From a6a46ec556288f9e65ffa31a03c90026ccd56826 Mon Sep 17 00:00:00 2001
From: patrick <patrick@algolibre.io>
Date: Sun, 9 Feb 2025 17:24:37 +0000
Subject: [PATCH] Refactor SQL queries

---
 admin/award_awardcreatedivisional.php         |   72 +-
 admin/award_awards.php                        |   86 +-
 admin/award_download.php                      |  131 +-
 admin/award_upload.php                        |   93 +-
 admin/awards.inc.php                          |   28 +-
 admin/cms.php                                 |   30 +-
 admin/committees.php                          |   34 +-
 admin/communication.php                       |  194 +-
 admin/documentdownloader.php                  |    4 +-
 admin/donations.php                           |    8 +-
 admin/donors.php                              |  173 +-
 admin/donors_search.php                       |    8 +-
 admin/exhibithall_sa.php                      |   24 +-
 admin/export_checkin.php                      |   18 +-
 admin/fair_stats.php                          |   36 +-
 admin/fair_stats_select.php                   |    8 +-
 admin/fundraising.php                         |   40 +-
 admin/fundraising_campaigns.php               |  110 +-
 admin/fundraising_campaigns_prospecting.php   |   24 +-
 admin/fundraising_common.inc.php              |    4 +-
 admin/fundraising_goals_handler.inc.php       |   28 +-
 admin/fundraising_main.inc.php                |   33 +-
 admin/fundraising_reports.php                 |    4 +-
 admin/fundraising_reports_std.php             |   32 +-
 admin/fundraising_setup.php                   |  124 +-
 admin/fundraising_sponsorship.php             |    4 +-
 admin/fundraising_sponsorship_handler.inc.php |   32 +-
 admin/fundraising_types.php                   |    4 +-
 admin/gettranslation.php                      |    4 +-
 admin/judges.inc.php                          |   48 +-
 admin/judges_info.php                         |   20 +-
 admin/judges_jdiv.php                         |   48 +-
 admin/judges_sa.php                           |  150 +-
 admin/judges_schedulerconfig_check.inc.php    |   50 +-
 admin/judges_teams.php                        |  119 +-
 admin/judges_teams_members.php                |   68 +-
 admin/judges_teams_projects.php               |   42 +-
 admin/judges_teams_timeslots.php              |   28 +-
 admin/judges_timeslots.php                    |   90 +-
 admin/judging_score_edit.php                  |   24 +-
 admin/judging_score_entry.php                 |   30 +-
 admin/project_editor.php                      |  126 +-
 admin/registration_list.php                   |   93 +-
 admin/registration_receivedforms.php          |   62 +-
 admin/registration_stats.php                  |   15 +-
 admin/registration_webconsent.php             |   18 +-
 admin/reports.inc.php                         |   48 +-
 admin/reports.php                             |   31 +-
 admin/reports_acscript.php                    |   26 +-
 admin/reports_appeal_letters.php              |    7 +-
 admin/reports_ceremony.php                    |    8 +-
 admin/reports_gen.php                         |   16 +-
 admin/reports_judges.inc.php                  |   34 +-
 admin/reports_judges.php                      |   20 +-
 admin/reports_judges_allyears.php             |    8 +-
 admin/reports_judges_teams_projects.php       |   24 +-
 admin/reports_mailinglabels_generator.php     |    8 +-
 admin/reports_program_awards.php              |   16 +-
 admin/reports_projects_details.php            |   15 +-
 admin/reports_projects_judges_teams.php       |   22 +-
 admin/reports_students.inc.php                |   28 +-
 admin/rerollprizes.php                        |  154 +-
 admin/schools.php                             |  105 +-
 admin/schoolsimport.php                       |   47 +-
 admin/send_emailqueue.php                     |   28 +-
 admin/settranslation.php                      |   16 +-
 admin/sponsor_contacts.php                    |   18 +-
 admin/student_editor.php                      |  215 ++-
 admin/tours_assignments.php                   |   50 +-
 admin/tours_manager.php                       |    8 +-
 admin/tours_sa.php                            |   31 +-
 admin/tours_sa_config.php                     |   10 +-
 admin/translations.php                        |   11 +-
 admin/user_editor_window.php                  |    8 +-
 admin/user_list.php                           |   20 +-
 admin/winners.php                             |   72 +-
 app/projectinfo.php                           |   17 +-
 app/projectlist.php                           |   12 +-
 app/projects.php                              |   12 +-
 committees.php                                |    2 +-
 common.inc.php                                | 1585 +++++++++--------
 config/backuprestore.php                      |   20 +-
 config/categories.php                         |   55 +-
 config/dates.php                              |   18 +-
 config/divisions.php                          |   75 +-
 config/divisions_cwsf.php                     |    8 +-
 config/languagepacks.php                      |    4 +-
 config/pagetexts.php                          |   43 +-
 config/rollover.php                           |  207 +--
 config/rolloverfiscal.php                     |   28 +-
 config/safetyquestions.php                    |   38 +-
 config/signaturepage.php                      |    8 +-
 config/subdivisions.php                       |   44 +-
 config/variables.php                          |   21 +-
 config_editor.inc.php                         |   27 +-
 confirmed_participants.php                    |   16 +-
 contact.php                                   |    9 +-
 db/db.update.111.php                          |    8 +-
 db/db.update.116.php                          |  112 +-
 db/db.update.117.php                          |   12 +-
 db/db.update.118.php                          |   34 +-
 db/db.update.122.php                          |   20 +-
 db/db.update.129.php                          |   12 +-
 db/db.update.129.user.inc.php                 |  104 +-
 db/db.update.131.php                          |   20 +-
 db/db.update.136.php                          |    6 +-
 db/db.update.142.php                          |    4 +-
 db/db.update.146.php                          |   12 +-
 db/db.update.146.user.inc.php                 |  100 +-
 db/db.update.149.user.inc.php                 |  104 +-
 db/db.update.155.php                          |    8 +-
 db/db.update.174.php                          |    6 +-
 db/db.update.62.php                           |   42 +-
 db/db.update.75.php                           |   45 +-
 db/db.update.76.php                           |   16 +-
 db/db.update.81.php                           |    4 +-
 db/db.update.87.php                           |    4 +-
 db/db_update.php                              |    8 +-
 fair_additional_materials.inc.php             |    6 +-
 fair_info.php                                 |   18 +-
 fair_stats.php                                |    4 +-
 judge.inc.php                                 |   24 +-
 judge_availability.php                        |   20 +-
 judge_expertise.php                           |   12 +-
 judge_main.php                                |    8 +-
 judge_project_summary.php                     |   12 +-
 judge_schedule.php                            |   26 +-
 judge_special_awards.php                      |   18 +-
 lpdf.php                                      |    4 +-
 projects.inc.php                              |   68 +-
 questions.inc.php                             |   95 +-
 register_participants.inc.php                 |   92 +-
 register_participants.php                     |   84 +-
 register_participants_emergencycontact.php    |   47 +-
 register_participants_isefforms.php           |   40 +-
 register_participants_main.php                |   24 +-
 register_participants_mentor.php              |   78 +-
 register_participants_namecheck.php           |   11 +-
 register_participants_project.php             |   81 +-
 ..._participants_project_divisionselector.php |   20 +-
 register_participants_safety.php              |   28 +-
 register_participants_signature.php           |   50 +-
 register_participants_signature_tcpdf.php     |   49 +-
 register_participants_spawards.php            |   34 +-
 register_participants_students.php            |  204 ++-
 register_participants_tours.php               |   62 +-
 remote.php                                    |  143 +-
 schoolaccess.php                              |   40 +-
 schoolinvite.php                              |  110 +-
 scripts/assignprojectnumbers.php              |   12 +-
 scripts/assigntourrankings.php                |    4 +-
 scripts/judges_fake.php                       |   32 +-
 scripts/populate_fake.php                     |   12 +-
 scripts/rolloverschools.php                   |   12 +-
 sponsor_main.php                              |   16 +-
 tableeditor.class.php                         |   36 +-
 tours.class.php                               |   16 +-
 user.inc.php                                  |   88 +-
 user_invite.php                               |    8 +-
 user_new.php                                  |    4 +-
 user_personal.php                             |    4 +-
 volunteer.inc.php                             |    6 +-
 volunteer_position.php                        |   24 +-
 winners.php                                   |   26 +-
 164 files changed, 4208 insertions(+), 4059 deletions(-)

diff --git a/admin/award_awardcreatedivisional.php b/admin/award_awardcreatedivisional.php
index 449619a2..4e5faf60 100644
--- a/admin/award_awardcreatedivisional.php
+++ b/admin/award_awardcreatedivisional.php
@@ -44,19 +44,19 @@ else if (get_value_from_array($_POST, 'award_types_id'))
 
 // first, we can only do this if we dont have any type=divisional awards created yet
 
-$q = $pdo->prepare("SELECT COUNT(id) AS num FROM award_awards WHERE award_types_id='1' AND year='{$config['FAIRYEAR']}'");
-$q->execute();
+$q = $pdo->prepare("SELECT COUNT(id) AS num FROM award_awards WHERE award_types_id='1' AND year=?");
+$q->execute([$config['FAIRYEAR']]);
 $r = $q->fetch(PDO::FETCH_OBJ);
 if ($r->num) {
 	echo error(i18n('%1 Divisional awards already exist.  There must not be any divisional awards in order to run this wizard', array($r->num)));
 } else {
-	$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY id");
-	$q->execute();
+	$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year=? ORDER BY id");
+	$q->execute([$config['FAIRYEAR']]);
 	while ($r = $q->fetch(PDO::FETCH_OBJ))
 		$div[$r->id] = $r->division;
 
-	$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY id");
-	$q->execute();
+	$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year=? ORDER BY id");
+	$q->execute([$config['FAIRYEAR']]);
 	while ($r = $q->fetch(PDO::FETCH_OBJ))
 		$cat[$r->id] = $r->category;
 
@@ -64,8 +64,8 @@ if ($r->num) {
 	$ckeys = array_keys($cat);
 
 	if ($config['filterdivisionbycategory'] == 'yes') {
-		$q = $pdo->prepare("SELECT * FROM projectcategoriesdivisions_link WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY projectdivisions_id,projectcategories_id");
-		$q->execute();
+		$q = $pdo->prepare("SELECT * FROM projectcategoriesdivisions_link WHERE year=? ORDER BY projectdivisions_id,projectcategories_id");
+		$q->execute([$config['FAIRYEAR']]);
 		$divcat = array();
 		while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 			$divcat[] = array('c' => $r->projectcategories_id, 'd' => $r->projectdivisions_id);
@@ -109,44 +109,42 @@ if ($r->num) {
 
 			echo i18n('Creating %1 - %2', array($c_category, $d_division)) . '<br />';
 
-			$q = $pdo->prepare("INSERT INTO award_awards (sponsors_id,award_types_id,name,criteria,`order`,year) VALUES (
-						'{$_GET['sponsors_id']}',
-						'1',
-						'$c_category - $d_division',
-						'" . i18n('Best %1 projects in the %2 division', array($c_category, $d_division)) . "',
-						'$ord',
-						'{$config['FAIRYEAR']}'
-					)");
-			$q->execute();
+			$q = $pdo->prepare("INSERT INTO award_awards (sponsors_id, award_types_id, name, criteria, `order`, year) 
+                    VALUES (?, '1', ?, ?, ?, ?)");
+			$q->execute([$_GET['sponsors_id'], i18n('Best %1 projects in the %2 division', [$c_category, $d_division]), 
+            		 $c_category, $ord, $config['FAIRYEAR']]);
+
 			show_pdo_errors_if_any($pdo);
 			$award_awards_id = $pdo->lastInsertId();
 
-			$q = $pdo->prepare("INSERT INTO award_awards_projectcategories (award_awards_id,projectcategories_id,year) VALUES ('$award_awards_id','$c_id','{$config['FAIRYEAR']}')");
-			$q->execute();
+			$q = $pdo->prepare("INSERT INTO award_awards_projectcategories (award_awards_id,projectcategories_id,year) VALUES (?,?,?");
+			$q->execute([$award_awards_id,$c_id,$config['FAIRYEAR']]);
 
-			$q = $pdo->prepare("INSERT INTO award_awards_projectdivisions (award_awards_id,projectdivisions_id,year) VALUES ('$award_awards_id','$d_id','{$config['FAIRYEAR']}')");
-			$q->execute();
+			$q = $pdo->prepare("INSERT INTO award_awards_projectdivisions (award_awards_id,projectdivisions_id,year) VALUES (?,?,?)");
+			$q->execute([$award_awards_id,$d_id,$config['FAIRYEAR']]);
 			$ord++;
 
 			echo '&nbsp;&nbsp;' . i18n('Prizes: ');
 			foreach ($prizes AS $prize) {
-				$q = $pdo->prepare("INSERT INTO award_prizes (award_awards_id,cash,scholarship,value,prize,number,`order`,excludefromac,trophystudentkeeper,trophystudentreturn,trophyschoolkeeper,trophyschoolreturn,year) VALUES (
-							'$award_awards_id',
-							'{$prize['cash']}',
-							'{$prize['scholarship']}',
-							'{$prize['value']}',
-							'{$prize['prize']}',
-							'{$prize['number']}',
-							'{$prize['order']}',
-							'{$prize['excludefromac']}',
-							'{$prize['trophystudentkeeper']}',
-							'{$prize['trophystudentreturn']}',
-							'{$prize['trophyschoolkeeper']}',
-							'{$prize['trophyschoolreturn']}',
-							'{$config['FAIRYEAR']}'
-							)");
+				$q = $pdo->prepare("INSERT INTO award_prizes (award_awards_id, cash, scholarship, value, prize, number, `order`, excludefromac, trophystudentkeeper, trophystudentreturn, trophyschoolkeeper, trophyschoolreturn, year) 
+					VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)");
+
+				$q->execute([
+					$award_awards_id,
+					$prize['cash'],
+					$prize['scholarship'],
+					$prize['value'],
+					$prize['prize'],
+					$prize['number'],
+					$prize['order'],
+					$prize['excludefromac'],
+					$prize['trophystudentkeeper'],
+					$prize['trophystudentreturn'],
+					$prize['trophyschoolkeeper'],
+					$prize['trophyschoolreturn'],
+					$config['FAIRYEAR']
+				]);
 
-				$q->execute();
 
 				echo $prize['prize'] . ',';
 			}
diff --git a/admin/award_awards.php b/admin/award_awards.php
index 08028650..2ec8f925 100644
--- a/admin/award_awards.php
+++ b/admin/award_awards.php
@@ -33,8 +33,8 @@ $_GET['action'] = $_GET['action'] ?? '';
 switch ($_GET['action']) {
 	case 'awardinfo_load':
 		$id = intval(get_value_from_array($_GET, 'id'));
-		$q = $pdo->prepare("SELECT * FROM award_awards WHERE id='$id'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT * FROM award_awards WHERE id=?");
+		$q->execute([$id]);
 		$ret = $q->fetch(PDO::FETCH_ASSOC);
 
 		// json_encode NEEDS UTF8 DATA, but we store it in the database as ISO :(
@@ -57,8 +57,8 @@ switch ($_GET['action']) {
 
 		if ($id == -1) {
 			$q = $pdo->prepare("INSERT INTO award_awards (year,self_nominate,schedule_judges) 
-					VALUES ('{$config['FAIRYEAR']}','yes','yes')");
-			$q->execute();
+					VALUES (?,'yes','yes')");
+			$q->execute([$config['FAIRYEAR']]);
 			$id = $pdo->lastInsertId();
 			happy_('Award Created');
 			/* Set the award_id in the client */
@@ -83,9 +83,9 @@ switch ($_GET['action']) {
 				criteria='" . iconv('UTF-8', 'ISO-8859-1', stripslashes($_POST['criteria'])) . "', 
 				sponsors_id='" . intval($_POST['sponsors_id']) . "' ";
 		}
-		$q .= "WHERE id='$id'";
+		$q .= "WHERE id=?";
 		$q = $pdo->prepare($q);
-		$q->execute();
+		$q->execute([$id]);
 		print_r($_POST);
 		echo $q;
 		show_pdo_errors_if_any($pdo);
@@ -97,15 +97,15 @@ switch ($_GET['action']) {
 		// select the current categories that this award is linked to
 		$ret = array('categories' => array(), 'divisions' => array());
 
-		$q = $pdo->prepare("SELECT * FROM award_awards_projectcategories WHERE award_awards_id='$id'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT * FROM award_awards_projectcategories WHERE award_awards_id=?");
+		$q->execute([$id]);
 		while ($r = $q->fetch(PDO::FETCH_ASSOC)) {
 			$ret['categories'][] = $r['projectcategories_id'];
 		}
 
 		// select the current categories that this award is linked to
-		$q = $pdo->$prepare("SELECT * FROM award_awards_projectdivisions WHERE award_awards_id='$id'");
-		$q->execute();
+		$q = $pdo->$prepare("SELECT * FROM award_awards_projectdivisions WHERE award_awards_id=?");
+		$q->execute([$id]);
 		while ($r = $q->fetch(PDO::FETCH_ASSOC)) {
 			$ret['divisions'][] = $r['projectdivisions_id'];
 		}
@@ -122,8 +122,8 @@ switch ($_GET['action']) {
 		}
 
 		// wipe out any old award-category links
-		$q = $pdo->prepare("DELETE FROM award_awards_projectcategories WHERE award_awards_id='$id'");
-		$q->execute();
+		$q = $pdo->prepare("DELETE FROM award_awards_projectcategories WHERE award_awards_id=?");
+		$q->execute([$id]);
 		foreach ($_POST['categories'] AS $key => $cat) {
 			$c = intval($cat);
 			$q = $pdo->prepare('INSERT INTO award_awards_projectcategories (award_awards_id, projectcategories_id, year) 
@@ -138,8 +138,8 @@ switch ($_GET['action']) {
 
 		// wipe out any old award-divisions links
 
-		$q = $pdo->prepare("DELETE FROM award_awards_projectdivisions WHERE award_awards_id='$id'");
-		$q->execute();
+		$q = $pdo->prepare("DELETE FROM award_awards_projectdivisions WHERE award_awards_id=?");
+		$q->execute([$id]);
 
 		// now add the new ones
 		foreach ($_POST['divisions'] AS $key => $div) {
@@ -165,8 +165,8 @@ switch ($_GET['action']) {
 				continue;
 			$order++;
 
-			$q = $pdo->prepare("UPDATE `award_prizes` SET `order`='$order' WHERE `id`='$id'");
-			$q->execute();
+			$q = $pdo->prepare("UPDATE `award_prizes` SET `order`=? WHERE `id`=?");
+			$q->execute([$order, $id]);
 		}
 		//	print_r($_GET);
 		happy_('Order Updated.');
@@ -179,8 +179,8 @@ switch ($_GET['action']) {
 				continue;
 			$order++;
 
-			$q = $pdo->prepare("UPDATE `award_awards` SET `order`='$order' WHERE `id`='$id'");
-			$q->execute();
+			$q = $pdo->prepare("UPDATE `award_awards` SET `order`=? WHERE `id`=?");
+			$q->execute([$order, $id]);
 		}
 		happy_('Order updated');
 		exit;
@@ -191,8 +191,8 @@ switch ($_GET['action']) {
 			$q = $pdo->prepare("SELECT * FROM award_prizes WHERE year='-1' AND award_awards_id='0' ORDER BY `order`");
 			$q->execute();
 		} else {
-			$q = $pdo->prepare("SELECT * FROM award_prizes WHERE award_awards_id='$id' ORDER BY `order`");
-			$q->execute();
+			$q = $pdo->prepare("SELECT * FROM award_prizes WHERE award_awards_id=? ORDER BY `order`");
+			$q->execute([$id]);
 		}
 		while ($r = $q->fetch(PDO::FETCH_ASSOC)) {
 			foreach ($r AS $k => $v) {
@@ -205,8 +205,8 @@ switch ($_GET['action']) {
 	case 'prize_load':
 		$id = intval($_GET['id']);
 
-		$q = $pdo->prepare("SELECT * FROM award_prizes WHERE id='$id'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT * FROM award_prizes WHERE id=?");
+		$q->execute([$id]);
 		$ret = $q->fetch(PDO::FETCH_ASSOC);
 		foreach ($ret AS $k => $v) {
 			$ret[$k] = iconv('ISO-8859-1', 'UTF-8', $v);
@@ -276,8 +276,8 @@ switch ($_GET['action']) {
 		$id = intval($_GET['id']);
 		/* Prepare two lists of fair IDs, for which fairs can upload and download this award */
 
-		$q = $pdo->prepare("SELECT * FROM fairs_awards_link WHERE award_awards_id='$id'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT * FROM fairs_awards_link WHERE award_awards_id=?");
+		$q->execute([$id]);
 		$ul = array();
 		$dl = array();
 		while ($r = $q->fetch(PDO::FETCH_ASSOC)) {
@@ -287,8 +287,8 @@ switch ($_GET['action']) {
 				$dl[$r['fairs_id']] = true;
 		}
 
-		$q = $pdo->prepare("SELECT * FROM award_awards WHERE id='$id'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT * FROM award_awards WHERE id=?");
+		$q->execute([$id]);
 		$a = $q->fetch(PDO::FETCH_ASSOC);
 		?>
 		<h4><?= i18n('Feeder Fairs') ?></h4>
@@ -354,16 +354,16 @@ switch ($_GET['action']) {
 
 		/* Now save each one */
 
-		$q = $pdo->prepare("DELETE FROM fairs_awards_link WHERE award_awards_id='$id'");
-		$q->execute();
+		$q = $pdo->prepare("DELETE FROM fairs_awards_link WHERE award_awards_id=?");
+		$q->execute([$id]);
 		show_pdo_errors_if_any($pdo);
 		foreach ($data as $fairs_id => $f) {
 			$dl = ($f['dl'] == true) ? 'yes' : 'no';
 			$ul = ($f['ul'] == true) ? 'yes' : 'no';
 
 			$q = $pdo->prepare("INSERT INTO fairs_awards_link (award_awards_id,fairs_id,download_award,upload_winners)
-					VALUES ('$id','$fairs_id','$dl','$ul')");
-			$q->execute();
+					VALUES (?,?,?,?)");
+			$q->execute([$id,$fairs_id,$dl,$ul]);
 			show_pdo_errors_if_any($pdo);
 		}
 		$ident = stripslashes($_POST['identifier']);
@@ -371,12 +371,12 @@ switch ($_GET['action']) {
 		$mat = intval($_POST['additional_materials']);
 		$w = intval($_POST['register_winners']);
 
-		$q = $pdo->prepare("UPDATE award_awards SET external_identifier='$ident',
-							external_additional_materials='$mat',
-							external_register_winners='$w',
-							per_fair='$per_fair'
-						WHERE id='$id'");
-		$q->execute();
+		$q = $pdo->prepare("UPDATE award_awards SET external_identifier=?,
+							external_additional_materials=?,
+							external_register_winners=?,
+							per_fair=?
+						WHERE id=?");
+		$q->execute([[$ident, $mat,$w],$per_fair,$id]);
 
 		happy_('Feeder Fair information saved');
 		exit;
@@ -729,8 +729,8 @@ while ($sr = $sq->fetch(PDO::FETCH_OBJ)) {
 			</td></tr>
 		<tr><td><?= i18n('Type') ?>:</td><td>
 <?
-$tq = $pdo->prepare("SELECT id,type FROM award_types WHERE year='{$config['FAIRYEAR']}' ORDER BY type");
-$tq->execute();
+$tq = $pdo->prepare("SELECT id,type FROM award_types WHERE year=? ORDER BY type");
+$tq->execute([$config['FAIRYEAR']]);
 echo '<select id="awardinfo_award_types_id" name="award_types_id">';
 // only show the "choose a type" option if we are adding,if we are editing, then they must have already chosen one.
 echo $firsttype;
@@ -1110,14 +1110,14 @@ award_awards
 LEFT JOIN sponsors ON sponsors.id = award_awards.sponsors_id
 LEFT JOIN award_types ON award_types.id = award_awards.award_types_id
 WHERE 
-				award_awards.year='{$config['FAIRYEAR']}'
+				award_awards.year=?
 				$where_asi
 				$where_ati
-			AND \taward_types.year='{$config['FAIRYEAR']}'
+			AND \taward_types.year=?
 		$orderby
 ");
 
-$q->execute();
+$q->execute([$config['FAIRYEAR'],$config['FAIRYEAR']]);
 
 show_pdo_errors_if_any($pdo);
 
@@ -1147,8 +1147,8 @@ if ($q->rowCount()) {
 		echo " <td $eh>{$r->type}</td>\n";
 		echo " <td $eh>{$r->name}</td>\n";
 
-		$numq = $pdo->prepare("SELECT SUM(number) AS num FROM award_prizes WHERE award_awards_id='{$r->id}'");
-		$numq->execute();
+		$numq = $pdo->prepare("SELECT SUM(number) AS num FROM award_prizes WHERE award_awards_id=?");
+		$numq->execute([$r->id]);
 		$numr = $numq->fetch(PDO::FETCH_ASSOC);
 		if (!$numr['num'])
 			$numr['num'] = 0;
diff --git a/admin/award_download.php b/admin/award_download.php
index dbbd6830..f4deba09 100644
--- a/admin/award_download.php
+++ b/admin/award_download.php
@@ -72,8 +72,8 @@ switch (get_value_from_array($_GET, 'action')) {
 
 		// get a list of all the existing awards for this external source
 
-		$aq = $pdo->prepare("SELECT * FROM award_awards WHERE award_source_fairs_id='$fairs_id' AND year='{$config['FAIRYEAR']}'");
-		$aq->execute();
+		$aq = $pdo->prepare("SELECT * FROM award_awards WHERE award_source_fairs_id=? AND year=?");
+		$aq->execute([$fairs_id,$config['FAIRYEAR']]);
 		$existingawards = array();
 		while ($ar = $aq->fetch(PDO::FETCH_OBJ)) {
 			$existingawards[$ar->id] = true;
@@ -109,29 +109,29 @@ switch (get_value_from_array($_GET, 'action')) {
 			}
 
 			$tq = $pdo->prepare("SELECT * FROM award_awards WHERE 
-					external_identifier='$identifier' AND 
-					award_source_fairs_id='$fairs_id' AND 
-					year='$year'");
-			$tq->execute();
+					external_identifier=? AND 
+					award_source_fairs_id=? AND 
+					year=?");
+			$tq->execute([$identifier,$fairs_id,$year]);
 			if ($tq->rowCount() == 0) {
 				/* Award doesn't exist, create it, then update it with the common code below */
 
 				$q = $pdo->prepare("INSERT INTO award_awards (award_types_id,
 						year, external_identifier,
 						award_source_fairs_id) 
-					VALUES (2,'{$year}',
-					'" . $identifier . "',
-					'$fairs_id')");
-				$q->execute();
+					VALUES (2,?,
+					?,
+					?)");
+				$q->execute([$year,$identifier,$fairs_id]);
 				$award_id = $pdo->lastInsertId();
 				/* By default make all divs/cats eligible */
 				foreach ($divs as $id => $d)
-					$q = $pdo->prepare("INSERT INTO award_awards_projectdivisions(award_awards_id,projectdivisions_id,year) VALUES ('$award_id','$id','{$config['FAIRYEAR']}')");
-				$q->execute();
+					$q = $pdo->prepare("INSERT INTO award_awards_projectdivisions(award_awards_id,projectdivisions_id,year) VALUES (?,?,?)");
+				$q->execute([$award_id,$id,$config['FAIRYEAR']]);
 
 				foreach ($cats as $id => $c)
-					$q = $pdo->prepare("INSERT INTO award_awards_projectcategories(award_awards_id,projectcategories_id,year) VALUES ('$award_id','$id','{$config['FAIRYEAR']}')");
-				$q->execute();
+					$q = $pdo->prepare("INSERT INTO award_awards_projectcategories(award_awards_id,projectcategories_id,year) VALUES (?,?,?)");
+				$q->execute([$award_id,$id,$config['FAIRYEAR']]);
 			} else {
 				echo i18n('Award already exists, updating info') . '<br />';
 				$awardrecord = $q->fetch(PDO::FETCH_OBJ);
@@ -144,14 +144,14 @@ switch (get_value_from_array($_GET, 'action')) {
 			// check if the sponsor exists, if not, add them
 			$sponsor_str = $award['sponsor'];
 
-			$sponsorq = $pdo->prepare("SELECT * FROM sponsors WHERE organization='$sponsor_str'");
-			$sponsorq->execute();
+			$sponsorq = $pdo->prepare("SELECT * FROM sponsors WHERE organization=?");
+			$sponsorq->execute([$sponsor_str]);
 			if ($sponsorr = $sponsorq->fetch(PDO::FETCH_OBJ)) {
 				$sponsor_id = $sponsorr->id;
 			} else {
 				$q = $pdo->prepare("INSERT INTO sponsors (organization,year,notes) 
-				VALUES ('$sponsor_str','$year','" . "Imported from external source: $r->name" . "')");
-				$q->execute();
+				VALUES (?,?,'" . "Imported from external source: $r->name" . "')");
+				$q->execute([$sponsor_str,$year]);
 				show_pdo_errors_if_any($pdo);
 				$sponsor_id = $pdo->lastInsertId();
 			}
@@ -159,21 +159,33 @@ switch (get_value_from_array($_GET, 'action')) {
 			$self_nominate = ($award['self_nominate'] == 'yes') ? 'yes' : 'no';
 			$schedule_judges = ($award['schedule_judges'] == 'yes') ? 'yes' : 'no';
 
-			$q = $pdo->prepare("UPDATE award_awards SET
-				sponsors_id='$sponsor_id',
-				name='" . $award['name_en'] . "',
-				criteria='" . $award['criteria_en'] . "',
-				external_postback='" . $postback . "',
-				external_register_winners='" . (($award['external_register_winners'] == 1) ? 1 : 0) . "',
-				external_additional_materials='" . (($award['external_additional_materials'] == 1) ? 1 : 0) . "',
-				self_nominate='$self_nominate',
-				schedule_judges='$schedule_judges'
-			WHERE 
-				id='$award_id' 
-				AND external_identifier='" . $identifier . "' 
-				AND year='$year'
-		");
-			$q->execute();
+			$q = $pdo->prepare("UPDATE award_awards SET 
+				sponsors_id = ?, 
+				name = ?, 
+				criteria = ?, 
+				external_postback = ?, 
+				external_register_winners = ?, 
+				external_additional_materials = ?, 
+				self_nominate = ?, 
+				schedule_judges = ? 
+				WHERE id = ? 
+				AND external_identifier = ? 
+				AND year = ?");
+
+			$q->execute([
+				$sponsor_id,
+				$award['name_en'],
+				$award['criteria_en'],
+				$postback,
+				($award['external_register_winners'] == 1) ? 1 : 0,
+				($award['external_additional_materials'] == 1) ? 1 : 0,
+				$self_nominate,
+				$schedule_judges,
+				$award_id,
+				$identifier,
+				$year
+			]);
+
 			show_pdo_errors_if_any($pdo);
 
 			// update the prizes
@@ -185,8 +197,8 @@ switch (get_value_from_array($_GET, 'action')) {
 			echo i18n('Number of prizes: %1', array(count($prizes))) . '<br />';
 			/* Get existing prizes */
 
-			$pq = $pdo->prepare("SELECT * FROM award_prizes WHERE award_awards_id='$award_id'");
-			$pq->execute();
+			$pq = $pdo->prepare("SELECT * FROM award_prizes WHERE award_awards_id=?");
+			$pq->execute([$award_id]);
 			$existingprizes = array();
 			while ($pr = $pq->fetch(PDO::FETCH_ASSOC))
 				$existingprizes[$pr['prize']] = $pr;
@@ -204,8 +216,8 @@ switch (get_value_from_array($_GET, 'action')) {
 					$p = stripslashes($prize['prize_en']);
 
 					$q = $pdo->prepare("INSERT INTO award_prizes (award_awards_id,prize,year,external_identifier)
-					VALUES ('$award_id','$p','$year','$p')");
-					$q->execute();
+					VALUES (?,?,?,?)");
+					$q->execute([$award_id,$p,$year,$p]);
 					$prize_id = $pdo->lastInsertId();
 				} else {
 					$ep = $existingprizes[$prize['prize_en']];
@@ -218,22 +230,35 @@ switch (get_value_from_array($_GET, 'action')) {
 				if (!array_key_exists('identifier', $prize))
 					$prize['identifier'] = $prize['prize_en'];
 
-				$q = $pdo->prepare("UPDATE award_prizes SET 
-					cash='" . intval($prize['cash']) . "',
-					scholarship='" . intval($prize['scholarship']) . "',
-					value='" . intval($prize['value']) . "',
-					prize='" . $prize['prize_en'] . "',
-					number='" . intval($prize['number']) . "',
-					`order`='" . intval($prize['ord']) . "',
-					external_identifier='" . stripslashes($prize['identifier']) . "',
-					trophystudentkeeper='" . intval($prize['trophystudentkeeper']) . "',
-					trophystudentreturn='" . intval($prize['trophystudentreturn']) . "',
-					trophyschoolkeeper='" . intval($prize['trophyschoolkeeper ']) . "',
-					trophyschoolreturn='" . intval($prize['trophyschoolreturn']) . "'
-				WHERE
-					id='$prize_id'");
-
-				$q->execute();
+					$q = $pdo->prepare("UPDATE award_prizes SET 
+						cash =?, 
+						scholarship =?, 
+						value =?, 
+						prize =?, 
+						number =?, 
+						`order` =?, 
+						external_identifier =?, 
+						trophystudentkeeper =?, 
+						trophystudentreturn =?, 
+						trophyschoolkeeper =?, 
+						trophyschoolreturn =? 
+						WHERE id =?");
+				
+					$q->execute([
+						intval($prize['cash']),
+						intval($prize['scholarship']),
+						intval($prize['value']),
+						$prize['prize_en'],
+						intval($prize['number']),
+						intval($prize['ord']),
+						stripslashes($prize['identifier']),
+						intval($prize['trophystudentkeeper']),
+						intval($prize['trophystudentreturn']),
+						intval($prize['trophyschoolkeeper']),
+						intval($prize['trophyschoolreturn']),
+						$prize_id
+				]);
+				
 
 				show_pdo_errors_if_any($pdo);
 				// FIXME: update the translations
diff --git a/admin/award_upload.php b/admin/award_upload.php
index e3dbc762..670fb9d8 100644
--- a/admin/award_upload.php
+++ b/admin/award_upload.php
@@ -69,7 +69,8 @@ function get_winners($awardid, $fairs_id)
 	if ($awardid == -1) {
 		/* Get all for this fair */
 
-		$q = $pdo->prepare("SELECT * FROM award_awards WHERE award_source_fairs_id='$fairs_id' AND year='{$config['FAIRYEAR']}'");
+		$q = $pdo->prepare("SELECT * FROM award_awards WHERE award_source_fairs_id=? AND year=?");
+		$q->execute([$fairs_id,$config['FAIRYEAR']]);
 		if ($q->rowCount() == 0) {
 			error_("Can't find award id $awardid");
 			return false;
@@ -80,8 +81,8 @@ function get_winners($awardid, $fairs_id)
 	} else {
 		/* Get the award */
 
-		$q = $pdo->prepare("SELECT * FROM award_awards WHERE id='$awardid' AND year='{$config['FAIRYEAR']}'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT * FROM award_awards WHERE id=? AND year=?");
+		$q->execute([$awardid,$config['FAIRYEAR']]);
 		if ($q->rowCount() != 1) {
 			error_("Can't find award id $awardid");
 			return false;
@@ -92,8 +93,8 @@ function get_winners($awardid, $fairs_id)
 
 	/* Get the fair for the div/cat mappings */
 
-	$q = $pdo->prepare("SELECT * FROM fairs WHERE id='{$award['award_source_fairs_id']}'");
-	$q->execute();
+	$q = $pdo->prepare("SELECT * FROM fairs WHERE id=?");
+	$q->execute([$award['award_source_fairs_id']]);
 	$fair = $q->fetch(PDO::FETCH_ASSOC);
 
 	$catmap = unserialize($fair['catmap']);
@@ -113,8 +114,8 @@ function get_winners($awardid, $fairs_id)
 
 		/* Get the prizes */
 
-		$q = $pdo->prepare("SELECT * FROM award_prizes WHERE award_awards_id='{$award['id']}'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT * FROM award_prizes WHERE award_awards_id=?");
+		$q->execute([$award['id']]);
 		while ($prize = $q->fetch(PDO::FETCH_ASSOC)) {
 			$pid = $prize['id'];
 
@@ -122,24 +123,24 @@ function get_winners($awardid, $fairs_id)
 						LEFT JOIN winners ON winners.awards_prizes_id=award_prizes.id
 						LEFT JOIN projects ON projects.id=winners.projects_id
 					WHERE 
-						awards_prizes_id='$pid' AND 
-						winners.year='{$config['FAIRYEAR']}'");
-			$wq->execute();
+						awards_prizes_id=? AND 
+						winners.year=?");
+			$wq->execute([$pid,$config['FAIRYEAR']]);
 			show_pdo_errors_if_any($pdo);
 			/* Get all projects assigned to this prize */
 			$prizewinners = array();
 			while ($project = $wq->fetch(PDO::FETCH_ASSOC)) {
 				/* Get the students */
 
-				$sq = $pdo->prepare("SELECT * FROM students WHERE registrations_id='{$project['registrations_id']}'
-							AND year='{$config['FAIRYEAR']}'");
-				$sq->execute();
+				$sq = $pdo->prepare("SELECT * FROM students WHERE registrations_id=?
+							AND year=?");
+			$sq->execute([$project['registrations_id'],$config['FAIRYEAR']]);
 				$students = array();
 				while ($s = $sq->fetch(PDO::FETCH_ASSOC)) {
 					/* Get the student's school */
 
-					$schoolq = $pdo->prepare("SELECT * FROM schools WHERE id='{$s['schools_id']}'");
-					$schoolq->execute();
+					$schoolq = $pdo->prepare("SELECT * FROM schools WHERE id=?");
+					$schoolq->execute([$s['schools_id']]);
 					$schoolr = $schoolq->fetch(PDO::FETCH_ASSOC);
 					$school = array('xml_type' => 'school');  /* for ysc compatability */
 					foreach ($school_fields as $k => $v)
@@ -191,8 +192,8 @@ function count_winners($awardid, $fairs_id)
 	if ($awardid == -1) {
 		/* Get all for this fair */
 
-		$q = $pdo->prepare("SELECT * FROM award_awards WHERE award_source_fairs_id='$fairs_id' AND year='{$config['FAIRYEAR']}'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT * FROM award_awards WHERE award_source_fairs_id=? AND year=?");
+		$q->execute([$fairs_id,$config['FAIRYEAR']]);
 		if ($q->rowCount() == 0) {
 			error_("Can't find award id $awardid");
 			return 0;
@@ -203,8 +204,8 @@ function count_winners($awardid, $fairs_id)
 	} else {
 		/* Get the award */
 
-		$q = $pdo->prepare("SELECT * FROM award_awards WHERE id='$awardid' AND year='{$config['FAIRYEAR']}'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT * FROM award_awards WHERE id=? AND year=?");
+		$q->execute([$awardid,$config['FAIRYEAR']]);
 		if ($q->rowcount() != 1) {
 			error_("Can't find award id $awardid");
 			return 0;
@@ -216,8 +217,8 @@ function count_winners($awardid, $fairs_id)
 	foreach ($awards as $award) {
 		/* Get the prizes */
 
-		$q = $pdo->prepare("SELECT * FROM award_prizes WHERE award_awards_id='{$award['id']}'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT * FROM award_prizes WHERE award_awards_id=?");
+		$q->execute([$award['id']]);
 		while ($prize = $q->fetch(PDO::FETCH_ASSOC)) {
 			$pid = $prize['id'];
 
@@ -225,9 +226,9 @@ function count_winners($awardid, $fairs_id)
 						LEFT JOIN winners ON winners.awards_prizes_id=award_prizes.id
 						LEFT JOIN projects ON projects.id=winners.projects_id
 					WHERE 
-						awards_prizes_id='$pid' AND 
-						winners.year='{$config['FAIRYEAR']}'");
-			$wq->execute();
+						awards_prizes_id=? AND 
+						winners.year=?");
+			$wq->execute([$pid,$config['FAIRYEAR']]);
 			$wc = $wq->fetch(PDO::FETCH_ASSOC);
 			$count += $wc['C'];
 		}
@@ -239,8 +240,8 @@ function load_server_cats_divs($fairs_id)
 {
 	global $config, $pdo;
 
-	$q = $pdo->prepare("SELECT * FROM fairs WHERE id='$fairs_id'");
-	$q->execute();
+	$q = $pdo->prepare("SELECT * FROM fairs WHERE id=?");
+	$q->execute([$fairs_id]);
 	$fair = $q->fetch(PDO::FETCH_ASSOC);
 
 	$req = array('get_categories' => array('year' => $config['FAIRYEAR']),
@@ -254,8 +255,8 @@ function load_server_cats_divs($fairs_id)
 		$catmap = array();
 		/* Load ours */
 
-		$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year='{$config['FAIRYEAR']}' ORDER BY mingrade");
-		$q->execute();
+		$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year=? ORDER BY mingrade");
+		$q->execute([$config['FAIRYEAR']]);
 		while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 			foreach ($data['categories'] as $id => $c) {
 				if ($c['mingrade'] == $r->mingrade) {
@@ -270,8 +271,8 @@ function load_server_cats_divs($fairs_id)
 	} else {
 		$ret['divmap'] = array();
 
-		$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year='{$config['FAIRYEAR']}' ORDER BY id");
-		$q->execute();
+		$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year=? ORDER BY id");
+		$q->execute([$config['FAIRYEAR']]);
 		while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 			$lowest = 999;
 			$lowest_id = 0;
@@ -300,8 +301,8 @@ switch (get_value_from_array($_GET, 'action')) {
 
 		/* Get the fair */
 
-		$q = $pdo->prepare("SELECT * FROM fairs WHERE id='$fairs_id}'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT * FROM fairs WHERE id=?");
+		$q->execute([$fairs_id]);
 		$fair = $q->fetch(PDO::FETCH_ASSOC);
 
 		echo '<br />';
@@ -393,8 +394,8 @@ switch (get_value_from_array($_GET, 'action')) {
 		list($c, $d, $cm, $dm) = load_server_cats_divs($fairs_id);
 		$divs = projectdivisions_load();
 
-		$q = $pdo->prepare("SELECT * FROM fairs WHERE id='$fairs_id}'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT * FROM fairs WHERE id=?");
+		$q->execute([$fairs_id]);
 		$fair = $q->fetch(PDO::FETCH_ASSOC);
 
 ?>	<h4><?= i18n('Division Mapping') ?></h4>
@@ -439,9 +440,9 @@ switch (get_value_from_array($_GET, 'action')) {
 		$catmap = serialize($cat);
 		$divmap = serialize($div);
 
-		$q = $pdo->prepare("UPDATE fairs SET catmap='$catmap',divmap='$divmap' WHERE id='$fairs_id'");
+		$q = $pdo->prepare("UPDATE fairs SET catmap=?,divmap=? WHERE id=?");
 
-		$q->execute();
+		$q->execute([$catmap,$divmap,$fairs_id]);
 		show_pdo_errors_if_any($pdo);
 
 		happy_('Category/Division mapping information saved');
@@ -450,12 +451,12 @@ switch (get_value_from_array($_GET, 'action')) {
 	case 'additional_materials':
 		$award_awards_id = intval($_GET['award_awards_id']);
 
-		$q = $pdo->prepare("SELECT award_source_fairs_id,external_identifier FROM award_awards WHERE id='$award_awards_id'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT award_source_fairs_id,external_identifier FROM award_awards WHERE id=?");
+		$q->execute([$award_awards_id]);
 		$a = $q->fetch(PDO::FETCH_ASSOC);
 
-		$q = $pdo->prepare("SELECT * FROM fairs WHERE id='{$a['award_source_fairs_id']}'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT * FROM fairs WHERE id=?");
+		$q->execute([$a['award_source_fairs_id']]);
 		$fair = $q->fetch(PDO::FETCH_ASSOC);
 		$req = array('award_additional_materials' => array(
 			'year' => $config['FAIRYEAR'],
@@ -474,8 +475,8 @@ switch (get_value_from_array($_GET, 'action')) {
 		$winners = get_winners($award_awards_id, $fairs_id);
 		$divs = projectdivisions_load();
 
-		$q = $pdo->prepare("SELECT * FROM fairs WHERE id='$fairs_id}'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT * FROM fairs WHERE id=?");
+		$q->execute([$fairs_id]);
 		$fair = $q->fetch(PDO::FETCH_ASSOC);
 
 		echo i18n("The following list of winning projects/students will be sent to: <b>%1</b>.  Use the 'Edit Default Division Assignments' button to change the default mappings for divisions.  You can over-ride any division assignment by changing it in the list below.  Category assignments are done automatically based on grade.  When you are happy with the list below, click the 'Upload Winners' button.", array($fair['name']));
@@ -702,10 +703,10 @@ if (!function_exists('curl_init')) {
 $q = $pdo->prepare("SELECT fairs.id, fairs.name, fairs.type, COUNT(award_awards.id) as AWARD_COUNT FROM fairs 
 			LEFT JOIN award_awards ON award_awards.award_source_fairs_id=fairs.id
 			WHERE award_awards.award_source_fairs_id IS NOT NULL
-				AND award_awards.year='{$config['FAIRYEAR']}'
+				AND award_awards.year=?
 			GROUP BY fairs.id
 			ORDER BY fairs.name ");
-$q->execute();
+$q->execute([$config['FAIRYEAR']]);
 show_pdo_errors_if_any($pdo);
 
 ?>
@@ -747,9 +748,9 @@ $q = $pdo->prepare("SELECT award_awards.id, award_awards.name AS awardname,
 			FROM award_awards 
 			LEFT JOIN fairs ON fairs.id=award_awards.award_source_fairs_id 
 			WHERE award_awards.award_source_fairs_id IS NOT NULL
-				AND award_awards.year='{$config['FAIRYEAR']}'
+				AND award_awards.year=?
 			ORDER BY fairs.name, award_awards.name");
-$q->execute();
+$q->execute([$config['FAIRYEAR']]);
 show_pdo_errors_if_any($pdo);
 
 ?>
diff --git a/admin/awards.inc.php b/admin/awards.inc.php
index 0dca7404..eb5aae87 100644
--- a/admin/awards.inc.php
+++ b/admin/awards.inc.php
@@ -27,8 +27,8 @@ function award_delete($award_awards_id)
 {
     /* Delete all winners attached to this award */
 
-    $q = $pdo->prepare("SELECT id FROM award_prizes WHERE award_awards_id='$award_awards_id'");
-    $q->execute();
+    $q = $pdo->prepare("SELECT id FROM award_prizes WHERE award_awards_id=?");
+    $q->execute([$award_awards_id]);
 
     while (($p = $q->fetch(PDO::FETCH_ASSOC))) {
         $q = $pdo->prepare();
@@ -40,26 +40,26 @@ function award_delete($award_awards_id)
 
      /* Delete the award */
 
-    $q = $pdo->prepare("DELETE FROM award_prizes WHERE award_awards_id='$award_awards_id'");
-    $q->execute();
+    $q = $pdo->prepare("DELETE FROM award_prizes WHERE award_awards_id=?");
+    $q->execute([$award_awards_id]);
 
-    $q = $pdo->prepare("DELETE FROM award_awards_projectcategories WHERE award_awards_id='$award_awards_id'");
-    $q->execute();
+    $q = $pdo->prepare("DELETE FROM award_awards_projectcategories WHERE award_awards_id=?");
+    $q->execute([$award_awards_id]);
 
-    $q = $pdo->prepare("DELETE FROM award_awards_projectdivisions WHERE award_awards_id='$award_awards_id'");
-    $q->execute();
+    $q = $pdo->prepare("DELETE FROM award_awards_projectdivisions WHERE award_awards_id=?");
+    $q->execute([$award_awards_id]);
 
-    $q = $pdo->prepare("DELETE FROM award_awards WHERE id='$award_awards_id'");
-    $q->execute();
+    $q = $pdo->prepare("DELETE FROM award_awards WHERE id=?");
+    $q->execute([$award_awards_id]);
 }
 
 function award_prize_delete($award_prizes_id)
 {
-    $q = $pdo->prepare("DELETE FROM winners WHERE award_prizes_id='$award_prizes_id'");
-    $q->execute();
+    $q = $pdo->prepare("DELETE FROM winners WHERE award_prizes_id=?");
+    $q->execute([$award_prizes_id]);
 
-    $q = $pdo->prepare("DELETE FROM award_prizes WHERE id='$award_prizes_id'");
-    $q->execute();
+    $q = $pdo->prepare("DELETE FROM award_prizes WHERE id=?");
+    $q->execute([$award_prizes_id]);
 }
 
 ?>
diff --git a/admin/cms.php b/admin/cms.php
index 42512b2e..555878e8 100644
--- a/admin/cms.php
+++ b/admin/cms.php
@@ -71,14 +71,14 @@ if (get_value_from_array($_POST, 'action') == 'save') {
 		$text = stripslashes(get_value_from_array($_POST, $textname, ''));
 
 		$q = $pdo->prepare("INSERT INTO cms (filename,dt,lang,text,title,showlogo) VALUES (
-			'" . $filename . "',
-			'$insertdt',
-			'$lang',
-			'" . $text . "',
-			'" . get_value_from_array($_POST, $titlename, '') . "',
-			'" . get_value_from_array($_POST, $showlogoname, '') . "'
+			?,
+			?,
+			?,
+			?,
+			?,
+			?
 			)");
-		$q->execute();
+		$q->execute([$filename,$insertdt,$lang,$text,get_value_from_array($_POST, $titlename, ''),get_value_from_array($_POST, $showlogoname, '')]);
 		if ($pdo->errorInfo()) {
 			echo error(i18n('An error occurred saving %1 in %2', array($filename, $langname)));
 			$err = true;
@@ -103,8 +103,8 @@ if (get_value_from_array($_GET, 'filename', '') || get_value_from_array($_GET, '
 		echo '<table class="tableview" width="100%">';
 		echo '<tr><th colspan="2">';
 
-		$q = $pdo->prepare("SELECT * FROM cms WHERE filename='" . get_value_from_array($_GET, 'filename', '') . "' AND lang='$lang' ORDER BY dt DESC LIMIT 1");
-		$q->execute();
+		$q = $pdo->prepare("SELECT * FROM cms WHERE filename=? AND lang=? ORDER BY dt DESC LIMIT 1");
+		$q->execute([get_value_from_array($_GET, 'filename', ''),$lang]);
 		if ($r = $q->fetch(PDO::FETCH_OBJ)) {
 			if ($r->dt == '0000-00-00 00:00:00' || !$r->dt)
 				$dt = 'Never';
@@ -112,8 +112,8 @@ if (get_value_from_array($_GET, 'filename', '') || get_value_from_array($_GET, '
 				$dt = $r->dt;
 			echo '<b>' . htmlspecialchars($_GET['filename']) . " - $langname</b> &nbsp;&nbsp; " . i18n('Last updated') . ": $dt<br />";
 			if ($_GET['dt']) {
-				$q2 = $pdo->prepare("SELECT * FROM cms WHERE filename='" . $_GET['filename'] . "' AND lang='$lang' AND dt<='" . $_GET['dt'] . "' ORDER BY dt DESC LIMIT 1");
-				$q2->execute();
+				$q2 = $pdo->prepare("SELECT * FROM cms WHERE filename=? AND lang=? AND dt<=? ORDER BY dt DESC LIMIT 1");
+				$q2->execute([$_GET['filename'], $lang, $_GET['dt']]);
 				$r2 = $q2->fetch(PDO::FETCH_OBJ);
 				if ($r2->dt != $r->dt) {
 					echo "Displaying historical file.  Date: $r->dt";
@@ -163,8 +163,8 @@ if (get_value_from_array($_GET, 'filename', '') || get_value_from_array($_GET, '
 
 	echo '<tr><th>' . i18n('File History') . "</th></tr>\n";
 
-	$q = $pdo->prepare("SELECT DISTINCT(dt) FROM cms WHERE filename='" . get_value_from_array($_GET, 'filename', '') . "' ORDER BY dt DESC LIMIT $historylimit");
-	$q->execute();
+	$q = $pdo->prepare("SELECT DISTINCT(dt) FROM cms WHERE filename=? ORDER BY dt DESC LIMIT ?");
+	$q->execute([get_value_from_array($_GET, 'filename', ''),$historylimit]);
 	$first = true;
 	if ($q->rowCount()) {
 		while ($r = $q->fetch(PDO::FETCH_OBJ)) {
@@ -207,8 +207,8 @@ if (get_value_from_array($_GET, 'filename', '') || get_value_from_array($_GET, '
 	echo '<tr><th>' . i18n('Filename') . '</th><th>' . i18n('Last Update') . '</th></tr>';
 	while ($r = $q->fetch(PDO::FETCH_ASSOC)) {
 		echo '<tr><td><a href="cms.php?filename=' . rawurlencode($r->filename) . "\">/web/$r->filename</a></td>";
-		$q2 = $pdo->prepare("SELECT dt FROM cms WHERE filename='" . $r->filename . "' ORDER BY dt DESC LIMIT 1");
-
+		$q2 = $pdo->prepare("SELECT dt FROM cms WHERE filename=? ORDER BY dt DESC LIMIT 1");
+		$q->execute($r->filename);
 		$r2 = $q2->fetch(PDO::FETCH_OBJ);
 		if ($r2->dt == '0000-00-00 00:00:00')
 			$dt = 'Never';
diff --git a/admin/committees.php b/admin/committees.php
index f62db68b..28eed071 100644
--- a/admin/committees.php
+++ b/admin/committees.php
@@ -127,8 +127,8 @@ global $uid;
 if (get_value_from_array($_POST, 'addcommittee')) {
 	// add a new committee
 	// re-order the committees
-	$q = $pdo->prepare("INSERT INTO committees (name) VALUES ('" . $_POST['addcommittee'] . "')");
-	$q->execute();
+	$q = $pdo->prepare("INSERT INTO committees (name) VALUES (?)");
+	$q->execute([$_POST['addcommittee']]);
 	echo happy(i18n('Committee successfully added'));
 }
 
@@ -143,8 +143,8 @@ if (get_value_from_array($_POST, 'committees_id') && get_value_from_array($_POST
 	while (get_value_from_array($ids, $x)) {
 		$cid = intval($ids[$x]);
 
-		$q = $pdo->prepare("UPDATE committees SET ord='" . intval($ords[$x]) . "' WHERE id='$cid'");
-		$q->execute();
+		$q = $pdo->prepare("UPDATE committees SET ord=? WHERE id=?");
+		$q->execute([intval($ords[$x]),$cid]);
 		$x++;
 
 		$ctitle = $titles[$cid];
@@ -163,9 +163,9 @@ if (get_value_from_array($_POST, 'committees_id') && get_value_from_array($_POST
 			$t = stripslashes($title);
 			$u = intval($uid);
 
-			$q = $pdo->prepare("UPDATE committees_link SET title='$t', ord='$o'
-				WHERE committees_id='$cid' AND users_uid='$u'");
-			$q->execute();
+			$q = $pdo->prepare("UPDATE committees_link SET title=?, ord=?
+				WHERE committees_id=? AND users_uid=?");
+			$q->execute([$t,$o,$cid,$u]);
 		}
 	}
 	echo happy(i18n('Committees successfully saved'));
@@ -174,12 +174,12 @@ if (get_value_from_array($_POST, 'committees_id') && get_value_from_array($_POST
 if (get_value_from_array($_POST, 'action') == 'assign') {
 	if (get_value_from_array($_POST, 'committees_id') && get_value_from_array($_POST, 'users_uid')) {
 		$cid = intval($_POST['committees_id']);
-		$q = $pdo->prepare("SELECT * FROM committees_link WHERE committees_id='$cid' AND users_uid='$uid'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT * FROM committees_link WHERE committees_id=? AND users_uid=?");
+		$q->execute([$cid,$uid]);
 
 		if (!$q->rowCount()) {
-			$q = $pdo->prepare("INSERT INTO committees_link (committees_id,users_uid) VALUES ('$cid','$uid')");
-			$q->execute();
+			$q = $pdo->prepare("INSERT INTO committees_link (committees_id,users_uid) VALUES (?,?)");
+			$q->execute([$cid,$uid]);
 			echo happy(i18n('Successfully added member to committee'));
 		} else
 			echo error(i18n('That member already exists in that committee'));
@@ -190,8 +190,8 @@ if (get_value_from_array($_POST, 'action') == 'assign') {
 if (get_value_from_array($_GET, 'deletecommittee')) {
 	$del = intval($_GET['deletecommittee']);
 
-	$q = $pdo->prepare("DELETE FROM committees WHERE id='$del'");
-	$q->execute();
+	$q = $pdo->prepare("DELETE FROM committees WHERE id=?");
+	$q->execute([$del]);
 	echo happy(i18n('Committee removed'));
 }
 
@@ -206,8 +206,8 @@ if (get_value_from_array($_GET, 'unlinkmember') && get_value_from_array($_GET, '
 	$com = intval($_GET['unlinkcommittee']);
 	// unlink the member from the committee
 
-	$q = $pdo->prepare("DELETE FROM committees_link WHERE users_uid='$mem' AND committees_id='$com'");
-	$q->execute();
+	$q = $pdo->prepare("DELETE FROM committees_link WHERE users_uid=? AND committees_id=?");
+	$q->execute([$mem,$com]);
 	echo happy(i18n('Committee member unlinked from committee'));
 }
 
@@ -313,11 +313,11 @@ if ($q->rowCount()) {
 								users.lastname
 								FROM committees_link 
 								JOIN users ON users.uid = committees_link.users_uid 
-								WHERE committees_id='{$r->id}' 
+								WHERE committees_id=? 
 								GROUP BY users.uid 
 								ORDER BY ord,
 								users.lastname ");
-		$q2->execute();
+		$q2->execute([$r->id]);
 
 		if ($q2->rowCount() == 0) {
 			echo '&nbsp; &nbsp;';
diff --git a/admin/communication.php b/admin/communication.php
index ac9f0d22..51d56c35 100644
--- a/admin/communication.php
+++ b/admin/communication.php
@@ -46,8 +46,8 @@ function launchQueue()
 switch (get_value_from_array($_GET, 'action')) {
 	case 'dialog_choose_load':
 		$emails_id = intval($_GET['emails_id']);
-		$q = $pdo->prepare("SELECT * FROM emails WHERE id='$emails_id'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT * FROM emails WHERE id=?");
+		$q->execute([$emails_id]);
 		$e = $q->fetch(PDO::FETCH_ASSOC);
 		?>
 	<table class="editor">
@@ -70,8 +70,8 @@ case 'dialog_choose':
 		<option value="-1">-- <?= i18n('Choose a Communication') ?> --</option>
 	<?
 	$type = $pdo->quote($_GET['type']);
-	$q = $pdo->prepare("SELECT * FROM emails WHERE type='$type'");
-	$q->execute();
+	$q = $pdo->prepare("SELECT * FROM emails WHERE type=?");
+	$q->execute([$type]);
 	while ($e = $q->fetch(PDO::FETCH_ASSOC)) {
 		echo "<option value=\"{$e['id']}\">{$e['name']}</option>";
 	}
@@ -173,8 +173,8 @@ case 'email_save':
 
 	if ($id == 0) {
 		if ($key && $name) {
-			$q = $pdo->prepare("INSERT INTO emails(type,val) VALUES('$type','$key')");
-			$q->execute();
+			$q = $pdo->prepare("INSERT INTO emails(type,val) VALUES(?,?)");
+			$q->execute([$type,$key]);
 			show_pdo_errors_if_any($pdo);
 			$id = lastInsertId();
 		} else {
@@ -188,15 +188,15 @@ case 'email_save':
 
 	$body = getTextFromHtml($bodyhtml);
 	$q = $pdo->prepare("UPDATE emails SET 
-								name='$name',
-								description='$description',
-								`from`='$from',
-								subject='$subject',
-								body='$body',
-								bodyhtml='$bodyhtml',
-								fundraising_campaigns_id=$fcstr
-						WHERE id='$id'");
-	$q->execute();
+								name=?,
+								description=?,
+								`from`=?,
+								subject=?,
+								body=?,
+								bodyhtml=?,
+								fundraising_campaigns_id=?
+						WHERE id=?");
+	$q->execute([$name,$description,$from,$subject,$body,$bodyhtml,$fcstr,$id]);
 	show_pdo_errors_if_any($pdo);
 	happy_('Email Saved');
 	exit;
@@ -215,8 +215,8 @@ case 'dialog_edit':
 		if (array_key_exists('fundraising_campaigns_id', $_GET)) {
 			$fcid = intval($_GET['fundraising_campaigns_id']);
 			$type = 'fundraising';
-			$q = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE id='$fcid'");
-			$q->execute();
+			$q = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE id=?");
+			$q->execute([$fcid]);
 			$fc = $q->fetch(PDO::FETCH_OBJ);
 			$name = i18n('%1 communication for %2', array(ucfirst($key), $fc->name));
 		} else {
@@ -227,8 +227,8 @@ case 'dialog_edit':
 		$from = $_SESSION['name'] . ' <' . $_SESSION['email'] . '>';
 	}
 	if ($id) {
-		$q = $pdo->prepare("SELECT * FROM emails WHERE id='$id'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT * FROM emails WHERE id=?");
+		$q->execute([$id]);
 		if ($q->rowCount() != 1) {
 			echo 'Ambiguous edit';
 			exit;
@@ -408,20 +408,20 @@ case 'dialog_send':
 	$fcid = intval($_GET['fundraising_campaigns_id']);
 	$emailid = intval($_GET['emails_id']);
 
-	$fcq = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE id='$fcid'");
-	$fcq->execute();
+	$fcq = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE id=?");
+	$fcq->execute([$fcid]);
 	$fc = $fcq->fetch(PDO::FETCH_OBJ);
 
-	$emailq = $pdo->prepare("SELECT * FROM emails WHERE id='$emailid'");
-	$emailq->execute();
+	$emailq = $pdo->prepare("SELECT * FROM emails WHERE id=?");
+	$emailq->execute([$emailid]);
 	$email = $email->fetch(PDO::FETCH_OBJ);
 
 	?>
 	<form id="send">
 	<table style="width:100%">
 	<?
-	$q = $pdo->prepare("SELECT COUNT(*) AS num FROM fundraising_campaigns_users_link WHERE fundraising_campaigns_id='$fcid'");
-	$q->execute();
+	$q = $pdo->prepare("SELECT COUNT(*) AS num FROM fundraising_campaigns_users_link WHERE fundraising_campaigns_id=?");
+	$q->execute([$fcid]);
 	$r = $q->fetch(PDO::FETCH_OBJ);
 	$numrecipients = $r->num;
 
@@ -513,8 +513,8 @@ case 'dialog_sender':
 	$u = user_load_by_uid(intval($_GET['uid']));
 
 	if ($_GET['template']) {
-		$emailq = $pdo->prepare("SELECT * FROM emails WHERE `val`='" . $_GET['template'] . "'");
-		$emailq->execute();
+		$emailq = $pdo->prepare("SELECT * FROM emails WHERE `val`=?");
+		$emailq->execute([$_GET['template']]);
 		$e = $emailq->fetch(PDO::FETCH_ASSOC);
 	} else
 		$e = null;
@@ -657,11 +657,11 @@ case 'dialog_sender':
 
 	case 'cancel':
 		if ($_GET['cancel']) {
-			$q = $pdo->prepare("UPDATE emailqueue SET finished=NOW() WHERE id='" . intval($_GET['cancel']) . "'");
-			$q->execute();
+			$q = $pdo->prepare("UPDATE emailqueue SET finished=NOW() WHERE id=?");
+			$q->execute([intval($_GET['cancel'])]);
 
-			$q = $pdo->prepare("UPDATE emailqueue_recipients SET result='cancelled' WHERE emailqueue_id='" . intval($_GET['cancel']) . "' AND sent IS NULL AND result IS NULL");
-			$q->execute();
+			$q = $pdo->prepare("UPDATE emailqueue_recipients SET result='cancelled' WHERE emailqueue_id=? AND sent IS NULL AND result IS NULL");
+			$q->execute([intval($_GET['cancel'])]);
 			echo 'ok';
 		}
 		exit;
@@ -686,36 +686,37 @@ if (get_value_from_array($_GET, 'action') == 'sendqueue') {
 	$fcid = intval($_POST['fundraising_campaigns_id']);
 	$emailid = intval($_POST['emails_id']);
 
-	$fcq = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE id='$fcid'");
-	$fcq->execute();
+	$fcq = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE id=?");
+	$fcq->execute([$fcid]);
 	$fc = $fcq->fetch(PDO::FETCH_OBJ);
 
-	$emailq = $pdo->prepare("SELECT * FROM emails WHERE id='$emailid'");
-	$emailq->execute();
+	$emailq = $pdo->prepare("SELECT * FROM emails WHERE id=?");
+	$emailq->execute([$emailid]);
 	$email = $emailq->fetch(PDO::FETCH_OBJ);
 
 	$recipq = $pdo->prepare("SELECT * FROM fundraising_campaigns_users_link
-						WHERE fundraising_campaigns_id='$fcid'");
-	$recipq->execute();
+						WHERE fundraising_campaigns_id=?");
+	$recipq->execute([$fcid]);
 	show_pdo_errors_if_any($pdo);
 
 	$numtotal = $recipq->rowCount();
 
-	$q = $pdo->prepare("INSERT INTO emailqueue (val,name,users_uid,`from`,subject,body,bodyhtml,`type`,fundraising_campaigns_id,started,finished,numtotal,numsent) VALUES (
-			'" . $email->val . "',
-			'" . $email->name . "',
-			'" . $_SESSION['users_uid'] . "',
-			'" . $email->from . "',
-			'" . $email->subject . "',
-			'" . $email->body . "',
-			'" . $email->bodyhtml . "',
-			'" . $email->type . "',
-			$fcid,
-			NOW(),
-			NULL,
-			$numtotal,
-			0)");
-	$q->execute();
+	$q = $pdo->prepare("INSERT INTO emailqueue (val, name, users_uid, `from`, subject, body, bodyhtml, `type`, fundraising_campaigns_id, started, finished, numtotal, numsent) 
+    	VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, NOW(), NULL, ?, 0)");
+
+	$q->execute([
+		$email->val,
+		$email->name,
+		$_SESSION['users_uid'],
+		$email->from,
+		$email->subject,
+		$email->body,
+		$email->bodyhtml,
+		$email->type,
+		$fcid,
+		$numtotal
+	]);
+
 	$emailqueueid = $pdo->lastInsertId();
 	show_pdo_errors_if_any($pdo);
 
@@ -727,8 +728,8 @@ if (get_value_from_array($_GET, 'action') == 'sendqueue') {
 
 		// we only send school access codes to science heads or principals
 
-		$acq = $pdo->prepare("SELECT accesscode FROM schools WHERE (sciencehead_uid='{$u['uid']}' OR principal_uid='{$u['uid']}') AND `year`='{$config['FAIRYEAR']}'");
-		$acq->execute();
+		$acq = $pdo->prepare("SELECT accesscode FROM schools WHERE (sciencehead_uid=? OR principal_uid=? AND `year`=?");
+		$acq->execute([$u['uid'],$config['FAIRYEAR']]);
 		$acr = $acq->fetch(PDO::FETCH_OBJ);
 		$accesscode = $acr->accesscode;
 
@@ -746,17 +747,19 @@ if (get_value_from_array($_GET, 'action') == 'sendqueue') {
 		);
 
 		if ($u['email'] && $u['email'][0] != '*') {
-			$q = $pdo->prepare("INSERT INTO emailqueue_recipients (emailqueue_id,toemail,toname,replacements,sent) VALUES (
-				'$emailqueueid',
-				'" . $pdo->quote($u['email']) . "',
-				'" . $pdo->quote($u['name']) . "',
-				'" . $pdo->quote(json_encode($replacements) . "',
-				NULL)"));
-			$q->execute();
+			$q = $pdo->prepare("INSERT INTO emailqueue_recipients (emailqueue_id, toemail, toname, replacements, sent) VALUES (?, ?, ?, ?, NULL)");
+
+			$q->execute([
+				$emailqueueid,
+				$u['email'],
+				$u['name'],
+				json_encode($replacements)
+			]);
+
 			show_pdo_errors_if_any($pdo);
 		}
-		$q = $pdo->prepare("UPDATE emails SET lastsent=NOW() WHERE id='$emailid'");
-		$q->execute();
+		$q = $pdo->prepare("UPDATE emails SET lastsent=NOW() WHERE id=?");
+		$q->execute([$emailid]);
 	}
 	echo 'ok';
 	launchQueue();
@@ -786,16 +789,16 @@ echo '<br />';
  <?
 
 if (get_value_from_array($_GET, 'action') == 'delete' && get_value_from_array($_GET, 'delete')) {
-	$q = $pdo->prepare("DELETE FROM emails WHERE id='" . $_GET['delete'] . "' AND `type`='user'");
-	$q->execute();
+	$q = $pdo->prepare("DELETE FROM emails WHERE id=? AND `type`='user'");
+	$q->execute([$_GET['delete']]);
 	echo happy('Email successfully deleted');
 }
 
 if (get_value_from_array($_GET, 'action') == 'send' && get_value_from_array($_GET, 'send')) {
 	show_pdo_errors_if_any($pdo);
 
-	$q = $pdo->prepare("SELECT * FROM emails WHERE id='" . $_GET['send'] . "'");
-	$q->execute();
+	$q = $pdo->prepare("SELECT * FROM emails WHERE id=?");
+	$q->execute($_GET['send']);
 
 	$r = $q->fetch(PDO::FETCH_OBJ);
 
@@ -859,8 +862,8 @@ if (get_value_from_array($_GET, 'action') == 'send' && get_value_from_array($_GE
 	// echo $str;
 } else if (get_value_from_array($_POST, 'action') == 'reallysend' && get_value_from_array($_POST, 'reallysend') && get_value_from_array($_POST, 'to')) {
 	$emailid = intval($_POST['reallysend']);
-	$emailq = $pdo->prepare("SELECT * FROM emails WHERE id='$emailid'");
-	$emailq->execute();
+	$emailq = $pdo->prepare("SELECT * FROM emails WHERE id=?");
+	$emailq->execute([$emailid]);
 	$email = $emailq->fetch(PDO::FETCH_OBJ);
 	$to = $_POST['to'];
 
@@ -870,21 +873,20 @@ if (get_value_from_array($_GET, 'action') == 'send' && get_value_from_array($_GE
 	}
 
 	$numtotal = $recipq->rowCount();
-	$q = $pdo->prepare("INSERT INTO emailqueue (val,name,users_uid,`from`,subject,body,bodyhtml,`type`,fundraising_campaigns_id,started,finished,numtotal,numsent) VALUES (
-				'" . $pdo->quote($email->val) . "',
-				'" . $pdo->quote($email->name) . "',
-				'" . $pdo->quote($_SESSION['users_uid']) . "',
-				'" . $pdo->quote($email->from) . "',
-				'" . $pdo->quote($email->subject) . "',
-				'" . $pdo->quote($email->body) . "',
-				'" . $pdo->quote($email->bodyhtml) . "',
-				'" . $pdo->quote($email->type) . "',
-				NULL,
-				NOW(),
-				NULL,
-				$numtotal,
-				0)");
-	$q->execute();
+	$q = $pdo->prepare("INSERT INTO emailqueue (val, name, users_uid, `from`, subject, body, bodyhtml, `type`, fundraising_campaigns_id, started, finished, numtotal, numsent) VALUES (?, ?, ?, ?, ?, ?, ?, ?, NULL, NOW(), NULL, ?, 0)");
+
+	$q->execute([
+		$email->val,
+		$email->name,
+		$_SESSION['users_uid'],
+		$email->from,
+		$email->subject,
+		$email->body,
+		$email->bodyhtml,
+		$email->type,
+		$numtotal
+	]);
+	
 	$emailqueueid = lastInsertId();
 	show_pdo_errors_if_any($pdo);
 
@@ -915,8 +917,8 @@ if (get_value_from_array($_GET, 'action') == 'send' && get_value_from_array($_GE
 		}
 		if ($u) {
 			// we only send school access codes to science heads or principals
-			$acq = $pdo->prepare("SELECT accesscode FROM schools WHERE (sciencehead_uid='{$u['uid']}' OR principal_uid='{$u['uid']}') AND `year`='{$config['FAIRYEAR']}'");
-			$acq->execute();
+			$acq = $pdo->prepare("SELECT accesscode FROM schools WHERE (sciencehead_uid=? OR principal_uid=?) AND `year`=?");
+			$acq->execute([$u['uid'],$u['uid'],$config['FAIRYEAR']]);
 			show_pdo_errors_if_any($pdo);
 			$acr = $acq->fetch(PDO::FETCH_OBJ);
 			$accesscode = $acr->accesscode;
@@ -939,18 +941,20 @@ if (get_value_from_array($_GET, 'action') == 'send' && get_value_from_array($_GE
 		}
 
 		if ($toemail) {
-			$q = $pdo->prepare("INSERT INTO emailqueue_recipients (emailqueue_id,toemail,toname,replacements,sent) VALUES (
-					'$emailqueueid',
-					'" . $toemail . "',
-					'" . $toname . "',
-					'" . json_encode($replacements) . "',
-					NULL)");
-			$q->execute();
+			$q = $pdo->prepare("INSERT INTO emailqueue_recipients (emailqueue_id, toemail, toname, replacements, sent) VALUES (?, ?, ?, ?, NULL)");
+
+			$q->execute([
+				$emailqueueid,
+				$toemail,
+				$toname,
+				json_encode($replacements)
+			]);
+
 			show_pdo_errors_if_any($pdo);
 		}
 
-		$q = $pdo->prepare("UPDATE emails SET lastsent=NOW() WHERE id='$emailid'");
-		$q->execute();
+		$q = $pdo->prepare("UPDATE emails SET lastsent=NOW() WHERE id=?");
+		$q->execute([$emailid]);
 	}
 	launchQueue();
 	echo '<br />';
diff --git a/admin/documentdownloader.php b/admin/documentdownloader.php
index 3c5724f0..c69dbb2e 100644
--- a/admin/documentdownloader.php
+++ b/admin/documentdownloader.php
@@ -25,8 +25,8 @@
 require ('../common.inc.php');
 require_once ('../user.inc.php');
 user_auth_required('committee', 'admin');
-$q = $pdo->prepare("SELECT * FROM documents WHERE id='" . $_GET['id'] . "'");
-$q->execute();
+$q = $pdo->prepare("SELECT * FROM documents WHERE id=?");
+$q->execute([$_GET['id']]);
 if ($r = $q->fetch(PDO::FETCH_OBJ)) {
     header('Content-type: ' . trim(exec("file -bi ../data/documents/$r->filename")));
     header('Content-disposition: inline; filename="' . $r->filename . '"');
diff --git a/admin/donations.php b/admin/donations.php
index 98c1353d..c7890f24 100644
--- a/admin/donations.php
+++ b/admin/donations.php
@@ -143,15 +143,15 @@ function refresh_fundraising_table() {
 <?
 
 // first, insert any defaults
-$q = $pdo->prepare("SELECT * FROM fundraising WHERE year='" . $config['FAIRYEAR'] . "'");
-$q->execute();
+$q = $pdo->prepare("SELECT * FROM fundraising WHERE year=?");
+$q->execute([$config['FAIRYEAR']]);
 if (!$q->rowCount()) {
     $q = $pdo->prepare("SELECT * FROM fundraising WHERE year='-1'");
 
     $q->execute();
     while ($r = $q->fetch(PDO::FETCH_OBJ)) {
-        $q = $pdo->prepare("INSERT INTO fundraising (`type`,`name`,`description`,`system`,`goal`,`year`) VALUES ('$r->type','" . $r->name . "','" . $r->description . "','$r->system','$r->goal','" . $config['FAIRYEAR'] . "')");
-        $q->execute();
+        $q = $pdo->prepare("INSERT INTO fundraising (`type`,`name`,`description`,`system`,`goal`,`year`) VALUES (?,?,?,?,?,?)");
+        $q->execute([$r->type,$r->name,$r->description,$r->system,$r->goal,$config['FAIRYEAR']]);
     }
 }
 
diff --git a/admin/donors.php b/admin/donors.php
index f83bdba1..dc32e018 100644
--- a/admin/donors.php
+++ b/admin/donors.php
@@ -32,8 +32,8 @@ global $pdo;
 switch (get_value_from_array($_GET, 'action')) {
 	case 'organizationinfo_load':
 		$id = intval($_GET['id']);
-		$q = $pdo->prepare("SELECT * FROM sponsors WHERE id='$id'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT * FROM sponsors WHERE id=?");
+		$q->execute([$id]);
 		$ret = $q->fetch(PDO::FETCH_ASSOC);
 		echo json_encode($ret);
 		exit;
@@ -43,8 +43,8 @@ switch (get_value_from_array($_GET, 'action')) {
 		$id = intval($_POST['sponsor_id']);
 		if ($id == -1) {
 			echo "INSERT INTO sponsors (year) VALUES ('" . $config['FAIRYEAR'] . "')";
-			$q = $pdo->prepare("INSERT INTO sponsors (year) VALUES ('" . $config['FAIRYEAR'] . "')");
-			$q->execute();
+			$q = $pdo->prepare("INSERT INTO sponsors (year) VALUES (?)");
+			$q->execute([$config['FAIRYEAR']]);
 			$id = $pdo->lastInsertId();
 			echo json_encode(array('id' => $id));
 			save_activityinfo('Created donor/sponsor', $id, $_SESSION['users_uid'], 'System');
@@ -54,26 +54,31 @@ switch (get_value_from_array($_GET, 'action')) {
 
 		if ($id) {
 			$exec = 'UPDATE sponsors SET '
-				. "donortype='" . stripslashes($_POST['donortype']) . "', "
-				. "organization='" . stripslashes($_POST['organization']) . "', "
-				. "address='" . stripslashes($_POST['address']) . "', "
-				. "address2='" . stripslashes($_POST['address2']) . "', "
-				. "city='" . stripslashes($_POST['city']) . "', "
-				. "province_code='" . stripslashes($_POST['province_code']) . "', "
-				. "postalcode='" . stripslashes($_POST['postalcode']) . "', "
-				. "phone='" . stripslashes($_POST['phone']) . "', "
-				. "tollfree='" . stripslashes($_POST['tollfree']) . "', "
-				. "fax='" . stripslashes($_POST['fax']) . "', "
-				. "email='" . stripslashes($_POST['email']) . "', "
-				. "website='" . stripslashes($_POST['website']) . "', "
-				. "notes='" . stripslashes($_POST['notes']) . "', "
-				. "donationpolicyurl='" . stripslashes($_POST['donationpolicyurl']) . "', "
-				. "fundingselectiondate='" . stripslashes($_POST['fundingselectiondate']) . "', "
-				. "proposalsubmissiondate='" . stripslashes($_POST['proposalsubmissiondate']) . "', "
-				. "waiveraccepted='" . stripslashes($_POST['waiveraccepted']) . "' "
-				. "WHERE id='$id'";
+				. "donortype=?, "
+				. "organization=?, "
+				. "address=?, "
+				. "address2=?, "
+				. "city=?, "
+				. "province_code=?, "
+				. "postalcode=?, "
+				. "phone=?, "
+				. "tollfree=?, "
+				. "fax=?, "
+				. "email=?, "
+				. "website=?, "
+				. "notes=?, "
+				. "donationpolicyurl=?, "
+				. "fundingselectiondate=?, "
+				. "proposalsubmissiondate=?, "
+				. "waiveraccepted=? "
+				. "WHERE id=?";
 			$q = $pdo->prepare($exec);
-			$q->execute();
+			$q->execute([stripslashes($_POST['donortype']),stripslashes($_POST['organization']),stripslashes($_POST['address']),
+			stripslashes($_POST['address2']),stripslashes($_POST['city']),stripslashes($_POST['province_code']),
+			stripslashes($_POST['postalcode']),stripslashes($_POST['phone']),stripslashes($_POST['tollfree']),
+			stripslashes($_POST['fax']),stripslashes($_POST['email']),stripslashes($_POST['website']),
+			stripslashes($_POST['notes']),stripslashes($_POST['donationpolicyurl']),stripslashes($_POST['fundingselectiondate']),
+			stripslashes($_POST['proposalsubmissiondate']),stripslashes($_POST['waiveraccepted']),$id]);
 			echo $q->errorInfo();
 
 			// FIXME accept the logo
@@ -93,8 +98,8 @@ switch (get_value_from_array($_GET, 'action')) {
 		echo "<table cellspacing=3 cellpadding=3>\n";
 
 		// LAST DONATION
-		$q = $pdo->prepare("SELECT * FROM fundraising_donations WHERE sponsors_id='$id' ORDER BY datereceived DESC LIMIT 1");
-		$q->execute();
+		$q = $pdo->prepare("SELECT * FROM fundraising_donations WHERE sponsors_id=? ORDER BY datereceived DESC LIMIT 1");
+		$q->execute([$id]);
 		if ($r = $q->fetch(PDO::FETCH_OBJ))
 			$lastdonation = i18n('%1 on %2', array(format_money($r->value, false), format_date($r->datereceived)), array('Donation amount', 'Donation date'));
 		else
@@ -102,11 +107,11 @@ switch (get_value_from_array($_GET, 'action')) {
 
 		// TOTAL THIS YEAR
 		$q = $pdo->prepare("SELECT SUM(value) AS total FROM fundraising_donations 
-				WHERE sponsors_id='$id' 
+				WHERE sponsors_id=? 
 				AND status='received'
-				AND fiscalyear={$config['FISCALYEAR']} 
+				AND fiscalyear=? 
 				");
-		$q->execute();
+		$q->execute([$id,$config['FISCALYEAR']]);
 		if ($r = $q->fetch(PDO::FETCH_OBJ))
 			$totalthisyear = format_money($r->total, false);
 		else
@@ -115,11 +120,11 @@ switch (get_value_from_array($_GET, 'action')) {
 		// TOTAL LAST YEAR
 		$lastyear = $config['FISCALYEAR'] - 1;
 		$q = $pdo->prepare("SELECT SUM(value) AS total FROM fundraising_donations 
-				WHERE sponsors_id='$id' 
+				WHERE sponsors_id=? 
 				AND status='received'
-				AND fiscalyear=$lastyear
+				AND fiscalyear=?
 				");
-		$q->execute();
+		$q->execute([$id,$lastyear]);
 
 		if ($r = $q->fetch(PDO::FETCH_OBJ))
 			$totallastyear = format_money($r->total, false);
@@ -139,11 +144,11 @@ switch (get_value_from_array($_GET, 'action')) {
 				fundraising_campaigns.name AS campaignname 
 				FROM fundraising_donations 
 				LEFT JOIN fundraising_campaigns ON fundraising_donations.fundraising_campaigns_id=fundraising_campaigns.id 
-				WHERE sponsors_id='$id' 
+				WHERE sponsors_id=? 
 				AND status='received' 
-				AND fundraising_donations.fiscalyear='{$config['FISCALYEAR']}' 
+				AND fundraising_donations.fiscalyear=? 
 				ORDER BY datereceived DESC");
-		$q->execute();
+		$q->execute([$id,$config['FISCALYEAR']]);
 		show_pdo_errors_if_any($pdo);
 
 		if ($q->rowCount()) {
@@ -193,10 +198,10 @@ switch (get_value_from_array($_GET, 'action')) {
 				fundraising_campaigns.name AS campaignname 
 				FROM fundraising_donations 
 				LEFT JOIN fundraising_campaigns ON fundraising_donations.fundraising_campaigns_id=fundraising_campaigns.id 
-				WHERE sponsors_id='$id' 
+				WHERE sponsors_id=? 
 					AND status='received' 
 				ORDER BY datereceived DESC");
-		$q->execute();
+		$q->execute([$id]);
 
 		while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 			echo "<tr>\n";
@@ -228,13 +233,13 @@ switch (get_value_from_array($_GET, 'action')) {
 				FROM users 
 				LEFT JOIN users_sponsor ON users_sponsor.users_id=users.id
 				WHERE 
-				sponsors_id='$id' 
+				sponsors_id=? 
 				AND types LIKE '%sponsor%'
 				GROUP BY uid
 				HAVING deleted='no' 
 				ORDER BY users_sponsor.primary DESC,lastname,firstname
 			");
-		$query->execute();
+		$query->execute([$id]);
 		show_pdo_errors_if_any($pdo);
 		$uids = array();
 		while ($r = $query->fetch(PDO::FETCH_OBJ)) {
@@ -242,9 +247,9 @@ switch (get_value_from_array($_GET, 'action')) {
 		}
 
 		$q = $pdo->prepare("SELECT * FROM fundraising_campaigns
-				WHERE fiscalyear='{$config['FISCALYEAR']}' 
+				WHERE fiscalyear=? 
 				ORDER BY name");
-		$q->execute();
+		$q->execute([$config['FISCALYEAR']]);
 		$str = '';
 		echo '<select id="fundraising_campaign_id" name="fundraising_campaigns_id" onchange="campaignchange()">';
 		echo '<option value="">' . i18n('Choose an appeal') . "</option>\n";
@@ -255,10 +260,10 @@ switch (get_value_from_array($_GET, 'action')) {
 
 			if (count($uids)) {
 				$tq = $pdo->prepare("SELECT * FROM fundraising_campaigns_users_link
-						WHERE fundraising_campaigns_id='$r->id'
+						WHERE fundraising_campaigns_id=?
 						AND users_uid IN (" . implode(',', $uids) . ')
 						');
-				$tq->execute();
+				$tq->execute([$r->id]);
 				if ($tq->rowCount()) {
 					$incampaign = i18n('*In Appeal*') . ': ';
 				} else
@@ -284,8 +289,8 @@ switch (get_value_from_array($_GET, 'action')) {
 		echo '<option value="">' . i18n('Choose a purpose') . "</option>\n";
 		// FIXME: only show campaigns that they were included as part of
 		// we need a campaigns_users_link or campaigns_sponsors_link or something
-		$q = $pdo->prepare("SELECT * FROM fundraising_goals WHERE fiscalyear='{$config['FISCALYEAR']}' ORDER BY name");
-		$q->execute();
+		$q = $pdo->prepare("SELECT * FROM fundraising_goals WHERE fiscalyear=? ORDER BY name");
+		$q->execute([$config['FISCALYEAR']]);
 		while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 			echo "<option value=\"$r->goal\">$r->name</option>\n";
 		}
@@ -365,8 +370,8 @@ switch (get_value_from_array($_GET, 'action')) {
 
 	case 'newcontactsearch':
 		if ($_POST['email'])
-			$q = $pdo->prepare("SELECT *,MAX(year) FROM users WHERE email='" . trim($_POST['email']) . "' GROUP BY uid HAVING deleted='no'");
-		$q->execute();
+			$q = $pdo->prepare("SELECT *,MAX(year) FROM users WHERE email=? GROUP BY uid HAVING deleted='no'");
+		$q->execute([trim($_POST['email'])]);
 		if ($r = $q->fetch(PDO::FETCH_OBJ)) {
 			echo i18n('There is an exact email address match for %1', array($_POST['email']));
 			echo '<ul>';
@@ -393,7 +398,7 @@ switch (get_value_from_array($_GET, 'action')) {
 			if ($_POST['email'])
 				$searchstr .= " AND email LIKE '%" . $_POST['email'] . "%'";
 
-			$q = $pdo->prepare("SELECT *,MAX(year) FROM users WHERE $searchstr GROUP BY uid HAVING deleted='no'");
+			$q = $pdo->prepare("SELECT *,MAX(year) FROM users WHERE '$searchstr' GROUP BY uid HAVING deleted='no'");
 			$q->execute();
 			$num = $q->rowCount();
 			if ($num == 0) {
@@ -422,18 +427,18 @@ switch (get_value_from_array($_GET, 'action')) {
 
 		if ($goal && $value && $supporttype) {
 			$q = $pdo->prepare("INSERT INTO fundraising_donations (sponsors_id,fundraising_goal,fundraising_campaigns_id,value,status,probability,fiscalyear,thanked,datereceived,supporttype) VALUES (
-			'$sponsorid',
-			'" . $goal . "',
-			'$campaignid',
-			'$value',
+			?,
+			?,
+			?,
+			?,
 			'received',
 			'100',
-			'{$config['FISCALYEAR']}',
+			?,
 			'no',
-			'" . $datereceived . "',
-			'" . $supporttype . "'
+			?,
+			?
 			)");
-			$q->execute();
+			$q->execute([$sponsorid,$goal,$campaignid,$value,$config['FISCALYEAR'],$datereceived,$supporttype]);
 			$id = $pdo->lastInsertId();
 			$logStr = getDonationString($id);
 			save_activityinfo("Added donation/sponsorship: $logStr", $sponsorid, $_SESSION['users_uid'], 'System');
@@ -453,8 +458,8 @@ switch (get_value_from_array($_GET, 'action')) {
 		if ($logStr = getDonationString($id)) {
 			save_activityinfo("Removed donation/sponsorship: $logStr", $sponsorid, $_SESSION['users_uid'], 'System');
 			happy_('Donation/sponsorship removed');
-			$q = $pdo->prepare("DELETE FROM fundraising_donations WHERE id='$id' AND sponsors_id='$sponsorid'");
-			$q->execute();
+			$q = $pdo->prepare("DELETE FROM fundraising_donations WHERE id=? AND sponsors_id=?");
+			$q->execute([$id,$sponsorid]);
 			show_pdo_errors_if_any($pdo);
 		} else {
 			error_('Invalid donation/sponsorship to remove');
@@ -474,8 +479,8 @@ function delete_contact()
 	global $pdo;
 	if (array_key_exists('userid', $_POST)) {
 		$uid = $_POST['userid'];
-		$data = $pdo->prepare("SELECT CONCAT_WS(' ', users.firstname, users.lastname) AS name FROM users WHERE id=" . $uid);
-		$data->execute();
+		$data = $pdo->prepare("SELECT CONCAT_WS(' ', users.firstname, users.lastname) AS name FROM users WHERE id=?");
+		$data->execute([$uid]);
 		$namedata = $data->fetch();
 		$name = trim($namedata['name']);
 		user_delete($uid, 'sponsor');
@@ -514,8 +519,8 @@ function save_contact()
 		// load or create the user, according to the situation
 		if ($_POST['recordtype'] == 'new') {
 			if ($_POST['email']) {
-				$q = $pdo->prepare("SELECT *,MAX(year) FROM users WHERE email='" . trim($_POST['email']) . "' GROUP BY uid HAVING deleted='no'");
-				$q->execute();
+				$q = $pdo->prepare("SELECT *,MAX(year) FROM users WHERE email=? GROUP BY uid HAVING deleted='no'");
+				$q->execute([trim($_POST['email'])]);
 				if ($q->rowCount()) {
 					error_('A user with that email address already exists');
 					exit;
@@ -544,12 +549,12 @@ function save_contact()
 				FROM users_sponsor, users 
 				WHERE
 				users_sponsor.users_id=users.id
-				AND sponsors_id='$sponsor_id'
+				AND sponsors_id=?
 				AND `primary`='yes'
-				AND year='" . $config['FAIRYEAR'] . "'
-				AND users_id!='$id'";
+				AND year=?
+				AND users_id!=?";
 			$q = $pdo->prepare($query);
-			$q->execute();
+			$q->execute([$sponsor_id,$config['FAIRYEAR'],$id]);
 			if ($q->rowCount() == 0) {
 				/* This has to be the primary since there isn't one already */
 				$p = 'yes';
@@ -557,8 +562,8 @@ function save_contact()
 		} else {
 			/* Unset all other primaries */
 			$q = $pdo->prepare("UPDATE users_sponsor SET `primary`='no'
-					WHERE sponsors_id='$sponsor_id' AND users_id != '$id'");
-			$q->execute();
+					WHERE sponsors_id=? AND users_id !=?");
+			$q->execute([$sponsor_id,$id]);
 		}
 
 		// we now know whether or not they're the primary user.  Update them with that,
@@ -624,13 +629,13 @@ function draw_contactsinfo_form($contact = null)
 	// loop through each contact and draw a form with their data in it.
 	$query = $pdo->prepare("SELECT *,MAX(year) FROM users LEFT JOIN users_sponsor ON users_sponsor.users_id=users.id
 	WHERE 
-	sponsors_id='" . $sponsor_id . "' 
+	sponsors_id=? 
 	AND types LIKE '%sponsor%'
 	GROUP BY uid
 	HAVING deleted='no' 
 	ORDER BY users_sponsor.primary DESC,lastname,firstname
 	");
-	$query->execute();
+	$query->execute([$sponsor_id]);
 	show_pdo_errors_if_any($pdo);
 
 	while ($contact = $query->fetch()) {
@@ -665,8 +670,8 @@ function draw_contact_form($sponsor_id, $contact = null)
 	global $salutations, $config, $pdo;
 
