . stripslashes($_POST['medicalalert'][$x]) . "', "
+				. "?, "
-				. "'" . stripslashes($_POST['foodreq'][$x]) . "', "
+				. "?, "
-				. "'" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['teachername'][$x])) . "', "
+				. "?, "
-				. "'" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['teacheremail'][$x])) . "', "
+				. "?, "
-				. "'" . $config['FAIRYEAR'] . "')");
+				. "?)");
 			$stmt->execute([$registrations_id,iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['firstname'][$x])),
 			iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['lastname'][$x])),stripslashes($_POST['sex'][$x]),
 			iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['email'][$x])),iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['address'][$x])),
 			iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['city'][$x])),iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['province'][$x])),
 			stripslashes($_POST['postalcode'][$x]),stripslashes($_POST['phone'][$x]),$dob,stripslashes($_POST['grade'][$x]),
 			$schoolvalue,stripslashes($_POST['tshirt'][$x]),stripslashes($_POST['medicalalert'][$x]),stripslashes($_POST['foodreq'][$x]),
 			iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['teachername'][$x])),iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['teacheremail'][$x])),
 			$config['FAIRYEAR']]);
 			happy_('%1 %2 successfully added', array($_POST['firstname'][$x], $_POST['lastname'][$x]));
 		} else {
@ -185,25 +193,36 @@ function students_save()
 			// UPDATE existing record
 			$dob = $_POST['year'][$x] . '-' . $_POST['month'][$x] . '-' . $_POST['day'][$x];
 			$stmt = $pdo->prepare('UPDATE students SET '
-				. "firstname='" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['firstname'][$x])) . "', "
+				. "firstname=?, "
-				. "lastname='" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['lastname'][$x])) . "', "
+				. "lastname=?, "
-				. "sex='" . stripslashes($_POST['sex'][$x]) . "', "
+				. "sex=/, "
-				. "email='" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['email'][$x])) . "', "
+				. "email=?, "
-				. "address='" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['address'][$x])) . "', "
+				. "address=?, "
-				. "city='" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['city'][$x])) . "', "
+				. "city=?, "
-				. "province='" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['province'][$x])) . "', "
+				. "province=?, "
-				. "postalcode='" . stripslashes($_POST['postalcode'][$x]) . "', "
+				. "postalcode=?, "
-				. "phone='" . stripslashes($_POST['phone'][$x]) . "', "
+				. "phone=?, "
-				. "dateofbirth='$dob', "
+				. "dateofbirth=?, "
-				. "grade='" . stripslashes($_POST['grade'][$x]) . "', "
+				. "grade=?, "
-				. $schoolquery
+				. "?"
-				. "medicalalert='" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['medicalalert'][$x])) . "', "
+				. "medicalalert=?, "
-				. "foodreq='" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['foodreq'][$x])) . "', "
+				. "foodreq=?, "
-				. "teachername='" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['teachername'][$x])) . "', "
+				. "teachername=?, "
-				. "teacheremail='" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['teacheremail'][$x])) . "', "
+				. "teacheremail=?, "
-				. "tshirt='" . stripslashes($_POST['tshirt'][$x]) . "' "
+				. "tshirt=/ "
-				. "WHERE id='" . $_POST['id'][$x] . "'");
+				. "WHERE id=?");
-			$stmt->execute();
+			$stmt->execute([iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['firstname'][$x])),
 			iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['lastname'][$x])),
 			stripslashes($_POST['sex'][$x]),iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['email'][$x])),
 			iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['address'][$x])),
 			iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['city'][$x])),
 			iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['province'][$x])),
 			stripslashes($_POST['postalcode'][$x]),stripslashes($_POST['phone'][$x]),
 			$dob,stripslashes($_POST['grade'][$x]),iconv('UTF-8', 'ISO-8859-1//TRANSLIT', $schoolquery,stripslashes($_POST['medicalalert'][$x])),
 			iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['foodreq'][$x])),
 			iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['teachername'][$x])),
 			iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['teacheremail'][$x])),
 			stripslashes($_POST['tshirt'][$x]),$_POST['id'][$x]]);
 			happy_('%1 %2 successfully updated', array(iconv('UTF-8', 'ISO-8859-1//TRANSLIT', $_POST['firstname'][$x]), iconv('UTF-8', 'ISO-8859-1//TRANSLIT', $_POST['lastname'][$x])));
 		}
 		$x++;
--- a/admin/tours_sa.php
+++ b/admin/tours_sa.php
@ -304,10 +304,10 @@ foreach ($tours as $x => $t) {
 				(`students_id`,`registrations_id`,
 						`tour_id`,`year`,`rank`)
 				VALUES (
-				'$sid', '{$s['registrations_id']}', 
+				'?', '?', 
-				'{$t['id']}', '{$config['FAIRYEAR']}',
+				'?', '?',
 				'0')");
-		$stmt->execute();
+		$stmt->execute([$sid,$s['registrations_id'],$t['id'],$config['FAIRYEAR']]);
 	}
 }
--- a/admin/translations.php
+++ b/admin/translations.php
@ -65,7 +65,8 @@ if (get_value_from_array($_POST, 'action') == 'save') {
    if ($_POST['changedFields']) {
        $changed = split(',', $_POST['changedFields']);
        foreach ($changed AS $ch) {
-            $stmt = $pdo->prepare("UPDATE translations SET val='" . stripslashes($_POST['val'][$ch]) . "' WHERE strmd5='" . $ch . "' AND lang='" . $_SESSION['translang'] . "'");
+            $stmt = $pdo->prepare("UPDATE translations SET val=? WHERE strmd5=? AND lang=?");
            $stmt->execute([stripslashes($_POST['val'][$ch]),$ch ,$_SESSION['translang']]);
        }
        echo happy(i18n('Translation(s) saved'));
    }
--- a/config/categories.php
+++ b/config/categories.php
@ -71,14 +71,15 @@ if (get_value_from_array($_POST, 'action') == 'new') {
 		if ($q->rowCount()) {
 			echo error(i18n('Category ID %1 already exists', array($_POST['id']), array('category ID')));
 		} else {
-			$stmt = $pdo->prepare('INSERT INTO projectcategories (id,category,category_shortform,mingrade,maxgrade,year) VALUES ( '
+			$stmt = $pdo->prepare('INSERT INTO projectcategories (id,category,category_shortform,mingrade,maxgrade,year) VALUES (
-				. "'" . $_POST['id'] . "', "
+				?,
-				. "'" . stripslashes($_POST['category']) . "', "
+				?, 
-				. "'" . stripslashes($_POST['category_shortform']) . "', "
+				?, 
-				. "'" . $_POST['mingrade'] . "', "
+				?, 
-				. "'" . $_POST['maxgrade'] . "', "
+				?, 
-				. "'" . $config['FAIRYEAR'] . "')");
+				?)');
-			$stmt->execute();
+			$stmt->execute([$_POST['id'],stripslashes($_POST['category']),stripslashes($_POST['category_shortform']),
 			$_POST['mingrade'],$_POST['maxgrade'],$config['FAIRYEAR']]);
 			echo happy(i18n('Category successfully added'));
 		}
 	} else {
--- a/config/divisions.php
+++ b/config/divisions.php
@ -63,11 +63,8 @@ if (get_value_from_array($_POST, 'action') == 'edit') {
 				$stmt->execute([ $_POST['saveid'],$config['FAIRYEAR']]);
 				if (is_array($_POST['divcat'])) {
 					foreach ($_POST['divcat'] as $tempcat) {
-						$stmt = $pdo->prepare('INSERT INTO projectcategoriesdivisions_link (projectdivisions_id,projectcategories_id,year) VALUES ( '
+						$stmt = $pdo->prepare('INSERT INTO projectcategoriesdivisions_link (projectdivisions_id,projectcategories_id,year) VALUES (?,?,?)');
-							. "'" . $_POST['id'] . "', "
+						$stmt->execute([$_POST['id'],$tempcat,$config['FAIRYEAR']]);
 							. "'" . $tempcat . "', "
 							. "'" . $config['FAIRYEAR'] . "') ");
 						$stmt->execute();
 					}
 				}
 			}
@ -82,25 +79,19 @@ if (get_value_from_array($_POST, 'action') == 'edit') {
 if (get_value_from_array($_POST, 'action') == 'new') {
 	if (get_value_from_array($_POST, 'id') && get_value_from_array($_POST, 'division')) {
-		$q = $pdo->prepare("SELECT id FROM projectdivisions WHERE id='" . $_POST['id'] . "' AND year='" . $config['FAIRYEAR'] . "'");
+		$q = $pdo->prepare("SELECT id FROM projectdivisions WHERE id=? AND year=?");
-		$q->execute();
+		$q->execute([$_POST['id'],$config['FAIRYEAR']]);
 		if ($q->rowCount()) {
 			echo error(i18n('Division ID %1 already exists', array($_POST['id']), array('division ID')));
 		} else {
-			$stmt = $pdo->prepare('INSERT INTO projectdivisions (id,division,division_shortform,year) VALUES ( '
+			$stmt = $pdo->prepare('INSERT INTO projectdivisions (id,division,division_shortform,year) VALUES (?,?,?,?)');
-				. "'" . $_POST['id'] . "', "
+			$stmt->execute([$_POST['id'],stripslashes($_POST['division']),stripslashes($_POST['division_shortform']),$config['FAIRYEAR']]);
 				. "'" . stripslashes($_POST['division']) . "', "
 				. "'" . stripslashes($_POST['division_shortform']) . "', "
 				. "'" . $config['FAIRYEAR'] . "') ");
 			$stmt->execute();
 			// ###### Feature Specific - filtering divisions by category
 			if ($config['filterdivisionbycategory'] == 'yes') {
 				foreach ($_POST['divcat'] as $tempcat) {
-					$stmt = $pdo->prepare('INSERT INTO projectcategoriesdivisions_link (projectdivisions_id,projectcategories_id,year) VALUES ( '
+					$stmt = $pdo->prepare('INSERT INTO projectcategoriesdivisions_link (projectdivisions_id,projectcategories_id,year) VALUES (?,?)');
-						. "'" . $tempcat . "', "
+					$stmt->execute([$tempcat,$conference['id']]);
 						. "'" . $config['FAIRYEAR'] . "') ");
 					$stmt->execute();
 				}
 			}
 			// #######
@ -114,10 +105,10 @@ if (get_value_from_array($_POST, 'action') == 'new') {
 if (get_value_from_array($_GET, 'action') == 'remove' && get_value_from_array($_GET, 'remove')) {
 	// ###### Feature Specific - filtering divisions by category - not conditional, cause even if they have the filtering turned off..if any links
 	// for this division exist they should be deleted
-	$stmt = $pdo->prepare("DELETE FROM projectcategoriesdivisions_link where projectdivisions_id='" . $_GET['remove'] . "' AND year='" . $config['FAIRYEAR'] . "'");
+	$stmt = $pdo->prepare("DELETE FROM projectcategoriesdivisions_link where projectdivisions_id=? AND year=?");
-	$stmt->execute();
+	$stmt->execute([$_GET['remove'], $config['FAIRYEAR']]);
-	$stmt = $pdo->prepare("DELETE FROM projectdivisions WHERE id='" . $_GET['remove'] . "' AND year='" . $config['FAIRYEAR'] . "'");
+	$stmt = $pdo->prepare("DELETE FROM projectdivisions WHERE id=? AND year=?");
-	$stmt->execute();
+	$stmt->execute([$_GET['remove'],$config['FAIRYEAR']]);
 	echo happy(i18n('Division successfully removed'));
 }
@ -142,8 +133,8 @@ if (get_value_from_array($_GET, 'action') == 'edit' || get_value_from_array($_GE
 	echo '<input type="hidden" name="action" value="' . get_value_from_array($_GET, 'action') . "\">\n";
 	if (get_value_from_array($_GET, 'action') == 'edit') {
 		echo '<input type="hidden" name="saveid" value="' . get_value_from_array($_GET, 'edit') . "\">\n";
-		$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE id='" . get_value_from_array($_GET, 'edit') . "' AND year='" . $config['FAIRYEAR'] . "'");
+		$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE id=? AND year=?");
-		$q->execute();
+		$q->execute([get_value_from_array($_GET, 'edit'),$config['FAIRYEAR']]);
 		$divisionr = $q->fetch(PDO::FETCH_OBJ);
 		$buttontext = 'Save';
@ -158,12 +149,12 @@ if (get_value_from_array($_GET, 'action') == 'edit' || get_value_from_array($_GE
 	// ###### Feature Specific - filtering divisions by category
 	if ($config['filterdivisionbycategory'] == 'yes') {
 		echo ' <td>';
-		$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY mingrade");
+		$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year=? ORDER BY mingrade");
-		$q->execute();
+		$q->execute([$config['FAIRYEAR']]);
 		while ($categoryr = $q->fetch(PDO::FETCH_OBJ)) {
-			$query = 'SELECT * FROM projectcategoriesdivisions_link WHERE projectdivisions_id=' . $divisionr->id . ' AND projectcategories_id=' . $categoryr->id . " AND year='" . $config['FAIRYEAR'] . "'";
+			$query = 'SELECT * FROM projectcategoriesdivisions_link WHERE projectdivisions_id=? AND projectcategories_id=? AND year=?';
 			$t = $pdo->prepare($query);
-			$t->execute();
+			$t->execute([$divisionr->id,$categoryr->id,$config['FAIRYEAR']]);
 			if ($t && $t->rowCount() > 0)
 				echo "<nobr><input type=\"checkbox\" name=\"divcat[]\" value=\"$categoryr->id\" checked=\"checked\" /> $categoryr->category</nobr><br/>";
 			else
@ -175,8 +166,8 @@ if (get_value_from_array($_GET, 'action') == 'edit' || get_value_from_array($_GE
 	echo ' <td><input type="submit" value="' . i18n($buttontext) . '" /></td>';
 	echo '</tr>';
 } else {
-	$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY id");
+	$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year=? ORDER BY id");
-	$q->execute();
+	$q->execute([$config['FAIRYEAR']]);
 	while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 		echo '<tr>';
 		echo " <td>$r->id</td>";
@ -186,11 +177,11 @@ if (get_value_from_array($_GET, 'action') == 'edit' || get_value_from_array($_GE
 		if ($config['filterdivisionbycategory'] == 'yes') {
 			$c = $pdo->prepare("SELECT category FROM projectcategoriesdivisions_link, projectcategories 
 					WHERE projectcategoriesdivisions_link.projectcategories_id = projectcategories.id
-				AND projectdivisions_id='$r->id'
+				AND projectdivisions_id=?