 	// grab the sponsor details, so we can do diff things for individual vs organization
-	$q = $pdo->prepare("SELECT * FROM sponsors WHERE id='$sponsor_id'");
-	$q->execute();
+	$q = $pdo->prepare("SELECT * FROM sponsors WHERE id=?");
+	$q->execute([$sponsor_id]);
 	$sponsor = $q->fetch(PDO::FETCH_OBJ);
 
 	if ($contact != null) {
@@ -816,8 +821,8 @@ function draw_activityinfo_form()
 			</td>
 			<td align="center">
 <?php
-	$q = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE fiscalyear='{$config['FISCALYEAR']}' ORDER BY name");
-	$q->execute();
+	$q = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE fiscalyear=? ORDER BY name");
+	$q->execute([$config['FISCALYEAR']]);
 	echo '<select name="fundraising_campaigns_id">';
 	echo '<option value="">' . i18n('Choose Appeal') . "</option>\n";
 	while ($r = $q->fetch(PDO::FETCH_OBJ)) {
@@ -838,10 +843,10 @@ function draw_activityinfo_form()
 	\t  FROM fundraising_donor_logs AS fdl 
 	\t  LEFT JOIN users ON fdl.users_id=users.id 
 	\t  LEFT JOIN fundraising_campaigns ON fdl.fundraising_campaigns_id=fundraising_campaigns.id
-	\t  WHERE sponsors_id=" . $sponsorid . ' ORDER BY dt DESC';
+	\t  WHERE sponsors_id=? ORDER BY dt DESC";
 	// echo "<tr><td colspan=\"3\">" . $query . "</td></tr>";
 	$q = $pdo->prepare($query);
-	$q->execute();
+	$q->execute([$sponsorid ]);
 	show_pdo_errors_if_any($pdo);
 	if ($q->rowCount()) {
 		while ($r = $q->fetch()) {
@@ -872,14 +877,14 @@ function save_activityinfo($comment, $donorId, $userId, $type, $campaign_id = nu
 		$cid = 'NULL';
 
 	$query = "INSERT INTO fundraising_donor_logs (sponsors_id, dt, users_id, log, `type`, fundraising_campaigns_id) 
-		VALUES ($donorId,
+		VALUES (?,
 		NOW(),
-		$userId,
-		'" . $comment . "',
-		'" . $type . "',
-		$cid)";
+		?,
+		?,
+		?,
+		?)";
 	$q = $pdo->prepare($query);
-	$q->execute();
+	$q->execute([$donorId,$userId,$comment,$type,$cid]);
 	show_pdo_errors_if_any($pdo);
 }
 
@@ -890,10 +895,10 @@ function getDonationString($id)
 		fundraising_campaigns.name AS campaignname 
 		FROM fundraising_donations 
 		LEFT JOIN fundraising_campaigns ON fundraising_donations.fundraising_campaigns_id=fundraising_campaigns.id 
-		WHERE fundraising_donations.id='$id' 
-		AND fundraising_donations.fiscalyear='{$config['FISCALYEAR']}' 
+		WHERE fundraising_donations.id=? 
+		AND fundraising_donations.fiscalyear=? 
 		");
-	$q->execute();
+	$q->execute([$id,$config['FISCALYEAR']]);
 	show_pdo_errors_if_any($pdo);
 	$str = '';
 	if ($r = $q->fetch(PDO::FETCH_OBJ)) {
diff --git a/admin/donors_search.php b/admin/donors_search.php
index 5b20cdfa..8d00fa70 100644
--- a/admin/donors_search.php
+++ b/admin/donors_search.php
@@ -52,12 +52,12 @@ $lastyear = $config['FISCALYEAR'] - 1;
 $rows = array();
 
 while ($r = $q->fetch(PDO::FETCH_OBJ)) {
-	$cq = $pdo->prepare("SELECT SUM(value) AS total FROM fundraising_donations WHERE sponsors_id='$r->id' AND status='received' AND fiscalyear='$thisyear'");
-	$cq->execute();
+	$cq = $pdo->prepare("SELECT SUM(value) AS total FROM fundraising_donations WHERE sponsors_id=? AND status='received' AND fiscalyear=?");
+	$cq->execute([$r->id,$thisyear]);
 	$cr = $cq->fetch(PDO::FETCH_OBJ);
 	$thisyeartotal = $cr->total;
-	$cq = $pdo->prepare("SELECT SUM(value) AS total FROM fundraising_donations WHERE sponsors_id='$r->id' AND status='received' AND fiscalyear='$lastyear'");
-	$cq->execute();
+	$cq = $pdo->prepare("SELECT SUM(value) AS total FROM fundraising_donations WHERE sponsors_id=? AND status='received' AND fiscalyear=?");
+	$cq->execute([$r->id,$lastyear]);
 	$cr = $cq->fetch(PDO::FETCH_OBJ);
 	$lastyeartotal = $cr->total;
 	if ($lastyeartotal)
diff --git a/admin/exhibithall_sa.php b/admin/exhibithall_sa.php
index 369f9fe0..d0d2b265 100644
--- a/admin/exhibithall_sa.php
+++ b/admin/exhibithall_sa.php
@@ -236,8 +236,8 @@ while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 
 TRACE("Loading Project Age Categories...\n");
 $cat = array();
-$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year='{$config['FAIRYEAR']}' ORDER BY id");
-$q->execute();
+$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year=? ORDER BY id");
+$q->execute([$config['FAIRYEAR']]);
 while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 	$catshort[$r->id] = $r->category_shortform;
 	$cat[$r->id] = $r->category;
@@ -248,13 +248,13 @@ TRACE("Loading Projects...\n");
 $projects = array();
 $q = $pdo->prepare("SELECT projects.* FROM projects, registrations 
 				WHERE
-					projects.year='{$config['FAIRYEAR']}' 
+					projects.year=? 
 					AND registrations.id = projects.registrations_id
 				" . getJudgingEligibilityCode());
-$q->execute();
+$q->execute([$config['FAIRYEAR']]);
 while ($p = $q->fetch(PDO::FETCH_OBJ)) {
-	$qq = $pdo->prepare("SELECT grade,schools_id FROM students WHERE registrations_id='{$p->registrations_id}'");
-	$qq->execute();
+	$qq = $pdo->prepare("SELECT grade,schools_id FROM students WHERE registrations_id=?");
+	$qq->execute([$p->registrations_id]);
 	$num_students = $qq->rowCouunt();
 	$grade = 0;
 	$schools_id = 0;
@@ -286,8 +286,8 @@ if ($action == 'pn') {
 		$n = sprintf('%03d', $p['floornumber']);
 		$pn = "$c $n $d";
 		TRACE("Project {$p['projects_id']} at loc {$p['floornumber']}: $pn\n");
-		$q = $pdo->prepare("UPDATE projects SET projectnumber='$pn' WHERE id='{$p['projects_id']}'");
-		$q->execute();
+		$q = $pdo->prepare("UPDATE projects SET projectnumber=? WHERE id=?");
+		$q->execute([$pn,$p['projects_id']]);
 	}
 	TRACE("Done.\n");
 	exit;
@@ -629,12 +629,12 @@ for ($x = 0; $x < $a->num_buckets; $x++) {
 print_r($projects);
 
 /* Assign floor numbers */
-$q = $pdo->prepare("UPDATE projects SET floornumber=0 WHERE year='{$config['FAIRYEAR']}'");
-$q->execute();
+$q = $pdo->prepare("UPDATE projects SET floornumber=0 WHERE year=?");
+$q->execute($config['FAIRYEAR']);
 
 foreach ($projects as $pid => $p) {
-	$q = $pdo->prepare("UPDATE projects SET floornumber='{$p['floornumber']}' WHERE id='$pid'");
-	$q->execute();
+	$q = $pdo->prepare("UPDATE projects SET floornumber=? WHERE id=?");
+	$q->execute([$p['floornumber'],$pid]);
 	TRACE("Project $pid => Floor number {$p['floornumber']}\n");
 }
 
diff --git a/admin/export_checkin.php b/admin/export_checkin.php
index 431bfdc4..77d18a14 100644
--- a/admin/export_checkin.php
+++ b/admin/export_checkin.php
@@ -28,8 +28,8 @@ require_once ('../user.inc.php');
 user_auth_required('committee', 'admin');
 require ('../lpdf.php');
 
-$catq = $pdo->prepare("SELECT * FROM projectcategories WHERE year='" . $config['FAIRYEAR'] . "' AND id='" . $_GET['cat'] . "'");
-$catq->execute();
+$catq = $pdo->prepare("SELECT * FROM projectcategories WHERE year=? AND id=?");
+$catq->execute([$config['FAIRYEAR'],$_GET['cat']]);
 if ($catr = $catq->fetch(PDO::FETCH_OBJ)) {
 	$pdf = new lpdf(i18n($config['fairname']),
 		i18n('Checkin List') . ' - ' . i18n($catr->category),
@@ -47,13 +47,13 @@ if ($catr = $catq->fetch(PDO::FETCH_OBJ)) {
 				registrations
 				left outer join projects on projects.registrations_id=registrations.id
 			WHERE
-				registrations.year='" . $config['FAIRYEAR'] . "' 
+				registrations.year=? 
 				AND ( registrations.status='complete' OR registrations.status='paymentpending' )
-				AND projects.projectcategories_id='$catr->id'
+				AND projects.projectcategories_id=?
 			ORDER BY
 				projects.title
 			");
-	$q->execute();
+	$q->execute([$config['FAIRYEAR'],$catr->id]);
 	show_pdo_errors_if_any($pdo);
 
 	$table = array();
@@ -69,8 +69,8 @@ if ($catr = $catq->fetch(PDO::FETCH_OBJ)) {
 		$table['dataalign'] = array('left', 'left', 'left', 'center');
 	}
 	while ($r = $q->fetch(PDO::FETCH_OBJ)) {
-		$divq = $pdo->prepare("SELECT division,division_shortform FROM projectdivisions WHERE year='" . $config['FAIRYEAR'] . "' AND id='" . $r->projectdivisions_id . "'");
-		$divq->execute();
+		$divq = $pdo->prepare("SELECT division,division_shortform FROM projectdivisions WHERE year=? AND id=?");
+		$divq->execute([$config['FAIRYEAR'],$r->projectdivisions_id]);
 		$divr = $divq->fetch(PDO::FETCH_OBJ);
 
 		$sq = $pdo->prepare("SELECT students.firstname,
@@ -78,9 +78,9 @@ if ($catr = $catq->fetch(PDO::FETCH_OBJ)) {
 				FROM
 					students
 				WHERE
-					students.registrations_id='$r->reg_id'
+					students.registrations_id=?
 				");
-		$sq->execute();
+		$sq->execute([$r->reg_id]);
 
 		$students = '';
 		$studnum = 0;
diff --git a/admin/fair_stats.php b/admin/fair_stats.php
index 1ad88f60..7e88994d 100644
--- a/admin/fair_stats.php
+++ b/admin/fair_stats.php
@@ -96,8 +96,8 @@ else
 	$fairs_id = -1;
 
 if ($fairs_id != -1) {
-	$q = $pdo->prepare("SELECT * FROM fairs WHERE id='$fairs_id'");
-	$q->execute();
+	$q = $pdo->prepare("SELECT * FROM fairs WHERE id=?");
+	$q->execute([$fairs_id]);
 	$fair = $q->fetch(PDO::FETCH_ASSOC);
 }
 
@@ -225,8 +225,8 @@ if (is_array(get_value_from_array($data, 'stats'))) {
 /* And now, overwrite all the stuff we pulled down with stats we can compute */
 
 // number of schools
-$q = $pdo->prepare("SELECT COUNT(id) AS num FROM schools WHERE year='$year'");
-$q->execute();
+$q = $pdo->prepare("SELECT COUNT(id) AS num FROM schools WHERE year=?");
+$q->execute([$year]);
 $r = $q->fetch(PDO::FETCH_OBJ);
 $stats['schools_total'] = $r->num;
 
@@ -235,10 +235,10 @@ $q = $pdo->prepare("SELECT DISTINCT(students.schools_id) AS sid, schools.*
  \t\t \tFROM students 
 				LEFT JOIN registrations ON students.registrations_id=registrations.id 
 				LEFT JOIN schools ON students.schools_id=schools.id
-			WHERE students.year='$year' 
-				AND registrations.year='$year' 
+			WHERE students.year=? 
+				AND registrations.year=? 
 				AND (registrations.status='complete' OR registrations.status='paymentpending')");
-$q->execute();
+$q->execute([$year,$year]);
 $stats['schools_active'] = $q->rowCount();
 $stats['schools_public'] = 0;
 $stats['schools_private'] = 0;
@@ -262,10 +262,10 @@ $q = $pdo->prepare("SELECT students.*,schools.*
 \t \t\tFROM students
 				LEFT JOIN registrations ON students.registrations_id=registrations.id 
 				LEFT JOIN schools on students.schools_id=schools.id
-			WHERE students.year='$year' 
-				AND registrations.year='$year' 
+			WHERE students.year=? 
+				AND registrations.year=? 
 				AND (registrations.status='complete' OR registrations.status='paymentpending')");
-$q->execute();
+$q->execute([$year,$year]);
 show_pdo_errors_if_any($pdo);
 $stats['students_total'] = $q->rowCount();
 $stats['students_public'] = 0;
@@ -304,12 +304,12 @@ foreach ($unknown as $g => $a) {
 $q = $pdo->prepare("SELECT MAX(students.grade) AS grade FROM students
 \t \t\tLEFT JOIN registrations ON students.registrations_id=registrations.id 
 			LEFT JOIN projects ON projects.registrations_id=registrations.id 
-		WHERE  students.year='$year' 
-			AND registrations.year='$year' 
-			AND projects.year='$year' 
+		WHERE  students.year=? 
+			AND registrations.year=? 
+			AND projects.year=? 
 			AND (registrations.status='complete' OR registrations.status='paymentpending') 
 			GROUP BY projects.id");
-$q->execute();
+$q->execute([$year,$year,$year]);
 show_pdo_errors_if_any($pdo);
 while ($r = $q->fetch(PDO::FETCH_ASSOC)) {
 	$stats["projects_{$grademap[$r['grade']]}"]++;
@@ -318,20 +318,20 @@ while ($r = $q->fetch(PDO::FETCH_ASSOC)) {
 $q = $pdo->prepare("SELECT COUNT(id) AS num FROM users 
  \t\t\t\tLEFT JOIN users_committee ON users_committee.users_id=users.id
 \t \t\tWHERE types LIKE '%committee%' 
-				AND year='$year' 
+				AND year=? 
 				AND users_committee.committee_active='yes'
 				AND deleted='no'");
-$q->execute();
+$q->execute([$year]);
 $r = $q->fetch(PDO::FETCH_OBJ);
 $stats['committee_members'] = $r->num;
 
 $q = $pdo->prepare("SELECT COUNT(id) AS num FROM users LEFT JOIN users_judge ON users_judge.users_id=users.id 
- \t\t\t\t\tWHERE users.year='$year' 
+ \t\t\t\t\tWHERE users.year=? 
 						AND users.types LIKE '%judge%'
 						AND users.deleted='no'
 						AND users_judge.judge_complete='yes' 
 						AND users_judge.judge_active='yes'");
-$q->execute();
+$q->execute([$year]);
 $r = $q->fetch(PDO::FETCH_OBJ);
 $stats['judges'] = $r->num;
 
diff --git a/admin/fair_stats_select.php b/admin/fair_stats_select.php
index 2cb55b3a..3be42ac5 100644
--- a/admin/fair_stats_select.php
+++ b/admin/fair_stats_select.php
@@ -52,8 +52,8 @@
 		}
 	}
 	$s = join(',', $_POST['stats']);
-	$q = $pdo->prepare("UPDATE fairs SET gather_stats='$s' WHERE id='$id'");
-	$q->execute();
+	$q = $pdo->prepare("UPDATE fairs SET gather_stats=? WHERE id=?");
+	$q->execute([$s,$id]);
 	show_pdo_errors_if_any($pdo);
 	echo "UPDATE fairs SET gather_stats='$s' WHERE id='$id'";
 	happy_("Saved");
@@ -63,8 +63,8 @@
  /* Load the user we're editting */
  $u = user_load($_SESSION['embed_edit_id']);
  /* Load the fair attached to the user */
- $q = $pdo->prepare("SELECT * FROM fairs WHERE id={$u['fairs_id']}");
- $q->execute();
+ $q = $pdo->prepare("SELECT * FROM fairs WHERE id=?");
+ $q->execute([$u['fairs_id']]);
  $f = $q->fetch(PDO::FETCH_ASSOC);
 
 ?>
diff --git a/admin/fundraising.php b/admin/fundraising.php
index 6724afd9..9c881115 100644
--- a/admin/fundraising.php
+++ b/admin/fundraising.php
@@ -32,8 +32,8 @@ if (get_value_from_array($_GET, 'action') == 'refresh') {
 
 <h3><?= i18n('Fundraising Purposes and Progress Year to Date') ?></h3>
 <?
-    $q = $pdo->prepare("SELECT * FROM fundraising_goals WHERE fiscalyear='{$config['FISCALYEAR']}' ORDER BY deadline");
-    $q->execute();
+    $q = $pdo->prepare("SELECT * FROM fundraising_goals WHERE fiscalyear=? ORDER BY deadline");
+    $q->execute([$config['FISCALYEAR']]);
 ?>
 <table class="tableview">
  <thead>
@@ -48,8 +48,8 @@ if (get_value_from_array($_GET, 'action') == 'refresh') {
  <?
     while ($r = $q->fetch(PDO::FETCH_OBJ)) {
         // lookup all donations made towards this goal
-        $recq = $pdo->prepare("SELECT SUM(value) AS received FROM fundraising_donations WHERE fundraising_goal='$r->goal' AND fiscalyear='{$config['FISCALYEAR']}' AND status='received'");
-        $recq->execute();
+        $recq = $pdo->prepare("SELECT SUM(value) AS received FROM fundraising_donations WHERE fundraising_goal=? AND fiscalyear=? AND status='received'");
+        $recq->execute([$r->goal,$config['FISCALYEAR']]);
         show_pdo_errors_if_any($pdo);
         $recr = $recq->fetch(PDO::FETCH_OBJ);
         $received = $recr->received;
@@ -84,15 +84,15 @@ if (get_value_from_array($_GET, 'action') == 'refresh') {
  </tr>
  </thead>
 <?
-    $q = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE fiscalyear='{$config['FISCALYEAR']}'");
-    $q->execute();
+    $q = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE fiscalyear=?");
+    $q->execute([$config['FISCALYEAR']]);
 
     while ($r = $q->fetch(PDO::FETCH_OBJ)) {
-        $goalq = $pdo->prepare("SELECT * FROM fundraising_goals WHERE goal='{$r->fundraising_goal}' AND fiscalyear='{$config['FISCALYEAR']}'");
-        $goalq->execute();
+        $goalq = $pdo->prepare("SELECT * FROM fundraising_goals WHERE goal=? AND fiscalyear=?");
+        $goalq->execute([$r->fundraising_goal,$config['FISCALYEAR']]);
         $goalr = $goalq->fetch(PDO::FETCH_OBJ);
-        $recq = $pdo->prepare("SELECT SUM(value) AS received FROM fundraising_donations WHERE fundraising_campaigns_id='$r->id' AND fiscalyear='{$config['FISCALYEAR']}' AND status='received'");
-        $recq->execute();
+        $recq = $pdo->prepare("SELECT SUM(value) AS received FROM fundraising_donations WHERE fundraising_campaigns_id=? AND fiscalyear=? AND status='received'");
+        $recq->execute([$r->id,$config['FISCALYEAR']]);
         show_pdo_errors_if_any($pdo);
         $recr = $recq->fetch(PDO::FETCH_OBJ);
         $received = $recr->received;
@@ -133,10 +133,10 @@ if (get_value_from_array($_GET, 'action') == 'refresh') {
 \tDATE_ADD(datereceived, INTERVAL 2 MONTH) < NOW() AS twomonth
     FROM fundraising_donations
     WHERE thanked='no' AND status='received'
-    AND fiscalyear='{$config['FISCALYEAR']}' 
+    AND fiscalyear=? 
     ORDER BY datereceived
     ");
-    $q->execute();
+    $q->execute([$config['FISCALYEAR']]);
     show_pdo_errors_if_any($pdo);
 
     if ($q->rowCount()) {
@@ -149,8 +149,8 @@ if (get_value_from_array($_GET, 'action') == 'refresh') {
         echo "</tr></thead>\n";
 
         while ($r = $q->fetch(PDO::FETCH_OBJ)) {
-            $dq = $pdo->prepare("SELECT organization AS name FROM sponsors WHERE id='$r->sponsors_id'");
-            $dq->execute();
+            $dq = $pdo->prepare("SELECT organization AS name FROM sponsors WHERE id=?");
+            $dq->execute([$r->sponsors_id]);
             $dr = $dq->fetch(PDO::FETCH_OBJ);
             if ($r->twomonth)
                 $s = 'style="background-color: ' . colour_to_percent(0) . ';"';
@@ -190,10 +190,10 @@ if (get_value_from_array($_GET, 'action') == 'refresh') {
 \tDATE_ADD(datereceived, INTERVAL 2 MONTH) < NOW() AS twomonth
     FROM fundraising_donations
     WHERE (receiptrequired='yes' AND receiptsent='no') AND status='received'
-    AND fiscalyear='{$config['FISCALYEAR']}' 
+    AND fiscalyear=? 
     ORDER BY datereceived
     ");
-    $q->execute();
+    $q->execute([$config['FISCALYEAR']]);
     show_pdo_errors_if_any($pdo);
     if ($q->rowCount()) {
         echo '<table class="tableview">';
@@ -204,8 +204,8 @@ if (get_value_from_array($_GET, 'action') == 'refresh') {
         echo "</tr>\n";
 
         while ($r = $q->fetch(PDO::FETCH_OBJ)) {
-            $dq = $pdo->prepare("SELECT organization AS name FROM sponsors WHERE id='$r->sponsors_id'");
-            $dq->execute();
+            $dq = $pdo->prepare("SELECT organization AS name FROM sponsors WHERE id=?");
+            $dq->execute([$r->sponsors_id]);
             $dr = $dq->fetch(PDO::FETCH_OBJ);
             if ($r->twomonth)
                 $s = 'style="background-color: ' . colour_to_percent(0) . ';"';
@@ -280,8 +280,8 @@ if (get_value_from_array($_GET, 'action') == 'refresh') {
     exit;
 } else if (get_value_from_array($_POST, 'thanked')) {
     foreach ($_POST['thanked'] AS $t) {
-        $stmt = $pdo->prepare("UPDATE fundraising_donations SET thanked='yes' WHERE id='$t'");
-        $stmt->execute();
+        $stmt = $pdo->prepare("UPDATE fundraising_donations SET thanked='yes' WHERE id=?");
+        $stmt->execute([$t]);
     }
 }
 
diff --git a/admin/fundraising_campaigns.php b/admin/fundraising_campaigns.php
index b9b28805..86e4a3d5 100644
--- a/admin/fundraising_campaigns.php
+++ b/admin/fundraising_campaigns.php
@@ -35,8 +35,8 @@ switch (get_value_from_array($_GET, 'action')) {
 
     case 'modify':
         echo "<div id=\"campaignaccordion\" style=\"width: 780px;\">\n";
-        $q = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE fiscalyear='{$config['FISCALYEAR']}' ORDER BY name");
-        $q->execute();
+        $q = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE fiscalyear=? ORDER BY name");
+        $q->execute([$config['FISCALYEAR']]);
         while ($r = $q->fetch(PDO::FETCH_OBJ)) {
             echo '<h3><a href="#">' . htmlspecialchars($r->name) . "</a></h3>\n";
             echo "<div id=\"campaign_{$r->id}\">\n";
@@ -92,14 +92,14 @@ case 'managelist':
  </tr>
  </thead>
 <?
-        $q = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE fiscalyear='{$config['FISCALYEAR']}'");
-        $q->execute();
+        $q = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE fiscalyear=?");
+        $q->execute([$config['FISCALYEAR']]);
         while ($r = $q->fetch(PDO::FETCH_OBJ)) {
-            $goalq = $pdo->prepare("SELECT * FROM fundraising_goals WHERE goal='{$r->fundraising_goal}' AND fiscalyear='{$config['FISCALYEAR']}'");
-            $goalq->execute();
+            $goalq = $pdo->prepare("SELECT * FROM fundraising_goals WHERE goal=? AND fiscalyear=?");
+            $goalq->execute([$r->fundraising_goal,$config['FISCALYEAR']]);
             $goalr = $goalq->fetch(PDO::FETCH_OBJ);
-            $recq = $pdo->prepare("SELECT SUM(value) AS received FROM fundraising_donations WHERE fundraising_campaigns_id='$r->id' AND fiscalyear='{$config['FISCALYEAR']}' AND status='received'");
-            $recq->execute();
+            $recq = $pdo->prepare("SELECT SUM(value) AS received FROM fundraising_donations WHERE fundraising_campaigns_id=? AND fiscalyear=? AND status='received'");
+            $recq->execute([$r->id,$config['FISCALYEAR']]);
             show_pdo_errors_if_any($pdo);
             $recr = $recq->fetch(PDO::FETCH_OBJ);
             $received = $recr->received;
@@ -139,8 +139,8 @@ case 'managelist':
             exit;
         }
         $id = intval($_GET['id']);
-        $q = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE id='$id'");
-        $q->execute();
+        $q = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE id=?");
+        $q->execute([$id]);
         $campaign = $q->fetch(PDO::FETCH_OBJ);
         echo "<h3>$campaign->name</h3>\n";
 ?>
@@ -171,12 +171,12 @@ case 'managelist':
 
     case 'manage_tab_overview':
         $campaign_id = intval($_GET['id']);
-        $q = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE id='$campaign_id' AND fiscalyear='{$config['FISCALYEAR']}'");
-        $q->execute();
+        $q = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE id=? AND fiscalyear=?");
+        $q->execute([$campaign_id,$config['FISCALYEAR']]);
         if ($r = $q->fetch(PDO::FETCH_OBJ)) {
             $goalr = getGoal($r->fundraising_goal);
-            $recq = $pdo->prepare("SELECT SUM(value) AS received FROM fundraising_donations WHERE fundraising_campaigns_id='$r->id' AND fiscalyear='{$config['FISCALYEAR']}' AND status='received'");
-            $recq->execute();
+            $recq = $pdo->prepare("SELECT SUM(value) AS received FROM fundraising_donations WHERE fundraising_campaigns_id=? AND fiscalyear=? AND status='received'");
+            $recq->execute([$r->id,$config['FISCALYEAR']]);
             show_pdo_errors_if_any($pdo);
             $recr = recq->fetch(PDO::FETCH_OBJ);
             $received = $recr->received;
@@ -209,8 +209,8 @@ case 'managelist':
 
     case 'manage_tab_donations':
         $campaign_id = intval($_GET['id']);
-        $q = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE id='$campaign_id' AND fiscalyear='{$config['FISCALYEAR']}'");
-        $q->execute();
+        $q = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE id=? AND fiscalyear=?");
+        $q->execute([$campaign_id,$config['FISCALYEAR']]);
         if ($campaign = $q->fetch(PDO::FETCH_OBJ)) {
             echo '<table class="tableview">';
             echo '<thead>';
@@ -227,8 +227,8 @@ case 'managelist':
 \t\t\tAND status='received' ORDER BY datereceived DESC");
             while ($r = $q->fetch(PDO::FETCH_OBJ)) {
                 $goal = getGoal($r->fundraising_goal);
-                $sq = $pdo->prepare("SELECT * FROM sponsors WHERE id='{$r->sponsors_id}'");
-                $sq->execute();
+                $sq = $pdo->prepare("SELECT * FROM sponsors WHERE id=?");
+                $sq->execute([$r->sponsors_id]);
                 $sponsor = $sq->fetch(PDO::FETCH_OBJ);
                 echo '<tr><td>' . format_date($r->datereceived) . "</td>\n";
                 echo '    <td>' . $sponsor->organization . "</td>\n";
@@ -258,8 +258,8 @@ case 'managelist':
             'mentor' => 'Mentor (not implemented)',
         );
         $campaign_id = intval($_GET['id']);
-        $q = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE id='$campaign_id' AND fiscalyear='{$config['FISCALYEAR']}'");
-        $q->execute();
+        $q = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE id=? AND fiscalyear=?");
+        $q->execute([$campaign_id,$config['FISCALYEAR']]);
         $campaign = $q->fetch(PDO::FETCH_OBJ);
         if ($campaign->filterparameters) {
             echo '<h4>' . i18n('User List') . "</h4>\n";
@@ -307,8 +307,8 @@ case 'managelist':
             echo '<br />';
             echo "<form id=\"prospectremoveform\" onsubmit=\"return removeselectedprospects()\">\n";
             echo "<input type=\"hidden\" name=\"fundraising_campaigns_id\" value=\"$campaign_id\" />\n";
-            $q = $pdo->prepare("SELECT * FROM fundraising_campaigns_users_link WHERE fundraising_campaigns_id='$campaign_id'");
-            $q->execute();
+            $q = $pdo->prepare("SELECT * FROM fundraising_campaigns_users_link WHERE fundraising_campaigns_id=?");
+            $q->execute([$campaign_id]);
             while ($r = $q->fetch(PDO::FETCH_OBJ)) {
                 $u = user_load_by_uid($r->users_uid);
                 // hopefully this never returns false, but who knows..
@@ -359,8 +359,8 @@ case 'managelist':
         </td></tr>
         <tr><td><?= i18n('Donation Level') ?>:</td><td>
             <?
-            $q = $pdo->prepare("SELECT * FROM fundraising_donor_levels WHERE fiscalyear='{$config['FISCALYEAR']}' ORDER BY min");
-            $q->execute();
+            $q = $pdo->prepare("SELECT * FROM fundraising_donor_levels WHERE fiscalyear=? ORDER BY min");
+            $q->execute([$config['FISCALYEAR']]);
             while ($r = $q->fetch(PDO::FETCH_OBJ)) {
                 echo "<label><input onchange=\"return prospect_search()\" disabled=\"disabled\" type=\"checkbox\" name=\"donationlevel[]\" value=\"$r->level\" >" . i18n($r->level) . ' (' . format_money($r->min, false) . ' - ' . format_money($r->max, false) . ")</label><br />\n";
             }
@@ -408,8 +408,8 @@ case 'managelist':
 
     case 'manage_tab_communications':
         $campaign_id = intval($_GET['id']);
-        $q = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE id='$campaign_id' AND fiscalyear='{$config['FISCALYEAR']}'");
-        $q->execute();
+        $q = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE id=? AND fiscalyear=?");
+        $q->execute([$campaign_id,$config['FISCALYEAR']]);
         if ($r = $q->fetch(PDO::FETCH_OBJ)) {
         }
         $communications = array('initial' => 'Initial Communication',
@@ -418,8 +418,8 @@ case 'managelist':
         foreach ($communications as $key => $name) {
             echo '<h4>' . i18n($name) . "</h4>\n";
             // check if they have one in the emails database
-            $q = $pdo->prepare("SELECT * FROM emails WHERE fundraising_campaigns_id='$campaign_id' AND val='$key'");
-            $q->execute();
+            $q = $pdo->prepare("SELECT * FROM emails WHERE fundraising_campaigns_id=? AND val=?");
+            $q->execute([$campaign_id,$key]);
             if ($email = $q->fetch(PDO::FETCH_OBJ)) {
                 echo '<div style="float: right; margin-right: 15px;">';
                 echo "<a title=\"Edit\" href=\"#\" onclick=\"return opencommunicationeditor(null,$email->id,$campaign_id)\"><img src=\"" . $config['SFIABDIRECTORY'] . '/images/16/edit.' . $config['icon_extension'] . '" border=0></a>';
@@ -465,18 +465,18 @@ case 'managelist':
         print_r($_POST);
         if (is_array($_POST['prospectremovefromlist'])) {
             $uidlist = implode(',', $_POST['prospectremovefromlist']);
-            $query = "DELETE FROM fundraising_campaigns_users_link WHERE fundraising_campaigns_id='$campaignid' AND users_uid IN ($uidlist)";
+            $query = "DELETE FROM fundraising_campaigns_users_link WHERE fundraising_campaigns_id=? AND users_uid IN ($uidlist)";
             $stmt = $pdo->prepare($query);
-            $stmt->execute();
+            $stmt->execute([$campaignid]);
             show_pdo_errors_if_any($pdo);
         }
         // if theres nobody left in the list we need to reset the filter params as well
-        $q = $pdo->prepare("SELECT COUNT(*) AS num FROM fundraising_campaigns_users_link WHERE fundraising_campaigns_id='$campaignid'");
-        $q->execute();
+        $q = $pdo->prepare("SELECT COUNT(*) AS num FROM fundraising_campaigns_users_link WHERE fundraising_campaigns_id=?");
+        $q->execute([$campaignid]);
         $r = $q->fetch(PDO::FETCH_OBJ);
         if ($r->num == 0) {
-            $stmt = $pdo->prepare("UPDATE fundraising_campaigns SET filterparameters=NULL WHERE id='$campaignid'");
-            $stmt->execute();
+            $stmt = $pdo->prepare("UPDATE fundraising_campaigns SET filterparameters=NULL WHERE id=?");
+            $stmt->execute([$campaignid]);
         }
 
         happy_('Selected users removed from list');
@@ -485,10 +485,10 @@ case 'managelist':
 
     case 'prospect_removeall':
         $campaignid = intval($_POST['fundraising_campaigns_id']);
-        $stmt = $pdo->prepare("DELETE FROM fundraising_campaigns_users_link WHERE fundraising_campaigns_id='$campaignid'");
-        $stmt->execute();
-        $stmt = $pdo->prepare("UPDATE fundraising_campaigns SET filterparameters=NULL WHERE id='$campaignid'");
-        $stmt->execute();
+        $stmt = $pdo->prepare("DELETE FROM fundraising_campaigns_users_link WHERE fundraising_campaigns_id=?");
+        $stmt->execute([$campaignid]);
+        $stmt = $pdo->prepare("UPDATE fundraising_campaigns SET filterparameters=NULL WHERE id=?");
+        $stmt->execute([$campaignid]);
         happy_('All users removed from list');
         exit;
         break;
@@ -496,14 +496,14 @@ case 'managelist':
     case 'communication_remove':
         $emails_id = $_POST['id'];
         // check if its been sent, if so, it cannot be deleted, sorry!
-        $q = $pdo->prepare("SELECT * FROM emails WHERE id='$emails_id'");
-        $q->execute();
+        $q = $pdo->prepare("SELECT * FROM emails WHERE id=?");
+        $q->execute([$emails_id]);
         $e = $q->fetch(PDO::FETCH_OBJ);
         if ($e->lastsent) {
             error_('Cannot remove an email that has already been sent');
         } else {
-            $stmt = $pdo->prepare("DELETE FROM emails WHERE id='$emails_id'");
-            $stmt->execute();
+            $stmt = $pdo->prepare("DELETE FROM emails WHERE id=?");
+            $stmt->execute([$emails_id]);
             happy_('Communicaton removed');
         }
 
@@ -523,10 +523,10 @@ function save_campaign_info()
         $startdate = $_POST['startdate'];
 
     if (!$_GET['id']) {
-        $query = "INSERT INTO fundraising_campaigns (name, fiscalyear) VALUES ('" . stripslashes($_POST['name']) . "','{$config['FISCALYEAR']}')";
+        $query = "INSERT INTO fundraising_campaigns (name, fiscalyear) VALUES (?,?)";
         echo $query;
         $stmt = $pdo->prepare($query);
-        $stmt->execute();
+        $stmt->execute([stripslashes($_POST['name']),$config['FISCALYEAR']]);
         $id = $pdo->lastInsertId();
         happy_('Appeal Created');
     } else {
@@ -534,15 +534,15 @@ function save_campaign_info()
         happy_('Appeal Saved');
     }
     $stmt = $pdo->prepare("UPDATE fundraising_campaigns SET 
-       name='" . stripslashes($_POST['name']) . "',
-       `type`='" . $_POST['type'] . "',
-       startdate='" . $startdate . "',
-       followupdate='" . $_POST['followupdate'] . "',
-       enddate='" . $_POST['enddate'] . "',
-       target='" . $_POST['target'] . "',
-       fundraising_goal='" . $_POST['fundraising_goal'] . "'
-       WHERE id='$id'");
-    $stmt->execute();
+       name=?,
+       `type`=?,
+       startdate=?,
+       followupdate=?,
+       enddate=?,
+       target=?,
+       fundraising_goal=?
+       WHERE id=?");
+    $stmt->execute([stripslashes($_POST['name']),$_POST['type'],$startdate,$_POST['followupdate'],$_POST['enddate'],$_POST['target'],$_POST['fundraising_goal'],$id]);
 }
 
 send_header('Appeal Management',
@@ -800,8 +800,8 @@ function display_campaign_form($r = null)
 			<td><?= i18n('Target') ?></td><td>$<input type="text" id="target" name="target" size="10" value="<?= get_value_property_or_default($r, 'target') ?>" /></td>
 			<td><?= i18n('Default Purpose') ?></td><td colspan="3">
             <?
-            $fgq = $pdo->prepare("SELECT * FROM fundraising_goals WHERE fiscalyear='{$config['FISCALYEAR']}' ORDER BY name");
-            $fgq->execute();
+            $fgq = $pdo->prepare("SELECT * FROM fundraising_goals WHERE fiscalyear=? ORDER BY name");
+            $fgq->execute([$config['FISCALYEAR']]);
             echo '<select name="fundraising_goal">';
             echo '<option value="">' . i18n('Choose Default Purpose') . "</option>\n";
             while ($fgr = $fgq->fetch(PDO::FETCH_OBJ)) {
diff --git a/admin/fundraising_campaigns_prospecting.php b/admin/fundraising_campaigns_prospecting.php
index b81a1954..8ea06c32 100644
--- a/admin/fundraising_campaigns_prospecting.php
+++ b/admin/fundraising_campaigns_prospecting.php
@@ -140,8 +140,8 @@ $thisyearlist = $userslist;
 
 foreach ($neverlist AS $uid => $u) {
 	if ($u['sponsors_id']) {
-		$q = $pdo->prepare("SELECT * FROM fundraising_donations WHERE status='received' AND sponsors_id='{$u['sponsors_id']}'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT * FROM fundraising_donations WHERE status='received' AND sponsors_id=?");
+		$q->execute([$u['sponsors_id']]);
 		if ($q->rowCount()) {
 			//		echo "removing $uid because they have donated in the past <br />";
 			unset($neverlist[$uid]);
@@ -155,8 +155,8 @@ foreach ($neverlist AS $uid => $u) {
 
 foreach ($pastlist AS $uid => $u) {
 	if ($u['sponsors_id']) {
-		$q = $pdo->prepare("SELECT * FROM fundraising_donations WHERE status='received' AND sponsors_id='{$u['sponsors_id']}'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT * FROM fundraising_donations WHERE status='received' AND sponsors_id=?");
+		$q->execute([$u['sponsors_id']]);
 		if (!$q->rowCount()) {
 			//		echo "removing $uid because they have NOT donated in the past <br />";
 			unset($pastlist[$uid]);
@@ -171,8 +171,8 @@ $lastyear = $config['FISCALYEAR'] - 1;
 
 foreach ($lastyearlist AS $uid => $u) {
 	if ($u['sponsors_id']) {
-		$q = $pdo->prepare("SELECT * FROM fundraising_donations WHERE status='received' AND sponsors_id='{$u['sponsors_id']}' AND fiscalyear='$lastyear'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT * FROM fundraising_donations WHERE status='received' AND sponsors_id=? AND fiscalyear=?");
+		$q->execute([$u['sponsors_id'],$lastyear]);
 		if (!$q->rowCount()) {
 			//		echo "removing $uid because they have NOT donated last year <br />";
 			unset($lastyearlist[$uid]);
@@ -185,8 +185,8 @@ foreach ($lastyearlist AS $uid => $u) {
 
 foreach ($thisyearlist AS $uid => $u) {
 	if ($u['sponsors_id']) {
-		$q = $pdo->prepare("SELECT * FROM fundraising_donations WHERE status='received' AND sponsors_id='{$u['sponsors_id']}' AND fiscalyear='{$config['FISCALYEAR']}'");
-		$q->execcute();
+		$q = $pdo->prepare("SELECT * FROM fundraising_donations WHERE status='received' AND sponsors_id=? AND fiscalyear=?");
+		$q->execute([$u['sponsors_id'],$config['FISCALYEAR']]);
 		if (!$q->rowCount()) {
 			//		echo "removing $uid because they have NOT donated this year <br />";
 			unset($thisyearlist[$uid]);
@@ -216,12 +216,12 @@ if ($_GET['generatelist']) {
 	$campaignid = $_POST['fundraising_campaigns_id'];
 	$params = serialize($_POST);
 	echo "params=$params";
-	$stmt = $pdo->prepare("UPDATE fundraising_campaigns SET filterparameters='{$params}' WHERE id='$campaignid'");
-	$stmt->execute();
+	$stmt = $pdo->prepare("UPDATE fundraising_campaigns SET filterparameters=? WHERE id=?");
+	$stmt->execute([$params,$campaignid]);
 	$uids = array_keys($userslist);
 	foreach ($uids AS $u) {
-		$stmt = $pdo->prepare("INSERT INTO fundraising_campaigns_users_link (fundraising_campaigns_id, users_uid) VALUES ('$campaignid','$u')");
-		$stmt->execute();
+		$stmt = $pdo->prepare("INSERT INTO fundraising_campaigns_users_link (fundraising_campaigns_id, users_uid) VALUES (?,?)");
+		$stmt->execute([$campaignid,$u]);
 	}
 
 	echo 'List created';
diff --git a/admin/fundraising_common.inc.php b/admin/fundraising_common.inc.php
index 81bfb04b..55b68ba1 100644
--- a/admin/fundraising_common.inc.php
+++ b/admin/fundraising_common.inc.php
@@ -5,8 +5,8 @@ $salutations = array('Mr.', 'Mrs.', 'Ms', 'Dr.', 'Professor');
 function getGoal($goal)
 {
 	global $config, $pdo;
-	$q = $pdo->prepare("SELECT * FROM fundraising_goals WHERE goal='$goal' AND fiscalyear='{$config['FISCALYEAR']}' LIMIT 1");
-	$q->execute();
+	$q = $pdo->prepare("SELECT * FROM fundraising_goals WHERE goal=? AND fiscalyear=? LIMIT 1");
+	$q->execute([$goal,$config['FISCALYEAR']]);
 	return $q->fetch(PDO::FETCH_OBJ);
 }
 
diff --git a/admin/fundraising_goals_handler.inc.php b/admin/fundraising_goals_handler.inc.php
index 982bcc89..0b38be3c 100644
--- a/admin/fundraising_goals_handler.inc.php
+++ b/admin/fundraising_goals_handler.inc.php
@@ -2,16 +2,16 @@
 if ($_POST['action'] == 'funddelete' && $_POST['delete']) {
 	// first lookup all the sponsorships inside the fund
 	$id = intval($_POST['delete']);
-	$q = $pdo->prepare("SELECT * FROM fundraising_goals WHERE id='$id' AND year='" . $config['FISCALYEAR'] . "'");
-	$q->execute();
+	$q = $pdo->prepare("SELECT * FROM fundraising_goals WHERE id=? AND year=?");
+	$q->execute([$id,$config['FISCALYEAR']]);
 	$f = $q->fetch(PDO::FETCH_OBJ);
 	// hold yer horses, no deleting system funds!
 	if ($f) {
 		if ($f->system == 'no') {
-			$stmt = $pdo->prepare("DELETE FROM fundraising_donations WHERE fundraising_goal='" . $f->type . "' AND fiscalyear='" . $config['FISCALYEAR'] . "'");
-			$stmt->execute();
-			$stmt = $pdo->prepare("DELETE FROM fundraising_goals WHERE id='$id'");
-			$stmt->execute();
+			$stmt = $pdo->prepare("DELETE FROM fundraising_donations WHERE fundraising_goal=? AND fiscalyear=?");
+			$stmt->execute([$f->type,$config['FISCALYEAR']]);
+			$stmt = $pdo->prepare("DELETE FROM fundraising_goals WHERE id=?");
+			$stmt->execute([$id]);
 			if ($pdo->rowCount())
 				happy_('Successfully removed fund %1', array($f->name));
 		} else {
@@ -23,8 +23,8 @@ if ($_POST['action'] == 'funddelete' && $_POST['delete']) {
 if ($_POST['action'] == 'fundedit' || $_POST['action'] == 'fundadd') {
 	$fundraising_id = intval($_POST['fundraising_id']);
 	if ($fundraising_id) {
-		$q = $pdo->prepare("SELECT * FROM fundraising_goals WHERE id='$fundraising_id'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT * FROM fundraising_goals WHERE id=?");
+		$q->execute([$fundraising_id]);
 		$f = $q->fetch(PDO::FETCH_OBJ);
 		$system = $f->system;
 	}
@@ -37,11 +37,11 @@ if ($_POST['action'] == 'fundedit' || $_POST['action'] == 'fundadd') {
 if ($_POST['action'] == 'fundedit') {
 	if (($system == 'yes' && $budget) || ($system == 'no' && $budget && $goal && $name)) {
 		if ($system == 'yes') {
-			$stmt = $pdo->prepare("UPDATE fundraising SET budget='$budget', description='$description' WHERE id='$fundraising_id'");
-			$stmt->execute();
+			$stmt = $pdo->prepare("UPDATE fundraising SET budget=?, description=? WHERE id=?");
+			$stmt->execute([$budget,$description,$fundraising_id]);
 		} else {
-			$stmt = $pdo->prepare("UPDATE fundraising SET budget='$budget', description='$description', goal='$goal', name='$name' WHERE id='$fundraising_id'");
-			$stmt->execute();
+			$stmt = $pdo->prepare("UPDATE fundraising SET budget=?, description=?, goal=?, name=? WHERE id=?");
+			$stmt->execute([$budget,$description,$goal,$name,$fundraising_id]);
 		}
 
 		if ($pdo->errorInfo())
@@ -55,8 +55,8 @@ if ($_POST['action'] == 'fundedit') {
 }
 if ($_POST['action'] == 'fundadd') {
 	if ($goal && $type && $name) {
-		$stmt = $pdo->prepare("INSERT INTO fundraising_goals (goal,name,description,system,budget,fiscalyear) VALUES ('$goal','$name','$description','no','$budget','{$config['FISCALYEAR']}')");
-		$stmt->execute();
+		$stmt = $pdo->prepare("INSERT INTO fundraising_goals (goal,name,description,system,budget,fiscalyear) VALUES (?,?,?,'no',?,?)");
+		$stmt->execute([$goal,$name,$description,$budget,$config['FISCALYEAR']]);
 		happy_('Added new fund');
 	} else
 		error_('Required fields were missing, please try again');
diff --git a/admin/fundraising_main.inc.php b/admin/fundraising_main.inc.php
index f5e775f0..f7f74535 100644
--- a/admin/fundraising_main.inc.php
+++ b/admin/fundraising_main.inc.php
@@ -1,8 +1,8 @@
 <?
 if ($_GET['action'] == 'fundraisingmain') {
 	// this table is eventually going to be massive, and probably not in a tableview format, it'll show goals as well as all ongoing fund pledges, probabilities, etc as well as over/under, etc, all prettily colour coded.. basically a good overview of the total fundraising status of the fair.
-	$q = $pdo->prepare("SELECT * FROM fundraising_goals WHERE fiscalyear='{$config['FISCALYEAR']}' ORDER BY system DESC,goal");
-	$q->execute();
+	$q = $pdo->prepare("SELECT * FROM fundraising_goals WHERE fiscalyear=? ORDER BY system DESC,goal");
+	$q->execute([$config['FISCALYEAR']]);
 	echo '<table class="fundraisingtable">';
 
 	while ($r = $q->fetch(PDO::FETCH_OBJ)) {
@@ -25,23 +25,24 @@ if ($_GET['action'] == 'fundraisingmain') {
 		$typetotal = 0;
 		$typeprobtotal = 0;
 		$sq = $pdo->prepare("
-            SELECT fundraising_donations.id, sponsors.organization AS name, fundraising_donations.value, fundraising_donations.status, fundraising_donations.probability
-	\t FROM fundraising_donations
-	\t JOIN sponsors ON fundraising_donations.sponsors_id=sponsors.id
-	\t  WHERE (fundraising_donations.fundraising_goal='$r->goal' $orsql) 
-	\t  AND fundraising_donations.fiscalyear='{$config['FISCALYEAR']}'
+			(SELECT fundraising_donations.id, sponsors.organization AS name, 
+					fundraising_donations.value, fundraising_donations.status, fundraising_donations.probability
+			FROM fundraising_donations
+			JOIN sponsors ON fundraising_donations.sponsors_id = sponsors.id
+			WHERE (fundraising_donations.fundraising_goal = ? OR fundraising_donations.fundraising_goal = ?) 
+			AND fundraising_donations.fiscalyear = ?)
 
-          UNION
+			UNION
 
-        SELECT fundraising_donations.id, CONCAT(users.firstname,' ',users.lastname) AS name, fundraising_donations.value, fundraising_donations.status, fundraising_donations.probability
-	\t FROM fundraising_donations
-	\t JOIN users ON fundraising_donations.users_uid=users.uid
-	\t  WHERE (fundraising_donations.fundraising_goal='$r->goal' $orsql) 
-	\t  AND fundraising_donations.fiscalyear='{$config['FISCALYEAR']}'
+			(SELECT fundraising_donations.id, CONCAT(users.firstname, ' ', users.lastname) AS name, 
+					fundraising_donations.value, fundraising_donations.status, fundraising_donations.probability
+			FROM fundraising_donations
+			JOIN users ON fundraising_donations.users_uid = users.uid
+			WHERE (fundraising_donations.fundraising_goal = ? OR fundraising_donations.fundraising_goal = ?) 
+			AND fundraising_donations.fiscalyear = ?)
 
-	\t  ORDER BY status DESC, probability DESC, name
-            ");
-		$sq->execute();
+			ORDER BY status DESC, probability DESC, name");
+		$sq->execute([$r->goal, $orsql, $config['FISCALYEAR'], $r->goal, $orsql, $config['FISCALYEAR']]);
 		show_pdo_errors_if_any($pdo);
 		while ($sr = $sq->fetch(PDO::FETCH_OBJ)) {
 			echo "<tr id=\"sponsorships_$sr->id\" class=\"fundraising{$sr->status}\">";
diff --git a/admin/fundraising_reports.php b/admin/fundraising_reports.php
index 4e3d216f..505a43c2 100644
--- a/admin/fundraising_reports.php
+++ b/admin/fundraising_reports.php
@@ -84,8 +84,8 @@ while ($r = $q->fetch(PDO::FETCH_OBJ)) {
   <select name="goal">
    <option value="">All purposes</option>
    <?
-$q = $pdo->prepare("SELECT * FROM fundraising_goals WHERE fiscalyear='{$config['FISCALYEAR']}' ORDER BY name");
-$q->execute();
+$q = $pdo->prepare("SELECT * FROM fundraising_goals WHERE fiscalyear=? ORDER BY name");
+$q->execute([$config['FISCALYEAR']]);
 while ($r = $q->fetch(PDO::FETCH_OBJ)) {
     echo "<option value=\"$r->goal\">$r->name</option>\n";
 }
diff --git a/admin/fundraising_reports_std.php b/admin/fundraising_reports_std.php
index 4a71faf7..e738050c 100644
--- a/admin/fundraising_reports_std.php
+++ b/admin/fundraising_reports_std.php
@@ -44,13 +44,13 @@ if ($id && $type) {
 				$rep->newPage();
 				$rep->setFontSize(8);
 			}
-			$sql = "SELECT * FROM fundraising_campaigns WHERE fiscalyear='{$config['FISCALYEAR']}' ";
+			$sql = "SELECT * FROM fundraising_campaigns WHERE fiscalyear=? ";
 			if ($_GET['fundraising_campaigns_id']) {
-				$sql .= " AND id='" . intval($_GET['fundraising_campaigns_id']) . "'";
+				$sql .= " AND id=?";
 			}
 			$sql .= ' ORDER BY name';
 			$q = $pdo->prepare($sql);
-			$q->execute();
+			$q->execute([$config['FISCALYEAR'],intval($_GET['fundraising_campaigns_id'])]);
 			show_pdo_errors_if_any($pdo);
 			while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 				$rep->heading($r->name);
@@ -62,8 +62,8 @@ if ($id && $type) {
 				$thisyear = $config['FISCALYEAR'];
 				$lastyear = $config['FISCALYEAR'] - 1;
 
-				$pq = $pdo->prepare("SELECT * FROM fundraising_campaigns_users_link WHERE fundraising_campaigns_id='$r->id'");
-				$pq->execute();
+				$pq = $pdo->prepare("SELECT * FROM fundraising_campaigns_users_link WHERE fundraising_campaigns_id=?");
+				$pq->execute([$r->id]);
 				while ($pr = $pq->fetch(PDO::FETCH_OBJ)) {
 					$u = user_load_by_uid($pr->users_uid);
 					// hopefully this never returns false, but who knows..
@@ -75,16 +75,16 @@ if ($id && $type) {
 						// gah i dont know what the heck to do here
 
 						if ($u['sponsors_id']) {
-							$cq = $pdo->prepare("SELECT SUM(value) AS total FROM fundraising_donations WHERE sponsors_id='{$u['sponsors_id']}' AND fundraising_campaigns_id='$r->id' AND status='received' AND fiscalyear='$thisyear'");
-							$cq->execute();
+							$cq = $pdo->prepare("SELECT SUM(value) AS total FROM fundraising_donations WHERE sponsors_id=? AND fundraising_campaigns_id=? AND status='received' AND fiscalyear=?");
+							$cq->execute([$u['sponsors_id'],$r->id,$thisyear]);
 							$cr = $cq->fetch(PDO::FETCH_OBJ);
 							$thisappeal = $cr->total;
-							$cq = $pdo->prepare("SELECT SUM(value) AS total FROM fundraising_donations WHERE sponsors_id='{$u['sponsors_id']}' AND status='received' AND fiscalyear='$thisyear'");
-							$cq->execute();
+							$cq = $pdo->prepare("SELECT SUM(value) AS total FROM fundraising_donations WHERE sponsors_id=? AND status='received' AND fiscalyear=?");
+							$cq->execute([$u['sponsors_id'],$thisyear]);
 							$cr = $cq->fetch(PDO::FETCH_OBJ);
 							$thisyeartotal = $cr->total;
-							$cq = $pdo->prepare("SELECT SUM(value) AS total FROM fundraising_donations WHERE sponsors_id='{$u['sponsors_id']}' AND status='received' AND fiscalyear='$lastyear'");
-							$cq->execute();
+							$cq = $pdo->prepare("SELECT SUM(value) AS total FROM fundraising_donations WHERE sponsors_id=? AND status='received' AND fiscalyear=?");
+							$cq->execute([$u['sponsors_id'],$lastyear]);
 							$cr = $cq->fetch(PDO::FETCH_OBJ);
 							$lastyeartotal = $cr->total;
 							if ($lastyeartotal)
@@ -126,13 +126,13 @@ if ($id && $type) {
 				$rep->newPage();
 				$rep->setFontSize(8);
 			}
-			$sql = "SELECT * FROM fundraising_goals WHERE fiscalyear='{$config['FISCALYEAR']}' ";
+			$sql = "SELECT * FROM fundraising_goals WHERE fiscalyear=? ";
 			if ($_GET['goal']) {
-				$sql .= " AND goal='" . $_GET['goal'] . "'";
+				$sql .= " AND goal=?";
 			}
 			$sql .= ' ORDER BY name';
 			$q = $pdo->prepare($sql);
-			$q->execute();
+			$q->execute([$config['FISCALYEAR'],$_GET['goal']]);
 			show_pdo_errors_if_any($pdo);
 
 			while ($r = $q->fetch(PDO::FETCH_OBJ)) {
@@ -143,8 +143,8 @@ if ($id && $type) {
 				$table['widths'] = array(1.5, 0.5, 0.5, 0.75, 0.9, 0.9, 0.9, 0.5);
 				$table['dataalign'] = array('left', 'right', 'right', 'center', 'center', 'center', 'center', 'right');
 
-				$cq = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE fundraising_goal='$r->goal' AND fiscalyear='{$config['FISCALYEAR']}'");
-				$cq->execute();
+				$cq = $pdo->prepare("SELECT * FROM fundraising_campaigns WHERE fundraising_goal=? AND fiscalyear=?");
+				$cq->execute([$r->goal,$config['FISCALYEAR']]);
 				while ($cr = $cq->fetch(PDO::FETCH_OBJ)) {
 					$table['data'][] = array(
 						$cr->name,
diff --git a/admin/fundraising_setup.php b/admin/fundraising_setup.php
index c5d72ebf..bda0cb82 100644
--- a/admin/fundraising_setup.php
+++ b/admin/fundraising_setup.php
@@ -28,45 +28,45 @@ require_once ('../user.inc.php');
 user_auth_required('committee', 'admin');
 
 // first, insert any default fundraising donor levels
-$q = $pdo->prepare("SELECT * FROM fundraising_donor_levels WHERE fiscalyear='" . $config['FISCALYEAR'] . "'");
-$q->execute();
+$q = $pdo->prepare("SELECT * FROM fundraising_donor_levels WHERE fiscalyear=?");
+$q->execute([$config['FISCALYEAR']]);
 if (!$q->rowCount()) {
     $q = $pdo->prepare("SELECT * FROM fundraising_donor_levels WHERE fiscalyear='-1'");
     $q->execute();
     while ($r = $q->fetch(PDO::FETCH_OBJ)) {
         $pdo->prepare("INSERT INTO fundraising_donor_levels (`level`,`min`,`max`,`description`,`fiscalyear`) VALUES (
-            '" . $r->level . "',
-            '" . $r->min . "',
-            '" . $r->max . "',
-            '" . $r->description . "',
-            '" . $config['FISCALYEAR'] . ")')");
+            ?,
+            ?,
+            ?,
+            ?,
+            ?)')");
 
-        $pdo->execute();
+        $pdo->execute([$r->level,$r->min,$r->max,$r->description,$config['FISCALYEAR']]);
     }
 }
 
 // first, insert any default fundraising goals
-$q = $pdo->prepare("SELECT * FROM fundraising_goals WHERE fiscalyear='" . $config['FISCALYEAR'] . "'");
-$q->execute();
+$q = $pdo->prepare("SELECT * FROM fundraising_goals WHERE fiscalyear=?");
+$q->execute([$config['FISCALYEAR']]);
 if (!$q->rowCount()) {
     $q = $pdo->prepare("SELECT * FROM fundraising_goals WHERE fiscalyear='-1'");
     $q->execute();
     while ($r = $q->fetch(PDO::FETCH_OBJ)) {
         $stmt = $pdo->prepare("INSERT INTO fundraising_goals (`goal`,`name`,`description`,`system`,`budget`,`fiscalyear`) VALUES (
-            '" . stripslashes($r->goal) . "',
-            '" . stripslashes($r->name) . "',
-            '" . stripslashes($r->description) . "',
-            '" . $r->system . "',
-            '" . $r->budget . "',
-            '" . $config['FISCALYEAR'] . "')");
-        $stmt->execute();
+            ?,
+            ?,
+            ?,
+            ?,
+            ?,
+            ?)");
+        $stmt->execute([stripslashes($r->goal),stripslashes($r->name),stripslashes($r->description),$r->system,$r->budget, $config['FISCALYEAR']]);
     }
 }
 
 switch (get_value_from_array($_GET, 'gettab')) {
     case 'levels':
-        $q = $pdo->prepare("SELECT * FROM fundraising_donor_levels WHERE fiscalyear='{$config['FISCALYEAR']}' ORDER BY max");
-        $q->execute();
+        $q = $pdo->prepare("SELECT * FROM fundraising_donor_levels WHERE fiscalyear=? ORDER BY max");
+        $q->execute([$config['FISCALYEAR']]);
         echo "<div id=\"levelaccordion\" style=\"width: 75%;\">\n";
         while ($r = $q->fetch(PDO::FETCH_OBJ)) {
             echo "<h3><a href=\"#\">$r->level (" . format_money($r->min, false) . ' to ' . format_money($r->max, false) . ")</a></h3>\n";
@@ -120,8 +120,8 @@ switch (get_value_from_array($_GET, 'gettab')) {
         break;
 
     case 'goals':
-        $q = $pdo->prepare("SELECT * FROM fundraising_goals WHERE fiscalyear='{$config['FISCALYEAR']}' ORDER BY name");
-        $q->execute();
+        $q = $pdo->prepare("SELECT * FROM fundraising_goals WHERE fiscalyear=? ORDER BY name");
+        $q->execute([$config['FISCALYEAR']]);
         echo "<div id=\"goalaccordion\" style=\"width: 75%;\">\n";
         while ($r = $q->fetch(PDO::FETCH_OBJ)) {
             echo "<h3><a href=\"#\">$r->name (" . format_money($r->budget, false) . ') Deadline: ' . format_date($r->deadline) . "</a></h3>\n";
@@ -225,30 +225,30 @@ switch (get_value_from_array($_GET, 'action')) {
 
         if ($id) {
             $stmt = $pdo->prepare("UPDATE fundraising_donor_levels SET
-                    min='" . $_POST['min'] . "',
-                    max='" . $_POST['max'] . "',
-                    level='" . stripslashes($_POST['level']) . "',
-                    description='" . stripslashes($_POST['description']) . "'
-                    WHERE id='$id' AND fiscalyear='{$config['FISCALYEAR']}'
+                    min=?,
+                    max=?,
+                    level=?,
+                    description=?
+                    WHERE id=? AND fiscalyear=?
                     ");
-            $stmt->execute();
+            $stmt->execute([$_POST['min'],$_POST['max'],stripslashes($_POST['level']),stripslashes($_POST['description']),$id,$config['FISCALYEAR']]);
             happy_('Level Saved');
         } else {
             $stmt = $pdo->prepare("INSERT INTO fundraising_donor_levels (`level`,`min`,`max`,`description`,`fiscalyear`) VALUES (
-                '" . $_POST['level'] . "',
-                '" . $_POST['min'] . "',
-                '" . $_POST['max'] . "',
-                '" . $_POST['description'] . "',
-                '{$config['FISCALYEAR']}')");
-            $stmt->execute();
+                ?,
+                ?,
+                ?,
+                ?,
+                ?)");
+            $stmt->execute([$_POST['level'],$_POST['min'],$_POST['max'],$_POST['description'],$config['FISCALYEAR']]);
             happy_('Level Created');
         }
         exit;
         break;
     case 'level_delete':
         $id = $_POST['id'];
-        $stmt = $pdo->prepare("DELETE FROM fundraising_donor_levels WHERE id='$id' AND fiscalyear='{$config['FISCALYEAR']}'");
-        $stmt->execute();
+        $stmt = $pdo->prepare("DELETE FROM fundraising_donor_levels WHERE id=? AND fiscalyear=?");
+        $stmt->execute([$id,$config['FISCALYEAR']]);
         happy_('Level Deleted');
         exit;
         break;
@@ -261,20 +261,20 @@ switch (get_value_from_array($_GET, 'action')) {
         }
         if ($id) {
             $stmt = $pdo->prepare("UPDATE fundraising_goals SET
-                    budget='" . $_POST['budget'] . "',
-                    deadline='" . $_POST['deadline'] . "',
-                    name='" . stripslashes($_POST['name']) . "',
-                    description='" . stripslashes($_POST['description']) . "'
-                    WHERE id='$id' AND fiscalyear='{$config['FISCALYEAR']}'
+                    budget=?,
+                    deadline=?,
+                    name=?,
+                    description=?
+                    WHERE id=? AND fiscalyear=?
                     ");
-            $stmt->execute();
+            $stmt->execute([$_POST['budget'],$_POST['deadline'],stripslashes($_POST['name']),stripslashes($_POST['description']),$id,$config['FISCALYEAR']]);
             happy_('Purpose Saved');
         } else {
             $goal = strtolower($_POST['name']);
             $goal = preg_replace('[^a-z]', '', $goal);
             echo "SELECT * FROM fundraising_goals WHERE goal='$goal' AND fiscalyear='{$config['FISCALYEAR']}'";
-            $q = $pdo->prepare("SELECT * FROM fundraising_goals WHERE goal='$goal' AND fiscalyear='{$config['FISCALYEAR']}'");
-            $q->execute();
+            $q = $pdo->prepare("SELECT * FROM fundraising_goals WHERE goal=? AND fiscalyear=?");
+            $q->execute([$goal,$config['FISCALYEAR']]);
             show_pdo_errors_if_any($pdo);
             if ($q->rowCount()) {
                 error_('The automatically generated purpose key (%1) generated from (%2) is not unique.  Please try a different Purpose Name', array($goal, $_POST['name']));
@@ -282,13 +282,13 @@ switch (get_value_from_array($_GET, 'action')) {
             }
 
             $stmt = $pdo->prepare("INSERT INTO fundraising_goals (`goal`,`name`,`budget`,`deadline`,`description`,`fiscalyear`) VALUES (
-                '" . $goal . "',
-                '" . $_POST['name'] . "',
-                '" . $_POST['budget'] . "',
-                '" . $_POST['deadline'] . "',
-                '" . $_POST['description'] . "',
-                '{$config['FISCALYEAR']}')");
-            $stmt->execute();
+                ?,
+                ?,
+                ?,
+                ?,
+                ?,
+                ?)");
+            $stmt->execute([$goal,$_POST['name'],$_POST['budget'],$_POST['deadline'],$_POST['description'],$config['FISCALYEAR']]);
             happy_('Purpose Created');
         }
         exit;
@@ -296,8 +296,8 @@ switch (get_value_from_array($_GET, 'action')) {
     case 'goal_delete':
         $id = $_POST['id'];
         // they cant delete system ones
-        $q = $pdo->prepare("SELECT * FROM fundraising_goals WHERE id='$id' AND fiscalyear='{$config['FISCALYEAR']}'");
-        $q->execute();
+        $q = $pdo->prepare("SELECT * FROM fundraising_goals WHERE id=? AND fiscalyear=?");
+        $q->execute([$id,$config['FISCALYEAR']]);
         if (!$r = $q->fetch(PDO::FETCH_OBJ)) {
             error_('Invalid goal to delete');
             exit;
@@ -306,15 +306,15 @@ switch (get_value_from_array($_GET, 'action')) {
             error_('Fundraising goals created automatically and used by the system cannot be deleted');
             exit;
         }
-        $q = $pdo->prepare("SELECT * FROM fundraising_donations WHERE fundraising_goal='$r->goal' AND fiscalyear='{$config['FISCALYEAR']}'");
-        $q->execute();
+        $q = $pdo->prepare("SELECT * FROM fundraising_donations WHERE fundraising_goal=? AND fiscalyear=?");
+        $q->execute([$r->goal,$config['FISCALYEAR']]);
         if ($q->rowCount()) {
             error_('This goal already has donations assigned to it, it cannot be deleted');
             exit;
         }
 
-        $stmt = $pdo->prepare("DELETE FROM fundraising_goals WHERE id='$id' AND fiscalyear='{$config['FISCALYEAR']}'");
-        $stmt->execute();
+        $stmt = $pdo->prepare("DELETE FROM fundraising_goals WHERE id=? AND fiscalyear=?");
+        $stmt->execute([$id,$config['FISCALYEAR']]);
         happy_('Purpose Deleted');
         exit;
         break;
@@ -322,14 +322,14 @@ switch (get_value_from_array($_GET, 'action')) {
     case 'setup_save':
         $fye = sprintf('%02d-%02d', intval($_POST['fiscalendmonth']), intval($_POST['fiscalendday']));
 
-        $stmt = $pdo->prepare("UPDATE config SET val='$fye' WHERE var='fiscal_yearend' AND year='{$config['FAIRYEAR']}'");
-        $stmt->execute();
+        $stmt = $pdo->prepare("UPDATE config SET val=? WHERE var='fiscal_yearend' AND year=?");
+        $stmt->execute([$fye,$config['FAIRYEAR']]);
 
-        $stmt = $pdo->prepare("UPDATE config SET val='" . $_POST['registeredcharity'] . "' WHERE var='registered_charity' AND year='{$config['FAIRYEAR']}'");
-        $stmt->execute();
+        $stmt = $pdo->prepare("UPDATE config SET val=? WHERE var='registered_charity' AND year=?");
+        $stmt->execute([$_POST['registeredcharity'],$config['FAIRYEAR']]);
 
-        $stmt = $pdo->prepare("UPDATE config SET val='" . $_POST['charitynumber'] . "' WHERE var='charity_number' AND year='{$config['FAIRYEAR']}'");
-        $stmt->execute();
+        $stmt = $pdo->prepare("UPDATE config SET val=? WHERE var='charity_number' AND year=?");
+        $stmt->execute([$_POST['charitynumber'],$config['FAIRYEAR']]);
         happy_('Fundraising module setup saved');
         exit;
         break;
diff --git a/admin/fundraising_sponsorship.php b/admin/fundraising_sponsorship.php
index 3183829e..6495ec98 100644
--- a/admin/fundraising_sponsorship.php
+++ b/admin/fundraising_sponsorship.php
@@ -29,8 +29,8 @@ user_auth_required('committee', 'admin');
 
 if ($_GET['id']) {
 	$id = intval($_GET['id']);
-	$q = $pdo->prepare("SELECT fundraising_donations.*, sponsors.organization FROM fundraising_donations,sponsors WHERE fundraising_donations.id='$id' AND fundraising_donations.sponsors_id=sponsors.id");
-	$q->execute();
+	$q = $pdo->prepare("SELECT fundraising_donations.*, sponsors.organization FROM fundraising_donations,sponsors WHERE fundraising_donations.id=? AND fundraising_donations.sponsors_id=sponsors.id");
+	$q->execute([$id]);
 	$sponsorship = $q->fetch(PDO::FETCH_OBJ);
 	$formaction = 'sponsorshipedit';
 } else {
diff --git a/admin/fundraising_sponsorship_handler.inc.php b/admin/fundraising_sponsorship_handler.inc.php
index 664e316d..a1a391cb 100644
--- a/admin/fundraising_sponsorship_handler.inc.php
+++ b/admin/fundraising_sponsorship_handler.inc.php
@@ -1,7 +1,7 @@
 <?
 if ($_POST['action'] == 'sponsorshipdelete') {
-	$stmt = $pdo->prepare("DELETE FROM fundraising_donations WHERE id='" . intval($_POST['delete']) . "'");
-	$stmt->execute();
+	$stmt = $pdo->prepare("DELETE FROM fundraising_donations WHERE id=?");
+	$stmt->execute([intval($_POST['delete'])]);
 	if ($pdo->rowCount())
 		happy_('Successfully removed sponsorship');
 	exit;
@@ -24,8 +24,8 @@ if ($_POST['action'] == 'sponsorshipedit' || $_POST['action'] == 'sponsorshipadd
 
 if ($_POST['action'] == 'sponsorshipedit') {
 	if ($fundraising_donations_id && $fundraising_type && $value) {
-		$q = $pdo->prepare("SELECT * FROM fundraising_donations WHERE id='$fundraising_donations_id'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT * FROM fundraising_donations WHERE id=?");
+		$q->execute([$fundraising_donations_id]);
 		$current = $q->fetch(PDO::FETCH_OBJ);
 
 		unset($log);
@@ -43,15 +43,15 @@ if ($_POST['action'] == 'sponsorshipedit') {
 			$log[] = "Changed sponsorship probability from $current->probability to $probability";
 
 		if (count($log)) {
-			$stmt = $pdo->prepare("UPDATE fundraising_donations SET fundraising_type='$fundraising_type', value='$value', status='$status', probability='$probability' WHERE id='$fundraising_donations_id'");
-			$stmt->execute();
+			$stmt = $pdo->prepare("UPDATE fundraising_donations SET fundraising_type=?, value=?, status=?, probability=? WHERE id=?");
+			$stmt->execute([$fundraising_type,$value,$status,$probability,$fundraising_donations_id]);
 			foreach ($log AS $l) {
 				$stmt = $pdo->prepare("INSERT INTO fundraising_donor_logs (sponsors_id,dt,users_id,log) VALUES (
-						'$current->sponsors_id',
+						?,
 						NOW(),
-						'" . $_SESSION['users_id'] . "',
-						'" . $l . "')");
-				$stmt->execute();
+						?,
+						?)");
+				$stmt->execute([$current->sponsors_id,$_SESSION['users_id'],$l]);
 			}
 			if ($pdo->errorInfo())
 				echo error_($pdo->errorInfo());
@@ -66,16 +66,12 @@ if ($_POST['action'] == 'sponsorshipedit') {
 }
 if ($_POST['action'] == 'sponsorshipadd') {
 	if ($sponsors_id && $fundraising_type && $value) {
-		$stmt = $pdo->prepare("INSERT INTO fundraising_donations (sponsors_id,fundraising_type,value,status,probability,fiscalyear) VALUES ('$sponsors_id','$fundraising_type','$value','$status','$probability','{$config['FISCALYEAR']}')");
-		$stmt->execute();
+		$stmt = $pdo->prepare("INSERT INTO fundraising_donations (sponsors_id,fundraising_type,value,status,probability,fiscalyear) VALUES (?,?,?,?,?,?)");
+		$stmt->execute([$sponsors_id,$fundraising_type,$value,$status,$probability,$config['FISCALYEAR']]);
 
-		$stmt = $pdo->prepare("INSERT INTO fundraising_donor_logs (sponsors_id,dt,users_id,log) VALUES (
-		$stmt->execute();
-			'$sponsors_id',
-			NOW(),
-			'" . $_SESSION['users_id'] . "',
-			'" . "Created sponsorship: type=$fundraising_type, value=\$$value, status=$status, probability=$probability%") . "')";
+		$stmt = $pdo->prepare("INSERT INTO fundraising_donor_logs (sponsors_id,dt,users_id,log) VALUES (?,NOW(),?, Created sponsorship: type=?, value=\$?, status=?, probability=?%) ");
 		happy_('Added new sponsorship');
+		$stmt->execute([$sponsors_id,$_SESSION['users_id'],$fundraising_type,$value,$status,$probability]);
 	} else
 		error_('Required fields were missing, please try again');
 	if ($pdo->errorInfo())
diff --git a/admin/fundraising_types.php b/admin/fundraising_types.php
index b50672a5..68e1429a 100644
--- a/admin/fundraising_types.php
+++ b/admin/fundraising_types.php
@@ -29,8 +29,8 @@ user_auth_required('committee', 'admin');
 
 if ($_GET['id']) {
 	$id = intval($_GET['id']);
-	$q = $pdo->prepare("SELECT * FROM fundraising WHERE id='$id'");
-	$q->execute();
+	$q = $pdo->prepare("SELECT * FROM fundraising WHERE id=?");
+	$q->execute([$id]);
 	//	echo "<h2>Edit Fund</h2>";
 	$fund = $q->fetch(PDO::FETCH_OBJ);
 	$formaction = 'fundedit';
diff --git a/admin/gettranslation.php b/admin/gettranslation.php
index 255f1f5f..11120790 100644
--- a/admin/gettranslation.php
+++ b/admin/gettranslation.php
@@ -30,8 +30,8 @@ $ret = array();
 foreach ($config['languages'] AS $l => $ln) {
         if ($l == $config['default_language'])
                 continue;
-        $q = $pdo->prepare("SELECT * FROM translations WHERE lang='$l' AND strmd5='" . md5(iconv('ISO-8859-1', 'UTF-8', $_GET['str'])) . "'");
-        $q->execute();
+        $q = $pdo->prepare("SELECT * FROM translations WHERE lang=? AND strmd5=?");
+        $q->execute([$l,md5(iconv('ISO-8859-1', 'UTF-8', $_GET['str']))]);
         if ($r = $q->fetch(PDO::FETCH_OBJ))
                 $ret[$l] = iconv('ISO-8859-1', 'UTF-8', $r->val);
         else
diff --git a/admin/judges.inc.php b/admin/judges.inc.php
index ac6f79d0..6f46aee6 100644
--- a/admin/judges.inc.php
+++ b/admin/judges.inc.php
@@ -8,10 +8,10 @@ function getJudgingTeams()
 			FROM 
 				judges_teams
 			WHERE 
-				judges_teams.year='" . $config['FAIRYEAR'] . "'
+				judges_teams.year=?
 			ORDER BY 
 				num,name");
-	$q->execute();
+	$q->execute([$config['FAIRYEAR']]);
 
 	$lastteamid = -1;
 	$lastteamnum = -1;
@@ -28,8 +28,8 @@ function getJudgingTeams()
 		$rounds = array();
 		$tq = $pdo->prepare("SELECT * FROM judges_teams_timeslots_link
 					LEFT JOIN judges_timeslots ON judges_timeslots.id=judges_teams_timeslots_link.judges_timeslots_id
-					WHERE judges_teams_timeslots_link.judges_teams_id='{$r->id}'");
-		$tq->execute();
+					WHERE judges_teams_timeslots_link.judges_teams_id=?");
+		$tq->execute([$r->id]);
 		$teams[$r->id]['timeslots'] = array();
 		$teams[$r->id]['rounds'] = array();
 
@@ -39,8 +39,8 @@ function getJudgingTeams()
 		}
 
 		foreach ($rounds as $round_id) {
-			$tq = $pdo->prepare("SELECT * FROM judges_timeslots WHERE id='{$round_id}'");
-			$tq->execute();
+			$tq = $pdo->prepare("SELECT * FROM judges_timeslots WHERE id=?");
+			$tq->execute([$round_id]);
 			$teams[$r->id]['rounds'][] = $tq->fetch(PDO::FETCH_ASSOC);
 		}
 
@@ -55,12 +55,12 @@ function getJudgingTeams()
 					judges_teams_link
 				WHERE 
 					judges_teams_link.users_id=users.id AND
-					judges_teams_link.judges_teams_id='$r->id'
+					judges_teams_link.judges_teams_id=?
 				ORDER BY 
 					captain DESC,
 					lastname,
 					firstname");
-		$mq->execute();
+		$mq->execute([$r->id]);
 		show_pdo_errors_if_any($pdo);
 
 		$teamlangs = array();
@@ -87,9 +87,9 @@ function getJudgingTeams()
 		$lq = $pdo->prepare("SELECT projects.language
 			FROM judges_teams_timeslots_projects_link 
 			LEFT JOIN projects ON judges_teams_timeslots_projects_link.projects_id=projects.id
-			WHERE judges_teams_timeslots_projects_link.year='{$config['FAIRYEAR']}' AND
-			judges_teams_id='$r->id' AND language!='' ");
-		$lq->execute();
+			WHERE judges_teams_timeslots_projects_link.year=? AND
+			judges_teams_id=? AND language!='' ");
+		$lq->execute([$config['FAIRYEAR'],$r->id]);
 		show_pdo_errors_if_any($pdo);
 		$projectlangs = array();
 		while ($lr = $lq->fetch(PDO::FETCH_OBJ)) {
@@ -113,13 +113,13 @@ function getJudgingTeams()
 					award_types
 				WHERE
 					judges_teams_awards_link.award_awards_id=award_awards.id
-					AND judges_teams_awards_link.judges_teams_id='$r->id'
+					AND judges_teams_awards_link.judges_teams_id=?
 					AND award_awards.award_types_id=award_types.id
-					AND award_types.year='{$config['FAIRYEAR']}'
+					AND award_types.year=?
 				ORDER BY
 					name
 				");
-		$aq->execute();
+		$aq->execute([$r->id,$config['FAIRYEAR']]);
 		while ($ar = $aq->fetch(PDO::FETCH_OBJ)) {
 			$teams[$r->id]['awards'][] = array(
 				'id' => $ar->id,
@@ -144,13 +144,13 @@ function getJudgingTeam($teamid)
 			FROM 
 				judges_teams
 			WHERE 
-				judges_teams.year='" . $config['FAIRYEAR'] . "' AND
-				judges_teams.id='$teamid'
+				judges_teams.year=? AND
+				judges_teams.id=?
 			ORDER BY 
 				num,
 				name
 				");
-	$q->execute();
+	$q->execute([$config['FAIRYEAR'],$teamid]);
 
 	$team = array();
 
@@ -172,12 +172,12 @@ function getJudgingTeam($teamid)
 			judges_teams_link
 		WHERE 
 			judges_teams_link.users_id=users.id AND
-			judges_teams_link.judges_teams_id='$r->id'
+			judges_teams_link.judges_teams_id=?
 		ORDER BY 
 			captain DESC,
 			lastname,
 			firstname");
-		$mq->execute();
+		$mq->execute([$r->id]);
 		show_pdo_errors_if_any($pdo);
 
 		while ($mr = $mq->fetch(PDO::FETCH_OBJ)) {
@@ -200,13 +200,13 @@ function getJudgingTeam($teamid)
 					award_types
 				WHERE
 					judges_teams_awards_link.award_awards_id=award_awards.id
-					AND judges_teams_awards_link.judges_teams_id='$r->id'
+					AND judges_teams_awards_link.judges_teams_id=?
 					AND award_awards.award_types_id=award_types.id
-					AND award_types.year='{$config['FAIRYEAR']}'
+					AND award_types.year=?
 				ORDER BY
 					name
 				");
-		$aq->execute();
+		$aq->execute([$r->id,$config['FAIRYEAR']]);
 		while ($ar = $aq->fetch(PDO::FETCH_OBJ)) {
 			$team['awards'][] = array(
 				'id' => $ar->id,
@@ -248,11 +248,11 @@ function judges_load_all()
 	$ret = array();
 
 	$query = "SELECT id FROM users WHERE types LIKE '%judge%' 
-				AND year='{$config['FAIRYEAR']}'
+				AND year=?
 				AND deleted='no'
 				ORDER BY lastname, firstname";
 	$r = $pdo->prepare($query);
-	$r->execute();
+	$r->execute([$config['FAIRYEAR']]);
 	while ($i = $r->fetch(PDO::FETCH_ASSOC)) {
 		$u = user_load($i['id']);
 		if ($u['judge_complete'] == 'no')
diff --git a/admin/judges_info.php b/admin/judges_info.php
index eb9a4c09..6d91a0fa 100644
--- a/admin/judges_info.php
+++ b/admin/judges_info.php
@@ -105,8 +105,8 @@ if ($id < 1) {
 // get their availability
 $availabilityText = '';
 if ($config['judges_availability_enable'] == 'yes') {
-	$q = $pdo->prepare("SELECT * FROM judges_availability WHERE users_id=\"{$judgeinfo['id']}\" ORDER BY `start`");
-	$q->execute();
+	$q = $pdo->prepare("SELECT * FROM judges_availability WHERE users_id=? ORDER BY `start`");
+	$q->execute([$judgeinfo['id']]);	
 	$sel = array();
 	while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 		$st = substr($r->start, 0, 5);
@@ -131,9 +131,9 @@ if ($judgeinfo['special_award_only'] == 'yes') {
 	$query = 'SELECT aa.name AS awardname FROM judges_specialaward_sel jss'
 		. ' JOIN users ON jss.users_id = users.id'
 		. ' JOIN award_awards aa ON aa.id = jss.award_awards_id'
-		. ' WHERE users.id=' . $id;
+		. ' WHERE users.id=?';
 	$results = $pdo->prepare($query);
-	$results . execute();
+	$results->execute([$id]);
 	while ($record = $results . fetch()) {
 		$awardList[] = $record['awardname'];
 	}
@@ -143,8 +143,8 @@ if ($judgeinfo['special_award_only'] == 'yes') {
 }
 
 // get their preference for age category
-$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year='{$config['FAIRYEAR']}'");
-$q->execute();
+$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year=?");
+$q->execute([$config['FAIRYEAR']]);
 
 $catPreferenceText = $pdo->errorInfo() . '<ul>';
 while ($r = $q->fetch(PDO::FETCH_OBJ)) {
@@ -188,8 +188,8 @@ $catPreferenceText .= '</ul>';
 <?php
 
 // grab the list of divisions, because the last fields of the table will be the sub-divisions
-$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year='{$config['FAIRYEAR']}' ORDER BY id");
-$q->execute();
+$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year=? ORDER BY id");
+$q->execute([$config['FAIRYEAR']]);
 $divs = array();
 while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 	$divs[] = $r->id;
@@ -203,8 +203,8 @@ foreach ($divs as $div) {
 
 	echo '<td>';
 	$subq = $pdo->prepare("SELECT * FROM projectsubdivisions WHERE 
-				projectdivisions_id='$div' AND year='{$config['FAIRYEAR']}' ORDER BY subdivision");
-	$subq->execute();
+				projectdivisions_id=? AND year=? ORDER BY subdivision");
+	$subq->execute([$div,$config['FAIRYEAR']]);
 	$sd = array();
 	while ($subr = $subq->fetch(PDO::FETCH_OBJ)) {
 		if ($u['div_prefs_sub'][$subr->id] == 1) {
diff --git a/admin/judges_jdiv.php b/admin/judges_jdiv.php
index 32696626..8e393cd6 100644
--- a/admin/judges_jdiv.php
+++ b/admin/judges_jdiv.php
@@ -56,16 +56,16 @@ function newbuttonclicked(jdivs)
 
 $div = array();
 $divshort = array();
-$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY id");
-$q->execute();
+$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year=? ORDER BY id");
+$q->execute([$config['FAIRYEAR']]);
 while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 	$divshort[$r->id] = $r->division_shortform;
 	$div[$r->id] = $r->division;
 }
 
 $cat = array();
-$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY id");
-$q->execute();
+$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year=? ORDER BY id");
+$q->execute([$config['FAIRYEAR']]);
 while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 	$cat[$r->id] = $r->category;
 }
@@ -74,8 +74,8 @@ $dkeys = array_keys($div);
 $ckeys = array_keys($cat);
 
 if ($config['filterdivisionbycategory'] == 'yes') {
-	$q = $pdo->prepare("SELECT * FROM projectcategoriesdivisions_link WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY projectdivisions_id,projectcategories_id");
-	$q->execute();
+	$q = $pdo->prepare("SELECT * FROM projectcategoriesdivisions_link WHERE year=? ORDER BY projectdivisions_id,projectcategories_id");
+	$q->execute([$config['FAIRYEAR']]);
 	$divcat = array();
 	while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 		$divcat[] = array('c' => $r->projectcategories_id, 'd' => $r->projectdivisions_id);
@@ -133,13 +133,13 @@ function get_all_divs()
 			 * unassigned anymore
 			 */
 			$stmt = $pdo->prepare('INSERT INTO judges_jdiv (id, jdiv_id, projectdivisions_id, projectcategories_id, lang) '
-				. " VALUES('', 0, '$y', '$x', '$z')");
-			$stmt->execute();
+				. " VALUES('', 0,?,?,?)");
+			$stmt->execute([$y,$x,$z]);
 			$q = $pdo->prepare('SELECT id FROM judges_jdiv WHERE '
-				. " projectdivisions_id='$y' "
-				. " AND projectcategories_id='$x' "
-				. " AND lang='$z' ");
-			$q->execute();
+				. " projectdivisions_id=?"
+				. " AND projectcategories_id=?"
+				. " AND lang=?");
+			$q->execute([$y,$x,$z]);
 			$r = $q->fetch(PDO::FETCH_OBJ);
 
 			$cdl[$r->id]['id'] = $r->id;
@@ -159,13 +159,13 @@ function get_all_divs()
 		$y = $divshort[$cdl[$id]['div']];
 		$z = $div[$cdl[$id]['div']];
 		$q = $pdo->prepare('SELECT count(projects.id) AS cnt FROM projects,registrations WHERE '
-			. " projectdivisions_id='{$cdl[$id]['div']}' "
-			. " AND projectcategories_id='{$cdl[$id]['cat']}' "
-			. " AND language='{$cdl[$id]['lang']}' "
-			. " AND registrations.year='{$config['FAIRYEAR']}'"
+			. " projectdivisions_id=?"
+			. " AND projectcategories_id=?"
+			. " AND language=?"
+			. " AND registrations.year=?"
 			. ' AND projects.registrations_id=registrations.id'
 			. " AND (registrations.status='complete' OR registrations.status='paymentpending')");
-		$q->execute();
+		$q->execute([$cdl[$id]['div'],$cdl[$id]['cat'],$cdl[$id]['lang'],$config['FAIRYEAR']]);
 
 		$r = $q->fetch(PDO::FETCH_OBJ);
 		show_pdo_errors_if_any($pdo);
@@ -180,21 +180,21 @@ function get_all_divs()
 
 if (get_value_from_array($_POST, 'action') == 'add' && get_value_from_array($_POST, 'jdiv_id') && count(get_value_from_array($_POST, 'cdllist', [])) > 0) {
 	foreach ($_POST['cdllist'] AS $selectedcdl) {
-		$q = $pdo->prepare("UPDATE judges_jdiv SET jdiv_id='{$_POST['jdiv_id']}' WHERE "
-			. " id='$selectedcdl' ");
-		$q->execute();
+		$q = $pdo->prepare("UPDATE judges_jdiv SET jdiv_id=? WHERE "
+			. " id=?");
+		$q->execute([$_POST['jdiv_id'],$selectedcdl]);
 	}
 	echo happy(i18n('Judging Division(s) successfully added'));
 }
 
 if (get_value_from_array($_GET, 'action') == 'del' && get_value_from_array($_GET, 'cdl_id')) {
-	$stmt = $pdo->prepare("UPDATE judges_jdiv SET jdiv_id=0 WHERE id='{$_GET['cdl_id']}'");
-	$stmt->execute();
+	$stmt = $pdo->prepare("UPDATE judges_jdiv SET jdiv_id=0 WHERE id=?");
+	$stmt->execute([$_GET['cdl_id']]);
 }
 
 if (get_value_from_array($_GET, 'action') == 'empty' && get_value_from_array($_GET, 'jdiv_id')) {
-	$stmt = $pdo->prepare("UPDATE judges_jdiv SET jdiv_id=0 WHERE jdiv_id='{$_GET['jdiv_id']}' ");
-	$stmt->execute();
+	$stmt = $pdo->prepare("UPDATE judges_jdiv SET jdiv_id=0 WHERE jdiv_id=?");
+	$stmt->execute([$_GET['jdiv_id']]);
 	echo happy(i18n('Emptied all divisions from Judging Division Group %1', array($_GET['jdiv_id'])));
 }
 
diff --git a/admin/judges_sa.php b/admin/judges_sa.php
index 84336ab6..11f47c91 100644
--- a/admin/judges_sa.php
+++ b/admin/judges_sa.php
@@ -63,9 +63,9 @@ function set_status($txt)
 {
 	global $pdo;
 	TRACE("Status: $txt\n");
-	$stmt = $pdo->prepare("UPDATE config SET val='$txt' WHERE 
+	$stmt = $pdo->prepare("UPDATE config SET val=? WHERE 
 			var='judge_scheduler_activity' AND year=0");
-	$stmt->execute();
+	$stmt->execute([$txt]);
 }
 
 $set_percent_last_percent = -1;
@@ -78,9 +78,9 @@ function set_percent($n)
 	if ($p == $set_percent_last_percent)
 		return;
 	TRACE("Progress: $p\%\n");
-	$stmt = $pdo->prepare("UPDATE config SET val='$p' WHERE 
+	$stmt = $pdo->prepare("UPDATE config SET val=? WHERE 
 			var='judge_scheduler_percent' AND year=0");
-	$stmt->execute();
+	$stmt->execute([$p]);
 	$set_percent_last_percent = $p;
 }
 
@@ -413,8 +413,8 @@ set_status('Loading Data From Database...');
 TRACE("\n\n");
 $div = array();
 TRACE("Loading Project Divisions...\n");
-$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY id");
-$q->execute();
+$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year=? ORDER BY id");
+$q->execute([$config['FAIRYEAR']]);
 while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 	$divshort[$r->id] = $r->division_shortform;
 	$div[$r->id] = $r->division;
@@ -423,8 +423,8 @@ while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 
 TRACE("Loading Project Age Categories...\n");
 $cat = array();
-$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY id");
-$q->execute();
+$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year=? ORDER BY id");
+$q->execute([$config['FAIRYEAR']]);
 while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 	$cat[$r->id] = $r->category;
 	TRACE("   {$r->id} - {$r->category}\n");
@@ -442,14 +442,14 @@ while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 TRACE("Loading Judging Round time data...\n");
 $round_special_awards = array();
 $round = array();
-$q = $pdo->prepare("SELECT * FROM judges_timeslots WHERE round_id='0' AND `year`='{$config['FAIRYEAR']}'");
-$q->execute();
+$q = $pdo->prepare("SELECT * FROM judges_timeslots WHERE round_id='0' AND `year`=?");
+$q->execute([$config['FAIRYEAR']]);
 /* Loads judges_timeslots.id, .starttime, .endtime, .date, .name */
 while ($r = $q->fetch(PDO::FETCH_ASSOC)) {
 	TRACE("   id:{$r['id']} type:{$r['type']} name:{$r['name']}\n");
 
-	$qq = $pdo->prepare("SELECT * FROM judges_timeslots WHERE round_id='{$r['id']}'");
-	$qq->execute();
+	$qq = $pdo->prepare("SELECT * FROM judges_timeslots WHERE round_id=?");
+	$qq->execute([$r['id']]);
 	if ($qq->rowCount() == 0) {
 		echo "ERROR: Round type:{$r['type']} name:{$r['name']} has no judging timeslots!  Abort.\n";
 		exit;
@@ -497,13 +497,13 @@ foreach ($keys as $jdiv_id) {
 			TRACE("\t- ");
 		TRACE($cat[$d['cat']] . ' ' . $div[$d['div']] . ' - ' . $langr[$d['lang']]);
 		$qp = $pdo->prepare('SELECT projects.* FROM projects, registrations WHERE '
-			. " projects.year='" . $config['FAIRYEAR'] . "' AND "
-			. " projectdivisions_id='{$d['div']}' AND "
-			. " projectcategories_id='{$d['cat']}' AND "
-			. " language='{$d['lang']}' AND "
+			. " projects.year=? AND "
+			. " projectdivisions_id=? AND "
+			. " projectcategories_id=? AND "
+			. " language=? AND "
 			. ' registrations.id = projects.registrations_id '
 			. getJudgingEligibilityCode());
-		$qp->execute();
+		$qp->execute([$config['FAIRYEAR'],$d['div'],$d['cat'],$d['lang']]);
 		$count = 0;
 		while ($rp = $qp->fetch(PDO::FETCH_OBJ)) {
 			$jdiv[$jdiv_id]['projects'][$rp->id] = array(
@@ -524,37 +524,37 @@ foreach ($keys as $jdiv_id) {
 
 /* Clean out the judging teams that were autocreated in a previous run */
 TRACE('Deleting autocreated divisional and special award judging teams:');
-$q = $pdo->prepare("SELECT * FROM judges_teams WHERE autocreate_type_id=1 AND year={$config['FAIRYEAR']}");
-$q->execute();
+$q = $pdo->prepare("SELECT * FROM judges_teams WHERE autocreate_type_id=1 AND year=?");
+$q->execute([$config['FAIRYEAR']]);
 while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 	$id = $r->id;
 	print (" $id");
 	/* Clean out the judges_teams_link */
 
-	$stmt = $pdo->prepare("DELETE FROM judges_teams_link WHERE judges_teams_id='$id' AND year={$config['FAIRYEAR']}");
-	$stmt->execute();
+	$stmt = $pdo->prepare("DELETE FROM judges_teams_link WHERE judges_teams_id=? AND year=?");
+	$stmt->execute([$id,$config['FAIRYEAR']]);
 	show_pdo_errors_if_any($pdo);
 	/* Awards */
 
-	$stmt = $pdo->prepare("DELETE FROM judges_teams_awards_link WHERE judges_teams_id='$id' AND year={$config['FAIRYEAR']}");
-	$stmt->execute();
+	$stmt = $pdo->prepare("DELETE FROM judges_teams_awards_link WHERE judges_teams_id=? AND year=?");
+	$stmt->execute([$id,$config['FAIRYEAR']]);
 	show_pdo_errors_if_any($pdo);
 	/* Timeslots */
 
-	$stmt = $pdo->prepare("DELETE FROM judges_teams_timeslots_link WHERE judges_teams_id='$id' AND year={$config['FAIRYEAR']}");
-	$stmt->execute();
+	$stmt = $pdo->prepare("DELETE FROM judges_teams_timeslots_link WHERE judges_teams_id=? AND year=?");
+	$stmt->execute([$id,$config['FAIRYEAR']]);
 	show_pdo_errors_if_any($pdo);
 	/* Timeslots projects */
 
-	$stmt = $pdo->prepare("DELETE FROM judges_teams_timeslots_projects_link WHERE judges_teams_id='$id' AND year={$config['FAIRYEAR']}");
-	$stmt->execute();
+	$stmt = $pdo->prepare("DELETE FROM judges_teams_timeslots_projects_link WHERE judges_teams_id=? AND year=?");
+	$stmt->execute([$id,$config['FAIRYEAR']]);
 	show_pdo_errors_if_any($pdo);
 }
 echo "\n";
 
 /* Finally, delete all the autocreated judges teams */
-$stmt = $pdo->prepare("DELETE FROM judges_teams WHERE autocreate_type_id=1 AND year={$config['FAIRYEAR']}");
-$stmt->execute();
+$stmt = $pdo->prepare("DELETE FROM judges_teams WHERE autocreate_type_id=1 AND year=?");
+$stmt->execute([$config['FAIRYEAR']]);
 show_pdo_errors_if_any($pdo);
 
 /*
@@ -564,14 +564,14 @@ show_pdo_errors_if_any($pdo);
 $q = $pdo->prepare("SELECT judges_teams_link.id, judges_teams.id AS judges_teams_id 
 			FROM judges_teams_link 
 			LEFT JOIN judges_teams ON judges_teams_link.judges_teams_id=judges_teams.id 
-			WHERE judges_teams_link.year={$config['FAIRYEAR']}");
+			WHERE judges_teams_link.year=?");
 
-$q->execute();
+$q->execute([$config['FAIRYEAR']]);
 $n = 0;
 while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 	if (!$r->judges_teams_id) {
-		$stmt = $pdo->prepare("DELETE FROM judges_teams_link WHERE id='$r->id'");
-		$stmt->execute();
+		$stmt = $pdo->prepare("DELETE FROM judges_teams_link WHERE id=?");
+		$stmt->execute([$r->id]);
 		$n++;
 	}
 }
@@ -595,9 +595,9 @@ foreach ($judges as &$j) {
 	}
 
 	$q = $pdo->prepare("SELECT users_id FROM judges_teams_link WHERE 
-				users_id='{$j['id']}'
-				AND year='{$config['FAIRYEAR']}'");
-	$q->execute();
+				users_id=?
+				AND year=?");
+	$q->execute([$j['id'],$config['FAIRYEAR']]);
 	if ($q->rowCount() != 0) {
 		TRACE("   {$j['name']} is already on a judging team, skipping.\n");
 		unset($judges[$j['id']]);
@@ -605,8 +605,8 @@ foreach ($judges as &$j) {
 	}
 	if ($config['judges_availability_enable'] == 'yes') {
 		/* Load the judge time availability */
-		$q = $pdo->prepare("SELECT * FROM judges_availability WHERE users_id='{$j['id']}' ORDER BY `start`");
-		$q->execute();
+		$q = $pdo->prepare("SELECT * FROM judges_availability WHERE users_id=? ORDER BY `start`");
+		$q->execute([$j['id']]);
 		if ($q->rowCount() == 0) {
 			TRACE("   {$j['name']} hasn't selected any time availability, POTENTIAL BUG (they shouldn't be marked as complete).\n");
 			TRACE("      Ignoring this judge.\n");
@@ -624,9 +624,9 @@ foreach ($judges as &$j) {
 				judges_specialaward_sel,award_awards 
 				WHERE
 				award_awards.id=judges_specialaward_sel.award_awards_id
-				AND judges_specialaward_sel.users_id='{$j['id']}'
-				AND award_awards.year='{$config['FAIRYEAR']}'");
-	$q->execute();
+				AND judges_specialaward_sel.users_id=?
+				AND award_awards.year=?");
+	$q->execute([$j['id'],$config['FAIRYEAR']]);
 	show_pdo_errors_if_any($pdo);
 
 	if ($j['special_award_only'] == 'yes') {
@@ -676,8 +676,8 @@ if (count($judges) == 0) {
  * Load the numbers for any user-defined judge teams that already exist,
  * these numbers will be off-limits for auto-assigning numbers
  */
-$q = $pdo->prepare("SELECT * FROM judges_teams WHERE year={$config['FAIRYEAR']}");
-$q->execute();
+$q = $pdo->prepare("SELECT * FROM judges_teams WHERE year=?");
+$q->execute([$config['FAIRYEAR']]);
 $used_judges_teams_numbers = array();
 while ($i = $q->fetch(PDO::FETCH_ASSOC)) {
 	$used_judges_teams_numbers[] = $i['num'];
@@ -725,11 +725,9 @@ function judge_team_create($num, $name)
 function judge_team_add_judge($team_id, $users_id)
 {
 	global $config, $judges;
-	$stmt = $pdo->prepare("INSERT INTO judges_teams_link
-		\t (users_id,judges_teams_id,captain,year) 
-	\t VALUES ('$users_id','$team_id','{$judges[$users_id]['willing_chair']}',
-				'{$config['FAIRYEAR']}')");
-	$stmt->execute();
+	$stmt = $pdo->prepare("INSERT INTO judges_teams_link (users_id, judges_teams_id, captain, year) VALUES (?, ?, ?, ?)");
+	$stmt->execute([$users_id, $team_id, $judges[$users_id]['willing_chair'], $config['FAIRYEAR']]);
+	
 	show_pdo_errors_if_any($pdo);
 }
 
@@ -919,20 +917,20 @@ for ($x = 1; $x < count($jteam); $x++) {
 						award_awards_projectcategories,
 						award_awards_projectdivisions
 					WHERE 
-						award_awards.year='{$config['FAIRYEAR']}'
+						award_awards.year=?
 						AND award_awards.id=award_awards_projectcategories.award_awards_id
 						AND award_awards.id=award_awards_projectdivisions.award_awards_id
-						AND award_awards_projectcategories.projectcategories_id='{$cfg['cat']}'
-						AND award_awards_projectdivisions.projectdivisions_id='{$cfg['div']}'
+						AND award_awards_projectcategories.projectcategories_id=?
+						AND award_awards_projectdivisions.projectdivisions_id=?
 						AND award_awards.award_types_id='1'
 					");
-		$q->execute();
+		$q->execute([$config['FAIRYEAR'],$cfg['cat'],$cfg['div']]);
 		if ($q->rowCount() != 1) {
 			echo error(i18n('Cannot find award for %1 - %2', array($cat[$cfg['cat']], $div[$cfg['div']])));
 		} else {
 			$r = $q->fetch(PDO::FETCH_OBJ);
-			$stmt = $pdo->prepare("INSERT INTO judges_teams_awards_link (award_awards_id,judges_teams_id,year) VALUES ('$r->id','$team_id','{$config['FAIRYEAR']}')");
-			$stmt->execute();
+			$stmt = $pdo->prepare("INSERT INTO judges_teams_awards_link (award_awards_id,judges_teams_id,year) VALUES (?,?,?)");
+			$stmt->execute([$r->id,$team_id,$config['FAIRYEAR']]);
 			/* Add the award ID to the jdiv, if it's not already there */
 			if (!in_array($r->id, $jdiv[$t['jdiv_id']]['award_ids'])) {
 				$jdiv[$t['jdiv_id']]['award_ids'][] = $r->id;
@@ -1008,8 +1006,8 @@ if ($round_divisional2 == NULL) {
 
 		/* Assign all the awards in this jdiv */
 		foreach ($jd['award_ids'] as $aid) {
-			$stmt = $pdo->prepare("INSERT INTO judges_teams_awards_link (award_awards_id,judges_teams_id,year) VALUES ('$aid','$team_id','{$config['FAIRYEAR']}')");
-			$stmt->execute();
+			$stmt = $pdo->prepare("INSERT INTO judges_teams_awards_link (award_awards_id,judges_teams_id,year) VALUES (?,?,?)");
+			$stmt->execute([$aid,$team_id,$config['FAIRYEAR']]);
 		}
 	}
 }
@@ -1134,14 +1132,14 @@ if ($config['scheduler_enable_sa_scheduling'] == 'yes') {
 	/* Load special awards */
 	$q = "SELECT award_awards.name,award_awards.id FROM award_awards,award_types
 		WHERE 
-			award_awards.year='{$config['FAIRYEAR']}'
+			award_awards.year=?
 			AND award_types.id=award_awards.award_types_id
 			AND award_awards.schedule_judges='yes'
-			AND award_types.year='{$config['FAIRYEAR']}'
+			AND award_types.year=?
 			AND award_types.type='Special' 
 		";
 	$r = $pdo->prepare($q);
-	$r->execute();
+	$r->execute([$config['FAIRYEAR'],$config['FAIRYEAR']]);
 	print ($pdo->errorInfo());
 	/* sa_jteam for leftover judges, if any */
 	$sa_jteam = array();
@@ -1179,8 +1177,8 @@ if ($config['scheduler_enable_sa_scheduling'] == 'yes') {
 
 		/* Link the award to this team */
 		$stmt = $pdo->prepare("INSERT INTO judges_teams_awards_link (award_awards_id,judges_teams_id,year) 
-				VALUES ('{$i->id}','{$sa_jteam[$x]['id']}','{$config['FAIRYEAR']}')");
-		$stmt->execute();
+				VALUES (?,?,?)");
+		$stmt->execute([$i->id,$sa_jteam[$x]['id'],$config['FAIRYEAR']]);
 
 		TRACE("Created Team: {$i->name}, " . count($projects) . " projects => $min judges needed (db id:{$sa_jteam[$x]['id']}) \n");
 		$x++;
@@ -1397,16 +1395,16 @@ if ($config['scheduler_enable_sa_scheduling'] == 'yes') {
 			/* Do timeslot and project timeslot assignment */
 			$stmt = $pdo->prepare("INSERT INTO judges_teams_timeslots_link 
 							(judges_teams_id,judges_timeslots_id,year)
-							VALUES ('{$t['id']}', '{$r['timeslots'][0]['id']}', '{$config['FAIRYEAR']}')");
-			$stmt->execute();
+							VALUES (?,?,?)");
+			$stmt->execute([$t['id'],$r['timeslots'][0]['id'],$config['FAIRYEAR']]);
 			show_pdo_errors_if_any($pdo);
 
 			foreach ($t['projects'] as $proj) {
 				$pid = $proj['id'];
 				$stmt = $pdo->prepare("INSERT INTO judges_teams_timeslots_projects_link 
 								(judges_teams_id,judges_timeslots_id,projects_id,year)
-								VALUES ('{$t['id']}', '{$r['timeslots'][0]['id']}', '$pid', '{$config['FAIRYEAR']}')");
-				$stmt->execute();
+								VALUES (?,?,?,?)");
+				$stmt->execute([$t['id'],$r['timeslots'][0]['id'],$pid,$config['FAIRYEAR']]);
 				show_pdo_errors_if_any($pdo);
 			}
 			$ids = $a->bucket[$x];
@@ -1437,11 +1435,11 @@ TRACE("Loading Divisional1 Timeslot Data\n");
 $available_timeslots = array();
 
 $q = $pdo->prepare("SELECT * FROM judges_timeslots WHERE 
-			round_id='{$round_divisional1['id']}' 
-			AND year='{$config['FAIRYEAR']}' 
+			round_id=? 
+			AND year=? 
 			AND type='timeslot'
 			ORDER BY date,starttime");
-$q->execute();
+$q->execute([$round_divisional1['id'],$config['FAIRYEAR']]);
 $x = 0;
 while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 	$available_timeslots[] = array('id' => $r->id,
@@ -1620,19 +1618,11 @@ for ($k = 0; $k < $keys_count; $k++) {
 				continue;
 
 			/* if jteam_id isn't 0, instert it into the db */
-			$stmt = $pdo->prepare('INSERT INTO judges_teams_timeslots_link '
-				. ' (judges_teams_id,judges_timeslots_id,year)'
-				. " VALUES ('{$jteam[$jteam_id]['team_id']}', "
-				. " '{$available_timeslots[$y]['id']}', "
-				. " '{$config['FAIRYEAR']}')");
-			$stmt->execute();
+			$stmt = $pdo->prepare('INSERT INTO judges_teams_timeslots_link (judges_teams_id,judges_timeslots_id,year) VALUES (?,?,?)');
+			$stmt->execute([$jteam[$jteam_id]['team_id'],$available_timeslots[$y]['id'],$config['FAIRYEAR']]);
 
-			$stmt = $pdo->prepare('INSERT INTO judges_teams_timeslots_projects_link '
-				. ' (judges_teams_id,judges_timeslots_id,projects_id,year) '
-				. " VALUES ('{$jteam[$jteam_id]['team_id']}', "
-				. " '{$available_timeslots[$y]['id']}', "
-				. " '$pid', '{$config['FAIRYEAR']}')");
-			$stmt->execute();
+			$stmt = $pdo->prepare('INSERT INTO judges_teams_timeslots_projects_link (judges_teams_id,judges_timeslots_id,projects_id,year) VALUES (?,?,?,?)');
+			$stmt->execute([$jteam[$jteam_id]['team_id'],$available_timeslots[$y]['id'],$pid,$config['FAIRYEAR']]);
 		}
 		printf("\n");
 	}
diff --git a/admin/judges_schedulerconfig_check.inc.php b/admin/judges_schedulerconfig_check.inc.php
index 2d835d9d..6e1f83a1 100644
--- a/admin/judges_schedulerconfig_check.inc.php
+++ b/admin/judges_schedulerconfig_check.inc.php
@@ -5,13 +5,13 @@ function judges_scheduler_check_timeslots()
 	global $config, $pdo;
 
 	$q = $pdo->prepare('SELECT * FROM judges_timeslots WHERE '
-		. " year='" . $config['FAIRYEAR'] . "'"
+		. " year=?"
 		. " AND `type`='divisional1'");
-	$q->execute();
+	$q->execute([$config['FAIRYEAR']]);
 	if ($q->rowCount()) {
 		$round = $q->fetch(PDO::FETCH_OBJ);
-		$q = $pdo->prepare("SELECT * FROM judges_timeslots WHERE round_id='$round->id' AND type='timeslot'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT * FROM judges_timeslots WHERE round_id=? AND type='timeslot'");
+		$q->execute([$round->id]);
 		return $q->rowCount();
 	} else
 		return 0;
@@ -23,13 +23,13 @@ function judges_scheduler_check_timeslots_sa()
 	$rows = 0;
 
 	$q = $pdo->prepare('SELECT * FROM judges_timeslots WHERE '
-		. " year='" . $config['FAIRYEAR'] . "'"
+		. " year=?"
 		. " AND `type`='special'");
-	$q->execute();
+	$q->execute([$config['FAIRYEAR']]);
 	if ($q->rowCount()) {
 		while (($round = $q->fetch(PDO::FETCH_OBJ))) {
-			$rq = $pdo->prepare("SELECT * FROM judges_timeslots WHERE round_id='$round->id' AND type='timeslot'");
-			$rq->execute();
+			$rq = $pdo->prepare("SELECT * FROM judges_timeslots WHERE round_id=? AND type='timeslot'");
+			$rq->execute([$round->id]);
 			$rows += $rq->rowCount();
 		}
 	}
@@ -40,13 +40,13 @@ function judges_scheduler_check_awards()
 {
 	global $config, $pdo;
 
-	$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY id");
-	$q->execute();
+	$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year=? ORDER BY id");
+	$q->execute([$config['FAIRYEAR']]);
 	while ($r = $q->fetch(PDO::FETCH_OBJ))
 		$div[$r->id] = $r->division;
 
-	$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY id");
-	$q->execute();
+	$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year=? ORDER BY id");
+	$q->execute([$config['FAIRYEAR']]);
 	while ($r = $q->fetch(PDO::FETCH_OBJ))
 		$cat[$r->id] = $r->category;
 
@@ -54,8 +54,8 @@ function judges_scheduler_check_awards()
 	$ckeys = array_keys($cat);
 
 	if ($config['filterdivisionbycategory'] == 'yes') {
-		$q = $pdo->prepare("SELECT * FROM projectcategoriesdivisions_link WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY projectdivisions_id,projectcategories_id");
-		$q->execute();
+		$q = $pdo->prepare("SELECT * FROM projectcategoriesdivisions_link WHERE year=? ORDER BY projectdivisions_id,projectcategories_id");
+		$q->execute([$config['FAIRYEAR']]);
 		$divcat = array();
 		while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 			$divcat[] = array('c' => $r->projectcategories_id, 'd' => $r->projectdivisions_id);
@@ -78,16 +78,16 @@ function judges_scheduler_check_awards()
 							award_awards_projectcategories,
 							award_awards_projectdivisions
 						WHERE 
-							award_awards.year='{$config['FAIRYEAR']}'
-							AND award_awards_projectcategories.year='{$config['FAIRYEAR']}'
-							AND award_awards_projectdivisions.year='{$config['FAIRYEAR']}'
+							award_awards.year=?
+							AND award_awards_projectcategories.year=?
+							AND award_awards_projectdivisions.year=?
 							AND award_awards.id=award_awards_projectcategories.award_awards_id
 							AND award_awards.id=award_awards_projectdivisions.award_awards_id
-							AND award_awards_projectcategories.projectcategories_id='$c'
-							AND award_awards_projectdivisions.projectdivisions_id='$d'
+							AND award_awards_projectcategories.projectcategories_id=?
+							AND award_awards_projectdivisions.projectdivisions_id=?
 							AND award_awards.award_types_id='1'
 						");
-		$q->execute();
+		$q->execute([$config['FAIRYEAR'],$config['FAIRYEAR'],$config['FAIRYEAR'],$c,$d]);
 		show_pdo_errors_if_any($pdo);
 		if ($q->rowCount() != 1) {
 			$missing_awards[] = "{$cat[$c]} - {$div[$d]} (" . i18n('%1 found', array($q->rowCount())) . ')';
@@ -128,13 +128,13 @@ function judges_scheduler_check_judges()
 		$l = $r->lang;
 
 		$qp = $pdo->prepare('SELECT COUNT(projects.id) as cnt FROM projects, registrations WHERE '
-			. " projects.year='" . $config['FAIRYEAR'] . "' AND "
-			. " projectdivisions_id='$d' AND "
-			. " projectcategories_id='$c' AND "
-			. " language='$l' AND "
+			. " projects.year=? AND "
+			. " projectdivisions_id=? AND "
+			. " projectcategories_id=? AND "
+			. " language=? AND "
 			. ' registrations.id = projects.registrations_id '
 			. getJudgingEligibilityCode());
-		$qp->execute();
+		$qp->execute([$config['FAIRYEAR'],$d,$c,$l]);
 		$qr = $qp->fetch(PDO::FETCH_OBJ);
 
 		// if (get_value_from_3d_array($jdiv, $r->jdiv_id, 'num_projects', 'total') !== null){
diff --git a/admin/judges_teams.php b/admin/judges_teams.php
index 822a3df3..75e06575 100644
--- a/admin/judges_teams.php
+++ b/admin/judges_teams.php
@@ -40,16 +40,16 @@ if (get_value_from_array($_POST, 'action'))
 if ($action == 'delete' && get_value_from_array($_GET, 'delete')) {
 	// ALSO DELETE: team members, timeslots, projects, awards
 
-	$stmt = $pdo->prepare("DELETE FROM judges_teams_link WHERE judges_teams_id='" . $_GET['delete'] . "' AND year='" . $config['FAIRYEAR'] . "'");
-	$stmt->execute();
-	$stmt = $pdo->prepare("DELETE FROM judges_teams_timeslots_link WHERE judges_teams_id='" . $_GET['delete'] . "' AND year='" . $config['FAIRYEAR'] . "'");
-	$stmt->execute();
-	$stmt = $pdo->prepare("DELETE FROM judges_teams_timeslots_projects_link WHERE judges_teams_id='" . $_GET['delete'] . "' AND year='" . $config['FAIRYEAR'] . "'");
-	$stmt->execute();
-	$stmt = $pdo->prepare("DELETE FROM judges_teams_awards_link WHERE judges_teams_id='" . $_GET['delete'] . "' AND year='" . $config['FAIRYEAR'] . "'");
-	$stmt->execute();
-	$stmt = $pdo->prepare("DELETE FROM judges_teams WHERE id='" . $_GET['delete'] . "' AND year='" . $config['FAIRYEAR'] . "'");
-	$stmt->execute();
+	$stmt = $pdo->prepare("DELETE FROM judges_teams_link WHERE judges_teams_id=? AND year=?");
+	$stmt->execute([$_GET['delete'],$config['FAIRYEAR']]);
+	$stmt = $pdo->prepare("DELETE FROM judges_teams_timeslots_link WHERE judges_teams_id=? AND year=?");
+	$stmt->execute([$_GET['delete'],$config['FAIRYEAR']]);
+	$stmt = $pdo->prepare("DELETE FROM judges_teams_timeslots_projects_link WHERE judges_teams_id=? AND year=?");
+	$stmt->execute([$_GET['delete'],$config['FAIRYEAR']]);
+	$stmt = $pdo->prepare("DELETE FROM judges_teams_awards_link WHERE judges_teams_id=? AND year=?");
+	$stmt->execute([$_GET['delete'],$config['FAIRYEAR']]);
+	$stmt = $pdo->prepare("DELETE FROM judges_teams WHERE id=? AND year=?");
+	$stmt->execute([$_GET['delete'],$config['FAIRYEAR']]);
 	message_push(happy(i18n('Judge team successfully removed, and all of its corresponding members, timeslots, projects and awards unlinked from team')));
 }
 
@@ -58,25 +58,26 @@ if (get_value_or_default($action) == 'deletealldivisional') {
 				FROM \t
 					judges_teams
 				WHERE 
-					year='" . $config['FAIRYEAR'] . "'
+					year=?
 					AND autocreate_type_id='1'
 					");
+	$q2->execute([$config['FAIRYEAR']]);
 	show_pdo_errors_if_any($pdo);
 	$numdeleted = 0;
 	while ($r2 = $q2->fetch(PDO::FETCH_OBJ)) {
 		// okay now we can start deleting things! whew!
 		// first delete any linkings to the team
 
-		$stmt = $pdo->prepare("DELETE FROM judges_teams_link WHERE judges_teams_id='$r2->id' AND year='" . $config['FAIRYEAR'] . "'");
-		$stmt->execute();
-		$stmt = $pdo->prepare("DELETE FROM judges_teams_timeslots_link WHERE judges_teams_id='$r2->id' AND year='" . $config['FAIRYEAR'] . "'");
-		$stmt->execute();
-		$stmt = $pdo->prepare("DELETE FROM judges_teams_timeslots_projects_link WHERE judges_teams_id='$r2->id' AND year='" . $config['FAIRYEAR'] . "'");
-		$stmt->execute();
-		$stmt = $pdo->prepare("DELETE FROM judges_teams_awards_link WHERE judges_teams_id='$r2->id' AND year='" . $config['FAIRYEAR'] . "'");
-		$stmt->execute();
-		$stmt = $pdo->prepare("DELETE FROM judges_teams WHERE id='$r2->id' AND year='" . $config['FAIRYEAR'] . "'");
-		$stmt->execute();
+		$stmt = $pdo->prepare("DELETE FROM judges_teams_link WHERE judges_teams_id=? AND year=?");
+		$stmt->execute([$r2->id,$config['FAIRYEAR']]);
+		$stmt = $pdo->prepare("DELETE FROM judges_teams_timeslots_link WHERE judges_teams_id=? AND year=?");
+		$stmt->execute([$r2->id,$config['FAIRYEAR']]);
+		$stmt = $pdo->prepare("DELETE FROM judges_teams_timeslots_projects_link WHERE judges_teams_id=? AND year=?");
+		$stmt->execute([$r2->id,$config['FAIRYEAR']]);
+		$stmt = $pdo->prepare("DELETE FROM judges_teams_awards_link WHERE judges_teams_id=? AND year=?");
+		$stmt->execute([$r2->id,$config['FAIRYEAR']]);
+		$stmt = $pdo->prepare("DELETE FROM judges_teams WHERE id=? AND year=?");
+		$stmt->execute([$r2->id,$config['FAIRYEAR']]);
 		$numdeleted++;
 	}
 	if ($numdeleted)
@@ -89,24 +90,24 @@ if (get_value_or_default($action) == 'deleteall') {
 	$q2 = $pdo->prepare("SELECT *
 				FROM \tjudges_teams
 				WHERE 
-					year='" . $config['FAIRYEAR'] . "'
+					year=?
 					");
-	$q2->execute();
+	$q2->execute([$config['FAIRYEAR']]);
 	$numdeleted = 0;
 	while ($r2 = $q2->FETCH(PDO::FETCH_OBJ)) {
 		// okay now we can start deleting things! whew!
 		// first delete any linkings to the team
 
-		$stmt = $pdo->prepare("DELETE FROM judges_teams_link WHERE judges_teams_id='$r2->id' AND year='" . $config['FAIRYEAR'] . "'");
-		$stmt->execute();
-		$stmt = $pdo->prepare("DELETE FROM judges_teams_timeslots_link WHERE judges_teams_id='$r2->id' AND year='" . $config['FAIRYEAR'] . "'");
-		$stmt->execute();
-		$stmt = $pdo->prepare("DELETE FROM judges_teams_timeslots_projects_link WHERE judges_teams_id='$r2->id' AND year='" . $config['FAIRYEAR'] . "'");
-		$stmt->execute();
-		$stmt = $pdo->prepare("DELETE FROM judges_teams_awards_link WHERE judges_teams_id='$r2->id' AND year='" . $config['FAIRYEAR'] . "'");
-		$stmt->execute();
-		$stmt = $pdo->prepare("DELETE FROM judges_teams WHERE id='$r2->id' AND year='" . $config['FAIRYEAR'] . "'");
-		$stmt->execute();
+		$stmt = $pdo->prepare("DELETE FROM judges_teams_link WHERE judges_teams_id=? AND year=?");
+		$stmt->execute([$r2->id,$config['FAIRYEAR']]);
+		$stmt = $pdo->prepare("DELETE FROM judges_teams_timeslots_link WHERE judges_teams_id=? AND year=?");
+		$stmt->execute([$r2->id,$config['FAIRYEAR']]);
+		$stmt = $pdo->prepare("DELETE FROM judges_teams_timeslots_projects_link WHERE judges_teams_id=? AND year=?");
+		$stmt->execute([$r2->id,$config['FAIRYEAR']]);
+		$stmt = $pdo->prepare("DELETE FROM judges_teams_awards_link WHERE judges_teams_id=? AND year=?");
+		$stmt->execute([$r2->id,$config['FAIRYEAR']]);
+		$stmt = $pdo->prepare("DELETE FROM judges_teams WHERE id=? AND year=?");
+		$stmt->execute([$r2->id,$config['FAIRYEAR']]);
 		$numdeleted++;
 	}
 	if ($numdeleted)
@@ -120,8 +121,8 @@ if ((get_value_or_default($action) == 'save' || $action == 'assign') && $edit) {
 	// but when we're done, if we're "assign" then go back to edit that team
 	// if we're save, then go back to the team list
 	$err = false;
-	$q = $pdo->prepare("UPDATE judges_teams SET num='" . $_POST['team_num'] . "', name='" . (stripslashes($_POST['team_name'])) . "' WHERE id='$edit'");
-	$q->execute();
+	$q = $pdo->prepare("UPDATE judges_teams SET num=?, name=? WHERE id=?");
+	$q->execute([ $_POST['team_num'],(stripslashes($_POST['team_name'])),$edit]);
 	if ($pdo->errorInfo()) {
 		$err = true;
 		message_push(error($pdo->errorInfo()));
@@ -133,8 +134,8 @@ if ((get_value_or_default($action) == 'save' || $action == 'assign') && $edit) {
 		// the judges wouldnt know which projects to judge for which award.  This doesnt apply for divisions
 		// because the category/division is obvious based on project numbesr.  A divisional judge team could easily
 		// be assigned to do all of Comp Sci - Junior, Intermediate and Senior without any problems.
-		$q = $pdo->prepare("SELECT award_types.type FROM award_awards, award_types WHERE award_awards.award_types_id=award_types.id AND award_awards.id='" . $_POST['award'] . "'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT award_types.type FROM award_awards, award_types WHERE award_awards.award_types_id=award_types.id AND award_awards.id=?");
+		$q->execute([$_POST['award']]);
 		$aw = $q->fetch(PDO::FETCHH_OBJ);
 
 		$addaward = true;
@@ -144,12 +145,12 @@ if ((get_value_or_default($action) == 'save' || $action == 'assign') && $edit) {
 							award_awards,
 							award_types
 						WHERE
-							judges_teams_awards_link.judges_teams_id='$edit'
+							judges_teams_awards_link.judges_teams_id=?
 							AND judges_teams_awards_link.award_awards_id=award_awards.id
 							AND award_awards.award_types_id=award_types.id
 							AND award_types.type='Special'
 						");
-			$q->exxecute();
+			$q->exxecute([$edit]);
 			$r = $q->fetch(PDO::FETCHH_OBJ);
 			echo "special awards: $r->num";
 			if ($r->num) {
@@ -162,8 +163,8 @@ if ((get_value_or_default($action) == 'save' || $action == 'assign') && $edit) {
 
 		if ($addaward) {
 			// link up the award
-			$stmt = $pdo->prepare("INSERT INTO judges_teams_awards_link (award_awards_id,judges_teams_id,year) VALUES ('" . $_POST['award'] . "','$edit','" . $config['FAIRYEAR'] . "')");
-			$stmt->execute();
+			$stmt = $pdo->prepare("INSERT INTO judges_teams_awards_link (award_awards_id,judges_teams_id,year) VALUES (?,?,?)");
+			$stmt->execute([$_POST['award'],$edit,$config['FAIRYEAR']]);
 			message_push(happy(i18n('Award assigned to team')));
 		}
 	}
@@ -182,8 +183,8 @@ if ((get_value_or_default($action) == 'save' || $action == 'assign') && $edit) {
 }
 
 if (get_value_or_default($action) == 'unassign') {
-	$stmt = $pdo->prepare("DELETE FROM judges_teams_awards_link WHERE judges_teams_id='$edit' AND award_awards_id='" . $_GET['unassign'] . "' AND year='" . $config['FAIRYEAR'] . "'");
-	$stmt->execute();
+	$stmt = $pdo->prepare("DELETE FROM judges_teams_awards_link WHERE judges_teams_id=? AND award_awards_id=? AND year=?");
+	$stmt->execute([$edit,$_GET['unassign'],$config['FAIRYEAR']]);
 	message_push(happy(i18n('Award unassigned from judge team')));
 	// keep editing the same team
 	$action = 'edit';
@@ -191,8 +192,8 @@ if (get_value_or_default($action) == 'unassign') {
 
 if (get_value_or_default($action) == 'createall') {
 	// first make sure we dont have any non-divisional award teams (dont want people hitting refresh and adding all the teams twice
-	$q = $pdo->prepare("SELECT COUNT(*) AS c FROM judges_teams WHERE autocreate_type_id!='1' AND year='" . $config['FAIRYEAR'] . "'");
-	$q->execute();
+	$q = $pdo->prepare("SELECT COUNT(*) AS c FROM judges_teams WHERE autocreate_type_id!='1' AND year=?");
+	$q->execute([$config['FAIRYEAR']]);
 	$r = $q->fetch(PDO::FETCH_OBJ);
 	if ($r->c) {
 		message_push(error(i18n("Cannot 'Create All' teams when any divisional teams currently exist.  Try deleting all existing non-divisional teams first.")));
@@ -207,18 +208,18 @@ if (get_value_or_default($action) == 'createall') {
 						award_types 
 					WHERE \t
 						award_awards.award_types_id=award_types.id 
-						AND award_awards.year='" . $config['FAIRYEAR'] . "' 
-						AND award_types.year='" . $config['FAIRYEAR'] . "' 
+						AND award_awards.year=? 
+						AND award_types.year=? 
 						AND award_types_id!='1'
 					ORDER BY 
 						award_types_order, 
 						award_awards.order,
 						name");
-		$q->execute();
+		$q->execute([$config['FAIRYEAR'],$config['FAIRYEAR']]);
 
 		// startat
-		$q2 = $pdo->prepare("SELECT MAX(num) AS lastnum FROM judges_teams WHERE year='{$config['FAIRYEAR']}'");
-		$q2->execute();
+		$q2 = $pdo->prepare("SELECT MAX(num) AS lastnum FROM judges_teams WHERE year=?");
+		$q2->execute([$config['FAIRYEAR']]);
 		$r2 = $q2->fetch(PDO::FETCH_OBJ);
 		if ($r2->lastnum)
 			$num = $r2->lastnum + 1;
@@ -239,8 +240,8 @@ if (get_value_or_default($action) == 'createall') {
 			$team_id = $pdo->lastInsertId();
 			if ($team_id) {
 				// now link the new team to the award
-				$stmt = $pdo->prepare("INSERT INTO judges_teams_awards_link (award_awards_id,judges_teams_id,year) VALUES ('$r->id','$team_id','" . $config['FAIRYEAR'] . "')");
-				$stmt->execute();
+				$stmt = $pdo->prepare("INSERT INTO judges_teams_awards_link (award_awards_id,judges_teams_id,year) VALUES (?,?,?)");
+				$stmt->execute([$r->id,$team_id,$config['FAIRYEAR']]);
 				message_push(happy(i18n('Created team #%1: %2', array($num, $name))));
 			} else {
 				message_push(error(i18n('Error creating team #%1: %2', array($num, $name))));
@@ -251,8 +252,8 @@ if (get_value_or_default($action) == 'createall') {
 }
 
 if (get_value_or_default($action) == 'add' && $_GET['num']) {
-	$stmt = $pdo->prepare("INSERT INTO judges_teams(num,year) VALUES ('" . $_GET['num'] . "','" . $config['FAIRYEAR'] . "')");
-	$stmt->execute();
+	$stmt = $pdo->prepare("INSERT INTO judges_teams(num,year) VALUES (?,?)");
+	$stmt->execute([$_GET['num'],$config['FAIRYEAR']]);
 	show_pdo_errors_if_any($pdo);
 	$edit = $pdo->lastInsertId();
 	$action = 'edit';
@@ -342,10 +343,10 @@ function addclicked()
 					)
 					LEFT JOIN judges_teams_awards_link ON award_awards.id = judges_teams_awards_link.award_awards_id
 				WHERE 
-					award_awards.year='" . $config['FAIRYEAR'] . "' AND 
+					award_awards.year=? AND 
 					judges_teams_awards_link.award_awards_id IS NULL
 					AND award_types.id=award_awards.award_types_id
-					AND award_types.year='{$config['FAIRYEAR']}'
+					AND award_types.year=?
 				ORDER BY 
 					award_type_order,
 					name";
@@ -353,7 +354,7 @@ function addclicked()
 
 	echo '<tr><td colspan=2>';
 	$q = $pdo->prepare($querystr);
-	$q->execute();
+	$q->execute([$config['FAIRYEAR'],$config['FAIRYEAR']]);
 
 	show_pdo_errors_if_any($pdo);
 	echo '<select name="award">';
@@ -395,8 +396,8 @@ function addclicked()
 
 	echo '<table width="95%">';
 	echo '<tr><td>';
-	$q = $pdo->prepare("SELECT COUNT(*) AS c FROM judges_teams WHERE autocreate_type_id!='1' AND year='" . $config['FAIRYEAR'] . "'");
-	$q->execute();
+	$q = $pdo->prepare("SELECT COUNT(*) AS c FROM judges_teams WHERE autocreate_type_id!='1' AND year=?");
+	$q->execute([$config['FAIRYEAR']]);
 	$r = $q->fetch(PDO::FETCH_OBJ);
 	if (!$r->c) {
 		echo '<a href="judges_teams.php?action=createall">' . i18n('Automatically create one new team for every non-divisional award') . '</a><br />';
diff --git a/admin/judges_teams_members.php b/admin/judges_teams_members.php
index b5f95f52..d33d313f 100644
--- a/admin/judges_teams_members.php
+++ b/admin/judges_teams_members.php
@@ -108,8 +108,8 @@ jQuery(document).ready(function(){
 
 if (get_value_from_array($_POST, 'action') == 'add' && get_value_from_array($_POST, 'team_num') && count(get_value_from_array($_POST, 'judgelist', [])) > 0) {
 	// first check if this team exists.
-	$q = $pdo->prepare("SELECT id,name FROM judges_teams WHERE num='" . $_POST['team_num'] . "' AND year='" . $config['FAIRYEAR'] . "'");
-	$q->execute();
+	$q = $pdo->prepare("SELECT id,name FROM judges_teams WHERE num=? AND year=?");
+	$q->execute([$_POST['team_num'],$config['FAIRYEAR']]);
 	if ($q->rowCount()) {
 		$r = $q->fetch(PDO::FETCH_OBJ);
 		$team_id = $r->id;
@@ -127,14 +127,14 @@ if (get_value_from_array($_POST, 'action') == 'add' && get_value_from_array($_PO
 	foreach ($_POST['judgelist'] AS $selectedjudge) {
 		// before we insert them, we need to make sure they dont already belong to this team.  We can not have the same judge assigned to the same team multiple times.
 
-		$q = $pdo->prepare("SELECT * FROM judges_teams_link WHERE users_id='$selectedjudge' AND judges_teams_id='$team_id'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT * FROM judges_teams_link WHERE users_id=? AND judges_teams_id=?");
+		$q->execute([$selectedjudge,$team_id]);
 		if ($q->rowCount()) {
 			echo notice(i18n('Judge (%1) already belongs to judging team: %2', array($selectedjudge, $team_name)));
 		} else {
 			// lets make the first one we add a captain, the rest, non-captains :)
-			$stmt = $pdo->prepare("INSERT INTO judges_teams_link (users_id,judges_teams_id,captain,year) VALUES ('$selectedjudge','$team_id','$captain','" . $config['FAIRYEAR'] . "')");
-			$stmt->execute();
+			$stmt = $pdo->prepare("INSERT INTO judges_teams_link (users_id,judges_teams_id,captain,year) VALUES (?,?,?,?)");
+			$stmt->execute([$selectedjudge,$team_id,$captain,$config['FAIRYEAR']]);
 			$added++;
 		}
 		// if this is alreayd no, then who cares, but if its the first one that is going into the new team, then
@@ -151,13 +151,13 @@ if (get_value_from_array($_POST, 'action') == 'add' && get_value_from_array($_PO
 }
 
 if (get_value_from_array($_GET, 'action') == 'del' && get_value_from_array($_GET, 'team_num') && get_value_from_array($_GET, 'team_id') && get_value_from_array($_GET, 'users_id')) {
-	$stmt = $pdo->prepare("DELETE FROM judges_teams_link WHERE users_id='" . $_GET['users_id'] . "' AND judges_teams_id='" . $_GET['team_id'] . "' AND year='" . $config['FAIRYEAR'] . "'");
-	$stmt->execute();
+	$stmt = $pdo->prepare("DELETE FROM judges_teams_link WHERE users_id=? AND judges_teams_id=? AND year=?");
+	$stmt->execute([$_GET['users_id'],$_GET['team_id'],$config['FAIRYEAR']]);
 	echo happy(i18n('Removed judge from team #%1 (%2)', array($_GET['team_num'], $_GET['team_name'])));
 
 	// if there is still members left in the team, make sure we have a captain still
-	$q = $pdo->prepare("SELECT * FROM judges_teams_link WHERE judges_teams_id='" . $_GET['team_id'] . "' AND year='" . $config['FAIRYEAR'] . "'");
-	$q->execute();
+	$q = $pdo->prepare("SELECT * FROM judges_teams_link WHERE judges_teams_id=? AND year=?");
+	$q->execute([$_GET['team_id'],$config['FAIRYEAR']]);
 	if ($q->rowCount()) {
 		// make sure the team still has a captain!
 		// FIXME: this might best come from the "i am willing to be a team captain" question under the judges profile
@@ -176,24 +176,24 @@ if (get_value_from_array($_GET, 'action') == 'del' && get_value_from_array($_GET
 		}
 		if (!$gotcaptain) {
 			// make the first judge the captain
-			$stmt = $pdo->prepare("UPDATE judges_teams_link SET captain='yes' WHERE judges_teams_id='" . $_GET['team_id'] . "' AND users_id='$firstjudge' AND year='" . $config['FAIRYEAR'] . "'");
-			$stmt->execute();
+			$stmt = $pdo->prepare("UPDATE judges_teams_link SET captain='yes' WHERE judges_teams_id=? AND users_id=? AND year=?");
+			$stmt->execute([$_GET['team_id'],$firstjudge,$config['FAIRYEAR']]);
 			echo notice(i18n('Team captain was removed. A new team captain has been automatically assigned'));
 		}
 	}
 }
 
 if (get_value_from_array($_GET, 'action') == 'empty' && get_value_from_array($_GET, 'team_num') && get_value_from_array($_GET, 'team_id')) {
-	$stmt = $pdo->prepare("DELETE FROM judges_teams_link WHERE judges_teams_id='" . $_GET['team_id'] . "' AND year='" . $config['FAIRYEAR'] . "'");
-	$stmt->execute();
+	$stmt = $pdo->prepare("DELETE FROM judges_teams_link WHERE judges_teams_id=? AND year=?");
+	$stmt->execute([$_GET['team_id'],$config['FAIRYEAR']]);
 	echo happy(i18n('Emptied all judges from team #%1 (%2)', array($_GET['team_num'], $_GET['team_name'])));
 }
 
 if (get_value_from_array($_POST, 'action') == 'saveteamnames') {
 	if (count($_POST['team_names'])) {
 		foreach ($_POST['team_names'] AS $team_id => $team_name) {
-			$stmt = $pdo->prepare("UPDATE judges_teams SET name='" . stripslashes($team_name) . "' WHERE id='$team_id'");
-			$stmt->execute();
+			$stmt = $pdo->prepare("UPDATE judges_teams SET name=? WHERE id=?");
+			$stmt->execute([stripslashes($team_name),$team_id]);
 		}
 		echo happy(i18n('Team names successfully saved'));
 	}
@@ -201,20 +201,20 @@ if (get_value_from_array($_POST, 'action') == 'saveteamnames') {
 
 if (get_value_from_array($_GET, 'action') == 'addcaptain') {
 	// teams can have as many captains as they want, so just add it.
-	$stmt = $pdo->prepare("UPDATE judges_teams_link SET captain='yes' WHERE judges_teams_id='" . $_GET['team_id'] . "' AND users_id='" . $_GET['judge_id'] . "'");
-	$stmt->execute();
+	$stmt = $pdo->prepare("UPDATE judges_teams_link SET captain='yes' WHERE judges_teams_id=? AND users_id=?");
+	$stmt->execute([ $_GET['team_id'],$_GET['judge_id']]);
 	echo happy(i18n('Team captain assigned'));
 }
 
 if (get_value_from_array($_GET, 'action') == 'removecaptain') {
 	// teams must always have at least one captain, so if we only have one, and we are trying to remove it, dont let them!
-	$q = $pdo->prepare("SELECT * FROM judges_teams_link WHERE captain='yes' AND judges_teams_id='" . $_GET['team_id'] . "'");
-	$q->execute();
+	$q = $pdo->prepare("SELECT * FROM judges_teams_link WHERE captain='yes' AND judges_teams_id=?");
+	$q->execute([$_GET['team_id']]);
 	if ($q->rowCount() < 2) {
 		echo error(i18n('A judge team must always have at least one captain'));
 	} else {
-		$pdo->prepare("UPDATE judges_teams_link SET captain='no' WHERE judges_teams_id='" . $_GET['team_id'] . "' AND users_id='" . $_GET['judge_id'] . "'");
-		$pdo->execute();
+		$pdo->prepare("UPDATE judges_teams_link SET captain='no' WHERE judges_teams_id=? AND users_id=?");
+		$pdo->execute([$_GET['team_id'],$_GET['judge_id']]);
 		echo happy(i18n('Team captain removed'));
 	}
 }
@@ -225,16 +225,16 @@ if (get_value_from_array($_GET, 'action') == 'autoassignspecial') {
 
 	/* Load all the teams */
 	$teams = array();
-	$q = $pdo->prepare("SELECT * FROM judges_teams WHERE year='{$config['FAIRYEAR']}'");
-	$q->execute();
+	$q = $pdo->prepare("SELECT * FROM judges_teams WHERE year=?");
+	$q->execute([$config['FAIRYEAR']]);
 	while ($i = $q->fetch(PDO::FETCH_ASSOC)) {
 		$teams[$i['id']] = $i;
 	}
 
 	/* And the links */
 	$links = array();
-	$q = $pdo->prepare("SELECT * FROM judges_teams_link WHERE year='{$config['FAIRYEAR']}'");
-	$q->execute();
+	$q = $pdo->prepare("SELECT * FROM judges_teams_link WHERE year=?");
+	$q->execute([$config['FAIRYEAR']]);
 	while ($i = $q->fetch(PDO::FETCH_ASSOC)) {
 		$judgelist[$i['users_id']]['teams_links'][] = $i;
 	}
@@ -254,12 +254,12 @@ if (get_value_from_array($_GET, 'action') == 'autoassignspecial') {
 			foreach ($j['special_award_selected'] AS $awardid) {
 				echo "Looking for a team for award $awardid <br />";
 				// find the award id linked to a team
-				$q = $pdo->prepare("SELECT * FROM judges_teams_awards_link WHERE award_awards_id='{$awardid}' AND year='{$config['FAIRYEAR']}'");
-				$q->execute();
+				$q = $pdo->prepare("SELECT * FROM judges_teams_awards_link WHERE award_awards_id=? AND year=?");
+				$q->execute([$awardid,$config['FAIRYEAR']]);
 				if ($q->rowCount()) {
 					while ($r = $q->fetch(PDO::FETCH_OBJ)) {
-						$stmt = $pdo->prepare("INSERT INTO judges_teams_link (users_id,judges_teams_id,captain,year) VALUES ('$jid','$r->judges_teams_id','yes','{$config['FAIRYEAR']}')");
-						$stmt->execute();
+						$stmt = $pdo->prepare("INSERT INTO judges_teams_link (users_id,judges_teams_id,captain,year) VALUES (?,?,'yes',?)");
+						$stmt->execute([$jid,$r->judges_teams_id,$config['FAIRYEAR']]);
 						echo happy(i18n('%1 %2 to their special award(s) team(s)', array($j['firstname'], $j['lastname'])));
 					}
 				} else {
@@ -308,16 +308,16 @@ $judgelist = judges_load_all();
 
 /* Load all the teams */
 $teams = array();
-$q = $pdo->prepare("SELECT * FROM judges_teams WHERE year='{$config['FAIRYEAR']}'");
-$q->execute();
+$q = $pdo->prepare("SELECT * FROM judges_teams WHERE year=?");
+$q->execute([$config['FAIRYEAR']]);
 while ($i = $q->fetch(PDO::FETCH_ASSOC)) {
 	$teams[$i['id']] = $i;
 }
 
 /* And the links */
 $links = array();
-$q = $pdo->prepare("SELECT * FROM judges_teams_link WHERE year='{$config['FAIRYEAR']}'");
-$q->execute();
+$q = $pdo->prepare("SELECT * FROM judges_teams_link WHERE year=?");
+$q->execute([$config['FAIRYEAR']]);
 while ($i = $q->fetch(PDO::FETCH_ASSOC)) {
 	$judgelist[$i['users_id']]['teams_links'][] = $i;
 }
diff --git a/admin/judges_teams_projects.php b/admin/judges_teams_projects.php
index 1dde4495..c3427b83 100644
--- a/admin/judges_teams_projects.php
+++ b/admin/judges_teams_projects.php
@@ -81,20 +81,20 @@ if (get_value_from_array($_GET, 'judges_projects_list_eligible'))
 	$_SESSION['viewstate']['judges_projects_list_eligible'] = $_GET['judges_projects_list_eligible'];
 
 if (get_value_from_array($_GET, 'action') == 'delete' && $_GET['delete'] && $_GET['edit']) {
-	$stmt = $pdo->prepare("DELETE FROM judges_teams_timeslots_projects_link WHERE id='" . $_GET['delete'] . "'");
-	$stmt->execute();
+	$stmt = $pdo->prepare("DELETE FROM judges_teams_timeslots_projects_link WHERE id=?");
+	$stmt->execute([$_GET['delete']]);
 	echo happy(i18n('Judging team project successfully removed'));
 	$action = 'edit';
 }
 
 if (get_value_from_array($_POST, 'action') == 'assign' && $_POST['edit'] && $_POST['timeslot'] && $_POST['project_id']) {
-	$stmt = $pdo->prepare("INSERT INTO judges_teams_timeslots_projects_link (judges_teams_id,judges_timeslots_id,projects_id,year) VALUES ('" . $_POST['edit'] . "','" . $_POST['timeslot'] . "','" . $_POST['project_id'] . "','" . $config['FAIRYEAR'] . "')");
-	$stmt->execute();
+	$stmt = $pdo->prepare("INSERT INTO judges_teams_timeslots_projects_link (judges_teams_id,judges_timeslots_id,projects_id,year) VALUES (?,?,?,?)");
+	$stmt->execute([$_POST['edit'],$_POST['timeslot'],$_POST['project_id'],$config['FAIRYEAR']]);
 	echo happy(i18n('Project assigned to team timeslot'));
 }
 
-$q = $pdo->prepare("SELECT DISTINCT(date) AS d FROM judges_timeslots WHERE year='" . $config['FAIRYEAR'] . "'");
-$q->execute();
+$q = $pdo->prepare("SELECT DISTINCT(date) AS d FROM judges_timeslots WHERE year=?");
+$q->execute([$config['FAIRYEAR']]);
 if ($q->rowCount() > 1)
 	$show_date = true;
 else
@@ -155,13 +155,13 @@ if (($action == 'edit' || $action == 'assign') && $edit) {
 				judges_teams,
 				judges_teams_timeslots_link
 			WHERE
-				judges_teams.id='" . $team['id'] . "' AND
+				judges_teams.id=? AND
 				judges_teams.id=judges_teams_timeslots_link.judges_teams_id AND
 				judges_timeslots.id=judges_teams_timeslots_link.judges_timeslots_id
 			ORDER BY
 				date,starttime
 			");
-	$q->execute();
+	$q->execute([$team['id']]);
 
 	$numslots = $q - rowCount();
 	if ($numslots) {
@@ -201,7 +201,7 @@ if (($action == 'edit' || $action == 'assign') && $edit) {
 					projectnumber is not null 
 					' . getJudgingEligibilityCode() . " AND
 					projects.registrations_id=registrations.id AND
-					projects.year='" . $config['FAIRYEAR'] . "'
+					projects.year=?
 				ORDER BY
 					projectnumber";
 		} else if ($_SESSION['viewstate']['judges_projects_list_show'] == 'unassigned') {
@@ -219,13 +219,13 @@ if (($action == 'edit' || $action == 'assign') && $edit) {
 					' . getJudgingEligibilityCode(). ' AND
 					projects.registrations_id=registrations.id AND
 					judges_teams_timeslots_projects_link.projects_id IS NULL AND
-					projects.year='" . $config['FAIRYEAR'] . "'
+					projects.year=?
 				ORDER BY
 					projectnumber";
 		}
 
 		$pq = $pdo->prepare($querystr);
-		$pq->execute();
+		$pq->execute([$config['FAIRYEAR'],$config['FAIRYEAR']]);
 		show_pdo_errors_if_any($pdo);
 
 		$eligibleprojects = getProjectsEligibleOrNominatedForAwards($award_ids);
@@ -284,14 +284,14 @@ if (($action == 'edit' || $action == 'assign') && $edit) {
 						projects,
 						judges_teams_timeslots_projects_link
 					WHERE
-						judges_teams_timeslots_projects_link.judges_timeslots_id='$r->id' AND
-						judges_teams_timeslots_projects_link.judges_teams_id='" . $team['id'] . "' AND
+						judges_teams_timeslots_projects_link.judges_timeslots_id=? AND
+						judges_teams_timeslots_projects_link.judges_teams_id=? AND
 						judges_teams_timeslots_projects_link.projects_id=projects.id AND
-						judges_teams_timeslots_projects_link.year='" . $config['FAIRYEAR'] . "'
+						judges_teams_timeslots_projects_link.year=?
 					ORDER BY
 						projectnumber
 					");
-			$projq->execute();
+			$projq->execute([$r->id,$team['id'],$config['FAIRYEAR']]);
 
 			show_pdo_errors_if_any($pdo);
 			while ($proj = $projq->fetch(PDO::FETCH_OBJ)) {
@@ -357,13 +357,13 @@ if (($action == 'edit' || $action == 'assign') && $edit) {
 					judges_teams,
 					judges_teams_timeslots_link
 				WHERE
-					judges_teams.id='" . $team['id'] . "' AND
+					judges_teams.id=? AND
 					judges_teams.id=judges_teams_timeslots_link.judges_teams_id AND
 					judges_timeslots.id=judges_teams_timeslots_link.judges_timeslots_id
 				ORDER BY
 					date,starttime
 				");
-		$q->execute();
+		$q->execute([$team['id']]);
 		$numslots = $q->rowCount();
 
 		echo '<a href="judges_teams_projects.php?action=edit&edit=' . $team['id'] . '">' . i18n('Edit team project assignments') . '</a>';
@@ -391,14 +391,14 @@ if (($action == 'edit' || $action == 'assign') && $edit) {
 					projects,
 					judges_teams_timeslots_projects_link
 				WHERE
-					judges_teams_timeslots_projects_link.judges_timeslots_id='$r->id' AND
-					judges_teams_timeslots_projects_link.judges_teams_id='" . $team['id'] . "' AND
+					judges_teams_timeslots_projects_link.judges_timeslots_id=? AND
+					judges_teams_timeslots_projects_link.judges_teams_id=? AND
 					judges_teams_timeslots_projects_link.projects_id=projects.id AND
-					judges_teams_timeslots_projects_link.year='" . $config['FAIRYEAR'] . "'
+					judges_teams_timeslots_projects_link.year=?
 				ORDER BY
 					projectnumber
 				");
-			$projq->execute();
+			$projq->execute([$r->id,$team['id'],$config['FAIRYEAR']]);
 
 			show_pdo_errors_if_any($pdo);
 			while ($proj = $projq->fetch(PDO::FETCH_OBJ)) {
diff --git a/admin/judges_teams_timeslots.php b/admin/judges_teams_timeslots.php
index 49ff8398..8c0c8e15 100644
--- a/admin/judges_teams_timeslots.php
+++ b/admin/judges_teams_timeslots.php
@@ -42,15 +42,15 @@ if (array_key_exists('action', $_POST))
 
 if (get_value_from_array($_GET, 'action') && $action == 'delete') {
 	$id = intval($_GET['delete']);
-	$stmt = $pdo->prepare("DELETE FROM judges_teams_timeslots_link WHERE id='$id'");
-	$stmt->execute();
+	$stmt = $pdo->prepare("DELETE FROM judges_teams_timeslots_link WHERE id=?");
+	$stmt->execute([$id]);
 	message_push(happy(i18n('Judging team timeslot successfully removed')));
 }
 
 if (array_key_exists('empty', $_GET) && $action == 'empty') {
 	$id = intval($_GET['empty']);
-	$stmt = $pdo->prepare("DELETE FROM judges_teams_timeslots_link WHERE judges_teams_id='$id'");
-	$stmt->execute();
+	$stmt = $pdo->prepare("DELETE FROM judges_teams_timeslots_link WHERE judges_teams_id=?");
+	$stmt->execute([$id]);
 	message_push(happy(i18n('Judging team timeslots successfully removed')));
 }
 
@@ -61,8 +61,8 @@ if ($action == 'assign') {
 		foreach ($_POST['teams'] AS $tm) {
 			foreach ($_POST['timeslots'] AS $ts) {
 				$stmt = $pdo->prepare("INSERT INTO judges_teams_timeslots_link (judges_teams_id,judges_timeslots_id,year) 
-						VALUES ('$tm','$ts','{$config['FAIRYEAR']}')");
-				$stmt->execute();
+						VALUES (?,?,?)");
+				$stmt->execute([$tm,$ts,$config['FAIRYEAR']]);
 			}
 		}
 		message_push(happy(i18n('%1 Timeslots assigned to %2 teams', array(count($_POST['timeslots']), count($_POST['teams'])))));
@@ -126,8 +126,8 @@ echo '<a href="" onclick="return checknone(\'timeslots\')">select none</a>';
 echo '&nbsp;|&nbsp';
 echo '<a href="" onclick="return checkinvert(\'timeslots\')">invert selection</a>';
 
-$q = $pdo->prepare("SELECT DISTINCT(date) AS d FROM judges_timeslots WHERE year='" . $config['FAIRYEAR'] . "'");
-$q->execute();
+$q = $pdo->prepare("SELECT DISTINCT(date) AS d FROM judges_timeslots WHERE year=?");
+$q->execute([$config['FAIRYEAR']]);
 if ($q->rowCount() > 1)
 	$show_date = true;
 else
@@ -143,16 +143,16 @@ echo '<th>' . i18n('End Time') . '</th>';
 echo "</tr>\n";
 
 $q = $pdo->prepare("SELECT * FROM judges_timeslots 
-			WHERE year='{$config['FAIRYEAR']}' 
+			WHERE year=? 
 			AND round_id='0' ORDER BY date,starttime");
-$q->execute();
+$q->execute([$config['FAIRYEAR']]);
 while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 	echo '<tr>';
 	$span = $show_date ? 4 : 3;
 	echo "<td colspan=\"$span\">{$r->name} (" . $round_str[$r->type] . ')</td>';
 	$qq = $pdo->prepare("SELECT * FROM judges_timeslots 
-					WHERE round_id='{$r->id}' ORDER BY date,starttime");
-	$qq->execute();
+					WHERE round_id=? ORDER BY date,starttime");
+	$qq->execute([$r->id]);
 	while ($rr = $qq->fetch(PDO::FETCH_OBJ)) {
 		echo '<tr>';
 		echo "<td><input type=\"checkbox\" name=\"timeslots[]\" value=\"{$rr->id}\" /></td>";
@@ -213,13 +213,13 @@ foreach ($teams AS $team) {
 					judges_teams,
 					judges_teams_timeslots_link
 				WHERE
-					judges_teams.id='" . $team['id'] . "' AND
+					judges_teams.id=? AND
 					judges_teams.id=judges_teams_timeslots_link.judges_teams_id AND
 					judges_timeslots.id=judges_teams_timeslots_link.judges_timeslots_id
 				ORDER BY
 					date,starttime
 				");
-	$q->execute();
+	$q->execute([$team['id']]);
 	$numslots = $q->rowCount();
 
 	while ($r = $q->fetch(PDO::FETCH_OBJ)) {
diff --git a/admin/judges_timeslots.php b/admin/judges_timeslots.php
index ef42ce0c..c022df8c 100644
--- a/admin/judges_timeslots.php
+++ b/admin/judges_timeslots.php
@@ -92,16 +92,16 @@ if ($action == 'saveround') {
 	if ($save == true) {
 		if ($round_id == 0) {
 			/* New entry */
-			$stmt = $pdo->prepare("INSERT INTO judges_timeslots (round_id,year) VALUES('0','{$config['FAIRYEAR']}')");
-			$stmt->execute();
+			$stmt = $pdo->prepare("INSERT INTO judges_timeslots (round_id,year) VALUES('0',?)");
+			$stmt->execute([$config['FAIRYEAR']]);
 			$round_id = $pdo->lastInsertId();
 		}
 
-		$stmt = $pdo->prepare("UPDATE judges_timeslots SET `date`='$date', 
-								starttime='$starttime', endtime='$endtime',
-								`name`='$name',
-								`type`='$type' WHERE id='$round_id'");
-		$stmt->execute();
+		$stmt = $pdo->prepare("UPDATE judges_timeslots SET `date`=?, 
+								starttime=?, endtime=?,
+								`name`=?,
+								`type`=? WHERE id=?");
+		$stmt->execute([$date,$starttime,$endtime,$name,$type,$round_id]);
 
 		show_pdo_errors_if_any($pdo);
 		message_push(happy(i18n('Round successfully saved')));
@@ -110,18 +110,18 @@ if ($action == 'saveround') {
 }
 
 if ($action == 'deleteround') {
-	$stmt = $pdo->prepare("DELETE FROM judges_timeslots WHERE id='$round_id'");
-	$stmt->execute();
+	$stmt = $pdo->prepare("DELETE FROM judges_timeslots WHERE id=?");
+	$stmt->execute([$round_id]);
 	/* Also delete all timeslots */
 
-	$stmt = $pdo->prepare("DELETE FROM judges_timeslots WHERE round_id='$round_id'");
-	$stmt->execute();
+	$stmt = $pdo->prepare("DELETE FROM judges_timeslots WHERE round_id=?");
+	$stmt->execute([$round_id]);
 	message_push(happy(i18n('Round successfully removed')));
 	$action = '';
 }
 if ($action == 'deletetimeslot') {
-	$stmt = $pdo->prepare("DELETE FROM judges_timeslots WHERE id='$timeslot_id'");
-	$stmt->execute();
+	$stmt = $pdo->prepare("DELETE FROM judges_timeslots WHERE id=?");
+	$stmt->execute([$timeslot_id]);
 	message_push(happy(i18n('Timeslot successfully removed')));
 	$action = '';
 }
@@ -129,8 +129,8 @@ if ($action == 'deletetimeslot') {
 if ($action == 'savetimeslot') {
 	$save = true;
 
-	$q = $pdo->prepare("SELECT * FROM judges_timeslots WHERE id='$round_id'");
-	$q->execute();
+	$q = $pdo->prepare("SELECT * FROM judges_timeslots WHERE id=?");
+	$q->execute([$round_id]);
 	$round_data = $q->fetch(PDO::FETCH_ASSOC);
 
 	$date = $round_data['date'];
@@ -152,15 +152,15 @@ if ($action == 'savetimeslot') {
 	if ($save == true) {
 		if ($timeslot_id == 0) {
 			/* New entry */
-			$stmt = $pdo->prepare("INSERT INTO judges_timeslots (round_id,date,type,year) VALUES('$round_id',
-								'$date','timeslot','{$config['FAIRYEAR']}')");
-			$stmt->execute();
+			$stmt = $pdo->prepare("INSERT INTO judges_timeslots (round_id,date,type,year) VALUES(?,
+								?,'timeslot',?)");
+			$stmt->execute([$round_id,$date,$config['FAIRYEAR']]);
 			$timeslot_id = $pdo->lastInsertId();
 		}
 
-		$stmt = $pdo->prepare("UPDATE judges_timeslots SET starttime='$starttime', endtime='$endtime'
-								WHERE id='$timeslot_id'");
-		$stmt->execute();
+		$stmt = $pdo->prepare("UPDATE judges_timeslots SET starttime=?, endtime=?
+								WHERE id=?");
+		$stmt->execute([$starttime,$endtime,$timeslot_id]);
 
 		show_pdo_errors_if_any($pdo);
 		message_push(happy(i18n('Timeslot successfully saved')));
@@ -176,8 +176,8 @@ if ($action == 'savemultiple') {
 	$break = intval($_POST['break']);
 
 	if (array_key_exists('starttime_hour', $_POST) && array_key_exists('starttime_minute', $_POST) && $addnum && $duration) {
-		$q = $pdo->prepare("SELECT * FROM judges_timeslots WHERE id='$round_id'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT * FROM judges_timeslots WHERE id=?");
+		$q->execute([$round_id]);
 		$round_data = $q->fetch(PDO::FETCH_ASSOC);
 
 		$date = $round_data['date'];
@@ -188,9 +188,15 @@ if ($action == 'savemultiple') {
 		$tt = $duration + $break;
 
 		for ($x = 0; $x < $addnum; $x++) {
-			$q = $pdo->prepare("SELECT \tDATE_ADD('$date $hr:$min:00', INTERVAL $duration MINUTE) AS endtime, 
-						DATE_ADD('$date $hr:$min:00', INTERVAL $tt MINUTE) AS startnext ");
-			$q->execute();
+			$q = $pdo->prepare("SELECT 
+					DATE_ADD(?, INTERVAL ? MINUTE) AS endtime, 
+					DATE_ADD(?, INTERVAL ? MINUTE) AS startnext");
+
+			$q->execute([
+				"$date $hr:$min:00", $duration, 
+				"$date $hr:$min:00", $tt
+			]);
+
 			show_pdo_errors_if_any($pdo);
 			$r = $q->fetch(PDO::FETCH_OBJ);
 			list($ed, $et) = split(' ', $r->endtime);
@@ -199,10 +205,10 @@ if ($action == 'savemultiple') {
 			$starttime = sprintf('%02d:%02d:00', $hr, $min);
 
 			$stmt = $pdo->prepare("INSERT INTO judges_timeslots (date,type,round_id,starttime,endtime,year) VALUES (
-					'$date','timeslot','{$round_data['id']}',
-					'$starttime', '$et',
-					'{$config['FAIRYEAR']}')");
-			$stmt->execute();
+					?,'timeslot',?,
+					?,?,
+					?)");
+			$stmt->execute([$date,$round_data['id'],$starttime,$et,$config['FAIRYEAR']]);
 			show_pdo_errors_if_any($pdo);
 			$date = $nd;
 			list($s_h, $s_m, $s_s) = split(':', $nt);
@@ -242,8 +248,8 @@ if ($action == 'addround' || $action == 'editround') {
 		$r['date'] = $config['dates']['fairdate'];
 	} else {
 		echo '<h3>Edit Judging Round</h3>';
-		$q = $pdo->prepare("SELECT * FROM judges_timeslots WHERE id='$round_id'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT * FROM judges_timeslots WHERE id=?");
+		$q->execute([$round_id]);
 		if ($q->rowCount() != 1) {
 			echo "UNKNOWN ROUND $round_id";
 			exit;
@@ -289,8 +295,8 @@ if ($action == 'addtimeslot' || $action == 'edittimeslot') {
 	echo "<input type=\"hidden\" name=\"round_id\" value=\"$round_id\">\n";
 	echo "<input type=\"hidden\" name=\"timeslot_id\" value=\"$timeslot_id\">\n";
 
-	$q = $pdo->prepare("SELECT * FROM judges_timeslots WHERE id='$round_id'");
-	$q->execute();
+	$q = $pdo->prepare("SELECT * FROM judges_timeslots WHERE id=?");
+	$q->execute([$round_id]);
 	$round_data = $q->fetch(PDO::FETCH_ASSOC);
 
 	if ($action == 'addtimeslot') {
@@ -299,8 +305,8 @@ if ($action == 'addtimeslot' || $action == 'edittimeslot') {
 		$r['date'] = $round_data['date'];
 	} else {
 		echo '<h3>Edit Judging Timeslot</h3>';
-		$q = $pdo->prepare("SELECT * FROM judges_timeslots WHERE id='$timeslot_id'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT * FROM judges_timeslots WHERE id=?");
+		$q->execute([$timeslot_id]);
 		if ($q->rowCount() != 1) {
 			echo "UNKNOWN ROUND $round_id";
 			exit;
@@ -334,8 +340,8 @@ if ($action == 'addmultiple') {
 	echo "<input type=\"hidden\" name=\"round_id\" value=\"$round_id\">\n";
 	echo "<input type=\"hidden\" name=\"timeslot_id\" value=\"$timeslot_id\">\n";
 
-	$q = $pdo->prepare("SELECT * FROM judges_timeslots WHERE id='$round_id'");
-	$q->execute();
+	$q = $pdo->prepare("SELECT * FROM judges_timeslots WHERE id=?");
+	$q->execute([$round_id]);
 	$round_data = $q->fetch(PDO::FETCH_ASSOC);
 
 	echo '<table border="0">';
@@ -375,12 +381,12 @@ if ($action == '') {
 	echo '<th>' . i18n('Actions') . '</th>';
 	echo '</tr>';
 
-	$q = $pdo->prepare("SELECT * FROM judges_timeslots WHERE year='{$config['FAIRYEAR']}' AND `type`!='timeslot' ORDER BY date,starttime");
-	$q->execute();
+	$q = $pdo->prepare("SELECT * FROM judges_timeslots WHERE year=? AND `type`!='timeslot' ORDER BY date,starttime");
+	$q->execute([$config['FAIRYEAR']]);
 	while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 		echo '<tr>';
-		$qq = $pdo->prepare("SELECT * FROM judges_timeslots WHERE round_id='{$r->id}' ORDER BY `date`,`starttime`");
-		$qq->execute();
+		$qq = $pdo->prepare("SELECT * FROM judges_timeslots WHERE round_id=? ORDER BY `date`,`starttime`");
+		$qq->execute([$r->id]);
 		$c = $qq->rowCount() + 1;
 
 		echo "<td rowspan=\"$c\"><b>" . format_date($r->date) . '</b></td>';
diff --git a/admin/judging_score_edit.php b/admin/judging_score_edit.php
index 8f6ba0b4..bea4e119 100644
--- a/admin/judging_score_edit.php
+++ b/admin/judging_score_edit.php
@@ -51,10 +51,10 @@ if ($_GET['projectid']) {
 				$score_error = '*** ERROR **** You entered a value greater than 100.00';
 			}
 			$stmt = $pdo->prepare("UPDATE judges_teams_timeslots_projects_link 
-			\t \t\t\t\t\tSET score=" . $score
-				. ' WHERE judges_teams_id = ' . $_POST['team_' . $curr_team . '_id']
-				. " and projects_id =$project_id and year=$year");
-			$stmt->execute();
+			SET score=?
+			WHERE judges_teams_id =?
+			and projects_id =? and year=?");
+			$stmt->execute([$score,$_POST['team_' . $curr_team . '_id'],$project_id,$year]);
 			show_pdo_errors_if_any($pdo);
 		}
 		$curr_team--;
@@ -64,18 +64,18 @@ if ($_GET['projectid']) {
 ?>
 <?
 if ($project_id) {
-	$q = $pdo->prepare("SELECT * FROM projects WHERE projects.id = '" . $project_id . "'");
-	$q->execute();
+	$q = $pdo->prepare("SELECT * FROM projects WHERE projects.id =?");
+	$q->execute([$project_id]);
 	$r = $q->fetch(PDO::FETCH_OBJ);
 	$project_number = $r->projectnumber;
 	$project_title = $r->title;
-	$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year='$year' ORDER BY id");
-	$q->execute();
+	$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year=? ORDER BY id");
+	$q->execute([$year]);
 	while ($r = $q->fetch(PDO::FETCH_OBJ))
 		$cats[$r->id] = $r->category;
 
-	$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year='$year' ORDER BY id");
-	$q->execute();
+	$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year=? ORDER BY id");
+	$q->execute([$year]);
 
 	$q = $pdo->prepare("SELECT judges_teams_timeslots_projects_link.judges_teams_id, 
 											\t score, 
@@ -83,8 +83,8 @@ if ($project_id) {
 		\t            FROM judges_teams_timeslots_projects_link, 
 								\t     judges_teams
 		\t            WHERE judges_teams_timeslots_projects_link.judges_teams_id = judges_teams.id 
-								\t     AND projects_id = " . $project_id . ' ORDER BY judges_teams_id');
-	$q->execute();
+								\t     AND projects_id =?  ORDER BY judges_teams_id");
+	$q->execute([$project_id]);
 	show_pdo_errors_if_any($pdo);
 	echo 'Project# ' . $project_number . '  ' . $project_title . '<br />';
 	if ($score_error != '') {
diff --git a/admin/judging_score_entry.php b/admin/judging_score_entry.php
index 1d0e3750..e7c4f8ae 100644
--- a/admin/judging_score_entry.php
+++ b/admin/judging_score_entry.php
@@ -44,13 +44,13 @@ if ($_GET['csv'] == 'yes') {
 }
 ?>
 <?
-$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year='$year' ORDER BY id");
-$q->execute();
+$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year=? ORDER BY id");
+$q->execute([$year]);
 while ($r = $q->fetch(PDO::FETCH_OBJ))
 	$cats[$r->id] = $r->category;
 
-$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year='$year' ORDER BY id");
-$q->execute();
+$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year=? ORDER BY id");
+$q->execute([$year]);
 while ($r = $q->fetch(PDO::FETCH_OBJ))
 	$divs[$r->id] = $r->division;
 
@@ -74,13 +74,13 @@ $q = $pdo->prepare("SELECT  registrations.id AS reg_id,
 				left outer join projects on projects.registrations_id=registrations.id
 				left outer join judges_teams_timeslots_projects_link on projects.id=judges_teams_timeslots_projects_link.projects_id
 			WHERE
-				registrations.year='$year' "
+				registrations.year=?"
 	. getJudgingEligibilityCode() . " 
 			GROUP BY projectid
 			ORDER BY
 				$ORDERBY
 			");
-$q->execute();
+$q->execute([$year]);
 show_pdo_errors_if_any($pdo);
 
 if ($_GET['csv'] != 'yes') {
@@ -101,15 +101,15 @@ if ($_GET['csv'] != 'yes') {
 
 while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 	if ($_GET['csv'] == 'yes') {
-		echo "$r->projectnumber \t $r->title \t" . $cats[$r->projectcategories_id] . "\t" . $divs[$r->projectdivisions_id] . " \t $r->score \t $r->norm_score ";
-		$p = $pdo->prepare("SELECT judges_teams_timeslots_projects_link.judges_teams_id, 
-							\t    \t\t\t\t score, 
-											\t     judges_teams.num
-		\t                FROM judges_teams_timeslots_projects_link, 
-								\t         judges_teams
-		\t                WHERE judges_teams_timeslots_projects_link.judges_teams_id = judges_teams.id 
-								\t          AND projects_id = " . $r->projectid . ' ORDER BY judges_teams_id');
-		$p->execute();
+		echo "$r->projectnumber \t ? \t ? \t ? \t ? \t ? ";
+		$p = $pdo->prepare("SELECT judges_teams_timeslots_projects_link.judges_teams_id, score, judges_teams.num 
+                    FROM judges_teams_timeslots_projects_link, judges_teams 
+                    WHERE judges_teams_timeslots_projects_link.judges_teams_id = judges_teams.id 
+                    AND projects_id = ? 
+                    ORDER BY judges_teams_id");
+
+		$p->execute([$r->title, $cats[$r->projectcategories_id], $divs[$r->projectdivisions_id], $r->score, $r->norm_score, $r->projectid]);
+
 		show_pdo_errors_if_any($pdo);
 		while ($s = $p->fetch(PDO::FETCH_OBJ)) {
 			$team = getJudgingTeam($s->judges_teams_id);
diff --git a/admin/project_editor.php b/admin/project_editor.php
index 3efd2810..0ce453c9 100644
--- a/admin/project_editor.php
+++ b/admin/project_editor.php
@@ -47,11 +47,11 @@ if ($auth_type == 'fair') {
 		/* Make sure they have permission to laod this student, check
 		the master copy of the fairs_id in the project */
 		$q = $pdo->prepare("SELECT * FROM projects WHERE 
-				registrations_id='$registrations_id' 
-				AND year='{$config['FAIRYEAR']}'
-				AND fairs_id=$fairs_id");
+				registrations_id=? 
+				AND year=?
+				AND fairs_id=?");
 
-		$q->execute();
+		$q->execute([$registrations_id,$config['FAIRYEAR'],$fairs_id]);
 		if ($q->rowCount() != 1) {
 			echo 'permission denied.';
 			exit;
@@ -69,22 +69,22 @@ switch ($action) {
 		project_save();
 
 		/* Now generate */
-		$q = $pdo->prepare("SELECT id FROM projects WHERE registrations_id='{$registrations_id}' AND year='{$config['FAIRYEAR']}'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT id FROM projects WHERE registrations_id=? AND year=?");
+		$q->execute([$registrations_id,$config['FAIRYEAR']]);
 		$i = $q->fetch(PDO::FETCH_ASSOC);
 		$id = $i['id'];
 
 		$stmt = $pdo->prepare("UPDATE projects SET projectnumber=NULL,projectsort=NULL,
 				projectnumber_seq='0',projectsort_seq='0'
-				WHERE id='$id'");
-		$stmt->execute();
+				WHERE id=?");
+		$stmt->execute([$id]);
 		show_pdo_errors_if_any($pdo);
 		list($pn, $ps, $pns, $pss) = generateProjectNumber($registrations_id);
 		//	print("Generated Project Number [$pn]");
-		$stmt = $pdo->prepare("UPDATE projects SET projectnumber='$pn',projectsort='$ps',
-				projectnumber_seq='$pns',projectsort_seq='$pss'
-				WHERE id='$id'");
-		$stmt->execute();
+		$stmt = $pdo->prepare("UPDATE projects SET projectnumber=?,projectsort=?,
+				projectnumber_seq=?,projectsort_seq=?
+				WHERE id=?");
+		$stmt->execute([$pn,$ps,$pns,$pss,$id]);
 		happy_("Generated and Saved Project Number: $pn");
 		break;
 
@@ -102,8 +102,8 @@ function project_save()
 	global $registrations_id, $config, $pdo;
 
 	// first, lets make sure this project really does belong to them
-	$q = $pdo->prepare("SELECT * FROM projects WHERE registrations_id='{$registrations_id}' AND year='{$config['FAIRYEAR']}'");
-	$q->execute();
+	$q = $pdo->prepare("SELECT * FROM projects WHERE registrations_id=? AND year=?");
+	$q->execute([$registrations_id,$config['FAIRYEAR']]);
 	$projectinfo = $q->fetch(PDO::FETCH_OBJ);
 	if (!projectinfo) {
 		echo error(i18n('Invalid project to update'));
@@ -121,13 +121,13 @@ function project_save()
 	if (empty($_POST['feedback'])) {
 		$stmt = $pdo->prepare('UPDATE projects SET '
 			. "flagged='0'"
-			. "WHERE id='" . intval($_POST['id']) . "'");
-		$stmt->execute();
+			. "WHERE id=?");
+		$stmt->execute([intval($_POST['id'])]);
 	} else {
 		$stmt = $pdo->prepare('UPDATE projects SET '
 			. "flagged='1'"
-			. "WHERE id='" . intval($_POST['id']) . "'");
-		$stmt->execute();
+			. "WHERE id=?");
+		$stmt->execute([intval($_POST['id'])]);
 	}
 	show_pdo_errors_if_any($pdo);
 	happy_('Flagging process successfully updated');
@@ -138,36 +138,54 @@ function project_save()
 	} else
 		$title = stripslashes($_POST['title']);
 
-	$stmt = $pdo->prepare('UPDATE projects SET '
-		. "title='" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', $title) . "', "
-		. "projectdivisions_id='" . intval($_POST['projectdivisions_id'] . "', "
-			. "projecttype='" . stripslashes($_POST['projecttype']) . "', "
-			. "language='" . stripslashes($_POST['language']) . "', "
-			. "req_table='" . stripslashes($_POST['req_table']) . "', "
-			. "req_electricity='" . stripslashes($_POST['req_electricity']) . "', "
-			. "req_special='" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['req_special'])) . "', "
-			. "human_participants='" . stripslashes($_POST['human_participants']) . "', "
-			. "animal_participants='" . stripslashes($_POST['animal_participants']) . "', "
-			. "summary='" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['summary'])) . "', "
-			. "summarycountok='$summarycountok',"
-			. "feedback='" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['feedback'])) . "', "
-			. "projectsort='" . stripslashes($_POST['projectsort']) . "'"
-			. "WHERE id='" . intval($_POST['id'])) . "'");
+		$stmt = $pdo->prepare("UPDATE projects SET 
+		title=?, 
+		projectdivisions_id=?, 
+		projecttype=?,
+		language=?, 
+		req_table=?, 
+		req_electricity=?, 
+		req_special=?, 
+		human_participants=?, 
+		animal_participants=?, 
+		summary=?, 
+		summarycountok=?, 
+		feedback=?, 
+		projectsort=? 
+		WHERE id=?");
+		
+		$stmt->execute([
+		iconv('UTF-8', 'ISO-8859-1//TRANSLIT', $_POST['title']),
+		intval($_POST['projectdivisions_id']),
+		$_POST['projecttype'],
+		$_POST['language'],
+		$_POST['req_table'],
+		$_POST['req_electricity'],
+		$_POST['req_special'],
+		$_POST['human_participants'],
+		$_POST['animal_participants'],
+		iconv('UTF-8', 'ISO-8859-1//TRANSLIT', $_POST['summary']),
+		$_POST['summarycountok'],
+		iconv('UTF-8', 'ISO-8859-1//TRANSLIT', $_POST['feedback']),
+		$_POST['projectsort'],
+		intval($_POST['id'])
+		]);
+		
 	show_pdo_errors_if_any($pdo);
 	happy_('Project information successfully updated');
 
 	// check if they changed the project number
 	if ($_POST['projectnumber'] != $projectinfo->projectnumber) {
 		// check if hte new one is available
-		$q = $pdo->prepare("SELECT * FROM projects WHERE year='" . $config['FAIRYEAR'] . "' AND projectnumber='" . $_POST['projectnumber'] . "'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT * FROM projects WHERE year=?' AND projectnumber=?");
+		$q->execute([$config['FAIRYEAR'],$_POST['projectnumber']]);
 		if ($q->rowCount()) {
 			error_('Could not change project number.  %1 is already in use', array($_POST['projectnumber']));
 		} else {
 			$stmt = $pdo->prepare("UPDATE projects SET
-					projectnumber='" . $_POST['projectnumber'] . "'
-					WHERE id='" . $_POST['id'] . "'");
-			$stmt->execute();
+					projectnumber=?
+					WHERE id=?");
+			$stmt->execute([$_POST['projectnumber'],$_POST['id']]);
 			happy_('Project number successfully changed to %1', array($_POST['projectnumber']));
 		}
 	}
@@ -178,13 +196,13 @@ function project_load()
 	global $registrations_id, $config, $pdo, $projectcategories_id;
 	// $projectcategories_id=null;
 	// now lets find out their MAX grade, so we can pre-set the Age Category
-	$q = $pdo->prepare("SELECT MAX(grade) AS maxgrade FROM students WHERE registrations_id='" . $registrations_id . "'");
-	$q->execute();
+	$q = $pdo->prepare("SELECT MAX(grade) AS maxgrade FROM students WHERE registrations_id=?");
+	$q->execute([$registrations_id]);
 	$gradeinfo = $q->fetch(PDO::FETCH_OBJ);
 
 	// now lets grab all the age categories, so we can choose one based on the max grade
-	$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY id");
-	$q->execute();
+	$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year=? ORDER BY id");
+	$q->execute([$config['FAIRYEAR']]);
 	while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 		// save these in an array, just incase we need them later (FIXME: remove this array if we dont need it)
 		$agecategories[$r->id]['category'] = $r->category;
@@ -196,24 +214,24 @@ function project_load()
 	}
 
 	// now select their project info
-	$q = $pdo->prepare("SELECT * FROM projects WHERE registrations_id='" . $registrations_id . "' AND year='" . $config['FAIRYEAR'] . "'");
+	$q = $pdo->prepare("SELECT * FROM projects WHERE registrations_id=? AND year=?");
 	// check if it exists, if we didnt find any record, lets insert one
-	$q->execute();
+	$q->execute([$registrations_id,$config['FAIRYEAR']]);
 	$projectinfo = $q->fetch(PDO::FETCH_OBJ);
 	if (!$projectinfo) {
-		$stmt = $pdo->prepare("INSERT INTO projects (registrations_id,projectcategories_id,year) VALUES ('" . $registrations_id . "','$projectcategories_id','" . $config['FAIRYEAR'] . "')");
+		$stmt = $pdo->prepare("INSERT INTO projects (registrations_id,projectcategories_id,year) VALUES (?,?,?)");
 		// and then pull it back out
-		$stmt->execute();
-		$q = $pdo->prepare("SELECT * FROM projects WHERE registrations_id='" . $registrations_id . "' AND year='" . $config['FAIRYEAR'] . "'");
-		$q->execute();
+		$stmt->execute([$registrations_id,$projectcategories_id,$config['FAIRYEAR']]);
+		$q = $pdo->prepare("SELECT * FROM projects WHERE registrations_id=? AND year=?");
+		$q->execute([ $registrations_id,$config['FAIRYEAR']]);
 		$projectinfo = $q->fetch(PDO::FETCH_OBJ);
 	}
 
 	// make sure that if they changed their grade on the student page, we update their projectcategories_id accordingly
 	if ($projectcategories_id && $projectinfo->projectcategories_id != $projectcategories_id) {
 		echo notice(i18n('Age category changed, updating to %1', array($agecategories[$projectcategories_id]['category'])));
-		$stmt = $pdo->prepare("UPDATE projects SET projectcategories_id='$projectcategories_id' WHERE id='$projectinfo->id'");
-		$stmt->execute();
+		$stmt = $pdo->prepare("UPDATE projects SET projectcategories_id=? WHERE id=?");
+		$stmt->execute([$projectcategories_id,$projectinfo->id]);
 	}
 
 	// output the current status
@@ -293,13 +311,13 @@ function countwords()
 <?
 	// ###### Feature Specific - filtering divisions by category
 	if ($config['filterdivisionbycategory'] == 'yes') {
-		$q = $pdo->prepare('SELECT projectdivisions.* FROM projectdivisions,projectcategoriesdivisions_link WHERE projectdivisions.id=projectdivisions_id AND projectcategories_id=' . $projectcategories_id . " AND projectdivisions.year='" . $config['FAIRYEAR'] . "' AND projectcategoriesdivisions_link.year='" . $config['FAIRYEAR'] . "' ORDER BY division");
-		$q->execute();
+		$q = $pdo->prepare('SELECT projectdivisions.* FROM projectdivisions,projectcategoriesdivisions_link WHERE projectdivisions.id=projectdivisions_id AND projectcategories_id=? AND projectdivisions.year=? AND projectcategoriesdivisions_link.year=? ORDER BY division');
+		$q->execute([$projectcategories_id,$config['FAIRYEAR'],$config['FAIRYEAR']]);
 		show_pdo_errors_if_any($pdo);
 		// ###
 	} else
-		$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY division");
-	$q->execute();
+		$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year=? ORDER BY division");
+	$q->execute([$config['FAIRYEAR']]);
 
 	echo '<select name="projectdivisions_id">';
 	echo '<option value="">' . i18n('Select a division') . "</option>\n";
diff --git a/admin/registration_list.php b/admin/registration_list.php
index f4604ffd..2c5ab799 100644
--- a/admin/registration_list.php
+++ b/admin/registration_list.php
@@ -39,14 +39,14 @@ if (get_value_from_array($_GET, 'year'))
 else
 	$year = $config['FAIRYEAR'];
 
-$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year='$year' ORDER BY id");
-$q->execute();
+$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year=? ORDER BY id");
+$q->execute([$year]);
 
 while ($r = $q->fetch(PDO::FETCH_OBJ))
 	$cats[$r->id] = $r->category;
 
-$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year='$year' ORDER BY id");
-$q->execute();
+$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year=? ORDER BY id");
+$q->execute([$year]);
 
 while ($r = $q->fetch(PDO::FETCH_OBJ))
 	$divs[$r->id] = $r->division;
@@ -62,34 +62,34 @@ switch ($action) {
 
 	case 'delete':
 		$regid = intval($_GET['id']);
-		$q = $pdo->prepare("SELECT * FROM projects WHERE registrations_id='$regid'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT * FROM projects WHERE registrations_id=?");
+		$q->execute([$regid]);
 		if ($q->rowCount()) {
 			$p = $q->fetch(PDO::FETCH_ASSOC);
-			$stmt = $pdo->prepare("DELETE FROM winners WHERE projects_id='{$p['id']}'");
-			$stmt->execute();
+			$stmt = $pdo->prepare("DELETE FROM winners WHERE projects_id=?");
+			$stmt->execute([$p['id']]);
 		}
 
-		$stmt = $pdo->prepare("DELETE FROM registrations WHERE id='$regid' AND year='" . $config['FAIRYEAR'] . "'");
-		$stmt->execute();
+		$stmt = $pdo->prepare("DELETE FROM registrations WHERE id=? AND year=?");
+		$stmt->execute([$regid,$config['FAIRYEAR']]);
 
-		$stmt = $pdo->prepare("DELETE FROM students WHERE registrations_id='$regid' AND year='" . $config['FAIRYEAR'] . "'");
-		$stmt->execute();
+		$stmt = $pdo->prepare("DELETE FROM students WHERE registrations_id=? AND year=?");
+		$stmt->execute([$regid,$config['FAIRYEAR']]);
 
-		$stmt = $pdo->prepare("DELETE FROM projects WHERE registrations_id='$regid' AND year='" . $config['FAIRYEAR'] . "'");
-		$stmt->execute();
+		$stmt = $pdo->prepare("DELETE FROM projects WHERE registrations_id=? AND year=?");
+		$stmt->execute([$regid,$config['FAIRYEAR']]);
 
-		$stmt = $pdo->prepare("DELETE FROM safety WHERE registrations_id='$regid' AND year='" . $config['FAIRYEAR'] . "'");
-		$stmt->execute();
+		$stmt = $pdo->prepare("DELETE FROM safety WHERE registrations_id=? AND year=?");
+		$stmt->execute([$regid,$config['FAIRYEAR']]);
 
-		$stmt = $pdo->prepare("DELETE FROM questions_answers WHERE registrations_id='$regid' AND year='" . $config['FAIRYEAR'] . "'");
-		$stmt->execute();
+		$stmt = $pdo->prepare("DELETE FROM questions_answers WHERE registrations_id=? AND year=?");
+		$stmt->execute([$regid,$config['FAIRYEAR']]);
 
-		$stmt = $pdo->prepare("DELETE FROM mentors WHERE registrations_id='$regid' AND year='" . $config['FAIRYEAR'] . "'");
-		$stmt->execute();
+		$stmt = $pdo->prepare("DELETE FROM mentors WHERE registrations_id=? AND year=?");
+		$stmt->execute([$regid,$config['FAIRYEAR']]);
 
-		$stmt = $pdo->prepare("DELETE FROM emergencycontact WHERE registrations_id='$regid' AND year='" . $config['FAIRYEAR'] . "'");
-		$stmt->execute();
+		$stmt = $pdo->prepare("DELETE FROM emergencycontact WHERE registrations_id=? AND year=?");
+		$stmt->execute([$regid,$config['FAIRYEAR']]);
 		happy_('Registration and all related data successfully deleted');
 		exit;
 }
@@ -444,29 +444,30 @@ function list_query($year, $wherestatus, $reg_id)
 		$fair = "AND projects.fairs_id='{$_SESSION['fairs_id']}'";
 	}
 
-	$q = $pdo->prepare("SELECT  registrations.id AS reg_id,
-				registrations.num AS reg_num,
-				registrations.status,
-				registrations.email,
-				projects.title,
-				projects.projectnumber,
-				projects.projectcategories_id,
-				projects.projectdivisions_id,
-				projects.feedback,
-				projects.flagged
-			FROM
-				registrations
-				left outer join projects on projects.registrations_id=registrations.id
-			WHERE
-				1
-				AND registrations.year='$year' 
-				$wherestatus
-				$reg $fair
-			ORDER BY
-				registrations.status DESC, projects.title
-			");
+	$q = $pdo->prepare("
+		SELECT 
+			registrations.id AS reg_id,
+			registrations.num AS reg_num,
+			registrations.status,
+			registrations.email,
+			projects.title,
+			projects.projectnumber,
+			projects.projectcategories_id,
+			projects.projectdivisions_id,
+			projects.feedback,
+			projects.flagged
+		FROM
+			registrations
+		LEFT OUTER JOIN projects ON projects.registrations_id = registrations.id
+		WHERE
+			registrations.year = ?
+			AND registrations.status = ?
+			AND registrations.num = ?
+			AND registrations.fair = ?
+		ORDER BY
+			registrations.status DESC, projects.title ");
+	$q->execute([$year, $wherestatus, $reg, $fair]);
 
-	$q->execute();
 