-				AND projectcategoriesdivisions_link.year='" . $config['FAIRYEAR'] . "'
+				AND projectcategoriesdivisions_link.year=?
-				AND projectcategories.year='" . $config['FAIRYEAR'] . "'
+				AND projectcategories.year=?
 				ORDER BY projectcategories.mingrade");
-			$c->execute();
+			$c->execute([$r->id,$config['FAIRYEAR'],$config['FAIRYEAR']]);
 			show_pdo_errors_if_any($pdo);
 			if (!$c) {
 				$tempcat = '&nbsp;';
--- a/config/pagetexts.php
+++ b/config/pagetexts.php
@ -48,13 +48,14 @@
 		if ($q_current->rowCount() == 0) {
 			$q1 = $pdo->prepare("INSERT INTO pagetext (`textname`,`textdescription`,`text`,`year`,`lang`) VALUES (
-				".$pdo->quote($r->textname).",
+				?,
-				".$pdo->quote($r->textdescription).",
+				?,
-				".$pdo->quote($r->text).",
+				?,
-				".$pdo->quote($config['FAIRYEAR']).",
+				?,
-				".$pdo->quote($lang).")");
+				?)");
-			$q1->execute();
+			$q1->execute([$pdo->quote($r->textname),$pdo->quote($r->textdescription),$pdo->quote($r->text),
 			$pdo->quote($config['FAIRYEAR']),$pdo->quote($lang)]);
 		}
    }
 }
@ -69,12 +70,12 @@
 		$stmt = $pdo->prepare("UPDATE pagetext 
 				SET 
 					lastupdate=NOW(), 
-					text=$text
+					text=?
 				WHERE 
-					textname=".$pdo->quote($_POST['textname'])." 
+					textname=? 
-					AND year='".$config['FAIRYEAR']."'
+					AND year=?
-					AND lang='$lang'");
+					AND lang=?");
-		$stmt->execute();
+		$stmt->execute([$text,$pdo->quote($_POST['textname']),$config['FAIRYEAR'],$lang]);
 	}
 	echo happy(i18n("Page texts successfully saved"));
--- a/config/rollover.php
+++ b/config/rollover.php
@ -139,11 +139,11 @@ if (get_value_from_array($_POST, 'action') == 'rollover' && get_value_from_array
 		show_pdo_errors_if_any($pdo);
 		while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 			$stmt = $pdo->prepare("INSERT INTO dates (date,name,description,year) VALUES (
-				'" . $r->newdate . "',
+				?,
-				'" . $r->name . "',
+				?,
-				'" . $r->description . "',
+				?,
-				'" . $newfairyear . "')");
+				?)");
-			$stmt->execute();
+			$stmt->execute([$r->newdate,$r->name,$r->description,$newfairyear]);
 			show_pdo_errors_if_any($pdo);
 		}
@ -154,13 +154,13 @@ if (get_value_from_array($_POST, 'action') == 'rollover' && get_value_from_array
 		show_pdo_errors_if_any($pdo);
 		while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 			$stmt = $pdo->prepare("INSERT INTO pagetext (textname,textdescription,text,lastupdate,year,lang) VALUES (
-				'" . $r->textname . "',
+				?,
-				'" . $r->textdescription . "',
+				?,
-				'" . $r->text . "',
+				?,
-				'" . $r->lastupdate . "',
+				?,
-				'" . $newfairyear . "',
+				?,
-                '" . $r->lang . "')");
+                ?)");
-			$stmt->execute();
+			$stmt->execute([$r->textname,$r->textdescription,$r->text,$r->lastupdate,$newfairyear,$r->lang]);
 			show_pdo_errors_if_any($pdo);
 		}
@ -171,13 +171,13 @@ if (get_value_from_array($_POST, 'action') == 'rollover' && get_value_from_array
 		show_pdo_errors_if_any($pdo);
 		while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 			$stmt = $pdo->prepare("INSERT INTO projectcategories (id,category,category_shortform,mingrade,maxgrade,year) VALUES (
-				'" . $r->id . "',
+				?,
-				'" . $r->category . "',
+				?,
-				'" . $r->category_shortform . "',
+				?,
-				'" . $r->mingrade . "',
+				?,
-				'" . $r->maxgrade . "',
+				?,
-				'" . $newfairyear . "')");
+				?)");
-			$stmt->execute();
+			$stmt->execute([$r->id,$r->category,$r->category_shortform,$r->mingrade,$r->maxgrade,$newfairyear]);
 			show_pdo_errors_if_any($pdo);
 		}
@ -188,12 +188,12 @@ if (get_value_from_array($_POST, 'action') == 'rollover' && get_value_from_array
 		show_pdo_errors_if_any($pdo);
 		while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 			$stmt = $pdo->prepare("INSERT INTO projectdivisions (id,division,division_shortform,cwsfdivisionid,year) VALUES (
-				'" . $r->id . "',
+				?,
-				'" . $r->division . "',
+				?,
-				'" . $r->division_shortform . "',
+				?,
-				'" . $r->cwsfdivisionid . "',
+				?,
-				'" . $newfairyear . "')");
+				?)");
-			$stmt->execute();
+			$stmt->execute([$r->id,$r->division,$r->division_shortform,$r->cwsfdivisionid,$newfairyear]);
 			show_pdo_errors_if_any($pdo);
 		}
@ -204,10 +204,10 @@ if (get_value_from_array($_POST, 'action') == 'rollover' && get_value_from_array
 		show_pdo_errors_if_any($pdo);
 		while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 			$stmt = $pdo->prepare("INSERT INTO projectcategoriesdivisions_link (projectdivisions_id,projectcategories_id,year) VALUES (
-				'" . $r->projectdivisions_id . "',
+				?,
-				'" . $r->projectcategories_id . "',
+				?,
-				'" . $newfairyear . "')");
+				?)");
-			$stmt->execute();
+			$stmt->execute([$r->projectdivisions_id,$r->projectcategories_id ,$newfairyear]);
 			show_pdo_errors_if_any($pdo);
 		}
@ -218,11 +218,11 @@ if (get_value_from_array($_POST, 'action') == 'rollover' && get_value_from_array
 		show_pdo_errors_if_any($pdo);
 		while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 			$stmt = $pdo->prepare("INSERT INTO projectsubdivisions (id,projectdivisions_id,subdivision,year) VALUES (
-				'" . $r->id . "',
+				?,
-				'" . $r->projectsubdivisions_id . "',
+				?,
-				'" . $r->subdivision . "',
+				?,
-				'" . $newfairyear . "')");
+				?)");
-			$stmt->execute();
+			$stmt->execute([$r->id,$r->projectsubdivisions_id,$r->subdivision,$newfairyear]);
 			show_pdo_errors_if_any($pdo);
 		}
@ -233,12 +233,12 @@ if (get_value_from_array($_POST, 'action') == 'rollover' && get_value_from_array
 		show_pdo_errors_if_any($pdo);
 		while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 			$stmt = $pdo->prepare("INSERT INTO safetyquestions (question,type,required,ord,year) VALUES (
-				'" . $r->question . "',
+				?,
-				'" . $r->type . "',
+				?,
-				'" . $r->required . "',
+				?,
-				'" . $r->ord . "',
+				?,
-				'" . $newfairyear . "')");
+				?");
-			$stmt->execute();
+			$stmt->execute([$r->question,$r->type,$r->required ,$r->ord,$newfairyear]);
 			show_pdo_errors_if_any($pdo);
 		}
@ -270,11 +270,11 @@ if (get_value_from_array($_POST, 'action') == 'rollover' && get_value_from_array
 		show_pdo_errors_if_any($pdo);
 		while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 			$stmt = $pdo->prepare("INSERT INTO award_types (id,type,`order`,year) VALUES (
-				'" . $r->id . "',
+				?,
-				'" . $r->type . "',
+				?,
-				'" . $r->order . "',
+				?,
-				'" . $newfairyear . "')");
+				?)");
-			$stmt->execute();
+			$stmt->execute([$r->id,$r->type,$r->order,$newfairyear]);
 			show_pdo_errors_if_any($pdo);
 		}
@ -288,28 +288,33 @@ if (get_value_from_array($_POST, 'action') == 'rollover' && get_value_from_array
 			$shuid = ($r->sciencehead_uid == null) ? 'NULL' : ("'" . intval($r->sciencehead_uid) . "'");
 			$stmt = $pdo->prepare('INSERT INTO schools (school,schoollang,schoollevel,board,district,phone,fax,address,city,province_code,postalcode,principal_uid,schoolemail,sciencehead_uid,accesscode,lastlogin,junior,intermediate,senior,registration_password,projectlimit,projectlimitper,year) VALUES (
-				' . $pdo->quote($r->school) . ',
+				?,
-				' . $pdo->quote($r->schoollang) . ',
+				?,
-				' . $pdo->quote($r->schoollevel) . ',
+				?,
-				' . $pdo->quote($r->board) . ',
+				?,
-				' . $pdo->quote($r->district) . ',
+				?,
-				' . $pdo->quote($r->phone) . ',
+				?,
-				' . $pdo->quote($r->fax) . ',
+				?,
-				' . $pdo->quote($r->address) . ',
+				?,
-				' . $pdo->quote($r->city) . ',
+				?,
-				' . $pdo->quote($r->province_code) . ',
+				?,
-				' . $pdo->quote($r->postalcode) . ",$puid,
+				?,?,
-				" . $pdo->quote($r->schoolemail) . ",$shuid,
+				?,?,
-				" . $pdo->quote($r->accesscode) . ',
+				?,
 				NULL,
-				' . $pdo->quote($r->junior) . ',
+				?,
-				' . $pdo->quote($r->intermediate) . ',
+				?,
-				' . $pdo->quote($r->senior) . ',
+				?,
-				' . $pdo->quote($r->registration_password) . ',
+				?,
-				' . $pdo->quote($r->projectlimit) . ',
+				?,
-				' . $pdo->quote($r->projectlimitper) . ',
+				?,
-				' . $newfairyear . ')');
+				?)');
-			$stmt->execute();
+			$stmt->execute([$pdo->quote($r->school),$pdo->quote($r->schoollang),$pdo->quote($r->schoollevel),
 			$pdo->quote($r->board),$pdo->quote($r->district),$pdo->quote($r->phone),$pdo->quote($r->fax),
 			$pdo->quote($r->address),$pdo->quote($r->city),$pdo->quote($r->province_code),$pdo->quote($r->postalcode),$puid,