 	// FIXME
 	show_pdo_errors_if_any($pdo);
@@ -516,11 +517,11 @@ function print_row($r)
 			FROM
 				students,schools
 			WHERE
-				students.registrations_id='$r->reg_id'
+				students.registrations_id=?
 				AND
 				students.schools_id=schools.id
 			");
-	$sq->execute();
+	$sq->execute([$r->reg_id]);
 	show_pdo_errors_if_any($pdo);
 
 	$studnum = 1;
diff --git a/admin/registration_receivedforms.php b/admin/registration_receivedforms.php
index f5d3380a..d1cd724a 100644
--- a/admin/registration_receivedforms.php
+++ b/admin/registration_receivedforms.php
@@ -41,8 +41,8 @@ echo '<br />';
 
 $showformatbottom = true;
 if (get_value_from_array($_POST, 'action') == 'received' && get_value_from_array($_POST, 'registration_number')) {
-	$q = $pdo->prepare("SELECT * FROM registrations WHERE num='" . $_POST['registration_number'] . "' AND year='" . $config['FAIRYEAR'] . "'");
-	$q->execute();
+	$q = $pdo->prepare("SELECT * FROM registrations WHERE num=? AND year=?");
+	$q->execute([$_POST['registration_number'],$config['FAIRYEAR']]);
 	if ($q->rowCount() == 1) {
 		$r = $q->fetch(PDO::FETCH_OBJ);
 		$reg_id = $r->id;
@@ -77,7 +77,7 @@ if (get_value_from_array($_POST, 'action') == 'received' && get_value_from_array
 						FROM
 							projects,projectcategories,projectdivisions
 						WHERE
-							projects.registrations_id='$reg_id'
+							projects.registrations_id=?
 							AND
 							projects.projectcategories_id=projectcategories.id
 							AND
@@ -87,7 +87,7 @@ if (get_value_from_array($_POST, 'action') == 'received' && get_value_from_array
 							AND
 							projectdivisions.year=projects.year
 						");
-				$q->execute();
+				$q->execute([$reg_id]);
 
 				show_pdo_errors_if_any($pdo);
 				$projectinfo = $q->fetch(PDO::FETCH_OBJ);
@@ -116,11 +116,11 @@ if (get_value_from_array($_POST, 'action') == 'received' && get_value_from_array
 						FROM
 							students,schools
 						WHERE
-							students.registrations_id='$reg_id'
+							students.registrations_id=?
 							AND
 							students.schools_id=schools.id
 						");
-				$q->execute();
+				$q->execute([$reg_id]);
 
 				$studnum = 1;
 				while ($studentinfo = $q->fetch(PDO::FETCH_OBJ)) {
@@ -193,14 +193,14 @@ if (get_value_from_array($_POST, 'action') == 'received' && get_value_from_array
 	$checkNumQuery = $pdo->prepare("SELECT projectnumber
 					FROM projects, registrations 
 					WHERE projects.registrations_id = registrations.id 
-						AND num='$regnum'
-						AND registrations.year='{$config['FAIRYEAR']}'");
-	$checkNumQuery->execute();
+						AND num=?
+						AND registrations.year=?");
+	$checkNumQuery->execute([$regnum,$config['FAIRYEAR']]);
 	$checkNumResults = $checkNumQuery->fetch(PDO::FETCH_OBJ);
 	$projectnum = $checkNumResults->projectnumber;
 
-	$q = $pdo->prepare("SELECT id FROM registrations WHERE num='$regnum' AND year='{$config['FAIRYEAR']}'");
-	$q->execute();
+	$q = $pdo->prepare("SELECT id FROM registrations WHERE num=? AND year=?");
+	$q->execute([$regnum, $config['FAIRYEAR']]);
 	$r = $q->fetch(PDO::FETCH_OBJ);
 	$reg_id = $r->id;
 
@@ -218,8 +218,8 @@ if (get_value_from_array($_POST, 'action') == 'received' && get_value_from_array
 
 	if ($_POST['action'] == 'receivedyes') {
 		// actually set it to 'complete'
-		$stmt = $pdo->prepare("UPDATE registrations SET status='complete' WHERE num='$regnum' AND year='{$config['FAIRYEAR']}'");
-		$stmt->execute();
+		$stmt = $pdo->prepare("UPDATE registrations SET status='complete' WHERE num=? AND year=?");
+		$stmt->execute([$regnum,$config['FAIRYEAR']]);
 		foreach ($recipients AS $recip) {
 			$to = $recip['to'];
 			$subsub = array();
@@ -238,8 +238,8 @@ if (get_value_from_array($_POST, 'action') == 'received' && get_value_from_array
 		echo happy(i18n('Registration of form %1 successfully completed', array($regnum)));
 	} else if ($_POST['action'] == 'receivedyesnocash') {
 		// actually set it to 'paymentpending'
-		$stmt = $pdo->prepare("UPDATE registrations SET status='paymentpending' WHERE num='$regnum' AND year='{$config['FAIRYEAR']}'");
-		$stmt->execute();
+		$stmt = $pdo->prepare("UPDATE registrations SET status='paymentpending' WHERE num=? AND year=?");
+		$stmt->execute([$regnum,$config['FAIRYEAR']]);
 		foreach ($recipients AS $recip) {
 			$to = $recip['to'];
 			$subsub = array();
@@ -261,13 +261,13 @@ if (get_value_from_array($_POST, 'action') == 'received' && get_value_from_array
 	echo notice(i18n('Registration of form %1 cancelled', array($_POST['registration_number'])));
 } else if (get_value_from_array($_GET, 'action') == 'unregister' && get_value_from_array($_GET, 'registration_number')) {
 	$reg_num = intval(trim($_GET['registration_number']));
-	$q = $pdo - prepare("SELECT registrations.id AS reg_id, projects.id AS proj_id FROM projects,registrations WHERE projects.registrations_id=registrations.id AND registrations.year='{$config['FAIRYEAR']}' AND registrations.num='$reg_num'");
-	$q->execute();
+	$q = $pdo->prepare("SELECT registrations.id AS reg_id, projects.id AS proj_id FROM projects,registrations WHERE projects.registrations_id=registrations.id AND registrations.year=? AND registrations.num=?");
+	$q->execute([$config['FAIRYEAR'],$reg_num]);
 	$r = $q->fetch(PDO::FETCH_OBJ);
-	$stmt = $pdo->prepare("UPDATE projects SET projectnumber=null, projectsort=null, projectnumber_seq=0, projectsort_seq=0 WHERE id='$r->proj_id' AND year='{$config['FAIRYEAR']}'");
-	$stmt->execute();
-	$stmt = $pdo->prepare("UPDATE registrations SET status='open' WHERE id='$r->reg_id' AND year='{$config['FAIRYEAR']}'");
-	$stmt->execute();
+	$stmt = $pdo->prepare("UPDATE projects SET projectnumber=null, projectsort=null, projectnumber_seq=0, projectsort_seq=0 WHERE id=? AND year=?");
+	$stmt->execute([$r->proj_id,$config['FAIRYEAR']]);
+	$stmt = $pdo->prepare("UPDATE registrations SET status='open' WHERE id=? AND year=?");
+	$stmt->execute([$r->reg_id,$config['FAIRYEAR']]);
 	echo happy(i18n('Successfully unregistered project'));
 }
 
@@ -305,9 +305,9 @@ if ($showformatbottom) {
 
 if (get_value_from_array($_POST, 'action') == 'receive_all') {
 	// Grab all projects that don't have project numbers. Status should therefor be open or new but not complete
-	$query_noprojectnumber = $pdo->prepare('SELECT * FROM projects WHERE projectnumber IS NULL AND year =' . $config['FAIRYEAR'] . '');
+	$query_noprojectnumber = $pdo->prepare('SELECT * FROM projects WHERE projectnumber IS NULL AND year =?');
 	// Define arrays to append to later
-	$query_noprojectnumber->execute();
+	$query_noprojectnumber->execute([$config['FAIRYEAR']]);
 	$completed_students = array();
 	$incomplete_students = array();
 	$newstatus_students = array();
@@ -315,8 +315,8 @@ if (get_value_from_array($_POST, 'action') == 'receive_all') {
 	// loop through each project that doesn't have a project number
 	while ($studentproject = $query_noprojectnumber->fetch(PDO::FETCH_ASSOC)) {
 		// Grab registration information about the current project
-		$q = $pdo->prepare("SELECT * FROM registrations WHERE id='" . $studentproject['registrations_id'] . "' AND year='" . $config['FAIRYEAR'] . "'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT * FROM registrations WHERE id=? AND year=?");
+		$q->execute([$studentproject['registrations_id'],$config['FAIRYEAR']]);
 		$r = $q->fetch(PDO::FETCH_OBJ);
 		$reg_id = $r->id;
 		$reg_num = $r->num;
@@ -347,18 +347,18 @@ if (get_value_from_array($_POST, 'action') == 'receive_all') {
 			) {
 				// Generate project number and update it in data base
 				list($projectnumber, $ps, $pns, $pss) = generateProjectNumber($reg_id);
-				$stmt = $pdo->prepare("UPDATE projects SET projectnumber='$projectnumber',
-							projectsort='$ps',projectnumber_seq='$pns',projectsort_seq='$pss'
-							WHERE registrations_id='$reg_id' AND year='{$config['FAIRYEAR']}'");
-				$stmt->execute();
+				$stmt = $pdo->prepare("UPDATE projects SET projectnumber=?,
+							projectsort=?,projectnumber_seq=?,projectsort_seq=?
+							WHERE registrations_id=? AND year=?");
+				$stmt->execute([$projectnumber,$ps,$pns,$pss,$reg_id,$config['FAIRYEAR']]);
 
 				// email stuff
 				// get all students with this registration number
 				// $recipients=getEmailRecipientsForRegistration($reg_id);
 
 				// Set status to 'complete'
-				$stmt = $pdo->prepare("UPDATE registrations SET status='complete' WHERE num='$reg_num' AND year='{$config['FAIRYEAR']}'");
-				$stmt->execute();
+				$stmt = $pdo->prepare("UPDATE registrations SET status='complete' WHERE num=? AND year=?");
+				$stmt->execute([$reg_num,$config['FAIRYEAR']]);
 				/*foreach($recipients AS $recip) {
 					$to=$recip['to'];
 					$subsub=array();
diff --git a/admin/registration_stats.php b/admin/registration_stats.php
index dd4383bb..80a6a2a4 100644
--- a/admin/registration_stats.php
+++ b/admin/registration_stats.php
@@ -63,13 +63,13 @@ foreach ($status_str as $s => $str) {
 echo '</select>';
 echo '</form>';
 
-$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year='$year' ORDER BY id");
-$q->execute();
+$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year=? ORDER BY id");
+$q->execute([$year]);
 while ($r = $q->fetch(PDO::FETCH_OBJ))
 	$cats[$r->id] = $r->category;
 
-$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year='$year' ORDER BY id");
-$q->execute();
+$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year=? ORDER BY id");
+$q->execute([$year]);
 while ($r = $q->fetch(PDO::FETCH_OBJ))
 	$divs[$r->id] = $r->division;
 
@@ -133,12 +133,12 @@ $q = $pdo->prepare("SELECT  registrations.id AS reg_id,
 				left outer join projects on projects.registrations_id=registrations.id
 			WHERE
 				1
-				AND registrations.year='$year' 
+				AND registrations.year=?, 
 				$wherestatus
 			ORDER BY
 				$ORDERBY
 			");
-$q->execute();
+$q->execute([$year]);
 show_pdo_errors_if_any($pdo);
 
 $stats_totalprojects = 0;
@@ -188,10 +188,11 @@ while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 				FROM
 					students,schools
 				WHERE
-					students.registrations_id='$r->reg_id'
+					students.registrations_id=?
 					AND
 					students.schools_id=schools.id
 				");
+	$sq->execute([$r->reg_id]);
 	show_pdo_errors_if_any($pdo);
 
 	$studnum = 1;
diff --git a/admin/registration_webconsent.php b/admin/registration_webconsent.php
index d531ef49..43bcea80 100644
--- a/admin/registration_webconsent.php
+++ b/admin/registration_webconsent.php
@@ -44,12 +44,12 @@ if (get_value_from_array($_POST, 'changed')) {
 			$webphoto = get_value_from_2d_array($_POST, 'webphoto', $id) == 'yes' ? 'yes' : 'no';
 
 			$stmt = $pdo->prepare("UPDATE students SET 
-					webfirst='$webfirst',
-					weblast='$weblast',
-					webphoto='$webphoto'
+					webfirst=?,
+					weblast=?,
+					webphoto=?
 					WHERE
-					id='$id'");
-			$stmt->execute();
+					id=?");
+			$stmt->execute([$webfirst,$weblast,$webphoto,$id]);
 		}
 	}
 
@@ -87,12 +87,12 @@ $sq = $pdo->prepare("SELECT students.firstname,
 				students.registrations_id=registrations.id
 			AND\t( registrations.status = 'complete' OR registrations.status='paymentpending' )
 			AND\tprojects.registrations_id=registrations.id
-			AND \tregistrations.year='" . $config['FAIRYEAR'] . "' 
-			AND \tprojects.year='" . $config['FAIRYEAR'] . "' 
-			AND \tstudents.year='" . $config['FAIRYEAR'] . "' 
+			AND \tregistrations.year=? 
+			AND \tprojects.year=? 
+			AND \tstudents.year=? 
 			ORDER BY projectnumber
 			");
-$sq->execute();
+$sq->execute([$config['FAIRYEAR'],$config['FAIRYEAR'],$config['FAIRYEAR']]);
 show_pdo_errors_if_any($pdo);
 
 echo '<form method="post" action="registration_webconsent.php">';
diff --git a/admin/reports.inc.php b/admin/reports.inc.php
index 1eef1ef5..e1e5e4e0 100644
--- a/admin/reports.inc.php
+++ b/admin/reports.inc.php
@@ -351,9 +351,9 @@ foreach($report_stock as $n=>$v) {
 
 	/* First delete all existing fields */
 	$stmt = $pdo->prepare("DELETE FROM reports_items 
-			WHERE `reports_id`='{$report['id']}'
-			AND `type`='$type'");
-	$stmt->execute();
+			WHERE `reports_id`=?
+			AND `type`=?");
+	$stmt->execute([$report['id'],$type]);
 	/* Now add new ones */
 
 	if(count($report[$type]) == 0) return;
@@ -385,9 +385,9 @@ foreach($report_stock as $n=>$v) {
 				`field`,`value`,`x`, `y`, `w`, `h`,
 				`lines`, `face`, `align`,`valign`,
 				`fontname`,`fontstyle`,`fontsize`,`on_overflow`) 
-			VALUES $q");
+			VALUES ?");
 
-	$stmt->execute();
+	$stmt->execute([$q]);
 	show_pdo_errors_if_any($pdo);
 	
  }
@@ -404,8 +404,8 @@ foreach($report_stock as $n=>$v) {
 
 	$report = array();
 
-	$q = $pdo->prepare("SELECT * FROM reports WHERE id='$report_id'");
-	$q->execute();
+	$q = $pdo->prepare("SELECT * FROM reports WHERE id=?");
+	$q->execute([$report_id]);
 	$r = $q->fetch(PDO::FETCH_ASSOC);
 	$report['name'] = get_value_from_array($r, 'name');
 	$report['id'] = get_value_from_array($r, 'id');
@@ -430,9 +430,9 @@ foreach($report_stock as $n=>$v) {
 		$allow_fields=array();
 
  	$q = $pdo->prepare("SELECT * FROM reports_items 
-			WHERE reports_id='{$report['id']}' 
+			WHERE reports_id=? 
 			ORDER BY `ord`");
-	$q->execute();
+	$q->execute([$report['id']]);
 	show_pdo_errors_if_any($pdo);
 	
 	if($q->rowCount() == 0) return $report;
@@ -491,8 +491,8 @@ foreach($report_stock as $n=>$v) {
 	} else {
 		/* if the report['id'] is not zero, see if this is a
 		 * systeim report before doing anything. */
-		$q = $pdo->prepare("SELECT system_report_id FROM reports WHERE id='{$report['id']}'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT system_report_id FROM reports WHERE id=?");
+		$q->execute([$report['id']]);
 		$i = $q->fetch(PDO::FETCH_ASSOC);
 		if(intval($i['system_report_id']) != 0) {
 			/* This is a system report, the editor (should)
@@ -513,12 +513,12 @@ foreach($report_stock as $n=>$v) {
 */
 
  	$stmt = $pdo->prepare("UPDATE reports SET 
-			`name`='".$report['name']."',
-			`desc`='".$report['desc']."',
-			`creator`='".$report['creator']."',
-			`type`='".$report['type']."'
-			WHERE `id`={$report['id']}");
-	$stmt->execute();
+			`name`=?,
+			`desc`=?,
+			`creator`=?,
+			`type`=?
+			WHERE `id`=?");
+	$stmt->execute([$report['name'],$report['desc'],$report['creator'],$report['type'],$report['id']]);
 
 	report_save_field($report, 'col', get_value_from_array($report, 'loc'));
 	report_save_field($report, 'group', array());
@@ -533,7 +533,7 @@ foreach($report_stock as $n=>$v) {
  {	global $pdo;
  	$ret = array();
  	$q = $pdo->prepare("SELECT * FROM reports ORDER BY `name`");
-
+	$q->execute();
 	while($r = $q->fetch(PDO::FETCH_ASSOC)) {
 		$report = array();
 	        $report['name'] = $r['name'];
@@ -551,8 +551,8 @@ foreach($report_stock as $n=>$v) {
  	$r = intval($report_id);
 	/* if the report['id'] is not zero, see if this is a
 	 * systeim report before doing anything. */
-	$q = $pdo->prepare("SELECT system_report_id FROM reports WHERE id='$r'");
-	$q->execute();
+	$q = $pdo->prepare("SELECT system_report_id FROM reports WHERE id=?");
+	$q->execute([$r]);
 	$i = $q->fetch(PDO::FETCH_ASSOC);
 	if(intval($i['system_report_id']) != 0) {
 		/* This is a system report, the editor (should)
@@ -563,10 +563,10 @@ foreach($report_stock as $n=>$v) {
 		echo "ERROR: attempt to delete a system report (reports.id=$r)";
 		exit;
 	}
- 	$stmt = $pdo->prepare("DELETE FROM reports WHERE `id`=$r");
-	$stmt->execute();
-	$stmt = $pdo->prepare("DELETE FROM reports_items WHERE `reports_id`=$r");
- $stmt->execute();}
+ 	$stmt = $pdo->prepare("DELETE FROM reports WHERE `id`=?");
+	$stmt->execute([$r]);
+	$stmt = $pdo->prepare("DELETE FROM reports_items WHERE `reports_id`=?");
+ $stmt->execute([$r]);
 
 
  function report_gen($report) 
diff --git a/admin/reports.php b/admin/reports.php
index 1dd4b7a2..6ae5a17a 100644
--- a/admin/reports.php
+++ b/admin/reports.php
@@ -39,8 +39,8 @@ switch (get_value_from_array($_GET, 'action')) {
 	case 'remove_report':
 		$id = intval($_GET['id']);
 		$stmt = $pdo->prepare("DELETE FROM reports_committee WHERE
-			users_id='{$_SESSION['users_uid']}' AND id='$id'");
-		$stmt->execute();
+			users_id=? AND id=?");
+		$stmt->execute([$_SESSION['users_uid'],$id]);
 		happy_('Report successfully removed');
 		exit;
 	case 'reload':
@@ -64,16 +64,17 @@ switch (get_value_from_array($_GET, 'action')) {
 			$ret['name'] = $report['name'];
 			$ret['category'] = '';
 		} else {
-			$q = $pdo->prepare("SELECT * FROM reports_committee WHERE id='$id'");
+			$q = $pdo->prepare("SELECT * FROM reports_committee WHERE id=?");
+			$q->execute([$id]);
 			$ret = $q->fetch(PDO::FETCH_ASSOC);
 			$ret['type'] = $ret['format'];
 		}
 
 		/* Load available categories */
 		$q = $pdo->prepare("SELECT DISTINCT category FROM reports_committee
- \t\t\tWHERE users_id='{$_SESSION['users_uid']}'
+ \t\t\tWHERE users_id=?
 			ORDER BY category");
-		$q->execute();
+		$q->execute([$_SESSION['users_uid']]);
 		while ($i = $q->fetch(PDO::FETCH_OBJ))
 			$ret['cat'][] = $i->category;
 		echo json_encode($ret);
@@ -87,8 +88,8 @@ switch (get_value_from_array($_GET, 'action')) {
 		if ($id == -1) {
 			/* New entry */
 			$stmt = $pdo->prepare("INSERT INTO `reports_committee` (`users_id`,`reports_id`) 
-			VALUES('{$_SESSION['users_uid']}','$reports_id');");
-			$stmt->execute();
+			VALUES(?,?);");
+			$stmt->execute([$_SESSION['users_uid'],$reports_id]);
 			show_pdo_errors_if_any($pdo);
 			$id = $pdo->lastInsertId();
 		}
@@ -124,12 +125,12 @@ switch (get_value_from_array($_GET, 'action')) {
 		}
 
 		$stmt = $pdo->prepare("UPDATE `reports_committee` SET
-			`category`='$category',
-			`comment`='$comment',
-			`format`='$type',
-			`stock`='$stock'
-			WHERE id='$id'");
-		$stmt->execute();
+			`category`=?,
+			`comment`=?,
+			`format`=?,
+			`stock`=?
+			WHERE id=?");
+		$stmt->execute([$category,$comment,$type,$stock,$id]);
 		happy_('Saved');
 		exit;
 }
@@ -248,9 +249,9 @@ global $edit_mode;
 $q = $pdo->prepare("SELECT reports_committee.*,reports.name
  \t\t\tFROM reports_committee 
 				LEFT JOIN reports ON reports.id=reports_committee.reports_id
- \t\t\tWHERE users_id='{$_SESSION['users_uid']}'
+ \t\t\tWHERE users_id=?
 			ORDER BY category,id");
-$q->execute();
+$q->execute([$_SESSION['users_uid']]);
 show_pdo_errors_if_any($pdo);
 if ($q->rowCount() == 0) {
 	echo i18n('You have no reports saved');
diff --git a/admin/reports_acscript.php b/admin/reports_acscript.php
index 1b01da27..5ab33ea2 100644
--- a/admin/reports_acscript.php
+++ b/admin/reports_acscript.php
@@ -80,14 +80,14 @@ $q = $pdo->prepare("SELECT
 				award_types,
 				sponsors
 			WHERE 
-					award_awards.year='$foryear'
-				AND\taward_types.year='$foryear'
-				AND\taward_awards.award_types_id=award_types.id
-				AND\taward_awards.sponsors_id=sponsors.id
-				AND\taward_awards.excludefromac='0'
-				$awardtype
+					award_awards.year=?
+				AND award_types.year=?
+				AND award_awards.award_types_id=award_types.id
+				AND award_awards.sponsors_id=sponsors.id
+				AND award_awards.excludefromac='0',
+				?
 			ORDER BY awards_order");
-$q->execute();
+$q->execute([$foryear,$foryear,$awardtype]);
 
 show_pdo_errors_if_any($pdo);
 //	echo "<pre>";
@@ -114,14 +114,14 @@ while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 						LEFT JOIN winners ON winners.awards_prizes_id=award_prizes.id
 						LEFT JOIN projects ON projects.id=winners.projects_id
 					WHERE 
-						award_awards_id='{$r->id}' 
-						AND award_prizes.year='$foryear'
+						award_awards_id=? 
+						AND award_prizes.year=?
 						AND award_prizes.excludefromac='0'
-						AND ($and_categories)
+						AND (?)
 					ORDER BY 
 						`order`,
 						projects.projectnumber");
-	$pq->execute();
+	$pq->execute([$r->id,$foryear,$and_categories]);
 	show_pdo_errors_if_any($pdo);
 
 	$r->winners = array();
@@ -246,10 +246,10 @@ foreach ($awards as $r) {
 									students,
 									schools
 								WHERE
-									students.registrations_id='$pr->reg_id'
+									students.registrations_id=?
 									AND students.schools_id=schools.id
 								");
-				$sq->execute();
+				$sq->execute([$pr->reg_id]);
 
 				$students = '       Students: ';
 				$studnum = 0;
diff --git a/admin/reports_appeal_letters.php b/admin/reports_appeal_letters.php
index ff936674..0984bfdd 100644
--- a/admin/reports_appeal_letters.php
+++ b/admin/reports_appeal_letters.php
@@ -70,15 +70,16 @@ $pdf->setImageScale(PDF_IMAGE_SCALE_RATIO);
 
 /* Load the users */
 $users = array();
-$q = $pdo->prepare("SELECT * FROM fundraising_campaigns_users_link WHERE fundraising_campaigns_id='$fcid'");
+$q = $pdo->prepare("SELECT * FROM fundraising_campaigns_users_link WHERE fundraising_campaigns_id=?");
+$q->execute([$fcid]);
 while ($l = $q->fetch(PDO::FETCH_ASSOC)) {
 	$uid = $l['users_uid'];
 	$users[$uid] = user_load_by_uid($uid);
 }
 
 /* Grab all the emails */
-$q = $pdo->prepare("SELECT * FROM emails WHERE fundraising_campaigns_id='$fcid' AND val='$key'");
-$q->execute();
+$q = $pdo->prepare("SELECT * FROM emails WHERE fundraising_campaigns_id=? AND val=?");
+$q->execute([$fcid,$key]);
 
 while ($e = $q->fetch(PDO::FETCH_ASSOC)) {
 	foreach ($users as $uid => &$u) {
diff --git a/admin/reports_ceremony.php b/admin/reports_ceremony.php
index 4f0d2bfe..06ecd0c9 100644
--- a/admin/reports_ceremony.php
+++ b/admin/reports_ceremony.php
@@ -61,8 +61,8 @@ echo "</td></tr>\n";
 echo '<tr>';
 // list award subsets to output
 echo '<td><b>' . i18n('Award Type') . ':</b></td> <td> <select name="awardtype" size=1>';
-$results = $pdo->prepare('SELECT type FROM award_types WHERE year=' . $config['FAIRYEAR'] . ' ORDER BY type');
-$results->execute();
+$results = $pdo->prepare('SELECT type FROM award_types WHERE year=? ORDER BY type');
+$results->execute([$config['FAIRYEAR']]);
 echo '<option value="All">' . i18n('All') . '</option>';
 while ($r = $results->fetch(PDO::FETCH_OBJ)) {
 	echo "<option value=\"$r->type\">" . i18n("$r->type") . '</option>';
@@ -94,8 +94,8 @@ echo '<td><input name="group_by_prize" type="checkbox" /></td></tr>';
 
 echo '<tr><td><b>' . i18n('Include the following age categories') . ':</b></td>';
 echo '<td>';
-$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year='{$config['FAIRYEAR']}' ORDER BY id");
-$q->execute();
+$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year=? ORDER BY id");
+$q->execute([$config['FAIRYEAR']]);
 while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 	echo "<input name=\"show_category[{$r->id}]\" type=\"checkbox\" checked=\"checked\" />";
 	echo '' . i18n($r->category) . '<br />';
diff --git a/admin/reports_gen.php b/admin/reports_gen.php
index eaf16dee..51fbf010 100644
--- a/admin/reports_gen.php
+++ b/admin/reports_gen.php
@@ -40,8 +40,8 @@ if ($year < 1000)
 /* If it's a system report, turn that into the actual report id */
 if (array_key_exists('sid', $_GET)) {
 	$sid = intval($_GET['sid']);
-	$q = $pdo->prepare("SELECT id FROM reports WHERE system_report_id='$sid'");
-	$q->execute();
+	$q = $pdo->prepare("SELECT id FROM reports WHERE system_report_id=?");
+	$q->execute([$sid]);
 	$r = $q->fetch(PDO::FETCH_OBJ);
 	$id = $r['id'];
 }
@@ -91,9 +91,9 @@ switch ($_GET['action']) {
 	<?
 	/* See if the report is in this committee member's list */
 	$q = $pd->prepare("SELECT * FROM reports_committee 
- \t\t\t\tWHERE users_id='{$_SESSION['users_uid']}'
-				AND reports_id='{$report['id']}'");
-	$q->execute();
+ \t\t\t\tWHERE users_id=?
+				AND reports_id=?");
+	$q->execute([$_SESSION['users_uid'],$report['id']]);
 	if ($q->rowCount() > 0) {
 		$i = $q->fetch(PDO::FETCH_ASSOC);
 		?>
@@ -223,9 +223,9 @@ echo "<td>{$report['creator']}</td></tr>";
 echo '<tr><td colspan="2"><hr /></td></tr>';
 /* See if the report is in this committee member's list */
 $q = $pdo->prepare("SELECT * FROM reports_committee 
- \t\t\tWHERE users_id='{$_SESSION['users_uid']}'
-			AND reports_id='{$report['id']}'");
-$q->execute();
+ \t\t\tWHERE users_id=?
+			AND reports_id=?");
+$q->execute([$_SESSION['users_uid'],$report['id']]);
 echo '<tr><td colspan="2"><h3>' . i18n('My Reports Info') . '</h3></td></tr>';
 if ($q->rowCount() > 0) {
 	/* Yes, it is */
diff --git a/admin/reports_judges.inc.php b/admin/reports_judges.inc.php
index 745bfa65..77826b62 100644
--- a/admin/reports_judges.inc.php
+++ b/admin/reports_judges.inc.php
@@ -48,8 +48,8 @@ function report_judges_load_divs($year)
 	/* Load divisions for this year, only once */
 	if (!array_key_exists($year, $report_judges_divs)) {
 		$report_judges_divs[$year] = array();
-		$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year='$year'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year=?");
+		$q->execute([$year]);
 		while (($d = $q->fetch(PDO::FETCH_ASSOC))) {
 			$report_judges_divs[$year][$d['id']] = $d;
 		}
@@ -61,8 +61,8 @@ function report_judges_load_cats($year)
 	global $report_judges_cats;
 	global $pdo;
 	if (!array_key_exists($year, $report_judges_cats)) {
-		$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year='$year'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year=?");
+		$q->execute([$year]);
 		while (($c = $q->fetch(PDO::FETCH_ASSOC))) {
 			$report_judges_cats[$year][$c['id']] = $c;
 		}
@@ -142,14 +142,14 @@ function report_judges_custom_question($report, $field, $text)
 	$users_id = $text;
 
 	/* Find the actual question ID */
-	$q = $pdo->prepare("SELECT * FROM questions WHERE year='$year' AND ord='$q_ord'");
-	$q->execute();
+	$q = $pdo->prepare("SELECT * FROM questions WHERE year=? AND ord=?");
+	$q->execute([$year,$q_ord]);
 	if ($q->rowCount() != 1)
 		return 'Question not specified';
 	$question = $q->fetch(PDO::FETCH_ASSOC);
 
-	$q = $pdo->prepare("SELECT * FROM question_answers WHERE users_id='$users_id' AND questions_id='{$question['id']}'");
-	$q->execute();
+	$q = $pdo->prepare("SELECT * FROM question_answers WHERE users_id=? AND questions_id=?");
+	$q->execute([$users_id,$question['id']]);
 	if ($q->rowCount() != 1)
 		return '';
 	$answer = $q->fetch(PDO::FETCH_ASSOC);
@@ -194,9 +194,9 @@ function report_judges_team_members($report, $field, $text)
 	$judges_teams_id = $text;
 	$q = $pdo->prepare("SELECT * FROM judges_teams_link 
 						LEFT JOIN users ON judges_teams_link.users_id=users.id
-						WHERE judges_teams_link.year='$year'
-						AND judges_teams_link.judges_teams_id='$judges_teams_id'");
-	$q->execute();
+						WHERE judges_teams_link.year=?
+						AND judges_teams_link.judges_teams_id=?");
+	$q->execute([$year,$judges_teams_id]);
 	$ret = '';
 	while (($m = $q->fetch(PDO::FETCH_ASSOC))) {
 		$add = false;
@@ -239,8 +239,8 @@ function report_judges_load_rounds($year)
 	if (count($report_judges_rounds))
 		return;
 
-	$q = $pdo->prepare("SELECT * FROM judges_timeslots WHERE round_id='0' AND `year`='$year'");
-	$q->execute();
+	$q = $pdo->prepare("SELECT * FROM judges_timeslots WHERE round_id='0' AND `year`=?");
+	$q->execute([$year]);
 	/* Loads judges_timeslots.id, .starttime, .endtime, .date, .name */
 	while ($r = $q->fetch(PDO::FETCH_ASSOC)) {
 		$report_judges_rounds[] = $r;
@@ -258,8 +258,8 @@ function report_judges_specialaward($report, $field, $text)
 	global $config, $report_judges_rounds, $pdo;
 	$year = $report['year'];
 	$award_id = $text;
-	$q = $pdo->prepare("SELECT * FROM award_awards WHERE id='" . intval($award_id) . "'");
-	$q->execute();
+	$q = $pdo->prepare("SELECT * FROM award_awards WHERE id=?");
+	$q->execute([intval($award_id)]);
 	$r = $q->fetch(PDO::FETCH_OBJ);
 	return $r->name;
 }
@@ -284,8 +284,8 @@ function report_judges_time_availability($report, $field, $text)
 			exit;
 	}
 
-	$q = $pdo->prepare("SELECT * FROM judges_availability WHERE users_id='$users_id'");
-	$q->execute();
+	$q = $pdo->prepare("SELECT * FROM judges_availability WHERE users_id=?");
+	$q->execute([$users_id]);
 	//	echo mysql_error();
 	while (($r = $q->fetch(PDO::FETCH_ASSOC))) {
 		if ($r['start'] <= $round['starttime'] &&
diff --git a/admin/reports_judges.php b/admin/reports_judges.php
index 1a34c26e..ab72bbc5 100644
--- a/admin/reports_judges.php
+++ b/admin/reports_judges.php
@@ -77,8 +77,8 @@ foreach ($keys as $qid) {
 }
 
 // grab the list of divisions, because the last fields of the table will be the sub-divisions
-$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY id");
-$q->execute();
+$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year=? ORDER BY id");
+$q->execute([$config['FAIRYEAR']]);
 $numcats = $q->rowCount();
 $catheadings = array();
 while ($r = $q->fetch(PDO::FETCH_OBJ)) {
@@ -86,8 +86,8 @@ while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 	$catheadings[] = "$r->category (out of 5)";
 }
 // grab the list of divisions, because the last fields of the table will be the sub-divisions
-$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY id");
-$q->execute();
+$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year=? ORDER BY id");
+$q->execute([$config['FAIRYEAR']]);
 $divheadings = array();
 while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 	$divs[] = $r->id;
@@ -102,8 +102,8 @@ $times = array();
 $datetimeheadings = array();
 
 /* Load the judging rounds */
-$q = $pdo->prepare("SELECT date,starttime,endtime,name FROM judges_timeslots WHERE round_id='0' AND year='{$config['FAIRYEAR']}' ORDER BY starttime,type");
-$q->execute();
+$q = $pdo->prepare("SELECT date,starttime,endtime,name FROM judges_timeslots WHERE round_id='0' AND year=? ORDER BY starttime,type");
+$q->execute([$config['FAIRYEAR']]);
 $x = 0;
 while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 	$found = false;
@@ -138,13 +138,13 @@ $q = $pdo->prepare("SELECT
 				JOIN users_judge ON users.id=users_judge.users_id
 			WHERE 
 				users.deleted='no' AND 
-				users.year='" . $config['FAIRYEAR'] . "'
+				users.year=?
 				AND users.types LIKE '%judge%'
 
 			ORDER BY 
 				lastname,
 				firstname");
-$q->execute();
+$q->execute([$config['FAIRYEAR']]);
 show_pdo_errors_if_any($pdo);
 while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 	$u = user_load($r->id);
@@ -182,8 +182,8 @@ while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 		$qarray[] = $qans[$qid];
 	}
 
-	$tq = $pdo->prepare('SELECT * FROM judges_availability WHERE users_id="' . $r->id . '" ORDER BY `start`');
-	$tq->execute();
+	$tq = $pdo->prepare('SELECT * FROM judges_availability WHERE users_id=? ORDER BY `start`');
+	$tq->execute([$r->id]);
 
 	$sel = array();
 	$timedata = array();
diff --git a/admin/reports_judges_allyears.php b/admin/reports_judges_allyears.php
index 1a7e70e3..fc387a56 100644
--- a/admin/reports_judges_allyears.php
+++ b/admin/reports_judges_allyears.php
@@ -78,8 +78,8 @@ foreach ($keys as $qid) {
 }
 
 // grab the list of divisions, because the last fields of the table will be the sub-divisions
-$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY id");
-$q->execute();
+$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year=? ORDER BY id");
+$q->execute([$config['FAIRYEAR']]);
 $numcats = $q->rowCount();
 $catheadings = array();
 while ($r = $q->fetch(PDO::FETCH_OBJ)) {
@@ -87,8 +87,8 @@ while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 	$catheadings[] = "$r->category (out of 5)";
 }
 // grab the list of divisions, because the last fields of the table will be the sub-divisions
-$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY id");
-$q->execute();
+$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year=? ORDER BY id");
+$q->execute([$config['FAIRYEAR']]);
 $divheadings = array();
 while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 	$divs[] = $r->id;
diff --git a/admin/reports_judges_teams_projects.php b/admin/reports_judges_teams_projects.php
index 03cfddfb..9f2193e7 100644
--- a/admin/reports_judges_teams_projects.php
+++ b/admin/reports_judges_teams_projects.php
@@ -45,8 +45,8 @@ if ($type == 'pdf') {
 
 $teams = getJudgingTeams();
 
-$q = $pdo->prepare("SELECT DISTINCT(date) AS d FROM judges_timeslots WHERE year='" . $config['FAIRYEAR'] . "'");
-$q->execute();
+$q = $pdo->prepare("SELECT DISTINCT(date) AS d FROM judges_timeslots WHERE year=?");
+$q->execute([$config['FAIRYEAR']]);
 if ($q->rowCount() > 1)
 	$show_date = true;
 else
@@ -83,8 +83,8 @@ foreach ($teams AS $team) {
 			$rep->addText(i18n('Criteria') . ': ' . $award['criteria']);
 
 			// get category eligibility
-			$q = $pdo->prepare("SELECT projectcategories.category FROM projectcategories, award_awards_projectcategories WHERE award_awards_projectcategories.projectcategories_id=projectcategories.id AND award_awards_projectcategories.award_awards_id='{$award['id']}' AND award_awards_projectcategories.year='{$config['FAIRYEAR']}' AND projectcategories.year='{$config['FAIRYEAR']}' ORDER BY category");
-			$q->execute();
+			$q = $pdo->prepare("SELECT projectcategories.category FROM projectcategories, award_awards_projectcategories WHERE award_awards_projectcategories.projectcategories_id=projectcategories.id AND award_awards_projectcategories.award_awards_id=? AND award_awards_projectcategories.year=? AND projectcategories.year=? ORDER BY category");
+			$q->execute([$award['id'],$config['FAIRYEAR'],$config['FAIRYEAR']]);
 			show_pdo_errors_if_any($pdo);
 			$cats = '';
 			while ($r = $q->fetch(PDO::FETCH_OBJ)) {
@@ -96,8 +96,8 @@ foreach ($teams AS $team) {
 			$rep->addText(i18n('Categories') . ": $cats");
 
 			// get division eligibility
-			$q = $pdo->prepare("SELECT projectdivisions.division_shortform FROM projectdivisions, award_awards_projectdivisions WHERE award_awards_projectdivisions.projectdivisions_id=projectdivisions.id AND award_awards_projectdivisions.award_awards_id='{$award['id']}' AND award_awards_projectdivisions.year='{$config['FAIRYEAR']}' AND projectdivisions.year='{$config['FAIRYEAR']}' ORDER BY division_shortform");
-			$q->execute();
+			$q = $pdo->prepare("SELECT projectdivisions.division_shortform FROM projectdivisions, award_awards_projectdivisions WHERE award_awards_projectdivisions.projectdivisions_id=projectdivisions.id AND award_awards_projectdivisions.award_awards_id=? AND award_awards_projectdivisions.year=? AND projectdivisions.year=? ORDER BY division_shortform");
+			$q->execute([$award['id'],$config['FAIRYEAR'],$config['FAIRYEAR']]);
 			show_pdo_errors_if_any($pdo);
 			$divs = '';
 			while ($r = $q->fetch(PDO::FETCH_OBJ)) {
@@ -123,13 +123,13 @@ foreach ($teams AS $team) {
 					judges_teams,
 					judges_teams_timeslots_link
 				WHERE
-					judges_teams.id='" . $team['id'] . "' AND
+					judges_teams.id=? AND
 					judges_teams.id=judges_teams_timeslots_link.judges_teams_id AND
 					judges_timeslots.id=judges_teams_timeslots_link.judges_timeslots_id
 				ORDER BY
 					date,starttime
 				");
-	$q->execute();
+	$q->execute([$team['id']]);
 	$numslots = $q->rowCount();
 
 	while ($r = $q->fetch(PDO::FETCH_OBJ)) {
@@ -147,14 +147,14 @@ foreach ($teams AS $team) {
 					projects,
 					judges_teams_timeslots_projects_link
 				WHERE
-					judges_teams_timeslots_projects_link.judges_timeslots_id='$r->id' AND
-					judges_teams_timeslots_projects_link.judges_teams_id='" . $team['id'] . "' AND
+					judges_teams_timeslots_projects_link.judges_timeslots_id=? AND
+					judges_teams_timeslots_projects_link.judges_teams_id=? AND
 					judges_teams_timeslots_projects_link.projects_id=projects.id AND
-					judges_teams_timeslots_projects_link.year='" . $config['FAIRYEAR'] . "'
+					judges_teams_timeslots_projects_link.year=?
 				ORDER BY
 					projectnumber
 				");
-		$projq->execute();
+		$projq->execute([$r->id,$team['id'],$config['FAIRYEAR']]);
 
 		while ($proj = $projq->fetch(PDO::FETCH_OBJ)) {
 			$table['data'][] = array($timeslot, $proj->projectnumber, $proj->title);
diff --git a/admin/reports_mailinglabels_generator.php b/admin/reports_mailinglabels_generator.php
index cff44431..6d776137 100644
--- a/admin/reports_mailinglabels_generator.php
+++ b/admin/reports_mailinglabels_generator.php
@@ -83,11 +83,11 @@ if ($report) {
 						FROM
 							schools
 						WHERE
-							year='{$config['FAIRYEAR']}'
+							year=?
 						ORDER BY
 							school
 						");
-			$q->execute();
+			$q->execute([$config['FAIRYEAR']]);
 			break;
 
 		case 'sponsors':
@@ -129,11 +129,11 @@ if ($report) {
 							judges_years
 						WHERE
 							judges_years.judges_id=judges.id
-							AND judges_years.year='{$config['FAIRYEAR']}'
+							AND judges_years.year=?
 						ORDER BY
 							lastname,firstname
 						");
-			$q->execute();
+			$q->execute([$config['FAIRYEAR']]);
 			break;
 	}
 
diff --git a/admin/reports_program_awards.php b/admin/reports_program_awards.php
index 17e913fa..0f0f9ae9 100644
--- a/admin/reports_program_awards.php
+++ b/admin/reports_program_awards.php
@@ -30,13 +30,13 @@ $q = $pdo->prepare("SELECT
 				award_awards,
 				award_types
 			WHERE 
-					award_awards.year='" . $config['FAIRYEAR'] . "'
-				AND\taward_types.year='" . $config['FAIRYEAR'] . "'
+					award_awards.year=?
+				AND\taward_types.year=?
 				AND\taward_awards.award_types_id=award_types.id
 				AND\taward_awards.excludefromac='0'
 				AND\t(award_types.type='special' OR award_types.type='grand')
 			ORDER BY awards_order");
-$q->execute();
+$q->execute([$config['FAIRYEAR'],$config['FAIRYEAR']]);
 
 show_pdo_errors_if_any($pdo);
 
@@ -45,8 +45,8 @@ if ($q->rowCount()) {
 		$rep->heading(i18n($r->name));
 
 		// get teh age categories
-		$acq = $pdo->prepare("SELECT projectcategories.category FROM projectcategories, award_awards_projectcategories  WHERE projectcategories.year='" . $config['FAIRYEAR'] . "' AND award_awards_projectcategories.year='" . $config['FAIRYEAR'] . "' AND award_awards_projectcategories.award_awards_id='$r->id' AND award_awards_projectcategories.projectcategories_id=projectcategories.id ORDER BY projectcategories.id");
-		$acq->execute();
+		$acq = $pdo->prepare("SELECT projectcategories.category FROM projectcategories, award_awards_projectcategories  WHERE projectcategories.year=? AND award_awards_projectcategories.year=? AND award_awards_projectcategories.award_awards_id=? AND award_awards_projectcategories.projectcategories_id=projectcategories.id ORDER BY projectcategories.id");
+		$acq->execute([$config['FAIRYEAR'],$config['FAIRYEAR'],$r->id]);
 		show_pdo_errors_if_any($pdo);
 		$cats = '';
 		while ($acr = $acq->fetch(PDO::FETCH_OBJ)) {
@@ -64,12 +64,12 @@ if ($q->rowCount()) {
 					FROM 
 						award_prizes 
 					WHERE 
-						award_awards_id='$r->id' 
-						AND award_prizes.year='" . $config['FAIRYEAR'] . "'
+						award_awards_id=? 
+						AND award_prizes.year=?
 						AND award_prizes.excludefromac='0'
 					ORDER BY 
 						`order`");
-		$pq->execute();
+		$pq->execute([$r->id,$config['FAIRYEAR']]);
 		show_pdo_errors_if_any($pdo);
 		$prevprizeid = -1;
 		while ($pr = $pq->fetch(PDO::FETCH_OBJ)) {
diff --git a/admin/reports_projects_details.php b/admin/reports_projects_details.php
index 5578f5cd..added665 100644
--- a/admin/reports_projects_details.php
+++ b/admin/reports_projects_details.php
@@ -65,14 +65,15 @@ $projq = $pdo->prepare("SELECT
 				LEFT JOIN projectcategories ON projectcategories.id=projects.projectcategories_id
 
 			WHERE
-				projects.year='" . $config['FAIRYEAR'] . "' 
-				AND projectdivisions.year='" . $config['FAIRYEAR'] . "'
-				AND projectcategories.year='" . $config['FAIRYEAR'] . "'
+				projects.year=? 
+				AND projectdivisions.year=?
+				AND projectcategories.year=?
 				AND ( registrations.status='complete'
 			\t OR registrations.status='paymentpending' )
 			ORDER BY
 				projects.projectnumber
 			");
+$projq->execute([$config['FAIRYEAR'],$config['FAIRYEAR'],$config['FAIRYEAR']]);
 show_pdo_errors_if_any($pdo);
 
 $totalprojects = $projq->rowCount();
@@ -85,9 +86,9 @@ while ($proj = $projq->fetch(PDO::FETCH_OBJ)) {
 				FROM
 					students
 				WHERE
-					students.registrations_id='$proj->reg_id'
+					students.registrations_id=?
 				");
-	$sq->execute();
+	$sq->execute([$proj->reg_id]);
 	$students = '';
 	$studnum = 0;
 	while ($studentinfo = $sq->fetch(PDO::FETCH_OBJ)) {
@@ -115,8 +116,8 @@ while ($proj = $projq->fetch(PDO::FETCH_OBJ)) {
 	$rep->addTable($table);
 	unset($table);
 
-	$q = $pdo->prepare("SELECT * FROM mentors WHERE registrations_id='" . $proj->reg_id . "'");
-	$q->execute();
+	$q = $pdo->prepare("SELECT * FROM mentors WHERE registrations_id=?");
+	$q->execute([$proj->reg_id]);
 	$rep->nextline();
 	$rep->heading(i18n('Mentor Information'));
 	$rep->nextline();
diff --git a/admin/reports_projects_judges_teams.php b/admin/reports_projects_judges_teams.php
index 8855065a..e1714fe4 100644
--- a/admin/reports_projects_judges_teams.php
+++ b/admin/reports_projects_judges_teams.php
@@ -49,8 +49,8 @@ if ($type == 'pdf') {
 
 $teams = getJudgingTeams();
 
-$q = $pdo->prepare("SELECT DISTINCT(date) AS d FROM judges_timeslots WHERE year='" . $config['FAIRYEAR'] . "'");
-$q->execute();
+$q = $pdo->prepare("SELECT DISTINCT(date) AS d FROM judges_timeslots WHERE year=?");
+$q->execute([$config['FAIRYEAR']]);
 if ($q->rowCount() > 1)
 	$show_date = true;
 else
@@ -73,15 +73,15 @@ $projq = $pdo->prepare("SELECT
 				LEFT JOIN projectcategories ON projectcategories.id=projects.projectcategories_id
 
 			WHERE
-				projects.year='" . $config['FAIRYEAR'] . "' 
-				AND projectdivisions.year='" . $config['FAIRYEAR'] . "'
-				AND projectcategories.year='" . $config['FAIRYEAR'] . "'
+				projects.year=? 
+				AND projectdivisions.year=?
+				AND projectcategories.year=?
 				AND ( registrations.status='complete'
 			\t OR registrations.status='paymentpending' )
 			ORDER BY
 				projects.projectnumber
 			");
-$projq->execute();
+$projq->execute([$config['FAIRYEAR'],$config['FAIRYEAR'],$config['FAIRYEAR']]);
 show_pdo_errors_if_any($pdo);
 
 while ($proj = $projq->fetch(PDO::FETCH_OBJ)) {
@@ -92,9 +92,9 @@ while ($proj = $projq->fetch(PDO::FETCH_OBJ)) {
 				FROM
 					students
 				WHERE
-					students.registrations_id='$proj->reg_id'
+					students.registrations_id=?
 				");
-	$sq->execute();
+	$sq->execute([$proj->reg_id]);
 
 	$students = '';
 	$studnum = 0;
@@ -127,12 +127,12 @@ while ($proj = $projq->fetch(PDO::FETCH_OBJ)) {
 					LEFT JOIN judges_timeslots ON judges_teams_timeslots_projects_link.judges_timeslots_id=judges_timeslots.id
 					LEFT JOIN judges_teams ON judges_teams_timeslots_projects_link.judges_teams_id=judges_teams.id
 				WHERE
-					judges_teams_timeslots_projects_link.projects_id='$proj->id'
-					AND judges_teams_timeslots_projects_link.year='" . $config['FAIRYEAR'] . "'
+					judges_teams_timeslots_projects_link.projects_id=?
+					AND judges_teams_timeslots_projects_link.year=?
 				ORDER BY
 					date,starttime
 				");
-	$q->execute();
+	$q->execute([$proj->id,$config['FAIRYEAR']]);
 	$numslots = $q->rowCount();
 
 	while ($r = $q->fetch(PDO::FETCH_OBJ)) {
diff --git a/admin/reports_students.inc.php b/admin/reports_students.inc.php
index 55398d64..6bfe34e7 100644
--- a/admin/reports_students.inc.php
+++ b/admin/reports_students.inc.php
@@ -81,9 +81,9 @@ function report_student_safety_question($report, $field, $text)
 			safety.answer
 		FROM safetyquestions
 		JOIN safety ON safetyquestions.id=safety.safetyquestions_id
-		WHERE safety.registrations_id='" . $regid . "' 
+		WHERE safety.registrations_id=? 
 		ORDER BY safetyquestions.ord LIMIT $q_ord,1");
-	$q->execute();
+	$q->execute([$regid]);
 
 	$r = $q->fetch(PDO::FETCH_OBJ);
 	return $r->answer;
@@ -94,9 +94,9 @@ function reports_students_numstudents($report, $field, $text)
 	global $pdo;
 	$year = $report['year'];
 	$q = $pdo->prepare("SELECT students.id FROM students 
-				WHERE students.registrations_id='$text'
-					AND students.year='$year'");
-	$q->execute();
+				WHERE students.registrations_id=?
+					AND students.year=?");
+	$q->execute([$text,$year]);
 	return $q->rowCount();
 }
 
@@ -108,11 +108,11 @@ function reports_students_award_selfnom_num($report, $field, $text, $n)
 				projects 
 				LEFT JOIN project_specialawards_link ON project_specialawards_link.projects_id=projects.id
 				LEFT JOIN award_awards ON award_awards.id=project_specialawards_link.award_awards_id
-				WHERE projects.id='$text'
-					AND projects.year='$year'
-					AND project_specialawards_link.year='$year'
-				LIMIT $n,1");
-	$q->execute();
+				WHERE projects.id=?
+					AND projects.year=?
+					AND project_specialawards_link.year=?
+				LIMIT ?,1");
+	$q->execute([$text,$year,$year,$n]);
 	show_pdo_errors_if_any($pdo);
 	$i = $q->fetch(PDO::FETCH_OBJ);
 	return $i['name'];
@@ -157,8 +157,8 @@ function report_student_regfee_item($report, $field, $text)
 {
 	$year = $report['year'];
 	$id = intval(substr($field, 12));
-	$q = $pdo->prepare("SELECT regfee_items_id FROM regfee_items_link WHERE students_id='$text' AND regfee_items_id='$id'");
-	$q->execute();
+	$q = $pdo->prepare("SELECT regfee_items_id FROM regfee_items_link WHERE students_id=? AND regfee_items_id=?");
+	$q->execute([$text,$id]);
 	show_pdo_errors_if_any($pdo);
 	if ($r = $q->fetch(PDO::FETCH_OBJ)) {
 		return i18n('Yes');
@@ -167,8 +167,8 @@ function report_student_regfee_item($report, $field, $text)
 	}
 }
 
-$q = $pdo->prepare("SELECT * FROM regfee_items WHERE year='{$config['FAIRYEAR']}'");
-$q->execute();
+$q = $pdo->prepare("SELECT * FROM regfee_items WHERE year=?");
+$q->execute([$config['FAIRYEAR']]);
 $regfeeitems = array();
 $first = true;
 while ($i = $q->fetch(PDO::FETCH_ASSOC)) {
diff --git a/admin/rerollprizes.php b/admin/rerollprizes.php
index 9586ac45..8349ac8d 100644
--- a/admin/rerollprizes.php
+++ b/admin/rerollprizes.php
@@ -40,122 +40,124 @@ $newfairyear = 2008;
 // first make sure they have indeed done the rollover...
 if ($config['FAIRYEAR'] == 2008) {
 	// make sure the number of awards are identical (aka they havent added any new ones)
-	$nq1 = $pdo->prepare("SELECT * FROM award_awards WHERE year='$newfairyear'");
-	$nq1->execute();
-	$nq2 = $pdo->prepare("SELECT * FROM award_awards WHERE year='$currentfairyear'");
-	$nq2->execute();
+	$nq1 = $pdo->prepare("SELECT * FROM award_awards WHERE year=?");
+	$nq1->execute([$newfairyear]);
+	$nq2 = $pdo->prepare("SELECT * FROM award_awards WHERE year=?");
+	$nq2->execute([$currentfairyear]);
 	if ($nq1->rowCount() == $nq2->rowcount()) {
-		$npq1 = $pdo->prepare("SELECT * FROM award_prizes WHERE year='$newfairyear'");
-		$npq1->execute();
-		$npq2 = $pdo->prepare("SELECT * FROM award_prizes WHERE year='$currentfairyear'");
-		$npq2->execute();
+		$npq1 = $pdo->prepare("SELECT * FROM award_prizes WHERE year?");
+		$npq1->execute([$newfairyear]);
+		$npq2 = $pdo->prepare("SELECT * FROM award_prizes WHERE year=?");
+		$npq2->execute([$currentfairyear]);
 
 		if ($npq2->rowCount() > 0 && $npq1->rowCount() == 0) {
 			echo '<br />';
 			echo notice(i18n('A BUG WAS IDENTIFIED IN YOUR PREVIOUS YEAR ROLLOVER WHICH CAUSED AWARD PRIZES TO NOT BE ROLLED OVER PROPERLY.  THEY ARE NOW BEING RE-ROLLED OVER WITH THE PROPER PRIZE INFORMATION.  THIS WILL ONLY HAPPEN ONCE.')) . '<br />';
-			$stmt = $pdo->prepare("DELETE FROM award_awards WHERE year='$newfairyear'");
-			$stmt->execute();
-			$stmt = $pdo->prepare("DELETE FROM award_prizes WHERE year='$newfairyear'");
-			$stmt->execute();
-			$stmt = $pdo->prepare("DELETE FROM award_contacts WHERE year='$newfairyear'");
-			$stmt->execute();
-			$stmt = $pdo->prepare("DELETE FROM award_types WHERE year='$newfairyear'");
-			$stmt->execute();
-			$stmt = $pdo->prepare("DELETE FROM award_awards_projectcategories WHERE year='$newfairyear'");
-			$stmt->execute();
-			$stmt = $pdo->prepare("DELETE FROM award_awards_projectdivisions WHERE year='$newfairyear'");
-			$stmt->execute();
+			$stmt = $pdo->prepare("DELETE FROM award_awards WHERE year=?");
+			$stmt->execute([$newfairyear]);
+			$stmt = $pdo->prepare("DELETE FROM award_prizes WHERE year=?");
+			$stmt->execute([$newfairyear]);
+			$stmt = $pdo->prepare("DELETE FROM award_contacts WHERE year=?");
+			$stmt->execute([$newfairyear]);
+			$stmt = $pdo->prepare("DELETE FROM award_types WHERE year=?");
+			$stmt->execute([$newfairyear]);
+			$stmt = $pdo->prepare("DELETE FROM award_awards_projectcategories WHERE year=?");
+			$stmt->execute([$newfairyear]);
+			$stmt = $pdo->prepare("DELETE FROM award_awards_projectdivisions WHERE year=?");
+			$stmt->execute([$newfairyear]);
 
 			echo i18n('Rolling awards') . '<br />';
 			// awards
-			$q = $pdo->prepare("SELECT * FROM award_awards WHERE year='$currentfairyear'");
-			$q->execute();
+			$q = $pdo->prepare("SELECT * FROM award_awards WHERE year=?");
+			$q->execute([$currentfairyear]);
 			show_pdo_errors_if_any($pdo);
 			while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 				$stmt = $pdo->prepare("INSERT INTO award_awards (award_sponsors_id,award_types_id,name,criteria,presenter,`order`,year,excludefromac,cwsfaward) VALUES (
-				'" . $r->award_sponsors_id . "',
-				'" . $r->award_types_i . "',
-				'" . $r->name . "',
-				'" . $r->criteria . "',
-				'" . $r->presenter . "',
-				'" . $r->order . "',
-				'" . $newfairyear . "',
-				'" . $r->excludefromac . "',
-				'" . $r->cwsfaward . "')");
+				?,
+				?,
+				?,
+				?,
+				?,
+				?,
+				?,
+				?,
+				?)");
+				$stmt->execute([$r->award_sponsors_id,$r->award_types_i ,$r->name,$r->criteria,$r->presenter,$r->order,$newfairyear,$r->excludefromac,$r->cwsfaward ]);
 				$award_awards_id = $pdo->lastInsertId();
 
-				$q2 = $pdo->prepare("SELECT * FROM award_awards_projectcategories WHERE year='$currentfairyear' AND award_awards_id='$r->id'");
-				$q2->execute();
+				$q2 = $pdo->prepare("SELECT * FROM award_awards_projectcategories WHERE year=? AND award_awards_id=?");
+				$q2->execute([$currentfairyear,$r->id]);
 				show_pdo_errors_if_any($pdo);
 				while ($r2 = $q2->fetch(PDO::FETCH_OBJ)) {
 					$stmt = $pdo->prepare("INSERT INTO award_awards_projectcategories (award_awards_id,projectcategories_id,year) VALUES (
-				'" . $award_awards_id . "',
-				'" . $r2->projectcategories_id . "',
-				'" . $newfairyear . "')");
-					$stmt->execute();
+				?,
+				?,
+				?)");
+					$stmt->execute([$award_awards_id,$r2->projectcategories_id,$newfairyear]);
 				}
 
-				$q2 = $pdo->prepare("SELECT * FROM award_awards_projectdivisions WHERE year='$currentfairyear' AND award_awards_id='$r->id'");
-				$q2->execute();
+				$q2 = $pdo->prepare("SELECT * FROM award_awards_projectdivisions WHERE year=? AND award_awards_id=?");
+				$q2->execute([$currentfairyear,$r->id]);
 				show_pdo_errors_if_any($pdo);
 				while ($r2 = $q2->fetch(PDO::FETCH_OBJ)) {
 					$stmt = $pdo->prepare("INSERT INTO award_awards_projectdivisions (award_awards_id,projectdivisions_id,year) VALUES (
-				'" . $award_awards_id . "',
-				'" . $r2->projectdivisions_id . "',
-				'" . $newfairyear . "')");
-					$stmt->execute();
+				?,
+				?,
+				?");
+					$stmt->execute([$award_awards_id,$r2->projectdivisions_id,$newfairyear]);
 				}
 
 				echo i18n('&nbsp; Rolling award prizes') . '<br />';
-				$q2 = $pdo->prepare("SELECT * FROM award_prizes WHERE year='$currentfairyear' AND award_awards_id='$r->id'");
-				$q2->execute();
+				$q2 = $pdo->prepare("SELECT * FROM award_prizes WHERE year=? AND award_awards_id=?");
+				$q2->execute([$currentfairyear,$r->id]);
 				show_pdo_errors_if_any($pdo);
 				while ($r2 = $q2->fetch(PDO::FETCH_OBJ)) {
 					$stmt = $pdo->prepare("INSERT INTO award_prizes (award_awards_id,cash,scholarship,`value`,prize,number,`order`,year,excludefromac) VALUES (
-				'" . $award_awards_id . "',
-				'" . $r2->cash . "',
-				'" . $r2->scholarship . "',
-				'" . $r2->value . "',
-				'" . $r2->prize . "',
-				'" . $r2->number . "',
-				'" . $r2->order . "',
-				'" . $newfairyear . "',
-				'" . $r2->excludefromac . "')");
+				?,
+				?,
+				?,
+				?,
+				?,
+				?,
+				?,
+				?,
+				?)");
 				}
 			}
-
+			$q2->execute([$award_awards_id,$r2->cash,$r2->scholarship,$r2->value,$r2->prize,$r2->number,$r2->order,$newfairyear,$r2->excludefromac]);
 			echo i18n('Rolling award contacts') . '<br />';
 			// award contacts
-			$q = $pdo->prepare("SELECT * FROM award_contacts WHERE year='$currentfairyear'");
-			$q->execute();
+			$q = $pdo->prepare("SELECT * FROM award_contacts WHERE year=?");
+			$q->execute([$currentfairyear]);
 			show_pdo_errors_if_any($pdo);
 			while ($r = $q->fetch(PDO::FETCH_OBJ))
 				$stmt = $pdo->prepare("INSERT INTO award_contacts (award_sponsors_id,salutation,firstname,lastname,position,email,phonehome,phonework,phonecell,fax,notes,year) VALUES (
-				'" . $r->award_sponsors_id . "',
-				'" . $r->salutation . "',
-				'" . $r->firstname . "',
-				'" . $r->lastname . "',
-				'" . $r->position . "',
-				'" . $r->email . "',
-				'" . $r->phonehome . "',
-				'" . $r->phonework . "',
-				'" . $r->phonecell . "',
-				'" . $r->fax . "',
-				'" . $r->notes . "',
-				'" . $newfairyear . "')");
+				?,
+				?,
+				?,
+				?,
+				?,
+				?,
+				?,
+				?,
+				?,
+				?,
+				?,
+				?)");
 
+			$stmt->execute([$r->award_sponsors_id,$r->salutation,$r->firstname,$r->lastname,$r->position,$r->email,$r->phonehome,$r->phonework,$r->phonecell,$r->fax,$r->notes,$newfairyear]);
 			echo i18n('Rolling award types') . '<br />';
 			// award types
-			$q = $pdo->prepare("SELECT * FROM award_types WHERE year='$currentfairyear'");
-			$q->execute();
+			$q = $pdo->prepare("SELECT * FROM award_types WHERE year=?");
+			$q->execute([$currentfairyear]);
 			show_pdo_errors_if_any($pdo);
 			while ($r = $q->fetch(PDO::FETCH_OBJ))
 				$stmt = $pdo->prepare("INSERT INTO award_types (id,type,`order`,year) VALUES (
-				'" . $r->id . "',
-				'" . $r->type . "',
-				'" . $r->order . "',
-				'" . $newfairyear . "')");
-			$stmt->execute();
+				?,
+				?,
+				?,
+				?)");
+			$stmt->execute([$r->id,$r->type,$r->order,$newfairyear]);
 		}
 	}
 }
diff --git a/admin/schools.php b/admin/schools.php
index 93df26f0..c537d939 100644
--- a/admin/schools.php
+++ b/admin/schools.php
@@ -33,8 +33,8 @@ user_auth_required('committee', 'admin');
 
 if (get_value_from_array($_POST, 'save') == 'edit' || get_value_from_array($_POST, 'save') == 'add') {
 	if (get_value_from_array($_POST, 'save') == 'add') {
-		$q = $pdo->prepare("INSERT INTO schools (year) VALUES ('" . $config['FAIRYEAR'] . "')");
-		$q->execute();
+		$q = $pdo->prepare("INSERT INTO schools (year) VALUES (?)");
+		$q->execute([$config['FAIRYEAR']]);
 		$id = $pdo->lastInsertId();
 	} else
 		$id = intval(get_value_from_array($_POST, 'id'));
@@ -49,8 +49,8 @@ if (get_value_from_array($_POST, 'save') == 'edit' || get_value_from_array($_POS
 	 */
 
 	/* Get the uids for principal/science head */
-	$q = $pdo->prepare("SELECT principal_uid,sciencehead_uid FROM schools WHERE id='$id'");
-	$q->execute();
+	$q = $pdo->prepare("SELECT principal_uid,sciencehead_uid FROM schools WHERE id=?");
+	$q->execute([$id]);
 	$i = $q->fetch(PDO::FETCH_ASSOC);
 
 	$principal_update = '';
@@ -154,31 +154,54 @@ if (get_value_from_array($_POST, 'save') == 'edit' || get_value_from_array($_POS
 		user_save($sh);
 	}
 
-	$exec = 'UPDATE schools SET '
-		. "school='" . get_value_from_array($_POST, 'school') . "', "
-		. "schoollang='" . get_value_from_array($_POST, 'schoollang') . "', "
-		. "designate='" . get_value_from_array($_POST, 'schooldesignate') . "', "
-		. "schoollevel='" . get_value_from_array($_POST, 'schoollevel') . "', "
-		. "school='" . get_value_from_array($_POST, 'school') . "', "
-		. "board='" . get_value_from_array($_POST, 'board') . "', "
-		. "district='" . get_value_from_array($_POST, 'district') . "', "
-		. "address='" . get_value_from_array($_POST, 'address') . "', "
-		. "city='" . get_value_from_array($_POST, 'city') . "', "
-		. "province_code='" . get_value_from_array($_POST, 'province_code') . "', "
-		. "postalcode='" . get_value_from_array($_POST, 'postalcode') . "', "
-		. "schoolemail='" . get_value_from_array($_POST, 'schoolemail') . "', "
-		. "phone='" . get_value_from_array($_POST, 'phone') . "', "
-		. "fax='" . get_value_from_array($_POST, 'fax') . "', "
-		. "registration_password='" . get_value_from_array($_POST, 'registration_password') . "', "
-		. "projectlimit='" . get_value_from_array($_POST, 'projectlimit') . "', "
-		. "projectlimitper='" . get_value_from_array($_POST, 'projectlimitper') . "', "
-		. "accesscode='" . get_value_from_array($_POST, 'accesscode') . "', "
-		. $sciencehead_update . $principal_update
-		. "atrisk='$atrisk' "
-		. "WHERE id='$id'";
-	$stmt = $pdo->prepare($exec);
-	$stmt->execute();
-	show_pdo_errors_if_any($pdo);
+	$exec = 'UPDATE schools SET 
+    school=?, 
+    schoollang=?, 
+    designate=?, 
+    schoollevel=?, 
+    board=?, 
+    district=?, 
+    address=?, 
+    city=?, 
+    province_code=?, 
+    postalcode=?, 
+    schoolemail=?, 
+    phone=?, 
+    fax=?, 
+    registration_password=?, 
+    projectlimit=?, 
+    projectlimitper=?, 
+    accesscode=?, 
+    sciencehead=?, 
+    principal=?, 
+    atrisk=? 
+    WHERE id=?';
+
+$stmt = $pdo->prepare($exec);
+$stmt->execute([
+    get_value_from_array($_POST, 'school'),
+    get_value_from_array($_POST, 'schoollang'),
+    get_value_from_array($_POST, 'designate'), // FIXED: Corrected key name
+    get_value_from_array($_POST, 'schoollevel'),
+    get_value_from_array($_POST, 'board'),
+    get_value_from_array($_POST, 'district'),
+    get_value_from_array($_POST, 'address'),
+    get_value_from_array($_POST, 'city'),
+    get_value_from_array($_POST, 'province_code'),
+    get_value_from_array($_POST, 'postalcode'),
+    get_value_from_array($_POST, 'schoolemail'),
+    get_value_from_array($_POST, 'phone'),
+    get_value_from_array($_POST, 'fax'),
+    get_value_from_array($_POST, 'registration_password'),
+    get_value_from_array($_POST, 'projectlimit'),
+    get_value_from_array($_POST, 'projectlimitper'),
+    get_value_from_array($_POST, 'accesscode'),
+    get_value_from_array($_POST, 'sciencehead'), // FIXED: Using function for consistency
+    get_value_from_array($_POST, 'principal'),
+    get_value_from_array($_POST, 'atrisk'),
+    get_value_from_array($_POST, 'id')
+]);
+
 
 	if (get_value_from_array($_POST, 'save') == 'add')
 		$notice = 'added';
@@ -187,24 +210,24 @@ if (get_value_from_array($_POST, 'save') == 'edit' || get_value_from_array($_POS
 }
 
 if (get_value_from_array($_GET, 'action') == 'delete' && get_value_from_array($_GET, 'delete', '')) {
-	$stmt = $pdo->prepare("DELETE FROM schools WHERE id='" . $_GET['delete'] . "'");
-	$stmt->execute();
+	$stmt = $pdo->prepare("DELETE FROM schools WHERE id=?");
+	$stmt->execute([$_GET['delete']]);
 	$notice = 'deleted';
 }
 
 if (get_value_from_array($_GET, 'action') == 'clearaccesscodes') {
-	$stmt = $pdo->prepare("UPDATE schools SET accesscode=NULL WHERE year='{$config['FAIRYEAR']}'");
-	$stmt->execute();
+	$stmt = $pdo->prepare("UPDATE schools SET accesscode=NULL WHERE year=?");
+	$stmt->execute([$config['FAIRYEAR']]);
 	$notice = 'clearaccess';
 }
 
 if (get_value_from_array($_GET, 'action') == 'makeaccesscodes') {
-	$q = $pdo->prepare("SELECT id FROM schools WHERE year='{$config['FAIRYEAR']}' AND (accesscode IS NULL OR accesscode='')");
-	$q->execute();
+	$q = $pdo->prepare("SELECT id FROM schools WHERE year=? AND (accesscode IS NULL OR accesscode='')");
+	$q->execute([$config['FAIRYEAR']]);
 	while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 		$ac = generatePassword(5);
-		$stmt = $pdo->prepare("UPDATE schools SET accesscode='$ac' WHERE id='$r->id' AND year='{$config['FAIRYEAR']}'");
-		$stmt->execute();
+		$stmt = $pdo->prepare("UPDATE schools SET accesscode=? WHERE id=? AND year=?");
+		$stmt->execute([$ac,$r->id,$config['FAIRYEAR']]);
 	}
 	$notice = 'makeaccess';
 }
@@ -217,8 +240,8 @@ if (get_value_from_array($_GET, 'action') == 'edit' || get_value_from_array($_GE
 		'schools_management');
 	if (get_value_from_array($_GET, 'action') == 'edit') {
 		$buttontext = 'Save School';
-		$q = $pdo->prepare("SELECT * FROM schools WHERE id='" . get_value_from_array($_GET, 'edit', '') . "'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT * FROM schools WHERE id=?");
+		$q->execute([get_value_from_array($_GET, 'edit', '')]);
 		$r = $q->fetch(PDO::FETCH_OBJ);
 	} else if (get_value_from_array($_GET, 'action') == 'add') {
 		$buttontext = 'Add School';
@@ -371,8 +394,8 @@ if (get_value_from_array($_GET, 'action') == 'edit' || get_value_from_array($_GE
 	echo ' <th>' . i18n('Action') . '</th>';
 	echo "</tr></thead>\n";
 
-	$q = $pdo->prepare("SELECT * FROM schools WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY school");
-	$q->execute();
+	$q = $pdo->prepare("SELECT * FROM schools WHERE year=? ORDER BY school");
+	$q->execute([$config['FAIRYEAR']]);
 	while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 		echo "<tr>\n";
 		echo " <td>$r->school</td>\n";
diff --git a/admin/schoolsimport.php b/admin/schoolsimport.php
index 7c76c5b9..918d4c56 100644
--- a/admin/schoolsimport.php
+++ b/admin/schoolsimport.php
@@ -49,8 +49,8 @@ if (get_value_from_array($_POST, 'action') == 'import') {
 			// okay it looks like we have something.. lets dump the current stuff
 			if ($_POST['emptycurrent'] == 1) {
 				echo happy(i18n('Old school data erased'));
-				$stmt = $pdo->prepare("DELETE FROM schools WHERE year='" . $config['FAIRYEAR'] . "'");
-				$stmt->execute();
+				$stmt = $pdo->prepare("DELETE FROM schools WHERE year=?");
+				$stmt->execute([$config['FAIRYEAR']]);
 			}
 
 			$loaded = 0;
@@ -87,26 +87,29 @@ if (get_value_from_array($_POST, 'action') == 'import') {
 					user_save($principal);
 				}
 				$stmt = $pdo->prepare("INSERT INTO schools (school,schoollang,schoollevel,board,district,phone,fax,address,city,province_code,postalcode,schoolemail,accesscode,registration_password,projectlimit,projectlimitper,year,principal_uid,sciencehead_uid) VALUES (
-						'" . stripslashes($row[0]) . "',
-						'" . stripslashes($row[1]) . "',
-						'" . stripslashes($row[2]) . "',
-						'" . stripslashes($row[3]) . "',
-						'" . stripslashes($row[4]) . "',
-						'" . stripslashes($row[5]) . "',
-						'" . stripslashes($row[6]) . "',
-						'" . stripslashes($row[7]) . "',
-						'" . stripslashes($row[8]) . "',
-						'" . stripslashes($row[9]) . "',
-						'" . stripslashes($row[10]) . "',
-						'" . stripslashes($row[14]) . "',
-						'" . stripslashes($row[18]) . "',
-						'" . stripslashes($row[19]) . "',
-						'" . stripslashes($row[20]) . "',
-						'" . stripslashes($row[21]) . "',
-						'" . $config['FAIRYEAR'] . "',
-						'" . $principal['uid'] . "',
-						'" . $scienceHead['uid'] . "')");
-				$stmt->execute();
+						?,
+						?,
+						?,
+						?,
+						?,
+						?,
+						?,
+						?,
+						?,
+						?,
+						?,
+						?,
+						?,
+						?,
+						?,
+						?,
+						?,
+						?,
+						?)");
+				$stmt->execute([stripslashes($row[0]),stripslashes($row[1],stripslashes($row[2]),stripslashes($row[3])),
+				stripslashes($row[4]),stripslashes($row[5]),stripslashes($row[6]),stripslashes($row[7]),stripslashes($row[8]),
+				stripslashes($row[9]),stripslashes($row[10]),stripslashes($row[14]),stripslashes($row[18]),stripslashes($row[19]),
+				stripslashes($row[20]),stripslashes($row[21]),$config['FAIRYEAR'],$principal['uid'],$scienceHead['uid']]);
 				if (!$pdo->errorInfo())
 					$loaded++;
 				else
diff --git a/admin/send_emailqueue.php b/admin/send_emailqueue.php
index 2f022089..c02e7ad5 100644
--- a/admin/send_emailqueue.php
+++ b/admin/send_emailqueue.php
@@ -44,8 +44,8 @@ if (!$config['emailqueue_lock']) {
 		$q->execute();
 		if ($q->rowCount()) {
 			$r = $q->fetch(PDO::FETCH_OBJ);
-			$eq = $pdo->prepare("SELECT * FROM emailqueue WHERE id='$r->emailqueue_id'");
-			$eq->execute();
+			$eq = $pdo->prepare("SELECT * FROM emailqueue WHERE id=?");
+			$eq->execute([$r->emailqueue_id]);
 			$email = $eq->fetch(PDO::FETCH_OBJ);
 
 			$blank = array();
@@ -73,31 +73,31 @@ if (!$config['emailqueue_lock']) {
 			$result = email_send_new($to, $email->from, $email->subject, $body, $bodyhtml);
 
 			if ($result) {
-				$stmt = $pdo->prepare("UPDATE emailqueue_recipients SET sent=NOW(), `result`='ok' WHERE id='$r->id'");
-				$stmt->execute();
+				$stmt = $pdo->prepare("UPDATE emailqueue_recipients SET sent=NOW(), `result`='ok' WHERE id=?");
+				$stmt->execute([$r->id]);
 				show_pdo_errors_if_any($pdo);
 				$newnumsent = $email->numsent + 1;
-				$stmt = $pdo->prepare("UPDATE emailqueue SET numsent=$newnumsent WHERE id='$email->id'");
-				$stmt->execute();
+				$stmt = $pdo->prepare("UPDATE emailqueue SET numsent=? WHERE id=?");
+				$stmt->execute([$newnumsent,$email->id]);
 				show_pdo_errors_if_any($pdo);
 				echo "ok\n";
 			} else {
-				$stmt = Spdo->prepare("UPDATE emailqueue_recipients SET `sent`=NOW(), `result`='failed' WHERE id='$r->id'");
-				$stmt->execute();
+				$stmt = $pdo->prepare("UPDATE emailqueue_recipients SET `sent`=NOW(), `result`='failed' WHERE id=?");
+				$stmt->execute([$r->id]);
 				show_pdo_errors_if_any($pdo);
 				$newnumfailed = $email->numfailed + 1;
-				$stmt = $pdo->prepare("UPDATE emailqueue SET numfailed=$newnumfailed WHERE id='$email->id'");
-				$stmt->execute();
+				$stmt = $pdo->prepare("UPDATE emailqueue SET numfailed=? WHERE id=?");
+				$stmt->execute([$newnumfailed,$email->id]);
 				show_pdo_errors_if_any($pdo);
 				echo "failed\n";
 			}
 			// now check if we're done yet
-			$rq = $pdo->prepare("SELECT COUNT(*) AS num FROM emailqueue_recipients WHERE sent IS NULL AND emailqueue_id='$email->id'");
-			$rq->execute();
+			$rq = $pdo->prepare("SELECT COUNT(*) AS num FROM emailqueue_recipients WHERE sent IS NULL AND emailqueue_id=?");
+			$rq->execute([$email->id]);
 			$rr = $rq->fetch(PDO::FETCH_OBJ);
 			if ($rr->num == 0) {
-				$stmt = $pdo->prepare("UPDATE emailqueue SET finished=NOW() WHERE id='$email->id'");
-				$stmt->execute();
+				$stmt = $pdo->prepare("UPDATE emailqueue SET finished=NOW() WHERE id=?");
+				$stmt->execute([$email->id]);
 			}
 			usleep(rand($sleepmin, $sleepmax));
 		} else
diff --git a/admin/settranslation.php b/admin/settranslation.php
index 74ab2f2f..0494b490 100644
--- a/admin/settranslation.php
+++ b/admin/settranslation.php
@@ -38,19 +38,19 @@ foreach ($config['languages'] AS $l => $ln) {
     $m = md5($_POST['translate_str_hidden']);
 
     if ($_POST['translate_' . $l]) {
-        $q = $pdo->prepare("SELECT * FROM translations WHERE lang='$l' AND strmd5='$m'");
-        $q->execute();
+        $q = $pdo->prepare("SELECT * FROM translations WHERE lang=? AND strmd5=?");
+        $q->execute([$l,$m]);
 
         if ($q->rowCount()) {
-            $stmt = $pdo->prepare("UPDATE translations SET val='" . iconv('UTF-8', 'ISO-8859-1', stripslashes($_POST['translate_' . $l])) . "' WHERE lang='$l' AND strmd5='$m'");
-            $stmt->execute();
+            $stmt = $pdo->prepare("UPDATE translations SET val=? WHERE lang=? AND strmd5=?");
+            $stmt->execute([iconv('UTF-8', 'ISO-8859-1', stripslashes($_POST['translate_' . $l])),$l,$m]);
         } else {
-            $stmt = $pdo->prepare("INSERT INTO translations (lang,strmd5,str,val) VALUES ('$l','$m','" . iconv('UTF-8', 'ISO-8859-1', stripslashes($_POST['translate_str_hidden'])) . "','" . iconv('UTF-8', 'ISO-8859-1', stripslashes($_POST['translate_' . $l])) . "')");
-            $stmt->execute();
+            $stmt = $pdo->prepare("INSERT INTO translations (lang,strmd5,str,val) VALUES (?,?,?,?)");
+            $stmt->execute([$l,$m,iconv('UTF-8', 'ISO-8859-1', stripslashes($_POST['translate_str_hidden'])),iconv('UTF-8', 'ISO-8859-1', stripslashes($_POST['translate_' . $l]))]);
         }
     } else {
-        $stmt = $pdo->prepare("DELETE FROM translations WHERE lang='$l' AND strmd5='$m'");
-        $stmt->execute();
+        $stmt = $pdo->prepare("DELETE FROM translations WHERE lang=? AND strmd5=?");
+        $stmt->execute([$l,$m]);
     }
 }
 echo 'ok';
diff --git a/admin/sponsor_contacts.php b/admin/sponsor_contacts.php
index b92a94bf..8af6e8c3 100644
--- a/admin/sponsor_contacts.php
+++ b/admin/sponsor_contacts.php
@@ -73,11 +73,11 @@ if ($sponsors_id) {
 							FROM users_sponsor, users 
 							WHERE
 							users_sponsor.users_id=users.id
-							AND sponsors_id='$sponsors_id'
+							AND sponsors_id=?
 							AND `primary`='yes'
-							AND year='" . $config['FAIRYEAR'] . "'
-							AND users_id!='$id'");
-			$q->execute();
+							AND year=?
+							AND users_id!=?");
+			$q->execute([$sponsors_id,$config['FAIRYEAR'],$id]);
 			if ($q->rowCount() == 0) {
 				/* This must be the primary */
 				$p = 'yes';
@@ -85,8 +85,8 @@ if ($sponsors_id) {
 		} else {
 			/* Unset all other primaries */
 			$stmt = $pdo->prepare("UPDATE users_sponsor SET `primary`='no'
-						WHERE  sponsors_id='$sponsors_id'");
-			$stmt->execute();
+						WHERE  sponsors_id=?");
+			$stmt->execute([$sponsors_id]);
 		}
 
 		$u['primary'] = $p;
@@ -162,11 +162,11 @@ if ($sponsors_id) {
 		echo '<br />';
 
 		$q = $pdo->prepare("SELECT * FROM users LEFT JOIN users_sponsor ON users_sponsor.users_id=users.id
-				\t WHERE year='" . $config['FAIRYEAR'] . "' 
-				\t AND sponsors_id='$sponsors_id' 
+				\t WHERE year=? 
+				\t AND sponsors_id=? 
 				\t AND deleted='no' 
 				\t ORDER BY lastname,firstname");
-		$q->execute();
+		$q->execute([$config['FAIRYEAR'],$sponsors_id]);
 		show_pdo_errors_if_any($pdo);
 
 		if ($q->rowCount()) {
diff --git a/admin/student_editor.php b/admin/student_editor.php
index 014f9ffd..e68aac03 100644
--- a/admin/student_editor.php
+++ b/admin/student_editor.php
@@ -44,10 +44,10 @@ if ($auth_type == 'fair') {
 		/* Make sure they have permission to laod this student, check
 		the master copy of the fairs_id in the project */
 		$q = $pdo->prepare("SELECT * FROM projects WHERE 
-				registrations_id='$registrations_id' 
-				AND year='{$config['FAIRYEAR']}'
-				AND fairs_id=$fairs_id");
-		$q->execute();
+				registrations_id=? 
+				AND year=?
+				AND fairs_id=?");
+		$q->execute([$registrations_id,$config['FAIRYEAR'],$fairs_id]);
 		if ($q->rowCount() != 1) {
 			echo 'permission denied.';
 			exit;
@@ -75,8 +75,8 @@ switch ($action) {
 
 	case 'student_remove':
 		$remove_id = intval($_GET['students_id']);
-		$q = $pdo->prepare("SELECT id FROM students WHERE id='$remove_id' AND registrations_id='$registrations_id'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT id FROM students WHERE id=? AND registrations_id=?");
+		$q->execute([$remove_id,$registrations_id]);
 		if ($q->rowCount() != 1) {
 			error_('Invalid student to remove');
 			exit;
@@ -86,42 +86,42 @@ switch ($action) {
 			exit;
 		}
 
-		$stmt = $pdo->prepare("DELETE FROM students WHERE id='$remove_id' AND registrations_id='$registrations_id'");
-		$stmt->execute();
+		$stmt = $pdo->prepare("DELETE FROM students WHERE id=? AND registrations_id=?");
+		$stmt->execute([$remove_id,$registrations_id]);
 
 		// now see if they have an emergency contact that also needs to be removed
-		$q = $pdo->prepare("SELECT id FROM emergencycontact WHERE students_id='$remove_id' AND registrations_id='$registrations_id' AND year='{$config['FAIRYEAR']}'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT id FROM emergencycontact WHERE students_id=? AND registrations_id=? AND year=?");
+		$q->execute([$remove_id,$registrations_id,$config['FAIRYEAR']]);
 		// no need to error message if this doesnt exist
 		if ($q->rowCount() == 1)
-			$stmt = $do->prepare("DELETE FROM emergencycontact WHERE students_id='$remove_id' AND registrations_id='$registrations_id' AND year='{$config['FAIRYEAR']}'");
-		$stmt->execute();
+			$stmt = $do->prepare("DELETE FROM emergencycontact WHERE students_id=? AND registrations_id=? AND year=?");
+		$stmt->execute([$remove_id,$registrations_id,$config['FAIRYEAR']]);
 		if ($q->rowCount() != 1) {
 			error_('Invalid student to remove');
 			exit;
 		}
 
-		$stmt = $pdo->prepare("DELETE FROM students WHERE id='$remove_id' AND registrations_id='$registrations_id'");
-		$stmt->execute();
+		$stmt = $pdo->prepare("DELETE FROM students WHERE id=? AND registrations_id=?");
+		$stmt->execute([$remove_id,$registrations_id]);
 
 		// now see if they have an emergency contact that also needs to be removed
-		$q = $pdo->prepare("SELECT id FROM emergencycontact WHERE students_id='$remove_id' AND registrations_id='$registrations_id' AND year='{$config['FAIRYEAR']}'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT id FROM emergencycontact WHERE students_id=? AND registrations_id=? AND year=?");
+		$q->execute([$remove_id,$registrations_id,$config['FAIRYEAR']]);
 		// no need to error message if this doesnt exist
 		if ($q->rowCount() == 1)
-			$stmt = $do->prepare("DELETE FROM emergencycontact WHERE students_id='$remove_id' AND registrations_id='$registrations_id' AND year='{$config['FAIRYEAR']}'");
-		$stmt->execute();
+			$stmt = $do->prepare("DELETE FROM emergencycontact WHERE students_id=? AND registrations_id=? AND year=?");
+		$stmt->execute([$remove_id,$registrations_id,$config['FAIRYEAR']]);
 
-		$stmt = $pdo->prepare("DELETE FROM students WHERE id='$remove_id' AND registrations_id='$registrations_id'");
-		$stmt->execute();
+		$stmt = $pdo->prepare("DELETE FROM students WHERE id=? AND registrations_id=?");
+		$stmt->execute([$remove_id,$registrations_id]);
 
 		// now see if they have an emergency contact that also needs to be removed
-		$q = $pdo->prepare("SELECT id FROM emergencycontact WHERE students_id='$remove_id' AND registrations_id='$registrations_id' AND year='{$config['FAIRYEAR']}'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT id FROM emergencycontact WHERE students_id=? AND registrations_id=? AND year=?");
+		$q->execute([$remove_id,$registrations_id,$config['FAIRYEAR']]);
 		// no need to error message if this doesnt exist
 		if ($q->rowCount() == 1)
-			$stmt = $do->prepare("DELETE FROM emergencycontact WHERE students_id='$remove_id' AND registrations_id='$registrations_id' AND year='{$config['FAIRYEAR']}'");
-		$stmt->execute();
+			$stmt = $do->prepare("DELETE FROM emergencycontact WHERE students_id=? AND registrations_id=? AND year=?");
+		$stmt->execute([$remove_id,$registrations_id,$config['FAIRYEAR']]);
 		happy_('Student successfully removed');
 		exit;
 
@@ -141,8 +141,8 @@ function students_save()
 		if ($_POST['id'][$x] == 0) {
 			// if they use schoolpassword or singlepassword, then we need to set the school based on the school stored in the registration record.  for anything else they can choose the school on their own.
 			if ($config['participant_registration_type'] == 'schoolpassword' || $config['participant_registration_type'] == 'invite') {
-				$q = $pdo->prepare("SELECT schools_id FROM registrations WHERE id='$registrations_id' AND YEAR='{$config['FAIRYEAR']}'");
-				$q->execute();
+				$q = $pdo->prepare("SELECT schools_id FROM registrations WHERE id=? AND YEAR=?");
+				$q->execute([$registrations_id,$config['FAIRYEAR']]);
 				$r = $q->fetch(PDO::FETCH_OBJ);
 				$schools_id = $r->schools_id;
 				$schoolvalue = "'$schools_id', ";
@@ -151,26 +151,34 @@ function students_save()
 			}
 			// INSERT new record
 			$dob = $_POST['year'][$x] . '-' . $_POST['month'][$x] . '-' . $_POST['day'][$x];
-			$stmt = $pdo->prepare('INSERT INTO students (registrations_id,firstname,lastname,sex,email,address,city,province,postalcode,phone,dateofbirth,grade,schools_id,tshirt,medicalalert,foodreq,teachername,teacheremail,year) VALUES ('
-				. "'" . $registrations_id . "', "
-				. "'" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['firstname'][$x])) . "', "
-				. "'" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['lastname'][$x])) . "', "
-				. "'" . stripslashes($_POST['sex'][$x]) . "', "
-				. "'" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['email'][$x])) . "', "
-				. "'" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['address'][$x])) . "', "
-				. "'" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['city'][$x])) . "', "
-				. "'" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['province'][$x])) . "', "
-				. "'" . stripslashes($_POST['postalcode'][$x]) . "', "
-				. "'" . stripslashes($_POST['phone'][$x]) . "', "
-				. "'$dob', "
-				. "'" . stripslashes($_POST['grade'][$x]) . "', "
-				. $schoolvalue
-				. "'" . stripslashes($_POST['tshirt'][$x]) . "', "
-				. "'" . stripslashes($_POST['medicalalert'][$x]) . "', "
-				. "'" . stripslashes($_POST['foodreq'][$x]) . "', "
-				. "'" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['teachername'][$x])) . "', "
-				. "'" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['teacheremail'][$x])) . "', "
-				. "'" . $config['FAIRYEAR'] . "')");
+			$stmt = $pdo->prepare('INSERT INTO students (registrations_id,firstname,lastname,sex,email,address,city,province,postalcode,phone,dateofbirth,grade,schools_id,tshirt,medicalalert,foodreq,teachername,teacheremail,year) VALUES (
+				?, 
+				?, 
+				?, 
+				?, 
+				?,
+				?,
+				?,
+				?, 
+				?,
+				?,
+				?,
+				?,
+				?,
+				?,
+				?,
+				?,
+				?,
+				?,
+				?)');
+			$stmt->execute([$registrations_id,iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['firstname'][$x])),
+			iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['lastname'][$x])),stripslashes($_POST['sex'][$x]),
+			iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['email'][$x])),iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['address'][$x])),
+			iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['city'][$x])),iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['province'][$x])),
+			stripslashes($_POST['postalcode'][$x]),stripslashes($_POST['phone'][$x]),$dob,stripslashes($_POST['grade'][$x]),
+			$schoolvalue,stripslashes($_POST['tshirt'][$x]),stripslashes($_POST['medicalalert'][$x]),stripslashes($_POST['foodreq'][$x]),
+			iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['teachername'][$x])),iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['teacheremail'][$x])),
+			$config['FAIRYEAR']]);
 
 			happy_('%1 %2 successfully added', array($_POST['firstname'][$x], $_POST['lastname'][$x]));
 		} else {
@@ -184,26 +192,47 @@ function students_save()
 