 			$pdo->quote($r->schoolemail),$shuid,$pdo->quote($r->accesscode),$pdo->quote($r->junior),$pdo->quote($r->intermediate),
 			$pdo->quote($r->senior),$pdo->quote($r->registration_password),$pdo->quote($r->projectlimit),$pdo->quote($r->projectlimitper),
 			$newfairyear ]);
 			show_pdo_errors_if_any($pdo);
 		}
@ -320,14 +325,15 @@ if (get_value_from_array($_POST, 'action') == 'rollover' && get_value_from_array
 		while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 			$stmt = $pdo->prepare("INSERT INTO questions (id,year,section,db_heading,question,type,required,ord) VALUES (
 				'',
-				'$newfairyear',
+				?,
-				" . $pdo->quote($r->section) . ',
+				?,
-				' . $pdo->quote($r->db_heading) . ',
+				?,
-				' . $pdo->quote($r->question) . ',
+				?,
-				' . $pdo->quote($r->type) . ',
+				?,
-				' . $pdo->quote($r->required) . ',
+				?,
-				' . $pdo->quote($r->ord) . ')');
+				?)");
-			$stmt->execute();
+			$stmt->execute([$newfairyear,$pdo->quote($r->section),$pdo->quote($r->db_heading),$pdo->quote($r->question),
 			$pdo->quote($r->type),$pdo->quote($r->required),$pdo->quote($r->ord)]);
 			show_pdo_errors_if_any($pdo);
 		}
@ -347,9 +353,9 @@ if (get_value_from_array($_POST, 'action') == 'rollover' && get_value_from_array
 		while ($r = $q->fetch(PDO::FETCH_ASSOC)) {
 			$d = $newfairyear - $currentfairyear;
 			$stmt = $pdo->prepare("INSERT INTO judges_timeslots (`year`,`round_id`,`type`,`date`,`starttime`,`endtime`,`name`)
-				VALUES ('$newfairyear','0','{$r['type']}',DATE_ADD('{$r['date']}', INTERVAL $d YEAR),
+				VALUES (?,'0',?,DATE_ADD(?, INTERVAL ? YEAR),
-					'{$r['starttime']}','{$r['endtime']}','{$r['name']}')");
+					?,?,?)");
-			$stmt->execute();
+			$stmt->execute([$newfairyear,$r['type'],$r['date'],$d,$r['starttime'],$r['endtime'],$r['name']]);
 			show_pdo_errors_if_any($pdo);
 			$round_id = $pdo->lastInsertId();
 			$qq = $pdo->prepare("SELECT * FROM judges_timeslots WHERE round_id=?");
@ -357,9 +363,9 @@ if (get_value_from_array($_POST, 'action') == 'rollover' && get_value_from_array
 			show_pdo_errors_if_any($pdo);
 			while ($rr = $qq->fetch(PDO::FETCH_ASSOC)) {
 				$stmt = $pdo->prepare("INSERT INTO judges_timeslots (`year`,`round_id`,`type`,`date`,`starttime`,`endtime`)
-						VALUES ('$newfairyear','$round_id','timeslot',DATE_ADD('{$rr['date']}', INTERVAL $d YEAR),
+						VALUES (?,?,'timeslot',DATE_ADD(?, INTERVAL ? YEAR),
-							'{$rr['starttime']}','{$rr['endtime']}')");
+							?,?)");
-				$stmt->execute();
+				$stmt->execute([$newfairyear,$round_id,$rr['date'],$d,$rr['starttime'],$rr['endtime']]);
 				show_pdo_errors_if_any($pdo);
 			}
 		}
--- a/config/safetyquestions.php
+++ b/config/safetyquestions.php
@ -36,12 +36,13 @@ if (get_value_from_array($_POST, 'action') == 'save' && get_value_from_array($_P
 			echo notice(i18n('Defaulting non-numeric order value %1 to 0', array($_POST['ord'])));
 		$stmt = $pdo->prepare("UPDATE safetyquestions SET 
-				question='" . stripslashes($_POST['question']) . "',
+				question=?,
-				`type`='" . stripslashes($_POST['type']) . "',
+				`type`=?,
-				`required`='" . stripslashes($_POST['required']) . "',
+				`required`=?,
-				ord='" . stripslashes($_POST['ord']) . "'
+				ord=?
-				WHERE id='" . $_POST['save'] . "' AND year='" . $config['FAIRYEAR'] . "'");
+				WHERE id=? AND year=?");
-		$stmt->execute();
+		$stmt->execute([stripslashes($_POST['question']),stripslashes($_POST['type']),stripslashes($_POST['required']),
 		stripslashes($_POST['ord']),$_POST['save'],$config['FAIRYEAR']]);
 		show_pdo_errors_if_any($pdo);
 		echo happy(i18n('Safety question successfully saved'));
@ -52,13 +53,14 @@ if (get_value_from_array($_POST, 'action') == 'save' && get_value_from_array($_P
 if (get_value_from_array($_POST, 'action') == 'new') {
 	if ($_POST['question']) {
 		$stmt = $pdo->prepare("INSERT INTO safetyquestions (question,type,required,ord,year) VALUES ( 
-					'" . stripslashes($_POST['question']) . "',
+					?,
-					'" . stripslashes($_POST['type']) . "',
+					?,
-					'" . stripslashes($_POST['required']) . "',
+					?,
-					'" . stripslashes($_POST['ord']) . "',
+					?,
-					'" . $config['FAIRYEAR'] . "'
+					?
 					)");
-		$stmt->execute();
+		$stmt->execute([stripslashes($_POST['question']),stripslashes($_POST['type']),stripslashes($_POST['required']),
 		stripslashes($_POST['ord']),$config['FAIRYEAR'] ]);
 		show_pdo_errors_if_any($pdo);
 		echo happy(i18n('Safety question successfully added'));
--- a/config/subdivisions.php
+++ b/config/subdivisions.php
@ -75,11 +75,11 @@ if (get_value_from_array($_POST, 'action') == 'new') {
 			echo error(i18n('Sub-Division ID %1 already exists', array($newid)));
 		} else {
 			$stmt = $pdo->prepare('INSERT INTO projectsubdivisions (id,projectdivisions_id,subdivision,year) VALUES ( '
-				. "'$newid', "
+				. "?, "
-				. "'" . $_POST['projectdivisions_id'] . "', "
+				. "?, "
-				. "'" . stripslashes($_POST['subdivision']) . "', "
+				. "?, "
-				. "'" . $config['FAIRYEAR'] . "') ");
+				. "?) ");
-			$stmt->execute();
+			$stmt->execute([$newid,$_POST['projectdivisions_id'],stripslashes($_POST['subdivision']),$config['FAIRYEAR']]);
 			echo happy(i18n('Sub-Division successfully added'));
 		}
 	} else {
--- a/config/variables.php
+++ b/config/variables.php
@ -32,14 +32,15 @@ $q = $pdo->prepare("SELECT * FROM config WHERE year='-1'");
 $q->execute();
 while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 	$q = $pdo->prepare("INSERT INTO config (var,val,category,type,type_values,ord,description,year) VALUES (
-		'" . $r->var . "',
+		?,
-		'" . $r->val . "',
+		?,
-		'" . $r->category . "',
+		?,
-		'" . $r->type . "',
+		?,
-		'" . $r->type_values . "',
+		?,
-		'" . $r->ord . "',
+		?,
-		'" . $r->description . "',
+		?,
-		'" . $config['FAIRYEAR'] . "')");
+		?)");
 	$q->execute([$r->var,$r->val,$r->category,$r->type,$r->type_values,$r->ord,$r->description,$config['FAIRYEAR']]);
 }
 // for the Special category
--- a/db/db.update.118.php
+++ b/db/db.update.118.php
@ -58,14 +58,14 @@ function db_update_118_post()
 				$password .= $available[rand(0, $availlen)];
 			// set passwordset to 0000-00-00 to force it to expire on next login
-			$sql = 'INSERT INTO users (`types`,`username`,`created`,`password`,`passwordset`,`' . implode('`,`', $userfields) . '`,`year`) VALUES (';
+			$sql = 'INSERT INTO users (`types`,`username`,`created`,`password`,`passwordset`,`' . implode('`,`','?') . '`,`year`) VALUES (';
-			$sql .= "'sponsor','" . $username . "',NOW(),'$password','0000-00-00'";
+			$sql .= "'sponsor',?,NOW(),?,'0000-00-00'";
 			foreach ($userfields AS $f) {
 				$sql .= ",'" . $r->$f . "'";
 			}
 			$sql .= ",'" . $r->year . "')";
 			$stmt = $pdo->prepare($sql);
-			$stmt->execute();
+			$stmt->execute([$userfields,$username,$password]);
 			show_pdo_errors_if_any($pdo);
 			$user_id = $pdo->lastInsertId();
--- a/db/db.update.62.php
+++ b/db/db.update.62.php
@ -48,19 +48,19 @@ function db_update_62_post()
 			(`types`,`firstname`,`lastname`,`username`,`password`,`passwordexpiry`,
 			`email`,`phonehome`,`phonework`,`phonecell`,`fax`,`organization`,
 			`created`,`deleted`) 
-			VALUES ('committee','$fn', '$ln', '$username',
+			VALUES ('committee',?,?,?,
-				'" . $c['password'] . "',
+				?,
-				$passwordexpiry,
+				?,
-				'{$c['email']}',
+				?,
-				'{$c['phonehome']}',
+				?,
-				'{$c['phonework']}',
+				?,
-				'{$c['phonecell']}',
+				?,
-				'{$c['fax']}',
+				?,
-				'" . $c['organization'] . "',
+				?,
 				NOW(),
-				'$deleted')";
+				?)";
 		$stmt = $pdo->prepare($q);
-		$stmt->execute();
+		$stmt->execute([$fn,$ln,$username,$c['password'],$passwordexpiry,$c['email'],$c['phonehome'],$c['phonework'],$c['phonecell'],$c['fax'],$c['organization'],$deleted]);
 		echo "$q\n";
 		$id = $pdo->lastInsertId();
@ -71,22 +71,22 @@ function db_update_62_post()
 		$q = "INSERT INTO users_committee(`users_id`,`emailprivate`,
 				`ord`,`displayemail`,`access_admin`,`access_config`,
 				`access_super`) VALUES (
-					'$id', '{$c['emailprivate']}',
+					?,?,
-					'{$c['ord']}',
+					?,
-					'$displayemail',
+					?,
-					'$access_admin',
+					?,
-					'$access_config',
+					?,
-					'$access_super')";
+					?)";
 		$stmt = $pdo->prepare($q);
-		$stmt->execute();
+		$stmt->execute([$id,$c['emailprivate'],$c['ord'],$displayemail,$access_admin,$access_config,$access_super]);
 		echo "$q\n";
 		show_pdo_errors_if_any($pdo);
 		/* Update committee links */
-		$q = "UPDATE committees_link SET users_id='$id'
+		$q = "UPDATE committees_link SET users_id=?
-				WHERE committees_members_id='{$c['id']}'";
+				WHERE committees_members_id=?";
 		$stmt = $pdo->prepare($q);
-		$stmt->execute();
+		$stmt->execute([$id,$c['id']]);
 		echo "$q\n";
 	}
 }
--- a/questions.inc.php
+++ b/questions.inc.php
@ -194,14 +194,14 @@ function questions_save_new_question($qs, $year)
 {
 	global $pdo;
 	$stmt = $pdo->prepare('INSERT INTO questions '
-		. '(question,type,section,db_heading,required,ord,year) VALUES ('
+		. '(question,type,section,db_heading,required,ord,year) VALUES (
-		?,"
+		?,
-		?,"
+		?,
-		?,"
+		?,
-		?,"
+		?,
-		?,"
+		?,
-		?,"
+		?,
-		?")");
+		?)');
 	$stmt->execute([$qs['question'],$qs['type'],$qs['section'],$qs['db_heading'],$qs['required'],$year]);
 	show_pdo_errors_if_any($pdo);
 }
--- a/register_participants.php
+++ b/register_participants.php
@ -33,14 +33,14 @@ $q = $pdo->query("SELECT (NOW()>'" . $config['dates']['regopen'] . "' AND NOW()<
 $datecheck = $q->fetch(PDO::FETCH_OBJ);
 if (get_value_from_array($_POST, 'action') == 'new') {
-	$q = $pdo->prepare("SELECT email,num,id,schools_id FROM registrations WHERE email=? AND num=? AND year=?");
+	$q = $pdo->prepare('SELECT email,num,id,schools_id FROM registrations WHERE email=? AND num=? AND year=?');
-	$q->execute([$_SESSION['email'],$_POST['regnum'],$config['FAIRYEAR']]);
+	$q->execute([$_SESSION['email'], $_POST['regnum'], $config['FAIRYEAR']]);
 	if ($q->rowCount()) {
 		$r = $q->fetch(PDO::FETCH_OBJ);
 		$_SESSION['registration_number'] = $r->num;
 		$_SESSION['registration_id'] = $r->id;
-		$stmt = $pdo->prepare("INSERT INTO students (registrations_id,email,schools_id,year) VALUES (?,?,?,?)");
+		$stmt = $pdo->prepare('INSERT INTO students (registrations_id,email,schools_id,year) VALUES (?,?,?,?)');
-		$stmt->execute([$r->id,$_SESSION['email'],$r->schools_id,$config['FAIRYEAR']]);
+		$stmt->execute([$r->id, $_SESSION['email'], $r->schools_id, $config['FAIRYEAR']]);
 		$stmt = $pdo->prepare("UPDATE registrations SET status='open' WHERE id=?");
 		$stmt->execute([$r->id]);
@ -56,13 +56,24 @@ if (get_value_from_array($_POST, 'action') == 'new') {
 	if (get_value_from_array($_POST, 'email'))
 		$_SESSION['email'] = stripslashes($_POST['email']);
-	$q = $pdo->prepare('SELECT registrations.id AS regid, registrations.num AS regnum, students.id AS studentid, students.firstname FROM registrations,students '
+	$q = $pdo->prepare('SELECT 
-		. "WHERE students.email='" . $_SESSION['email'] . "' "
+        registrations.id AS regid, 
-		. "AND registrations.num='" . intval($_POST['regnum']) . "' "
+        registrations.num AS regnum, 
-		. 'AND students.registrations_id=registrations.id '
+        students.id AS studentid, 
-		. 'AND registrations.year=' . $config['FAIRYEAR'] . ' '
+        students.firstname 
-		. 'AND students.year=' . $config['FAIRYEAR']);
+    FROM registrations 
-	$q->execute();
+    JOIN students ON students.registrations_id = registrations.id 
    WHERE students.email = ? 
    AND registrations.num = ? 
    AND registrations.year = ? 
    AND students.year = ?');
 	$q->execute([
 		$_SESSION['email'],
 		intval($_POST['regnum']),
 		$config['FAIRYEAR'],
 		$config['FAIRYEAR']
 	]);
 	if ($q->rowCount()) {
 		$r = $q->fetch(PDO::FETCH_OBJ);
@ -78,24 +89,24 @@ if (get_value_from_array($_POST, 'action') == 'new') {
 	}
 } else if (get_value_from_array($_GET, 'action') == 'resend' && get_value_from_array($_SESSION, 'email')) {
 	// first see if the email matches directly from the registrations table
-	$q = $pdo->prepare("SELECT registrations.num FROM 
+	$q = $pdo->prepare('SELECT registrations.num FROM 
 				registrations
 			WHERE 
 				registrations.email=? 
-				AND registrations.year=?");
+				AND registrations.year=?');
 	$q->execute([$_SESSION['email'], $config['FAIRYEAR']]);
 	if ($q->rowCount())
 		$r = $q->fetch(PDO::FETCH_OBJ);
 	else {
 		// no match from registrations, so lets see if it matches from the students table
-		$q = $pdo->prepare("SELECT registrations.num FROM 
+		$q = $pdo->prepare('SELECT registrations.num FROM 
 					registrations, 
 					students 
 				WHERE 
 					students.email=? 
 					AND students.registrations_id=registrations.id 
-					AND registrations.year=?");
+					AND registrations.year=?');
-		$q->execute([$_SESSION['email'],$config['FAIRYEAR']]);
+		$q->execute([$_SESSION['email'], $config['FAIRYEAR']]);
 		$r = $q->fetch(PDO::FETCH_OBJ);
 	}
@ -214,7 +225,7 @@ if (get_value_from_array($_POST, 'action') == 'login' && (get_value_from_array($
 			} else if ($config['participant_registration_type'] == 'schoolpassword') {
 				$showschoolpasswordform = true;
 				if ($_POST['schoolpassword'] && $_POST['schoolid']) {
-					$q = $pdo->prepare("SELECT registration_password FROM schools WHERE id=? AND year=?");
+					$q = $pdo->prepare('SELECT registration_password FROM schools WHERE id=? AND year=?');
 					$q->execute([$_POST['schoolid'], $config['FAIRYEAR']]);
 					$r = $q->fetch(PDO::FETCH_OBJ);
@ -237,7 +248,7 @@ if (get_value_from_array($_POST, 'action') == 'login' && (get_value_from_array($
 					echo '<input type="hidden" name="action" value="login">';
 					echo i18n('Email Address:') . ' ' . $_SESSION['email'] . '<br />';
 					echo i18n('School: ');
-					$q = $pdo->prepare("SELECT id,school FROM schools WHERE year=? ORDER BY school");
+					$q = $pdo->prepare('SELECT id,school FROM schools WHERE year=? ORDER BY school');
 					$q->execute([$config['FAIRYEAR']]);
 					echo '<select name="schoolid">';
 					echo '<option value="">' . i18n('Choose your school') . "</option>\n";
@ -283,7 +294,7 @@ if (get_value_from_array($_POST, 'action') == 'login' && (get_value_from_array($
 					// random number between
 					// 100000 and 999999  (six digit integer)
 					$regnum = rand(100000, 999999);
-					$q = $pdo->prepare("SELECT * FROM registrations WHERE num=? AND year=?");
+					$q = $pdo->prepare('SELECT * FROM registrations WHERE num=? AND year=?');
 					$q->execute([$regnum, $config['FAIRYEAR']]);
 				} while ($q->rowCount() > 0);
@ -291,15 +302,16 @@ if (get_value_from_array($_POST, 'action') == 'login' && (get_value_from_array($
 					$schoolidquery = 'null';
 				// actually insert it
-				$stmt = $pdo->prepare('INSERT INTO registrations (num,email,start,status,schools_id,year) VALUES ('
+				$stmt = $pdo->prepare('INSERT INTO registrations (num, email, start, status, schools_id, year) 
-					. "'$regnum',"
+    									VALUES (?, ?, NOW(), ?, ?, ?)');
-					. "'" . $_SESSION['email'] . "',"
+
-					. 'NOW(),'
+				$stmt->execute([
-					. "'new',"
+					$regnum,
-					. $schoolidquery . ','
+					$_SESSION['email'],
-					. $config['FAIRYEAR']
+					'new',
-					. ')');
+					$schoolidquery,  // Ensure $schoolidquery contains a valid integer
-				$stmt->execute();
+					$config['FAIRYEAR']
 				]);
 				email_send('new_participant', $_SESSION['email'], array(), array('REGNUM' => $regnum, 'EMAIL' => $_SESSION['email']));
--- a/register_participants_main.php
+++ b/register_participants_main.php
@ -41,13 +41,13 @@ if (!($_SESSION['registration_number'] && $_SESSION['registration_id'])) {
 global $pdo;
 $q = $pdo->prepare('SELECT registrations.status AS status, registrations.id AS regid, students.id AS studentid, students.firstname FROM registrations,students '
-	. "WHERE students.email='" . $_SESSION['email'] . "' "
+	. "WHERE students.email=?"
-	. "AND registrations.num='" . $_SESSION['registration_number'] . "' "
+	. "AND registrations.num=?"
-	. "AND registrations.id='" . $_SESSION['registration_id'] . "' "
+	. "AND registrations.id=?"
 	. 'AND students.registrations_id=registrations.id '
-	. 'AND registrations.year=' . $config['FAIRYEAR'] . ' '
+	. 'AND registrations.year=?'
-	. 'AND students.year=' . $config['FAIRYEAR']);
+	. 'AND students.year=?');
-$q->execute();
+$q->execute([$_SESSION['email'],$_SESSION['registration_number'],$_SESSION['registration_id'],$config['FAIRYEAR'],$config['FAIRYEAR']]);
 show_pdo_errors_if_any($pdo);
 if ($q->rowCount() == 0) {
--- a/register_participants_mentor.php
+++ b/register_participants_mentor.php
@ -39,13 +39,13 @@ if (!($_SESSION['registration_number'] && $_SESSION['registration_id'])) {
 global $pdo;
 $q = $pdo->prepare('SELECT registrations.id AS regid, students.id AS studentid, students.firstname FROM registrations,students '
-	. "WHERE students.email='" . $_SESSION['email'] . "' "
+	. "WHERE students.email=?"
-	. "AND registrations.num='" . $_SESSION['registration_number'] . "' "
+	. "AND registrations.num=?"
-	. "AND registrations.id='" . $_SESSION['registration_id'] . "' "
+	. "AND registrations.id=?"