 			// UPDATE existing record
 			$dob = $_POST['year'][$x] . '-' . $_POST['month'][$x] . '-' . $_POST['day'][$x];
-			$stmt = $pdo->prepare('UPDATE students SET '
-				. "firstname='" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['firstname'][$x])) . "', "
-				. "lastname='" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['lastname'][$x])) . "', "
-				. "sex='" . stripslashes($_POST['sex'][$x]) . "', "
-				. "email='" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['email'][$x])) . "', "
-				. "address='" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['address'][$x])) . "', "
-				. "city='" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['city'][$x])) . "', "
-				. "province='" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['province'][$x])) . "', "
-				. "postalcode='" . stripslashes($_POST['postalcode'][$x]) . "', "
-				. "phone='" . stripslashes($_POST['phone'][$x]) . "', "
-				. "dateofbirth='$dob', "
-				. "grade='" . stripslashes($_POST['grade'][$x]) . "', "
-				. $schoolquery
-				. "medicalalert='" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['medicalalert'][$x])) . "', "
-				. "foodreq='" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['foodreq'][$x])) . "', "
-				. "teachername='" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['teachername'][$x])) . "', "
-				. "teacheremail='" . iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['teacheremail'][$x])) . "', "
-				. "tshirt='" . stripslashes($_POST['tshirt'][$x]) . "' "
-				. "WHERE id='" . $_POST['id'][$x] . "'");
-			$stmt->execute();
+			$stmt = $pdo->prepare('UPDATE students SET 
+				firstname=?, 
+				lastname=?, 
+				sex=?, 
+				email=?, 
+				address=?, 
+				city=?, 
+				province=?, 
+				postalcode=?, 
+				phone=?, 
+				dateofbirth=?, 
+				grade=?, 
+				schoolquery=?, 
+				medicalalert=?, 
+				foodreq=?, 
+				teachername=?, 
+				teacheremail=?, 
+				tshirt=? 
+				WHERE id=?');
+
+			$stmt->execute([
+				iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['firstname'][$x])),
+				iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['lastname'][$x])),
+				stripslashes($_POST['sex'][$x]),
+				iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['email'][$x])),
+				iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['address'][$x])),
+				iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['city'][$x])),
+				iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['province'][$x])),
+				stripslashes($_POST['postalcode'][$x]),
+				stripslashes($_POST['phone'][$x]),
+				$dob,
+				stripslashes($_POST['grade'][$x]),
+				$schoolquery,  
+				stripslashes($_POST['medicalalert'][$x]),
+				stripslashes($_POST['foodreq'][$x]),
+				iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['teachername'][$x])),
+				iconv('UTF-8', 'ISO-8859-1//TRANSLIT', stripslashes($_POST['teacheremail'][$x])),
+				stripslashes($_POST['tshirt'][$x]),
+				$_POST['id'][$x]
+			]);
+
 			happy_('%1 %2 successfully updated', array(iconv('UTF-8', 'ISO-8859-1//TRANSLIT', $_POST['firstname'][$x]), iconv('UTF-8', 'ISO-8859-1//TRANSLIT', $_POST['lastname'][$x])));
 		}
 		$x++;
@@ -216,9 +245,9 @@ function students_load()
 
 	// now query and display
 	$q = $pdo->prepare("SELECT * FROM students WHERE
-				registrations_id='$registrations_id' 
-				AND year='{$config['FAIRYEAR']}'");
-	$q->execute();
+				registrations_id=? 
+				AND year=?");
+	$q->execute([$registrations_id,$config['FAIRYEAR']]);
 	show_pdo_errors_if_any($pdo);
 
 	$numfound = $q->rowCount();
@@ -405,8 +434,8 @@ function students_load()
 		echo "<tr>\n";
 		echo ' <td>' . i18n('School') . '</td><td colspan="3">';
 		if ($config['participant_registration_type'] == 'open' || $config['participant_registration_type'] == 'singlepassword' || $config['participant_registration_type'] == 'openorinvite' || ($studentinfo && !$studentinfo->schools_id)) {
-			$schoolq = $pdo->prepare("SELECT id,school,city FROM schools WHERE year='" . $config['FAIRYEAR'] . "' ORDER by city,school");
-			$schoolq->execute();
+			$schoolq = $pdo->prepare("SELECT id,school,city FROM schools WHERE year=? ORDER by city,school");
+			$schoolq->execute([$config['FAIRYEAR']]);
 			echo "<select name=\"schools_id[$x]\">\n";
 			echo '<option value="">' . i18n('Choose School') . "</option>\n";
 			while ($r = $schoolq->fetch(PDO::FETCH_OBJ)) {
@@ -418,8 +447,8 @@ function students_load()
 			}
 			echo '</select>' . REQUIREDFIELD;
 		} else {
-			$schoolq = $pdo->prepare("SELECT id,school FROM schools WHERE year='" . $config['FAIRYEAR'] . "' AND id='$studentinfo->schools_id'");
-			$schoolq->execute();
+			$schoolq = $pdo->prepare("SELECT id,school FROM schools WHERE year=? AND id=?");
+			$schoolq->execute([$config['FAIRYEAR'],$studentinfo->schools_id]);
 			$r = $schoolq->fetch(PDO::FETCH_OBJ);
 			echo $r->school;
 		}
@@ -471,23 +500,23 @@ function registration_load()
 		/* Find a reg num */
 		do {
 			$regnum = rand(100000, 999999);
-			$q = $pdo->prepare("SELECT * FROM registrations WHERE num='$regnum' AND year={$config['FAIRYEAR']}");
-			$q->execute();
+			$q = $pdo->prepare("SELECT * FROM registrations WHERE num=? AND year=?");
+			$q->execute([$regnum,$config['FAIRYEAR']]);
 		} while ($q->rowCount() > 0);
 
 		$r['num'] = $regnum;
 		echo notice(i18n('New registration number generated.'));
 		echo notice(i18n('This new registration will added when the "Save Registration Information" button is pressed below.  At that time the other tabs will become available.'));
 	} else {
-		$q = $pdo->prepare("SELECT * FROM registrations WHERE id='$registrations_id'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT * FROM registrations WHERE id=?");
+		$q->execute([$registrations_id]);
 		if ($q->rowCount() != 1)
 			$r = array();
 		else {
 			$r = $q->fetch(PDO::FETCH_ASSOC);
 			/* Get the fair from the project */
-			$q = $pdo->prepare("SELECT fairs_id FROM projects WHERE registrations_id='$registrations_id'");
-			$q->execute();
+			$q = $pdo->prepare("SELECT fairs_id FROM projects WHERE registrations_id=?");
+			$q->execute([$registrations_id]);
 			if ($q->rowCount() == 1) {
 				$p = $q->fetch(PDO::FETCH_ASSOC);
 				$r['fairs_id'] = $p['fairs_id'];
@@ -569,30 +598,30 @@ function registration_save()
 
 	if ($registrations_id == -1) {
 		$stmt = $pdo->prepare("INSERT INTO registrations (start,schools_id,year) VALUES (
-					NOW(), NULL, '{$config['FAIRYEAR']}')");
-		$stmt->execute();
+					NOW(), NULL,?)");
+		$stmt->execute([$config['FAIRYEAR']]);
 		$registrations_id = $pdo->lastInsertId();
 
 		/* Create one student and a project */
 		$stmt = $pdo->prepare("INSERT INTO students (registrations_id,email,year) VALUES (
 		
-					$registrations_id, '$registration_email', '{$config['FAIRYEAR']}')");
-		$stmt->execute();
+					?,?,?)");
+		$stmt->execute([$registrations_id,$registration_email,$config['FAIRYEAR']]);
 		$stmt = $pdo->prepare("INSERT INTO projects (registrations_id,year) VALUES (
 		
-					$registrations_id, '{$config['FAIRYEAR']}')");
-		$stmt->execute();
+					?,?)");
+		$stmt->execute([$registrations_id,$config['FAIRYEAR']]);
 		happy_('Created student and project record');
 	}
 
 	/* Update registration */
 	$stmt = $pdo->prepare("UPDATE registrations SET 
-					num='$registration_num',
-					status='$registration_status',
-					email='$registration_email'
+					num=?,
+					status=?,
+					email=?
 				WHERE 
-					id='$registrations_id'");
-	$stmt->execute();
+					id=?");
+	$stmt->execute([$registration_num,$registration_status,$registration_email,$registrations_id]);
 	show_pdo_errors_if_any($pdo);
 
 	/*
@@ -602,10 +631,10 @@ function registration_save()
 	if ($auth_type == 'fair')
 		$fairs_id = $_SESSION['fairs_id'];
 	$stmt = $pdo->prepare("UPDATE projects SET 
-					fairs_id='$fairs_id'
+					fairs_id=?
 				WHERE 
-					registrations_id='$registrations_id'");
-	$stmt->execute();
+					registrations_id=?");
+	$stmt->execute([$fairs_id,$registrations_id]);
 	show_pdo_errors_if_any($pdo);
 	happy_('Information Saved');
 	echo '<script language="javascript" type="text/javascript">';
diff --git a/admin/tours_assignments.php b/admin/tours_assignments.php
index 8a30970e..683f9a45 100644
--- a/admin/tours_assignments.php
+++ b/admin/tours_assignments.php
@@ -33,9 +33,9 @@ user_auth_required('committee', 'admin');
 
 /* Load Tours */
 $query = "SELECT * FROM tours WHERE 
-		year='{$config['FAIRYEAR']}'";
+		year=?";
 $r = $pdo->prepare($query);
-$r->execute();
+$r->execute([$config['FAIRYEAR']]);
 $tours = array();
 while ($i = $r->fetch(PDO::FETCH_OBJ)) {
 	$tours[$i->id]['name'] = $i->name;
@@ -45,20 +45,20 @@ while ($i = $r->fetch(PDO::FETCH_OBJ)) {
 if (get_value_from_array($_GET, 'action') == 'info') {
 	$sid = intval($_GET['id']);
 
-	$query = "SELECT * FROM students WHERE id='$sid'
-			AND year='{$config['FAIRYEAR']}'";
+	$query = "SELECT * FROM students WHERE id=?
+			AND year=?";
 	$r = $pdo->prepare($query);
-	$r->execute();
+	$r->execute([$sid,$config['FAIRYEAR']]);
 	$i = $r->fetch(PDO::FETCH_OBJ);
 
 	send_popup_header(i18n('Student Tour Rank Information - %1 %2',
 		array($i->firstname, $i->lastname)));
 	$query = "SELECT * FROM tours_choice
-				WHERE students_id='$sid'
-				AND year='{$config['FAIRYEAR']}'
+				WHERE students_id=?
+				AND year=?
 				ORDER BY rank";
 	$r = $pdo->prepare($query);
-	$r->execute();
+	$r->execute([$sid,$config['FAIRYEAR']]);
 	echo '<table>';
 	$count = $r->rowwCount();
 	while ($i = $r->fetch(PDO::FETCH_OBJ)) {
@@ -157,25 +157,25 @@ if (get_value_from_array($_POST, 'action') == 'add' && $tours_id != 0 && count($
 		$sid = intval($sid);
 
 		$q = $pdo->prepare("SELECT registrations_id FROM students 
-					WHERE id='$sid'");
-		$q->execute();
+					WHERE id=?");
+		$q->execute([$sid]);
 		$i = $q->fetch(PDO::FETCH_OBJ);
 		$rid = $i->registrations_id;
 
 		/* Delete any old linking */
 		$stmt = $pdo->prepare("DELETE FROM tours_choice WHERE
-					students_id='$sid' AND
-					year='{$config['FAIRYEAR']}' AND
+					students_id=? AND
+					year=? AND
 					rank='0'");
-		$stmt->execute();
+		$stmt->execute([$sid,$config['FAIRYEAR']]);
 		/* Connect this student to this tour */
 		$stmt = $pdo->prepare("INSERT INTO tours_choice 
 					(`students_id`,`registrations_id`,
 						`tour_id`,`year`,`rank`)
 					VALUES (
-					'$sid', '$rid', '$tours_id',
-					'{$config['FAIRYEAR']}','0')");
-		$stmt->execute();
+					?,?,?,
+					?,'0')");
+		$stmt->execute([$sid,$rid,$tours_id,$config['FAIRYEAR']]);
 		$added++;
 	}
 	if ($added == 1)
@@ -193,20 +193,20 @@ $students_id = intval(get_value_from_array($_GET, 'students_id'));
 
 if (get_value_from_array($_GET, 'action') == 'del' && $tours_id > 0 && $students_id > 0) {
 	$stmt = $pdo->prepare("DELETE FROM tours_choice 
-				WHERE students_id='$students_id' 
-				AND year='{$config['FAIRYEAR']}'
+				WHERE students_id=? 
+				AND year=?
 				AND rank='0'");
-	$stmt->execute();
+	$stmt->execute([$students_id,$config['FAIRYEAR']]);
 
 	echo happy(i18n('Removed student from tour #%1 (%2)', array($tours[$tours_id]['num'], $tours[$tours_id]['name'])));
 }
 
 if (get_value_from_array($_GET, 'action') == 'empty' && $tours_id > 0) {
 	$stmt = $po->prepare("DELETE FROM tours_choice WHERE 
-				tour_id='$tours_id'
-				AND year='{$config['FAIRYEAR']}'
+				tour_id=?
+				AND year=?
 				AND rank='0'");
-	$stmt->execute();
+	$stmt->execute([$tours_id,$config['FAIRYEAR']]);
 	echo happy(i18n('Emptied all students from tour #%1 (%2)', array($tours[$tours_id]['num'], $tours[$tours_id]['name'])));
 }
 
@@ -243,8 +243,8 @@ $querystr = "SELECT \tstudents.firstname, students.lastname,
 				LEFT JOIN tours_choice ON (tours_choice.students_id=students.id AND tours_choice.rank=0)
 				LEFT JOIN registrations ON registrations.id=students.registrations_id
 			WHERE 
-				students.year='{$config['FAIRYEAR']}' AND
-				(tours_choice.year='{$config['FAIRYEAR']}' OR
+				students.year=? AND
+				(tours_choice.year=? OR
 			\t tours_choice.year IS NULL) AND
 				registrations.status='complete'
 			ORDER BY 
@@ -253,7 +253,7 @@ $querystr = "SELECT \tstudents.firstname, students.lastname,
 				tours_choice.rank";
 
 $q = $pdo->prepare($querystr);
-$q->execute();
+$q->execute([$config['FAIRYEAR'],$config['FAIRYEAR']]);
 
 show_pdo_errors_if_any($pdo);
 
diff --git a/admin/tours_manager.php b/admin/tours_manager.php
index 3e9c9ade..6c1da4e7 100644
--- a/admin/tours_manager.php
+++ b/admin/tours_manager.php
@@ -39,12 +39,12 @@ send_header('Tour Management',
 		'Tours' => 'admin/tours.php'));
 
 if ($_GET['action'] == 'renumber') {
-	$q = $pdo->prepare("SELECT id FROM tours WHERE year='{$config['FAIRYEAR']}'");
-	$q->execute();
+	$q = $pdo->prepare("SELECT id FROM tours WHERE year=?");
+	$q->execute([$config['FAIRYEAR']]);
 	$x = 1;
 	while ($i = $q->fetch(PDP::FETCH_OBJ)) {
-		$stmt = $pdo->prepare("UPDATE tours SET num='$x' WHERE id='{$i->id}'");
-		$stmt->execute();
+		$stmt = $pdo->prepare("UPDATE tours SET num=? WHERE id=?");
+		$stmt->execute([$x,$i->id]);
 		$x++;
 	}
 	echo happy(i18n('Tours successfully renumbered'));
diff --git a/admin/tours_sa.php b/admin/tours_sa.php
index 84cfaa1c..1a0a4afa 100644
--- a/admin/tours_sa.php
+++ b/admin/tours_sa.php
@@ -53,9 +53,9 @@ TRACE('<pre>');
 function set_status($txt)
 {
 	TRACE("Status: $txt\n");
-	$stmt = $pdo->prepare("UPDATE config SET val='$txt' WHERE 
+	$stmt = $pdo->prepare("UPDATE config SET val=? WHERE 
 			var='tours_assigner_activity' AND year=0");
-	$stmt->execute();
+	$stmt->execute([$txt]);
 }
 
 $set_percent_last_percent = -1;
@@ -68,9 +68,9 @@ function set_percent($n)
 		return;
 	TRACE("Progress: $p\%\n");
 	$set_percent_last_percent = $p;
-	$stmt = $pdo->prepare("UPDATE config SET val='$p' WHERE 
+	$stmt = $pdo->prepare("UPDATE config SET val=? WHERE 
 			var='tours_assigner_percent' AND year=0");
-	$stmt->execute();
+	$stmt->execute([$p]);
 }
 
 set_status('Initializing...');
@@ -205,16 +205,16 @@ function tour_cost_function($annealer, $bucket_id, $ids)
 set_status('Cleaning existing tour assignments...');
 TRACE("\n\n");
 $q = $pdo->prepare("DELETE FROM tours_choice 
-		WHERE year='{$config['FAIRYEAR']}'
+		WHERE year=?
 		AND rank='0'");
-$q->execute();
+$q->execute([$config['FAIRYEAR']]);
 
 set_status('Loading Data From Database...');
 TRACE("\n\n");
 TRACE("Tours...\n");
 $tours = array();
-$q = $pdo->prepare("SELECT * FROM tours WHERE year='{$config['FAIRYEAR']}'");
-$q-- > execute();
+$q = $pdo->prepare("SELECT * FROM tours WHERE year=?");
+$q-> execute([$config['FAIRYEAR']]);
 $x = 0;
 
 /*
@@ -240,13 +240,13 @@ $q = $pdo->prepare("SELECT students.id,students.grade,
 		FROM students
 			LEFT JOIN registrations ON registrations.id=students.registrations_id
 		WHERE
-			students.year='{$config['FAIRYEAR']}'
+			students.year=?
 			AND ( registrations.status='complete'
 				OR registrations.status='paymentpending' )
 		ORDER BY
 			students.id
 			");
-$q->execute();
+$q->execute([$config['FAIRYEAR']]);
 $last_sid = -1;
 TRACE($pdo->errorInfo());
 while ($r = $q->fetch(PDO::FETCH_OBJ)) {
@@ -262,9 +262,9 @@ TRACE('   ' . (count($student_ids)) . " students loaded\n");
 
 TRACE("Loading Tour Selection Preferences...\n");
 $q = $pdo->prepare("SELECT * FROM tours_choice WHERE
-			tours_choice.year='{$config['FAIRYEAR']}' 
+			tours_choice.year=? 
 			ORDER BY rank ");
-$q->execute();
+$q->execute([$config['FAIRYEAR']]);
 TRACE($pdo->errorInfo());
 $x = 0;
 while ($r = $q->fetch(PDO::FETCH_OBJ)) {
@@ -303,11 +303,8 @@ foreach ($tours as $x => $t) {
 		$stmt = $pdo->prepare("INSERT INTO tours_choice 
 				(`students_id`,`registrations_id`,
 						`tour_id`,`year`,`rank`)
-				VALUES (
-				'$sid', '{$s['registrations_id']}', 
-				'{$t['id']}', '{$config['FAIRYEAR']}',
-				'0')");
-		$stmt->execute();
+				VALUES (?,?,?,?,0)");
+		$stmt->execute([$sid,$s['registrations_id'],$t['id'],$config['FAIRYEAR']]);
 	}
 }
 
diff --git a/admin/tours_sa_config.php b/admin/tours_sa_config.php
index bbf291e4..ac4fc264 100644
--- a/admin/tours_sa_config.php
+++ b/admin/tours_sa_config.php
@@ -58,8 +58,8 @@ function tours_check_tours()
 {
 	global $config;
 	global $pdo;
-	$q = $pdo->prepare("SELECT * FROM tours WHERE year='{$config['FAIRYEAR']}'");
-	$q->execute();
+	$q = $pdo->prepare("SELECT * FROM tours WHERE year=?");
+	$q->execute([$config['FAIRYEAR']]);
 	return $q->rowCount();
 }
 
@@ -72,13 +72,13 @@ function tours_check_students()
 			LEFT JOIN tours_choice ON (tours_choice.students_id=students.id)
 			LEFT JOIN registrations ON (registrations.id=students.registrations_id)
 		WHERE
-			students.year='{$config['FAIRYEAR']}'
-			AND tours_choice.year='{$config['FAIRYEAR']}'
+			students.year=?
+			AND tours_choice.year=?
 			AND registrations.status='complete'
 		ORDER BY
 			students.id, tours_choice.rank
 			");
-	$q->execute();
+	$q->execute([$config['FAIRYEAR'],$config['FAIRYEAR']]);
 	return $q->rowCount();
 }
 
diff --git a/admin/translations.php b/admin/translations.php
index 80df5737..7add4c5d 100644
--- a/admin/translations.php
+++ b/admin/translations.php
@@ -57,15 +57,16 @@ if (get_value_from_array($_POST, 'action') == 'save') {
     // first, delete anything thats supposed to eb deleted
     if (count(get_value_from_array($_POST, 'delete', []))) {
         foreach ($_POST['delete'] AS $del) {
-            $stmt = $pdo->prepare("DELETE FROM translations WHERE lang='" . $_SESSION['translang'] . "' AND strmd5='" . $del . "'");
-            $stmt->execute();
+            $stmt = $pdo->prepare("DELETE FROM translations WHERE lang=? AND strmd5=?");
+            $stmt->execute([$_SESSION['translang'],$del]);
         }
         echo happy(i18n('Translation(s) deleted'));
     }
     if ($_POST['changedFields']) {
         $changed = split(',', $_POST['changedFields']);
         foreach ($changed AS $ch) {
-            $stmt = $pdo->prepare("UPDATE translations SET val='" . stripslashes($_POST['val'][$ch]) . "' WHERE strmd5='" . $ch . "' AND lang='" . $_SESSION['translang'] . "'");
+            $stmt = $pdo->prepare("UPDATE translations SET val=? WHERE strmd5=? AND lang=?");
+            $stmt->execute([stripslashes($_POST['val'][$ch]),$ch ,$_SESSION['translang']]);
         }
         echo happy(i18n('Translation(s) saved'));
     }
@@ -113,8 +114,8 @@ if ($show == 'missing')
 else
     $showquery = '';
 
-$q = $pdo->prepare("SELECT * FROM translations WHERE lang='" . get_value_from_array($_SESSION, 'translang') . "' $showquery ORDER BY str");
-$q->execute();
+$q = $pdo->prepare("SELECT * FROM translations WHERE lang=? $showquery ORDER BY str");
+$q->execute([get_value_from_array($_SESSION, 'translang')]);
 $num = $q->rowCount();
 echo i18n('Showing %1 translation strings', array($num), array('number of strings'));
 
diff --git a/admin/user_editor_window.php b/admin/user_editor_window.php
index c97e2c78..c14f3825 100644
--- a/admin/user_editor_window.php
+++ b/admin/user_editor_window.php
@@ -98,8 +98,8 @@ if (array_key_exists('username', $_GET)) {
 	$username = $_GET['username'];
 	$type = $_GET['type'];
 	$un = $username;
-	$q = $pdo->prepare("SELECT id,MAX(year),deleted FROM users WHERE username='$un' GROUP BY uid");
-	$q->execute();
+	$q = $pdo->prepare("SELECT id,MAX(year),deleted FROM users WHERE username=? GROUP BY uid");
+	$q->execute([$un]);
 	show_pdo_errors_if_any($pdo);
 
 	if ($q->rowCount()) {
@@ -119,8 +119,8 @@ if (array_key_exists('username', $_GET)) {
 			}
 		} else {
 			// undelete them?
-			$stmt = $pdo->prepare("UPDATE users SET deleted='no' WHERE id='$r->id'");
-			$stmt->execute();
+			$stmt = $pdo->prepare("UPDATE users SET deleted='no' WHERE id=?");
+			$stmt->execute([$r->id]);
 			// then load them?
 			$u = user_load($r->id);
 		}
diff --git a/admin/user_list.php b/admin/user_list.php
index ef6aec72..79b71b87 100644
--- a/admin/user_list.php
+++ b/admin/user_list.php
@@ -164,9 +164,9 @@ if (get_value_from_array($_GET, 'action') == 'update') {
 	$user = user_load($id);
 
 	// Determine if there is a more recent uid that may possibly be in the current FAIRYEAR (allows refresh page to work)
-	$query = $pdo->prepare("SELECT id,uid,year FROM users WHERE uid='{$user['uid']}'
+	$query = $pdo->prepare("SELECT id,uid,year FROM users WHERE uid=?
 					ORDER BY year DESC LIMIT 1");
-	$query->execute();
+	$query->execute([$user['uid']]);
 
 	$user_new = $query->fetch(PDO::FETCH_ASSOC);
 
@@ -178,9 +178,9 @@ if (get_value_from_array($_GET, 'action') == 'update') {
 		message_push(happy(i18n('User Updated')));
 
 		// find the newly updated user
-		$q_reload = $pdo->prepare("SELECT id FROM users WHERE uid='{$user['uid']}'
+		$q_reload = $pdo->prepare("SELECT id FROM users WHERE uid=?
 						ORDER BY year DESC LIMIT 1");
-		$q_reload->execute();
+		$q_reload->execute([$user['uid']]);
 
 		$reload_user = $q_reload->fetch(PDO::FETCH_ASSOC);
 
@@ -296,16 +296,16 @@ $querystr = "SELECT
 			GROUP BY uid
 			HAVING 
 				u1.deleted='no'
-				$having_year
-				$where_types
-				$where_complete
+				?
+				?
+				?
 			ORDER BY 
 				lastname ASC,
 				firstname ASC,
 				year DESC";
 
 $q = $pdo->prepare($querystr);
-$q->execute();
+$q->execute([$having_year,$where_types,$where_complete]);
 
 show_pdo_errors_if_any($pdo);
 $num = $q->rowCount();
@@ -358,8 +358,8 @@ while ($r = $q->fetch(PDO::FETCH_ASSOC)) {
 	if (in_array('fair', $types)) {
 		$qq = $pdo->prepare("SELECT * FROM users_fair 
 							LEFT JOIN fairs ON fairs.id=users_fair.fairs_id
-						WHERE users_id='{$r['id']}'");
-
+						WHERE users_id=?");
+		$qq->execute([$r['id']]);
 		$rr = $qq->fetch(PDO::FETCH_ASSOC);
 		$name = '{' . get_value_from_array($rr, 'name') . '}' . ((trim($name) == '') ? '' : "<br />($name)");
 	}
diff --git a/admin/winners.php b/admin/winners.php
index 5a747df1..74a858b0 100644
--- a/admin/winners.php
+++ b/admin/winners.php
@@ -56,21 +56,21 @@ switch ($action) {
 		}
 
 		// first check how many we are allowed to have
-		$q = $pdo->prepare("SELECT number FROM award_prizes WHERE id='$prize_id'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT number FROM award_prizes WHERE id=?");
+		$q->execute([$prize_id]);
 		show_pdo_errors_if_any($pdo);
 		$r = $q->fetch(PDO::FETCH_ASSOC);
 		$number = $r['number'];
 
 		/* Get the award info */
-		$q = $pdo->prepare("SELECT * FROM award_awards WHERE id='$award_awards_id'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT * FROM award_awards WHERE id=?");
+		$q->execute([$award_awards_id]);
 		show_pdo_errors_if_any($pdo);
 		$a = $q->fetch(PDO::FETCH_ASSOC);
 
 		/* Get the project */
-		$q = $pdo->prepare("SELECT fairs_id FROM projects WHERE id='$projects_id'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT fairs_id FROM projects WHERE id=?");
+		$q->execute([$projects_id]);
 		show_pdo_errors_if_any($pdo);
 		$p = $q->fetch(PDO::FETCH_ASSOC);
 		$fairs_id = $p['fairs_id'];
@@ -89,24 +89,24 @@ switch ($action) {
 			$q = $pdo->prepare("SELECT COUNT(*) AS count FROM winners 
 						LEFT JOIN projects ON winners.projects_id=projects.id
 					WHERE 
-						projects.fairs_id='$fairs_id'
-						awards_prizes_id='$prize_id'");
-			$q->execute();
+						projects.fairs_id=?
+						awards_prizes_id=?");
+			$q->execute([$fairs_id,$prize_id]);
 			show_pdo_errors_if_any($pdo);
 			$r = $q->fetch(PDO::FETCH_ASSOC);
 			$count = $r['count'];
 		} else {
 			/* Count is the total number assigned */
-			$q = $pdo->prepare("SELECT COUNT(*) AS count FROM winners WHERE awards_prizes_id='$prize_id'");
-			$q->execute();
+			$q = $pdo->prepare("SELECT COUNT(*) AS count FROM winners WHERE awards_prizes_id=?");
+			$q->execute([$prize_id]);
 			show_pdo_errors_if_any($pdo);
 			$r = $q->fetch(PDO::FETCH_ASSOC);
 			$count = $r['count'];
 		}
 
 		if ($count < $number) {
-			$stmt = $pdo->prepare("INSERT INTO winners (awards_prizes_id,projects_id,year) VALUES ('$prize_id','$projects_id','{$config['FAIRYEAR']}')");
-			$stmt->execute();
+			$stmt = $pdo->prepare("INSERT INTO winners (awards_prizes_id,projects_id,year) VALUES (?,?,?)");
+			$stmt->execute([$prize_id,$projects_id,$config['FAIRYEAR']]);
 			happy_('Winning project added');
 		} else {
 			error_('This prize cannot accept any more winners.  Maximum: %1', $number);
@@ -119,8 +119,8 @@ switch ($action) {
 		$projects_id = intval($_GET['projects_id']);
 
 		if ($prize_id && $projects_id) {
-			$stmt = $pdo->prepare("DELETE FROM winners WHERE awards_prizes_id='$prize_id' AND projects_id='$projects_id'");
-			$stmt->execute();
+			$stmt = $pdo->prepare("DELETE FROM winners WHERE awards_prizes_id=? AND projects_id=?");
+			$stmt->execute([$prize_id,$projects_id]);
 			happy_('Winning project removed');
 		}
 		exit;
@@ -140,12 +140,12 @@ switch ($action) {
 				award_awards ,
 				award_types
 			WHERE 
-					award_awards.year='{$config['FAIRYEAR']}'
+					award_awards.year=?
 				AND\taward_awards.award_types_id=award_types.id
 				AND \taward_types.year=award_awards.year
-				AND\taward_awards.id='$award_awards_id'
+				AND\taward_awards.id=?
 			");
-		$q->execute();
+		$q->execute([$config['FAIRYEAR'],$award_awards_id]);
 
 		show_pdo_errors_if_any($pdo);
 
@@ -177,12 +177,12 @@ switch ($action) {
 				award_awards ,
 				award_types
 			WHERE 
-					award_awards.year='{$config['FAIRYEAR']}'
+					award_awards.year=?
 				AND\taward_awards.award_types_id=award_types.id
 				AND \taward_types.year=award_awards.year
-				AND\taward_awards.id='$award_awards_id'
+				AND\taward_awards.id=?
 			");
-		$q->execute();
+		$q->execute([$config['FAIRYEAR'],$award_awards_id]);
 
 		show_pdo_errors_if_any($pdo);
 
@@ -218,15 +218,15 @@ switch ($action) {
 
 	case 'additional_materials':
 		$fairs_id = intval($_GET['fairs_id']);
-		$q = $pdo->prepare("SELECT * FROM award_awards WHERE id='$award_awards_id'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT * FROM award_awards WHERE id=?");
+		$q->execute([$award_awards_id]);
 		if ($fairs_id == 0) {
 			echo "Unsupported Action: Can't get additional materials for fairs_id=0.  Edit the project and set it's fair to anything except 'Local/Unspecified'.";
 			exit;
 		}
 		$a = $q->fetch(PDO::FETCH_ASSOC);
-		$q = $pdo->prepare("SELECT * FROM fairs WHERE id='$fairs_id'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT * FROM fairs WHERE id=?");
+		$q->execute([$fairs_id]);
 		$fair = $q->fetch(PDO::FETCH_ASSOC);
 		$pdf = fair_additional_materials($fair, $a, $config['FAIRYEAR']);
 		foreach ($pdf['header'] as $h)
@@ -412,17 +412,17 @@ $q = $pdo->prepare("SELECT
 			award_types.type,
 			sponsors.organization
 		FROM 
-			award_awards $fair_join,
+			award_awards ?,
 			award_types,
 			sponsors
 		WHERE 
-				award_awards.year='{$config['FAIRYEAR']}'
+				award_awards.year=?
 			AND\taward_awards.award_types_id=award_types.id
-			AND\taward_types.year='{$config['FAIRYEAR']}'
+			AND\taward_types.year=?
 			AND\taward_awards.sponsors_id=sponsors.id
-			$fair_where
+			?
 		ORDER BY awards_order");
-$q->execute();
+$q->execute([$fair_join,$config['FAIRYEAR'],$config['FAIRYEAR'],$fair_where]);
 
 show_pdo_errors_if_any($pdo);
 
@@ -500,11 +500,11 @@ function print_award(&$r, $fairs_id, $editor = false, $editor_data = array())
 			FROM 
 				award_prizes 
 			WHERE 
-				award_awards_id='{$r['id']}' 
-				AND award_prizes.year='{$config['FAIRYEAR']}'
+				award_awards_id=? 
+				AND award_prizes.year=?
 			ORDER BY 
 				`order`");
-	$q->execute();
+	$q->execute([$r['id'],$config['FAIRYEAR']]);
 	show_pdo_errors_if_any($pdo);
 
 	echo '<table width="100%"><tr><td>';
@@ -535,9 +535,9 @@ function print_award(&$r, $fairs_id, $editor = false, $editor_data = array())
 					winners
 					LEFT JOIN projects ON projects.id=winners.projects_id
 				WHERE 
-					winners.awards_prizes_id='{$pr->id}'
-					$fairs_where ");
-		$cq->execute();
+					winners.awards_prizes_id=?
+					? ");
+		$cq->execute([$pr->id,$fairs_where]);
 		show_pdo_errors_if_any($pdo);
 		$count = $cq->rowCount();
 		//		echo "winners=$count";
diff --git a/app/projectinfo.php b/app/projectinfo.php
index eec7982a..8cc98aac 100644
--- a/app/projectinfo.php
+++ b/app/projectinfo.php
@@ -32,8 +32,8 @@ require ('../common.inc.php');
 global $pdo;
 
 // first, lets make sure someone isng tryint to see something that they arent allowed to!
-$q = $pdo->prepare("SELECT (NOW()>='" . $config['dates']['postparticipants'] . "') AS test");
-$q->execute();
+$q = $pdo->prepare("SELECT (NOW()>=?) AS test");
+$q->execute([$config['dates']['postparticipants']]);
 $r = $q->fetch(PDO::FETCH_OBJ);
 
 $pn = trim($_GET['n']);
@@ -56,20 +56,21 @@ if ($r->test) {
 					LEFT JOIN projectcategories ON projectcategories.id=projects.projectcategories_id
 					LEFT JOIN projectdivisions ON projectdivisions.id=projects.projectdivisions_id
 				WHERE
-					registrations.year='" . $config['FAIRYEAR'] . "' 
-					AND projectcategories.year='" . $config['FAIRYEAR'] . "' 
-					AND projectdivisions.year='" . $config['FAIRYEAR'] . "' 
+					registrations.year=? 
+					AND projectcategories.year=? 
+					AND projectdivisions.year=? 
 					AND (status='complete' OR status='paymentpending')
-					AND projects.projectnumber='$pn'
+					AND projects.projectnumber=?
 				LIMIT 1
 				");
+	$q->execute([$config['FAIRYEAR'],$config['FAIRYEAR'],$config['FAIRYEAR'],$pn]);
 	show_pdo_errors_if_any($pdo);
 	$r = $q->fetch(PDO::FETCH_ASSOC);
 
 	$regid = $r['reg_id'];
 
-	$q2 = $pdo->prepare("SELECT firstname,lastname,webfirst,weblast,schools.school FROM students JOIN schools ON students.schools_id=schools.id WHERE registrations_id='$regid' ORDER BY lastname");
-	$q2->execute();
+	$q2 = $pdo->prepare("SELECT firstname,lastname,webfirst,weblast,schools.school FROM students JOIN schools ON students.schools_id=schools.id WHERE registrations_id=? ORDER BY lastname");
+	$q2->execute([$regid]);
 	$students = '';
 	while ($stud = $q2->fetch(PDO::FETCH_OBJ)) {
 		if ($stud->webfirst == 'yes')
diff --git a/app/projectlist.php b/app/projectlist.php
index 4f728e62..e0b2f425 100644
--- a/app/projectlist.php
+++ b/app/projectlist.php
@@ -31,8 +31,8 @@ require ('../common.inc.php');
 
 global $pdo;
 // first, lets make sure someone isnt trying to see something that they arent allowed to!
-$q = $pdo->prepare("SELECT (NOW()>='" . $config['dates']['postparticipants'] . "') AS test");
-$q->execute();
+$q = $pdo->prepare("SELECT (NOW()>=?) AS test");
+$q->execute([$config['dates']['postparticipants']]);
 $r = $q->fetch(PDO::FETCH_OBJ);
 
 if ($r->test) {
@@ -52,16 +52,16 @@ if ($r->test) {
 					LEFT JOIN projectdivisions ON projectdivisions.id=projects.projectdivisions_id
 				WHERE
 					1
-					AND registrations.year='" . $config['FAIRYEAR'] . "' 
-					AND projectcategories.year='" . $config['FAIRYEAR'] . "' 
-					AND projectdivisions.year='" . $config['FAIRYEAR'] . "' 
+					AND registrations.year=? 
+					AND projectcategories.year=? 
+					AND projectdivisions.year=? 
 					AND (status='complete' OR status='paymentpending')
 				ORDER BY
 					projectcategories.id,
 					projectdivisions.id,
 					projects.projectnumber
 				");
-	$q->execute();
+	$q->execute([$config['FAIRYEAR'],$config['FAIRYEAR'],$config['FAIRYEAR']]);
 	show_pdo_errors_if_any($pdo);
 
 	$lastcat = 'something_that_does_not_exist';
diff --git a/app/projects.php b/app/projects.php
index 41d50207..ba8a5108 100644
--- a/app/projects.php
+++ b/app/projects.php
@@ -31,8 +31,8 @@ require ('../common.inc.php');
 
 global $pdo;
 // first, lets make sure someone isnt trying to see something that they arent allowed to!
-$q = $pdo->prepare("SELECT (NOW()>='" . $config['dates']['postparticipants'] . "') AS test");
-$q->execute();
+$q = $pdo->prepare("SELECT (NOW()>=?) AS test");
+$q->execute([$config['dates']['postparticipants']]);
 $r = $q->fetch(PDO::FETCH_OBJ);
 $ret = array();
 
@@ -56,16 +56,16 @@ if ($r->test) {
 					LEFT JOIN projectdivisions ON projectdivisions.id=projects.projectdivisions_id
 				WHERE
 					1
-					AND registrations.year='" . $config['FAIRYEAR'] . "' 
-					AND projectcategories.year='" . $config['FAIRYEAR'] . "' 
-					AND projectdivisions.year='" . $config['FAIRYEAR'] . "' 
+					AND registrations.year=? 
+					AND projectcategories.year=? 
+					AND projectdivisions.year=? 
 					AND (status='complete' OR status='paymentpending')
 				ORDER BY
 					projectcategories.id,
 					projectdivisions.id,
 					projects.projectnumber
 				");
-	$q->execute();
+	$q->execute([$config['FAIRYEAR'],$config['FAIRYEAR'],$config['FAIRYEAR']]);
 	show_pdo_errors_if_any($pdo);
 
 	$lastcat = 'something_that_does_not_exist';
diff --git a/committees.php b/committees.php
index 8a182824..fea0d251 100644
--- a/committees.php
+++ b/committees.php
@@ -36,7 +36,7 @@ while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 	/* Select all the u$q=("SELECT * FROM committees ORDER BY ord,name");sers in the committee, using MAX(year) for the most recent year */
 	$q2 = $pdo->prepare("SELECT committees_link.*,users.uid,MAX(users.year),users.lastname
 							FROM committees_link LEFT JOIN users ON users.uid = committees_link.users_uid 
-							WHERE committees_id='{$r->id}' 
+							WHERE committees_id=? 
 							GROUP BY users.uid ORDER BY ord,users.lastname ");
 	$q2->execute();
 	// if there's nobody in this committee, then just skip it and go on to the next one.
diff --git a/common.inc.php b/common.inc.php
index ea1acf98..5edb4eb7 100644
--- a/common.inc.php
+++ b/common.inc.php
@@ -26,7 +26,7 @@
 
 // ////echo phpinfo();
 header('Content-Type: text/html; charset=utf8');
-include_once('helper.inc.php');
+include_once ('helper.inc.php');
 // set error reporting to not show notices, for some reason some people's installation dont set this by default
 // so we will set it in the code instead just to make sure
 error_reporting(E_ALL);
@@ -70,7 +70,7 @@ if (!is_writable($prependdir . 'data')) {
 }
 
 if (file_exists($prependdir . 'data/config.inc.php')) {
-	require_once($prependdir . 'data/config.inc.php');
+	require_once ($prependdir . 'data/config.inc.php');
 } else {
 	echo '<html><head><title>SFIAB</title></head><body>';
 	echo '<h1>Science Fair In A Box - Installation</h1>';
@@ -138,7 +138,7 @@ if (!$dbdbversion) {
 	exit;
 }
 
-if (!$_SERVER['REQUEST_URI'] == "db_update.php" && ($dbcodeversion != $dbdbversion)) {
+if (!$_SERVER['REQUEST_URI'] == 'db_update.php' && ($dbcodeversion != $dbdbversion)) {
 	echo '<html><head><title>SFIAB ERROR</title></head><body>';
 	echo '<h1>Science Fair In A Box - ERROR</h1>';
 	echo 'SFIAB database and code are mismatched';
@@ -159,24 +159,24 @@ if (!$_SERVER['REQUEST_URI'] == "db_update.php" && ($dbcodeversion != $dbdbversi
 }
 
 // now pull the rest of the configuration
-$q = $pdo->prepare("SELECT * FROM config WHERE year='" . $config['FAIRYEAR'] . "'");
-$q->execute();
+$q = $pdo->prepare('SELECT * FROM config WHERE year=?');
+$q->execute([$config['FAIRYEAR']]);
 while ($r = $q->fetch()) {
 	$config[$r['var']] = $r['val'];
 }
 
 // now pull the dates
-$q = $pdo->prepare("SELECT * FROM dates WHERE year='" . $config['FAIRYEAR'] . "'");
-$q->execute();
+$q = $pdo->prepare('SELECT * FROM dates WHERE year=?');
+$q->execute([$config['FAIRYEAR']]);
 while ($r = $q->fetch()) {
 	$config['dates'][$r['name']] = $r['date'];
 }
 
 // and now pull the theme
-require_once("theme/{$config['theme']}/theme.php");
-require_once("theme/{$config['theme_icons']}/icons.php");
+require_once ("theme/{$config['theme']}/theme.php");
+require_once ("theme/{$config['theme_icons']}/icons.php");
 
-require_once('committee.inc.php');
+require_once ('committee.inc.php');
 
 if ($config['SFIABDIRECTORY'] == '') {
 	session_name('SFIABSESSID');
@@ -252,8 +252,8 @@ function i18n($str, $args = array(), $argsdesc = array(), $forcelang = '')
 				$_SESSION['lang'] = $savelang;
 			return $str;
 		} else {
-			$q = $pdo->prepare("SELECT * FROM translations WHERE lang='" . $_SESSION['lang'] . "' AND strmd5='" . md5($str) . "'");
-			$q->execute();
+			$q = $pdo->prepare('SELECT * FROM translations WHERE lang=? AND strmd5=?');
+			$q->execute([$_SESSION['lang'], md5($str)]);
 			if ($r = $q->fetch()) {
 				if ($r['val']) {
 					$ret = $r['val'];
@@ -350,16 +350,19 @@ function send_header($title = '', $nav = null, $icon = null, $titletranslated =
 		return;
 	else
 		$HEADER_SENT = true;
-?>
+	?>
 	<!DOCTYPE html>
 	<html>
 
 	<head>
 		<meta charset="utf-8" />
 		<meta name="viewport" content="width=device-width, initial-scale=1" />
-		<title><? if ($title && !$titletranslated) echo i18n($title);
-				else if ($title) echo $title;
-				else echo i18n($config['fairname']); ?></title>
+		<title><? if ($title && !$titletranslated)
+		echo i18n($title);
+	else if ($title)
+		echo $title;
+	else
+		echo i18n($config['fairname']); ?></title>
 
 		<link rel="stylesheet" href="https://code.jquery.com/ui/1.14.1/themes/base/jquery-ui.css">
 		<link rel="stylesheet" href="<?= $config['SFIABDIRECTORY'] ?>/theme/<?= $config['theme'] ?>/sfiab.css" type="text/css" media="all" />
@@ -369,9 +372,12 @@ function send_header($title = '', $nav = null, $icon = null, $titletranslated =
 	</head>
 
 	<body>
-		<!-- <? if ($title && !$titletranslated) echo i18n($title);
-				else if ($title) echo $title;
-				else echo i18n($config['fairname']); ?> -->
+		<!-- <? if ($title && !$titletranslated)
+		echo i18n($title);
+	else if ($title)
+		echo $title;
+	else
+		echo i18n($config['fairname']); ?> -->
 		<script src="https://code.jquery.com/jquery-3.7.1.js"></script>
 		<script src="https://code.jquery.com/jquery-migrate-3.5.2.js"></script>
 
@@ -389,7 +395,7 @@ function send_header($title = '', $nav = null, $icon = null, $titletranslated =
 		<?
 		// if we're under /admin or /config we also want the translation editor
 		if (substr(getcwd(), -6) == '/admin' || substr(getcwd(), -7) == '/config' || substr(getcwd(), -6) == '\admin' || substr(getcwd(), -7) == '\config')
-			require_once('../translationseditor.inc.php');
+			require_once ('../translationseditor.inc.php');
 		?>
 
 		<div id="notice_area" class="notice_area"></div>
@@ -400,11 +406,10 @@ function send_header($title = '', $nav = null, $icon = null, $titletranslated =
 
 			echo '<h1>' . i18n($config['fairname']) . '</h1>';
 
-			
 			if ($config['theme'] == 'science_ation')
 				echo "<span id='menu-toggle-button' onClick='toggle_sidebar()' class='material-symbols-outlined'>
-					  menu
-					  </span>"
+				\t  menu
+				\t  </span>"
 			?>
 
 		</div>
@@ -453,8 +458,8 @@ function send_header($title = '', $nav = null, $icon = null, $titletranslated =
 
 					// only display it if a date is set to begin with.
 					if ($config['dates']['postparticipants'] && $config['dates']['postparticipants'] != '0000-00-00 00:00:00') {
-						$q = $pdo->prepare("SELECT (NOW()>'" . $config['dates']['regclose'] . "') AS test");
-						$q->execute();
+						$q = $pdo->prepare('SELECT (NOW()>?) AS test');
+						$q->execute([$config['dates']['regclose']]);
 						$r = $q->fetch(PDO::FETCH_OBJ);
 						if ($r->test == 1) {
 							$registrationconfirmationlink = '<li><a href="' . $config['SFIABDIRECTORY'] . '/confirmed_participants.php">' . i18n('Confirmed Participants') . '</a></li>';
@@ -486,12 +491,12 @@ function send_header($title = '', $nav = null, $icon = null, $titletranslated =
 							echo $registrationconfirmationlink;
 
 							/*
-	 * echo "<li><a href=\"{$config['SFIABDIRECTORY']}/register_participants.php\">".i18n("Participant Registration").'</a></li>';
-	 * echo "<li><a href=\"{$config['SFIABDIRECTORY']}/user_login.php?type=judge\">".i18n("Judges Registration").'</a></li>';
-	 * if($config['volunteer_enable'] == 'yes') {
-	 * 	echo "<li><a href=\"{$config['SFIABDIRECTORY']}/user_login.php?type=volunteer\">".i18n("Volunteer Registration").'</a></li>';
-	 * }
-	 */
+							 * echo "<li><a href=\"{$config['SFIABDIRECTORY']}/register_participants.php\">".i18n("Participant Registration").'</a></li>';
+							 * echo "<li><a href=\"{$config['SFIABDIRECTORY']}/user_login.php?type=judge\">".i18n("Judges Registration").'</a></li>';
+							 * if($config['volunteer_enable'] == 'yes') {
+							 * 	echo "<li><a href=\"{$config['SFIABDIRECTORY']}/user_login.php?type=volunteer\">".i18n("Volunteer Registration").'</a></li>';
+							 * }
+							 */
 							echo "<li><a href=\"{$config['SFIABDIRECTORY']}/committees.php\">" . i18n('Committee') . '</a></li>';
 							echo "<li><a href=\"{$config['SFIABDIRECTORY']}/winners.php\">" . i18n('Winners') . '</a></li>';
 							echo '</ul>';
@@ -578,70 +583,70 @@ function send_header($title = '', $nav = null, $icon = null, $titletranslated =
 					<div id="main">
 						<?
 
-						if (committee_auth_has_access('config') || committee_auth_has_access('admin'))
-							committee_warnings();
-						if (committee_auth_has_access('config'))
-							config_warnings();
-						if (committee_auth_has_access('admin'))
-							admin_warnings();
+	if (committee_auth_has_access('config') || committee_auth_has_access('admin'))
+		committee_warnings();
+	if (committee_auth_has_access('config'))
+		config_warnings();
+	if (committee_auth_has_access('admin'))
+		admin_warnings();
 
-						echo '<table cellspacing="0" cellpadding="0" width="100%"><tr>';
+	echo '<table cellspacing="0" cellpadding="0" width="100%"><tr>';
 
-						if ($icon && theme_icon($icon)) {
-							echo '<td width="40">';
-							echo theme_icon($icon);
-							echo '</td><td>';
-						} else
-							echo '<td>';
+	if ($icon && theme_icon($icon)) {
+		echo '<td width="40">';
+		echo theme_icon($icon);
+		echo '</td><td>';
+	} else
+		echo '<td>';
 
-						if ($title && !$titletranslated)
-							echo '<h2>' . i18n($title) . '</h2>';
-						else if ($title)
-							echo '<h2>' . $title . '</h2>';
+	if ($title && !$titletranslated)
+		echo '<h2>' . i18n($title) . '</h2>';
+	else if ($title)
+		echo '<h2>' . $title . '</h2>';
 
-						// if we're under /admin or /config then we want to show the ? help icon
-						if (substr(getcwd(), -6) == '/admin' || substr(getcwd(), -7) == '/config' || substr(getcwd(), -6) == '\admin' || substr(getcwd(), -7) == '\config') {
-							if (get_value_from_array($_SERVER, 'REDIRECT_SCRIPT_URL'))
-								$fname = substr($_SERVER['REDIRECT_SCRIPT_URL'], strlen($config['SFIABDIRECTORY']) + 1);
-							else
-								$fname = substr($_SERVER['PHP_SELF'], strlen($config['SFIABDIRECTORY']) + 1);
-							echo "</td><td align=\"right\"><a target=\"_sfiabhelp\" href=\"http://www.sfiab.ca/wiki/index.php/Help_$fname\"><img border=\"0\" src=\"" . $config['SFIABDIRECTORY'] . '/images/32/help_science_ation.' . $config['icon_extension'] . '"></a>';
-						}
-						'</td></tr>';
-						echo '</table>';
+	// if we're under /admin or /config then we want to show the ? help icon
+	if (substr(getcwd(), -6) == '/admin' || substr(getcwd(), -7) == '/config' || substr(getcwd(), -6) == '\admin' || substr(getcwd(), -7) == '\config') {
+		if (get_value_from_array($_SERVER, 'REDIRECT_SCRIPT_URL'))
+			$fname = substr($_SERVER['REDIRECT_SCRIPT_URL'], strlen($config['SFIABDIRECTORY']) + 1);
+		else
+			$fname = substr($_SERVER['PHP_SELF'], strlen($config['SFIABDIRECTORY']) + 1);
+		echo "</td><td align=\"right\"><a target=\"_sfiabhelp\" href=\"http://www.sfiab.ca/wiki/index.php/Help_$fname\"><img border=\"0\" src=\"" . $config['SFIABDIRECTORY'] . '/images/32/help_science_ation.' . $config['icon_extension'] . '"></a>';
+	}
+	'</td></tr>';
+	echo '</table>';
 
-						display_messages();
-					}
+	display_messages();
+}
 
-					/* END OF send_header */
+/* END OF send_header */
 
-					function send_footer()
-					{
-						global $config;
-						?>
+function send_footer()
+{
+	global $config;
+	?>
 				</td>
 			</tr>
 		</table>
 		</div>
 		<div id="footer">
 			<?
-						// we only show the debug session variables if we have an ODD numbered version.
-						if (substr($config['version'], -1) % 2 != 0) {
-							$pos = strpos(getcwd(), '/');
-							if ($pos === false) {  // Windows OS
-								$revision = 'na';
-							} else {
-								$revision = exec('svn info |grep Revision');
-							}
-							$extra = " (Development $revision)";
-							if (get_value_from_array($_SESSION, 'debug') == 'true')
-								$extra .= ' DEBUG: ' . print_r($_SESSION, true);
-						}
+			// we only show the debug session variables if we have an ODD numbered version.
+			if (substr($config['version'], -1) % 2 != 0) {
+				$pos = strpos(getcwd(), '/');
+				if ($pos === false) {  // Windows OS
+					$revision = 'na';
+				} else {
+					$revision = exec('svn info |grep Revision');
+				}
+				$extra = " (Development $revision)";
+				if (get_value_from_array($_SESSION, 'debug') == 'true')
+					$extra .= ' DEBUG: ' . print_r($_SESSION, true);
+			}
 
-						// FIX ME
+			// FIX ME
 
-						// echo "<a target=\"blank\" href=\"http://www.sfiab.ca\">Science-ation Version ".$config['version']."{$extra}</a>";
-						echo '<a target="blank" href="https://science-ation.ca">Science-ation Version 3</a>';
+			// echo "<a target=\"blank\" href=\"http://www.sfiab.ca\">Science-ation Version ".$config['version']."{$extra}</a>";
+			echo '<a target="blank" href="https://science-ation.ca">Science-ation Version 3</a>';
 			?>
 		</div>
 		<div id="debug" style="display:<?= (get_value_from_array($_SESSION, 'debug') == 'true') ? 'block' : 'none' ?>; font-family:monospace; white-space:pre;">Debug...</div>
@@ -652,21 +657,21 @@ function send_header($title = '', $nav = null, $icon = null, $titletranslated =
 	</html>
 
 <?
-					}
+}
 
-					function send_popup_header($title = '')
-					{
-						global $HEADER_SENT;
-						global $config;
+function send_popup_header($title = '')
+{
+	global $HEADER_SENT;
+	global $config;
 
-						// do this so we can use send_header() a little more loosly and not worry about it being sent more than once.
-						if ($HEADER_SENT)
-							return;
-						else
-							$HEADER_SENT = true;
+	// do this so we can use send_header() a little more loosly and not worry about it being sent more than once.
+	if ($HEADER_SENT)
+		return;
+	else
+		$HEADER_SENT = true;
 
-						echo "<?xml version=\"1.0\" encoding=\"iso-8859-1\" ?>\n";
-?>
+	echo "<?xml version=\"1.0\" encoding=\"iso-8859-1\" ?>\n";
+	?>
 	<!DOCTYPE html>
 	<html>
 
@@ -692,24 +697,24 @@ function send_header($title = '', $nav = null, $icon = null, $titletranslated =
 		<div id="notice_area" class="notice_area"></div>
 
 	<?
-						if ($title)
-							echo '<h2>' . i18n($title) . '</h2>';
-					}
+	if ($title)
+		echo '<h2>' . i18n($title) . '</h2>';
+}
 
-					function send_popup_footer()
-					{
+function send_popup_footer()
+{
 	?>
 		<br />
 		<br />
 		<div id="footer">
 			<?
-						global $config;
-						$lastdigit = $config['version'][strlen($config['version']) - 1];
-						if ($lastdigit % 2 != 0) {
-							echo 'DEBUG:';
-							print_r($_SESSION);
-						}
-						echo 'Science-ation Version ' . $config['version'];
+			global $config;
+			$lastdigit = $config['version'][strlen($config['version']) - 1];
+			if ($lastdigit % 2 != 0) {
+				echo 'DEBUG:';
+				print_r($_SESSION);
+			}
+			echo 'Science-ation Version ' . $config['version'];
 			?>
 		</div>
 		<div id="debug" style="display:<?= ($_SESSION['debug'] == 'true') ? 'block' : 'none' ?>">Debug...</div>
@@ -719,813 +724,817 @@ function send_header($title = '', $nav = null, $icon = null, $titletranslated =
 
 	</html>
 <?
-					}
+}
 
-					function emit_month_selector($name, $selected = '')
-					{
-						echo "<select name=\"$name\">\n";
-						$months = array('', 'Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun', 'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec');
-						echo '<option value="">' . i18n('Month') . "</option>\n";
-						for ($x = 1; $x <= 12; $x++) {
-							if ($x == $selected)
-								$s = 'selected="selected"';
-							else
-								$s = '';
-							echo "<option $s value=\"$x\">" . $months[$x] . "</option>\n";
-						}
+function emit_month_selector($name, $selected = '')
+{
+	echo "<select name=\"$name\">\n";
+	$months = array('', 'Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun', 'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec');
+	echo '<option value="">' . i18n('Month') . "</option>\n";
+	for ($x = 1; $x <= 12; $x++) {
+		if ($x == $selected)
+			$s = 'selected="selected"';
+		else
+			$s = '';
+		echo "<option $s value=\"$x\">" . $months[$x] . "</option>\n";
+	}
 
-						echo "</select>\n";
-					}
+	echo "</select>\n";
+}
 
-					function emit_day_selector($name, $selected = '')
-					{
-						echo "<select name=\"$name\">\n";
-						echo '<option value="">' . i18n('Day') . "</option>\n";
+function emit_day_selector($name, $selected = '')
+{
+	echo "<select name=\"$name\">\n";
+	echo '<option value="">' . i18n('Day') . "</option>\n";
 
-						for ($x = 1; $x <= 31; $x++)
-							echo '<option value="' . ($x < 10 ? '0' : '') . "$x\" " . ($selected == $x ? 'selected="selected"' : '') . ">$x</option>\n";
+	for ($x = 1; $x <= 31; $x++)
+		echo '<option value="' . ($x < 10 ? '0' : '') . "$x\" " . ($selected == $x ? 'selected="selected"' : '') . ">$x</option>\n";
 
-						echo "</select>\n";
-					}
+	echo "</select>\n";
+}
 
-					function emit_year_selector($name, $selected = '', $min = 0, $max = 0)
-					{
-						$curyear = date('Y');
-						echo "<select name=\"$name\">\n";
-						echo '<option value="">' . i18n('Year') . "</option>\n";
+function emit_year_selector($name, $selected = '', $min = 0, $max = 0)
+{
+	$curyear = date('Y');
+	echo "<select name=\"$name\">\n";
+	echo '<option value="">' . i18n('Year') . "</option>\n";
 
-						if ($min && $max) {
-							for ($x = $min; $x <= $max; $x++)
-								echo "<option value=\"$x\" " . ($selected == $x ? 'selected="selected"' : '') . ">$x</option>\n";
-						} else {
-							// if we arent given a min and max, lets show current year + 5
-							for ($x = $curyear; $x < $curyear + 5; $x++)
-								echo "<option value=\"$x\" " . ($selected == $x ? 'selected="selected"' : '') . ">$x</option>\n";
-						}
-						echo "</select>\n";
-					}
+	if ($min && $max) {
+		for ($x = $min; $x <= $max; $x++)
+			echo "<option value=\"$x\" " . ($selected == $x ? 'selected="selected"' : '') . ">$x</option>\n";
+	} else {
+		// if we arent given a min and max, lets show current year + 5
+		for ($x = $curyear; $x < $curyear + 5; $x++)
+			echo "<option value=\"$x\" " . ($selected == $x ? 'selected="selected"' : '') . ">$x</option>\n";
+	}
+	echo "</select>\n";
+}
 
-					function emit_date_selector($name, $selected = '')
-					{
-						if ($selected) {
-							list($year, $month, $day) = explode('-', $selected);
-						}
-						echo '<table cellpadding=0>';
-						echo '<tr><td>';
-						emit_year_selector($name . '_year', $year);
-						echo '</td><td>';
-						emit_month_selector($name . '_month', $month);
-						echo '</td><td>';
-						emit_day_selector($name . '_day', $day);
-						echo '</td></tr>';
-						echo '</table>';
-					}
+function emit_date_selector($name, $selected = '')
+{
+	if ($selected) {
+		list($year, $month, $day) = explode('-', $selected);
+	}
+	echo '<table cellpadding=0>';
+	echo '<tr><td>';
+	emit_year_selector($name . '_year', $year);
+	echo '</td><td>';
+	emit_month_selector($name . '_month', $month);
+	echo '</td><td>';
+	emit_day_selector($name . '_day', $day);
+	echo '</td></tr>';
+	echo '</table>';
+}
 
-					function emit_hour_selector($name, $selected = '')
-					{
-						if ($selected != '')
-							$selected = (int) $selected;
-						echo "<select name=\"$name\">\n";
-						echo "<option value=\"\">HH</option>\n";
+function emit_hour_selector($name, $selected = '')
+{
+	if ($selected != '')
+		$selected = (int) $selected;
+	echo "<select name=\"$name\">\n";
+	echo "<option value=\"\">HH</option>\n";
 
-						for ($x = 0; $x <= 23; $x++) {
-							if ($x === $selected)
-								$sel = 'selected';
-							else
-								$sel = '';
-							echo "<option value=\"$x\" $sel>" . sprintf('%02d', $x) . "</option>\n";
-						}
+	for ($x = 0; $x <= 23; $x++) {
+		if ($x === $selected)
+			$sel = 'selected';
+		else
+			$sel = '';
+		echo "<option value=\"$x\" $sel>" . sprintf('%02d', $x) . "</option>\n";
+	}
 
-						echo "</select>\n";
-					}
+	echo "</select>\n";
+}
 
-					function emit_minute_selector($name, $selected = '')
-					{
-						$mins = array('00', '05', '10', '15', '20', '25', '30', '35', '40', '45', '50', '55');
-						echo "<select name=\"$name\">\n";
-						echo "<option value=\"\">MM</option>\n";
+function emit_minute_selector($name, $selected = '')
+{
+	$mins = array('00', '05', '10', '15', '20', '25', '30', '35', '40', '45', '50', '55');
+	echo "<select name=\"$name\">\n";
+	echo "<option value=\"\">MM</option>\n";
 
-						for ($x = 0; $x < count($mins); $x++)
-							echo '<option value="' . $mins[$x] . '" ' . ($selected == $mins[$x] ? 'selected' : '') . ">$mins[$x]</option>\n";
+	for ($x = 0; $x < count($mins); $x++)
+		echo '<option value="' . $mins[$x] . '" ' . ($selected == $mins[$x] ? 'selected' : '') . ">$mins[$x]</option>\n";
 
-						echo "</select>\n";
-					}
+	echo "</select>\n";
+}
 
-					function emit_time_selector($name, $selected = '')
-					{
-						global $hour;
-						global $minute;
-						if ($selected) {
-							list($hour, $minute, $second) = explode(':', $selected);
-						}
-						echo '<table cellpadding=0>';
-						echo '<tr><td>';
-						emit_hour_selector($name . '_hour', $hour);
-						echo '</td><td>';
-						emit_minute_selector($name . '_minute', $minute);
-						echo '</td></tr>';
-						echo '</table>';
-					}
+function emit_time_selector($name, $selected = '')
+{
+	global $hour;
+	global $minute;
+	if ($selected) {
+		list($hour, $minute, $second) = explode(':', $selected);
+	}
+	echo '<table cellpadding=0>';
+	echo '<tr><td>';
+	emit_hour_selector($name . '_hour', $hour);
+	echo '</td><td>';
+	emit_minute_selector($name . '_minute', $minute);
+	echo '</td></tr>';
+	echo '</table>';
+}
 
-					function emit_province_selector($name, $selected = '', $extra = '')
-					{
-						global $config;
+function emit_province_selector($name, $selected = '', $extra = '')
+{
+	global $config;
 
-						global $pdo;
-						$q = $pdo->prepare("SELECT * FROM provinces WHERE countries_code='" . $config['country'] . "' ORDER BY province");
-						$q->execute();
+	global $pdo;
+	$q = $pdo->prepare('SELECT * FROM provinces WHERE countries_code=? ORDER BY province');
+	$q->execute([$config['country']]);
 
-						if ($q->rowCount() == 1) {
-							$r = $q->fetch(PDO::FETCH_OBJ);
+	if ($q->rowCount() == 1) {
+		$r = $q->fetch(PDO::FETCH_OBJ);
 
-							echo "<input type=\"hidden\" name=\"$name\" value=\"$r->code\">";
-							echo i18n($r->province);
-						} else {
-							echo "<select name=\"$name\" $extra>\n";
+		echo "<input type=\"hidden\" name=\"$name\" value=\"$r->code\">";
+		echo i18n($r->province);
+	} else {
+		echo "<select name=\"$name\" $extra>\n";
 
-							echo '<option value="">' . i18n("Select a {$config['provincestate']}") . "</option>\n";
-							while ($r = $q->fetch(PDO::FETCH_OBJ)) {
-								if ($r->code == $selected)
-									$sel = 'selected="selected"';
-								else
-									$sel = '';
+		echo '<option value="">' . i18n("Select a {$config['provincestate']}") . "</option>\n";
+		while ($r = $q->fetch(PDO::FETCH_OBJ)) {
+			if ($r->code == $selected)
+				$sel = 'selected="selected"';
+			else
+				$sel = '';
 
-								echo "<option $sel value=\"$r->code\">" . i18n($r->province);
-								echo "</option>\n";
-							}
+			echo "<option $sel value=\"$r->code\">" . i18n($r->province);
+			echo "</option>\n";
+		}
 
-							echo "</select>\n";
-						}
-					}
+		echo "</select>\n";
+	}
+}
 
-					function outputStatus($status)
-					{
-						$ret = '';
-						switch ($status) {
-							case 'incomplete':
-								$ret .= '<div class="incomplete">';
-								$ret .= i18n('Incomplete');
-								$ret .= '</div>';
-								break;
-							case 'complete':
-								$ret .= '<div class="complete">';
-								$ret .= i18n('Complete');
-								$ret .= '</div>';
-								break;
-							case 'empty':
-								$ret .= '<div class="incomplete">';
-								$ret .= i18n('Empty');
-								$ret .= '</div>';
-								break;
+function outputStatus($status)
+{
+	$ret = '';
+	switch ($status) {
+		case 'incomplete':
+			$ret .= '<div class="incomplete">';
+			$ret .= i18n('Incomplete');
+			$ret .= '</div>';
+			break;
+		case 'complete':
+			$ret .= '<div class="complete">';
+			$ret .= i18n('Complete');
+			$ret .= '</div>';
+			break;
+		case 'empty':
+			$ret .= '<div class="incomplete">';
+			$ret .= i18n('Empty');
+			$ret .= '</div>';
+			break;
 
-							default:
-								$ret .= i18n('Unknown');
-								break;
-						}
-						return $ret;
-					}
+		default:
+			$ret .= i18n('Unknown');
+			break;
+	}
+	return $ret;
+}
 
-					// returns true if its a valid email address, false if its not
-					function isEmailAddress($str)
-					{
-						if (preg_match('/^[+a-zA-Z0-9._-]+@[a-zA-Z0-9._-]+\.([a-zA-Z]{2,4})$/i', $str))
-							return true;
-						else
-							return false;
-					}
+// returns true if its a valid email address, false if its not
+function isEmailAddress($str)
+{
+	if (preg_match('/^[+a-zA-Z0-9._-]+@[a-zA-Z0-9._-]+\.([a-zA-Z]{2,4})$/i', $str))
+		return true;
+	else
+		return false;
+}
 
-					function communication_get_user_replacements(&$u)
-					{
-						global $config;
-						$rep = array(
-							'FAIRNAME' => $config['fairname'],
-							'NAME' => $u['name'],
-							'EMAIL' => $u['email'],
-							'PASSWORD' => $u['password'],
-							'SALUTATION' => $u['salutation'],
-							'FIRSTNAME' => $u['firstname'],
-							'LASTNAME' => $u['lastname'],
-							'ORGANIZATION' => $u['sponsor']['organization'],
-						);
-						return $rep;
-					}
+function communication_get_user_replacements(&$u)
+{
+	global $config;
+	$rep = array(
+		'FAIRNAME' => $config['fairname'],
+		'NAME' => $u['name'],
+		'EMAIL' => $u['email'],
+		'PASSWORD' => $u['password'],
+		'SALUTATION' => $u['salutation'],
+		'FIRSTNAME' => $u['firstname'],
+		'LASTNAME' => $u['lastname'],
+		'ORGANIZATION' => $u['sponsor']['organization'],
+	);
+	return $rep;
+}
 
-					function communication_replace_vars($text, &$u, $otherrep = array())
-					{
-						global $config;
-						if ($u) {
-							$userrep = communication_get_user_replacements($u);
-						} else {
-							$userrep = array();
-						}
+function communication_replace_vars($text, &$u, $otherrep = array())
+{
+	global $config;
+	if ($u) {
+		$userrep = communication_get_user_replacements($u);
+	} else {
+		$userrep = array();
+	}
 
-						$rep = array_merge($userrep, $otherrep);
-						foreach ($rep as $k => $v) {
-							$text = preg_replace("\[$k\]", $v, $text);
-						}
-						return $text;
-					}
+	$rep = array_merge($userrep, $otherrep);
+	foreach ($rep as $k => $v) {
+		$text = preg_replace("\[$k\]", $v, $text);
+	}
+	return $text;
+}
 
-					function email_send($val, $to, $sub_subject = array(), $sub_body = array())
-					{
-						global $config, $pdo;
+function email_send($val, $to, $sub_subject = array(), $sub_body = array())
+{
+	global $config, $pdo;
 
-						/*
+	/*
 	 * Standard substitutions that are constant no matter who
 	 * the $to is
 	 */
-						$urlproto = $_SERVER['SERVER_PORT'] == 443 ? 'https://' : 'http://';
-						$urlmain = "$urlproto{$_SERVER['HTTP_HOST']}{$config['SFIABDIRECTORY']}";
-						$urllogin = "$urlmain/login.php";
-						$stdsub = array(
-							'FAIRNAME' => i18n($config['fairname']),
-							'URLMAIN' => $urlmain,
-							'URLLOGIN' => $urllogin,
-						);
-						/* Add standard subs to existing sub arrays */
-						$sub_subject = array_merge($sub_subject, $stdsub);
-						$sub_body = array_merge($sub_body, $stdsub);
+	$urlproto = $_SERVER['SERVER_PORT'] == 443 ? 'https://' : 'http://';
+	$urlmain = "$urlproto{$_SERVER['HTTP_HOST']}{$config['SFIABDIRECTORY']}";
+	$urllogin = "$urlmain/login.php";
+	$stdsub = array(
+		'FAIRNAME' => i18n($config['fairname']),
+		'URLMAIN' => $urlmain,
+		'URLLOGIN' => $urllogin,
+	);
+	/* Add standard subs to existing sub arrays */
+	$sub_subject = array_merge($sub_subject, $stdsub);
+	$sub_body = array_merge($sub_body, $stdsub);
 
-						// if our "to" doesnt look like a valid email, then forget about sending it.
-						if (!isEmailAddress($to)) {
-							return false;
-						}
-
-						$q = $pdo->prepare("SELECT * FROM emails WHERE val='$val'");
-						if ($r = $q->fetch(PDO::FETCH_ASSOC)) {
-							// we dont want to translate these, the messages themselves shoudl contain whatever languages they need
-							$subject = $r->subject;
-							$body = $r->body;
-							$bodyhtml = $r->bodyhtml;
-
-							/* Eventually we should just do this with communication_replace_vars() */
-							if (count($sub_subject)) {
-								foreach ($sub_subject as $sub_k => $sub_v) {
-									$subject = preg_replace("\[$sub_k\]", "$sub_v", $subject);
-								}
-							}
-							if (count($sub_body)) {
-								foreach ($sub_body as $sub_k => $sub_v) {
-									$body = preg_replace("\[$sub_k\]", "$sub_v", $body);
-								}
-							}
-
-							if (count($sub_body)) {
-								foreach ($sub_body as $sub_k => $sub_v) {
-									$bodyhtml = preg_replace("\[$sub_k\]", "$sub_v", $bodyhtml);
-								}
-							}
-
-							if ($r->from)
-								$fr = $r->from;
-							else if ($config['fairmanageremail'])
-								$fr = $config['fairmanageremail'];
-							else
-								$fr = '';
-
-							// only send the email if we have a from
-							if ($fr) {
-								// send using RMail
-								// FIXME EMAIL
-								////email_send_new($to, $fr, $subject, $body, $bodyhtml);
-							} else
-								echo error(i18n("CRITICAL ERROR: email '%1' does not have a 'From' and the Fair Manager Email is not configured", array($val), array('email key name')));
-						} else {
-							echo error(i18n("CRITICAL ERROR: email '%1' not found", array($val), array('email key name')));
-						}
-					}
-
-					/*require_once("Rmail/Rmail.php");
-require_once("Rmail/RFC822.php");
-
-// this sends out an all-ready-to-go email, it does no substitution or changes or database lookups or anything
-function email_send_new($to, $from, $subject, $body, $bodyhtml = '')
-{
-	$mail = new RMail();
-	$mail->setFrom($from);
-	$mail->setSubject($subject);
-	$mail->setText($body);
-
-	$r = new Mail_RFC822($from);
-	$structure = $r->parseAddressList($from);
-	$s = $structure[0];
-	$ret = sprintf('%s@%s', $s->mailbox, $s->host);
-	$mail->setReturnPath($ret);
-	$mail->setHeader('Bounce-To', $ret);
-
-	// only add the html if we have it
-	if ($bodyhtml) {
-		$mail->setHTML($bodyhtml);
+	// if our "to" doesnt look like a valid email, then forget about sending it.
+	if (!isEmailAddress($to)) {
+		return false;
 	}
 
-	if (is_array($to)) {
-		return $mail->send($to);
+	$q = $pdo->prepare('SELECT * FROM emails WHERE val=?');
+	if ($r = $q->fetch(PDO::FETCH_ASSOC)) {
+		// we dont want to translate these, the messages themselves shoudl contain whatever languages they need
+		$subject = $r->subject;
+		$body = $r->body;
+		$bodyhtml = $r->bodyhtml;
+
+		/* Eventually we should just do this with communication_replace_vars() */
+		if (count($sub_subject)) {
+			foreach ($sub_subject as $sub_k => $sub_v) {
+				$subject = preg_replace("\[$sub_k\]", "$sub_v", $subject);
+			}
+		}
+		if (count($sub_body)) {
+			foreach ($sub_body as $sub_k => $sub_v) {
+				$body = preg_replace("\[$sub_k\]", "$sub_v", $body);
+			}
+		}
+
+		if (count($sub_body)) {
+			foreach ($sub_body as $sub_k => $sub_v) {
+				$bodyhtml = preg_replace("\[$sub_k\]", "$sub_v", $bodyhtml);
+			}
+		}
+
+		if ($r->from)
+			$fr = $r->from;
+		else if ($config['fairmanageremail'])
+			$fr = $config['fairmanageremail'];
+		else
+			$fr = '';
+
+		// only send the email if we have a from
+		if ($fr) {
+			// send using RMail
+			// FIXME EMAIL
+			// //email_send_new($to, $fr, $subject, $body, $bodyhtml);
+		} else
+			echo error(i18n("CRITICAL ERROR: email '%1' does not have a 'From' and the Fair Manager Email is not configured", array($val), array('email key name')));
 	} else {
-		return $mail->send(array($to));
+		echo error(i18n("CRITICAL ERROR: email '%1' not found", array($val), array('email key name')));
 	}
 }
-*/
 
+/*
+ * require_once("Rmail/Rmail.php");
+ * require_once("Rmail/RFC822.php");
+ *
+ * // this sends out an all-ready-to-go email, it does no substitution or changes or database lookups or anything
+ * function email_send_new($to, $from, $subject, $body, $bodyhtml = '')
+ * {
+ * 	$mail = new RMail();
+ * 	$mail->setFrom($from);
+ * 	$mail->setSubject($subject);
+ * 	$mail->setText($body);
+ *
+ * 	$r = new Mail_RFC822($from);
+ * 	$structure = $r->parseAddressList($from);
+ * 	$s = $structure[0];
+ * 	$ret = sprintf('%s@%s', $s->mailbox, $s->host);
+ * 	$mail->setReturnPath($ret);
+ * 	$mail->setHeader('Bounce-To', $ret);
+ *
+ * 	// only add the html if we have it
+ * 	if ($bodyhtml) {
+ * 		$mail->setHTML($bodyhtml);
+ * 	}
+ *
+ * 	if (is_array($to)) {
+ * 		return $mail->send($to);
+ * 	} else {
+ * 		return $mail->send(array($to));
+ * 	}
+ * }
+ */
 
-					/*
+/*
  * returns an array of arrays
  * [ 0 ] = array ( to, firstname, lastname, email )
  * [ 1 ] = array ( to, firstname, lastname, email )
  * ...etc
  */
-					function getEmailRecipientsForRegistration($reg_id)
-					{
-						global $config, $pdo;
-						// okay first grab the registration record, to see if we should email the kids, the teacher, and/or the parents
-						$q = $pdo->prepare("SELECT * FROM registrations WHERE id='$reg_id' AND year='{$config['FAIRYEAR']}'");
-						$q->execute();
-						$registration = $q->fetch();
+function getEmailRecipientsForRegistration($reg_id)
+{
+	global $config, $pdo;
+	// okay first grab the registration record, to see if we should email the kids, the teacher, and/or the parents
+	$q = $pdo->prepare('SELECT * FROM registrations WHERE id=? AND year=?');
+	$q->execute([$reg_id, $config['FAIRYEAR']]);
+	$registration = $q->fetch();
 
-						if ($registration->emailcontact && isEmailAddress($registration->emailcontact)) {
-							$ret[] = array(
-								'to' => $registration->emailcontact,
-								'firstname' => '',
-								'lastname' => '',
-								'email' => $registration->emailcontact,
-							);
-						}
+	if ($registration->emailcontact && isEmailAddress($registration->emailcontact)) {
+		$ret[] = array(
+			'to' => $registration->emailcontact,
+			'firstname' => '',
+			'lastname' => '',
+			'email' => $registration->emailcontact,
+		);
+	}
 
-						$sq = $pdo->prepare("SELECT * FROM students WHERE registrations_id='$reg_id' AND year='{$config['FAIRYEAR']}'");
-						$sq->execute();
-						$ret = array();
-						while ($sr = $sq->fetch()) {
-							if ($sr->email && isEmailAddress($sr->email)) {
-								$to = $sr->email;
+	$sq = $pdo->prepare('SELECT * FROM students WHERE registrations_id=? AND year=?');
+	$sq->execute([$reg_id, $config['FAIRYEAR']]);
+	$ret = array();
+	while ($sr = $sq->fetch()) {
+		if ($sr->email && isEmailAddress($sr->email)) {
+			$to = $sr->email;
 
-								$ret[] = array(
-									'to' => $to,
-									'firstname' => $sr->firstname,
-									'lastname' => $sr->lastname,
-									'email' => $sr->email,
-								);
-							}
-						}
-						return $ret;
-					}
+			$ret[] = array(
+				'to' => $to,
+				'firstname' => $sr->firstname,
+				'lastname' => $sr->lastname,
+				'email' => $sr->email,
+			);
+		}
+	}
+	return $ret;
+}
 
-					function output_page_text($textname)
-					{
-						global $config;
-						global $pdo;
+function output_page_text($textname)
+{
+	global $config;
+	global $pdo;
 
-						$q = $pdo->prepare("SELECT * FROM pagetext WHERE textname='$textname' AND year='" . $config['FAIRYEAR'] . "' AND lang='" . $_SESSION['lang'] . "'");
-						$q->execute();
-						if ($q->rowCount())
-							$r = $q->fetch();
-						else {
-							// not defined, lets grab the default text
-							$q = $pdo->prepare("SELECT * FROM pagetext WHERE textname='$textname' AND year='-1' AND lang='" . $config['default_language'] . "'");
-							$q->execute();
-							$r = $q->fetch();
-						}
+	$q = $pdo->prepare("SELECT * FROM pagetext WHERE textname=? AND year=? AND lang=?");
+	$q->execute([$textname, $config['FAIRYEAR'], $_SESSION['lang']]);
+	if ($q->rowCount())
+		$r = $q->fetch();
+	else {
+		// not defined, lets grab the default text
+		$q = $pdo->prepare("SELECT * FROM pagetext WHERE textname=? AND year='-1' AND lang=?");
+		$q->execute([
+			$textname, $config['default_language']
+		]);
+		$r = $q->fetch();
+	}
 
-						// if it looks like we have HTML content, dont do a nl2br, if there's no html, then do the nl2br
-						if (get_value_property_or_default($r, 'text') !== null and strlen($r->text) == strlen(strip_tags($r->text)))
-							echo nl2br($r->text);
-						else
-							echo get_value_property_or_default($r, 'text');
-					}
+	// if it looks like we have HTML content, dont do a nl2br, if there's no html, then do the nl2br
+	if (get_value_property_or_default($r, 'text') !== null and strlen($r->text) == strlen(strip_tags($r->text)))
+		echo nl2br($r->text);
+	else
+		echo get_value_property_or_default($r, 'text');
+}
 
-					function output_page_cms($filename)
-					{
-						global $config;
-						global $pdo;
+function output_page_cms($filename)
+{
+	global $config;
+	global $pdo;
 
-						$q = $pdo->prepare("SELECT * FROM cms WHERE filename='" . $filename . "' AND lang='" . $_SESSION['lang'] . "' ORDER BY dt DESC LIMIT 1");
-						$q->execute();
-						if ($q->rowCount()) {
-							$r = $q->fetch();
-							send_header($r['title'], null, null, true);
+	$q = $pdo->prepare("SELECT * FROM cms WHERE filename=? AND lang=? ORDER BY dt DESC LIMIT 1");
+	$q->execute([$filename, $_SESSION['lang']]);
+	if ($q->rowCount()) {
+		$r = $q->fetch();
+		send_header($r['title'], null, null, true);
 
-							if (file_exists('data/logo-200.gif') && $r['showlogo'] == 1)
-								echo '<img align="right" src="' . $config['SFIABDIRECTORY'] . '/data/logo-200.gif" border="0">';
+		if (file_exists('data/logo-200.gif') && $r['showlogo'] == 1)
+			echo '<img align="right" src="' . $config['SFIABDIRECTORY'] . '/data/logo-200.gif" border="0">';
 
-							// if it looks like we have HTML content, dont do a nl2br, if there's no html, then do the nl2br
-							if ($r['text'] !== null and strlen($r['text']) == strlen(strip_tags($r['text'])))
-								echo nl2br($r['text']);
-							else
-								echo $r['text'];
-						} else {
-							send_header('Error: File not found');
-							echo error(i18n('The file you have requested (%1), does not exist on the server.', array($filename)));
-							return;
-							// not defined, lets grab the default text
-						}
+		// if it looks like we have HTML content, dont do a nl2br, if there's no html, then do the nl2br
+		if ($r['text'] !== null and strlen($r['text']) == strlen(strip_tags($r['text'])))
+			echo nl2br($r['text']);
+		else
+			echo $r['text'];
+	} else {
+		send_header('Error: File not found');
+		echo error(i18n('The file you have requested (%1), does not exist on the server.', array($filename)));
+		return;
+		// not defined, lets grab the default text
+	}
 
-						send_footer();
-					}
+	send_footer();
+}
 
 // config specific warning
 function config_warnings() {}
 
-					// admin specific warnings
-					function admin_warnings() {}
+// admin specific warnings
+function admin_warnings() {}
 
-					// warnings to show to both config and/or admin people
-					function committee_warnings()
-					{
-						global $config, $pdo;
-						// it is vital that each year the system be rolled over before we start it again
-						// we should do this, say, 4 months after the FAIRDATE, so its soon enough that they should see
-						// the message as soon as they login to start preparing for hte new year, but not too late to do it
-						// properly :)
+// warnings to show to both config and/or admin people
+function committee_warnings()
+{
+	global $config, $pdo;
+	// it is vital that each year the system be rolled over before we start it again
+	// we should do this, say, 4 months after the FAIRDATE, so its soon enough that they should see
+	// the message as soon as they login to start preparing for hte new year, but not too late to do it
+	// properly :)
 
-						$q = $pdo->prepare("SELECT DATE_ADD('" . $config['dates']['fairdate'] . "', INTERVAL 4 MONTH) < NOW() AS rollovercheck");
-						$q->execute();
+	$q = $pdo->prepare('SELECT DATE_ADD(?, INTERVAL 4 MONTH) < NOW() AS rollovercheck');
+	$q->execute([$config['dates']['fairdate']]);
 
-						$r = $q->fetch(PDO::FETCH_OBJ);
+	$r = $q->fetch(PDO::FETCH_OBJ);
 
-						// FIXME Clear out Important Dates as part of rollover
-						if ($r->rollovercheck) {
-							echo error(i18n("It has been more than 4 months since your fair.  In order to prepare the system for the next year's fair, you should go to the SFIAB Configuration page, and click on 'Rollover Fair Year'.  Do not start updating the system with new information until the year has been properly rolled over."));
-						}
+	// FIXME Clear out Important Dates as part of rollover
+	if ($r->rollovercheck) {
+		echo error(i18n("It has been more than 4 months since your fair.  In order to prepare the system for the next year's fair, you should go to the SFIAB Configuration page, and click on 'Rollover Fair Year'.  Do not start updating the system with new information until the year has been properly rolled over."));
+	}
 
 	$q = $pdo->prepare('SELECT * FROM award_prizes WHERE `external_identifier` IS NOT NULL 
 				AND external_identifier=prize');
-						$q->execute();
-						if ($q->rowCount() > 0) {
-							/*
+	$q->execute();
+	if ($q->rowCount() > 0) {
+		/*
 		 * The bug was that the external_identifier was set to the prize name.. so only display the warning
 		 * if we find that case for a non-sfiab external fair
 		 */
 		while (($p = $q->fetch(PDO::FETCH_ASSOC))) {
 			$qq = $pdo->prepare("SELECT * FROM award_awards
 						LEFT JOIN fairs ON fairs.id=award_awards.award_source_fairs_id
-						WHERE award_awards.id='{$p['award_awards_id']}'
-						AND year='{$config['FAIRYEAR']}'
+						WHERE award_awards.id=?
+						AND year=?
 						AND award_awards.award_source_fairs_id IS NOT NULL
 						AND fairs.type='ysc' ");
-			$qq->execute();
+			$qq->execute([$p['award_awards_id'], $config['FAIRYEAR']]);
 		}
 	}
 }
 
-					$CWSFDivisions = array(
-						1 => 'Discovery',
-						2 => 'Energy',
-						3 => 'Environment',
-						4 => 'Health',
-						5 => 'Information',
-						6 => 'Innovation',
-						7 => 'Resources'
-					);
+$CWSFDivisions = array(
+	1 => 'Discovery',
+	2 => 'Energy',
+	3 => 'Environment',
+	4 => 'Health',
+	5 => 'Information',
+	6 => 'Innovation',
+	7 => 'Resources'
+);
 
-					function theme_icon($icon, $width = 0)
-					{
-						global $theme_icons, $config;
+function theme_icon($icon, $width = 0)
+{
+	global $theme_icons, $config;
 
-						$w = ($width == 0) ? '' : "width=\"$width\"";
-						if ($theme_icons['icons'][$icon])
-							return "<img src=\"{$config['SFIABDIRECTORY']}/theme/{$config['theme_icons']}/{$theme_icons['icons'][$icon]}\" border=\"0\" $w alt=\"" . htmlspecialchars($icon) . '">';
+	$w = ($width == 0) ? '' : "width=\"$width\"";
+	if ($theme_icons['icons'][$icon])
+		return "<img src=\"{$config['SFIABDIRECTORY']}/theme/{$config['theme_icons']}/{$theme_icons['icons'][$icon]}\" border=\"0\" $w alt=\"" . htmlspecialchars($icon) . '">';
 
-						return '';
-					}
+	return '';
+}
 
-					// $d can be a unix timestamp integer, OR a text string, eg 2008-01-22
-					function format_date($d)
-					{
-						global $config;
-						if (is_numeric($d))
-							return date($config['dateformat'], $d);
-						else
-							return date($config['dateformat'], strtotime($d));
-					}
+// $d can be a unix timestamp integer, OR a text string, eg 2008-01-22
+function format_date($d)
+{
+	global $config;
+	if (is_numeric($d))
+		return date($config['dateformat'], $d);
+	else
+		return date($config['dateformat'], strtotime($d));
+}
 
-					// $t can be a unix timestamp integer, or a text string, eg 10:23:48
-					function format_time($t)
-					{
-						global $config;
-						if (is_numeric($t))
-							return date($config['timeformat'], $t);
-						else
-							return date($config['timeformat'], strtotime($t));
-					}
+// $t can be a unix timestamp integer, or a text string, eg 10:23:48
+function format_time($t)
+{
+	global $config;
+	if (is_numeric($t))
+		return date($config['timeformat'], $t);
+	else
+		return date($config['timeformat'], strtotime($t));
+}
 
-					// $dt can be a unix timestamp integer, or a text string, eg 2008-01-22 10:23:48
-					function format_datetime($dt)
-					{
-						if (is_numeric($dt)) {
-							return format_date($dt) . ' ' . i18n('at') . ' ' . format_time($dt);
-						} else {
-							list($d, $t) = explode(' ', $dt);
-							return format_date($d) . ' ' . i18n('at') . ' ' . format_time($t);
-						}
-					}
+// $dt can be a unix timestamp integer, or a text string, eg 2008-01-22 10:23:48
+function format_datetime($dt)
+{
+	if (is_numeric($dt)) {
+		return format_date($dt) . ' ' . i18n('at') . ' ' . format_time($dt);
+	} else {
+		list($d, $t) = explode(' ', $dt);
+		return format_date($d) . ' ' . i18n('at') . ' ' . format_time($t);
+	}
+}
 
-					function format_money($n, $decimals = true)
-					{
-						global $neg;
-						if ($n < 0) {
-							$neg = true;
-							$n = $n * -1;
-						}
-						// get the part before the decimal
-						$before = floor(get_value_or_default($n, 0));
-						$out = '';
+function format_money($n, $decimals = true)
+{
+	global $neg;
+	if ($n < 0) {
+		$neg = true;
+		$n = $n * -1;
+	}
+	// get the part before the decimal
+	$before = floor(get_value_or_default($n, 0));
+	$out = '';
 
-						// space it out in blocks of three
-						for ($x = strlen($before); $x > 3; $x -= 3) {
-							$out = substr($before, $x - 3, 3) . ' ' . $out;
-						}
-						if ($x > 0)
-							$out = substr($before, 0, $x) . ' ' . $out;
+	// space it out in blocks of three
+	for ($x = strlen($before); $x > 3; $x -= 3) {
+		$out = substr($before, $x - 3, 3) . ' ' . $out;
+	}
+	if ($x > 0)
+		$out = substr($before, 0, $x) . ' ' . $out;
 
-						// trim any leading/trailing space that was added
-						$out = trim($out);
+	// trim any leading/trailing space that was added
+	$out = trim($out);
 
-						if ($neg)
-							$negdisp = '-';
-						else
-							$negdisp = '';
+	if ($neg)
+		$negdisp = '-';
+	else
+		$negdisp = '';
 
-						if ($decimals) {
-							// get everything after the decimal place, and %02f it.
-							$after = substr(strstr(sprintf('%.02f', $n), '.'), 1);
+	if ($decimals) {
+		// get everything after the decimal place, and %02f it.
+		$after = substr(strstr(sprintf('%.02f', $n), '.'), 1);
 
-							// finally display it with the right language localization
-							if ($_SESSION['lang'] == 'fr')
-								return sprintf('%s%s,%s $', $negdisp, $out, $after);
-							else
-								return sprintf('%s$%s.%s', $negdisp, $out, $after);
-						} else {
-							if ($_SESSION['lang'] == 'fr')
-								return sprintf('%s%s $', $negdisp, $out);
-							else
-								return sprintf('%s$%s', $negdisp, $out);
-						}
-					}
+		// finally display it with the right language localization
+		if ($_SESSION['lang'] == 'fr')
+			return sprintf('%s%s,%s $', $negdisp, $out, $after);
+		else
+			return sprintf('%s$%s.%s', $negdisp, $out, $after);
+	} else {
+		if ($_SESSION['lang'] == 'fr')
+			return sprintf('%s%s $', $negdisp, $out);
+		else
+			return sprintf('%s$%s', $negdisp, $out);
+	}
+}
 
-					function message_push($m)
-					{
-						if (!is_array($_SESSION['messages']))
-							$_SESSION['messages'] = array();
-						$_SESSION['messages'][] = $m;
-					}
+function message_push($m)
+{
+	if (!is_array($_SESSION['messages']))
+		$_SESSION['messages'] = array();
+	$_SESSION['messages'][] = $m;
+}
 
-					function notice_($str, $i18n_array = array(), $timeout = -1, $type = 'notice')
-					{
-						if ($timeout == -1)
-							$timeout = 5000;
-						echo "<script type=\"text/javascript\">
+function notice_($str, $i18n_array = array(), $timeout = -1, $type = 'notice')
+{
+	if ($timeout == -1)
+		$timeout = 5000;
+	echo "<script type=\"text/javascript\">
 		notice_create('$type',\"" . i18n($str, $i18n_array) . "\",$timeout);
 		</script>";
-					}
+}
 
-					function happy_($str, $i18n_array = array(), $timeout = -1)
-					{
-						notice_($str, $i18n_array, $timeout, 'happy');
-					}
+function happy_($str, $i18n_array = array(), $timeout = -1)
+{
+	notice_($str, $i18n_array, $timeout, 'happy');
+}
 
-					function error_($str, $i18n_array = array(), $timeout = -1)
-					{
-						notice_($str, $i18n_array, $timeout, 'error');
-					}
+function error_($str, $i18n_array = array(), $timeout = -1)
+{
+	notice_($str, $i18n_array, $timeout, 'error');
+}
 