 	. 'AND students.registrations_id=registrations.id '
-	. 'AND registrations.year=' . $config['FAIRYEAR'] . ' '
+	. 'AND registrations.year=?'
-	. 'AND students.year=' . $config['FAIRYEAR']);
+	. 'AND students.year=?');
-$q->execute();
+$q->execute([$_SESSION['email'],$_SESSION['registration_number'],$_SESSION['registration_id'],$config['FAIRYEAR'],$config['FAIRYEAR']]);
 show_pdo_errors_if_any($pdo);
 if ($q->rowCount() == 0) {
@ -72,33 +72,37 @@ if (get_value_from_array($_POST, 'action') == 'save') {
 				// only insert if we have a name
 				if ($_POST['lastname'][$x]) {
 					// INSERT new record
-					$stmt = $pdo->prepare('INSERT INTO mentors (registrations_id,firstname,lastname,email,phone,organization,position,description,year) VALUES ('
+					$stmt = $pdo->prepare('INSERT INTO mentors (registrations_id,firstname,lastname,email,phone,organization,position,description,year) VALUES (
-						. "'" . $_SESSION['registration_id'] . "', "
+						?, 
-						. "'" . stripslashes($_POST['firstname'][$x]) . "', "
+						?, 
-						. "'" . stripslashes($_POST['lastname'][$x]) . "', "
+						?,
-						. "'" . stripslashes($_POST['email'][$x]) . "', "
+						?,
-						. "'" . stripslashes($_POST['phone'][$x]) . "', "
+						?,
-						. "'" . stripslashes($_POST['organization'][$x]) . "', "
+						?,
-						. "'" . stripslashes($_POST['position'][$x]) . "', "
+						?,
-						. "'" . stripslashes($_POST['description'][$x]) . "', "
+						?,
-						. "'" . $config['FAIRYEAR'] . "')");
+						?)');
-					$stmt->execute();
+					$stmt->execute([$_SESSION['registration_id'],stripslashes($_POST['firstname'][$x]),stripslashes($_POST['lastname'][$x]),
 					stripslashes($_POST['email'][$x]),stripslashes($_POST['phone'][$x]),stripslashes($_POST['organization'][$x]),stripslashes($_POST['position'][$x]),
 					stripslashes($_POST['description'][$x]),$config['FAIRYEAR']]);
 					show_pdo_errors_if_any($pdo);
 					echo notice(i18n('%1 %2 successfully added', array($_POST['firstname'][$x], $_POST['lastname'][$x])));
 				}
 			} else {
 				// UPDATE existing record
-				$stmt = $pdo->prepare('UPDATE mentors SET '
+				$stmt = $pdo->prepare('UPDATE mentors SET 
-					. "firstname='" . stripslashes($_POST['firstname'][$x]) . "', "
+					?,
-					. "lastname='" . stripslashes($_POST['lastname'][$x]) . "', "
+					?,
-					. "email='" . stripslashes($_POST['email'][$x]) . "', "
+					?,
-					. "phone='" . stripslashes($_POST['phone'][$x]) . "', "
+					?,
-					. "organization='" . stripslashes($_POST['organization'][$x]) . "', "
+					. "organization=?,"
-					. "position='" . stripslashes($_POST['position'][$x]) . "', "
+					. "position=?",
-					. "description='" . stripslashes($_POST['description'][$x]) . "' "
+					. "description=?"
-					. "WHERE id='" . $_POST['id'][$x] . "'");
+					. "WHERE id=?"');
-				$stmt->execute();
+				$stmt->execute([stripslashes($_POST['firstname'][$x]),stripslashes($_POST['lastname'][$x]),stripslashes($_POST['email'][$x]),
 				stripslashes($_POST['phone'][$x]),stripslashes($_POST['organization'][$x]),stripslashes($_POST['position'][$x]),
 				stripslashes($_POST['description'][$x]),$_POST['id'][$x]]);
 				echo notice(i18n('%1 %2 successfully updated', array($_POST['firstname'][$x], $_POST['lastname'][$x])));
 			}
 			$x++;
--- a/register_participants_project.php
+++ b/register_participants_project.php
@ -43,13 +43,13 @@ if (!$_SESSION['registration_number']) {
 global $pdo;
 $q = $pdo->prepare('SELECT registrations.id AS regid, students.id AS studentid, students.firstname FROM registrations,students '
-	. "WHERE students.email='" . $_SESSION['email'] . "' "
+	. "WHERE students.email=?"
-	. "AND registrations.num='" . $_SESSION['registration_number'] . "' "
+	. "AND registrations.num=?"
-	. "AND registrations.id='" . $_SESSION['registration_id'] . "' "
+	. "AND registrations.id=?"
 	. 'AND students.registrations_id=registrations.id '
-	. 'AND registrations.year=' . $config['FAIRYEAR'] . ' '
+	. 'AND registrations.year=?'
-	. 'AND students.year=' . $config['FAIRYEAR']);
+	. 'AND students.year=?');
-$q->execute();
+$q->execute([$_SESSION['email'],$_SESSION['registration_number'],$_SESSION['registration_id'],$config['FAIRYEAR'],$config['FAIRYEAR']]);
 show_pdo_errors_if_any($pdo);
 if ($q->rowCount() == 0) {
@ -105,20 +105,23 @@ if (get_value_from_array($_POST, 'action') == 'save') {
 				$shorttitle = stripslashes($_POST['shorttitle']);
 			$stmt = $pdo->prepare('UPDATE projects SET '
-				. "title='" . $title . "', "
+				. "title=?, "
-				. "shorttitle='" . $shorttitle . "', "
+				. "shorttitle=?, "
-				. "projectdivisions_id='" . intval($_POST['projectdivisions_id']) . "', "
+				. "projectdivisions_id=?, "
-				. "projecttype='" . stripslashes($_POST['projecttype']) . "', "
+				. "projecttype=?, "
-				. "language='" . stripslashes($_POST['language']) . "', "
+				. "language=?, "
-				. "req_table='" . stripslashes($_POST['req_table']) . "', "
+				. "req_table=?, "
-				. "req_electricity='" . stripslashes($_POST['req_electricity']) . "', "
+				. "req_electricity=?, "
-				. "req_special='" . stripslashes($_POST['req_special']) . "', "
+				. "req_special=?, "
-				. "human_participants='" . stripslashes($_POST['human_participants']) . "', "
+				. "human_participants=?, "
-				. "animal_participants='" . stripslashes($_POST['animal_participants']) . "', "
+				. "animal_participants=?, "
-				. "summary='" . stripslashes($_POST['summary']) . "', "
+				. "summary=?, "
-				. "summarycountok='$summarycountok'"
+				. "summarycountok=?"
-				. "WHERE id='" . $_POST['id'] . "'");
+				. "WHERE id=?");
-			$stmt->execute();
+			$stmt->execute([$title,$shorttitle,intval($_POST['projectdivisions_id']),stripslashes($_POST['projecttype']),
 			stripslashes($_POST['language']),stripslashes($_POST['req_table']),stripslashes($_POST['req_electricity']),
 			stripslashes($_POST['req_special']),stripslashes($_POST['human_participants']),stripslashes($_POST['animal_participants']),
 			stripslashes($_POST['summary']),$summarycountok,$_POST['id']]);
 			show_pdo_errors_if_any($pdo);
 			echo notice(i18n('Project information successfully updated'));
 		} else {
--- a/register_participants_project_divisionselector.php
+++ b/register_participants_project_divisionselector.php
@ -39,13 +39,13 @@ if (!$_SESSION['registration_number']) {
 global $pdo;
 $q = $pdo->prepare('SELECT registrations.id AS regid, students.id AS studentid, students.firstname FROM registrations,students '
-	. "WHERE students.email='" . $_SESSION['email'] . "' "
+	. "WHERE students.email=?"
-	. "AND registrations.num='" . $_SESSION['registration_number'] . "' "
+	. "AND registrations.num=?"
-	. "AND registrations.id='" . $_SESSION['registration_id'] . "' "
+	. "AND registrations.id=?"
 	. 'AND students.registrations_id=registrations.id '
-	. 'AND registrations.year=' . $config['FAIRYEAR'] . ' '
+	. 'AND registrations.year=?'
-	. 'AND students.year=' . $config['FAIRYEAR']);
+	. 'AND students.year=?');
-$q->execute();
+$q->execute([$_SESSION['email'],$_SESSION['registration_number'],$_SESSION['registration_id'],$config['FAIRYEAR'],$config['FAIRYEAR']]);
 show_pdo_errors_if_any($pdo);
 if ($q->rowCount() == 0) {
--- a/register_participants_safety.php
+++ b/register_participants_safety.php
@ -40,13 +40,13 @@ if (!$_SESSION['registration_number']) {
 global $pdo;
 $q = $pdo->prepare('SELECT registrations.id AS regid, students.id AS studentid, students.firstname FROM registrations,students '
-	. "WHERE students.email='" . $_SESSION['email'] . "' "
+	. "WHERE students.email=?" 
-	. "AND registrations.num='" . $_SESSION['registration_number'] . "' "
+	. "AND registrations.num=?"
-	. "AND registrations.id='" . $_SESSION['registration_id'] . "' "
+	. "AND registrations.id=?"
 	. 'AND students.registrations_id=registrations.id '
-	. 'AND registrations.year=' . $config['FAIRYEAR'] . ' '
+	. 'AND registrations.year=?'
-	. 'AND students.year=' . $config['FAIRYEAR']);
+	. 'AND students.year=?');
-$q->execute();
+$q->execute([$_SESSION['email'],$_SESSION['registration_number'],$_SESSION['registration_id'],$config['FAIRYEAR'],$config['FAIRYEAR']]);
 show_pdo_errors_if_any($pdo);
 if ($q->rowCount() == 0) {
--- a/register_participants_signature.php
+++ b/register_participants_signature.php
@ -45,17 +45,25 @@ if ($_GET['sample']) {
 		exit;
 	}
-	$q = $pdo->prepare('SELECT registrations.id AS regid, students.id AS studentid, students.firstname FROM registrations,students '
+	$q = $pdo->prepare('SELECT 
-		. "WHERE students.email='" . $_SESSION['email'] . "' "
+	registrations.id AS regid, 
-		. "AND registrations.num='" . $_SESSION['registration_number'] . "' "
+	students.id AS studentid, 
-		. "AND registrations.id='" . $_SESSION['registration_id'] . "' "
+	students.firstname 
-		. 'AND students.registrations_id=registrations.id '
+FROM registrations 
-		. 'AND registrations.year=' . $config['FAIRYEAR'] . ' '
+JOIN students ON students.registrations_id = registrations.id 
-		. 'AND students.year=' . $config['FAIRYEAR']);
+WHERE students.email = ? 
 AND registrations.num = ? 
 AND registrations.id = ? 
 AND registrations.year = ? 
 AND students.year = ?');
-	$registration_number = $_SESSION['registration_number'];
+	$q->execute([
-	$registration_id = $_SESSION['registration_id'];
+		$_SESSION['email'],
-	$q->execute();
+		$_SESSION['registration_number'],
 		$_SESSION['registration_id'],
 		$config['FAIRYEAR'],
 		$config['FAIRYEAR']
 	]);
 	show_pdo_errors_if_any($pdo);
@ -100,7 +108,7 @@ if ($_GET['sample']) {
 	$rr->school = 'SampleSchool';
 } else {
 	// grab the project info
-	$q = $pdo->prepare("SELECT projects.*, 
+	$q = $pdo->prepare('SELECT projects.*, 
                        projectcategories.category, 
                        projectdivisions.division
                 FROM projects
@ -110,11 +118,11 @@ if ($_GET['sample']) {
                        AND projects.year=?
                        AND projectdivisions.year=?
                        AND projectcategories.year=?
-                        ");
+                        ');
-	$q->execute([$_SESSION['registration_id'],$config['FAIRYEAR'],$config['FAIRYEAR'],$config['FAIRYEAR']]);
+	$q->execute([$_SESSION['registration_id'], $config['FAIRYEAR'], $config['FAIRYEAR'], $config['FAIRYEAR']]);
 	$projectinfo = $q->fetch(PDO::FETCH_OBJ);
-	$q = $pdo->prepare("SELECT * FROM students WHERE registrations_id=? AND year=?");
+	$q = $pdo->prepare('SELECT * FROM students WHERE registrations_id=? AND year=?');
 	$q->execute([$_SESSION['registration_id'], $config['FAIRYEAR']]);
 	while ($si = $q->fetch(PDO::FETCH_OBJ))
 		$studentinfoarray[] = $si;
@ -136,7 +144,7 @@ $pdf->addTextX("Exhibitor$plural: ", 0.75);
 foreach ($studentinfoarray AS $studentinfo) {
 	if (!$_GET['sample']) {
-		$qq = $pdo->prepare("SELECT school FROM schools WHERE id=?");
+		$qq = $pdo->prepare('SELECT school FROM schools WHERE id=?');
 		$qq->execute([$studentinfo->schools_id]);
 		$rr = $qq->fetch(PDO::FETCH_OBJ);
 	}
--- a/register_participants_signature_tcpdf.php
+++ b/register_participants_signature_tcpdf.php
@ -45,15 +45,16 @@ if (get_value_from_array($_GET, 'sample')) {
 	$q = $pdo->prepare("SELECT registrations.id AS regid, students.id AS studentid, students.firstname 
 \t \t\t\tFROM registrations,students
-	\t \t\tWHERE students.email='{$_SESSION['email']}' 
+	\t \t\tWHERE students.email=? 
-				AND registrations.num='{$_SESSION['registration_number']}'
+				AND registrations.num=?
-				AND registrations.id='{$_SESSION['registration_id']}'
+				AND registrations.id=?
 				AND students.registrations_id=registrations.id
-				AND registrations.year={$config['FAIRYEAR']}
+				AND registrations.year=?
-				AND students.year={$config['FAIRYEAR']}");
+				AND students.year=?");
-	$registration_number = $_SESSION['registration_number'];
+				'?=?' ;
 	$registration_id = $_SESSION['registration_id'];
-	$q->execute();
+	$q->execute([$_SESSION['email'],$_SESSION['registration_number'],$_SESSION['registration_id'],$config['FAIRYEAR'],
 	$config['FAIRYEAR'],$registration_number,$_SESSION['registration_number']]);
 	show_pdo_errors_if_any($pdo);
--- a/register_participants_spawards.php
+++ b/register_participants_spawards.php
@ -127,11 +127,11 @@ if ($_POST['action'] == 'save') {
 			$stmt->execute([$project->id,  $config['FAIRYEAR']]);
 			foreach ($splist AS $spaward) {
 				$s = ($spaward == -1) ? 'NULL' : "'$spaward'";
-				$stmt = $pdo->prepare('INSERT INTO project_specialawards_link (award_awards_id,projects_id,year) VALUES ('
+				$stmt = $pdo->prepare('INSERT INTO project_specialawards_link (award_awards_id,projects_id,year) VALUES (
-					. "$s, "
+					?, 
-					. "'$project->id', "
+					?,
-					. "'" . $config['FAIRYEAR'] . "')");
+					?)');
-				$stmt->execute();
+				$stmt->execute([$s,$project->id,$config['FAIRYEAR']]);
 				show_pdo_errors_if_any($pdo);
 			}
 			if ($num) {
--- a/register_participants_students.php
+++ b/register_participants_students.php
@ -41,14 +41,26 @@ if (!($_SESSION['registration_number'] && $_SESSION['registration_id'])) {
 }
 $fairyear = intval($config['FAIRYEAR']);
-$q = $pdo->prepare('SELECT registrations.id AS regid, students.id AS studentid, students.firstname FROM registrations,students '
+$q = $pdo->prepare('SELECT 
-	. "WHERE students.email='" . $_SESSION['email'] . "' "
+        registrations.id AS regid, 
-	. "AND registrations.num='" . $_SESSION['registration_number'] . "' "
+        students.id AS studentid, 
-	. "AND registrations.id='" . $_SESSION['registration_id'] . "' "
+        students.firstname 
-	. 'AND students.registrations_id=registrations.id '
+    FROM registrations 
-	. 'AND registrations.year=' . $fairyear . ' '
+    JOIN students ON students.registrations_id = registrations.id 
-	. 'AND students.year=' . $fairyear);
+    WHERE students.email = ? 
-$q->execute();
+    AND registrations.num = ? 
    AND registrations.id = ? 
    AND registrations.year = ? 
    AND students.year = ?');
 $q->execute([
 	$_SESSION['email'],
 	$_SESSION['registration_number'],
 	$_SESSION['registration_id'],
 	$fairyear,
 	$fairyear
 ]);
 show_pdo_errors_if_any($pdo);
 if ($q->rowCount() == 0) {
@ -82,7 +94,7 @@ if (get_value_from_array($_POST, 'action') == 'save') {
 			if ($students_id == 0) {
 				// if they use schoolpassword or singlepassword, then we need to set the school based on the school stored in the registration record.  for anything else they can school the school on their own.
 				if ($config['participant_registration_type'] == 'schoolpassword' || $config['participant_registration_type'] == 'invite') {
-					$q = $pdo->prepare("SELECT schools_id FROM registrations WHERE id=? AND YEAR=?");
+					$q = $pdo->prepare('SELECT schools_id FROM registrations WHERE id=? AND YEAR=?');
 					$q->execute([$_SESSION['registration_id'], $config['FAIRYEAR']]);
 					$r = $q->fetch(PDO::FETCH_OBJ);
 					$schools_id = $r->schools_id;
@ -93,28 +105,38 @@ if (get_value_from_array($_POST, 'action') == 'save') {
 				}
 				// INSERT new record
 				$dob = $_POST['year'][$x] . '-' . $_POST['month'][$x] . '-' . $_POST['day'][$x];
-				$stmt = $pdo->prepare('INSERT INTO students (registrations_id,firstname,lastname,pronunciation,sex,email,address,city,county,province,postalcode,phone,dateofbirth,grade,schools_id,tshirt,medicalalert,foodreq,teachername,teacheremail,year) VALUES ('
+				$stmt = $pdo->prepare('INSERT INTO students 
-					. "'" . $_SESSION['registration_id'] . "', "
+    (registrations_id, firstname, lastname, pronunciation, sex, email, address, city, county, province, 
-					. "'" . stripslashes($_POST['firstname'][$x]) . "', "
+     postalcode, phone, dateofbirth, grade, schools_id, tshirt, medicalalert, foodreq, 
-					. "'" . stripslashes($_POST['lastname'][$x]) . "', "
+     teachername, teacheremail, year) 
-					. "'" . stripslashes($_POST['pronunciation'][$x]) . "', "
+    VALUES ('
-					. "'" . stripslashes($_POST['sex'][$x]) . "', "
+					. '?, ?, ?, ?, ?, ?, ?, ?, ?, ?, '
-					. "'" . stripslashes($_POST['email'][$x]) . "', "
+					. '?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)');
-					. "'" . stripslashes($_POST['address'][$x]) . "', "
+
-					. "'" . stripslashes($_POST['city'][$x]) . "', "
+				$stmt->execute([
-					. "'" . stripslashes($_POST['county'][$x]) . "', "
+					$_SESSION['registration_id'],
-					. "'" . stripslashes($_POST['province'][$x]) . "', "
+					stripslashes($_POST['firstname'][$x]),
-					. "'" . stripslashes($_POST['postalcode'][$x]) . "', "
+					stripslashes($_POST['lastname'][$x]),
-					. "'" . stripslashes($_POST['phone'][$x]) . "', "
+					stripslashes($_POST['pronunciation'][$x]),
-					. "'$dob', "
+					stripslashes($_POST['sex'][$x]),
-					. "'" . stripslashes($_POST['grade'][$x]) . "', "
+					stripslashes($_POST['email'][$x]),
-					. $schoolvalue
+					stripslashes($_POST['address'][$x]),
-					. "'" . stripslashes($_POST['tshirt'][$x]) . "', "
+					stripslashes($_POST['city'][$x]),
-					. "'" . stripslashes($_POST['medicalalert'][$x]) . "', "
+					stripslashes($_POST['county'][$x]),
-					. "'" . stripslashes($_POST['foodreq'][$x]) . "', "
+					stripslashes($_POST['province'][$x]),
-					. "'" . stripslashes($_POST['teachername'][$x]) . "', "
+					stripslashes($_POST['postalcode'][$x]),
-					. "'" . stripslashes($_POST['teacheremail'][$x]) . "', "
+					stripslashes($_POST['phone'][$x]),
-					. "'" . $config['FAIRYEAR'] . "')");
+					$dob,
 					stripslashes($_POST['grade'][$x]),
 					$schoolvalue,
 					stripslashes($_POST['tshirt'][$x]),
 					stripslashes($_POST['medicalalert'][$x]),
 					stripslashes($_POST['foodreq'][$x]),
 					stripslashes($_POST['teachername'][$x]),
 					stripslashes($_POST['teacheremail'][$x]),
 					$config['FAIRYEAR']
 				]);
 				$students_id = $pdo->lastInsertId();
 				echo notice(i18n('%1 %2 successfully added', array($_POST['firstname'][$x], $_POST['lastname'][$x])));
@ -129,38 +151,61 @@ if (get_value_from_array($_POST, 'action') == 'save') {
 				// UPDATE existing record
 				$dob = $_POST['year'][$x] . '-' . $_POST['month'][$x] . '-' . $_POST['day'][$x];
 				$stmt = $pdo->prepare('UPDATE students SET '
-					. "firstname='" . stripslashes($_POST['firstname'][$x]) . "', "
+					. 'firstname = ?, '
-					. "lastname='" . stripslashes($_POST['lastname'][$x]) . "', "
+					. 'lastname = ?, '
-					. "pronunciation='" . stripslashes($_POST['pronunciation'][$x]) . "', "
+					. 'pronunciation = ?, '
-					. "sex='" . stripslashes($_POST['sex'][$x]) . "', "
+					. 'sex = ?, '
-					. "email='" . stripslashes($_POST['email'][$x]) . "', "