-					function debug_($str)
-					{
-						if (get_value_from_array($_SESSION, 'debug') != true)
-							return;
-						$s = str_replace("\n", '', nl2br(htmlspecialchars($str))) . '<br />';
-						echo "<script type=\"text/javascript\">
+function debug_($str)
+{
+	if (get_value_from_array($_SESSION, 'debug') != true)
+		return;
+	$s = str_replace("\n", '', nl2br(htmlspecialchars($str))) . '<br />';
+	echo "<script type=\"text/javascript\">
 		\$(document).ready(function() {
 			\$(\"#debug\").append(\"$s\");
 		});
 		</script>";
-					}
+}
 
-					// this function returns a HTML colour code ranging between red and green, with yellow in the middle based on the percent passed into it
-					function colour_to_percent($percent)
-					{
-						// 0 is red
-						// 50 is yellow
-						// 100 is green
+// this function returns a HTML colour code ranging between red and green, with yellow in the middle based on the percent passed into it
+function colour_to_percent($percent)
+{
+	// 0 is red
+	// 50 is yellow
+	// 100 is green
 
-						if ($percent <= 50)
-							$red = 255;
-						else
-							$red = (100 - $percent) * 2 / 100 * 255;;
+	if ($percent <= 50)
+		$red = 255;
+	else
+		$red = (100 - $percent) * 2 / 100 * 255;
+	;
 
-						if ($percent > 50)
-							$green = 255;
-						else
-							$green = ($percent) * 2 / 100 * 255;;
+	if ($percent > 50)
+		$green = 255;
+	else
+		$green = ($percent) * 2 / 100 * 255;
+	;
 
-						//    echo "red=$red";
-						//    echo "green=$green";
-						$str = '#' . sprintf('%02s', dechex($red)) . sprintf('%02s', dechex($green)) . '00';
-						return $str;
-					}
+	//    echo "red=$red";
+	//    echo "green=$green";
+	$str = '#' . sprintf('%02s', dechex($red)) . sprintf('%02s', dechex($green)) . '00';
+	return $str;
+}
 
-					function format_duration($seconds, $granularity = 2)
-					{
-						$units = array(
-							'1 year|:count years' => 31536000,
-							'1 week|:count weeks' => 604800,
-							'1 day|:count days' => 86400,
-							'1 hour|:count hours' => 3600,
-							'1 min|:count min' => 60,
-							'1 sec|:count sec' => 1
-						);
-						$output = '';
-						// $output.=time()." - ".$timestamp." = ".$seconds;
-						foreach ($units as $key => $value) {
-							$key = explode('|', $key);
-							if ($seconds >= $value) {
-								$count = floor($seconds / $value);
-								$output .= ($output ? ' ' : '');
-								$output .= ($count == 1) ? $key[0] : str_replace(':count', $count, $key[1]);
-								$seconds %= $value;
-								$granularity--;
-							}
-							if ($granularity == 0) {
-								break;
-							}
-						}
-						return $output ? $output : '0 sec';
-					}
+function format_duration($seconds, $granularity = 2)
+{
+	$units = array(
+		'1 year|:count years' => 31536000,
+		'1 week|:count weeks' => 604800,
+		'1 day|:count days' => 86400,
+		'1 hour|:count hours' => 3600,
+		'1 min|:count min' => 60,
+		'1 sec|:count sec' => 1
+	);
+	$output = '';
+	// $output.=time()." - ".$timestamp." = ".$seconds;
+	foreach ($units as $key => $value) {
+		$key = explode('|', $key);
+		if ($seconds >= $value) {
+			$count = floor($seconds / $value);
+			$output .= ($output ? ' ' : '');
+			$output .= ($count == 1) ? $key[0] : str_replace(':count', $count, $key[1]);
+			$seconds %= $value;
+			$granularity--;
+		}
+		if ($granularity == 0) {
+			break;
+		}
+	}
+	return $output ? $output : '0 sec';
+}
 
-					function getTextFromHtml($html)
-					{
-						// first, replace an </p> with </p><br />
-						$text = str_replace('</p>', '</p><br />', $html);
-						// next, replace a </div> with </div><br />
-						$text = str_replace('</div>', '</div><br />', $html);
-						// now replace any <br /> with newlines
-						$text = preg_replace('<br[[:space:]]*/?[[:space:]]*>', chr(13) . chr(10), $text);
-						// and strip the rest of the tags
-						$text = strip_tags($text);
+function getTextFromHtml($html)
+{
+	// first, replace an </p> with </p><br />
+	$text = str_replace('</p>', '</p><br />', $html);
+	// next, replace a </div> with </div><br />
+	$text = str_replace('</div>', '</div><br />', $html);
+	// now replace any <br /> with newlines
+	$text = preg_replace('<br[[:space:]]*/?[[:space:]]*>', chr(13) . chr(10), $text);
+	// and strip the rest of the tags
+	$text = strip_tags($text);
 
-						// a few common html entities
-						// replace &amp; with & first, so multiply-encoded entities will decode (like "&amp;#160;")
-						$text = str_replace('&amp;', '&', $text);
-						$text = str_replace('&nbsp;', ' ', $text);
-						$text = str_replace('&#160;', ' ', $text);
-						$text = str_replace('&lt;', '<', $text);
-						$text = str_replace('&gt;', '>', $text);
+	// a few common html entities
+	// replace &amp; with & first, so multiply-encoded entities will decode (like "&amp;#160;")
+	$text = str_replace('&amp;', '&', $text);
+	$text = str_replace('&nbsp;', ' ', $text);
+	$text = str_replace('&#160;', ' ', $text);
+	$text = str_replace('&lt;', '<', $text);
+	$text = str_replace('&gt;', '>', $text);
 
-						// text version should always wrap at 75 chars, some mail severs wont accept
-						// mail with very long lines
-						$text = wordwrap($text, 75, "\n", true);
+	// text version should always wrap at 75 chars, some mail severs wont accept
+	// mail with very long lines
+	$text = wordwrap($text, 75, "\n", true);
 
-						return $text;
-					}
+	return $text;
+}
 
-					function getUserForSponsor($sponsor_id)
-					{
-						global $pdo;
-						// loop through each contact and draw a form with their data in it.
-						$q = $pdo->prepare("SELECT *,MAX(year) FROM users LEFT JOIN users_sponsor ON users_sponsor.users_id=users.id
+function getUserForSponsor($sponsor_id)
+{
+	global $pdo;
+	// loop through each contact and draw a form with their data in it.
+	$q = $pdo->prepare("SELECT *,MAX(year) FROM users LEFT JOIN users_sponsor ON users_sponsor.users_id=users.id
 	WHERE 
-	sponsors_id='" . $sponsor_id . "' 
+	sponsors_id=?
     AND types LIKE '%sponsor%'
     GROUP BY uid
 	HAVING deleted='no' 
 	ORDER BY users_sponsor.primary DESC,lastname,firstname
 	LIMIT 1
     ");
-						$q->execute();
-						$r = $q->fetch();
-						return user_load_by_uid($r->uid);
-					}
+	$q->execute([$sponsor_id]);
+	$r = $q->fetch();
+	return user_load_by_uid($r->uid);
+}
 
-					function projectdivisions_load($year = false)
-					{
-						global $config, $pdo;
-						if ($year == false)
-							$year = $config['FAIRYEAR'];
-						$divs = array();
-						$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year='$year'");
-						$q->execute();
-						while ($d = $q->fetch(PDO::FETCH_ASSOC))
-							$divs[$d['id']] = $d;
-						return $divs;
-					}
+function projectdivisions_load($year = false)
+{
+	global $config, $pdo;
+	if ($year == false)
+		$year = $config['FAIRYEAR'];
+	$divs = array();
+	$q = $pdo->prepare('SELECT * FROM projectdivisions WHERE year=?');
+	$q->execute([$year]);
+	while ($d = $q->fetch(PDO::FETCH_ASSOC))
+		$divs[$d['id']] = $d;
+	return $divs;
+}
 
-					function projectcategories_load($year = false)
-					{
-						global $config, $pdo;
-						if ($year == false)
-							$year = $config['FAIRYEAR'];
-						$cats = array();
-						$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year='$year'");
-						$q->execute();
-						while ($c = $q->fetch(PDO::FETCH_ASSOC))
-							$cats[$c['id']] = $c;
-						return $cats;
-					}
+function projectcategories_load($year = false)
+{
+	global $config, $pdo;
+	if ($year == false)
+		$year = $config['FAIRYEAR'];
+	$cats = array();
+	$q = $pdo->prepare('SELECT * FROM projectcategories WHERE year=?');
+	$q->execute([$year]);
+	while ($c = $q->fetch(PDO::FETCH_ASSOC))
+		$cats[$c['id']] = $c;
+	return $cats;
+}
 
-					// Converts the numeric value "$val" to an English text representation of it (e.g. "two thousand four").
-					// If the "$monetize" flag is set to true, then it's formatted to be useable on printed cheques (e.g. "***** Two Thousand Four 00/100 *****".
-					function wordify($val, $monetize = false)
-					{
-						$digits = array('zero', 'one', 'two', 'three', 'four', 'five', 'six', 'seven', 'eight', 'nine');
-						if ($monetize) {
-							$pennies = intval(($val - intval($val)) * 100);
-							$returnval = 'and ' . sprintf('%02d', $pennies) . '/100';
-						} else if ($val != intval($val)) {
-							$dec = $val - intval($val);
-							$returnval = 'point';
-							while ($dec) {
-								$dec *= 10;
-								$returnval .= ' ' . smallIntToText(intval($dec));
-								$dec -= intval($dec);
-							}
-						}
-						$val = intval($val);
-						$powerofthousand = array(
-							'',
-							'Thousand',
-							'Million',
-							'Billion',
-							'trillion',
-							'quadrillion'
-						);
-						$n = 0;
-						if (!$val) {
-							$returnval = 'Zero ' . $returnval;
-						} else {
-							while ($val > 0) {
-								$sectionVal = $val % 1000;
-								if ($sectionVal != 0) {
-									$sectionText = smallIntToText($sectionVal);
-									if ($powerofthousand[$n] != '') {
-										$returnval = $sectionText . ' ' . $powerofthousand[$n] . ' ' . $returnval;
-									} else {
-										$returnval = $sectionText . ' ' . $returnval;
-									}
-								}
-								$val = intval($val / 1000);
-								$n++;
-							}
-						}
-						if ($monetize)
-							$returnval = '***' . $returnval;
-						return $returnval;
-					}
+// Converts the numeric value "$val" to an English text representation of it (e.g. "two thousand four").
+// If the "$monetize" flag is set to true, then it's formatted to be useable on printed cheques (e.g. "***** Two Thousand Four 00/100 *****".
+function wordify($val, $monetize = false)
+{
+	$digits = array('zero', 'one', 'two', 'three', 'four', 'five', 'six', 'seven', 'eight', 'nine');
+	if ($monetize) {
+		$pennies = intval(($val - intval($val)) * 100);
+		$returnval = 'and ' . sprintf('%02d', $pennies) . '/100';
+	} else if ($val != intval($val)) {
+		$dec = $val - intval($val);
+		$returnval = 'point';
+		while ($dec) {
+			$dec *= 10;
+			$returnval .= ' ' . smallIntToText(intval($dec));
+			$dec -= intval($dec);
+		}
+	}
+	$val = intval($val);
+	$powerofthousand = array(
+		'',
+		'Thousand',
+		'Million',
+		'Billion',
+		'trillion',
+		'quadrillion'
+	);
+	$n = 0;
+	if (!$val) {
+		$returnval = 'Zero ' . $returnval;
+	} else {
+		while ($val > 0) {
+			$sectionVal = $val % 1000;
+			if ($sectionVal != 0) {
+				$sectionText = smallIntToText($sectionVal);
+				if ($powerofthousand[$n] != '') {
+					$returnval = $sectionText . ' ' . $powerofthousand[$n] . ' ' . $returnval;
+				} else {
+					$returnval = $sectionText . ' ' . $returnval;
+				}
+			}
+			$val = intval($val / 1000);
+			$n++;
+		}
+	}
+	if ($monetize)
+		$returnval = '***' . $returnval;
+	return $returnval;
+}
 
-					// Converts a number between zero and one thousand to Canadian English text
-					function smallIntToText($number)
-					{
-						$number %= 1000;
-						$rvals = array(
-							0 => 'Zero',
-							1 => 'One',
-							2 => 'Two',
-							3 => 'Three',
-							4 => 'Four',
-							5 => 'Five',
-							6 => 'Six',
-							7 => 'Seven',
-							8 => 'Eight',
-							9 => 'Nine',
-							10 => 'Ten',
-							11 => 'Eleven',
-							12 => 'Twelve',
-							13 => 'Thirteen',
-							14 => 'Fourteen',
-							15 => 'Fifteen',
-							16 => 'Sixteen',
-							17 => 'Seventeen',
-							18 => 'Eighteen',
-							19 => 'Nineteen',
-							20 => 'Twenty',
-							30 => 'Thirty',
-							40 => 'Forty',
-							50 => 'Fifty',
-							60 => 'Sixty',
-							70 => 'Seventy',
-							80 => 'Eighty',
-							90 => 'Ninety',
-						);
-						if (array_key_exists($number, $rvals))
-							return $rvals[$number];
-						$returnval = '';
-						if ($number >= 100) {
-							$hundred = intval($number / 100);
-							$returnval = $rvals[$hundred] . ' Hundred';
-							$number -= 100 * $hundred;
-						}
-						if (array_key_exists($number, $rvals)) {
-							if ($number > 0)
-								$returnval .= ' ' . $rvals[$number];
-							return $returnval;
-						}
-						if ($number >= 10) {
-							$ten = intval($number / 10);
-							if ($returnval != '')
-								$returnval .= ' ';
-							$returnval .= $rvals[10 * $ten];
-							$number -= 10 * $ten;
-						}
-						if ($number > 0) {
-							$returnval .= ' ' . $rvals[$number];
-						}
-						return $returnval;
-					}
+// Converts a number between zero and one thousand to Canadian English text
+function smallIntToText($number)
+{
+	$number %= 1000;
+	$rvals = array(
+		0 => 'Zero',
+		1 => 'One',
+		2 => 'Two',
+		3 => 'Three',
+		4 => 'Four',
+		5 => 'Five',
+		6 => 'Six',
+		7 => 'Seven',
+		8 => 'Eight',
+		9 => 'Nine',
+		10 => 'Ten',
+		11 => 'Eleven',
+		12 => 'Twelve',
+		13 => 'Thirteen',
+		14 => 'Fourteen',
+		15 => 'Fifteen',
+		16 => 'Sixteen',
+		17 => 'Seventeen',
+		18 => 'Eighteen',
+		19 => 'Nineteen',
+		20 => 'Twenty',
+		30 => 'Thirty',
+		40 => 'Forty',
+		50 => 'Fifty',
+		60 => 'Sixty',
+		70 => 'Seventy',
+		80 => 'Eighty',
+		90 => 'Ninety',
+	);
+	if (array_key_exists($number, $rvals))
+		return $rvals[$number];
+	$returnval = '';
+	if ($number >= 100) {
+		$hundred = intval($number / 100);
+		$returnval = $rvals[$hundred] . ' Hundred';
+		$number -= 100 * $hundred;
+	}
+	if (array_key_exists($number, $rvals)) {
+		if ($number > 0)
+			$returnval .= ' ' . $rvals[$number];
+		return $returnval;
+	}
+	if ($number >= 10) {
+		$ten = intval($number / 10);
+		if ($returnval != '')
+			$returnval .= ' ';
+		$returnval .= $rvals[10 * $ten];
+		$number -= 10 * $ten;
+	}
+	if ($number > 0) {
+		$returnval .= ' ' . $rvals[$number];
+	}
+	return $returnval;
+}
 
 ?>
\ No newline at end of file
diff --git a/config/backuprestore.php b/config/backuprestore.php
index 555c775c..9c655ceb 100644
--- a/config/backuprestore.php
+++ b/config/backuprestore.php
@@ -40,12 +40,12 @@ if (get_value_from_array($_GET, 'action') == 'backup') {
 	$dump .= '#SFIAB FAIR NAME: ' . $config['fairname'] . "\n";
 	$dump .= "#-------------------------------------------------\n";
 
-	$tableq = $pdo->prepare("SHOW TABLES FROM `$DBNAME`");
+	$tableq = $pdo->prepare("SHOW TABLES FROM $DBNAME");
 	$tableq->execute();
 	while ($tr = $tableq->fetch(PDO::FETCH_NUM)) {
 		$table = $tr[0];
 		$dump .= "#TABLE: $table\n";
-		$columnq = $pdo->prepare("SHOW COLUMNS FROM `$table`");
+		$columnq = $pdo->prepare("SHOW COLUMNS FROM $table");
 		$columnq->execute();
 		$str = "INSERT INTO `$table` (";
 		unset($fields);
@@ -57,7 +57,7 @@ if (get_value_from_array($_GET, 'action') == 'backup') {
 		$str = substr($str, 0, -1);
 		$str .= ') VALUES (';
 
-		$dataq = $pdo->prepare("SELECT * FROM `$table` ORDER BY `{$fields[0]}`");
+		$dataq = $pdo->prepare("SELECT * FROM `$table` ORDER BY $fields[0]");
 		$dataq->execute();
 		while ($data = $dataq->fetch(PDO::FETCH_OBJ)) {
 			$insertstr = $str;
@@ -178,7 +178,7 @@ if (get_value_from_array($_GET, 'action') == 'backup') {
 			$line = trim($line);
 			if (mb_ereg('^#TABLE: (.*)', $line, $args)) {
 				// empty out the table
-				$sql = 'TRUNCATE TABLE `' . $args[1] . '`';
+				$sql = "TRUNCATE TABLE $args[1]";
 				//			echo $sql."\n";
 
 				$stmt = $pdo->prepare($sql);
@@ -226,13 +226,13 @@ if (get_value_from_array($_GET, 'action') == 'backup') {
 			user_purge($judge, 'judge');
 		} else {
 			// Find max year of judge
-			$max_year_query = $pdo->prepare('SELECT year FROM users WHERE uid = ' . $judge['uid'] . ' ORDER BY year DESC limit 1');
-			$max_year_query->execute();
+			$max_year_query = $pdo->prepare('SELECT year FROM users WHERE uid =? ORDER BY year DESC limit 1');
+			$max_year_query->execute([$judge['uid']]);
 			$judge_max_year = $max_year_query->fetch(PDO::FETCH_ASSOC);
 			// Grab old judge info.
 			// Old judge info consists of all entries in the database that are not the most recent for the specific judge
-			$deletable = $pdo->prepare('SELECT * FROM users WHERE uid =' . $judge['uid'] . ' AND year NOT LIKE ' . $judge_max_year['year']);
-			$deletable->execute();
+			$deletable = $pdo->prepare('SELECT * FROM users WHERE uid =? AND year NOT LIKE ?');
+			$deletable->execute([$judge['uid'],$judge_max_year['year']]);
 			// and if they have old data from previous fair years
 			if ($deletable->rowCount() > 0) {
 				// delete old data one by one
@@ -260,8 +260,8 @@ if (get_value_from_array($_GET, 'action') == 'backup') {
 		error(i18n($pdo->errorInfo()[0]));
 	}
 } else if (get_value_from_array($_POST, 'action') == 'clean_parents') {
-	$query_parents = $pdo->prepare('SELECT * FROM users WHERE types LIKE "parent" AND year !=' . $config['FAIRYEAR']);
-	$query_parents->execute();
+	$query_parents = $pdo->prepare('SELECT * FROM users WHERE types LIKE "parent" AND year !=?');
+	$query_parents->execute([$config['FAIRYEAR']]);
 	while ($parent = $query_parents->fetch(PDO::FETCH_ASSOC)) {
 		if (!is_array($parent['types'])) {
 			$parent['types'] = array($parent['types']);
diff --git a/config/categories.php b/config/categories.php
index b388e43c..23df2b87 100644
--- a/config/categories.php
+++ b/config/categories.php
@@ -42,21 +42,21 @@ if (get_value_from_array($_GET, 'action') == 'edit' || get_value_from_array($_GE
 if (get_value_from_array($_POST, 'action') == 'edit') {
 	// ues isset($_POST['mingrade']) instead of just $_POST['mingrade'] to allow entering 0 for kindergarden
 	if (get_value_from_array($_POST, 'id') && get_value_from_array($_POST, 'category') && isset($_POST['mingrade']) && $_POST['maxgrade']) {
-		$q = $pdo->prepare("SELECT id FROM projectcategories WHERE id='" . $_POST['id'] . "' AND year='" . $config['FAIRYEAR'] . "'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT id FROM projectcategories WHERE id=? AND year=?");
+		$q->execute([$_POST['id'],$config['FAIRYEAR']]);
 		show_pdo_errors_if_any($pdo);
 		if ($q->rowCount() && $_POST['saveid'] != $_POST['id']) {
 			echo error(i18n('Category ID %1 already exists', array($_POST['id']), array('category ID')));
 		} else {
 			$stmt = $pdo->prepare('UPDATE projectcategories SET '
-				. "id='" . $_POST['id'] . "', "
-				. "category='" . stripslashes($_POST['category']) . "', "
-				. "category_shortform='" . stripslashes($_POST['category_shortform']) . "', "
-				. "mingrade='" . $_POST['mingrade'] . "', "
-				. "maxgrade='" . $_POST['maxgrade'] . "' "
-				. "WHERE id='" . $_POST['saveid'] . "'");
+				. "id=?, "
+				. "category=?, "
+				. "category_shortform=?, "
+				. "mingrade=?, "
+				. "maxgrade=?"
+				. "WHERE id=?");
 			echo happy(i18n('Category successfully saved'));
-			$stmt->execute();
+			$stmt->execute([$_POST['id'],stripslashes($_POST['category']),stripslashes($_POST['category_shortform']),$_POST['mingrade'],$_POST['maxgrade'],$_POST['saveid']]);
 		}
 	} else {
 		echo error(i18n('All fields are required'));
@@ -66,19 +66,20 @@ if (get_value_from_array($_POST, 'action') == 'edit') {
 if (get_value_from_array($_POST, 'action') == 'new') {
 	// ues isset($_POST['mingrade']) instead of just $_POST['mingrade'] to allow entering 0 for kindergarden
 	if (get_value_from_array($_POST, 'id') && $_POST['category'] && isset($_POST['mingrade']) && $_POST['maxgrade']) {
-		$q = $pdo->prepare("SELECT id FROM projectcategories WHERE id='" . $_POST['id'] . "' AND year='" . $config['FAIRYEAR'] . "'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT id FROM projectcategories WHERE id=? AND year=?");
+		$q->execute([$_POST['id'],$config['FAIRYEAR']]);
 		if ($q->rowCount()) {
 			echo error(i18n('Category ID %1 already exists', array($_POST['id']), array('category ID')));
 		} else {
-			$stmt = $pdo->prepare('INSERT INTO projectcategories (id,category,category_shortform,mingrade,maxgrade,year) VALUES ( '
-				. "'" . $_POST['id'] . "', "
-				. "'" . stripslashes($_POST['category']) . "', "
-				. "'" . stripslashes($_POST['category_shortform']) . "', "
-				. "'" . $_POST['mingrade'] . "', "
-				. "'" . $_POST['maxgrade'] . "', "
-				. "'" . $config['FAIRYEAR'] . "')");
-			$stmt->execute();
+			$stmt = $pdo->prepare('INSERT INTO projectcategories (id,category,category_shortform,mingrade,maxgrade,year) VALUES (
+				?,
+				?, 
+				?, 
+				?, 
+				?, 
+				?)');
+			$stmt->execute([$_POST['id'],stripslashes($_POST['category']),stripslashes($_POST['category_shortform']),
+			$_POST['mingrade'],$_POST['maxgrade'],$config['FAIRYEAR']]);
 			echo happy(i18n('Category successfully added'));
 		}
 	} else {
@@ -89,11 +90,11 @@ if (get_value_from_array($_POST, 'action') == 'new') {
 if (get_value_from_array($_GET, 'action') == 'remove' && get_value_from_array($_GET, 'remove')) {
 	// ###### Feature Specific - filtering divisions by category - not conditional, cause even if they have the filtering turned off..if any links
 	// for this division exist they should be deleted
-	$stmt = $pdo->prepare("DELETE FROM projectcategoriesdivisions_link where projectcategories_id='" . $_GET['remove'] . "' AND year='" . $config['FAIRYEAR'] . "'");
-	$stmt->execute();
+	$stmt = $pdo->prepare("DELETE FROM projectcategoriesdivisions_link where projectcategories_id=? AND year=?");
+	$stmt->execute([$_GET['remove'],$config['FAIRYEAR']]);
 	// ####
-	$stmt = $pdo->prepare("DELETE FROM projectcategories WHERE id='" . $_GET['remove'] . "' AND year='" . $config['FAIRYEAR'] . "'");
-	$stmt->execute();
+	$stmt = $pdo->prepare("DELETE FROM projectcategories WHERE id=? AND year=?");
+	$stmt->execute([$_GET['remove'],$config['FAIRYEAR']]);
 	echo happy(i18n('Category successfully removed'));
 }
 
@@ -118,8 +119,8 @@ if (get_value_from_array($_GET, 'action') == 'edit' || get_value_from_array($_GE
 	echo '<input type="hidden" name="action" value="' . get_value_from_array($_GET, 'action') . "\">\n";
 	if (get_value_from_array($_GET, 'action') == 'edit') {
 		echo '<input type="hidden" name="saveid" value="' . get_value_from_array($_GET, 'edit') . "\">\n";
-		$q = $pdo->prepare("SELECT * FROM projectcategories WHERE id='" . get_value_from_array($_GET, 'edit') . "' AND year='" . $config['FAIRYEAR'] . "'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT * FROM projectcategories WHERE id=? AND year=?");
+		$q->execute([get_value_from_array($_GET, 'edit'),$config['FAIRYEAR']]);
 		$categoryr = $q->fetch(PDO::FETCH_OBJ);
 		$buttontext = 'Save';
 	} else if (get_value_from_array($_GET, 'action') == 'new') {
@@ -135,8 +136,8 @@ if (get_value_from_array($_GET, 'action') == 'edit' || get_value_from_array($_GE
 	echo ' <td><input type="submit" value="' . i18n($buttontext) . '"></td>';
 	echo '</tr>';
 } else {
-	$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY mingrade");
-	$q->execute();
+	$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year=? ORDER BY mingrade");
+	$q->execute([$config['FAIRYEAR']]);
 	while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 		echo '<tr>';
 		echo " <td align=\"center\">$r->id</td>";
diff --git a/config/dates.php b/config/dates.php
index 5b49acd4..58f1c740 100644
--- a/config/dates.php
+++ b/config/dates.php
@@ -57,8 +57,8 @@ if (get_value_from_array($_POST, 'action') == 'save') {
 			$d = stripslashes($val);
 			$t = stripslashes($_POST['savetimes'][$key]);
 			$v = "$d $t";
-			$stmt = $pdo->prepare("UPDATE dates SET date='$v' WHERE year='" . $config['FAIRYEAR'] . "' AND id='$key'");
-			$stmt->execute();
+			$stmt = $pdo->prepare("UPDATE dates SET date=? WHERE year=? AND id=?");
+			$stmt->execute([$v,$config['FAIRYEAR'],$key]);
 		}
 	}
 	echo happy(i18n('Dates successfully saved'));
@@ -83,8 +83,8 @@ $dates = array('fairdate' => array(),
 
 /* Now copy the SQL data into the above array */
 
-$q = $pdo->prepare("SELECT * FROM dates WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY date");
-$q->execute();
+$q = $pdo->prepare("SELECT * FROM dates WHERE year=? ORDER BY date");
+$q->execute([$config['FAIRYEAR']]);
 while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 	$dates[$r->name]['description'] = $r->description;
 	$dates[$r->name]['id'] = $r->id;
@@ -131,12 +131,12 @@ foreach ($dates as $dn => $d) {
 		$def = $defaultdates[$dn];
 		// hmm if we dont have a record for this date this year, INSERT the sql from the default
 		$stmt = $pdo->prepare("INSERT INTO dates (date,name,description,year) VALUES (
-			'" . $def->date . "',
-			'" . $dn . "',
-			'" . $def->description . "',
-			'" . $config['FAIRYEAR'] . "'
+			?,
+			?,
+			?,
+			?
 			)");
-		$stmt->execute();
+		$stmt->execute([$def->date,$dn,$def->description,$config['FAIRYEAR']]);
 		$d['id'] = $pdo->lastInsertId();
 		$d['description'] = $def->description;
 		$d['date'] = $def->date;
diff --git a/config/divisions.php b/config/divisions.php
index 81af49d8..51f71511 100644
--- a/config/divisions.php
+++ b/config/divisions.php
@@ -45,29 +45,26 @@ if (get_value_from_array($_GET, 'action') == 'edit' || get_value_from_array($_GE
 
 if (get_value_from_array($_POST, 'action') == 'edit') {
 	if (get_value_from_array($_POST, 'id') && get_value_from_array($_POST, 'division')) {
-		$q = $pdo->prepare("SELECT id FROM projectdivisions WHERE id='" . $_POST['id'] . "' AND year='" . $config['FAIRYEAR'] . "'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT id FROM projectdivisions WHERE id=? AND year=?");
+		$q->execute([$_POST['id'],$config['FAIRYEAR']]);
 		if ($q->rowCount() && $_POST['saveid'] != $_POST['id']) {
 			echo error(i18n('Division ID %1 already exists', array($_POST['id']), array('division ID')));
 		} else {
 			$stmt = $pdo->prepare('UPDATE projectdivisions SET '
-				. "id='" . $_POST['id'] . "', "
-				. "division='" . stripslashes($_POST['division']) . "', "
-				. "division_shortform='" . stripslashes($_POST['division_shortform']) . "' "
-				. "WHERE id='" . $_POST['saveid'] . "' AND year='{$config['FAIRYEAR']}'");
-			$stmt->execute();
+				. "id=?, "
+				. "division=?, "
+				. "division_shortform=?"
+				. "WHERE id=? AND year=?");
+			$stmt->execute([$_POST['id'],stripslashes($_POST['division']),stripslashes($_POST['division_shortform']),$_POST['saveid'],$config['FAIRYEAR']]);
 
 			// ###### Feature Specific - filtering divisions by category
 			if ($config['filterdivisionbycategory'] == 'yes') {
-				$stmt = $pdo->prepare("DELETE FROM projectcategoriesdivisions_link WHERE projectdivisions_id='" . $_POST['saveid'] . "' AND year='" . $config['FAIRYEAR'] . "'");
-				$stmt->execute();
+				$stmt = $pdo->prepare("DELETE FROM projectcategoriesdivisions_link WHERE projectdivisions_id=? AND year=?");
+				$stmt->execute([ $_POST['saveid'],$config['FAIRYEAR']]);
 				if (is_array($_POST['divcat'])) {
 					foreach ($_POST['divcat'] as $tempcat) {
-						$stmt = $pdo->prepare('INSERT INTO projectcategoriesdivisions_link (projectdivisions_id,projectcategories_id,year) VALUES ( '
-							. "'" . $_POST['id'] . "', "
-							. "'" . $tempcat . "', "
-							. "'" . $config['FAIRYEAR'] . "') ");
-						$stmt->execute();
+						$stmt = $pdo->prepare('INSERT INTO projectcategoriesdivisions_link (projectdivisions_id,projectcategories_id,year) VALUES (?,?,?)');
+						$stmt->execute([$_POST['id'],$tempcat,$config['FAIRYEAR']]);
 					}
 				}
 			}
@@ -82,25 +79,19 @@ if (get_value_from_array($_POST, 'action') == 'edit') {
 
 if (get_value_from_array($_POST, 'action') == 'new') {
 	if (get_value_from_array($_POST, 'id') && get_value_from_array($_POST, 'division')) {
-		$q = $pdo->prepare("SELECT id FROM projectdivisions WHERE id='" . $_POST['id'] . "' AND year='" . $config['FAIRYEAR'] . "'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT id FROM projectdivisions WHERE id=? AND year=?");
+		$q->execute([$_POST['id'],$config['FAIRYEAR']]);
 		if ($q->rowCount()) {
 			echo error(i18n('Division ID %1 already exists', array($_POST['id']), array('division ID')));
 		} else {
-			$stmt = $pdo->prepare('INSERT INTO projectdivisions (id,division,division_shortform,year) VALUES ( '
-				. "'" . $_POST['id'] . "', "
-				. "'" . stripslashes($_POST['division']) . "', "
-				. "'" . stripslashes($_POST['division_shortform']) . "', "
-				. "'" . $config['FAIRYEAR'] . "') ");
-			$stmt->execute();
+			$stmt = $pdo->prepare('INSERT INTO projectdivisions (id,division,division_shortform,year) VALUES (?,?,?,?)');
+			$stmt->execute([$_POST['id'],stripslashes($_POST['division']),stripslashes($_POST['division_shortform']),$config['FAIRYEAR']]);
 
 			// ###### Feature Specific - filtering divisions by category
 			if ($config['filterdivisionbycategory'] == 'yes') {
 				foreach ($_POST['divcat'] as $tempcat) {
-					$stmt = $pdo->prepare('INSERT INTO projectcategoriesdivisions_link (projectdivisions_id,projectcategories_id,year) VALUES ( '
-						. "'" . $tempcat . "', "
-						. "'" . $config['FAIRYEAR'] . "') ");
-					$stmt->execute();
+					$stmt = $pdo->prepare('INSERT INTO projectcategoriesdivisions_link (projectdivisions_id,projectcategories_id,year) VALUES (?,?)');
+					$stmt->execute([$tempcat,$conference['id']]);
 				}
 			}
 			// #######
@@ -114,10 +105,10 @@ if (get_value_from_array($_POST, 'action') == 'new') {
 if (get_value_from_array($_GET, 'action') == 'remove' && get_value_from_array($_GET, 'remove')) {
 	// ###### Feature Specific - filtering divisions by category - not conditional, cause even if they have the filtering turned off..if any links
 	// for this division exist they should be deleted
-	$stmt = $pdo->prepare("DELETE FROM projectcategoriesdivisions_link where projectdivisions_id='" . $_GET['remove'] . "' AND year='" . $config['FAIRYEAR'] . "'");
-	$stmt->execute();
-	$stmt = $pdo->prepare("DELETE FROM projectdivisions WHERE id='" . $_GET['remove'] . "' AND year='" . $config['FAIRYEAR'] . "'");
-	$stmt->execute();
+	$stmt = $pdo->prepare("DELETE FROM projectcategoriesdivisions_link where projectdivisions_id=? AND year=?");
+	$stmt->execute([$_GET['remove'], $config['FAIRYEAR']]);
+	$stmt = $pdo->prepare("DELETE FROM projectdivisions WHERE id=? AND year=?");
+	$stmt->execute([$_GET['remove'],$config['FAIRYEAR']]);
 	echo happy(i18n('Division successfully removed'));
 }
 
@@ -142,8 +133,8 @@ if (get_value_from_array($_GET, 'action') == 'edit' || get_value_from_array($_GE
 	echo '<input type="hidden" name="action" value="' . get_value_from_array($_GET, 'action') . "\">\n";
 	if (get_value_from_array($_GET, 'action') == 'edit') {
 		echo '<input type="hidden" name="saveid" value="' . get_value_from_array($_GET, 'edit') . "\">\n";
-		$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE id='" . get_value_from_array($_GET, 'edit') . "' AND year='" . $config['FAIRYEAR'] . "'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE id=? AND year=?");
+		$q->execute([get_value_from_array($_GET, 'edit'),$config['FAIRYEAR']]);
 		$divisionr = $q->fetch(PDO::FETCH_OBJ);
 
 		$buttontext = 'Save';
@@ -158,12 +149,12 @@ if (get_value_from_array($_GET, 'action') == 'edit' || get_value_from_array($_GE
 	// ###### Feature Specific - filtering divisions by category
 	if ($config['filterdivisionbycategory'] == 'yes') {
 		echo ' <td>';
-		$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY mingrade");
-		$q->execute();
+		$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year=? ORDER BY mingrade");
+		$q->execute([$config['FAIRYEAR']]);
 		while ($categoryr = $q->fetch(PDO::FETCH_OBJ)) {
-			$query = 'SELECT * FROM projectcategoriesdivisions_link WHERE projectdivisions_id=' . $divisionr->id . ' AND projectcategories_id=' . $categoryr->id . " AND year='" . $config['FAIRYEAR'] . "'";
+			$query = 'SELECT * FROM projectcategoriesdivisions_link WHERE projectdivisions_id=? AND projectcategories_id=? AND year=?';
 			$t = $pdo->prepare($query);
-			$t->execute();
+			$t->execute([$divisionr->id,$categoryr->id,$config['FAIRYEAR']]);
 			if ($t && $t->rowCount() > 0)
 				echo "<nobr><input type=\"checkbox\" name=\"divcat[]\" value=\"$categoryr->id\" checked=\"checked\" /> $categoryr->category</nobr><br/>";
 			else
@@ -175,8 +166,8 @@ if (get_value_from_array($_GET, 'action') == 'edit' || get_value_from_array($_GE
 	echo ' <td><input type="submit" value="' . i18n($buttontext) . '" /></td>';
 	echo '</tr>';
 } else {
-	$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY id");
-	$q->execute();
+	$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year=? ORDER BY id");
+	$q->execute([$config['FAIRYEAR']]);
 	while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 		echo '<tr>';
 		echo " <td>$r->id</td>";
@@ -186,11 +177,11 @@ if (get_value_from_array($_GET, 'action') == 'edit' || get_value_from_array($_GE
 		if ($config['filterdivisionbycategory'] == 'yes') {
 			$c = $pdo->prepare("SELECT category FROM projectcategoriesdivisions_link, projectcategories 
 					WHERE projectcategoriesdivisions_link.projectcategories_id = projectcategories.id
-				AND projectdivisions_id='$r->id'
-				AND projectcategoriesdivisions_link.year='" . $config['FAIRYEAR'] . "'
-				AND projectcategories.year='" . $config['FAIRYEAR'] . "'
+				AND projectdivisions_id=?
+				AND projectcategoriesdivisions_link.year=?
+				AND projectcategories.year=?
 				ORDER BY projectcategories.mingrade");
-			$c->execute();
+			$c->execute([$r->id,$config['FAIRYEAR'],$config['FAIRYEAR']]);
 			show_pdo_errors_if_any($pdo);
 			if (!$c) {
 				$tempcat = '&nbsp;';
diff --git a/config/divisions_cwsf.php b/config/divisions_cwsf.php
index 46accfe8..cc68b9c3 100644
--- a/config/divisions_cwsf.php
+++ b/config/divisions_cwsf.php
@@ -35,8 +35,8 @@ send_header('CWSF Project Divisions',
 // //// FIX ME!!!!!
 if (count(get_value_from_array($_POST, 'cwsfdivision', []))) {
 	foreach ($_POST['cwsfdivision'] AS $k => $v) {
-		$stmt = $pdo->prepare("UPDATE projectdivisions SET cwsfdivisionid='$v' WHERE id='$k' AND year='" . $config['FAIRYEAR'] . "'");
-		$stmt->execute();
+		$stmt = $pdo->prepare("UPDATE projectdivisions SET cwsfdivisionid=? WHERE id=? AND year=?");
+		$stmt->execute([$v,$k,$config['FAIRYEAR']]);
 	}
 	echo happy(i18n('Corresponding CWSF divisions saved'));
 }
@@ -53,8 +53,8 @@ echo '<th>' . i18n('Your Division') . "</th>\n";
 echo '<th>' . i18n('Corresponding CWSF Division') . "</th>\n";
 echo '</tr>';
 
-$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY id");
-$q->execute();
+$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year=? ORDER BY id");
+$q->execute([$config['FAIRYEAR']]);
 while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 	echo '<tr>';
 	echo ' <td>' . i18n($r->division) . '</td>';
diff --git a/config/languagepacks.php b/config/languagepacks.php
index 3b86a000..e85b1f0e 100644
--- a/config/languagepacks.php
+++ b/config/languagepacks.php
@@ -88,7 +88,7 @@ if (get_value_from_array($_GET, 'action') == 'install' && get_value_from_array($
 	$packs = loadLanguagePacks();
 	$loaded = 0;
 	if ($packs[$_GET['install']]) {
-		$lines = file("http://www.sfiab.ca/languages/{$packs[$_GET['install']]['filename']}");
+		$lines = file("http://www.sfiab.ca/languages/?");
 		$totallines = count($lines);
 		$numtranslations = round($totallines / 2);
 		echo i18n('There are %1 translations in this language pack... processing...', array($numtranslations));
@@ -98,7 +98,7 @@ if (get_value_from_array($_GET, 'action') == 'install' && get_value_from_array($
 
 				if (substr($line, 0, 6) == 'UPDATE' || substr($line, 0, 6) == 'INSERT') {
 					$stmt = $pdo->prepare($line);
-					$stmt->execute();
+					$stmt->execute([$packs[$_GET['install']]['filename']]);
 					$a = $pdo->rowwCount();
 					$loaded += $a;
 				} else
diff --git a/config/pagetexts.php b/config/pagetexts.php
index ac0746ee..62946565 100644
--- a/config/pagetexts.php
+++ b/config/pagetexts.php
@@ -43,18 +43,19 @@
  while($r=$q->fetch(PDO::FETCH_OBJ))
  {
 	 foreach($config['languages'] AS $lang=>$langname) {
-		$q_current = $pdo->prepare("SELECT * FROM pagetext WHERE year=".$pdo->quote($config['FAIRYEAR'])." and textname=".$pdo->quote($r->textname)."");
-		$q_current->execute();
+		$q_current = $pdo->prepare("SELECT * FROM pagetext WHERE year=? and textname=?");
+		$q_current->execute([$pdo->quote($config['FAIRYEAR']),$pdo->quote($r->textname)]);
 
 		if ($q_current->rowCount() == 0) {
 			$q1 = $pdo->prepare("INSERT INTO pagetext (`textname`,`textdescription`,`text`,`year`,`lang`) VALUES (
-				".$pdo->quote($r->textname).",
-				".$pdo->quote($r->textdescription).",
-				".$pdo->quote($r->text).",
-				".$pdo->quote($config['FAIRYEAR']).",
-				".$pdo->quote($lang).")");
+				?,
+				?,
+				?,
+				?,
+				?)");
 		
-			$q1->execute();
+			$q1->execute([$pdo->quote($r->textname),$pdo->quote($r->textdescription),$pdo->quote($r->text),
+			$pdo->quote($config['FAIRYEAR']),$pdo->quote($lang)]);
 		}
     }
  }
@@ -69,12 +70,12 @@
 		$stmt = $pdo->prepare("UPDATE pagetext 
 				SET 
 					lastupdate=NOW(), 
-					text=$text
+					text=?
 				WHERE 
-					textname=".$pdo->quote($_POST['textname'])." 
-					AND year='".$config['FAIRYEAR']."'
-					AND lang='$lang'");
-		$stmt->execute();
+					textname=? 
+					AND year=?
+					AND lang=?");
+		$stmt->execute([$text,$pdo->quote($_POST['textname']),$config['FAIRYEAR'],$lang]);
 	}
 	echo happy(i18n("Page texts successfully saved"));
 
@@ -82,8 +83,8 @@
 
  if(get_value_from_array($_GET, 'textname'))
  {
-	$q=$pdo->prepare("SELECT * FROM pagetext WHERE textname='".$_GET['textname']."' AND year='".$config['FAIRYEAR']."'");
-	$q->execute();
+	$q=$pdo->prepare("SELECT * FROM pagetext WHERE textname=? AND year=?");
+	$q->execute([$_GET['textname'],$config['FAIRYEAR']]);
 	//needs to be at least one entry in any languages
 	if($r=$q->fetch(PDO::FETCH_OBJ))
 	{
@@ -93,14 +94,14 @@
 
 
 		foreach($config['languages'] AS $lang=>$langname) {
-			$q=$pdo->prepare("SELECT * FROM pagetext WHERE textname='".$_GET['textname']."' AND year='".$config['FAIRYEAR']."' AND lang='$lang'");
-			$q->execute();
+			$q=$pdo->prepare("SELECT * FROM pagetext WHERE textname=? AND year=? AND lang=?");
+			$q->execute([$_GET['textname'],$config['FAIRYEAR'],$lang]);
 			$r=$q->fetch(PDO::FETCH_OBJ);
 
 			if(!$r)
 			{
-					$stmt = $pdo->prepare("INSERT INTO pagetext (textname,year,lang) VALUES ('".$pdo->quote($_GET['textname'])."','".$config['FAIRYEAR']."','$lang')");
-					$stmt->execute();
+					$stmt = $pdo->prepare("INSERT INTO pagetext (textname,year,lang) VALUES (?,?,?)");
+					$stmt->execute([$pdo->quote($_GET['textname']),$config['FAIRYEAR'],$lang]);
 					show_pdo_errors_if_any($pdo);
 			}
 
@@ -140,8 +141,8 @@
 	 echo i18n("Choose a page text to edit");
 	 echo "<table class=\"summarytable\">";
 
-	 $q=$pdo->prepare("SELECT * FROM pagetext WHERE year='".$config['FAIRYEAR']."' AND lang='".$config['default_language']."' ORDER BY textname");
-	$q->execute();
+	 $q=$pdo->prepare("SELECT * FROM pagetext WHERE year=? AND lang=? ORDER BY textname");
+	$q->execute([$config['FAIRYEAR'],$config['default_language']]);
 	 echo "<tr><th>".i18n("Page Text Description")."</th><th>".i18n("Last Update")."</th></tr>";
 	 while($r=$q->fetch(PDO::FETCH_OBJ))
 	 {
diff --git a/config/rollover.php b/config/rollover.php
index e537b090..a61fe54c 100644
--- a/config/rollover.php
+++ b/config/rollover.php
@@ -66,7 +66,7 @@ function roll($currentfairyear, $newfairyear, $table, $where = '', $replace = ar
 	 */
 
 	/* Get field list for this table */
-	$q = $pdo->prepare("SHOW COLUMNS IN `$table`");
+	$q = $pdo->prepare("SHOW COLUMNS IN $table");
 	$q->execute();
 	show_pdo_errors_if_any($pdo);
 	while (($c = $q->fetch(PDO::FETCH_ASSOC))) {
@@ -91,8 +91,8 @@ function roll($currentfairyear, $newfairyear, $table, $where = '', $replace = ar
 		$where = '1';
 
 	/* Get data */
-	$q = $pdo->prepare("SELECT * FROM $table WHERE year='$currentfairyear' AND $where");
-	$q->execute();
+	$q = $pdo->prepare("SELECT * FROM $table WHERE year=? AND $where");
+	$q->execute([$currentfairyear]);
 	show_pdo_errors_if_any($pdo);
 	$names = '`' . join('`,`', $fields) . '`';
 
@@ -108,8 +108,8 @@ function roll($currentfairyear, $newfairyear, $table, $where = '', $replace = ar
 				$vals .= ',' . $pdo->quote($r[$f]);
 		}
 
-		$stmt = $pdo->prepare("INSERT INTO `$table`(`year`,$names) VALUES ('$newfairyear'$vals)");
-		$stmt->execute();
+		$stmt = $pdo->prepare("INSERT INTO `$table` (`year`,?) VALUES (?,?)");
+		$stmt->execute([$names,$newfairyear,$vals]);
 		show_pdo_errors_if_any($pdo);
 	}
 }
@@ -134,119 +134,119 @@ if (get_value_from_array($_POST, 'action') == 'rollover' && get_value_from_array
 
 		// now the dates
 		echo i18n('Rolling dates') . '<br />';
-		$q = $pdo->prepare("SELECT DATE_ADD(date,INTERVAL 365 DAY) AS newdate,name,description FROM dates WHERE year='$currentfairyear'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT DATE_ADD(date,INTERVAL 365 DAY) AS newdate,name,description FROM dates WHERE year=?");
+		$q->execute([$currentfairyear]);
 		show_pdo_errors_if_any($pdo);
 		while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 			$stmt = $pdo->prepare("INSERT INTO dates (date,name,description,year) VALUES (
-				'" . $r->newdate . "',
-				'" . $r->name . "',
-				'" . $r->description . "',
-				'" . $newfairyear . "')");
-			$stmt->execute();
+				?,
+				?,
+				?,
+				?)");
+			$stmt->execute([$r->newdate,$r->name,$r->description,$newfairyear]);
 			show_pdo_errors_if_any($pdo);
 		}
 
 		// page text
 		echo i18n('Rolling page texts') . '<br />';
-		$q = $pdo->prepare("SELECT * FROM pagetext WHERE year='$currentfairyear'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT * FROM pagetext WHERE year=?");
+		$q->execute([$currentfairyear]);
 		show_pdo_errors_if_any($pdo);
 		while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 			$stmt = $pdo->prepare("INSERT INTO pagetext (textname,textdescription,text,lastupdate,year,lang) VALUES (
-				'" . $r->textname . "',
-				'" . $r->textdescription . "',
-				'" . $r->text . "',
-				'" . $r->lastupdate . "',
-				'" . $newfairyear . "',
-                '" . $r->lang . "')");
-			$stmt->execute();
+				?,
+				?,
+				?,
+				?,
+				?,
+                ?)");
+			$stmt->execute([$r->textname,$r->textdescription,$r->text,$r->lastupdate,$newfairyear,$r->lang]);
 			show_pdo_errors_if_any($pdo);
 		}
 
 		echo i18n('Rolling project categories') . '<br />';
 		// project categories
-		$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year='$currentfairyear'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year=?");
+		$q->execute([$currentfairyear]);
 		show_pdo_errors_if_any($pdo);
 		while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 			$stmt = $pdo->prepare("INSERT INTO projectcategories (id,category,category_shortform,mingrade,maxgrade,year) VALUES (
-				'" . $r->id . "',
-				'" . $r->category . "',
-				'" . $r->category_shortform . "',
-				'" . $r->mingrade . "',
-				'" . $r->maxgrade . "',
-				'" . $newfairyear . "')");
-			$stmt->execute();
+				?,
+				?,
+				?,
+				?,
+				?,
+				?)");
+			$stmt->execute([$r->id,$r->category,$r->category_shortform,$r->mingrade,$r->maxgrade,$newfairyear]);
 			show_pdo_errors_if_any($pdo);
 		}
 
 		echo i18n('Rolling project divisions') . '<br />';
 		// project divisions
-		$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year='$currentfairyear'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year=?");
+		$q->execute([$currentfairyear]);
 		show_pdo_errors_if_any($pdo);
 		while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 			$stmt = $pdo->prepare("INSERT INTO projectdivisions (id,division,division_shortform,cwsfdivisionid,year) VALUES (
-				'" . $r->id . "',
-				'" . $r->division . "',
-				'" . $r->division_shortform . "',
-				'" . $r->cwsfdivisionid . "',
-				'" . $newfairyear . "')");
-			$stmt->execute();
+				?,
+				?,
+				?,
+				?,
+				?)");
+			$stmt->execute([$r->id,$r->division,$r->division_shortform,$r->cwsfdivisionid,$newfairyear]);
 			show_pdo_errors_if_any($pdo);
 		}
 
 		echo i18n('Rolling project category-division links') . '<br />';
 		// project categories divisions links
-		$q = $pdo->prepare("SELECT * FROM projectcategoriesdivisions_link WHERE year='$currentfairyear'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT * FROM projectcategoriesdivisions_link WHERE year=?");
+		$q->execute([$currentfairyear]);
 		show_pdo_errors_if_any($pdo);
 		while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 			$stmt = $pdo->prepare("INSERT INTO projectcategoriesdivisions_link (projectdivisions_id,projectcategories_id,year) VALUES (
-				'" . $r->projectdivisions_id . "',
-				'" . $r->projectcategories_id . "',
-				'" . $newfairyear . "')");
-			$stmt->execute();
+				?,
+				?,
+				?)");
+			$stmt->execute([$r->projectdivisions_id,$r->projectcategories_id ,$newfairyear]);
 			show_pdo_errors_if_any($pdo);
 		}
 
 		echo i18n('Rolling project sub-divisions') . '<br />';
 		// project subdivisions
-		$q = $pdo->prepare("SELECT * FROM projectsubdivisions WHERE year='$currentfairyear'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT * FROM projectsubdivisions WHERE year=?");
+		$q->execute([$currentfairyear]);
 		show_pdo_errors_if_any($pdo);
 		while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 			$stmt = $pdo->prepare("INSERT INTO projectsubdivisions (id,projectdivisions_id,subdivision,year) VALUES (
-				'" . $r->id . "',
-				'" . $r->projectsubdivisions_id . "',
-				'" . $r->subdivision . "',
-				'" . $newfairyear . "')");
-			$stmt->execute();
+				?,
+				?,
+				?,
+				?)");
+			$stmt->execute([$r->id,$r->projectsubdivisions_id,$r->subdivision,$newfairyear]);
 			show_pdo_errors_if_any($pdo);
 		}
 
 		echo i18n('Rolling safety questions') . '<br />';
 		// safety questions
-		$q = $pdo->prepare("SELECT * FROM safetyquestions WHERE year='$currentfairyear'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT * FROM safetyquestions WHERE year=?");
+		$q->execute([$currentfairyear]);
 		show_pdo_errors_if_any($pdo);
 		while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 			$stmt = $pdo->prepare("INSERT INTO safetyquestions (question,type,required,ord,year) VALUES (
-				'" . $r->question . "',
-				'" . $r->type . "',
-				'" . $r->required . "',
-				'" . $r->ord . "',
-				'" . $newfairyear . "')");
-			$stmt->execute();
+				?,
+				?,
+				?,
+				?,
+				?");
+			$stmt->execute([$r->question,$r->type,$r->required ,$r->ord,$newfairyear]);
 			show_pdo_errors_if_any($pdo);
 		}
 
 		echo i18n('Rolling awards') . '<br />';
 		// awards
 
-		$q = $pdo->prepare("SELECT * FROM award_awards WHERE year='$currentfairyear'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT * FROM award_awards WHERE year=?");
+		$q->execute([$currentfairyear]);
 		show_pdo_errors_if_any($pdo);
 		while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 			/* Roll the one award */
@@ -265,69 +265,42 @@ if (get_value_from_array($_POST, 'action') == 'rollover' && get_value_from_array
 
 		echo i18n('Rolling award types') . '<br />';
 		// award types
-		$q = $pdo->prepare("SELECT * FROM award_types WHERE year='$currentfairyear'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT * FROM award_types WHERE year=?");
+		$q->execute([$currentfairyear]);
 		show_pdo_errors_if_any($pdo);
 		while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 			$stmt = $pdo->prepare("INSERT INTO award_types (id,type,`order`,year) VALUES (
-				'" . $r->id . "',
-				'" . $r->type . "',
-				'" . $r->order . "',
-				'" . $newfairyear . "')");
-			$stmt->execute();
+				?,
+				?,
+				?,
+				?)");
+			$stmt->execute([$r->id,$r->type,$r->order,$newfairyear]);
 			show_pdo_errors_if_any($pdo);
 		}
 
 		echo i18n('Rolling schools') . '<br />';
 		// award types
-		$q = $pdo->prepare("SELECT * FROM schools WHERE year='$currentfairyear'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT * FROM schools WHERE year=?");
+		$q->execute([$currentfairyear]);
 		show_pdo_errors_if_any($pdo);
 		while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 			$puid = ($r->principal_uid == null) ? 'NULL' : ("'" . intval($r->principal_uid) . "'");
 			$shuid = ($r->sciencehead_uid == null) ? 'NULL' : ("'" . intval($r->sciencehead_uid) . "'");
 
-			$stmt = $pdo->prepare('INSERT INTO schools (school,schoollang,schoollevel,board,district,phone,fax,address,city,province_code,postalcode,principal_uid,schoolemail,sciencehead_uid,accesscode,lastlogin,junior,intermediate,senior,registration_password,projectlimit,projectlimitper,year) VALUES (
-				' . $pdo->quote($r->school) . ',
-				' . $pdo->quote($r->schoollang) . ',
-				' . $pdo->quote($r->schoollevel) . ',
-				' . $pdo->quote($r->board) . ',
-				' . $pdo->quote($r->district) . ',
-				' . $pdo->quote($r->phone) . ',
-				' . $pdo->quote($r->fax) . ',
-				' . $pdo->quote($r->address) . ',
-				' . $pdo->quote($r->city) . ',
-				' . $pdo->quote($r->province_code) . ',
-				' . $pdo->quote($r->postalcode) . ",$puid,
-				" . $pdo->quote($r->schoolemail) . ",$shuid,
-				" . $pdo->quote($r->accesscode) . ',
-				NULL,
-				' . $pdo->quote($r->junior) . ',
-				' . $pdo->quote($r->intermediate) . ',
-				' . $pdo->quote($r->senior) . ',
-				' . $pdo->quote($r->registration_password) . ',
-				' . $pdo->quote($r->projectlimit) . ',
-				' . $pdo->quote($r->projectlimitper) . ',
-				' . $newfairyear . ')');
-			$stmt->execute();
+			$stmt = $pdo->prepare('INSERT INTO schools (school, schoollang, schoollevel, board, district, phone, fax, address, city, province_code, postalcode, principal_uid, schoolemail, sciencehead_uid, accesscode, lastlogin, junior, intermediate, senior, registration_password, projectlimit, projectlimitper, year) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, NULL, ?, ?, ?, ?, ?, ?, ?)');
+			$stmt->execute([$r->school, $r->schoollang, $r->schoollevel, $r->board, $r->district, $r->phone, $r->fax, $r->address, $r->city, $r->province_code, $r->postalcode, $puid, $r->schoolemail, $shuid, $r->accesscode, $r->junior, $r->intermediate, $r->senior, $r->registration_password, $r->projectlimit, $r->projectlimitper, $newfairyear]);
+			
 			show_pdo_errors_if_any($pdo);
 		}
 
 		echo i18n('Rolling questions') . '<br />';
-		$q = $pdo->prepare("SELECT * FROM questions WHERE year='$currentfairyear'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT * FROM questions WHERE year=?");
+		$q->execute([$currentfairyear]);
 		show_pdo_errors_if_any($pdo);
 		while ($r = $q->fetch(PDO::FETCH_OBJ)) {
-			$stmt = $pdo->prepare("INSERT INTO questions (id,year,section,db_heading,question,type,required,ord) VALUES (
-				'',
-				'$newfairyear',
-				" . $pdo->quote($r->section) . ',
-				' . $pdo->quote($r->db_heading) . ',
-				' . $pdo->quote($r->question) . ',
-				' . $pdo->quote($r->type) . ',
-				' . $pdo->quote($r->required) . ',
-				' . $pdo->quote($r->ord) . ')');
-			$stmt->execute();
+			$stmt = $pdo->prepare("INSERT INTO questions (id, year, section, db_heading, question, type, required, ord) VALUES ('', ?, ?, ?, ?, ?, ?, ?)");
+			$stmt->execute([$newfairyear, $r->section, $r->db_heading, $r->question, $r->type, $r->required, $r->ord]);
+
 			show_pdo_errors_if_any($pdo);
 		}
 
@@ -341,32 +314,32 @@ if (get_value_from_array($_POST, 'action') == 'rollover' && get_value_from_array
 
 		// timeslots and rounds
 		echo i18n('Rolling judging timeslots and rounds') . '<br />';
-		$q = $pdo->prepare("SELECT * FROM judges_timeslots WHERE year='$currentfairyear' AND round_id='0'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT * FROM judges_timeslots WHERE year=? AND round_id='0'");
+		$q->execute([$currentfairyear]);
 		show_pdo_errors_if_any($pdo);
 		while ($r = $q->fetch(PDO::FETCH_ASSOC)) {
 			$d = $newfairyear - $currentfairyear;
 			$stmt = $pdo->prepare("INSERT INTO judges_timeslots (`year`,`round_id`,`type`,`date`,`starttime`,`endtime`,`name`)
-				VALUES ('$newfairyear','0','{$r['type']}',DATE_ADD('{$r['date']}', INTERVAL $d YEAR),
-					'{$r['starttime']}','{$r['endtime']}','{$r['name']}')");
-			$stmt->execute();
+				VALUES (?,'0',?,DATE_ADD(?, INTERVAL ? YEAR),
+					?,?,?)");
+			$stmt->execute([$newfairyear,$r['type'],$r['date'],$d,$r['starttime'],$r['endtime'],$r['name']]);
 			show_pdo_errors_if_any($pdo);
 			$round_id = $pdo->lastInsertId();
-			$qq = $pdo->prepare("SELECT * FROM judges_timeslots WHERE round_id='{$r['id']}'");
-			$qq->execute();
+			$qq = $pdo->prepare("SELECT * FROM judges_timeslots WHERE round_id=?");
+			$qq->execute([$r['id']]);
 			show_pdo_errors_if_any($pdo);
 			while ($rr = $qq->fetch(PDO::FETCH_ASSOC)) {
 				$stmt = $pdo->prepare("INSERT INTO judges_timeslots (`year`,`round_id`,`type`,`date`,`starttime`,`endtime`)
-						VALUES ('$newfairyear','$round_id','timeslot',DATE_ADD('{$rr['date']}', INTERVAL $d YEAR),
-							'{$rr['starttime']}','{$rr['endtime']}')");
-				$stmt->execute();
+						VALUES (?,?,'timeslot',DATE_ADD(?, INTERVAL ? YEAR),
+							?,?)");
+				$stmt->execute([$newfairyear,$round_id,$rr['date'],$d,$rr['starttime'],$rr['endtime']]);
 				show_pdo_errors_if_any($pdo);
 			}
 		}
 
 		echo '<br /><br />';
-		$stmt = $pdo->prepare("UPDATE config SET val='$newfairyear' WHERE var='FAIRYEAR' AND year=0");
-		$stmt->execute();
+		$stmt = $pdo->prepare("UPDATE config SET val=? WHERE var='FAIRYEAR' AND year=0");
+		$stmt->execute([$newfairyear]);
 		show_pdo_errors_if_any($pdo);
 		echo happy(i18n('Fair year has been rolled over from %1 to %2', array($currentfairyear, $newfairyear)));
 		send_footer();
diff --git a/config/rolloverfiscal.php b/config/rolloverfiscal.php
index e2a7133c..8d5401e6 100644
--- a/config/rolloverfiscal.php
+++ b/config/rolloverfiscal.php
@@ -82,8 +82,8 @@ function rolloverfiscalyear($newYear)
 
 	// first we'll roll over fundraising_campaigns:
 	$fields = '`name`,`type`,`startdate`,`enddate`,`followupdate`,`active`,`target`,`fundraising_goal`,`filterparameters`';
-	$q = $pdo->prepare("SELECT $fields FROM fundraising_campaigns WHERE fiscalyear = $oldYear");
-	$q->execute();
+	$q = $pdo->prepare("SELECT $fields FROM fundraising_campaigns WHERE fiscalyear =?");
+	$q->execute([$oldYear]);
 
 	while ($pdo->errorInfo()[0] == 0 && $r = $q->fetch(PDO::FETCH_ASSOC)) {
 		foreach (array('startdate', 'enddate', 'followupdate') as $dateField) {
@@ -100,16 +100,16 @@ function rolloverfiscalyear($newYear)
 		foreach ($values as $idx => $val) {
 			$values[$idx] = $val;
 		}
-		$query = 'INSERT INTO fundraising_campaigns (`' . implode('`,`', $fields) . "`) VALUES('" . implode("','", $values) . "')";
+		$query = 'INSERT INTO fundraising_campaigns (`' . implode('`,`', $fields) . "`) VALUES(?)";
 		$stmt = $pdo->prepare($query);
-		$stmt->execute();
+		$stmt->execute([implode("','", $values)]);
 	}
 
 	// next we'll hit findraising_donor_levels
 	$fields = '`level`,`min`,`max`,`description`';
 	if ($pdo->errorInfo()[0] == 0)
-		$q = $pdo->prepare("SELECT $fields FROM fundraising_donor_levels WHERE fiscalyear = $oldYear");
-	$q->execute();
+		$q = $pdo->prepare("SELECT $fields FROM fundraising_donor_levels WHERE fiscalyear =?");
+	$q->execute([$oldYear]);
 	while ($pdo->errorInfo()[0] == 0 && $r = $q->fetch(PDO::FETCH_ASSOC)) {
 		$r['fiscalyear'] = $newYear;
 		$fields = array_keys($r);
@@ -117,16 +117,16 @@ function rolloverfiscalyear($newYear)
 		foreach ($values as $idx => $val) {
 			$values[$idx] = $val;
 		}
-		$query = 'INSERT INTO fundraising_donor_levels (`' . implode('`,`', $fields) . "`) VALUES('" . implode("','", $values) . "')";
+		$query = 'INSERT INTO fundraising_donor_levels (`' . implode('`,`', $fields) . "`) VALUES(?)";
 		$stmt = $pdo->prepare($query);
-		$stmt->execute();
+		$stmt->execute([implode("','", $values)]);
 	}
 
 	// and now we'll do findraising_goals
 	$fields = '`goal`,`name`,`description`,`system`,`budget`,`deadline`';
 	if ($pdo->errorInfo()[0] == 0) {
-		$q = $pdo->prepare("SELECT $fields FROM fundraising_goals WHERE fiscalyear = $oldYear");
-		$q->execute();
+		$q = $pdo->prepare("SELECT ? FROM fundraising_goals WHERE fiscalyear =?");
+		$q->execute([$fields,$oldYear]);
 	}
 	while ($pdo->errorInfo()[0] == 0 && $r = $q->fetch(PDO::FETCH_ASSOC)) {
 		$dateval = $r['deadline'];
@@ -142,15 +142,15 @@ function rolloverfiscalyear($newYear)
 		foreach ($values as $idx => $val) {
 			$values[$idx] = $val;
 		}
-		$query = 'INSERT INTO fundraising_goals (`' . implode('`,`', $fields) . "`) VALUES('" . implode("','", $values) . "')";
+		$query = 'INSERT INTO fundraising_goals (`' . implode('`,`', $fields) . "`) VALUES(?)";
 		$stmt = $pdo->prepare($query);
-		$stmt->execute();
+		$stmt->execute([implode("','", $values)]);
 	}
 
 	// finally, let's update the fiscal year itself:
 	if ($pdo->errorInfo()[0] == 0) {
-		$stmt = $pdo->prepare("UPDATE config SET val='$newYear' WHERE var='FISCALYEAR'");
-		$stmt->execute();
+		$stmt = $pdo->prepare("UPDATE config SET val=? WHERE var='FISCALYEAR'");
+		$stmt->execute([$newYear]);
 	}
 
 	if ($pdo->errorInfo()[0] == 0) {
diff --git a/config/safetyquestions.php b/config/safetyquestions.php
index 320e54c2..039c73ef 100644
--- a/config/safetyquestions.php
+++ b/config/safetyquestions.php
@@ -36,12 +36,13 @@ if (get_value_from_array($_POST, 'action') == 'save' && get_value_from_array($_P
 			echo notice(i18n('Defaulting non-numeric order value %1 to 0', array($_POST['ord'])));
 
 		$stmt = $pdo->prepare("UPDATE safetyquestions SET 
-				question='" . stripslashes($_POST['question']) . "',
-				`type`='" . stripslashes($_POST['type']) . "',
-				`required`='" . stripslashes($_POST['required']) . "',
-				ord='" . stripslashes($_POST['ord']) . "'
-				WHERE id='" . $_POST['save'] . "' AND year='" . $config['FAIRYEAR'] . "'");
-		$stmt->execute();
+				question=?,
+				`type`=?,
+				`required`=?,
+				ord=?
+				WHERE id=? AND year=?");
+		$stmt->execute([stripslashes($_POST['question']),stripslashes($_POST['type']),stripslashes($_POST['required']),
+		stripslashes($_POST['ord']),$_POST['save'],$config['FAIRYEAR']]);
 		show_pdo_errors_if_any($pdo);
 
 		echo happy(i18n('Safety question successfully saved'));
@@ -52,13 +53,14 @@ if (get_value_from_array($_POST, 'action') == 'save' && get_value_from_array($_P
 if (get_value_from_array($_POST, 'action') == 'new') {
 	if ($_POST['question']) {
 		$stmt = $pdo->prepare("INSERT INTO safetyquestions (question,type,required,ord,year) VALUES ( 
-					'" . stripslashes($_POST['question']) . "',
-					'" . stripslashes($_POST['type']) . "',
-					'" . stripslashes($_POST['required']) . "',
-					'" . stripslashes($_POST['ord']) . "',
-					'" . $config['FAIRYEAR'] . "'
+					?,
+					?,
+					?,
+					?,
+					?
 					)");
-		$stmt->execute();
+		$stmt->execute([stripslashes($_POST['question']),stripslashes($_POST['type']),stripslashes($_POST['required']),
+		stripslashes($_POST['ord']),$config['FAIRYEAR'] ]);
 		show_pdo_errors_if_any($pdo);
 
 		echo happy(i18n('Safety question successfully added'));
@@ -67,8 +69,8 @@ if (get_value_from_array($_POST, 'action') == 'new') {
 }
 
 if (get_value_from_array($_GET, 'action') == 'remove' && get_value_from_array($_GET, 'remove')) {
-	$stmt = $pdo->prepare("DELETE FROM safetyquestions WHERE id='" . $_GET['remove'] . "' AND year='" . $config['FAIRYEAR'] . "'");
-	$stmt->execute();
+	$stmt = $pdo->prepare("DELETE FROM safetyquestions WHERE id=? AND year=?");
+	$stmt->execute([$_GET['remove'],$config['FAIRYEAR']]);
 	echo happy(i18n('Safety question successfully removed'));
 }
 
@@ -82,8 +84,8 @@ if ((get_value_from_array($_GET, 'action') == 'edit' && get_value_from_array($_G
 	} else if ($_GET['action'] == 'edit') {
 		$buttontext = 'Save safety question';
 		echo "<input type=\"hidden\" name=\"action\" value=\"save\">\n";
-		$q = $pdo->prepare("SELECT * FROM safetyquestions WHERE id='" . $_GET['edit'] . "' AND year='" . $config['FAIRYEAR'] . "'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT * FROM safetyquestions WHERE id=? AND year=?");
+		$q->execute([$_GET['edit'],$config['FAIRYEAR'] ]);
 		echo '<input type="hidden" name="save" value="' . $_GET['edit'] . "\">\n";
 		if (!$r = $q->fetch(PDO::FETCH_OBJ)) {
 			$showform = false;
@@ -141,8 +143,8 @@ echo '<br />';
 echo '<a href="safetyquestions.php?action=new">' . i18n('Add new safety question') . '</a>';
 
 echo '<table class="summarytable">';
-$q = $pdo->prepare("SELECT * FROM safetyquestions WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY ord");
-$q->execute();
+$q = $pdo->prepare("SELECT * FROM safetyquestions WHERE year=? ORDER BY ord");
+$q->execute([$config['FAIRYEAR']]);
 echo '<tr><th>' . i18n('Ord') . '</th><th>' . i18n('Question') . '</th><th>' . i18n('Type') . '</th><th>' . i18n('Required') . '</th><th>' . i18n('Actions') . '</th></tr>';
 while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 	echo '<tr>';
diff --git a/config/signaturepage.php b/config/signaturepage.php
index 1afa723f..1b70d811 100644
--- a/config/signaturepage.php
+++ b/config/signaturepage.php
@@ -66,10 +66,10 @@ if (get_value_from_array($_POST, 'action') == 'save') {
     $stmt->bindParam(':text', $val);
     $stmt->execute();
 
-    $stmt = $pdo->prepare("UPDATE signaturepage SET `use`='$usepa', `text`='" . get_value_from_array($_POST, 'postamble') . "' WHERE name='postamble'");
-    $stmt->execute();
-    $stmt = $pdo->prepare("UPDATE signaturepage SET `use`='$userf', `text`='' WHERE name='regfee'");
-    $stmt->execute();
+    $stmt = $pdo->prepare("UPDATE signaturepage SET `use`=?, `text`=? WHERE name='postamble'");
+    $stmt->execute([$usepa,get_value_from_array($_POST, 'postamble')]);
+    $stmt = $pdo->prepare("UPDATE signaturepage SET `use`=?, `text`='' WHERE name='regfee'");
+    $stmt->execute([$userf]);
     echo happy(i18n("$sentence_begin_participationform text successfully saved"));
 }
 
diff --git a/config/subdivisions.php b/config/subdivisions.php
index 7d810540..c59f3f14 100644
--- a/config/subdivisions.php
+++ b/config/subdivisions.php
@@ -41,17 +41,17 @@ if (get_value_from_array($_GET, 'action') == 'edit' || get_value_from_array($_GE
 
 if (get_value_from_array($_POST, 'action') == 'edit') {
 	if (get_value_from_array($_POST, 'id') && get_value_from_array($_POST, 'projectdivisions_id') && get_value_from_array($_POST, 'subdivision')) {
-		$q = $pdo->prepare("SELECT id FROM projectsubdivisions WHERE id='" . $_POST['id'] . "' AND year='" . $config['FAIRYEAR'] . "'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT id FROM projectsubdivisions WHERE id=? AND year=?");
+		$q->execute([$_POST['id'],$config['FAIRYEAR']]);
 		if ($q->rowCount() && $_POST['saveid'] != $_POST['id']) {
 			echo error(i18n('Sub-Division ID %1 already exists', array($_POST['id'])));
 		} else {
 			$stmt = $pdo->prepare('UPDATE projectsubdivisions SET '
-				. "id='" . $_POST['id'] . "', "
-				. "projectdivisions_id='" . $_POST['projectdivisions_id'] . "', "
-				. "subdivision='" . stripslashes($_POST['subdivision']) . "' "
-				. "WHERE id='" . $_POST['saveid'] . "'");
-			$stmt->execute();
+				. "id=?, "
+				. "projectdivisions_id=?, "
+				. "subdivision=?"
+				. "WHERE id=?");
+			$stmt->execute([$_POST['id'],$_POST['projectdivisions_id'],stripslashes($_POST['subdivision']),$_POST['saveid']]);
 			echo happy(i18n('Sub-Division successfully saved'));
 		}
 	} else {
@@ -69,17 +69,13 @@ if (get_value_from_array($_POST, 'action') == 'new') {
 		} else
 			$newid = $_POST['id'];
 
-		$q = $pdo->prepare("SELECT id FROM projectsubdivisions WHERE id='$newid' AND year='" . $config['FAIRYEAR'] . "'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT id FROM projectsubdivisions WHERE id=? AND year=?");
+		$q->execute([$newid,$config['FAIRYEAR']]);
 		if ($q->rowCount()) {
 			echo error(i18n('Sub-Division ID %1 already exists', array($newid)));
 		} else {
-			$stmt = $pdo->prepare('INSERT INTO projectsubdivisions (id,projectdivisions_id,subdivision,year) VALUES ( '
-				. "'$newid', "
-				. "'" . $_POST['projectdivisions_id'] . "', "
-				. "'" . stripslashes($_POST['subdivision']) . "', "
-				. "'" . $config['FAIRYEAR'] . "') ");
-			$stmt->execute();
+			$stmt = $pdo->prepare('INSERT INTO projectsubdivisions (id,projectdivisions_id,subdivision,year) VALUES (?,?,?,?) ');
+			$stmt->execute([$newid,$_POST['projectdivisions_id'],stripslashes($_POST['subdivision']),$config['FAIRYEAR']]);
 			echo happy(i18n('Sub-Division successfully added'));
 		}
 	} else {
@@ -88,8 +84,8 @@ if (get_value_from_array($_POST, 'action') == 'new') {
 }
 
 if (get_value_from_array($_GET, 'action') == 'remove' && get_value_from_array($_GET, 'remove')) {
-	$stmt = $pdo->prepare("DELETE FROM projectsubdivisions WHERE id='" . $_GET['remove'] . "'");
-	$stmt->execute();
+	$stmt = $pdo->prepare("DELETE FROM projectsubdivisions WHERE id=?");
+	$stmt->execute([$_GET['remove']]);
 	echo happy(i18n('Sub-Division successfully removed'));
 }
 
@@ -111,8 +107,8 @@ if (get_value_from_array($_GET, 'action') == 'edit' || get_value_from_array($_GE
 	$divisionr = array();
 	if (get_value_from_array($_GET, 'action') == 'edit') {
 		echo '<input type="hidden" name="saveid" value="' . get_value_from_array($_GET, 'edit') . "\">\n";
-		$q = $pdo->prepare("SELECT * FROM projectsubdivisions WHERE id='" . get_value_from_array($_GET, 'edit') . "' AND year='" . $config['FAIRYEAR'] . "'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT * FROM projectsubdivisions WHERE id=? AND year=?");
+		$q->execute([get_value_from_array($_GET, 'edit'),$config['FAIRYEAR']]);
 		$divisionr = $q->fetch(PDO::FETCH_OBJ);
 		$buttontext = 'Save';
 	} else if ($_GET['action'] == 'new') {
@@ -121,8 +117,8 @@ if (get_value_from_array($_GET, 'action') == 'edit' || get_value_from_array($_GE
 	echo '<tr>';
 	echo ' <td>';
 	echo '<select name="projectdivisions_id">';
-	$dq = $pdo->prepare("SELECT * FROM projectdivisions WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY division");
-	$dq->execute();
+	$dq = $pdo->prepare("SELECT * FROM projectdivisions WHERE year=? ORDER BY division");
+	$dq->execute([$config['FAIRYEAR']]);
 	while ($dr = $dq->fetch(PDO::FETCH_OBJ)) {
 		if ($dr->id == $divisionr->projectdivisions_id)
 			$sel = 'selected="selected"';
@@ -146,12 +142,12 @@ if (get_value_from_array($_GET, 'action') == 'edit' || get_value_from_array($_GE
 					projectsubdivisions,
 					projectdivisions
 				WHERE 
-					projectsubdivisions.year='" . $config['FAIRYEAR'] . "' 
-					AND projectdivisions.year='" . $config['FAIRYEAR'] . "'
+					projectsubdivisions.year=? 
+					AND projectdivisions.year=?
 					AND projectsubdivisions.projectdivisions_id=projectdivisions.id
 				ORDER BY 
 					division,subdivision");
-	$q->execute();
+	$q->execute([$config['FAIRYEAR'],$config['FAIRYEAR']]);
 	show_pdo_errors_if_any($pdo);
 	while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 		echo '<tr>';
diff --git a/config/variables.php b/config/variables.php
index fe6149fd..ea4deb31 100644
--- a/config/variables.php
+++ b/config/variables.php
@@ -32,22 +32,23 @@ $q = $pdo->prepare("SELECT * FROM config WHERE year='-1'");
 $q->execute();
 while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 	$q = $pdo->prepare("INSERT INTO config (var,val,category,type,type_values,ord,description,year) VALUES (
-		'" . $r->var . "',
-		'" . $r->val . "',
-		'" . $r->category . "',
-		'" . $r->type . "',
-		'" . $r->type_values . "',
-		'" . $r->ord . "',
-		'" . $r->description . "',
-		'" . $config['FAIRYEAR'] . "')");
+		?,
+		?,
+		?,
+		?,
+		?,
+		?,
+		?,
+		?)");
+	$q->execute([$r->var,$r->val,$r->category,$r->type,$r->type_values,$r->ord,$r->description,$config['FAIRYEAR']]);
 }
 
 // for the Special category
 if (get_value_from_array($_POST, 'action') == 'save') {
 	if (get_value_from_array($_POST, 'specialconfig')) {
 		foreach ($_POST['specialconfig'] as $key => $val) {
-			$stmt = $pdo->prepare("UPDATE config SET val='" . stripslashes($val) . "' WHERE year='0' AND var='$key'");
-			$stmt->execute();
+			$stmt = $pdo->prepare("UPDATE config SET val=? WHERE year='0' AND var=?");
+			$stmt->execute([stripslashes($val),$key]);
 		}
 	}
 	message_push(happy(i18n('Configuration successfully saved')));
diff --git a/config_editor.inc.php b/config_editor.inc.php
index 96fd2feb..f5087022 100644
--- a/config_editor.inc.php
+++ b/config_editor.inc.php
@@ -29,9 +29,9 @@ include_once ('helper.inc.php');
 function config_editor_load($category, $year)
 {
 	global $pdo;
-	$query = "SELECT * FROM config WHERE year='$year' AND category='$category' ORDER BY ord";
+	$query = "SELECT * FROM config WHERE year=? AND category=? ORDER BY ord";
 	$q = $pdo->prepare($query);
-	$q->execute();
+	$q->execute([$year, $category]);
 	// print_r($pdo->errorInfo());
 
 	$var = array();
@@ -94,10 +94,10 @@ function config_update_variables($fairyear = NULL, $lastfairyear = NULL)
 	 */
 	$q = $pdo->prepare("SELECT config.var FROM `config` 
 		LEFT JOIN `config` AS C2 ON(config.var=C2.var 
-					AND C2.year='$fairyear') 
+					AND C2.year=?) 
 		WHERE config.year=-1 AND C2.year IS NULL");
 
-	$q->execute();
+	$q->execute([$fairyear]);
 	show_pdo_errors_if_any($pdo);
 
 	while ($i = $q->fetch(PDO::FETCH_ASSOC)) {
@@ -108,11 +108,11 @@ function config_update_variables($fairyear = NULL, $lastfairyear = NULL)
 		 * the -1 year, prefer last year's value
 		 */
 		$r2 = $pdo->prepare("SELECT * FROM `config` 
-			WHERE config.var='$var'
-				AND (config.year='$lastfairyear' 
+			WHERE config.var=?
+				AND (config.year=? 
 					OR config.year='-1')
 			ORDER BY config.year DESC");
-		$r2->execute();
+		$r2->execute([$var, $lastfairyear]);
 		show_pdo_errors_if_any($pdo);
 
 		if ($r2->rowCount() < 1) {
@@ -123,17 +123,8 @@ function config_update_variables($fairyear = NULL, $lastfairyear = NULL)
 
 		$v = $r2->fetch(PDO::FETCH_ASSOC);
 
-		$r3 = $pdo->prepare('INSERT INTO config (var,val,category,type,type_values,ord,description,year) VALUES (
-			' . $pdo->quote($v['var']) . ',
-			' . $pdo->quote($v['val']) . ',
-			' . $pdo->quote($v['category']) . ',
-			' . $pdo->quote($v['type']) . ',
-			' . $pdo->quote($v['type_values']) . ',
-			' . $pdo->quote($v['ord']) . ',
-			' . $pdo->quote($v['description']) . ",
-			'$fairyear')");
-
-		$r3->execute();
+		$r3 = $pdo->prepare('INSERT INTO config (var,val,category,type,type_values,ord,description,year) VALUES (?,?,?,?,?,?,?,?)');
+		$r3->execute([$pdo->quote($v['var']),$pdo->quote($v['val']),$pdo->quote($v['category']),$pdo->quote($v['type']),$pdo->quote($v['type_values']),$pdo->quote($v['ord']),$pdo->quote($v['description']),$fairyear]);
 		show_pdo_errors_if_any($pdo);
 	}
 }
diff --git a/confirmed_participants.php b/confirmed_participants.php
index b09870a5..d7eabec4 100644
--- a/confirmed_participants.php
+++ b/confirmed_participants.php
@@ -32,8 +32,8 @@ send_header('Confirmed Participants');
 global $stats_totalstudents;
 // first, lets make sure someone isnt tryint to see something that they arent allowed to!
 
-$q = $pdo->prepare("SELECT (NOW()>'" . $config['dates']['postparticipants'] . "') AS test");
-$q->execute();
+$q = $pdo->prepare("SELECT (NOW()>? AS test");
+$q->execute($config['dates']['postparticipants']);
 $r = $q->fetch(PDO::FETCH_OBJ);
 if ($r->test != 1) {
 	list($d, $t) = explode(' ', $config['dates']['postparticipants']);
@@ -56,16 +56,16 @@ if ($r->test != 1) {
 					LEFT JOIN projectdivisions ON projectdivisions.id=projects.projectdivisions_id
 				WHERE
 					1
-					AND registrations.year='" . $config['FAIRYEAR'] . "' 
-					AND projectcategories.year='" . $config['FAIRYEAR'] . "' 
-					AND projectdivisions.year='" . $config['FAIRYEAR'] . "' 
+					AND registrations.year=? 
+					AND projectcategories.year=?
+					AND projectdivisions.year=?
 					AND (status='complete' OR status='paymentpending')
 				ORDER BY
 					projectcategories.id,
 					projectdivisions.id,
 					projects.projectnumber
 				");
-	$q->execute();
+	$q->execute([$config['FAIRYEAR'], $config['FAIRYEAR'], $config['FAIRYEAR']]);
 
 	// Check for errors after the query execution
 	$errorInfo = $pdo->errorInfo();
@@ -129,11 +129,11 @@ if ($r->test != 1) {
 					FROM
 						students,schools
 					WHERE
-						students.registrations_id='$r->reg_id'
+						students.registrations_id=?
 						AND
 						students.schools_id=schools.id
 					");
-		$sq->execute();
+		$sq->execute([$r->reg_id]);
 
 		// Check for errors after the query execution
 		$errorInfo = $pdo->errorInfo();
diff --git a/contact.php b/contact.php
index 2bf9bc3f..56231fb7 100644
--- a/contact.php
+++ b/contact.php
@@ -39,9 +39,8 @@ if (get_value_from_array($_POST, 'action') == 'send') {
 		if (isEmailAddress(get_value_from_array($_POST, 'fromemail'))) {
 			list($id, $md5email) = explode(':', $_POST['to']);
 
-			$q = $pdo->prepare('SELECT * FROM users WHERE uid=.?. ORDER BY year DESC LIMIT 1');
-			$q->bindParam(1, $id);
-			$q->execute();
+			$q = $pdo->prepare('SELECT * FROM users WHERE uid=? ORDER BY year DESC LIMIT 1');
+			$q->execute([$id]);
 			// if a valid selection is made from the list, then this will always match.
 			if ($md5email == md5($r->email)) {
 				$from = cleanify($_POST['from']) . ' <' . cleanify($_POST['fromemail']) . '>';
@@ -99,11 +98,11 @@ while ($r = $q->fetch(PDO::FETCH_ASSOC)) {
 								users.deleted
 							FROM committees_link 
 							LEFT JOIN users ON users.uid = committees_link.users_uid 
-							WHERE committees_id=' . $r['id'] . '
+							WHERE committees_id=?
 							GROUP BY users.uid
 							ORDER BY ord,users.lastname');
 
-	$q2->execute();
+	$q2->execute([$r['id']]);
 
 	// if there's nobody in this committee, then just skip it and go on to the next one.
 
diff --git a/db/db.update.111.php b/db/db.update.111.php
index a06e669f..1c88a363 100644
--- a/db/db.update.111.php
+++ b/db/db.update.111.php
@@ -3,16 +3,16 @@ function db_update_111_post()
 {
 	global $config, $pdo;
 	// grab the index page
-	$q = $pdo->prepare("SELECT * FROM pagetext WHERE textname='index' AND year='{$config['FAIRYEAR']}'");
-	$q->execute();
+	$q = $pdo->prepare("SELECT * FROM pagetext WHERE textname='index' AND year=?");
+	$q->execute([$config['FAIRYEAR']]);
 	if (!$q->rowCount()) {
 		$q = $pdo->prepare("SELECT * FROM pagetext WHERE textname='index' AND year='-1'");
 		$q->execute();
 	}
 	while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 		// insert it into the CMS under index.html
-		$stmt = $pdo->prepare("INSERT INTO cms (filename,dt,lang,text,showlogo) VALUES ('index.html','$r->lastupdate','$r->lang','" . $r->text . "','1')");
-		$stmt->execute();
+		$stmt = $pdo->prepare("INSERT INTO cms (filename,dt,lang,text,showlogo) VALUES ('index.html',?,?,?,'1')");
+		$stmt->execute([$r->lastupdate,$r->lang,$r->text]);
 	}
 	// and remove it from the pagetext
 	$stmt = $pdo->prepare("DELETE FROM pagetext WHERE textname='index'");
diff --git a/db/db.update.116.php b/db/db.update.116.php
index 7cf337ec..ebab6a87 100644
--- a/db/db.update.116.php
+++ b/db/db.update.116.php
@@ -4,8 +4,8 @@ function db_update_116_post()
 	global $config, $pdo;
 
 	/* Fix the users that have a 0 year */
-	$q = $pdo->prepare("UPDATE `users` SET year={$config['FAIRYEAR']} WHERE year=0");
-	$q->execute();
+	$q = $pdo->prepare("UPDATE `users` SET year=? WHERE year=0");
+	$q->execute([$config['FAIRYEAR']]);
 	show_pdo_errors_if_any($pdo);
 
 	/* Fix users without a username */
@@ -25,8 +25,8 @@ function db_update_116_post()
 		$username = '';
 		for ($x = 0; $x < 16; $x++)
 			$username .= $available[rand(0, $len)];
-		$stmt = $pdo->prepare("UPDATE users SET username='$username' WHERE id='$r->id'");
-		$stmt->execute();
+		$stmt = $pdo->prepare("UPDATE users SET username=? WHERE id=?");
+		$stmt->execute([$username,$r->id]);
 	}
 
 	// okay now finally, there's a chance of duplicates from
@@ -37,9 +37,9 @@ function db_update_116_post()
 	while ($r = $q->fetch(PDO::FETCH_ASSOC)) {
 		$orig_r = $r;
 		$qq = $pdo->prepare("SELECT * FROM `users` WHERE
-					(`username`='{$r['username']}' OR `email`='{$r['email']}')
-					AND `id`!={$r['id']}");
-		$qq->execute();
+					(`username`=? OR `email`=?)
+					AND `id`!=?");
+		$qq->execute([$r['username'],$r['email'],$r['id']]);
 		if ($qq->rowCount() == 0)
 			continue;
 
@@ -93,8 +93,8 @@ function db_update_116_post()
 		}
 		if (count($set)) {
 			$query = join(',', $set);
-			$stmt = $pdo->prepare("UPDATE `users` SET $query WHERE id={$r['id']}");
-			$stmt->execute();
+			$stmt = $pdo->prepare("UPDATE `users` SET ? WHERE id=?");
+			$stmt->execute([$query,$r['id']]);
 			echo "Update query: UPDATE `users` SET $query WHERE id={$r['id']}\n";
 		}
 
@@ -104,13 +104,13 @@ function db_update_116_post()
 
 		echo "Merged... Deleting duplicate and adjusting volunteer tables...\n";
 		/* Delete the dupe */
-		$stmt = $pdo->prepare("DELETE FROM `users` $where_id");
-		$stmt->execute();
+		$stmt = $pdo->prepare("DELETE FROM `users` ?");
+		$stmt->execute([$where_id]);
 		/* Update volunteer linkage */
-		$stmt = $pdo->prepare("UPDATE `users_volunteer` SET `users_id`={$r['id']} $where_users_id");
-		$stmt->execute();
-		$stmt = $pdo->prepare("UPDATE `volunteer_positions_signup` SET `users_id`={$r['id']} $where_users_id");
-		$stmt->execute();
+		$stmt = $pdo->prepare("UPDATE `users_volunteer` SET `users_id`=? ?");
+		$stmt->execute([$r['id'],$where_users_id]);
+		$stmt = $pdo->prepare("UPDATE `volunteer_positions_signup` SET `users_id`=? ?");
+		$stmt->execute([$r['id'],$where_users_id]);
 
 		echo "done with this user.\n";
 	}
@@ -120,9 +120,9 @@ function db_update_116_post()
 	$q->execute();
 	while ($i = $q->fetch(PDO::FETCH_OBJ)) {
 		$stmt = $pdo->prepare("INSERT INTO users_volunteer(`users_id`,`volunteer_active`,`volunteer_complete`)
-				VALUES ('{$i->id}','yes','{$i->complete}')");
+				VALUES (?,'yes',?)");
 
-		$stmt->execute();
+		$stmt->execute([$i->id,$i->complete]);
 	}
 
 	/* Update any remaining volunteer entries */
@@ -130,9 +130,9 @@ function db_update_116_post()
 	$q->execute();
 	while ($i = $q->fetch(PDO::FETCH_OBJ)) {
 		$stmt = $pdo->prepare("UPDATE users_volunteer 
-				SET volunteer_complete='{$i->complete}' 
-				WHERE users_id='{$i->id}'");
-		$stmt->execute();
+				SET volunteer_complete=? 
+				WHERE users_id=?");
+		$stmt->execute([$i->complete,$i->id]);
 		show_pdo_errors_if_any($pdo);
 	}
 
@@ -142,8 +142,8 @@ function db_update_116_post()
 	while ($i = $q->fetch(PDO::FETCH_OBJ)) {
 		$stmt = $pdo->prepare("UPDATE users_committee
 				SET committee_active='yes' 
-				WHERE users_id='{$i->id}'");
-		$stmt->execute();
+				WHERE users_id=?");
+		$stmt->execute([$i->id]);
 		show_pdo_errors_if_any($pdo);
 	}
 
@@ -196,8 +196,8 @@ function db_update_116_post()
 		$updateexclude = array('id', 'uid', 'types', 'username', 'password', 'passwordset', 'oldpassword', 'year', 'created', 'lastlogin', 'firstaid', 'cpr', 'deleted', 'deleteddatetime');
 
 		// check if a user already exists with this username
-		$uq = $pdo->prepare("SELECT * FROM users WHERE (username='" . $j->email . "' OR email='" . $j->email . "') AND year='$j->year'");
-		$uq->execute();
+		$uq = $pdo->prepare("SELECT * FROM users WHERE (username? OR email=?) AND year=?");
+		$uq->execute([$j->email,$j->email,$j->year]);
 		if ($j->email && $ur = $uq->fetch(PDO::FETCH_OBJ)) {
 			$id = $ur->id;
 			echo "Using existing users.id=$id for judges.id=$j->id because email address/year ($j->email/$j->year) matches\n";
@@ -208,9 +208,9 @@ function db_update_116_post()
 					$sqlset .= "`$f`='" . $j->$f . "', ";
 				}
 			}
-			$sql = "UPDATE users SET $sqlset `types`='{$ur->types},judge',`username`='" . $j->email . "' WHERE id='$id'";
+			$sql = "UPDATE users SET ? `types`=?,judge',`username`=? WHERE id=?";
 			$stmt = $pdo->prepare($sql);
-			$stmt->execute();
+			$stmt->execute([$sqlset,$ur->types,$j->email,$id]);
 			show_pdo_errors_if_any($pdo);
 			echo "   Updated user record with judge info, but only merged:\n";
 			echo "   ($sqlset)\n";
@@ -218,14 +218,14 @@ function db_update_116_post()
 			/* Insert the judge */
 			$fields = '`' . join('`,`', array_keys($u)) . '`';
 			$vals = "'" . join("','", array_values($u)) . "'";
-			$q = $pdo->prepare("INSERT INTO users ($fields) VALUES ($vals)");
-			$q->execute();
+			$q = $pdo->prepare("INSERT INTO users (?) VALUES (?)");
+			$q->execute([$fields,$vals]);
 			$id = $pdo->lastInsertId();
 
 			if ($map[$j->id]['uid'] == '') {
 				$map[$j->id]['uid'] = $id;
-				$q = $pdo->prepare("UPDATE users SET `uid`='$id' WHERE id='$id'");
-				$q->execute();
+				$q = $pdo->prepare("UPDATE users SET `uid`=? WHERE id=?");
+				$q->execute([$id,$id]);
 			}
 		}
 
@@ -246,8 +246,8 @@ function db_update_116_post()
 		//			$j->attending_lunch,
 
 		/* catprefs */
-		$q = $pdo->prepare("SELECT * FROM judges_catpref WHERE judges_id='{$j->id}' AND year='{$j->year}'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT * FROM judges_catpref WHERE judges_id=? AND year=?");
+		$q->execute([$j->id,$j->year]);
 		$catpref = array();
 		while ($i = $q->fetch(PDO::FETCH_OBJ)) {
 			$catpref[$i->projectcategories_id] = $i->rank;
@@ -256,8 +256,8 @@ function db_update_116_post()
 		$uj['cat_prefs'] = serialize($catpref);
 
 		/* divprefs and subdivision prefs */
-		$q = $pdo->prepare("SELECT * FROM judges_expertise WHERE judges_id='{$j->id}' AND year='{$j->year}'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT * FROM judges_expertise WHERE judges_id=? AND year=?");
+		$q->execute([$j->id,$j->year]);
 		$divpref = array();
 		$divsubpref = array();
 		while ($i = $q->fetch(PDO::FETCH_OBJ)) {
@@ -270,8 +270,8 @@ function db_update_116_post()
 		$uj['divsub_prefs'] = serialize($divsubpref);
 
 		/* languages */
-		$q = $pdo->prepare("SELECT * FROM judges_languages WHERE judges_id='{$j->id}'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT * FROM judges_languages WHERE judges_id=?");
+		$q->execute([$j->id]);
 		$langs = array();
 
 		while ($i = $q->fetch(PDO::FETCH_OBJ)) {
@@ -291,8 +291,8 @@ function db_update_116_post()
 			'willing_chair' => 'Willing Chair');
 		foreach ($qmap as $field => $head) {
 			/* Find the question ID */
-			$q = $pdo->prepare("SELECT id FROM questions WHERE year='{$j->year}' AND db_heading='{$head}'");
-			$q->execute();
+			$q = $pdo->prepare("SELECT id FROM questions WHERE year=? AND db_heading=?");
+			$q->execute([$j->year,$head]);
 			if ($q->rowCount() == 0) {
 				echo "Warning: Question '$head' for judge {$j->id} doesn't exist in year '{$j->year}', cannot copy answer.\n";
 				continue;
@@ -302,10 +302,10 @@ function db_update_116_post()
 
 			/* Now find the answer */
 			$q = $pdo->prepare("SELECT * FROM question_answers WHERE 
-					year='{$j->year}' AND 
-					registrations_id='{$j->id}' AND
-					questions_id='{$i->id}'");
-			$q->execute();
+					year=? AND 
+					registrations_id=? AND
+					questions_id=?");
+			$q->execute([$j->year,$j->id,$i->id]);
 			show_pdo_errors_if_any($pdo);
 			if ($q->rowCount() == 0) {
 				echo "Warning: Judge {$j->id} did not answer question '$head' in year '{$j->year}', cannot copy answer.\n";
@@ -319,8 +319,8 @@ function db_update_116_post()
 
 		$fields = '`' . join('`,`', array_keys($uj)) . '`';
 		$vals = "'" . join("','", array_values($uj)) . "'";
-		$q = $pdo->prepare("INSERT INTO users_judge ($fields) VALUES ($vals)");
-		$q->execute();
+		$q = $pdo->prepare("INSERT INTO users_judge (?) VALUES (?)");
+		$q->execute([$fields,$vals]);
 		show_pdo_errors_if_any($pdo);
 
 		/*
@@ -329,24 +329,24 @@ function db_update_116_post()
 		 */
 
 		/* judges_teams_link */
-		$q = $pdo->prepare("SELECT * FROM judges_teams_link WHERE judges_id='{$j->id}' AND year='{$j->year}'");
+		$q = $pdo->prepare("SELECT * FROM judges_teams_link WHERE judges_id=? AND year=?");
 
-		$q->execute();
+		$q->execute([$j->id,$j->year]);
 		while ($i = $q->fetch(PDO::FETCH_OBJ))
 			$jtl[$i->id] = $id;
 
 		/* judges_specialawards_sel */
-		$q = $pdo->prepare("SELECT * FROM judges_specialaward_sel WHERE judges_id='{$j->id}' AND year='{$j->year}'");
+		$q = $pdo->prepare("SELECT * FROM judges_specialaward_sel WHERE judges_id=? AND year=?");
 
-		$q->execute();
+		$q->execute([$j->id,$j->year]);
 		show_pdo_errors_if_any($pdo);
 		while ($i = $q->fetch(PDO::FETCH_OBJ))
 			$jsal[$i->id] = $id;
 
 		/* question_answers */
-		$q = $pdo->prepare("SELECT * FROM question_answers WHERE registrations_id='{$j->id}' AND year='{$j->year}'");
+		$q = $pdo->prepare("SELECT * FROM question_answers WHERE registrations_id=? AND year=?");
 
-		$q->execute();
+		$q->execute([$j->id,$j->year]);
 		show_pdo_errors_if_any($pdo);
 		while ($i = $q->fetch(PDO::FETCH_OBJ))
 			$qa[$i->id] = $id;
@@ -355,21 +355,21 @@ function db_update_116_post()
 	/* Now write back the judge ids */
 	if (count($jtl)) {
 		foreach ($jtl as $id => $new_id)
-			$q = $pdo->prepare("UPDATE judges_teams_link SET judges_id='$new_id' WHERE id='$id' ");
+			$q = $pdo->prepare("UPDATE judges_teams_link SET judges_id=? WHERE id=? ");
 
-		$q->execute();
+		$q->execute([$new_id,$id]);
 	}
 	if (count($jsal)) {
 		foreach ($jsal as $id => $new_id)
-			$q = $pdo->prepare("UPDATE judges_specialaward_sel SET judges_id='$new_id' WHERE id='$id' ");
+			$q = $pdo->prepare("UPDATE judges_specialaward_sel SET judges_id=? WHERE id=? ");
 
-		$q->execute();
+		$q->execute([$new_id,$id]);
 	}
 	if (count($qa)) {
 		foreach ($qa as $id => $new_id)
-			$q = $pdo->prepare("UPDATE question_answers SET registrations_id='$new_id' WHERE id='$id' ");
+			$q = $pdo->prepare("UPDATE question_answers SET registrations_id=? WHERE id=? ");
 
-		$q->execute();
+		$q->execute([$new_id,$id]);
 	}
 }
 ?>
diff --git a/db/db.update.117.php b/db/db.update.117.php
index 8af6e8d7..805c9dd8 100644
--- a/db/db.update.117.php
+++ b/db/db.update.117.php
@@ -9,20 +9,20 @@ function db_update_117_post()
 		'willing_chair' => 'Willing Chair');
 
 	foreach ($qmap as $field => $head) {
-		$q = $pdo->prepare("SELECT id FROM questions WHERE db_heading='{$head}'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT id FROM questions WHERE db_heading=?");
+		$q->execute([$head]);
 		while ($i = $q->fetch(PDO::FETCH_OBJ)) {
 			$id = $i->id;
 
 			/* Drop all answers for this question */
 			$stmt = $pdo->prepare("DELETE FROM question_answers
-					WHERE questions_id='$id'");
-			$stmt->execute();
+					WHERE questions_id=?");
+			$stmt->execute([$id]);
 		}
 
 		/* Now dump the question itself */
 		$stmt = $pdo->prepare("DELETE FROM questions 
-				WHERE id='$id'");
-		$stmt->execute();
+				WHERE id=?");
+		$stmt->execute([$id]);
 	}
 }
diff --git a/db/db.update.118.php b/db/db.update.118.php
index 442d2544..66c616bf 100644
--- a/db/db.update.118.php
+++ b/db/db.update.118.php
@@ -23,8 +23,8 @@ function db_update_118_post()
 			$active = 'yes';
 		}
 		// see if a user exists with this email
-		$uq = $pdo->prepare("SELECT * FROM users WHERE (username='" . $r->email . "' OR email='" . $r->email . "') ORDER BY year DESC LIMIT 1");  // AND year='$r->year'");
-		$uq->execute();
+		$uq = $pdo->prepare("SELECT * FROM users WHERE (username=? OR email=?) ORDER BY year DESC LIMIT 1");  // AND year='$r->year'");
+		$uq->execute([ $r->email,$r->email]);
 		if ($r->email && $ur = $uq->fetch(PDO::FETCH_OBJ)) {
 			$user_id = $ur->id;
 			echo "Using existing users.id=$user_id for award_contacts.id=$r->id because email address ($r->email) matches\n";
@@ -37,9 +37,9 @@ function db_update_118_post()
 					$sqlset .= "`$f`='" . $r->$f . "', ";
 				}
 			}
-			$sql = "UPDATE users SET $sqlset `types`='{$ur->types},sponsor' WHERE id='$user_id'";
+			$sql = "UPDATE users SET ? `types`=?,sponsor' WHERE id=?";
 			$stmt = $pdo->prepare($sql);
-			$stmt->execute();
+			$stmt->execute([$sqlset,$ur->types,$user_id]);
 			show_pdo_errors_if_any($pdo);
 			echo "  Updated user record\n";
 		} else {
@@ -58,33 +58,33 @@ function db_update_118_post()
 				$password .= $available[rand(0, $availlen)];
 
 			// set passwordset to 0000-00-00 to force it to expire on next login
-			$sql = 'INSERT INTO users (`types`,`username`,`created`,`password`,`passwordset`,`' . implode('`,`', $userfields) . '`,`year`) VALUES (';
-			$sql .= "'sponsor','" . $username . "',NOW(),'$password','0000-00-00'";
+			$sql = 'INSERT INTO users (`types`,`username`,`created`,`password`,`passwordset`,`' . implode('`,`,?') . '`,`year`) VALUES (';
+			$sql .= "'sponsor',?,NOW(),?,'0000-00-00'";
 			foreach ($userfields AS $f) {
 				$sql .= ",'" . $r->$f . "'";
 			}
 			$sql .= ",'" . $r->year . "')";
 			$stmt = $pdo->prepare($sql);
-			$stmt->execute();
+			$stmt->execute([$userfields,$username,$password]);
 			show_pdo_errors_if_any($pdo);
 
 			$user_id = $pdo->lastInsertId();
 			// and link it to themselves as a starting record
-			$stmt = $pdo->prepare("UPDATE users SET uid='$user_id' WHERE id='$user_id'");
-			$stmt->execute();
+			$stmt = $pdo->prepare("UPDATE users SET uid=? WHERE id=?");
+			$stmt->execute([$user_id,$user_id]);
 			echo "Creating new users.id=$user_id for award_contacts.id=$r->id\n";
 		}
 
 		echo "  Linking $user_id to users_sponsor record\n";
 		$stmt = $pdo->prepare("INSERT INTO users_sponsor (`users_id`,`sponsors_id`,`sponsor_complete`,`sponsor_active`,`primary`,`position`,`notes`) VALUES (
-				'" . $user_id . "',
-				'" . $r->award_sponsors_id . "',
-				'$complete',
-				'$active',
-				'" . $r->primary . "',
-				'" . $r->position . "',
-				'" . $r->notes . "')");
-		$stmt->execute();
+				?,
+				?,
+				?,
+				?,
+				?,
+				?,
+				?)");
+		$stmt->execute([$user_id,$r->award_sponsors_id,$complete,$active,$r->primary,$r->position,$r->notes]);
 		show_pdo_errors_if_any($pdo);
 	}
 }
diff --git a/db/db.update.122.php b/db/db.update.122.php
index 91ab2eb0..b693f010 100644
--- a/db/db.update.122.php
+++ b/db/db.update.122.php
@@ -4,8 +4,8 @@ function db_update_122_post()
 {
 	global $config, $pdo;
 	$year = $config['FAIRYEAR'];
-	$q = $pdo->prepare("SELECT * FROM judges_timeslots WHERE year='$year'");
-	$q->execute();
+	$q = $pdo->prepare("SELECT * FROM judges_timeslots WHERE year=?");
+	$q->execute([$year]);
 	$round = array();
 	while ($r = $q->fetch(PDO::FETCH_ASSOC)) {
 		$type = $r['type'];
@@ -27,21 +27,21 @@ function db_update_122_post()
 
 	foreach ($round as $type => $d) {
 		$stmt = $pdo->prepare("INSERT INTO judges_timeslots (round_id,type,date,starttime,endtime,year)
-			VALUES ('0','$type','{$d['date']}','{$d['starttime']}','{$d['endtime']}','$year')");
-		$stmt->execute();
+			VALUES ('0',?,?,?,?,?)");
+		$stmt->execute([$type,$d['date'],$d['starttime'],$d['endtime'],$year]);
 		$round_id = $pdo->lastInsertId();
 
 		$stmt = $pdo->prepare("UPDATE judges_timeslots SET 
-				round_id='$round_id', type='timeslot'
+				round_id=?, type='timeslot'
 		
-				WHERE type='$type' AND year='$year'");
-		$stmt->execute();
+				WHERE type=? AND year=?");
+		$stmt->execute([$round_id,$type,$year]);
 		/* Undo the set we just did to the round we just inserted */
 		$stmt = $pdo->prepare("UPDATE judges_timeslots SET 
-				round_id='0',type='$type'
+				round_id='0',type=?
 		
-				WHERE id='$round_id'");
-		$stmt->execute();
+				WHERE id=?");
+		$stmt->execute([$type,$round_id]);
 	}
 }
 
diff --git a/db/db.update.129.php b/db/db.update.129.php
index 9b5ba962..ac3dbe32 100644
--- a/db/db.update.129.php
+++ b/db/db.update.129.php
@@ -26,9 +26,9 @@ function db_update_129_pre()
 		$stmt = $pdo->prepare("INSERT INTO fairs (`id`,`name`,`abbrv`,`type`,
 		`url`,`website`,`username`,`password`,`enable_stats`,
 		`enable_awards`,`enable_winners`) VALUES (
-			'', '$name', '', 'ysf', '$url', '$web',
-			'$username','$password','no','$en','$en')");
-		$stmt->execute();
+			'',?, '', 'ysf',?,?,
+			?,?,'no',?,?)");
+		$stmt->execute([$name,$url,$web,$username,$password,$en,$en]);
 
 		/* Link the fair to the user */
 		$u['fairs_id'] = $pdo->lastInsertId();
@@ -48,9 +48,9 @@ function db_update_129_pre()
 		if (!in_array($old_id, $keys))
 			continue;
 
-		$qq = $pdo->prepare("UPDATE award_awards SET award_sources_id='{$source_map[$old_id]}'
-					WHERE id='{$r['id']}'");
-		$qq->execute();
+		$qq = $pdo->prepare("UPDATE award_awards SET award_sources_id=?
+					WHERE id=?");
+		$qq->execute([$source_map[$old_id],$r['id']]);
 	}
 }
 
diff --git a/db/db.update.129.user.inc.php b/db/db.update.129.user.inc.php
index 4027c0b0..a3d51270 100644
--- a/db/db.update.129.user.inc.php
+++ b/db/db.update.129.user.inc.php
@@ -240,8 +240,8 @@ function db129_user_set_password($id, $password = NULL)
 	/* pass $u by reference so we can update it */
 	$save_old = false;
 	if ($password == NULL) {
-		$q = $pdo->prepare("SELECT passwordset FROM users WHERE id='$id'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT passwordset FROM users WHERE id=?");
+		$q->execute([$id]);
 		$u = $q->fetch(PDO::FETCH_ASSOC);
 		/* Generate a new password */
 		$password = db129_user_generate_password(12);
@@ -260,9 +260,9 @@ function db129_user_set_password($id, $password = NULL)
 	$set = ($save_old == true) ? 'oldpassword=password, ' : '';
 	$set .= "password='$p', passwordset=$save_set ";
 
-	$query = "UPDATE users SET $set WHERE id='$id'";
+	$query = "UPDATE users SET ? WHERE id=?";
 	$stmt = $pdo->prepare($query);
-	$stmt->execute();
+	$stmt->execute([$set,$id]);
 	show_pdo_errors_if_any($pdo);
 
 	return $password;
@@ -296,9 +296,9 @@ function db129_user_save_type_list($u, $db, $fields)
 		$set .= "`$f`='$data'";
 	}
 	if ($set != '') {
-		$query = "UPDATE $db SET $set WHERE users_id='{$u['id']}'";
+		$query = "UPDATE ? SET ? WHERE users_id=?";
 		$stmt = $pdo->prepare($query);
-		$stmt->execute();
+		$stmt->execute([$db,$set,$u['id']]);
 		if ($pdo->errorInfo()) {
 			show_pdo_errors_if_any($pdo);
 			echo error("Full query: $query");
@@ -372,9 +372,9 @@ function db129_user_save($u)
 	// print_r($u);
 	// echo "</pre>";
 	if ($set != '') {
-		$query = "UPDATE users SET $set WHERE id='{$u['id']}'";
+		$query = "UPDATE users SET ? WHERE id=?";
 		$stmt = $pdo->prepare($query);
-		$stmt->execute();
+		$stmt->execute([$set,$u['id']]);
 		//		echo "query=[$query]";
 		show_pdo_errors_if_any($pdo);
 	}
@@ -395,8 +395,8 @@ function db129_user_save($u)
 
 function db129_user_delete_committee($u)
 {
-	$stmt = $pdo->prepare("DELETE FROM committees_link WHERE users_uid='{$u['uid']}'");
-	$stmt->execute();
+	$stmt = $pdo->prepare("DELETE FROM committees_link WHERE users_uid=?");
+	$stmt->execute([$u['uid']]);
 }
 
 function db129_user_delete_volunteer($u) {}
@@ -405,10 +405,10 @@ function db129_user_delete_judge($u)
 {
 	global $config;
 	$id = $u['id'];
-	$stmt = $pdo->prepare("DELETE FROM judges_teams_link WHERE users_id='$id'");
-	$stmt->execute();
-	$stmt = $pdo->prepare("DELETE FROM judges_specialawards_sel WHERE users_id='$id'");
-	$stmt->execute();
+	$stmt = $pdo->prepare("DELETE FROM judges_teams_link WHERE users_id=?");
+	$stmt->execute([$id]);
+	$stmt = $pdo->prepare("DELETE FROM judges_specialawards_sel WHERE users_id=?");
+	$stmt->execute([$id]);
 }
 
 function db129_user_delete_fair($u) {}
@@ -442,8 +442,8 @@ function db129_user_delete($u, $type = false)
 					$types .= ',';
 				$types .= $t;
 			}
-			$stmt = $pdo->prepare("UPDATE users SET types='$types' WHERE id='{$u['id']}'");
-			$stmt->execute();
+			$stmt = $pdo->prepare("UPDATE users SET types=? WHERE id=?");
+			$stmt->execute([$types,$u['id']]);
 		} else {
 			$finish_delete = true;
 		}
@@ -455,8 +455,8 @@ function db129_user_delete($u, $type = false)
 		$finish_delete = true;
 	}
 	if ($finish_delete == true) {
-		$stmt = $pdo->prepare("UPDATE users SET deleted='yes', deleteddatetime=NOW() WHERE id='{$u['id']}'");
-		$stmt->execute();
+		$stmt = $pdo->prepare("UPDATE users SET deleted='yes', deleteddatetime=NOW() WHERE id=?");
+		$stmt->execute([$u['id']]);
 	}
 }
 
@@ -491,8 +491,8 @@ function db129_user_purge($u, $type = false)
 					$types .= ',';
 				$types .= $t;
 			}
-			$stmt = $pdo->prepare("UPDATE users SET types='$types' WHERE id='{$u['id']}'");
-			$stmt->execute();
+			$stmt = $pdo->prepare("UPDATE users SET types=? WHERE id=?");
+			$stmt->execute([$types,$u['id']]);
 		} else {
 			$finish_purge = true;
 		}
@@ -503,21 +503,21 @@ function db129_user_purge($u, $type = false)
 		 */
 		call_user_func("db129_user_delete_$type", $u);
 		//		call_user_func("user_purge_$type", $u);
-		$stmt = $pdo->prepare("DELETE FROM users_$type WHERE users_id='{$u['id']}'");
-		$stmt->execute();
+		$stmt = $pdo->prepare("DELETE FROM users_? WHERE users_id=?");
+		$stmt->execute([$type,$u['id']]);
 	} else {
 		/* Delete the whole user */
 		foreach ($u['types'] as $t) {
 			call_user_func("db129_user_delete_$t", $u);
 			//			call_user_func("user_purge_$t", $u);
-			$stmt = $pdo->prepare("DELETE FROM users_$t WHERE users_id='{$u['id']}'");
-			$stmt->execute();
+			$stmt = $pdo->prepare("DELETE FROM users_? WHERE users_id=?");
+			$stmt->execute([$t,$u['id']]);
 		}
 		$finish_purge = true;
 	}
 	if ($finish_purge == true) {
-		$stmt = $pdo->prepare("DELETE FROM users WHERE id='{$u['id']}'");
-		$stmt->execute();
+		$stmt = $pdo->prepare("DELETE FROM users WHERE id=?");
+		$stmt->execute([$u['id']]);
 	}
 }
 
@@ -526,8 +526,8 @@ function db129_user_dupe_row($db, $key, $val, $newval)
 {
 	global $config;
 	$nullfields = array('deleteddatetime');  /* Fields that can be null */
-	$q = $pdo->prepare("SELECT * FROM $db WHERE $key='$val'");
-	$q->execute();
+	$q = $pdo->prepare("SELECT * FROM ? WHERE ?=?");
+	$q->execute([$db,$key,$val]);
 	if ($q->rowCount() != 1) {
 		echo "ERROR duplicating row in $db: $key=$val NOT FOUND.\n";
 		exit;
@@ -547,10 +547,10 @@ function db129_user_dupe_row($db, $key, $val, $newval)
 	$keys = '`' . join('`,`', array_keys($i)) . '`';
 	$vals = join(',', array_values($i));
 
-	$q = "INSERT INTO $db ($keys) VALUES ($vals)";
+	$q = "INSERT INTO ? (?) VALUES (?)";
 	//	echo "Dupe Query: [$q]";
 	$r = $pdo->prepare($q);
-	$r->execute();
+	$r->execute([$db,$keys,$vals]);
 	show_pdo_errors_if_any($pdo);
 
 	$id = $pdo->lastInsertId();
@@ -570,9 +570,9 @@ function db129_user_dupe($u, $new_year)
 	 */
 
 	/* Find the last entry */
-	$q = $pdo->prepare("SELECT id,uid,year,deleted FROM users WHERE uid='{$u['uid']}'
+	$q = $pdo->prepare("SELECT id,uid,year,deleted FROM users WHERE uid=?
 				ORDER BY year DESC LIMIT 1");
-	$q->execute();
+	$q->execute([$u['uid']]);
 	$r = $q->fetch(PDO::FETCH_OBJ);
 	if ($r->deleted == 'yes') {
 		echo "Cannot duplicate user ID {$u['id']}, they are deleted.  Undelete them first.\n";
@@ -584,8 +584,8 @@ function db129_user_dupe($u, $new_year)
 	}
 
 	$id = db129_user_dupe_row('users', 'id', $u['id'], NULL);
-	$q = $pdo->prepare("UPDATE users SET year='$new_year' WHERE id='$id'");
-	$q->execute();
+	$q = $pdo->prepare("UPDATE users SET year=? WHERE id=?");
+	$q->execute([$new_year,$id]);
 
 	/* Load the new user */
 	$u2 = db129_user_load($id);
@@ -630,12 +630,12 @@ function db129_user_create($type, $username, $u = NULL)
 	global $config;
 	if (!is_array($u)) {
 		$stmt = $pdo->prepare("INSERT INTO users (`types`,`username`,`passwordset`,`created`,`year`) 
-			VALUES ('$type', '$username','0000-00-00', NOW(), '{$config['FAIRYEAR']}')");
-		$stmt->execute();
+			VALUES (?,?,'0000-00-00', NOW(),?)");
+		$stmt->execute([$type,$username,$config['FAIRYEAR']]);
 		show_pdo_errors_if_any($pdo);
 		$uid = $pdo->lastInsertId();
-		$stmt = $pdo->prepare("UPDATE users SET uid='$uid' WHERE id='$uid'");
-		$stmt->execute();
+		$stmt = $pdo->prepare("UPDATE users SET uid=? WHERE id=?");
+		$stmt->execute([$uid,$uid]);
 		db129_user_set_password($uid, NULL);
 	} else {
 		/*
@@ -649,34 +649,34 @@ function db129_user_create($type, $username, $u = NULL)
 			exit;
 		}
 		$new_types = implode(',', $u['types']) . ',' . $type;
-		$stmt = $pdo->prepare("UPDATE users SET types='$new_types' WHERE id='$uid'");
-		$stmt->execute();
+		$stmt = $pdo->prepare("UPDATE users SET types=? WHERE id=?");
+		$stmt->execute([$new_types,$uid]);
 	}
 
 	switch ($type) {
 		case 'volunteer':
-			$stmt = $pdo->prepare("INSERT INTO users_volunteer(`users_id`, `volunteer_active`) VALUES ('$uid', 'yes')");
-			$stmt->execute();
+			$stmt = $pdo->prepare("INSERT INTO users_volunteer(`users_id`, `volunteer_active`) VALUES (?, 'yes')");
+			$stmt->execute([$uid]);
 			break;
 		case 'student':
-			//		$stmt = $pdo->prepare("INSERT INTO users_student(`users_id`, `student_active`) VALUES ('$uid', 'yes')");
-			$stmt->execute();
+			$stmt = $pdo->prepare("INSERT INTO users_student(`users_id`, `student_active`) VALUES (?, 'yes')");
+			$stmt->execute([$uid]);
 			break;
 		case 'judge':
-			$stmt = $pdo->prepare("INSERT INTO users_judge(`users_id`, `judge_active`) VALUES ('$uid', 'yes')");
-			$stmt->execute();
+			$stmt = $pdo->prepare("INSERT INTO users_judge(`users_id`, `judge_active`) VALUES (?, 'yes')");
+			$stmt->execute([$uid]);
 			break;
 		case 'fair':
-			$stmt = $pdo->prepare("INSERT INTO users_fair(`users_id`, `fair_active`) VALUES ('$uid', 'yes')");
-			$stmt->execute();
+			$stmt = $pdo->prepare("INSERT INTO users_fair(`users_id`, `fair_active`) VALUES (?, 'yes')");
+			$stmt->execute([$uid]);
 			break;
 		case 'committee':
-			$stmt = $pdo->prepare("INSERT INTO users_committee(`users_id`, `committee_active`) VALUES ('$uid', 'yes')");
-			$stmt->execute();
+			$stmt = $pdo->prepare("INSERT INTO users_committee(`users_id`, `committee_active`) VALUES (?, 'yes')");
+			$stmt->execute([$uid]);
 			break;
 		case 'sponsor':
-			$stmt = $pdo->prepare("INSERT INTO users_sponsor(`users_id`) VALUES ('$uid')");
-			$stmt->execute();
+			$stmt = $pdo->prepare("INSERT INTO users_sponsor(`users_id`) VALUES (?)");
+			$stmt->execute([$uid]);
 			break;
 	}
 	return db129_user_load($uid);
diff --git a/db/db.update.131.php b/db/db.update.131.php
index 6c6ebcd3..fed88c41 100644
--- a/db/db.update.131.php
+++ b/db/db.update.131.php
@@ -12,11 +12,11 @@ function db_update_131_pre()
     $q->execute();
     while ($r = $q->fetch(PDO::FETCH_OBJ)) {
         $total = 0;
-        $awardq = $pdo->prepare("SELECT * FROM award_awards WHERE sponsors_id='$r->id' AND year='$year'");
-        $awardq->execute();
+        $awardq = $pdo->prepare("SELECT * FROM award_awards WHERE sponsors_id=? AND year=?");
+        $awardq->execute([$r->id,$year]);
         while ($awardr = $awardq->fetch(PDO::FETCH_OBJ)) {
-            $prizeq = $pdo->prepare("SELECT cash,scholarship,value,number FROM award_prizes WHERE award_awards_id='$awardr->id'");
-            $prizeq->execute();
+            $prizeq = $pdo->prepare("SELECT cash,scholarship,value,number FROM award_prizes WHERE award_awards_id=?");
+            $prizeq->execute([$awardr->id]);
             while ($prizer = $prizeq->fetch(PDO::FETCH_OBJ)) {
                 // some people never set the value for some reason, i dunno why..
                 $realvalue = max($prizer->cash + $prizer->scholarship, $prizer->value);
@@ -26,15 +26,15 @@ function db_update_131_pre()
         }
         echo "Creating sponsorship for ID: $r->id value: $total\n";
         $pdo->prepare("INSERT INTO sponsorships (sponsors_id,fundraising_type,value,status,probability,year) VALUES (
-            '$r->id',
+            ?,
             'sfawards',
-            '$total',
+            ?,
             'pending',
             '25',
-            '$year')");
-        $pdo->execute();
-        $stmt = $pdo->prepare("INSERT INTO sponsors_logs (sponsors_id,dt,users_id,log) VALUES ('$r->id',NOW(),0,'Automatically created sponsorship from existing sponsor. type=award, value=\$$total, status=pending, probability=25%')");
-        $stmt->execute();
+            ?)");
+        $pdo->execute([$r->id,$total,$year]);
+        $stmt = $pdo->prepare("INSERT INTO sponsors_logs (sponsors_id,dt,users_id,log) VALUES (?,NOW(),0,'Automatically created sponsorship from existing sponsor. type=award, value=\$?, status=pending, probability=25%')");
+        $stmt->execute([$r->id,$total]);
     }
 }
 
diff --git a/db/db.update.136.php b/db/db.update.136.php
index b01e00c3..9b51e3ba 100644
--- a/db/db.update.136.php
+++ b/db/db.update.136.php
@@ -9,12 +9,12 @@ function db_update_136_pre()
 				`enable_stats` = 'yes',
 				`enable_awards` = 'yes',
 				`enable_winners` = 'yes',
-				`username` = '{$config['ysf_region_id']}',
-				`password` = '{$config['ysf_region_password']}'
+				`username` =?,
+				`password` =?
 
 			WHERE 
 				`url`='https://secure.ysf-fsj.ca/awarddownloader/index.php'");
-	$stmt->execute();
+	$stmt->execute([$config['ysf_region_id'],$config['ysf_region_password']]);
 
 	$stmt = $pdo->prepare("UPDATE fairs SET `abbrv` = 'STO',
 				`website` = 'http://www.scitechontario.org/awarddownloader/help.php',
diff --git a/db/db.update.142.php b/db/db.update.142.php
index 4381a12c..b356b6ec 100644
--- a/db/db.update.142.php
+++ b/db/db.update.142.php
@@ -15,8 +15,8 @@ function db_update_142_post()
 			$fiscalyearsuggest = date('Y') + 1;
 		else
 			$fiscalyearsuggest = date('Y');
-		$stmt = $pdo->prepare("INSERT INTO `config` ( `var` , `val` , `category` , `type` , `type_values` , `ord` , `description` , `year`) VALUES ( 'FISCALYEAR', '$fiscalyearsuggest', 'Special', '', '', '0', 'The current fiscal year that the fundraising module is using', '0')");
-		$stmt->execute();
+		$stmt = $pdo->prepare("INSERT INTO `config` ( `var` , `val` , `category` , `type` , `type_values` , `ord` , `description` , `year`) VALUES ( 'FISCALYEAR',?, 'Special', '', '', '0', 'The current fiscal year that the fundraising module is using', '0')");
+		$stmt->execute([$fiscalyearsuggest]);
 	}
 }
 
diff --git a/db/db.update.146.php b/db/db.update.146.php
index 4e089e08..ec62406d 100644
--- a/db/db.update.146.php
+++ b/db/db.update.146.php
@@ -38,8 +38,8 @@ function db_update_146_handle($name, $email, $phone, $type)
 function db_update_146_post()
 {
 	global $config, $pdo;
-	$q = $pdo->prepare("SELECT * FROM schools WHERE year='{$config['FAIRYEAR']}'");
-	$q->execute();
+	$q = $pdo->prepare("SELECT * FROM schools WHERE year=?");
+	$q->execute([$config['FAIRYEAR']]);
 	while ($s = $q->fetch(PDO::FETCH_ASSOC)) {
 		/* Science head */
 		if (trim($s['sciencehead']) != '') {
@@ -48,8 +48,8 @@ function db_update_146_post()
 				$s['scienceheadphone'],
 				'teacher');
 			if ($u != false) {
-				$stmt = $pdo->prepare("UPDATE schools SET sciencehead_uid='{$u['uid']}' WHERE id='{$s['id']}'");
-				$stmt->execute();
+				$stmt = $pdo->prepare("UPDATE schools SET sciencehead_uid=? WHERE id=?");
+				$stmt->execute([$u['uid'],$s['id']]);
 			}
 		}
 
@@ -60,8 +60,8 @@ function db_update_146_post()
 				$s['phone'],
 				'principal');
 			if ($u != false) {
-				$stmt = $pdo->prepare("UPDATE schools SET principal_uid='{$u['uid']}' WHERE id='{$s['id']}'");
-				$stmt->execute();
+				$stmt = $pdo->prepare("UPDATE schools SET principal_uid=? WHERE id=?");
+				$stmt->execute([$u['uid'],$s['id']]);
 			}
 		}
 	}
diff --git a/db/db.update.146.user.inc.php b/db/db.update.146.user.inc.php
index 54561519..d38bac6d 100644
--- a/db/db.update.146.user.inc.php
+++ b/db/db.update.146.user.inc.php
@@ -141,8 +141,8 @@ function db146_user_load_sponsor(&$u)
 	$u['sponsor_complete'] = ($u['sponsor_complete'] == 'yes') ? 'yes' : 'no';
 	$u['sponsor_active'] = ($u['sponsor_active'] == 'yes') ? 'yes' : 'no';
 	if ($u['sponsors_id']) {
-		$q = $pdo->prepare("SELECT * FROM sponsors WHERE id='{$u['sponsors_id']}'");
-		$q->execute(0);
+		$q = $pdo->prepare("SELECT * FROM sponsors WHERE id=?");
+		$q->execute([0,$u['sponsors_id']]);
 		$u['sponsor'] = $q->fetch(PDO::FETCH_ASSOC);
 	}
 	return true;
@@ -279,8 +279,8 @@ function db146_user_load_by_email($email)
 {
 	/* Find the most recent uid for the email, regardless of deleted status */
 	$e = $email;
-	$q = $pdo->prepare("SELECT uid FROM users WHERE email='$e' OR username='$e' ORDER BY year DESC LIMIT 1");
-	$q->execute();
+	$q = $pdo->prepare("SELECT uid FROM users WHERE email=? OR username=? ORDER BY year DESC LIMIT 1");
+	$q->execute([$e,$e]);
 
 	if ($q->rowCount() == 1) {
 		$i = $q->fetch(PDO::FETCH_ASSOC);
@@ -291,8 +291,8 @@ function db146_user_load_by_email($email)
 
 function db146_user_load_by_uid_year($uid, $year)
 {
-	$q = $pdo->prepare("SELECT id FROM users WHERE uid='$uid' AND year <= '$year'");
-	$q->execute();
+	$q = $pdo->prepare("SELECT id FROM users WHERE uid=? AND year <=?");
+	$q->execute([$uid,$year]);
 	if (!$q->rowCount())
 		return false;
 	$i = $q->fetch(PDO::FETCH_ASSOC);
@@ -304,8 +304,8 @@ function db146_user_set_password($id, $password = NULL)
 	/* pass $u by reference so we can update it */
 	$save_old = false;
 	if ($password == NULL) {
-		$q = $pdo->prepare("SELECT passwordset FROM users WHERE id='$id'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT passwordset FROM users WHERE id=?");
+		$q->execute([$id]);
 		$u = $q->fetch(PDO::FETCH_ASSOC);
 		/* Generate a new password */
 		$password = db146_user_generate_password(12);
@@ -324,9 +324,9 @@ function db146_user_set_password($id, $password = NULL)
 	$set = ($save_old == true) ? 'oldpassword=password, ' : '';
 	$set .= "password='$p', passwordset=$save_set ";
 
-	$query = "UPDATE users SET $set WHERE id='$id'";
+	$query = "UPDATE users SET ? WHERE id=?";
 	$stmt = $pdo->prepare($query);
-	$stmt->execute();
+	$stmt->execute([$set,$id]);
 	show_pdo_errors_if_any($pdo);
 
 	return $password;
@@ -360,9 +360,9 @@ function db146_user_save_type_list($u, $db, $fields)
 		$set .= "`$f`='$data'";
 	}
 	if ($set != '') {
-		$query = "UPDATE $db SET $set WHERE users_id='{$u['id']}'";
+		$query = "UPDATE ? SET ? WHERE users_id=?";
 		$stmt = $pdo->prepare($query);
-		$stmt->execute();
+		$stmt->execute([$db,$set,$u['id']]);
 		if ($pdo->errorInfo()) {
 			show_pdo_errors_if_any($pdo);
 			echo error("Full query: $query");
@@ -430,8 +430,8 @@ function db146_user_save(&$u)
 			exit;
 		}
 		// give em a record, the primary key on the table takes care of uniqueness
-		$q = $pdo->prepare("INSERT INTO users_$t (users_id) VALUES ('{$u['id']}')");
-		$q->execute();
+		$q = $pdo->prepare("INSERT INTO users_? (users_id) VALUES (?)");
+		$q->execute([$t,$u['id']]);
 	}
 
 	$fields = array('salutation', 'firstname', 'lastname', 'username',
@@ -459,9 +459,9 @@ function db146_user_save(&$u)
 	//	print_r($u);
 	//	echo "</pre>";
 	if ($set != '') {
-		$query = "UPDATE users SET $set WHERE id='{$u['id']}'";
+		$query = "UPDATE users SET ? WHERE id=?";
 		$stmt = $pdo->prepare($query);
-		$stmt->execute();
+		$stmt->execute([$set,$u['id']]);
 		//		echo "query=[$query]";
 		show_pdo_errors_if_any($pdo);
 	}
@@ -491,8 +491,8 @@ function db146_user_save(&$u)
 
 function db146_user_delete_committee($u)
 {
-	$stmt = $pdo->prepare("DELETE FROM committees_link WHERE users_uid='{$u['uid']}'");
-	$stmt->execute();
+	$stmt = $pdo->prepare("DELETE FROM committees_link WHERE users_uid=?");
+	$stmt->execute([$u['uid']]);
 }
 
 function db146_user_delete_volunteer($u) {}
@@ -501,10 +501,10 @@ function db146_user_delete_judge($u)
 {
 	global $config;
 	$id = $u['id'];
-	$stmt = $pdo->prepare("DELETE FROM judges_teams_link WHERE users_id='$id'");
-	$stmt->execute();
-	$stmt = $pdo->prepare("DELETE FROM judges_specialawards_sel WHERE users_id='$id'");
-	$stmt->execute();
+	$stmt = $pdo->prepare("DELETE FROM judges_teams_link WHERE users_id=?");
+	$stmt->execute([$id]);
+	$stmt = $pdo->prepare("DELETE FROM judges_specialawards_sel WHERE users_id=?");
+	$stmt->execute([$id]);
 }
 
 function db146_user_delete_fair($u) {}
@@ -548,8 +548,8 @@ function db146_user_delete($u, $type = false)
 					$types .= ',';
 				$types .= $t;
 			}
-			$stmt = $pdo->prepare("UPDATE users SET types='$types' WHERE id='{$u['id']}'");
-			$stmt->execute();
+			$stmt = $pdo->prepare("UPDATE users SET types=? WHERE id=?");
+			$stmt->execute([$types,$u['id']]);
 		} else {
 			$finish_delete = true;
 		}
@@ -563,8 +563,8 @@ function db146_user_delete($u, $type = false)
 		$finish_delete = true;
 	}
 	if ($finish_delete == true) {
-		$stmt = $pdo->prepare("UPDATE users SET deleted='yes', deleteddatetime=NOW() WHERE id='{$u['id']}'");
-		$stmt->execute();
+		$stmt = $pdo->prepare("UPDATE users SET deleted='yes', deleteddatetime=NOW() WHERE id=?");
+		$stmt->execute([$u['id']]);
 	}
 }
 
@@ -599,8 +599,8 @@ function db146_user_purge($u, $type = false)
 					$types .= ',';
 				$types .= $t;
 			}
-			$stmt = $pdo->prepare("UPDATE users SET types='$types' WHERE id='{$u['id']}'");
-			$stmt->execute();
+			$stmt = $pdo->prepare("UPDATE users SET types=? WHERE id=?");
+			$stmt->execute([$types,$u['id']]);
 		} else {
 			$finish_purge = true;
 		}
@@ -611,21 +611,21 @@ function db146_user_purge($u, $type = false)
 		 */
 		call_user_func("db146_user_delete_$type", $u);
 		//		call_user_func("user_purge_$type", $u);
-		$stmt = $pdo->prepare("DELETE FROM users_$type WHERE users_id='{$u['id']}'");
-		$stmt->execute();
+		$stmt = $pdo->prepare("DELETE FROM users_? WHERE users_id=?");
+		$stmt->execute([$type,$u['id']]);
 	} else {
 		/* Delete the whole user */
 		foreach ($u['types'] as $t) {
 			call_user_func("db146_user_delete_$t", $u);
 			//			call_user_func("user_purge_$t", $u);
-			$stmt = $pdo->prepare("DELETE FROM users_$t WHERE users_id='{$u['id']}'");
-			$stmt->execute();
+			$stmt = $pdo->prepare("DELETE FROM users_? WHERE users_id=?");
+			$stmt->execute([$t,$u['id']]);
 		}
 		$finish_purge = true;
 	}
 	if ($finish_purge == true) {
-		$stmt = $pdo->prepare("DELETE FROM users WHERE id='{$u['id']}'");
-		$stmt->execute();
+		$stmt = $pdo->prepare("DELETE FROM users WHERE id=?");
+		$stmt->execute([$u['id']]);
 	}
 }
 
@@ -634,8 +634,8 @@ function db146_user_dupe_row($db, $key, $val, $newval)
 {
 	global $config;
 	$nullfields = array('deleteddatetime');  /* Fields that can be null */
-	$q = $pdo->prepare("SELECT * FROM $db WHERE $key='$val'");
-	$q->execute();
+	$q = $pdo->prepare("SELECT * FROM ? WHERE ?=?");
+	$q->execute([$db,$key,$val]);
 	if ($q->rowCount() != 1) {
 		echo "ERROR duplicating row in $db: $key=$val NOT FOUND.\n";
 		exit;
@@ -655,10 +655,10 @@ function db146_user_dupe_row($db, $key, $val, $newval)
 	$keys = '`' . join('`,`', array_keys($i)) . '`';
 	$vals = join(',', array_values($i));
 
-	$q = "INSERT INTO $db ($keys) VALUES ($vals)";
+	$q = "INSERT INTO ? (?) VALUES (?)";
 	//	echo "Dupe Query: [$q]";
 	$r = $pdo->prepare($q);
-	$r->execute();
+	$r->execute([$db,$keys,$vals]);
 	show_pdo_errors_if_any($pdo);
 
 	$id = $pdo->lastInsertId();
@@ -678,9 +678,9 @@ function db146_user_dupe($u, $new_year)
 	 */
 
 	/* Find the last entry */
-	$q = $pdo->prepare("SELECT id,uid,year,deleted FROM users WHERE uid='{$u['uid']}'
+	$q = $pdo->prepare("SELECT id,uid,year,deleted FROM users WHERE uid=?
 				ORDER BY year DESC LIMIT 1");
-	$q->execute();
+	$q->execute([$u['uid']]);
 	$r = $q->fetch(PDO::FETCH_OBJ);
 	if ($r->deleted == 'yes') {
 		echo "Cannot duplicate user ID {$u['id']}, they are deleted.  Undelete them first.\n";
@@ -692,9 +692,9 @@ function db146_user_dupe($u, $new_year)
 	}
 
 	$id = db146_user_dupe_row('users', 'id', $u['id'], NULL);
-	$q = $pdo->prepare("UPDATE users SET year='$new_year' WHERE id='$id'");
+	$q = $pdo->prepare("UPDATE users SET year=? WHERE id=?");
 
-	$q->execute();
+	$q->execute([$new_year,$id]);
 	/* Load the new user */
 	$u2 = db146_user_load($id);
 
@@ -743,17 +743,17 @@ function db146_user_create($type, $username, $u = NULL)
 	global $config;
 	if (!is_array($u)) {
 		$stmt = $pdo->prepare("INSERT INTO users (`types`,`username`,`passwordset`,`created`,`year`) 
-			VALUES ('$type','$username','0000-00-00', NOW(), '{$config['FAIRYEAR']}')");
-		$stmt->execute();
+			VALUES (?,?,'0000-00-00', NOW(),?)");
+		$stmt->execute([$type,$username,$config['FAIRYEAR']]);
 		show_pdo_errors_if_any($pdo);
 		$uid = $pdo->lastInsertId();
 		if (db146_user_valid_email($username)) {
-			$stmt = $pdo->prepare("UPDATE users SET email='$username' WHERE id='$uid'");
-			$stmt->execute();
+			$stmt = $pdo->prepare("UPDATE users SET email=? WHERE id=?");
+			$stmt->execute([$username,$uid]);
 		}
 
-		$stmt = $pdo->prepare("UPDATE users SET uid='$uid' WHERE id='$uid'");
-		$stmt->execute();
+		$stmt = $pdo->prepare("UPDATE users SET uid=? WHERE id=?");
+		$stmt->execute([$uid,$uid]);
 		show_pdo_errors_if_any($pdo);
 		db146_user_set_password($uid, NULL);
 
@@ -761,8 +761,8 @@ function db146_user_create($type, $username, $u = NULL)
 		 * Since the user already has a type, user_save won't create this
 		 * entry for us, so do it here
 		 */
-		$stmt = $pdo->prepare("INSERT INTO users_$type (users_id) VALUES('$uid')");
-		$stmt->execute();
+		$stmt = $pdo->prepare("INSERT INTO users_? (users_id) VALUES(?)");
+		$stmt->execute([$type,$uid]);
 		show_pdo_errors_if_any($pdo);
 		/* Load the complete user */
 		$u = db146_user_load($uid);
diff --git a/db/db.update.149.user.inc.php b/db/db.update.149.user.inc.php
index 05a4dbca..bf35bdde 100644
--- a/db/db.update.149.user.inc.php
+++ b/db/db.update.149.user.inc.php
@@ -141,8 +141,8 @@ function db149_user_load_sponsor(&$u)
 	$u['sponsor_complete'] = ($u['sponsor_complete'] == 'yes') ? 'yes' : 'no';
 	$u['sponsor_active'] = ($u['sponsor_active'] == 'yes') ? 'yes' : 'no';
 	if ($u['sponsors_id']) {
-		$q = $pdo->prepare("SELECT * FROM sponsors WHERE id='{$u['sponsors_id']}'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT * FROM sponsors WHERE id=?");
+		$q->execute([$u['sponsors_id']]);
 		$u['sponsor'] = $q->fetch(PDO::FETCH_ASSOC);
 	}
 	return true;
@@ -194,13 +194,13 @@ function db149_user_load($user, $uid = false)
 			WHERE ';
 	if ($uid != false) {
 		$uid = intval($uid);
-		$query .= "`users`.`uid`='$uid' ORDER BY `users`.`year` DESC LIMIT 1";
+		$query .= "`users`.`uid`=? ORDER BY `users`.`year` DESC LIMIT 1";
 	} else {
 		$id = intval($user);
-		$query .= "	`users`.`id`='$id'";
+		$query .= "	`users`.`id`=?";
 	}
 	$q = $pdo->prepare($query);
-	$q->execute();
+	$q->execute([$uid,$id]);
 	if ($q->rowCount() != 1) {
 		//		echo "Query [$query] returned ".$q->rowCount()." rows\n";
 		//		echo "<pre>";
@@ -278,8 +278,8 @@ function db149_user_load_by_email($email)
 {
 	/* Find the most recent uid for the email, regardless of deleted status */
 	$e = $email;
-	$q = $pdo->prepare("SELECT uid FROM users WHERE email='$e' OR username='$e' ORDER BY year DESC LIMIT 1");
-	$q->execute();
+	$q = $pdo->prepare("SELECT uid FROM users WHERE email=? OR username=? ORDER BY year DESC LIMIT 1");
+	$q->execute([$e,$e]);
 
 	if ($q->rowCount() == 1) {
 		$i = $q->fetch(PDO::FETCH_ASSOC);
@@ -290,8 +290,8 @@ function db149_user_load_by_email($email)
 
 function db149_user_load_by_uid_year($uid, $year)
 {
-	$q = $pdo->prepare("SELECT id FROM users WHERE uid='$uid' AND year <= '$year'");
-	$q->execute();
+	$q = $pdo->prepare("SELECT id FROM users WHERE uid=? AND year <=?");
+	$q->execute([$uid,$year]);
 	if (!$q->rowCount())
 		return false;
 	$i = $q->fetch(PDO::FETCH_ASSOC);
@@ -303,8 +303,8 @@ function db149_user_set_password($id, $password = NULL)
 	/* pass $u by reference so we can update it */
 	$save_old = false;
 	if ($password == NULL) {
-		$q = $pdo->prepare("SELECT passwordset FROM users WHERE id='$id'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT passwordset FROM users WHERE id=?");
+		$q->execute([$id]);
 		$u = $q->fetch(PDO::FETCH_ASSOC);
 		/* Generate a new password */
 		$password = db149_user_generate_password(12);
@@ -323,9 +323,9 @@ function db149_user_set_password($id, $password = NULL)
 	$set = ($save_old == true) ? 'oldpassword=password, ' : '';
 	$set .= "password='$p', passwordset=$save_set ";
 
-	$query = "UPDATE users SET $set WHERE id='$id'";
+	$query = "UPDATE users SET ? WHERE id=?";
 	$stmt = $pdo->prepare($query);
-	$stmt->execute();
+	$stmt->execute([$set,$id]);
 	show_pdo_errors_if_any($pdo);
 
 	return $password;
@@ -359,9 +359,9 @@ function db149_user_save_type_list($u, $db, $fields)
 		$set .= "`$f`='$data'";
 	}
 	if ($set != '') {
-		$query = "UPDATE $db SET $set WHERE users_id='{$u['id']}'";
+		$query = "UPDATE ? SET ? WHERE users_id=?";
 		$stmt = $pdo->prepare($query);
-		$stmt->execute();
+		$stmt->execute([$db,$set,$u['id']]);
 		if ($pdo->errorInfo()) {
 			show_pdo_errors_if_any($pdo);
 			echo error("Full query: $query");
@@ -429,8 +429,8 @@ function db149_user_save(&$u)
 			exit;
 		}
 		// give em a record, the primary key on the table takes care of uniqueness
-		$q = $pdo->prepare("INSERT INTO users_$t (users_id) VALUES ('{$u['id']}')");
-		$q->execute();
+		$q = $pdo->prepare("INSERT INTO users_? (users_id) VALUES (?)");
+		$q->execute([$t,$u['id']]);
 	}
 
 	$fields = array('salutation', 'firstname', 'lastname', 'username',
@@ -458,9 +458,9 @@ function db149_user_save(&$u)
 	//	print_r($u);
 	//	echo "</pre>";
 	if ($set != '') {
-		$query = "UPDATE users SET $set WHERE id='{$u['id']}'";
+		$query = "UPDATE users SET ? WHERE id=?";
 		$stmt = $pdo->prepare($query);
-		$stmt->execute();
+		$stmt->execute([$set,$u['id']]);
 		//		echo "query=[$query]";
 		show_pdo_errors_if_any($pdo);
 	}
@@ -490,8 +490,8 @@ function db149_user_save(&$u)
 
 function db149_user_delete_committee($u)
 {
-	$stmt = $pdo->prepare("DELETE FROM committees_link WHERE users_uid='{$u['uid']}'");
-	$stmt->execute();
+	$stmt = $pdo->prepare("DELETE FROM committees_link WHERE users_uid=?");
+	$stmt->execute([$u['uid']]);
 }
 
 function db149_user_delete_volunteer($u) {}
@@ -500,10 +500,10 @@ function db149_user_delete_judge($u)
 {
 	global $config;
 	$id = $u['id'];
-	$stmt = $pdo->prepare("DELETE FROM judges_teams_link WHERE users_id='$id'");
-	$stmt->execute();
-	$stmt = $pdo->prepare("DELETE FROM judges_specialawards_sel WHERE users_id='$id'");
-	$stmt->execute();
+	$stmt = $pdo->prepare("DELETE FROM judges_teams_link WHERE users_id=?");
+	$stmt->execute([$id]);
+	$stmt = $pdo->prepare("DELETE FROM judges_specialawards_sel WHERE users_id=?");
+	$stmt->execute([$id]);
 }
 
 function db149_user_delete_fair($u) {}
@@ -547,8 +547,8 @@ function db149_user_delete($u, $type = false)
 					$types .= ',';
 				$types .= $t;
 			}
-			$stmt = $pdo->prepare("UPDATE users SET types='$types' WHERE id='{$u['id']}'");
-			$stmt->execute();
+			$stmt = $pdo->prepare("UPDATE users SET types=? WHERE id=?");
+			$stmt->execute([$types,$u['id']]);
 		} else {
 			$finish_delete = true;
 		}
@@ -562,8 +562,8 @@ function db149_user_delete($u, $type = false)
 		$finish_delete = true;
 	}
 	if ($finish_delete == true) {
-		$stmt = $pdo->prepare("UPDATE users SET deleted='yes', deleteddatetime=NOW() WHERE id='{$u['id']}'");
-		$stmt->execute();
+		$stmt = $pdo->prepare("UPDATE users SET deleted='yes', deleteddatetime=NOW() WHERE id=?");
+		$stmt->execute([$u['id']]);
 	}
 }
 
@@ -598,8 +598,8 @@ function db149_user_purge($u, $type = false)
 					$types .= ',';
 				$types .= $t;
 			}
-			$stmt = $pdo->prepare("UPDATE users SET types='$types' WHERE id='{$u['id']}'");
-			$stmt->execute();
+			$stmt = $pdo->prepare("UPDATE users SET types=? WHERE id=?");
+			$stmt->execute([$types,$u['id']]);
 		} else {
 			$finish_purge = true;
 		}
@@ -610,21 +610,21 @@ function db149_user_purge($u, $type = false)
 		 */
 		call_user_func("db149_user_delete_$type", $u);
 		//		call_user_func("user_purge_$type", $u);
-		$stmt = $pdo->prepare("DELETE FROM users_$type WHERE users_id='{$u['id']}'");
-		$stmt->execute();
+		$stmt = $pdo->prepare("DELETE FROM users_? WHERE users_id=?");
+		$stmt->execute([$type,$u['id']]);
 	} else {
 		/* Delete the whole user */
 		foreach ($u['types'] as $t) {
 			call_user_func("db149_user_delete_$t", $u);
 			//			call_user_func("user_purge_$t", $u);
-			$stmt = $pdo->prepare("DELETE FROM users_$t WHERE users_id='{$u['id']}'");
-			$stmt->execute();
+			$stmt = $pdo->prepare("DELETE FROM users_? WHERE users_id=?");
+			$stmt->execute([$t,$u['id']]);
 		}
 		$finish_purge = true;
 	}
 	if ($finish_purge == true) {
-		$stmt = $pdo->prepare("DELETE FROM users WHERE id='{$u['id']}'");
-		$stmt->execute();
+		$stmt = $pdo->prepare("DELETE FROM users WHERE id=?");
+		$stmt->execute([$u['id']]);
 	}
 }
 
@@ -633,8 +633,8 @@ function db149_user_dupe_row($db, $key, $val, $newval)
 {
 	global $config;
 	$nullfields = array('deleteddatetime');  /* Fields that can be null */
-	$q = $pdo->prepare("SELECT * FROM $db WHERE $key='$val'");
-	$q->exectue();
+	$q = $pdo->prepare("SELECT * FROM ? WHERE ?=?");
+	$q->exectue([$db,$key,$val]);
 	if ($q->rowCount() != 1) {
 		echo "ERROR duplicating row in $db: $key=$val NOT FOUND.\n";
 		exit;
@@ -654,10 +654,10 @@ function db149_user_dupe_row($db, $key, $val, $newval)
 	$keys = '`' . join('`,`', array_keys($i)) . '`';
 	$vals = join(',', array_values($i));
 
-	$q = "INSERT INTO $db ($keys) VALUES ($vals)";
+	$q = "INSERT INTO ? (?) VALUES (?)";
 	//	echo "Dupe Query: [$q]";
 	$r = $pdo->prepare($q);
-	$r->execute(0);
+	$r->execute([0,$db,$keys,$vals]);
 	show_pdo_errors_if_any($pdo);
 
 	$id = $pdo->lastInsertId();
@@ -677,9 +677,9 @@ function db149_user_dupe($u, $new_year)
 	 */
 
 	/* Find the last entry */
-	$q = $pdo->prepare("SELECT id,uid,year,deleted FROM users WHERE uid='{$u['uid']}'
+	$q = $pdo->prepare("SELECT id,uid,year,deleted FROM users WHERE uid=?
 				ORDER BY year DESC LIMIT 1");
-	$q->execute();
+	$q->execute([$u['uid']]);
 	$r = $q->fetch(PDO::FETCH_OBJ);
 	if ($r->deleted == 'yes') {
 		echo "Cannot duplicate user ID {$u['id']}, they are deleted.  Undelete them first.\n";
@@ -691,8 +691,8 @@ function db149_user_dupe($u, $new_year)
 	}
 
 	$id = db149_user_dupe_row('users', 'id', $u['id'], NULL);
-	$q = $pdo->prepare("UPDATE users SET year='$new_year' WHERE id='$id'");
-	$q->execute();
+	$q = $pdo->prepare("UPDATE users SET year=? WHERE id=?");
+	$q->execute([$new_year,$id]);
 	/* Load the new user */
 	$u2 = db149_user_load($id);
 
@@ -743,16 +743,16 @@ function db149_user_create($type, $username, $u = NULL)
 		$stmt = $pdo->prepare("INSERT INTO users (`types`,`username`,`passwordset`,`created`,`year`) 
 		
 		
-			VALUES ('$type','$username','0000-00-00', NOW(), '{$config['FAIRYEAR']}')");
-		$stmt->execute();
+			VALUES (?,?,'0000-00-00', NOW(),?)");
+		$stmt->execute([$type,$username,$config['FAIRYEAR']]);
 		show_pdo_errors_if_any($pdo);
 		$uid = $pdo->lastInsertId();
 		if (db149_user_valid_email($username)) {
-			$stmt = $pdo->prepare("UPDATE users SET email='$username' WHERE id='$uid'");
+			$stmt = $pdo->prepare("UPDATE users SET email=? WHERE id=?");
 		}
 
-		$stmt = $pdo->prepare("UPDATE users SET uid='$uid' WHERE id='$uid'");
-		$stmt->execute();
+		$stmt = $pdo->prepare("UPDATE users SET uid=? WHERE id=?");
+		$stmt->execute([$username,$uid,$uid,$uid]);
 
 		show_pdo_errors_if_any($pdo);
 
@@ -762,8 +762,8 @@ function db149_user_create($type, $username, $u = NULL)
 		 * Since the user already has a type, user_save won't create this
 		 * entry for us, so do it here
 		 */
-		$stmt = $pdo->prepare("INSERT INTO users_$type (users_id) VALUES('$uid')");
-		$stmt->execute();
+		$stmt = $pdo->prepare("INSERT INTO users_? (users_id) VALUES(?)");
+		$stmt->execute([$type,$uid]);
 
 		show_pdo_errors_if_any($pdo);
 
diff --git a/db/db.update.155.php b/db/db.update.155.php
index 5c484b22..fd71acdd 100644
--- a/db/db.update.155.php
+++ b/db/db.update.155.php
@@ -9,11 +9,11 @@ function db_update_155_post()
 	while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 		echo "Updating email id $r->id\n";
 		$stmt = $pdo->prepare("UPDATE emails SET
-		body='" . iconv('ISO-8859-1', 'UTF-8//TRANSLIT', $r->body) . "' ,
-		bodyhtml='" . iconv('ISO-8859-1', 'UTF-8//TRANSLIT', $r->bodyhtml) . "' ,
-		subject='" . iconv('ISO-8859-1', 'UTF-8//TRANSLIT', $r->subject) . "'
+		body=?,
+		bodyhtml=?,
+		subject=?
 		WHERE id='$r->id'");
-		$stmt->execute();
+		$stmt->execute([iconv('ISO-8859-1', 'UTF-8//TRANSLIT', $r->body),iconv('ISO-8859-1', 'UTF-8//TRANSLIT', $r->bodyhtml),iconv('ISO-8859-1', 'UTF-8//TRANSLIT', $r->subject)]);
 	}
 }
 
diff --git a/db/db.update.174.php b/db/db.update.174.php
index 414a03b6..4da744b2 100644
--- a/db/db.update.174.php
+++ b/db/db.update.174.php
@@ -5,9 +5,9 @@ function db_update_174_post()
 
 	$q = $pdo->prepare("SELECT * FROM users WHERE deleted = 'yes'");
 	while ($row = $q->fetch(PDO::FETCH_ASSOC)) {
-		echo 'Flagging user records prior to ' . $row['year'] . ' for user ' . $row['uid'] . ' as deleted - ';
-		$stmt = $pdo->prepare("UPDATE users SET deleted = 'yes' WHERE uid = " . $row['uid'] . ' AND year < ' . $row['year']);
-		$stmt->execute();
+		echo 'Flagging user records prior to ? for user ? as deleted - ';
+		$stmt = $pdo->prepare("UPDATE users SET deleted = 'yes' WHERE uid = ? AND year < ?");
+		$stmt->execute([$row['year'],$row['uid'],$row['uid'],$row['year']]);
 		echo $pdo->rowCount() . " rows affected.\n";
 	}
 }
diff --git a/db/db.update.62.php b/db/db.update.62.php
index 079ca2f8..8aac3a31 100644
--- a/db/db.update.62.php
+++ b/db/db.update.62.php
@@ -48,19 +48,19 @@ function db_update_62_post()
 			(`types`,`firstname`,`lastname`,`username`,`password`,`passwordexpiry`,
 			`email`,`phonehome`,`phonework`,`phonecell`,`fax`,`organization`,
 			`created`,`deleted`) 
-			VALUES ('committee','$fn', '$ln', '$username',
-				'" . $c['password'] . "',
-				$passwordexpiry,
-				'{$c['email']}',
-				'{$c['phonehome']}',
-				'{$c['phonework']}',
-				'{$c['phonecell']}',
-				'{$c['fax']}',
-				'" . $c['organization'] . "',
+			VALUES ('committee',?,?,?,
+				?,
+				?,
+				?,
+				?,
+				?,
+				?,
+				?,
+				?,
 				NOW(),
-				'$deleted')";
+				?)";
 		$stmt = $pdo->prepare($q);
-		$stmt->execute();
+		$stmt->execute([$fn,$ln,$username,$c['password'],$passwordexpiry,$c['email'],$c['phonehome'],$c['phonework'],$c['phonecell'],$c['fax'],$c['organization'],$deleted]);
 		echo "$q\n";
 		$id = $pdo->lastInsertId();
 
@@ -71,22 +71,22 @@ function db_update_62_post()
 		$q = "INSERT INTO users_committee(`users_id`,`emailprivate`,
 				`ord`,`displayemail`,`access_admin`,`access_config`,
 				`access_super`) VALUES (
-					'$id', '{$c['emailprivate']}',
-					'{$c['ord']}',
-					'$displayemail',
-					'$access_admin',
-					'$access_config',
-					'$access_super')";
+					?,?,
+					?,
+					?,
+					?,
+					?,
+					?)";
 		$stmt = $pdo->prepare($q);
-		$stmt->execute();
+		$stmt->execute([$id,$c['emailprivate'],$c['ord'],$displayemail,$access_admin,$access_config,$access_super]);
 		echo "$q\n";
 		show_pdo_errors_if_any($pdo);
 
 		/* Update committee links */
-		$q = "UPDATE committees_link SET users_id='$id'
-				WHERE committees_members_id='{$c['id']}'";
+		$q = "UPDATE committees_link SET users_id=?
+				WHERE committees_members_id=?";
 		$stmt = $pdo->prepare($q);
-		$stmt->execute();
+		$stmt->execute([$id,$c['id']]);
 		echo "$q\n";
 	}
 }
diff --git a/db/db.update.75.php b/db/db.update.75.php
index cb34deb6..7cb5ae20 100644
--- a/db/db.update.75.php
+++ b/db/db.update.75.php
@@ -18,8 +18,8 @@ function db_update_75_post()
 		foreach ($sid as $s) {
 			if ($s > 0) {
 				$qq = $pdo->prepare("SELECT id FROM reports WHERE 
-						system_report_id='$s'");
-				$qq->execute();
+						system_report_id=?");
+				$qq->execute([$s]);
 				$ii = $qq->fetch(PDO::FETCH_OBJ);
 				$rid[$x] = $ii->id;
 			} else {
@@ -30,31 +30,32 @@ function db_update_75_post()
 
 		/* Find all committee members */
 		$qq = "INSERT INTO `reports_committee` (`id`, `users_id`, `reports_id`, `category`, `comment`, `format`, `stock`) VALUES
-		(NULL, $uid, {$rid[0]}, '1. Fair Day', 'Checkin Lists for the Front Desk', 'pdf', 'fullpage'),
-		(NULL, $uid, {$rid[1]}, '2. Old Custom Reports', 'School Access Codes and Passwords', 'pdf', 'fullpage'),
-		(NULL, $uid, {$rid[2]}, '2. Old Custom Reports', 'Mailing Label Generator', '', ''),
-		(NULL, $uid, {$rid[3]}, '2. Old Custom Reports', 'Project Summary Details', 'pdf', 'fullpage'),
-		(NULL, $uid, {$rid[4]}, '2. Old Custom Reports', 'Student emergency contact names and numbers', 'pdf', 'fullpage'),
-		(NULL, $uid, {$rid[5]}, '2. Old Custom Reports', 'Students/Projects From Each School', 'pdf', 'fullpage'),
-		(NULL, $uid, {$rid[6]}, '2. Old Custom Reports', 'Project Logistical Requirements (tables, electricity)', 'pdf', 'fullpage'),
-		(NULL, $uid, {$rid[7]}, '2. Old Custom Reports', 'Project Table Labels', 'label', 'fullpage_landscape'),
-		(NULL, $uid, {$rid[8]}, '2. Old Custom Reports', 'Student Nametags', 'label', 'nametag'),
-		(NULL, $uid, {$rid[9]}, '2. Old Custom Reports', 'Judge Nametags', 'label', 'nametag'),
-		(NULL, $uid, {$rid[10]}, '2. Old Custom Reports', 'Committee Member Nametags', 'label', 'nametag'),
-		(NULL, $uid, {$rid[11]}, '2. Old Custom Reports', 'Judges List', 'pdf', 'fullpage'),
-		(NULL, $uid, {$rid[12]}, '2. Old Custom Reports', 'Judging Teams', 'pdf', 'fullpage'),
-		(NULL, $uid, {$rid[13]}, '2. Old Custom Reports', 'Awards each Judging Team will judge for', 'pdf', 'fullpage'),
-		(NULL, $uid, {$rid[14]}, '2. Old Custom Reports', 'Judging Teams Project Assignments', 'pdf', 'fullpage'),
-		(NULL, $uid, {$rid[15]}, '2. Old Custom Reports', 'Projects Judging Team Assignments', 'pdf', 'fullpage'),
-		(NULL, $uid, {$rid[16]}, '2. Old Custom Reports', 'Project Identification Labels (for judging sheets)', 'label', '5961'),
-		(NULL, $uid, {$rid[17]}, '2. Old Custom Reports', 'Award List for Award Ceremony Program', 'pdf', 'fullpage'),
-		(NULL, $uid, {$rid[18]}, '2. Old Custom Reports', 'Winners for each award', 'pdf', 'fullpage');";
+		(NULL, ?, ?, '1. Fair Day', 'Checkin Lists for the Front Desk', 'pdf', 'fullpage'),
+		(NULL, ?, ?, '2. Old Custom Reports', 'School Access Codes and Passwords', 'pdf', 'fullpage'),
+		(NULL, ?, ?, '2. Old Custom Reports', 'Mailing Label Generator', '', ''),
+		(NULL, ?, ?, '2. Old Custom Reports', 'Project Summary Details', 'pdf', 'fullpage'),
+		(NULL, ?, ?, '2. Old Custom Reports', 'Student emergency contact names and numbers', 'pdf', 'fullpage'),
+		(NULL, ?, ?, '2. Old Custom Reports', 'Students/Projects From Each School', 'pdf', 'fullpage'),
+		(NULL, ?, ?, '2. Old Custom Reports', 'Project Logistical Requirements (tables, electricity)', 'pdf', 'fullpage'),
+		(NULL, ?, ?, '2. Old Custom Reports', 'Project Table Labels', 'label', 'fullpage_landscape'),
+		(NULL, ?, ?, '2. Old Custom Reports', 'Student Nametags', 'label', 'nametag'),
+		(NULL, ?, ?, '2. Old Custom Reports', 'Judge Nametags', 'label', 'nametag'),
+		(NULL, ?, ?, '2. Old Custom Reports', 'Committee Member Nametags', 'label', 'nametag'),
+		(NULL, ?, ?, '2. Old Custom Reports', 'Judges List', 'pdf', 'fullpage'),
+		(NULL, ?, ?, '2. Old Custom Reports', 'Judging Teams', 'pdf', 'fullpage'),
+		(NULL, ?, ?, '2. Old Custom Reports', 'Awards each Judging Team will judge for', 'pdf', 'fullpage'),
+		(NULL, ?, ?, '2. Old Custom Reports', 'Judging Teams Project Assignments', 'pdf', 'fullpage'),
+		(NULL, ?, ?, '2. Old Custom Reports', 'Projects Judging Team Assignments', 'pdf', 'fullpage'),
+		(NULL, ?, ?, '2. Old Custom Reports', 'Project Identification Labels (for judging sheets)', 'label', '5961'),
+		(NULL, ?, ?, '2. Old Custom Reports', 'Award List for Award Ceremony Program', 'pdf', 'fullpage'),
+		(NULL, ?, ?, '2. Old Custom Reports', 'Winners for each award', 'pdf', 'fullpage');";
 
 		echo $qq;
 		echo "\n\n";
 
 		$stmt = $pdo->prepare($qq);
-		$stmt->execute();
+		$stmt->execute([$uid,$rid[0],$uid,$rid[1],$uid,$rid[2],$uid,$rid[3],$uid,$rid[4],$uid,$rid[5],$uid,$rid[6],$uid,$rid[7],$uid,$rid[8],$uid,$rid[9],$uid,$rid[10],$uid,$rid[11],$uid,$rid[12],$uid,$rid[13],$uid,$rid[14],$uid,$rid[15],$uid,$rid[16],$uid,$rid[17],$uid,$rid[18]]);
+
 	}
 }
 
diff --git a/db/db.update.76.php b/db/db.update.76.php
index dca7da65..93a35849 100644
--- a/db/db.update.76.php
+++ b/db/db.update.76.php
@@ -15,8 +15,8 @@ function db_update_76_pre()
 		if ($user == '')
 			continue;
 
-		$qq = $pdo->prepare("SELECT * FROM users WHERE username='$user'");
-		$qq->execute();
+		$qq = $pdo->prepare("SELECT * FROM users WHERE username=?");
+		$qq->execute([$user]);
 		if ($qq->rowCount() <= 1)
 			continue;
 
@@ -60,16 +60,16 @@ function db_update_76_pre()
 			}
 		}
 
-		$query = "UPDATE users SET $query WHERE id='$cid'";
+		$query = "UPDATE users SET ? WHERE id=?";
 		echo "$query\n";
 		$stmt = $pdo->prepare($query);
-		$stmt->execute();
+		$stmt->execute([$query,$cid]);
 
 		/* Now fix the volunteers links */
-		$query = "UPDATE volunteer_positions_signup SET users_id='$cid' WHERE users_id='$vid'";
+		$query = "UPDATE volunteer_positions_signup SET users_id=? WHERE users_id=?";
 		echo "$query\n";
 		$stmt = $pdo->prepare($query);
-		$stmt->execute();
+		$stmt->execute([$cid,$vid]);
 
 		/*
 		 * The user_volunteer table is empty, we should just delete it,
@@ -77,10 +77,10 @@ function db_update_76_pre()
 		 */
 
 		/* Delete the old user */
-		$query = "DELETE FROM users WHERE id='$vid'";
+		$query = "DELETE FROM users WHERE id=?";
 		echo "$query\n";
 		$stmt = $pdo->prepare($query);
-		$stmt->execute();
+		$stmt->execute([$vid]);
 	}
 }
 
diff --git a/db/db.update.81.php b/db/db.update.81.php
index c874b63b..d6f11851 100644
--- a/db/db.update.81.php
+++ b/db/db.update.81.php
@@ -5,8 +5,8 @@ function db_update_81_post()
 	$q->execute();
 	while ($i = $q->fetch(PDO::FETCH_OBJ)) {
 		$asid = $i->award_sponsors_id;
-		$stmt = $pdo->prepare("UPDATE award_contacts SET `primary`='yes' WHERE award_sponsors_id='$asid' LIMIT 1");
-		$stmt->execute();
+		$stmt = $pdo->prepare("UPDATE award_contacts SET `primary`='yes' WHERE award_sponsors_id=? LIMIT 1");
+		$stmt->execute([$asid]);
 	}
 }
 ?>
diff --git a/db/db.update.87.php b/db/db.update.87.php
index 2c042f58..2174834f 100644
--- a/db/db.update.87.php
+++ b/db/db.update.87.php
@@ -40,10 +40,10 @@ function db_update_87_post()
 			}
 		}
 		if ($newval != false) {
-			$query = "UPDATE users SET passwordset=$newval WHERE id='$id'";
+			$query = "UPDATE users SET passwordset=? WHERE id=?";
 			echo "$query\n";
 			$stmt = $pdo->prepare($query);
-			$stmt->execute();
+			$stmt->execute([$newval,$id]);
 		}
 	}
 }
diff --git a/db/db_update.php b/db/db_update.php
index 59dddd9e..11848978 100644
--- a/db/db_update.php
+++ b/db/db_update.php
@@ -38,8 +38,8 @@ $r = $q->fetch(PDO::FETCH_OBJ);
 $config = array('FAIRYEAR' => $r->val);
 
 /* Load config just in case there's a PHP script that wants it */
-$q = $pdo->prepare("SELECT * FROM config WHERE year='{$config['FAIRYEAR']}'");
-$q->execute();
+$q = $pdo->prepare("SELECT * FROM config WHERE year=?");
+$q->execute([$config['FAIRYEAR']]);
 while ($r = $q->fetch(PDO::FETCH_OBJ))
 	$config[$r->var] = $r->val;
 
@@ -129,8 +129,8 @@ if ($dbcodeversion && $dbdbversion) {
 		}
 
 		echo "\nAll done - updating new DB version to $dbcodeversion\n";
-		$stmt = $pdo->prepare("UPDATE config SET val='$dbcodeversion' WHERE var='DBVERSION' AND year='0'");
-		$stmt->execute();
+		$stmt = $pdo->prepare("UPDATE config SET val=? WHERE var='DBVERSION' AND year='0'");
+		$stmt->execute([$dbcodeversion]);
 	}
 } else {
 	echo "ERROR: dbcodeversion and dbdbversion are not defined\n";
diff --git a/fair_additional_materials.inc.php b/fair_additional_materials.inc.php
index 2a679a65..e52c37b0 100644
--- a/fair_additional_materials.inc.php
+++ b/fair_additional_materials.inc.php
@@ -42,9 +42,9 @@ function fair_additional_materials($fair, $award, $year)
 	/* Grab a list of winners */
 	$q = $pdo->prepare("SELECT * FROM award_prizes
 				LEFT JOIN winners ON winners.awards_prizes_id=award_prizes.id
-			WHERE winners.year='$year' 
-				AND winners.fairs_id='{$fair['id']}'");
-	$q->execute();
+			WHERE winners.year=? 
+				AND winners.fairs_id=?");
+	$q->execute([$year, $fair['id']]);
 	while ($r = $q->fetch()) {
 		$pid = $r['projects_id'];
 		$rep->newPage('', '', 1);
diff --git a/fair_info.php b/fair_info.php
index 30486d52..90284a63 100644
--- a/fair_info.php
+++ b/fair_info.php
@@ -72,13 +72,13 @@ switch (get_value_from_array($_GET, 'action')) {
 		$enable_awards = ($_POST['enable_awards'] == 'yes') ? 'yes' : 'no';
 		$enable_winners = ($_POST['enable_winners'] == 'yes') ? 'yes' : 'no';
 
-		$q = $pdo->prepare("UPDATE contacts SET name = $name, abbrv = '$abbrv', url = '$url', website='$website',
-				type='$type' , username='$username',
-				password='$password',
-				enable_stats='$enable_stats',
-				enable_awards='$enable_awards',
-				enable_winners='$enable_winners' WHERE id = $id");
-		$q->execute([$name, $age, $email, $id]);
+		$q = $pdo->prepare("UPDATE contacts SET name =?, abbrv =?, url =?, website=?,
+				type=? , username=?,
+				password=?,
+				enable_stats=?,
+				enable_awards=?,
+				enable_winners=? WHERE id =?");
+		$q->execute([$name, $abbrv, $url, $website, $type, $username, $password, $enable_stats, $enable_awards, $enable_winners, $age, $email, $id]);
 
 		$u['fairs_id'] = $id;
 		user_save($u);
@@ -130,8 +130,8 @@ function fairinfo_save()
 
 <?
 /* Load the fair info */
-$q = $pdo->prepare('SELECT * FROM fairs WHERE id=' . $u['fairs_id'] . '');
-$q->execute();
+$q = $pdo->prepare('SELECT * FROM fairs WHERE id=?');
+$q->execute([$u['fairs_id']]);
 
 if ($q->rowCount() != 0) {
 	$f = $q->fetch();
diff --git a/fair_stats.php b/fair_stats.php
index aaee63df..0dc44d76 100644
--- a/fair_stats.php
+++ b/fair_stats.php
@@ -61,8 +61,8 @@ switch (get_value_from_array($_GET, 'action')) {
 			':fairs_id' => $u['fairs_id'],
 			':year' => $year
 		]);
-		$stmt = $pdo->prepare("INSERT INTO fairs_stats (`id`,$keys) VALUES ('',$vals)");
-		$stmt->execute();
+		$stmt = $pdo->prepare("INSERT INTO fairs_stats (`id`,?) VALUES ('',?)");
+		$stmt->execute([$keys,$vals]);
 
 		happy_('Fair Information Saved.');
 		exit;
diff --git a/judge.inc.php b/judge.inc.php
index a89503fe..8798c75c 100644
--- a/judge.inc.php
+++ b/judge.inc.php
@@ -48,15 +48,15 @@ function judge_status_expertise(&$u)
 	}
 
 	/* Check to see if they have ranked all project age categories, and all divisions */
-	$q = $pdo->prepare("SELECT COUNT(id) AS num FROM projectcategories WHERE year='" . $config['FAIRYEAR'] . "'");
-	$q->execute();
+	$q = $pdo->prepare("SELECT COUNT(id) AS num FROM projectcategories WHERE year=?");
+	$q->execute([$config['FAIRYEAR']]);
 	$r = $q->fetch(PDO::FETCH_OBJ);
 	$numcats = $r->num;
 	if ($numcats != count(get_value_from_array($u, 'cat_prefs', [])))
 		return 'incomplete';
 
-	$q = $pdo->prepare("SELECT COUNT(id) AS num FROM projectdivisions WHERE year='" . $config['FAIRYEAR'] . "'");
-	$q->execute();
+	$q = $pdo->prepare("SELECT COUNT(id) AS num FROM projectdivisions WHERE year=?");
+	$q->execute([$config['FAIRYEAR']]);
 	$r = $q->fetch(PDO::FETCH_OBJ);
 	$numdivisions = $r->num;
 	if ($numdivisions != count($u['div_prefs']))
@@ -85,16 +85,16 @@ function judge_status_questions($u)
 	 */
 	global $config, $pdo;
 	// get the questions we're looking for
-	$q = $pdo->prepare('SELECT id FROM questions WHERE year=' . $config['FAIRYEAR'] . " AND required='yes'");
-	$q->execute();
+	$q = $pdo->prepare('SELECT id FROM questions WHERE year=? AND required=yes');
+	$q->execute([$config['FAIRYEAR']]);
 	$idList = array();
 	while ($row = $q->fetch(PDO::FETCH_ASSOC))
 		$idList[] = $row['id'];
 
 	$rval = 'complete';
 	if (count($idList)) {
-		$q = $pdo->prepare('SELECT COUNT(*) AS tally FROM question_answers WHERE questions_id IN(' . implode(',', $idList) . ') AND users_id=' . $u['id'] . ' AND answer IS NOT NULL');
-		$q->execute();
+		$q = $pdo->prepare('SELECT COUNT(*) AS tally FROM question_answers WHERE questions_id IN(' . implode(',', $idList) . ') AND users_id=? AND answer IS NOT NULL');
+		$q->execute([$u['id']]);
 		$row = $q->fetch(PDO::FETCH_ASSOC);
 		if (intval($row['tally']) != count($idList))
 			$rval = 'incomplete';
@@ -116,8 +116,8 @@ function judge_status_special_awards(&$u)
 	 */
 
 	$qq = $pdo->prepare("SELECT COUNT(id) AS num FROM judges_specialaward_sel 
-				WHERE users_id='{$u['id']}'");
-	$qq->execute();
+				WHERE users_id=?");
+	$qq->execute([$u['id']]);
 	$rr = $qq->fetch(PDO::FETCH_OBJ);
 	$awards_selected = $rr->num;
 	//	echo "$awards_selected awards selected, ({$config['judges_specialaward_min']} - {$config['judges_specialaward_max']})";
@@ -148,8 +148,8 @@ function judge_status_availability(&$u)
 	if ($config['judges_availability_enable'] == 'no')
 		return 'complete';
 
-	$q = $pdo->prepare("SELECT id FROM judges_availability 
-			WHERE users_id=\"{$u['id']}\"");
+		$q = $pdo->prepare("SELECT id FROM judges_availability WHERE users_id=?");
+		$q->execute([$u['id']]);		
 	if ($q->rowCount() > 0)
 		return 'complete';
 
diff --git a/judge_availability.php b/judge_availability.php
index 740c0c4c..70cc726c 100644
--- a/judge_availability.php
+++ b/judge_availability.php
@@ -49,8 +49,8 @@ $u = user_load($eid);
 $times = array();
 
 /* Load the judging rounds */
-$q = $pdo->prepare("SELECT date,starttime,endtime,name FROM judges_timeslots WHERE round_id='0' AND year='{$config['FAIRYEAR']}' ORDER BY starttime,type");
-$q->execute();
+$q = $pdo->prepare("SELECT date,starttime,endtime,name FROM judges_timeslots WHERE round_id='0' AND year=? ORDER BY starttime,type");
+$q->execute([$config['FAIRYEAR']]);
 $x = 0;
 while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 	$found = false;
@@ -72,8 +72,8 @@ while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 
 switch (get_value_from_array($_GET, 'action')) {
 	case 'save':
-		$stmt = $pdo->prepare("DELETE FROM judges_availability WHERE users_id='{$u['id']}'");
-		$stmt->execute();
+		$stmt = $pdo->prepare("DELETE FROM judges_availability WHERE users_id=?");
+		$stmt->execute([$u['id']]);
 
 		if (is_array($_POST['time'])) {
 			foreach ($_POST['time'] as $x) {
@@ -81,10 +81,10 @@ switch (get_value_from_array($_GET, 'action')) {
 					continue;
 
 				$stmt = $pdo->prepare("INSERT INTO judges_availability (users_id, `date`,`start`,`end`) 
-					VALUES ('{$u['id']}',
-					'{$times[$x]['date']}',
-					'{$times[$x]['starttime']}','{$times[$x]['endtime']}')");
-				$stmt->execute();
+					VALUES (?,
+					?,
+					?,?)");
+				$stmt->execute([$u['id'],$times[$x]['date'],$times[$x]['starttime'],$times[$x]['endtime']]);
 			}
 		}
 		happy_('Time Availability preferences successfully saved');
@@ -129,8 +129,8 @@ if (get_value_from_array($_SESSION, 'embed') != true) {
 <table>
 <?
 /* Get all their available times */
-$q = $pdo->prepare("SELECT * FROM judges_availability WHERE users_id=\"{$u['id']}\" ORDER BY `start`");
-$q->execute();
+$q = $pdo->prepare("SELECT * FROM judges_availability WHERE users_id=? ORDER BY `start`");
+$q->execute([$u['id']]);
 $sel = array();
 while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 	foreach ($times as $x => $t) {
diff --git a/judge_expertise.php b/judge_expertise.php
index c40061fb..ccb55ba6 100644
--- a/judge_expertise.php
+++ b/judge_expertise.php
@@ -133,8 +133,8 @@ if ($u['special_award_only'] == 'yes') {
 echo "<form name=\"expertiseform\" id=\"judgeexpertise_form\">\n";
 echo "<input type=\"hidden\" name=\"users_id\" value=\"{$u['id']}\">\n";
 
-$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year='{$config['FAIRYEAR']}' ORDER BY mingrade");
-$q->execute();
+$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year=? ORDER BY mingrade");
+$q->execute([$config['FAIRYEAR']]);
 echo '<br /><h4>' . i18n('Age Category Preferences') . '</h4><br>';
 echo '<table class="editor" style="width: 300px;" >';
 while ($r = $q->fetch(PDO::FETCH_OBJ)) {
@@ -171,8 +171,8 @@ echo '<br />';
 echo "<table>\n";
 
 // query all of the categories
-$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year='{$config['FAIRYEAR']}' ORDER BY division");
-$q->execute();
+$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year=? ORDER BY division");
+$q->execute([$config['FAIRYEAR']]);
 $first = true;
 $trclass = '';
 while ($r = $q->fetch(PDO::FETCH_OBJ)) {
@@ -199,8 +199,8 @@ while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 
 	// only show the sub-divisions if the 'main' division is scored >=3
 	if ($u['div_prefs'][$r->id] >= 3) {
-		$subq = $pdo->prepare("SELECT * FROM projectsubdivisions WHERE projectdivisions_id='$r->id' AND year='" . $config['FAIRYEAR'] . "' ORDER BY subdivision");
-		$subq->execute();
+		$subq = $pdo->prepare("SELECT * FROM projectsubdivisions WHERE projectdivisions_id=? AND year=? ORDER BY subdivision");
+		$subq->execute([$r->id, $config['FAIRYEAR']]);
 		while ($subr = $subq->fetch(PDO::FETCH_OBJ)) {
 			echo '<tr>';
 			echo '<td>&nbsp;</td>';
diff --git a/judge_main.php b/judge_main.php
index 1bdfb07b..8b33756e 100644
--- a/judge_main.php
+++ b/judge_main.php
@@ -49,8 +49,8 @@ echo '<br />';
 
 $scheduleok = false;
 if ($config['dates']['judgescheduleavailable'] && $config['dates']['judgescheduleavailable'] != '0000-00-00 00:00:00') {
-	$q = $pdo->prepare("SELECT (NOW()>'" . $config['dates']['judgescheduleavailable'] . "') AS test");
-	$q->execute();
+	$q = $pdo->prepare("SELECT (NOW()>?) AS test");
+	$q->execute([$config['dates']['judgescheduleavailable']]);
 	$r = $q->fetch(PDO::FETCH_OBJ);
 	$scheduleok = $r->test;
 } else {
@@ -64,8 +64,8 @@ if ($scheduleok) {
 	 * it's less obvious below
 	 */
 	$q = $pdo->prepare("SELECT id FROM judges_teams_link WHERE
-				users_id='{$u['id']}' AND year='{$config['FAIRYEAR']}'");
-	$q->execute();
+				users_id=? AND year=?");
+	$q->execute([$u['id'], $config['FAIRYEAR']]);
 	if ($q->rowCount() > 0) {
 		echo '<span style="font-size: 1.2em; font-weight: bold;">';
 		echo i18n('You have been assigned to a judging team.  %1Click here%2 to view the judging schedule',
diff --git a/judge_project_summary.php b/judge_project_summary.php
index bceec950..5b76be87 100644
--- a/judge_project_summary.php
+++ b/judge_project_summary.php
@@ -31,9 +31,9 @@ user_auth_required(array('judge', 'committee'));
 $pn = stripslashes($_GET['pn']);
 
 $q = $pdo->prepare("SELECT * FROM projects WHERE 
-			projectnumber='$pn'
-			AND year='{$config['FAIRYEAR']}'");
-$q->execute();
+			projectnumber=?
+			AND year=?");
+$q->execute([$pn, $config['FAIRYEAR']]);
 if ($q->rowCount() == 0) {
 	echo 'not found';
 	exit;
@@ -43,9 +43,9 @@ $pi = $q->fetch(PDO::FETCH_OBJ);
 $sq = $pdo->prepare("SELECT firstname,lastname,school FROM students 
 		LEFT JOIN schools ON schools.id = students.schools_id
 		WHERE
-		registrations_id='{$pi->registrations_id}'
-		AND students.year='{$config['FAIRYEAR']}'");
-$sq->execute();
+		registrations_id=?
+		AND students.year=?");
+$sq->execute([$pi->registrations_id, $config['FAIRYEAR']]);
 
 $student = array();
 while ($si = $sq->fetch(PDO::FETCH_OBJ)) {
diff --git a/judge_schedule.php b/judge_schedule.php
index 02f06602..d576d014 100644
--- a/judge_schedule.php
+++ b/judge_schedule.php
@@ -57,8 +57,8 @@ send_header('Schedule',
 