+					. 'email = ?, '
-					. "address='" . stripslashes($_POST['address'][$x]) . "', "
+					. 'address = ?, '
-					. "city='" . stripslashes($_POST['city'][$x]) . "', "
+					. 'city = ?, '
-					. "county='" . stripslashes($_POST['county'][$x]) . "', "
+					. 'county = ?, '
-					. "province='" . stripslashes($_POST['province'][$x]) . "', "
+					. 'province = ?, '
-					. "postalcode='" . stripslashes($_POST['postalcode'][$x]) . "', "
+					. 'postalcode = ?, '
-					. "phone='" . stripslashes($_POST['phone'][$x]) . "', "
+					. 'phone = ?, '
-					. "dateofbirth='$dob', "
+					. 'dateofbirth = ?, '
-					. "grade='" . stripslashes($_POST['grade'][$x]) . "', "
+					. 'grade = ?, '
 					. $schoolquery
-					. "medicalalert='" . stripslashes($_POST['medicalalert'][$x]) . "', "
+					. 'medicalalert = ?, '
-					. "foodreq='" . stripslashes($_POST['foodreq'][$x]) . "', "
+					. 'foodreq = ?, '
-					. "teachername='" . stripslashes($_POST['teachername'][$x]) . "', "
+					. 'teachername = ?, '
-					. "teacheremail='" . stripslashes($_POST['teacheremail'][$x]) . "', "
+					. 'teacheremail = ?, '
-					. "tshirt='" . stripslashes($_POST['tshirt'][$x]) . "' "
+					. 'tshirt = ? '
-					. "WHERE id='$students_id'");
+					. 'WHERE id = ?');
 				$stmt->execute([
 					stripslashes($_POST['firstname'][$x]),
 					stripslashes($_POST['lastname'][$x]),
 					stripslashes($_POST['pronunciation'][$x]),
 					stripslashes($_POST['sex'][$x]),
 					stripslashes($_POST['email'][$x]),
 					stripslashes($_POST['address'][$x]),
 					stripslashes($_POST['city'][$x]),
 					stripslashes($_POST['county'][$x]),
 					stripslashes($_POST['province'][$x]),
 					stripslashes($_POST['postalcode'][$x]),
 					stripslashes($_POST['phone'][$x]),
 					$dob,
 					stripslashes($_POST['grade'][$x]),
 					stripslashes($_POST['medicalalert'][$x]),
 					stripslashes($_POST['foodreq'][$x]),
 					stripslashes($_POST['teachername'][$x]),
 					stripslashes($_POST['teacheremail'][$x]),
 					stripslashes($_POST['tshirt'][$x]),
 					$students_id
 				]);
 				echo notice(i18n('%1 %2 successfully updated', array($_POST['firstname'][$x], $_POST['lastname'][$x])));
 			}
 			/* Update the regfee items link */
 			if ($config['participant_regfee_items_enable'] == 'yes') {
-				$stmt = $pdo->prepare("DELETE FROM regfee_items_link WHERE students_id=?");
+				$stmt = $pdo->prepare('DELETE FROM regfee_items_link WHERE students_id=?');
 				$stmt->execute([$students_id]);
 				if (is_array($_POST['regfee_item'][$x])) {
 					foreach ($_POST['regfee_item'][$x] as $id => $enabled) {
-						$stmt = $pdo->prepare("INSERT INTO regfee_items_link(`students_id`,`regfee_items_id`)
+						$stmt = $pdo->prepare('INSERT INTO regfee_items_link(`students_id`,`regfee_items_id`)
-								VALUES (?,?) ");
+								VALUES (?,?) ');
-						$stmt->execute([$students_id,$id]);
+						$stmt->execute([$students_id, $id]);
 					}
 				}
 			}
@ -175,20 +220,20 @@ if (get_value_from_array($_GET, 'action') == 'removestudent') {
 	} else {
 		$students_id = intval($_GET['removestudent']);
 		// first make sure this is one belonging to this registration id
-		$q = $pdo->prepare("SELECT id FROM students WHERE id=? AND registrations_id=/");
+		$q = $pdo->prepare('SELECT id FROM students WHERE id=? AND registrations_id=/');
 		$q->execute([$students_id, $_SESSION['registration_id']]);
 		if ($q->rowCount() == 1) {
-			$stmt = $pdo->prepare("DELETE FROM students WHERE id=? AND registrations_id=?");
+			$stmt = $pdo->prepare('DELETE FROM students WHERE id=? AND registrations_id=?');
 			$stmt->execute([$students_id, $_SESSION['registration_id']]);
 			// now see if they have an emergency contact that also needs to be removed
-			$q = $pdo->prepare("SELECT id FROM emergencycontact WHERE students_id=? AND registrations_id=? AND year=?");
+			$q = $pdo->prepare('SELECT id FROM emergencycontact WHERE students_id=? AND registrations_id=? AND year=?');
 			$q->execute([$students_id, $_SESSION['registration_id'], $config['FAIRYEAR']]);
 			// no need to error message if this doesnt exist
 			if ($q->rowCount() == 1)
-				$stmt = $pdo->prepare("DELETE FROM emergencycontact WHERE students_id=? AND registrations_id=? AND year=?");
+				$stmt = $pdo->prepare('DELETE FROM emergencycontact WHERE students_id=? AND registrations_id=? AND year=?');
 			$stmt->execute([$students_id, $_SESSION['registration_id'], $config['FAIRYEAR']]);
-			$stmt = $pdo->prepare("DELETE FROM regfee_items_link WHERE students_id=?");
+			$stmt = $pdo->prepare('DELETE FROM regfee_items_link WHERE students_id=?');
 			$stmt->execute([$students_id]);
 			echo notice(i18n('Student successfully removed'));
 		} else {
@ -207,14 +252,14 @@ if ($newstatus != 'complete') {
 // now query and display
-$q = $pdo->prepare("SELECT * FROM students WHERE registrations_id=? AND year=?");
+$q = $pdo->prepare('SELECT * FROM students WHERE registrations_id=? AND year=?');
 $q->execute([$_SESSION['registration_id'], $config['FAIRYEAR']]);
 if ($q->rowCount() == 0) {
 	// uhh oh, we didnt find any, this isnt possible! lets insert one using the logged in persons email address
 	// although... this can never really happen, since the above queries only allow the page to view if the student
 	// is found in the students table... soo... well, lets leave it here as a fallback anyways, just incase
-	$stmt = $pdo->prepare("INSERT INTO students (registrations_id,email,year) VALUES (?,?,?)");
+	$stmt = $pdo->prepare('INSERT INTO students (registrations_id,email,year) VALUES (?,?,?)');
-	$stmt->execute([$_SESSION['registration_id'], $_SESSION['email'],$config['FAIRYEAR']]);
+	$stmt->execute([$_SESSION['registration_id'], $_SESSION['email'], $config['FAIRYEAR']]);
 	// if we just inserted it, then we will obviously find 1
 	$numfound = 1;
 } else {
@ -437,7 +482,7 @@ for ($x = 1; $x <= $numtoshow; $x++) {
 	echo "<tr>\n";
 	echo ' <td>' . i18n('School') . '</td><td colspan="3">';
 	if ($config['participant_registration_type'] == 'open' || $config['participant_registration_type'] == 'singlepassword' || $config['participant_registration_type'] == 'openorinvite' || ($studentinfo && !$studentinfo->schools_id)) {
-		$schoolq = $pdo->prepare("SELECT id,school,city FROM schools WHERE year=? ORDER by city,school");
+		$schoolq = $pdo->prepare('SELECT id,school,city FROM schools WHERE year=? ORDER by city,school');
 		$schoolq->execute([$config['FAIRYEAR']]);
 		echo "<select name=\"schools_id[$x]\">\n";
 		echo '<option value="">' . i18n('Choose School') . "</option>\n";
@ -450,7 +495,7 @@ for ($x = 1; $x <= $numtoshow; $x++) {
 		}
 		echo '</select>' . REQUIREDFIELD;
 	} else {
-		$schoolq = $pdo->prepare("SELECT id,school FROM schools WHERE year=? AND id=?");
+		$schoolq = $pdo->prepare('SELECT id,school FROM schools WHERE year=? AND id=?');
 		$schoolq->execute([$config['FAIRYEAR'], $studentinfo->schools_id]);
 		$r = $schoolq->fetch(PDO::FETCH_OBJ);
 		echo $r->school;
@ -465,8 +510,8 @@ for ($x = 1; $x <= $numtoshow; $x++) {
 	echo "</tr>\n";
 	if ($config['participant_regfee_items_enable'] == 'yes') {
-		$sel_q = $pdo->prepare("SELECT * FROM regfee_items_link 
+		$sel_q = $pdo->prepare('SELECT * FROM regfee_items_link 
-					WHERE students_id=?");
+					WHERE students_id=?');
 		$sel_q->execute([$id]);
 		$sel = array();
 		while ($info_q = $sel_q->fetch(PDO::FETCH_ASSOC)) {
--- a/register_participants_tours.php
+++ b/register_participants_tours.php
@ -38,14 +38,23 @@ if (!$_SESSION['registration_number']) {
 	exit;
 }
-$q = $pdo->prepare('SELECT registrations.id AS regid, students.id AS studentid, students.firstname FROM registrations,students '
+$q = $pdo->prepare('SELECT registrations.id AS regid, students.id AS studentid, students.firstname 
-	. "WHERE students.email='" . $_SESSION['email'] . "' "
+    FROM registrations 
-	. "AND registrations.num='" . $_SESSION['registration_number'] . "' "
+    JOIN students ON students.registrations_id = registrations.id 
-	. "AND registrations.id='" . $_SESSION['registration_id'] . "' "
+    WHERE students.email = ? 
-	. 'AND students.registrations_id=registrations.id '
+    AND registrations.num = ? 
-	. 'AND registrations.year=' . $config['FAIRYEAR'] . ' '
+    AND registrations.id = ? 
-	. 'AND students.year=' . $config['FAIRYEAR']);
+    AND registrations.year = ? 
-$q->execute();
+    AND students.year = ?');
 $q->execute([
 	$_SESSION['email'],
 	$_SESSION['registration_number'],
 	$_SESSION['registration_id'],
 	$config['FAIRYEAR'],
 	$config['FAIRYEAR']
 ]);
 show_pdo_errors_if_any($pdo);
 if ($q->rowCount() == 0) {
@ -74,7 +83,7 @@ if ($_POST['action'] == 'save') {
 				WHERE registrations_id=? 
 				AND year=? 
 				AND rank!='0'");
-		$stmt->execute([$_SESSION['registration_id'],$config['FAIRYEAR']]);
+		$stmt->execute([$_SESSION['registration_id'], $config['FAIRYEAR']]);
 		if (is_array($_POST['toursel'])) {
 			foreach ($_POST['toursel'] AS $students_id => $ts) {
 				$selarray = array();
@ -94,13 +103,18 @@ if ($_POST['action'] == 'save') {
 					/* Remember this choice in a format that is easily searchable */
 					$selarray[] = $x;
-					$stmt = $pdo->prepare('INSERT INTO tours_choice (registrations_id,students_id,tour_id,year,rank) VALUES ('
+					$stmt = $pdo->prepare('INSERT INTO tours_choice 
-						. "'" . $_SESSION['registration_id'] . "', "
+    (registrations_id, students_id, tour_id, year, rank) 
-						. "'" . intval($students_id) . "', "
+    VALUES (?, ?, ?, ?, ?)');
-						. "'" . intval($tid) . "', "
+
-						. "'" . $config['FAIRYEAR'] . "', "
+					$stmt->execute([
-						. "'$rank')");
+						$_SESSION['registration_id'],
-					$stmt->execute();
+						intval($students_id),
 						intval($tid),
 						$config['FAIRYEAR'],
 						$rank
 					]);
 					show_pdo_errors_if_any($pdo);
 				}
 			}
@ -131,8 +145,8 @@ if ($newstatus != 'complete') {
 }
 $assigned_tour = array();
-$q = $pdo->prepare("SELECT * FROM tours_choice WHERE registrations_id=? AND year=?");
+$q = $pdo->prepare('SELECT * FROM tours_choice WHERE registrations_id=? AND year=?');
-$q->execute([$_SESSION['registration_id'],$config['FAIRYEAR']]);
+$q->execute([$_SESSION['registration_id'], $config['FAIRYEAR']]);
 while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 	if ($r->rank == 0)
 		$assigned_tour[$r->students_id] = $r->tour_id;
@ -140,7 +154,7 @@ while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 }
 $tours = array();
-$q = $pdo->prepare("SELECT * FROM tours WHERE year=? ORDER BY id");
+$q = $pdo->prepare('SELECT * FROM tours WHERE year=? ORDER BY id');
 $q->execute([$config['FAIRYEAR']]);
 if ($q->rowCount() == 0) {
 	echo notice(i18n('There is not tour information'));
@ -163,8 +177,8 @@ $max = $config['tours_choices_max'];
 echo "<form method=\"post\" action=\"register_participants_tours.php\">\n";
 echo "<input type=\"hidden\" name=\"action\" value=\"save\">\n";
-$q = $pdo->prepare("SELECT * FROM students WHERE registrations_id=? AND year=?");
+$q = $pdo->prepare('SELECT * FROM students WHERE registrations_id=? AND year=?');
-$q->execute([$_SESSION['registration_id'],$config['FAIRYEAR']]);
+$q->execute([$_SESSION['registration_id'], $config['FAIRYEAR']]);
 $num_found = $q->rowCount();
 $print_submit = false;
--- a/remote.php
+++ b/remote.php
@ -274,8 +274,8 @@ function award_upload_assign(&$fair, &$award, &$prize, &$project, $year, &$respo
 		} while ($q->rowCount() > 0);
 		// actually insert it
-		$stmt = $pdo->prepare('INSERT INTO registrations (num,email,start,status,schools_id,year) VALUES ('
+		$stmt = $pdo->prepare('INSERT INTO registrations (num,email,start,status,schools_id,year) VALUES (
-			?,?,NOW(),'open',NULL,?')');
+			?,?,NOW(),open,NULL,?)');
 		$stmt->execute([$regnum,$regnum,$year]);
 		$registrations_id = $pdo->lastInsertId();
 		/* We'll fill in the email address later */
@ -295,12 +295,13 @@ function award_upload_assign(&$fair, &$award, &$prize, &$project, $year, &$respo
 	$registration = $q->fetch(PDO::FETCH_ASSOC);
 	/* Update the project in case anythign changed */
-	$stmt = $pdo->prepare("UPDATE projects SET title='" . $project['title'] . "',
+	$stmt = $pdo->prepare("UPDATE projects SET title=?,
 					summary='" . $project['abstract'] . "',
-					projectcategories_id='" . intval($project['projectcategories_id']) . "',
+					projectcategories_id=?,
-					projectdivisions_id='" . intval($project['projectdivisions_id']) . "'
+					projectdivisions_id=?
-				WHERE id='$pid'");
+				WHERE id=?");
-	$stmt->execute();
+	$stmt->execute([$project['title'],intval($project['projectcategories_id']),
 	intval($project['projectdivisions_id']),$pid]);
 	/* Record the winner */
 	$stmt = $pdo->prepare("INSERT INTO winners(`awards_prizes_id`,`projects_id`,`year`,`fairs_id`)
--- a/schoolinvite.php
+++ b/schoolinvite.php
@ -8,7 +8,7 @@ if ($_SESSION['schoolid'] && $_SESSION['schoolaccesscode']) {
 	echo '<a href="schoolaccess.php">&lt;&lt; ' . i18n('Return to school access main page') . '</a><br />';
 	echo '<br />';
-	$q = $pdo->prepare("SELECT * FROM schools WHERE id=? AND accesscode=? AND year=?");
+	$q = $pdo->prepare('SELECT * FROM schools WHERE id=? AND accesscode=? AND year=?');
 	$q->execute([$_SESSION['schoolid'], $_SESSION['schoolaccesscode'], $config['FAIRYEAR']]);
 	show_pdo_errors_if_any($pdo);
 	$school = $q->fetch(PDO::FETCH_OBJ);
@ -17,7 +17,7 @@ if ($_SESSION['schoolid'] && $_SESSION['schoolaccesscode']) {
 			if ($_POST['action'] == 'invite') {
 				if ($_POST['firstname'] && $_POST['lastname'] && $_POST['email'] && $_POST['grade']) {
 					// make sure they arent already invited!
-					$q = $pdo->prepare("SELECT firstname, lastname FROM students WHERE year=? AND email=?");
+					$q = $pdo->prepare('SELECT firstname, lastname FROM students WHERE year=? AND email=?');
 					$q->execute([$config['FAIRYEAR'], $_POST['email']]);
 					if ($q->rowCount()) {
 						echo error(i18n('That students email address has already been invited'));
@ -28,31 +28,37 @@ if ($_SESSION['schoolid'] && $_SESSION['schoolaccesscode']) {
 							// random number between
 							// 100000 and 999999  (six digit integer)
 							$regnum = rand(100000, 999999);
-							$q = $pdo->prepare("SELECT * FROM registrations WHERE num? AND year=?");
+							$q = $pdo->prepare('SELECT * FROM registrations WHERE num? AND year=?');
 							$q->execute([$regnum, $config['FAIRYEAR']]);
 						} while ($q->rowCount() > 0);
 						// actually insert it
-						$stmt = $pdo->prepare('INSERT INTO registrations (num,email,emailcontact,start,status,year) VALUES ('
+						$stmt = $pdo->prepare('INSERT INTO registrations (num, email, emailcontact, start, status, year) 
-							. "'$regnum',"
+    					VALUES (?, ?, ?, NOW(), ?, ?)');
-							. "'" . $_POST['email'] . "',"
+
-							. "'" . $_POST['emailcontact'] . "',"
+						$stmt->execute([
-							. 'NOW(),'
+							$regnum,
-							. "'open',"
+							$_POST['email'],
-							. $config['FAIRYEAR']
+							$_POST['emailcontact'],
-							. ')');
+							'open',
-						$stmt->execute();
+							$config['FAIRYEAR']
 						]);
 						$regid = $pdo->lastInsertId();
-						$stmt = $pdo->prepare("INSERT INTO students (registrations_id,email,firstname,lastname,schools_id,grade,year) VALUES (
+						$stmt = $pdo->prepare("INSERT INTO students (registrations_id, email, firstname, lastname, schools_id, grade, year) 
-								'$regid',
+							VALUES (?, ?, ?, ?, ?, ?, ?)");
-								'" . $_POST['email'] . "',
+
-								'" . $_POST['firstname'] . "',
+						$stmt->execute([
-								'" . $_POST['lastname'] . "',
+							$regid,
-								'" . $_SESSION['schoolid'] . "',
+							$_POST['email'],
-								'" . $_POST['grade'] . "',
+							$_POST['firstname'],
-								'" . $config['FAIRYEAR'] . "')");
+							$_POST['lastname'],
-						$stmt->execute();
+							$_SESSION['schoolid'],
 							$_POST['grade'],
 							$config['FAIRYEAR']
 						]);
 						email_send('new_participant', $_POST['email'], array(), array('REGNUM' => $regnum, 'EMAIL' => $_POST['email']));
 						if ($_POST['emailcontact'])
@ -65,24 +71,24 @@ if ($_SESSION['schoolid'] && $_SESSION['schoolaccesscode']) {
 			if ($_GET['action'] == 'uninvite') {
 				// first, make sure that this is really their student, and it sfor this year.
-				$q = $pdo->prepare("SELECT * FROM students WHERE id=? AND year=? AND schools_id=?");
+				$q = $pdo->prepare('SELECT * FROM students WHERE id=? AND year=? AND schools_id=?');
 				$q->execute([$_GET['uninvite'], $config['FAIRYEAR'], $_SESSION['schoolid']]);
 				if ($q->rowCount()) {
 					$r = $q->fetch(PDO::FETCH_OBJ);
 					$registrations_id = $r->registrations_id;
 					if ($registrations_id)  // just to be safe!
 					{
-						$stmt = $pdo->prepare("DELETE FROM students WHERE registrations_id=?");
+						$stmt = $pdo->prepare('DELETE FROM students WHERE registrations_id=?');
 						$stmt->execute([$registrations_id]);
-						$stmt = $pdo->prepare("DELETE FROM projects WHERE registrations_id=?");
+						$stmt = $pdo->prepare('DELETE FROM projects WHERE registrations_id=?');
 						$stmt->execute([$registrations_id]);
-						$stmt = $pdo->prepare("DELETE FROM mentors WHERE registrations_id=?");
+						$stmt = $pdo->prepare('DELETE FROM mentors WHERE registrations_id=?');
 						$stmt->execute([$registrations_id]);
-						$stmt = $pdo->prepare("DELETE FROM safety WHERE registrations_id=?");
+						$stmt = $pdo->prepare('DELETE FROM safety WHERE registrations_id=?');
 						$stmt->execute([$registrations_id]);
-						$stmt = $pdo->prepare("DELETE FROM emergencycontact WHERE registrations_id=?");
+						$stmt = $pdo->prepare('DELETE FROM emergencycontact WHERE registrations_id=?');
 						$stmt->execute([$registrations_id]);
-						$stmt = $pdo->prepare("DELETE FROM registrations WHERE id=?");
+						$stmt = $pdo->prepare('DELETE FROM registrations WHERE id=?');
 						$stmt->execute([$registrations_id]);
 						echo happy(i18n('Student successfully uninvited'));
@ -91,8 +97,8 @@ if ($_SESSION['schoolid'] && $_SESSION['schoolaccesscode']) {
 					echo error(i18n('Invalid student to uninvite'));
 			}
-			$q = $pdo->prepare("SELECT (NOW()>? AND NOW()<?) AS datecheck");
+			$q = $pdo->prepare('SELECT (NOW()>? AND NOW()<?) AS datecheck');
-			$q->execute([$config['dates']['regopen'],$config['dates']['regclose']]);
+			$q->execute([$config['dates']['regopen'], $config['dates']['regclose']]);
 			$datecheck = $q->fetch(PDO::FETCH_OBJ);
 			$q = $pdo->prepare("SELECT \t
@ -110,7 +116,7 @@ if ($_SESSION['schoolid'] && $_SESSION['schoolaccesscode']) {
 					ORDER BY 
 						lastname,
 						firstname");
-			$q->execute([$school->id,$config['FAIRYEAR']]);
+			$q->execute([$school->id, $config['FAIRYEAR']]);
 			$currentinvited = $q->rowCount();
 			if ($datecheck != 0) {
@ -135,10 +141,10 @@ if ($_SESSION['schoolid'] && $_SESSION['schoolaccesscode']) {
 						}
 					} else if ($school->projectlimitper == 'agecategory') {
 						echo '<br />';
-						$catq = $pdo->prepare("SELECT * FROM projectcategories WHERE year=? ORDER BY id");
+						$catq = $pdo->prepare('SELECT * FROM projectcategories WHERE year=? ORDER BY id');
 						$catq->execute([$config['FAIRYEAR']]);
 						while ($catr = $catq->fetch(PDO::FETCH_OBJ)) {
-							$q2 = $pdo->prepare("SELECT COUNT(students.id) AS num
+							$q2 = $pdo->prepare('SELECT COUNT(students.id) AS num
 									FROM 
 										students,
 										registrations 
@ -149,8 +155,8 @@ if ($_SESSION['schoolid'] && $_SESSION['schoolaccesscode']) {
 										AND students.year=? 
 										AND students.registrations_id=registrations.id 
 										GROUP BY registrations.num
-									");
+									');
-							$q2->execute([$school->id,$catr->mingrade,$catr->maxgrade,$config['FAIRYEAR']]);
+							$q2->execute([$school->id, $catr->mingrade, $catr->maxgrade, $config['FAIRYEAR']]);
 							show_pdo_errors_if_any($pdo);
 							$r2 = $q2->fetch(PDO::FETCH_OBJ);
 							$currentinvited = $r2->num;