 $scheduleok = false;
 if ($config['dates']['judgescheduleavailable'] && $config['dates']['judgescheduleavailable'] != '0000-00-00 00:00:00') {
-	$q = $pdo->prepare("SELECT (NOW()>'" . $config['dates']['judgescheduleavailable'] . "') AS test");
-	$q->execute();
+	$q = $pdo->prepare("SELECT (NOW()>?");
+	$q->execute([$config['dates']['judgescheduleavailable']]);
 	$r = $q->fetch(PDO::FETCH_OBJ);
 	$scheduleok = $r->test;
 } else {
@@ -76,17 +76,17 @@ if (!$scheduleok) {
 /* Find all judging teams this judge is on */
 $q = $pdo->prepare("SELECT * FROM judges_teams_link
 			LEFT JOIN judges_teams ON judges_teams.id=judges_teams_link.judges_teams_id
-			WHERE judges_teams_link.users_id='{$u['id']}'
-			AND judges_teams_link.year='{$config['FAIRYEAR']}'");
-$q->execute();
+			WHERE judges_teams_link.users_id=?
+			AND judges_teams_link.year=?");
+$q->execute([$u['id'], $config['FAIRYEAR']]);
 $teams = array();
 while ($t = $q->fetch(PDO::FETCH_ASSOC)) {
 	/* Load timeslot data for this team (team -> judges_timeslots_link -> timeslot -> parent timeslot */
 	$qq = $pdo->prepare("SELECT T.* FROM judges_teams_timeslots_link
 				LEFT JOIN judges_timeslots ON judges_timeslots.id=judges_teams_timeslots_link.judges_timeslots_id
 				LEFT JOIN judges_timeslots AS T ON T.id=judges_timeslots.round_id
-				WHERE judges_teams_timeslots_link.judges_teams_id={$t['judges_teams_id']}");
-	$qq->execute();
+				WHERE judges_teams_timeslots_link.judges_teams_id=?");
+	$qq->execute([$t['judges_teams_id']]);
 	$tt = $qq->fetch(PDO::FETCH_ASSOC);
 	show_pdo_errors_if_any($pdo);
 	$t['timeslot'] = $tt;
@@ -95,8 +95,8 @@ while ($t = $q->fetch(PDO::FETCH_ASSOC)) {
 	$qq = $pdo->prepare("SELECT award_awards.*,T.type FROM judges_teams_awards_link
 				LEFT JOIN award_awards ON award_awards.id=judges_teams_awards_link.award_awards_id
 				LEFT JOIN award_types as T ON T.id=award_awards.award_types_id
-				WHERE judges_teams_awards_link.judges_teams_id={$t['judges_teams_id']}");
-	$qq->execute();
+				WHERE judges_teams_awards_link.judges_teams_id=?");
+	$qq->execute([$t['judges_teams_id']]);
 	show_pdo_errors_if_any($pdo);
 	$aa = $qq->fetch(PDO::FETCH_ASSOC);
 	$t['award'] = $aa;
@@ -104,9 +104,9 @@ while ($t = $q->fetch(PDO::FETCH_ASSOC)) {
 	/* Load team members */
 	$qq = $pdo->prepare("SELECT * FROM judges_teams_link 
 				LEFT JOIN users ON users.id=judges_teams_link.users_id
-				WHERE judges_teams_link.judges_teams_id={$t['judges_teams_id']}
+				WHERE judges_teams_link.judges_teams_id=?
 				ORDER BY judges_teams_link.captain,users.lastname,users.firstname");
-	$qq->execute();
+	$qq->execute([$t['judges_teams_id']]);
 	$t['members'] = array();
 
 	while (($mm = $qq->fetch(PDO::FETCH_ASSOC))) {
@@ -116,8 +116,8 @@ while ($t = $q->fetch(PDO::FETCH_ASSOC)) {
 	/* Load projects */
 	$qq = $do->prepare("SELECT projects.id,projects.projectnumber,projects.title FROM judges_teams_timeslots_projects_link
 				LEFT JOIN projects ON projects.id=judges_teams_timeslots_projects_link.projects_id
-				WHERE judges_teams_id={$t['judges_teams_id']}");
-	$qq->execute();
+				WHERE judges_teams_id=?");
+	$qq->execute([$t['judges_teams_id']]);
 	$p = array();
 	while (($pp = $qq->fetch(PDO::FETCH_ASSOC)))
 		$p[] = $pp;
diff --git a/judge_special_awards.php b/judge_special_awards.php
index cadb22b0..c363f2c9 100644
--- a/judge_special_awards.php
+++ b/judge_special_awards.php
@@ -50,14 +50,14 @@ $u = user_load($eid);
 switch (get_value_from_array($_GET, 'action')) {
 	case 'save':
 		// first delete all their old associations for this year..
-		$stmt = $pdo->prepare("DELETE FROM judges_specialaward_sel WHERE users_id='{$u['id']}'");
-		$stmt->execute();
+		$stmt = $pdo->prepare("DELETE FROM judges_specialaward_sel WHERE users_id=?");
+		$stmt->execute([$u['id']]);
 
 		if (array_key_exists('spaward', $_POST)) {
 			foreach ($_POST['spaward'] AS $aid) {
 				$stmt = $pdo->prepare("INSERT INTO judges_specialaward_sel (users_id, award_awards_id) 
-					VALUES ('{$u['id']}','$aid')");
-				$stmt->execute();
+					VALUES (?,?)");
+				$stmt->execute([$u['id'], $aid]);
 			}
 		}
 		happy_('Special Award preferences successfully saved');
@@ -110,8 +110,8 @@ if ($u['special_award_only'] == 'yes') {
 echo '<br />';
 echo '<br />';
 
-$q = $pdo->prepare("SELECT * FROM judges_specialaward_sel WHERE users_id='{$u['id']}'");
-$q->execute();
+$q = $pdo->prepare("SELECT * FROM judges_specialaward_sel WHERE users_id=?");
+$q->execute([$u['id']]);
 $spawards = array();
 while ($r = $q->fetch(PDO::FETCH_OBJ))
 	$spawards[] = $r->award_awards_id;
@@ -131,11 +131,11 @@ $q = $pdo->prepare("SELECT award_awards.id,
 			award_types.id=award_awards.award_types_id\t\t
 			AND sponsors.id=award_awards.sponsors_id\t\t
 			AND (award_types.type='Special' OR award_types.type='Other')
-			AND award_awards.year='{$config['FAIRYEAR']}' 
-			AND award_types.year='{$config['FAIRYEAR']}' 
+			AND award_awards.year=? 
+			AND award_types.year=? 
 		ORDER BY 
 			name");
-$q->execute();
+$q->execute([$config['FAIRYEAR'], $config['FAIRYEAR']]);
 show_pdo_errors_if_any($pdo);
 while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 	?>
diff --git a/lpdf.php b/lpdf.php
index c0c2d2dd..dcb6bc66 100644
--- a/lpdf.php
+++ b/lpdf.php
@@ -223,8 +223,8 @@ class lpdf
 //				echo "breaking because nr==prevnr ($nr==$prevnr) trying to output [$textstr] (debug: fontsize=$fontsize, lineheight=$lineheight, stringwidth=$stringwidth, left=".$this->loc(0.75).", top=".$this->loc($this->yloc).", width=".$this->loc(7).", height=$lineheight)\n";
 				break;
 			}
-			$q=$pdo->prepare("SELECT * FROM translations WHERE lang='".$_SESSION['lang']."' AND strmd5='".md5($str)."'");
-			$q->execute();
+			$q=$pdo->prepare("SELECT * FROM translations WHERE lang=? AND strmd5=?");
+			$q->execute([$_SESSION['lang'], md5($str)]);
 			if($r=$q->fetch(PDO::FETCH_OBJ))
 
 			$prevnr=$nr;
diff --git a/projects.inc.php b/projects.inc.php
index 6765eb15..6910f871 100644
--- a/projects.inc.php
+++ b/projects.inc.php
@@ -42,17 +42,17 @@ function getProjectsEligibleForAward($award_id)
 				award_awards_projectdivisions,
 				projects
 			WHERE
-				award_awards.id='$award_id'
+				award_awards.id=?
 				AND award_awards.id=award_awards_projectcategories.award_awards_id
 				AND award_awards.id=award_awards_projectdivisions.award_awards_id
 				AND projects.projectcategories_id=award_awards_projectcategories.projectcategories_id
 				AND projects.projectdivisions_id=award_awards_projectdivisions.projectdivisions_id
 				AND projects.projectnumber is not null
-				AND projects.year='" . $config['FAIRYEAR'] . "'
+				AND projects.year=?'
 			ORDER BY
 				projectsort
 				");
-	$prjq->execute();
+	$prjq->execute($award_id, [$config['FAIRYEAR']]);
 	$projects = array();
 	while ($prjr = $prjq->fetch(PDO::FETCH_OBJ)) {
 		$projects[$prjr->projectnumber] = array(
@@ -76,17 +76,17 @@ function getLanguagesOfProjectsEligibleForAward($award_id)
 				award_awards_projectdivisions,
 				projects
 			WHERE
-				award_awards.id='$award_id'
+				award_awards.id=?
 				AND award_awards.id=award_awards_projectcategories.award_awards_id
 				AND award_awards.id=award_awards_projectdivisions.award_awards_id
 				AND projects.projectcategories_id=award_awards_projectcategories.projectcategories_id
 				AND projects.projectdivisions_id=award_awards_projectdivisions.projectdivisions_id
 				AND projects.projectnumber is not null
-				AND projects.year='" . $config['FAIRYEAR'] . "'
+				AND projects.year=?
 			ORDER BY
 				language
 				");
-	$prjq->execute();
+	$prjq->execute([$award_id, $config['FAIRYEAR']]);
 	$languages = array();
 	while ($r = $prjq->fetch(PDO::FETCH_OBJ)) {
 		if ($r->language)
@@ -100,8 +100,8 @@ function getProjectsEligibleOrNominatedForAwards($awards_ids_array)
 	global $pdo;
 	$projects = array();
 	foreach ($awards_ids_array AS $award_id) {
-		$q = $pdo->prepare("SELECT award_types.type FROM award_awards, award_types WHERE award_awards.id='$award_id' AND award_awards.award_types_id=award_types.id");
-		$q->execute();
+		$q = $pdo->prepare("SELECT award_types.type FROM award_awards, award_types WHERE award_awards.id=? AND award_awards.award_types_id=award_types.id");
+		$q->execute([$award_id]);
 		$r = $q->fetch(PDO::FETCH_OBJ);
 
 		$awardprojects = array();
@@ -149,14 +149,14 @@ function getSpecialAwardsEligibleForProject($projectid)
 				AND projects.projectcategories_ipreparequeryd=award_awards_projectcategories.projectcategories_id
 				AND projects.projectdivisions_id=award_awards_projectdivisions.projectdivisions_id
 				AND award_awards.id is not null
-				AND projects.year='" . $config['FAIRYEAR'] . "'
-				AND projects.id='$projectid'
-				AND award_types.year='" . $config['FAIRYEAR'] . "'
-				AND award_awards.year='" . $config['FAIRYEAR'] . "'
+				AND projects.year=?
+				AND projects.id=?
+				AND award_types.year=?
+				AND award_awards.year=?
 			ORDER BY
 				award_awards.name
 				");
-	$awardsq->execute();
+	$awardsq->execute([$config['FAIRYEAR'], $config['FAIRYEAR'], $config['FAIRYEAR']]);
 	$awards = array();
 	show_pdo_errors_if_any($pdo);
 	while ($r = $awardsq->fetch(PDO::FETCH_OBJ)) {
@@ -185,14 +185,14 @@ function getSpecialAwardsNominatedForProject($projectid)
 				project_specialawards_link,
 				projects
 			WHERE
-				project_specialawards_link.projects_id='$projectid'
+				project_specialawards_link.projects_id=?
 				AND project_specialawards_link.award_awards_id=award_awards.id
-				AND projects.year='" . $config['FAIRYEAR'] . "'
-				AND projects.id='$projectid'
+				AND projects.year=?
+				AND projects.id=?
 			ORDER BY
 				award_awards.name
 				");
-	$awardsq->execute();
+	$awardsq->execute([$projectid, $config['FAIRYEAR'], $projectid]);
 	$awards = array();
 	show_pdo_errors_if_any($pdo);
 	while ($r = $awardsq->fetch(PDO::FETCH_OBJ)) {
@@ -215,12 +215,12 @@ function getNominatedForNoSpecialAwardsForProject($projectid)
 				project_specialawards_link,
 				projects
 			WHERE
-				project_specialawards_link.projects_id='$projectid'
-				AND projects.year='" . $config['FAIRYEAR'] . "'
-				AND projects.id='$projectid'
+				project_specialawards_link.projects_id=?
+				AND projects.year=?
+				AND projects.id=?
 				AND project_specialawards_link.award_awards_id IS NULL
 				");
-	$awardsq->execute();
+	$awardsq->execute([$projectid, $config['FAIRYEAR'], $projectid]);
 	if ($awardsq->rowCount() == 1)
 		return true;
 	return false;
@@ -242,14 +242,14 @@ function getProjectsNominatedForSpecialAward($award_id)
 					project_specialawards_link,
 					projects
 				WHERE
-					project_specialawards_link.award_awards_id='$award_id'
+					project_specialawards_link.award_awards_id=?
 					AND project_specialawards_link.projects_id=projects.id
 					AND projects.projectnumber is not null
-					AND projects.year='" . $config['FAIRYEAR'] . "'
+					AND projects.year=?
 				ORDER BY
 					projectsort
 					");
-		$prjq->execute();
+		$prjq->execute([$award_id, $config['FAIRYEAR']]);
 		$projects = array();
 		while ($prjr = $prjq->fetch(PDO::FETCH_OBJ)) {
 			$projects[$prjr->projectnumber] = array(
@@ -279,13 +279,13 @@ function getLanguagesOfProjectsNominatedForSpecialAward($award_id)
 					project_specialawards_link,
 					projects
 				WHERE
-					project_specialawards_link.award_awards_id='$award_id'
+					project_specialawards_link.award_awards_id=?
 					AND project_specialawards_link.projects_id=projects.id
 					AND projects.projectnumber is not null
-					AND projects.year='" . $config['FAIRYEAR'] . "'
+					AND projects.year=?
 					ORDER BY language
 					");
-		$prjq->execute();
+		$prjq->execute([$award_id, $config['FAIRYEAR']]);
 		$languages = array();
 		while ($r = $prjq->fetch(PDO::FETCH_OBJ)) {
 			// dont count "" as a language, if the project doesnt have a language specified too bad they're up shit creek without a paddle
@@ -316,17 +316,17 @@ function getSpecialAwardsNominatedByRegistrationID($id)
 				award_awards_projectdivisions,
 				projects
 			WHERE
-				award_awards.id='$award_id'
+				award_awards.id=?
 				AND award_awards.id=award_awards_projectcategories.award_awards_id
 				AND award_awards.id=award_awards_projectdivisions.award_awards_id
 				AND projects.projectcategories_id=award_awards_projectcategories.projectcategories_id
 				AND projects.projectdivisions_id=award_awards_projectdivisions.projectdivisions_id
 				AND projects.projectnumber is not null
-				AND projects.year='" . $config['FAIRYEAR'] . "'
+				AND projects.year=?
 			ORDER BY
 				projectsort
 				");
-	$awardq->execute();
+	$awardq->execute([$award_id, $config['FAIRYEAR']]);
 	$projects = array();
 	while ($prjr = $prjq->fetch(PDO::FETCH_OBJ)) {
 		$projects[$prjr->projectnumber] = array(
@@ -342,15 +342,15 @@ function project_load($pid)
 {
 	global $pdo;
 	/* Load this project */
-	$q = $pdo->prepare("SELECT * FROM projects WHERE id='$pid'");
-	$q->execute();
+	$q = $pdo->prepare("SELECT * FROM projects WHERE id=?");
+	$q->execute([$pid]);
 	$proj = $q->fetch();
 
 	/* Load the students */
 	$q = $pdo->prepare("SELECT students.*,schools.school FROM students 
 		LEFT JOIN schools ON schools.id=students.schools_id
-		WHERE registrations_id='{$proj['registrations_id']}' AND students.year='{$proj['year']}' ORDER BY students.id");
-	$q->execute();
+		WHERE registrations_id=? AND students.year=? ORDER BY students.id");
+	$q->execute([$proj['registrations_id'], $proj['year']]);
 	$proj['num_students'] = 0;
 	while ($s = $q->fetch(PDO::FETCH_OBJ)) {
 		$proj['num_students']++;
diff --git a/questions.inc.php b/questions.inc.php
index 994f00bb..e96d2872 100644
--- a/questions.inc.php
+++ b/questions.inc.php
@@ -27,15 +27,15 @@
 function questions_load_answers($section, $users_id)
 {
 	global $pdo, $config;
-	$yearq = $pdo->prepare("SELECT `year` FROM users WHERE id='$users_id'");
-	$yearq->execute();
+	$yearq = $pdo->prepare("SELECT `year` FROM users WHERE id=?");
+	$yearq->execute([$users_id]);
 	$yearr = $yearq->fetch(PDO::FETCH_OBJ);
 	$ans = array();
 
 	$qs = questions_load_questions($section, $yearr->year);
 	foreach ($qs AS $id => $question) {
-		$q = $pdo->prepare("SELECT * FROM question_answers WHERE users_id='$users_id' AND questions_id='$id'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT * FROM question_answers WHERE users_id=? AND questions_id=?");
+		$q->execute([$users_id, $id]);
 		$r = $q->fetch(PDO::FETCH_OBJ);
 		$ans[$id] = get_value_or_default($r, 'answer', '');
 	}
@@ -46,10 +46,10 @@ function questions_load_questions($section, $year)
 {
 	global $pdo;
 	$q = $pdo->prepare('SELECT * FROM questions '
-		. "WHERE year='$year' "
-		. "   AND section='$section'  "
+		. "WHERE year=?"
+		. "   AND section=?"
 		. 'ORDER BY ord ASC');
-	$q->execute();
+	$q->execute([$year, $section]);
 
 	show_pdo_errors_if_any($pdo);
 
@@ -71,11 +71,11 @@ function questions_save_answers($section, $id, $answers)
 	global $config, $pdo;
 	$qs = questions_load_questions($section, $config['FAIRYEAR']);
 	$keys = array_keys($answers);
-	$q = $pdo->prepare("SELECT * FROM questions WHERE year='{$config['FAIRYEAR']}'");
-	$q->execute();
+	$q = $pdo->prepare("SELECT * FROM questions WHERE year=?");
+	$q->execute([$config['FAIRYEAR']]);
 	while ($r = $q->fetch(PDO::FETCH_OBJ)) {
-		$stmt = $pdo->prepare("DELETE FROM question_answers WHERE users_id='$id' AND questions_id='$r->id'");
-		$stmt->execute();
+		$stmt = $pdo->prepare("DELETE FROM question_answers WHERE users_id=? AND questions_id=?");
+		$stmt->execute([$id, $r->id]);
 		show_pdo_errors_if_any($pdo);
 	}
 
@@ -83,10 +83,8 @@ function questions_save_answers($section, $id, $answers)
 	foreach ($keys as $qid) {
 		/* Poll key */
 		$stmt = $pdo->prepare("INSERT INTO question_answers
-				(users_id,questions_id,answer) VALUES(
-				'$id','$qid',
-				'" . $answers[$qid] . "')");
-		$stmt->execute();
+				(users_id,questions_id,answer) VALUES(?,?,?)");
+		$stmt->execute([$id, $qid, $answers[$qid]]);
 	}
 }
 
@@ -94,9 +92,9 @@ function questions_find_question_id($section, $dbheading)
 {
 	global $pdo;
 	$q = $pdo->prepare('SELECT id FROM questions WHERE '
-		. " section='$section' "
-		. " AND db_heading='$dbheading' ");
-	$q->execute();
+		. " section=?"
+		. " AND db_heading=?");
+	$q->execute([$section, $dbheading]);
 	if ($q->rowCount() == 1) {
 		$r = $q->fetch(PDO::FETCH_OBJ);
 		return $r->id;
@@ -182,29 +180,21 @@ function questions_update_question($qs)
 	global $pdo;
 	$qs['ord'] = $qs['ord'] ?? '';
 	$stmt = $pdo->prepare("UPDATE questions SET 
-			`question`='" . $qs['question'] . "',
-			`type`='" . $qs['type'] . "',
-			`db_heading`='" . $qs['db_heading'] . "',
-			`required`='" . $qs['required'] . "',
-			`ord`=" . intval($qs['ord'] . "
-			WHERE id='{$qs['id']}' "));
-	$stmt->execute();
+			question=?,
+			type=?,
+			db_heading=?,
+			required=?,
+			ord=?
+			WHERE id=?");
+	$stmt->execute([$qs['question'], $qs['type'], $qs['db_heading'], $qs['required'], intval($qs['ord']), $qs['id']]);
 	show_pdo_errors_if_any($pdo);
 }
 
 function questions_save_new_question($qs, $year)
 {
 	global $pdo;
-	$stmt = $pdo->prepare('INSERT INTO questions '
-		. '(question,type,section,db_heading,required,ord,year) VALUES ('
-		. "'" . $qs['question'] . "',"
-		. "'" . $qs['type'] . "',"
-		. "'" . $qs['section'] . "',"
-		. "'" . $qs['db_heading'] . "',"
-		. "'" . $qs['required'] . "',"
-		. "'" . $qs['ord'] . "',"
-		. "'$year' )");
-	$stmt->execute();
+	$stmt = $pdo->prepare('INSERT INTO questions (question,type,section,db_heading,required,ord,year) VALUES (?,?,?,?,?,?,?)');
+	$stmt->execute([$qs['question'],$qs['type'],$qs['section'],$qs['db_heading'],$qs['required'],$year]);
 	show_pdo_errors_if_any($pdo);
 }
 
@@ -251,8 +241,8 @@ function questions_editor($section, $year, $array_name, $self)
 		$qs = questions_load_questions($section, $year);
 
 		/* Delete this question */
-		$stmt = $pdo->prepare("DELETE FROM questions WHERE id='$qid'");
-		$stmt->execute();
+		$stmt = $pdo->prepare("DELETE FROM questions WHERE id=?");
+		$stmt->execute([$qid]);
 
 		/* Update the order of all questions after this one */
 		$keys = array_keys($qs);
@@ -261,8 +251,8 @@ function questions_editor($section, $year, $array_name, $self)
 				continue;
 			if ($qs[$q]['ord'] > $qs[$qid]['ord']) {
 				$qs[$q]['ord']--;
-				$stmt = $pdo->prepare("UPDATE questions SET ord='{$qs[$q]['ord']}' WHERE id='$q'");
-				$stmt->execute();
+				$stmt = $pdo->prepare("UPDATE questions SET ord='{}' WHERE id=?");
+				$stmt->execute([$qs[$q]['ord'], $q]);
 			}
 		}
 		echo happy(i18n('Question successfully removed'));
@@ -270,20 +260,13 @@ function questions_editor($section, $year, $array_name, $self)
 
 	if (get_value_from_array($_GET, 'action') == 'import' && get_value_from_array($_GET, 'impyear')) {
 		$x = 0;
-		$q = $pdo->prepare("SELECT * FROM questions WHERE year='{$_GET['impyear']}'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT * FROM questions WHERE year=?");
+		$q->execute([$_GET['impyear']]);
 		while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 			$x++;
 			$stmt = $pdo->prepare("INSERT INTO questions (id,year,section,db_heading,question,type,required,ord)
- 								VALUES (
-                                '', '$year',
-                                '" . $r->section . "',
-                                '" . $r->db_heading . "',
-                                '" . $r->question . "',
-                                '" . $r->type . "',
-                                '" . $r->required . "',
-                                '" . $r->ord) . "')";
-			$stmt->execute();
+ 								VALUES (?,?,?,?,?,?,?)");
+			$stmt->execute([$year,$r->section,$r->question,$r->type,$r->required,$r->ord]);
 		}
 
 		echo happy(i18n('%1 question(s) successfully imported',
@@ -331,8 +314,8 @@ function questions_editor($section, $year, $array_name, $self)
 	if ($qdir != 0) {
 		$qs[$qid]['ord'] += $qdir;
 		/* Update the db */
-		$stmt = $pdo->prepare("UPDATE questions SET ord='{$qs[$qid]['ord']}' WHERE id='$qid'");
-		$stmt->execute();
+		$stmt = $pdo->prepare("UPDATE questions SET ord=? WHERE id=?");
+		$stmt->execute([$qs[$qid]['ord'], $qid]);
 		$keys = array_keys($qs);
 		$originalq = $qs[$qid];
 
@@ -343,12 +326,12 @@ function questions_editor($section, $year, $array_name, $self)
 				continue;
 			if ($qdir == 1) {
 				$qs[$q]['ord']--;
-				$stmt = $pdo->prepare("UPDATE questions SET ord='{$qs[$q]['ord']}' WHERE id='$q'");
-				$stmt->execute();
+				$stmt = $pdo->prepare("UPDATE questions SET ord=? WHERE id=?");
+				$stmt->execute([$qs[$q]['ord'], $q]);
 			} else {
 				$qs[$q]['ord']++;
-				$stmt = $pdo->prepare("UPDATE questions SET ord='{$qs[$q]['ord']}' WHERE id='$q'");
-				$stmt->execute();
+				$stmt = $pdo->prepare("UPDATE questions SET ord=? WHERE id=?");
+				$stmt->execute([$qs[$q]['ord'], $q]);
 			}
 
 			/*
diff --git a/register_participants.inc.php b/register_participants.inc.php
index a172b049..d2022741 100644
--- a/register_participants.inc.php
+++ b/register_participants.inc.php
@@ -26,8 +26,8 @@ function registrationFormsReceived($reg_id="")
 {	global $pdo;
 	if($reg_id) $rid=$reg_id;
 	else $rid=$_SESSION['registration_id'];
-	$q=$pdo->prepare("SELECT status FROM registrations WHERE id='$rid'");
-	$q->execute();
+	$q=$pdo->prepare("SELECT status FROM registrations WHERE id=?");
+	$q->execute([$rid]);
 	$r=$q->fetch(PDO::FETCH_OBJ);
 	if($r->status=="complete" || $r->status=="paymentpending")
 		return true;
@@ -38,8 +38,8 @@ function registrationFormsReceived($reg_id="")
 function registrationDeadlinePassed()
 {
 	global $config, $pdo;
-	$q=$pdo->prepare("SELECT (NOW()<'".$config['dates']['regclose']."') AS datecheck");
-	$q->execute();
+	$q=$pdo->prepare("SELECT (NOW()<?) AS datecheck");
+	$q->execute([$config['dates']['regclose']]);
 	$datecheck=$q->fetch(PDO::FETCH_OBJ);
 	if($datecheck->datecheck==1)
 		return false;
@@ -62,8 +62,8 @@ function studentStatus($reg_id="")
 	if($reg_id) $rid=$reg_id;
 	else $rid=$_SESSION['registration_id'];
 
-	$q=$pdo->prepare("SELECT * FROM students WHERE registrations_id='$rid' AND year='".$config['FAIRYEAR']."'");
-	$q->execute();
+	$q=$pdo->prepare("SELECT * FROM students WHERE registrations_id=? AND year=?");
+	$q->execute([$rid,$config['FAIRYEAR']]);
 	//if we dont have the minimum, return incomplete
 	if($q->rowCount()<$config['minstudentsperproject'])
 		return "incomplete";
@@ -97,14 +97,14 @@ function emergencycontactStatus($reg_id="")
 	if($reg_id) $rid=$reg_id;
 	else $rid=$_SESSION['registration_id'];
 
-	$sq=$pdo->prepare("SELECT id FROM students WHERE registrations_id='$rid' AND year='".$config['FAIRYEAR']."'");
-	$sq->execute();
+	$sq=$pdo->prepare("SELECT id FROM students WHERE registrations_id=? AND year=?");
+	$sq->execute([$rid, $config['FAIRYEAR']]);
 	$numstudents=$sq->rowCount();
 
 	while($sr=$sq->fetch(PDO::FETCH_OBJ))
 	{
-		$q=$pdo->prepare("SELECT * FROM emergencycontact WHERE registrations_id='$rid' AND year='".$config['FAIRYEAR']."' AND students_id='$sr->id'");
-		$q->execute();
+		$q=$pdo->prepare("SELECT * FROM emergencycontact WHERE registrations_id=? AND year=? AND students_id=?");
+		$q->execute([$rid, $config['FAIRYEAR'], $sr->id]);
 		$r=$q->fetch(PDO::FETCH_OBJ);
 
 		foreach ($required_fields AS $req)
@@ -139,8 +139,8 @@ function projectStatus($reg_id="")
 	if($reg_id) $rid=$reg_id;
 	else $rid=$_SESSION['registration_id'];
 
-	$q=$pdo->prepare("SELECT * FROM projects WHERE registrations_id='$rid' AND year='".$config['FAIRYEAR']."'");
-	$q->execute();
+	$q=$pdo->prepare("SELECT * FROM projects WHERE registrations_id=? AND year=?");
+	$q->execute([$rid, $config['FAIRYEAR']]);
 	//if we dont have a project entry yet, return empty
 	if(!$q->rowCount())
 		return "empty";
@@ -169,14 +169,14 @@ function mentorStatus($reg_id="")
 	else $rid=$_SESSION['registration_id'];
 
 	//first check the registrations table to see if 'nummentors' is set, or if its null
-	$q=$pdo->prepare("SELECT nummentors FROM registrations WHERE id='$rid' AND year='".$config['FAIRYEAR']."'");
-	$q->execute();
+	$q=$pdo->prepare("SELECT nummentors FROM registrations WHERE id=? AND year=?");
+	$q->execute([$rid, $config['FAIRYEAR']]);
 	$r=$q->fetch(PDO::FETCH_OBJ);
 	if($r->nummentors==null)
 		return "incomplete";
 
-	$q=$pdo->prepare("SELECT * FROM mentors WHERE registrations_id='$rid' AND year='".$config['FAIRYEAR']."'");
-$q->execute();
+	$q=$pdo->prepare("SELECT * FROM mentors WHERE registrations_id=? AND year=?");
+$q->execute([$rid, $config['FAIRYEAR']]);
 
 	//if we dont have the minimum, return incomplete
 	if($q->rowCount()<get_value_from_array($config, 'minmentorserproject'))
@@ -206,16 +206,16 @@ function safetyStatus($reg_id="")
 	else $rid=$_SESSION['registration_id'];
 
 	//grab all of their answers
-	$q=$pdo->prepare("SELECT * FROM safety WHERE registrations_id='$rid'");
-	$q->execute();
+	$q=$pdo->prepare("SELECT * FROM safety WHERE registrations_id=?");
+	$q->execute([$rid]);
 	while($r=$q->fetch(PDO::FETCH_OBJ))
 	{
 		$safetyanswers[$r->safetyquestions_id]=$r->answer;
 	}
 
 	//now grab all the questions
-	$q=$pdo->prepare("SELECT * FROM safetyquestions WHERE year='".$config['FAIRYEAR']."' ORDER BY ord");
-	$q->execute();
+	$q=$pdo->prepare("SELECT * FROM safetyquestions WHERE year=? ORDER BY ord");
+	$q->execute([$config['FAIRYEAR']]);
 	while($r=$q->fetch(PDO::FETCH_OBJ))
 	{
 		if($r->required=="yes" && !$safetyanswers[$r->id])
@@ -233,8 +233,8 @@ function spawardStatus($reg_id="")
 	if($reg_id) $rid=$reg_id;
 	else $rid=$_SESSION['registration_id'];
 
-	$q=$pdo->prepare("SELECT * FROM projects WHERE registrations_id='$rid'");
-	$q->execute();
+	$q=$pdo->prepare("SELECT * FROM projects WHERE registrations_id=?");
+	$q->execute([$rid]);
 	$project=$q->fetch(PDO::FETCH_OBJ);
 
 	/* We want this query to get any awards with a NULL award_awards_id */
@@ -244,10 +244,10 @@ function spawardStatus($reg_id="")
 				project_specialawards_link,
 				projects
 			WHERE
-				project_specialawards_link.projects_id='".$project->id."'
-				AND projects.year='".$config['FAIRYEAR']."'
+				project_specialawards_link.projects_id=?
+				AND projects.year=?
 				");
-	$awardsq->execute();
+	$awardsq->execute([$project->id,$config['FAIRYEAR']]);
 
 	if($awardsq->rowCount())
 		return "complete";
@@ -263,16 +263,16 @@ function tourStatus($reg_id="")
 	else $rid=$_SESSION['registration_id'];
 
 	/* Get the students for this project */
-	$q=$pdo->prepare("SELECT * FROM students WHERE registrations_id='$rid' AND year='".$config['FAIRYEAR']."'");
-	$q->execute();
+	$q=$pdo->prepare("SELECT * FROM students WHERE registrations_id=? AND year=?");
+	$q->execute([$rid,$config['FAIRYEAR']]);
 	$num_found = $q->rowCount();
 
 	$ret = "complete";
 	while($s=$q->fetch(PDO::FETCH_OBJ)) {
 		//grab all of their tour prefs
 		$sid = $s->id;
-		$qq=$pdo->prepare("SELECT * FROM tours_choice WHERE students_id='$sid' and year='{$config['FAIRYEAR']}' ORDER BY rank");
-		$qq->execute();
+		$qq=$pdo->prepare("SELECT * FROM tours_choice WHERE students_id=? and year=? ORDER BY rank");
+		$qq->execute([$sid, $config['FAIRYEAR']]);
 		$n_tours = $qq->rowCount();
 		if($n_tours > 0) {
 			/* See if there's a rank 0 tour (rank 0 == their tour assignment) */
@@ -300,14 +300,14 @@ function namecheckStatus($reg_id="")
 
 	if($reg_id) {
 		$q=$pdo->prepare("SELECT * FROM students WHERE 
-				registrations_id='$reg_id'
+				registrations_id=?
 		
-				AND year='".$config['FAIRYEAR']."'");
-				$q->execute();
+				AND year=?");
+				$q->execute([$config['FAIRYEAR']]);
 	} else {
 		$q=$pdo->prepare("SELECT * FROM students WHERE 
-				id='{$_SESSION['students_id']}'");
-	$q->execute();	
+				id=?");
+	$q->execute([$reg_id, $_SESSION['students_id']]);	
 }
 
 	/* Get the students for this project */
@@ -335,13 +335,13 @@ function generateProjectNumber($registration_id)
 				projectcategories,
 				projectdivisions
 			WHERE 
-				registrations_id='$reg_id'
+				registrations_id=?
 			AND	projects.projectdivisions_id=projectdivisions.id
 			AND	projects.projectcategories_id=projectcategories.id
-			AND	projectcategories.year='{$config['FAIRYEAR']}'
-			AND	projectdivisions.year='{$config['FAIRYEAR']}'
+			AND	projectcategories.year=?
+			AND	projectdivisions.year=?
 				");
-	$q->execute();
+	$q->execute([$reg_id,$config['FAIRYEAR'],$config['FAIRYEAR']]);
 				show_pdo_errors_if_any($pdo);
 	$r=$q->fetch(PDO::FETCH_OBJ);
 
@@ -376,10 +376,10 @@ function generateProjectNumber($registration_id)
 	$q = $pdo->prepare("SELECT projectnumber_seq,projectsort_seq,
 				projectdivisions_id,projectcategories_id 
 			FROM projects 
-			WHERE year='{$config['FAIRYEAR']}'
+			WHERE year=?
 				AND projectnumber_seq!='0'
 				AND projectnumber IS NOT NULL");
-	$q->execute();
+	$q->execute([$config['FAIRYEAR']]);
 	show_pdo_errors_if_any($pdo);
 	while($i = $q->fetch(PDO::FETCH_OBJ)) {
 		if( ($r->projectdivisions_id == $i->projectdivisions_id)
@@ -455,12 +455,12 @@ function computeRegistrationFee($regid)
 
 	$regfee_items = array();
 	$q = $pdo->prepare("SELECT * FROM regfee_items
-				WHERE year='{$config['FAIRYEAR']}'");
-	$q->execute();
+				WHERE year=?");
+	$q->execute([$config['FAIRYEAR']]);
 	while($i = $q->fetch(PDO::FETCH_ASSOC)) $regfee_items[] = $i;
 
-	$q=$pdo->prepare("SELECT * FROM students WHERE registrations_id='$regid' AND year='".$config['FAIRYEAR']."'");
-	$q->execute();
+	$q=$pdo->prepare("SELECT * FROM students WHERE registrations_id=? AND year=?");
+	$q->execute([$regid, $config['FAIRYEAR']]);
 	$n_students = $q->rowCount();
 	$n_tshirts = 0;
 	$sel = array();
@@ -471,8 +471,8 @@ function computeRegistrationFee($regid)
 		if($config['participant_regfee_items_enable'] != 'yes') continue;
 
 		$sel_q = $pdo->prepare("SELECT * FROM regfee_items_link 
-					WHERE students_id={$s->id}");
-		$sel_q->execute();
+					WHERE students_id=?");
+		$sel_q->execute([$s->id]);
 		while($info_q = $sel_q->fetch(PDO::FETCH_ASSOC)) {
 			$sel[] = $info_q['regfee_items_id'];
 		}
diff --git a/register_participants.php b/register_participants.php
index 9f366ce1..71421cb3 100644
--- a/register_participants.php
+++ b/register_participants.php
@@ -33,17 +33,17 @@ $q = $pdo->query("SELECT (NOW()>'" . $config['dates']['regopen'] . "' AND NOW()<
 $datecheck = $q->fetch(PDO::FETCH_OBJ);
 
 if (get_value_from_array($_POST, 'action') == 'new') {
-	$q = $pdo->prepare("SELECT email,num,id,schools_id FROM registrations WHERE email='" . $_SESSION['email'] . "' AND num='" . $_POST['regnum'] . "' AND year=" . $config['FAIRYEAR']);
-	$q->execute();
+	$q = $pdo->prepare('SELECT email,num,id,schools_id FROM registrations WHERE email=? AND num=? AND year=?');
+	$q->execute([$_SESSION['email'], $_POST['regnum'], $config['FAIRYEAR']]);
 	if ($q->rowCount()) {
 		$r = $q->fetch(PDO::FETCH_OBJ);
 		$_SESSION['registration_number'] = $r->num;
 		$_SESSION['registration_id'] = $r->id;
-		$stmt = $pdo->prepare("INSERT INTO students (registrations_id,email,schools_id,year) VALUES ('$r->id','" . $_SESSION['email'] . "','" . $r->schools_id . "','" . $config['FAIRYEAR'] . "')");
-		$stmt->execute();
+		$stmt = $pdo->prepare('INSERT INTO students (registrations_id,email,schools_id,year) VALUES (?,?,?,?)');
+		$stmt->execute([$r->id, $_SESSION['email'], $r->schools_id, $config['FAIRYEAR']]);
 
-		$stmt = $pdo->prepare("UPDATE registrations SET status='open' WHERE id='$r->id'");
-		$stmt->execute();
+		$stmt = $pdo->prepare("UPDATE registrations SET status='open' WHERE id=?");
+		$stmt->execute([$r->id]);
 
 		header('Location: register_participants_main.php');
 		exit;
@@ -56,13 +56,24 @@ if (get_value_from_array($_POST, 'action') == 'new') {
 	if (get_value_from_array($_POST, 'email'))
 		$_SESSION['email'] = stripslashes($_POST['email']);
 
-	$q = $pdo->prepare('SELECT registrations.id AS regid, registrations.num AS regnum, students.id AS studentid, students.firstname FROM registrations,students '
-		. "WHERE students.email='" . $_SESSION['email'] . "' "
-		. "AND registrations.num='" . intval($_POST['regnum']) . "' "
-		. 'AND students.registrations_id=registrations.id '
-		. 'AND registrations.year=' . $config['FAIRYEAR'] . ' '
-		. 'AND students.year=' . $config['FAIRYEAR']);
-	$q->execute();
+	$q = $pdo->prepare('SELECT 
+        registrations.id AS regid, 
+        registrations.num AS regnum, 
+        students.id AS studentid, 
+        students.firstname 
+    FROM registrations 
+    JOIN students ON students.registrations_id = registrations.id 
+    WHERE students.email = ? 
+    AND registrations.num = ? 
+    AND registrations.year = ? 
+    AND students.year = ?');
+
+	$q->execute([
+		$_SESSION['email'],
+		intval($_POST['regnum']),
+		$config['FAIRYEAR'],
+		$config['FAIRYEAR']
+	]);
 
 	if ($q->rowCount()) {
 		$r = $q->fetch(PDO::FETCH_OBJ);
@@ -78,24 +89,24 @@ if (get_value_from_array($_POST, 'action') == 'new') {
 	}
 } else if (get_value_from_array($_GET, 'action') == 'resend' && get_value_from_array($_SESSION, 'email')) {
 	// first see if the email matches directly from the registrations table
-	$q = $pdo->prepare("SELECT registrations.num FROM 
+	$q = $pdo->prepare('SELECT registrations.num FROM 
 				registrations
 			WHERE 
-				registrations.email='" . $_SESSION['email'] . "' 
-				AND registrations.year='" . $config['FAIRYEAR'] . "'");
-	$q->execute();
+				registrations.email=? 
+				AND registrations.year=?');
+	$q->execute([$_SESSION['email'], $config['FAIRYEAR']]);
 	if ($q->rowCount())
 		$r = $q->fetch(PDO::FETCH_OBJ);
 	else {
 		// no match from registrations, so lets see if it matches from the students table
-		$q = $pdo->prepare("SELECT registrations.num FROM 
+		$q = $pdo->prepare('SELECT registrations.num FROM 
 					registrations, 
 					students 
 				WHERE 
-					students.email='" . $_SESSION['email'] . "' 
+					students.email=? 
 					AND students.registrations_id=registrations.id 
-					AND registrations.year='" . $config['FAIRYEAR'] . "'");
-		$q->execute();
+					AND registrations.year=?');
+		$q->execute([$_SESSION['email'], $config['FAIRYEAR']]);
 		$r = $q->fetch(PDO::FETCH_OBJ);
 	}
 
@@ -214,8 +225,8 @@ if (get_value_from_array($_POST, 'action') == 'login' && (get_value_from_array($
 			} else if ($config['participant_registration_type'] == 'schoolpassword') {
 				$showschoolpasswordform = true;
 				if ($_POST['schoolpassword'] && $_POST['schoolid']) {
-					$q = $pdo->prepare("SELECT registration_password FROM schools WHERE id='" . $_POST['schoolid'] . "' AND year='" . $config['FAIRYEAR'] . "'");
-					$q->execute();
+					$q = $pdo->prepare('SELECT registration_password FROM schools WHERE id=? AND year=?');
+					$q->execute([$_POST['schoolid'], $config['FAIRYEAR']]);
 					$r = $q->fetch(PDO::FETCH_OBJ);
 
 					if ($_POST['schoolpassword'] == $r->registration_password) {
@@ -237,8 +248,8 @@ if (get_value_from_array($_POST, 'action') == 'login' && (get_value_from_array($
 					echo '<input type="hidden" name="action" value="login">';
 					echo i18n('Email Address:') . ' ' . $_SESSION['email'] . '<br />';
 					echo i18n('School: ');
-					$q = $pdo->prepare("SELECT id,school FROM schools WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY school");
-					$q->execute();
+					$q = $pdo->prepare('SELECT id,school FROM schools WHERE year=? ORDER BY school');
+					$q->execute([$config['FAIRYEAR']]);
 					echo '<select name="schoolid">';
 					echo '<option value="">' . i18n('Choose your school') . "</option>\n";
 					while ($r = $q->fetch(PDO::FETCH_OBJ))
@@ -283,23 +294,24 @@ if (get_value_from_array($_POST, 'action') == 'login' && (get_value_from_array($
 					// random number between
 					// 100000 and 999999  (six digit integer)
 					$regnum = rand(100000, 999999);
-					$q = $pdo->prepare("SELECT * FROM registrations WHERE num='$regnum' AND year=" . $config['FAIRYEAR']);
-					$q->execute();
+					$q = $pdo->prepare('SELECT * FROM registrations WHERE num=? AND year=?');
+					$q->execute([$regnum, $config['FAIRYEAR']]);
 				} while ($q->rowCount() > 0);
 
 				if (!$schoolidquery)
 					$schoolidquery = 'null';
 
 				// actually insert it
-				$stmt = $pdo->prepare('INSERT INTO registrations (num,email,start,status,schools_id,year) VALUES ('
-					. "'$regnum',"
-					. "'" . $_SESSION['email'] . "',"
-					. 'NOW(),'
-					. "'new',"
-					. $schoolidquery . ','
-					. $config['FAIRYEAR']
-					. ')');
-				$stmt->execute();
+				$stmt = $pdo->prepare('INSERT INTO registrations (num, email, start, status, schools_id, year) 
+    									VALUES (?, ?, NOW(), ?, ?, ?)');
+
+				$stmt->execute([
+					$regnum,
+					$_SESSION['email'],
+					'new',
+					$schoolidquery,  
+					$config['FAIRYEAR']
+				]);
 
 				email_send('new_participant', $_SESSION['email'], array(), array('REGNUM' => $regnum, 'EMAIL' => $_SESSION['email']));
 
diff --git a/register_participants_emergencycontact.php b/register_participants_emergencycontact.php
index bd866390..c77befa8 100644
--- a/register_participants_emergencycontact.php
+++ b/register_participants_emergencycontact.php
@@ -40,12 +40,13 @@ if (!$_SESSION['registration_number']) {
 global $pdo;
 
 $q = $pdo->prepare('SELECT registrations.id AS regid, students.id AS studentid, students.firstname FROM registrations,students '
-	. "WHERE students.email='" . $_SESSION['email'] . "' "
-	. "AND registrations.num='" . $_SESSION['registration_number'] . "' "
-	. "AND registrations.id='" . $_SESSION['registration_id'] . "' "
+	. "WHERE students.email=?"
+	. "AND registrations.num=?"
+	. "AND registrations.id=?"
 	. 'AND students.registrations_id=registrations.id '
-	. 'AND registrations.year=' . $config['FAIRYEAR'] . ' '
-	. 'AND students.year=' . $config['FAIRYEAR']);
+	. 'AND registrations.year=?'
+	. 'AND students.year=?');
+$q->execute([$_SESSION['email'],$_SESSION['registration_number'],$_SESSION['registration_id'],$config['FAIRYEAR'],$config['FAIRYEAR']]);
 show_pdo_errors_if_any($pdo);
 
 if ($q->rowCount() == 0) {
@@ -75,8 +76,8 @@ if ($_POST['action'] == 'save') {
 	} else {
 		// first, lets make sure this emergency contact really does belong to them
 		foreach ($_POST['ids'] AS $id) {
-			$q = $pdo->prepare("SELECT * FROM emergencycontact WHERE id='$id' AND registrations_id='" . $_SESSION['registration_id'] . "' AND year='" . $config['FAIRYEAR'] . "'");
-			$q->execute();
+			$q = $pdo->prepare("SELECT * FROM emergencycontact WHERE id=? AND registrations_id=? AND year=?");
+			$q->execute([$id, $_SESSION['registration_id'], $config['FAIRYEAR']]);
 			if ($q->rowCount() == 1) {
 				$e = stripslashes($_POST['email'][$id]);
 				if ($_POST['relation'][$id] == 'Parent' && $e && user_valid_email($e)) {
@@ -100,16 +101,16 @@ if ($_POST['action'] == 'save') {
 				}
 
 				$stmt = $pdo->prepare('UPDATE emergencycontact SET '
-					. "firstname='" . stripslashes($_POST['firstname'][$id]) . "', "
-					. "lastname='" . stripslashes($_POST['lastname'][$id]) . "', "
-					. "relation='" . stripslashes($_POST['relation'][$id]) . "', "
-					. "phone1='" . stripslashes($_POST['phone1'][$id]) . "', "
-					. "phone2='" . stripslashes($_POST['phone2'][$id]) . "', "
-					. "phone3='" . stripslashes($_POST['phone3'][$id]) . "', "
-					. "phone4='" . stripslashes($_POST['phone4'][$id]) . "', "
-					. "email='" . stripslashes($_POST['email'][$id]) . "' "
-					. "WHERE id='$id'");
-				$stmt->execute();
+					. "firstname=?, "
+					. "lastname=?, "
+					. "relation=?, "
+					. "phone1=?, "
+					. "phone2=?, "
+					. "phone3=?, "
+					. "phone4=?, "
+					. "email=? "
+					. "WHERE id=?");
+				$stmt->execute([stripslashes($_POST['firstname'][$id]),stripslashes($_POST['lastname'][$id]),stripslashes($_POST['relation'][$id]),stripslashes($_POST['phone1'][$id]),stripslashes($_POST['phone2'][$id]),stripslashes($_POST['phone3'][$id]),stripslashes($_POST['phone4'][$id]),stripslashes($_POST['email'][$id]),$id]);
 				show_pdo_errors_if_any($pdo);
 				echo notice(i18n('Emergency contact information successfully updated'));
 			} else {
@@ -127,19 +128,19 @@ if ($newstatus != 'complete') {
 	echo happy(i18n('Emergency Contact Information Complete'));
 }
 
-$sq = $pdo->prepare("SELECT id,firstname,lastname FROM students WHERE registrations_id='" . $_SESSION['registration_id'] . "' AND year='" . $config['FAIRYEAR'] . "'");
-$sq->execute();
+$sq = $pdo->prepare("SELECT id,firstname,lastname FROM students WHERE registrations_id=? AND year=?");
+$sq->execute([$_SESSION['registration_id'], $config['FAIRYEAR']]);
 $numstudents = $sq->rowCount();
 
 echo "<form name=\"emergencycontactform\" method=\"post\" action=\"register_participants_emergencycontact.php\">\n";
 echo "<input type=\"hidden\" name=\"action\" value=\"save\">\n";
 
 while ($sr = $sq->fetch(PDO::FETCH_OBJ)) {
-	$q = $pdo->prepare("SELECT * FROM emergencycontact WHERE registrations_id='" . $_SESSION['registration_id'] . "' AND year='" . $config['FAIRYEAR'] . "' AND students_id='$sr->id'");
-	$q->execute();
+	$q = $pdo->prepare("SELECT * FROM emergencycontact WHERE registrations_id=? AND year=? AND students_id=?");
+	$q->execute([$_SESSION['registration_id'], $config['FAIRYEAR'], $sr->id]);
 	if ($q->rowCount() == 0) {
-		$stmt = $pdo->prepare("INSERT INTO emergencycontact (registrations_id,students_id,year) VALUES ('" . $_SESSION['registration_id'] . "','" . $sr->id . "','" . $config['FAIRYEAR'] . "')");
-		$stmt->execute();
+		$stmt = $pdo->prepare("INSERT INTO emergencycontact (registrations_id,students_id,year) VALUES (?,?,?)");
+		$stmt->execute([$_SESSION['registration_id'], $sr->id, ]);
 		$id = $pdo->lastInsertId();
 		unset($r);
 	} else {
diff --git a/register_participants_isefforms.php b/register_participants_isefforms.php
index b2d92508..fd01dd18 100644
--- a/register_participants_isefforms.php
+++ b/register_participants_isefforms.php
@@ -38,14 +38,14 @@
 	exit;
  }
 
- $q=$pdo->prepare("SELECT registrations.id AS regid, students.id AS studentid, students.firstname FROM registrations,students ".
- 	"WHERE students.email='".$_SESSION['email']."' ".
-	"AND registrations.num='".$_SESSION['registration_number']."' ". 
-	"AND registrations.id='".$_SESSION['registration_id']."' ".
-	"AND students.registrations_id=registrations.id ".
-	"AND registrations.year=".$config['FAIRYEAR']." ".
-	"AND students.year=".$config['FAIRYEAR']);
-$q->execute();
+ $q=$pdo->prepare("SELECT registrations.id AS regid, students.id AS studentid, students.firstname FROM registrations,students 
+ 	WHERE students.email=?
+	AND registrations.num=?
+	AND registrations.id=?
+	AND students.registrations_id=registrations.id 
+	AND registrations.year=?
+	AND students.year=?");
+$q->execute([$_SESSION['email'],$_SESSION['registration_number'],$_SESSION['registration_id'],$config['FAIRYEAR'],$config['FAIRYEAR']]);
 show_pdo_errors_if_any($pdo);
 
  if($q->rowCount()==0)
@@ -73,20 +73,20 @@ show_pdo_errors_if_any($pdo);
 				//because it will be added below by the _FILES, and if its not added there then that means we just said yes and didnt upload anything
 				//so removing it makes it go all red again so you are aware
 
-				$stmt = $po->prepare("DELETE FROM TC_ProjectForms WHERE ProjectID='$r->id' AND FormID='$k' AND `year`='$CURRENT_FAIRYEAR'");
-				$stmt->execute();
+				$stmt = $po->prepare("DELETE FROM TC_ProjectForms WHERE ProjectID=? AND FormID=? AND `year`=?");
+				$stmt->execute([$r->id, $k, $CURRENT_FAIRYEAR]);
 				//just look at hte first letter, since its either   "no:<id>" or "yes:<id>";
 				if($v[0]=="n")
 				{
 					$stmt = $pdo->prepare("INSERT INTO TC_ProjectForms (`FormID`,`ProjectID`,`uploaded`,`dt`,`year`) VALUES (
 						
-						'$k',
-						'$r->id',
+						?,
+						?,
 						'0',
 						NOW(),
-						'$CURRENT_FAIRYEAR'
+						?
 					)");
-					$stmt->execute();
+					$stmt->execute([$k,$r->id,$CURRENT_FAIRYEAR]);
 
 				}
 
@@ -129,8 +129,8 @@ show_pdo_errors_if_any($pdo);
 						if($pgs) $p="'$pgs'";
 						else $p="null";
 
-						$stmt = $pdo->prepare("DELETE FROM TC_ProjectForms WHERE ProjectID='$r->id' AND FormID='$k' AND `year`='$CURRENT_FAIRYEAR'");
-						$stmt->execute();
+						$stmt = $pdo->prepare("DELETE FROM TC_ProjectForms WHERE ProjectID=? AND FormID=? AND `year`=?");
+						$stmt->execute([$r->id, $k, $CURRENT_FAIRYEAR]);
 						$stmt = $pdo->prepare("INSERT INTO TC_ProjectForms (`FormID`,`ProjectID`,`uploaded`,`filename`,`pages`,`dt`,`year`) VALUES (
 						$stmt->execute();
 							'$k',
@@ -182,13 +182,13 @@ show_pdo_errors_if_any($pdo);
 	if($_GET['action']=="delete" && $_GET['delete'])
 	{
 		//first we need to make sure that this is their own!
-		$chq=$pdo->prepare("SELECT * FROM TC_ProjectForms WHERE id='".$_GET['delete']."' AND ProjectID='$r->id' AND `year`='$CURRENT_FAIRYEAR'");
-		$chq->execute();
+		$chq=$pdo->prepare("SELECT * FROM TC_ProjectForms WHERE id=? AND ProjectID=? AND `year`=?");
+		$chq->execute([$_GET['delete'], $r->id, $CURRENT_FAIRYEAR]);
 		if($chr=$chq->fetch(PDO::FETCH_OBJ))
 		{
 			@unlink($TCFORMSLOCATION."/".$CURRENT_FAIRYEAR."/$r->id/$chr->FormID.pdf");
-			$stmt = $pdo->prepare("DELETE FROM TC_ProjectForms WHERE id='".$_GET['delete']."' AND ProjectID='$r->id' AND `year`='$CURRENT_FAIRYEAR'");
-			$stmt->execute();
+			$stmt = $pdo->prepare("DELETE FROM TC_ProjectForms WHERE id=? AND ProjectID=? AND `year`=?");
+			$stmt->execute([$_GET['delete'], $r->id, $CURRENT_FAIRYEAR]);
 			$display_happy=i18n("Form successfully deleted");
 		}
 		else
diff --git a/register_participants_main.php b/register_participants_main.php
index 2994bf70..f2c96deb 100644
--- a/register_participants_main.php
+++ b/register_participants_main.php
@@ -41,13 +41,13 @@ if (!($_SESSION['registration_number'] && $_SESSION['registration_id'])) {
 global $pdo;
 
 $q = $pdo->prepare('SELECT registrations.status AS status, registrations.id AS regid, students.id AS studentid, students.firstname FROM registrations,students '
-	. "WHERE students.email='" . $_SESSION['email'] . "' "
-	. "AND registrations.num='" . $_SESSION['registration_number'] . "' "
-	. "AND registrations.id='" . $_SESSION['registration_id'] . "' "
+	. "WHERE students.email=?"
+	. "AND registrations.num=?"
+	. "AND registrations.id=?"
 	. 'AND students.registrations_id=registrations.id '
-	. 'AND registrations.year=' . $config['FAIRYEAR'] . ' '
-	. 'AND students.year=' . $config['FAIRYEAR']);
-$q->execute();
+	. 'AND registrations.year=?'
+	. 'AND students.year=?');
+$q->execute([$_SESSION['email'],$_SESSION['registration_number'],$_SESSION['registration_id'],$config['FAIRYEAR'],$config['FAIRYEAR']]);
 show_pdo_errors_if_any($pdo);
 
 if ($q->rowCount() == 0) {
@@ -66,8 +66,8 @@ echo '<br />';
 
 if (registrationFormsReceived()) {
 	// now select their project number
-	$q = $pdo->prepare("SELECT projectnumber FROM projects WHERE registrations_id='" . $_SESSION['registration_id'] . "' AND year='" . $config['FAIRYEAR'] . "'");
-	$q->execute();
+	$q = $pdo->prepare("SELECT projectnumber FROM projects WHERE registrations_id=? AND year=?");
+	$q->execute([$_SESSION['registration_id'], $config['FAIRYEAR']]);
 	$projectinfo = $q->fetch(PDO::FETCH_OBJ);
 
 	if ($r->status == 'complete') {
@@ -242,8 +242,8 @@ if ($config['specialawardnomination'] != 'none') {
 
 	if ($special_awards_open == true) {
 		if ($config['specialawardnomination'] == 'date') {
-			$q = $pdo->prepare("SELECT (NOW()>'" . $config['dates']['specawardregopen'] . "' AND NOW()<'" . $config['dates']['specawardregclose'] . "') AS datecheck");
-			$q->execute();
+			$q = $pdo->prepare("SELECT (NOW()>? AND NOW()<?) AS datecheck");
+			$q->execute([$config['dates']['specawardregopen'], $config['dates']['specawardregclose']]);
 			$r = $q->fetch(PDO::FETCH_OBJ);
 			// this will return 1 if its between the dates, 0 otherwise.
 			if ($r->datecheck == 1) {
@@ -259,8 +259,8 @@ if ($config['specialawardnomination'] != 'none') {
 			}
 		}
 
-		$q = $pdo->prepare("SELECT * FROM projects WHERE registrations_id='" . $_SESSION['registration_id'] . "' AND year='{$config['FAIRYEAR']}'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT * FROM projects WHERE registrations_id=? AND year=?");
+		$q->execute([$_SESSION['registration_id'], $config['FAIRYEAR']]);
 		$project = $q->fetch(PDO::FETCH_OBJ);
 		$nominatedawards = getSpecialAwardsNominatedForProject($project->id);
 		$num = count($nominatedawards);
diff --git a/register_participants_mentor.php b/register_participants_mentor.php
index c51a9f5a..71bc2aa0 100644
--- a/register_participants_mentor.php
+++ b/register_participants_mentor.php
@@ -39,13 +39,13 @@ if (!($_SESSION['registration_number'] && $_SESSION['registration_id'])) {
 global $pdo;
 
 $q = $pdo->prepare('SELECT registrations.id AS regid, students.id AS studentid, students.firstname FROM registrations,students '
-	. "WHERE students.email='" . $_SESSION['email'] . "' "
-	. "AND registrations.num='" . $_SESSION['registration_number'] . "' "
-	. "AND registrations.id='" . $_SESSION['registration_id'] . "' "
+	. "WHERE students.email=?"
+	. "AND registrations.num=?"
+	. "AND registrations.id=?"
 	. 'AND students.registrations_id=registrations.id '
-	. 'AND registrations.year=' . $config['FAIRYEAR'] . ' '
-	. 'AND students.year=' . $config['FAIRYEAR']);
-$q->execute();
+	. 'AND registrations.year=?'
+	. 'AND students.year=?');
+$q->execute([$_SESSION['email'],$_SESSION['registration_number'],$_SESSION['registration_id'],$config['FAIRYEAR'],$config['FAIRYEAR']]);
 show_pdo_errors_if_any($pdo);
 
 if ($q->rowCount() == 0) {
@@ -72,33 +72,37 @@ if (get_value_from_array($_POST, 'action') == 'save') {
 				// only insert if we have a name
 				if ($_POST['lastname'][$x]) {
 					// INSERT new record
-					$stmt = $pdo->prepare('INSERT INTO mentors (registrations_id,firstname,lastname,email,phone,organization,position,description,year) VALUES ('
-						. "'" . $_SESSION['registration_id'] . "', "
-						. "'" . stripslashes($_POST['firstname'][$x]) . "', "
-						. "'" . stripslashes($_POST['lastname'][$x]) . "', "
-						. "'" . stripslashes($_POST['email'][$x]) . "', "
-						. "'" . stripslashes($_POST['phone'][$x]) . "', "
-						. "'" . stripslashes($_POST['organization'][$x]) . "', "
-						. "'" . stripslashes($_POST['position'][$x]) . "', "
-						. "'" . stripslashes($_POST['description'][$x]) . "', "
-						. "'" . $config['FAIRYEAR'] . "')");
-					$stmt->execute();
+					$stmt = $pdo->prepare('INSERT INTO mentors (registrations_id,firstname,lastname,email,phone,organization,position,description,year) VALUES (
+						?, 
+						?, 
+						?,
+						?,
+						?,
+						?,
+						?,
+						?,
+						?)');
+					$stmt->execute([$_SESSION['registration_id'],stripslashes($_POST['firstname'][$x]),stripslashes($_POST['lastname'][$x]),
+					stripslashes($_POST['email'][$x]),stripslashes($_POST['phone'][$x]),stripslashes($_POST['organization'][$x]),stripslashes($_POST['position'][$x]),
+					stripslashes($_POST['description'][$x]),$config['FAIRYEAR']]);
 					show_pdo_errors_if_any($pdo);
 
 					echo notice(i18n('%1 %2 successfully added', array($_POST['firstname'][$x], $_POST['lastname'][$x])));
 				}
 			} else {
 				// UPDATE existing record
-				$stmt = $pdo->prepare('UPDATE mentors SET '
-					. "firstname='" . stripslashes($_POST['firstname'][$x]) . "', "
-					. "lastname='" . stripslashes($_POST['lastname'][$x]) . "', "
-					. "email='" . stripslashes($_POST['email'][$x]) . "', "
-					. "phone='" . stripslashes($_POST['phone'][$x]) . "', "
-					. "organization='" . stripslashes($_POST['organization'][$x]) . "', "
-					. "position='" . stripslashes($_POST['position'][$x]) . "', "
-					. "description='" . stripslashes($_POST['description'][$x]) . "' "
-					. "WHERE id='" . $_POST['id'][$x] . "'");
-				$stmt->execute();
+				$stmt = $pdo->prepare('UPDATE mentors SET 
+					?,
+					?,
+					?,
+					?,
+					. "organization=?,"
+					. "position=?",
+					. "description=?"
+					. "WHERE id=?"');
+				$stmt->execute([stripslashes($_POST['firstname'][$x]),stripslashes($_POST['lastname'][$x]),stripslashes($_POST['email'][$x]),
+				stripslashes($_POST['phone'][$x]),stripslashes($_POST['organization'][$x]),stripslashes($_POST['position'][$x]),
+				stripslashes($_POST['description'][$x]),$_POST['id'][$x]]);
 				echo notice(i18n('%1 %2 successfully updated', array($_POST['firstname'][$x], $_POST['lastname'][$x])));
 			}
 			$x++;
@@ -111,11 +115,11 @@ if (get_value_from_array($_GET, 'action') == 'removementor') {
 		echo error(i18n('Cannot make changes to forms once they have been received by the fair'));
 	} else {
 		// first make sure this is one belonging to this registration id
-		$q = $pdo->prepare("SELECT id FROM mentors WHERE id='" . $_GET['removementor'] . "' AND registrations_id='" . $_SESSION['registration_id'] . "'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT id FROM mentors WHERE id=? AND registrations_id=?");
+		$q->execute([$_GET['removementor'], $_SESSION['registration_id']]);
 		if ($q->rowCount() == 1) {
-			$stmt = $pdo->prepare("DELETE FROM mentors WHERE id='" . $_GET['removementor'] . "' AND registrations_id='" . $_SESSION['registration_id'] . "'");
-			$stmt->execute();
+			$stmt = $pdo->prepare("DELETE FROM mentors WHERE id=? AND registrations_id=?");
+			$stmt->execute([$_GET['removementor'], $_SESSION['registration_id']]);
 			echo notice(i18n('Mentor successfully removed'));
 		} else {
 			echo error(i18n('Invalid mentor to remove'));
@@ -125,18 +129,18 @@ if (get_value_from_array($_GET, 'action') == 'removementor') {
 
 // now query and display
 
-$q = $pdo->prepare("SELECT nummentors FROM registrations WHERE id='" . $_SESSION['registration_id'] . "' AND year='" . $config['FAIRYEAR'] . "'");
-$q->execute();
+$q = $pdo->prepare("SELECT nummentors FROM registrations WHERE id=? AND year=?");
+$q->execute([$_SESSION['registration_id'], $config['FAIRYEAR']]);
 $r = $q->fetch(PDO::FETCH_OBJ);
 $registrations_nummentors = $r->nummentors;
 
-$q = $pdo->prepare("SELECT * FROM mentors WHERE registrations_id='" . $_SESSION['registration_id'] . "' AND year='" . $config['FAIRYEAR'] . "'");
-$q->execute();
+$q = $pdo->prepare("SELECT * FROM mentors WHERE registrations_id=? AND year=?");
+$q->execute([$_SESSION['registration_id'], $config['FAIRYEAR']]);
 $numfound = $q->rowCount();
 
 if (isset($_GET['nummentors'])) {
-	$stmt = $pdo->prepare("UPDATE registrations SET nummentors='" . $_GET['nummentors'] . "' WHERE id='" . $_SESSION['registration_id'] . "'");
-	$stmt->execute();
+	$stmt = $pdo->prepare("UPDATE registrations SET nummentors=? WHERE id=?");
+	$stmt->execute([$_GET['nummentors'], $_SESSION['registration_id']]);
 	$registrations_nummentors = $_GET['nummentors'];
 	$numtoshow = $_GET['nummentors'];
 } else
diff --git a/register_participants_namecheck.php b/register_participants_namecheck.php
index 9c1f3e3f..d98b78fa 100644
--- a/register_participants_namecheck.php
+++ b/register_participants_namecheck.php
@@ -39,7 +39,8 @@ if (!$_SESSION['registration_number']) {
 
 global $pdo;
 
-$q = $pdo->prepare("SELECT * FROM students WHERE registrations_id='{$_SESSION['registration_id']}'");
+$q = $pdo->prepare("SELECT * FROM students WHERE registrations_id=?");
+$q->execute([$_SESSION['registration_id']]);
 show_pdo_errors_if_any($pdo);
 
 if ($q->rowCount() == 0) {
@@ -66,12 +67,12 @@ if ($_POST['action'] == 'save') {
 		$pu = ($_POST['punc'] == 'yes') ? true : false;
 
 		if ($sp && $ca && $pu) {
-			$q = $pdo->prepare("UPDATE students SET namecheck_complete='yes' WHERE registrations_id='{$_SESSION['registration_id']}'");
+			$q = $pdo->prepare("UPDATE students SET namecheck_complete='yes' WHERE registrations_id=?");
 
-			$q->execute();
+			$q->execute([$_SESSION['registration_id']]);
 		} else if ($s->namecheck_complete != 'no') {
-			$q = $pdo->prepare("UPDATE students SET namecheck_complete='no' WHERE registrations_id='{$_SESSION['registration_id']}'");
-			$q->execute();
+			$q = $pdo->prepare("UPDATE students SET namecheck_complete='no' WHERE registrations_id=?");
+			$q->execute([$_SESSION['registration_id']]);
 		}
 	}
 }
diff --git a/register_participants_project.php b/register_participants_project.php
index cbe9fd98..c5814e1c 100644
--- a/register_participants_project.php
+++ b/register_participants_project.php
@@ -43,13 +43,13 @@ if (!$_SESSION['registration_number']) {
 global $pdo;
 
 $q = $pdo->prepare('SELECT registrations.id AS regid, students.id AS studentid, students.firstname FROM registrations,students '
-	. "WHERE students.email='" . $_SESSION['email'] . "' "
-	. "AND registrations.num='" . $_SESSION['registration_number'] . "' "
-	. "AND registrations.id='" . $_SESSION['registration_id'] . "' "
+	. "WHERE students.email=?"
+	. "AND registrations.num=?"
+	. "AND registrations.id=?"
 	. 'AND students.registrations_id=registrations.id '
-	. 'AND registrations.year=' . $config['FAIRYEAR'] . ' '
-	. 'AND students.year=' . $config['FAIRYEAR']);
-$q->execute();
+	. 'AND registrations.year=?'
+	. 'AND students.year=?');
+$q->execute([$_SESSION['email'],$_SESSION['registration_number'],$_SESSION['registration_id'],$config['FAIRYEAR'],$config['FAIRYEAR']]);
 show_pdo_errors_if_any($pdo);
 
 if ($q->rowCount() == 0) {
@@ -78,8 +78,8 @@ if (get_value_from_array($_POST, 'action') == 'save') {
 		echo error(i18n('Cannot make changes to forms after registration deadline'));
 	} else {
 		// first, lets make sure this project really does belong to them
-		$q = $pdo->prepare("SELECT * FROM projects WHERE id='" . $_POST['id'] . "' AND registrations_id='" . $_SESSION['registration_id'] . "' AND year='" . $config['FAIRYEAR'] . "'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT * FROM projects WHERE id=? AND registrations_id=? AND year=?");
+		$q->execute([$_POST['id'], $_SESSION['registration_id'], $config['FAIRYEAR']]);
 		if ($q->rowCount() == 1) {
 			$summarywords = preg_split('/[\s,]+/', $_POST['summary']);
 			$summarywordcount = count($summarywords);
@@ -104,21 +104,24 @@ if (get_value_from_array($_POST, 'action') == 'save') {
 			} else
 				$shorttitle = stripslashes($_POST['shorttitle']);
 
-			$stmt = $pdo->prepare('UPDATE projects SET '
-				. "title='" . $title . "', "
-				. "shorttitle='" . $shorttitle . "', "
-				. "projectdivisions_id='" . intval($_POST['projectdivisions_id']) . "', "
-				. "projecttype='" . stripslashes($_POST['projecttype']) . "', "
-				. "language='" . stripslashes($_POST['language']) . "', "
-				. "req_table='" . stripslashes($_POST['req_table']) . "', "
-				. "req_electricity='" . stripslashes($_POST['req_electricity']) . "', "
-				. "req_special='" . stripslashes($_POST['req_special']) . "', "
-				. "human_participants='" . stripslashes($_POST['human_participants']) . "', "
-				. "animal_participants='" . stripslashes($_POST['animal_participants']) . "', "
-				. "summary='" . stripslashes($_POST['summary']) . "', "
-				. "summarycountok='$summarycountok'"
-				. "WHERE id='" . $_POST['id'] . "'");
-			$stmt->execute();
+			$stmt = $pdo->prepare('UPDATE projects SET 
+				title=?, 
+				shorttitle=?, 
+				projectdivisions_id=?, 
+				projecttype=?, 
+				language=?, 
+				req_table=?, 
+				req_electricity=?, 
+				req_special=?, 
+				human_participants=?, 
+				animal_participants=?, 
+				summary=?,
+				summarycountok=?
+				WHERE id=?');
+			$stmt->execute([$title,$shorttitle,intval($_POST['projectdivisions_id']),stripslashes($_POST['projecttype']),
+			stripslashes($_POST['language']),stripslashes($_POST['req_table']),stripslashes($_POST['req_electricity']),
+			stripslashes($_POST['req_special']),stripslashes($_POST['human_participants']),stripslashes($_POST['animal_participants']),
+			stripslashes($_POST['summary']),$summarycountok,$_POST['id']]);
 			show_pdo_errors_if_any($pdo);
 			echo notice(i18n('Project information successfully updated'));
 		} else {
@@ -128,13 +131,13 @@ if (get_value_from_array($_POST, 'action') == 'save') {
 }
 
 // now lets find out their MAX grade, so we can pre-set the Age Category
-$q = $pdo->prepare("SELECT MAX(grade) AS maxgrade FROM students WHERE registrations_id='" . $_SESSION['registration_id'] . "'");
-$q->execute();
+$q = $pdo->prepare("SELECT MAX(grade) AS maxgrade FROM students WHERE registrations_id=?");
+$q->execute([$_SESSION['registration_id']]);
 $gradeinfo = $q->fetch(PDO::FETCH_OBJ);
 
 // now lets grab all the age categories, so we can choose one based on the max grade
-$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY id");
-$q->execute();
+$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year=? ORDER BY id");
+$q->execute([$config['FAIRYEAR']]);
 while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 	// save these in an array, just incase we need them later (FIXME: remove this array if we dont need it)
 	$agecategories[$r->id]['category'] = $r->category;
@@ -146,24 +149,24 @@ while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 	}
 }
 // now select their project info
-$q = $pdo->prepare("SELECT * FROM projects WHERE registrations_id='" . $_SESSION['registration_id'] . "' AND year='" . $config['FAIRYEAR'] . "'");
-$q->execute();
+$q = $pdo->prepare("SELECT * FROM projects WHERE registrations_id=? AND year=?");
+$q->execute([$_SESSION['registration_id'], $config['FAIRYEAR']]);
 // check if it exists, if we didnt find any record, lets insert one
 if ($q->rowCount() == 0) {
-	$stmt = $pdo->prepare("INSERT INTO projects (registrations_id,projectcategories_id,year) VALUES ('" . $_SESSION['registration_id'] . "','$projectcategories_id','" . $config['FAIRYEAR'] . "')");
-	$stmt->execute();
+	$stmt = $pdo->prepare("INSERT INTO projects (registrations_id,projectcategories_id,year) VALUES (?,?,?)");
+	$stmt->execute([$_SESSION['registration_id'],$projectcategories_id,$config['FAIRYEAR']]);
 	// now query the one we just inserted
 
-	$q = $pdo->prepare("SELECT * FROM projects WHERE registrations_id='" . $_SESSION['registration_id'] . "' AND year='" . $config['FAIRYEAR'] . "'");
-	$q->execute();
+	$q = $pdo->prepare("SELECT * FROM projects WHERE registrations_id=? AND year=?");
+	$q->execute([$_SESSION['registration_id'], $config['FAIRYEAR']]);
 }
 $projectinfo = $q->fetch(PDO::FETCH_OBJ);
 
 // make sure that if they changed their grade on the student page, we update their projectcategories_id accordingly
 if ($projectcategories_id && $projectinfo->projectcategories_id != $projectcategories_id) {
 	echo notice(i18n('Age category changed, updating to %1', array($agecategories[$projectcategories_id]['category'])));
-	$stmt = $pdo->prepare("UPDATE projects SET projectcategories_id='$projectcategories_id' WHERE id='$projectinfo->id'");
-	$stmt->execute();
+	$stmt = $pdo->prepare("UPDATE projects SET projectcategories_id=? WHERE id=?");
+	$stmt->execute([$projectcategories_id, $projectinfo->id]);
 }
 
 // output the current status
@@ -219,12 +222,12 @@ echo '<tr><td>' . i18n('Division') . ': </td><td>';
 
 // ###### Feature Specific - filtering divisions by category
 if ($config['filterdivisionbycategory'] == 'yes') {
-	$q = $pdo->prepare('SELECT projectdivisions.* FROM projectdivisions,projectcategoriesdivisions_link WHERE projectdivisions.id=projectdivisions_id AND projectcategories_id=' . $projectcategories_id . " AND projectdivisions.year='" . $config['FAIRYEAR'] . "' AND projectcategoriesdivisions_link.year='" . $config['FAIRYEAR'] . "' ORDER BY division");
-	$q->execute();
+	$q = $pdo->prepare('SELECT projectdivisions.* FROM projectdivisions,projectcategoriesdivisions_link WHERE projectdivisions.id=projectdivisions_id AND projectcategories_id=' . $projectcategories_id . " AND projectdivisions.year=? AND projectcategoriesdivisions_link.year=? ORDER BY division");
+	$q->execute([$config['FAIRYEAR'],$config['FAIRYEAR']]);
 	show_pdo_errors_if_any($pdo);
 } else
-	$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY division");
-$q->execute();
+	$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year=? ORDER BY division");
+$q->execute([$config['FAIRYEAR']]);
 echo '<select name="projectdivisions_id">';
 echo '<option value="">' . i18n('Select a division') . "</option>\n";
 while ($r = $q->fetch(PDO::FETCH_OBJ)) {
diff --git a/register_participants_project_divisionselector.php b/register_participants_project_divisionselector.php
index 84275ee4..f3e96717 100644
--- a/register_participants_project_divisionselector.php
+++ b/register_participants_project_divisionselector.php
@@ -39,13 +39,13 @@ if (!$_SESSION['registration_number']) {
 global $pdo;
 
 $q = $pdo->prepare('SELECT registrations.id AS regid, students.id AS studentid, students.firstname FROM registrations,students '
-	. "WHERE students.email='" . $_SESSION['email'] . "' "
-	. "AND registrations.num='" . $_SESSION['registration_number'] . "' "
-	. "AND registrations.id='" . $_SESSION['registration_id'] . "' "
+	. "WHERE students.email=?"
+	. "AND registrations.num=?"
+	. "AND registrations.id=?"
 	. 'AND students.registrations_id=registrations.id '
-	. 'AND registrations.year=' . $config['FAIRYEAR'] . ' '
-	. 'AND students.year=' . $config['FAIRYEAR']);
-$q->execute();
+	. 'AND registrations.year=?'
+	. 'AND students.year=?');
+$q->execute([$_SESSION['email'],$_SESSION['registration_number'],$_SESSION['registration_id'],$config['FAIRYEAR'],$config['FAIRYEAR']]);
 show_pdo_errors_if_any($pdo);
 
 if ($q->rowCount() == 0) {
@@ -73,8 +73,8 @@ if ($_GET['division']) {
 			opener.document.forms.projectform.projectdivisions_id.selectedIndex=<?= $_GET['division'] ?>
 		</script>
 	<?
-	$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE id='" . $_GET['division'] . "'");
-	$q->execute();
+	$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE id=?");
+	$q->execute([$_GET['division']]);
 	$r = $q->fetch(PDO::FETCH_OBJ);
 	echo '<h2>' . i18n($r->division) . "</h2>\n";
 	echo '<a href="' . $_SERVER['PHP_SELF'] . '">' . i18n('Restart division selector') . '</a>';
@@ -86,8 +86,8 @@ if ($_GET['division']) {
 		$id = 1;
 	else
 		$id = $_GET['id'];
-	$q = $pdo->prepare("SELECT * FROM projectdivisionsselector WHERE id='$id'");
-	$q->execute();
+	$q = $pdo->prepare("SELECT * FROM projectdivisionsselector WHERE id=?");
+	$q->execute([$id]);
 	$r = $q->fetch(PDO::FETCH_OBJ);
 	echo i18n($r->question);
 	echo '<br />';
diff --git a/register_participants_safety.php b/register_participants_safety.php
index 1e9f2afc..7710bbaa 100644
--- a/register_participants_safety.php
+++ b/register_participants_safety.php
@@ -40,13 +40,13 @@ if (!$_SESSION['registration_number']) {
 global $pdo;
 
 $q = $pdo->prepare('SELECT registrations.id AS regid, students.id AS studentid, students.firstname FROM registrations,students '
-	. "WHERE students.email='" . $_SESSION['email'] . "' "
-	. "AND registrations.num='" . $_SESSION['registration_number'] . "' "
-	. "AND registrations.id='" . $_SESSION['registration_id'] . "' "
+	. "WHERE students.email=?" 
+	. "AND registrations.num=?"
+	. "AND registrations.id=?"
 	. 'AND students.registrations_id=registrations.id '
-	. 'AND registrations.year=' . $config['FAIRYEAR'] . ' '
-	. 'AND students.year=' . $config['FAIRYEAR']);
-$q->execute();
+	. 'AND registrations.year=?'
+	. 'AND students.year=?');
+$q->execute([$_SESSION['email'],$_SESSION['registration_number'],$_SESSION['registration_id'],$config['FAIRYEAR'],$config['FAIRYEAR']]);
 show_pdo_errors_if_any($pdo);
 
 if ($q->rowCount() == 0) {
@@ -68,13 +68,13 @@ if (get_value_from_array($_POST, 'action') == 'save') {
 		echo error(i18n('Cannot make changes to forms after registration deadline'));
 	} else {
 		// first we will delete all their old answer, its easier to delete and re-insert in this case then it would be to find the corresponding answers and update them
-		$stmt = $pdo->prepare("DELETE FROM safety WHERE registrations_id='" . $_SESSION['registration_id'] . "' AND year='" . $config['FAIRYEAR'] . "'");
-		$stmt->execute();
+		$stmt = $pdo->prepare("DELETE FROM safety WHERE registrations_id=? AND year=?");
+		$stmt->execute([$_SESSION['registration_id'], $config['FAIRYEAR']]);
 		if (is_array($_POST['safety'])) {
 			$safetyids = array_keys($_POST['safety']);
 			foreach ($safetyids AS $key => $val) {
-				$stmt = $pdo->prepare('INSERT INTO safety (registrations_id,safetyquestions_id,year,answer) VALUES (' . $pdo->quote($_SESSION['registration_id']) . ', ' . $pdo->quote($val) . ', ' . $pdo->quote($config['FAIRYEAR']) . ', ' . $pdo->quote(stripslashes($_POST['safety'][$val]))) . ')';
-				$stmt->execute();
+				$stmt = $pdo->prepare('INSERT INTO safety (registrations_id,safetyquestions_id,year,answer) VALUES (?,?,?,?) ');
+				$stmt->execute([$pdo->quote($_SESSION['registration_id']),$pdo->quote($val),$pdo->quote($config['FAIRYEAR']),$pdo->quote(stripslashes($_POST['safety'][$val]))]);
 				show_pdo_errors_if_any($pdo);
 			}
 		}
@@ -89,14 +89,14 @@ if ($newstatus != 'complete') {
 	echo happy(i18n('Safety Information Complete'));
 }
 
-$q = $pdo->prepare("SELECT * FROM safety WHERE registrations_id='" . $_SESSION['registration_id'] . "'");
-$q->execute();
+$q = $pdo->prepare("SELECT * FROM safety WHERE registrations_id=?");
+$q->execute([$_SESSION['registration_id']]);
 while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 	$safetyanswers[$r->safetyquestions_id] = $r->answer;
 }
 
-$q = $pdo->prepare("SELECT * FROM safetyquestions WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY ord");
-$q->execute();
+$q = $pdo->prepare("SELECT * FROM safetyquestions WHERE year=? ORDER BY ord");
+$q->execute([$config['FAIRYEAR']]);
 if ($q->rowCount()) {
 	echo i18n('Please agree to / answer the following safety questions by checking the box next to the question, or choosing the appropriate answer');
 	echo '<br />';
diff --git a/register_participants_signature.php b/register_participants_signature.php
index d4f3bb5a..eff641e9 100644
--- a/register_participants_signature.php
+++ b/register_participants_signature.php
@@ -45,17 +45,25 @@ if ($_GET['sample']) {
 		exit;
 	}
 
-	$q = $pdo->prepare('SELECT registrations.id AS regid, students.id AS studentid, students.firstname FROM registrations,students '
-		. "WHERE students.email='" . $_SESSION['email'] . "' "
-		. "AND registrations.num='" . $_SESSION['registration_number'] . "' "
-		. "AND registrations.id='" . $_SESSION['registration_id'] . "' "
-		. 'AND students.registrations_id=registrations.id '
-		. 'AND registrations.year=' . $config['FAIRYEAR'] . ' '
-		. 'AND students.year=' . $config['FAIRYEAR']);
+	$q = $pdo->prepare('SELECT 
+	registrations.id AS regid, 
+	students.id AS studentid, 
+	students.firstname 
+FROM registrations 
+JOIN students ON students.registrations_id = registrations.id 
+WHERE students.email = ? 
+AND registrations.num = ? 
+AND registrations.id = ? 
+AND registrations.year = ? 
+AND students.year = ?');
 
-	$registration_number = $_SESSION['registration_number'];
-	$registration_id = $_SESSION['registration_id'];
-	$q->execute();
+	$q->execute([
+		$_SESSION['email'],
+		$_SESSION['registration_number'],
+		$_SESSION['registration_id'],
+		$config['FAIRYEAR'],
+		$config['FAIRYEAR']
+	]);
 
 	show_pdo_errors_if_any($pdo);
 
@@ -100,22 +108,22 @@ if ($_GET['sample']) {
 	$rr->school = 'SampleSchool';
 } else {
 	// grab the project info
-	$q = $pdo->prepare("SELECT projects.*, 
+	$q = $pdo->prepare('SELECT projects.*, 
                         projectcategories.category, 
                         projectdivisions.division
                  FROM projects
                  JOIN projectdivisions ON projects.projectdivisions_id=projectdivisions.id
                  JOIN projectcategories ON projects.projectcategories_id=projectcategories.id
-                 WHERE registrations_id='" . $_SESSION['registration_id'] . "' 
-                        AND projects.year='" . $config['FAIRYEAR'] . "'
-                        AND projectdivisions.year='" . $config['FAIRYEAR'] . "'
-                        AND projectcategories.year='" . $config['FAIRYEAR'] . "'
-                        ");
-	$q->execute();
+                 WHERE registrations_id=? 
+                        AND projects.year=?
+                        AND projectdivisions.year=?
+                        AND projectcategories.year=?
+                        ');
+	$q->execute([$_SESSION['registration_id'], $config['FAIRYEAR'], $config['FAIRYEAR'], $config['FAIRYEAR']]);
 	$projectinfo = $q->fetch(PDO::FETCH_OBJ);
 
-	$q = $pdo->prepare("SELECT * FROM students WHERE registrations_id='" . $_SESSION['registration_id'] . "' AND year='" . $config['FAIRYEAR'] . "'");
-	$q->execute();
+	$q = $pdo->prepare('SELECT * FROM students WHERE registrations_id=? AND year=?');
+	$q->execute([$_SESSION['registration_id'], $config['FAIRYEAR']]);
 	while ($si = $q->fetch(PDO::FETCH_OBJ))
 		$studentinfoarray[] = $si;
 }
@@ -136,8 +144,8 @@ $pdf->addTextX("Exhibitor$plural: ", 0.75);
 
 foreach ($studentinfoarray AS $studentinfo) {
 	if (!$_GET['sample']) {
-		$qq = $pdo->prepare("SELECT school FROM schools WHERE id={$studentinfo->schools_id}");
-		$qq->execute();
+		$qq = $pdo->prepare('SELECT school FROM schools WHERE id=?');
+		$qq->execute([$studentinfo->schools_id]);
 		$rr = $qq->fetch(PDO::FETCH_OBJ);
 	}
 
diff --git a/register_participants_signature_tcpdf.php b/register_participants_signature_tcpdf.php
index 49782983..a8f723ab 100644
--- a/register_participants_signature_tcpdf.php
+++ b/register_participants_signature_tcpdf.php
@@ -43,17 +43,22 @@ if (get_value_from_array($_GET, 'sample')) {
 		exit;
 	}
 
-	$q = $pdo->prepare("SELECT registrations.id AS regid, students.id AS studentid, students.firstname 
-\t \t\t\tFROM registrations,students
-	\t \t\tWHERE students.email='{$_SESSION['email']}' 
-				AND registrations.num='{$_SESSION['registration_number']}'
-				AND registrations.id='{$_SESSION['registration_id']}'
-				AND students.registrations_id=registrations.id
-				AND registrations.year={$config['FAIRYEAR']}
-				AND students.year={$config['FAIRYEAR']}");
-	$registration_number = $_SESSION['registration_number'];
-	$registration_id = $_SESSION['registration_id'];
-	$q->execute();
+	$q = $pdo->prepare('SELECT registrations.id AS regid, students.id AS studentid, students.firstname 
+                    FROM registrations, students
+                    WHERE students.email=? 
+                        AND registrations.num=?
+                        AND registrations.id=?
+                        AND students.registrations_id = registrations.id
+                        AND registrations.year=?
+                        AND students.year=?');
+
+	$q->execute([
+		$_SESSION['email'],
+		$_SESSION['registration_number'],
+		$_SESSION['registration_id'],
+		$config['FAIRYEAR'],
+		$config['FAIRYEAR']
+	]);
 
 	show_pdo_errors_if_any($pdo);
 
@@ -85,22 +90,22 @@ if ($_GET['sample']) {
 	$rr->school = 'SampleSchool';
 } else {
 	// grab the project info
-	$q = $pdo->prepare("SELECT projects.*, 
+	$q = $pdo->prepare('SELECT projects.*, 
                         projectcategories.category, 
                         projectdivisions.division
                  FROM projects
                  JOIN projectdivisions ON projects.projectdivisions_id=projectdivisions.id
                  JOIN projectcategories ON projects.projectcategories_id=projectcategories.id
-                 WHERE registrations_id='" . $_SESSION['registration_id'] . "' 
-                        AND projects.year='" . $config['FAIRYEAR'] . "'
-                        AND projectdivisions.year='" . $config['FAIRYEAR'] . "'
-                        AND projectcategories.year='" . $config['FAIRYEAR'] . "'
-                        ");
-	$q->execute();
+                 WHERE registrations_id=? 
+                        AND projects.year=?
+                        AND projectdivisions.year=?
+                        AND projectcategories.year=?
+                        ');
+	$q->execute([$_SESSION['registration_id'], $config['FAIRYEAR'], $config['FAIRYEAR'], $config['FAIRYEAR']]);
 	$projectinfo = $q->fetch(PDO::FETCH_OBJ);
 
-	$q = $pdo->prepare("SELECT * FROM students WHERE registrations_id='" . $_SESSION['registration_id'] . "' AND year='" . $config['FAIRYEAR'] . "'");
-	$q->execute();
+	$q = $pdo->prepare('SELECT * FROM students WHERE registrations_id=? AND year=?');
+	$q->execute([$_SESSION['registration_id'], $config['FAIRYEAR']]);
 	while ($si = $q->fetch(PDO::FETCH_OBJ))
 		$studentinfoarray[] = $si;
 }
@@ -116,8 +121,8 @@ $pdf->WriteHTML('<h3>' . i18n('Registration Summary') . '</h3>
 $students = '';
 foreach ($studentinfoarray AS $studentinfo) {
 	if (!$_GET['sample']) {
-		$qq = $pdo->prepare("SELECT school FROM schools WHERE id={$studentinfo->schools_id}");
-		$qq->execute();
+		$qq = $pdo->prepare('SELECT school FROM schools WHERE id=?');
+		$qq->execute([$studentinfo->schools_id]);
 		$rr = $qq->fetch(PDO::FETCH_OBJ);
 	}
 	if ($students != '')
diff --git a/register_participants_spawards.php b/register_participants_spawards.php
index 224a14c5..88f9a754 100644
--- a/register_participants_spawards.php
+++ b/register_participants_spawards.php
@@ -40,13 +40,13 @@ if (!$_SESSION['registration_number']) {
 }
 
 $q = $pdo->prepare('SELECT registrations.id AS regid, students.id AS studentid, students.firstname FROM registrations,students '
-	. "WHERE students.email='" . $_SESSION['email'] . "' "
-	. "AND registrations.num='" . $_SESSION['registration_number'] . "' "
-	. "AND registrations.id='" . $_SESSION['registration_id'] . "' "
+	. "WHERE students.email=?"
+	. "AND registrations.num=?"
+	. "AND registrations.id=?"
 	. 'AND students.registrations_id=registrations.id '
-	. 'AND registrations.year=' . $config['FAIRYEAR'] . ' '
-	. 'AND students.year=' . $config['FAIRYEAR']);
-$q->execute();
+	. 'AND registrations.year=?'
+	. 'AND students.year=?');
+$q->execute([$_SESSION['email'],$_SESSION['registration_number'],$_SESSION['registration_id'],$config['FAIRYEAR'],$config['FAIRYEAR']]);
 show_pdo_errors_if_any($pdo);
 
 if ($q->rowCount() == 0) {
@@ -55,8 +55,8 @@ if ($q->rowCount() == 0) {
 }
 $authinfo = $q->fetch(PDO::FETCH_OBJ);
 
-$q = $pdo->prepare("SELECT * FROM projects WHERE registrations_id='" . $_SESSION['registration_id'] . "'");
-$q->execute();
+$q = $pdo->prepare("SELECT * FROM projects WHERE registrations_id=?");
+$q->execute([$_SESSION['registration_id']]);
 $project = $q->fetch(PDO::FETCH_OBJ);
 
 // send the header
@@ -91,8 +91,8 @@ echo '<br />';
 
 if ($config['specialawardnomination'] == 'date') {
 	echo notice(i18n('Special award self-nomination is only available from %1 to %2.  Please make sure you complete your nominations between these dates.', array($config['dates']['specawardregopen'], $config['dates']['specawardregclose'])));
-	$q = $pdo->prepare("SELECT (NOW()>'" . $config['dates']['specawardregopen'] . "' AND NOW()<'" . $config['dates']['specawardregclose'] . "') AS datecheck");
-	$q->execute();
+	$q = $pdo->prepare("SELECT (NOW()>? AND NOW()<?) AS datecheck");
+	$q->execute([$config['dates']['specawardregopen'],$config['dates']['specawardregclose']]);
 	$r = $q->fetch(PDO::FETCH_OBJ);
 	// this will return 1 if its between the dates, 0 otherwise.
 	if ($r->datecheck == 1)
@@ -123,15 +123,15 @@ if ($_POST['action'] == 'save') {
 		if ($num > $config['maxspecialawardsperproject']) {
 			echo error(i18n('You can only apply to %1 special awards.  You have selected %2', array($config['maxspecialawardsperproject'], $num)));
 		} else {
-			$stmt = $pdo->prepare("DELETE FROM project_specialawards_link WHERE projects_id='$project->id' AND year='" . $config['FAIRYEAR'] . "'");
-			$stmt->execute();
+			$stmt = $pdo->prepare("DELETE FROM project_specialawards_link WHERE projects_id=? AND year=?");
+			$stmt->execute([$project->id,  $config['FAIRYEAR']]);
 			foreach ($splist AS $spaward) {
 				$s = ($spaward == -1) ? 'NULL' : "'$spaward'";
-				$stmt = $pdo->prepare('INSERT INTO project_specialawards_link (award_awards_id,projects_id,year) VALUES ('
-					. "$s, "
-					. "'$project->id', "
-					. "'" . $config['FAIRYEAR'] . "')");
-				$stmt->execute();
+				$stmt = $pdo->prepare('INSERT INTO project_specialawards_link (award_awards_id,projects_id,year) VALUES (
+					?, 
+					?,
+					?)');
+				$stmt->execute([$s,$project->id,$config['FAIRYEAR']]);
 				show_pdo_errors_if_any($pdo);
 			}
 			if ($num) {
diff --git a/register_participants_students.php b/register_participants_students.php
index 419b925a..effe450d 100644
--- a/register_participants_students.php
+++ b/register_participants_students.php
@@ -41,14 +41,26 @@ if (!($_SESSION['registration_number'] && $_SESSION['registration_id'])) {
 }
 
 $fairyear = intval($config['FAIRYEAR']);
-$q = $pdo->prepare('SELECT registrations.id AS regid, students.id AS studentid, students.firstname FROM registrations,students '
-	. "WHERE students.email='" . $_SESSION['email'] . "' "
-	. "AND registrations.num='" . $_SESSION['registration_number'] . "' "
-	. "AND registrations.id='" . $_SESSION['registration_id'] . "' "
-	. 'AND students.registrations_id=registrations.id '
-	. 'AND registrations.year=' . $fairyear . ' '
-	. 'AND students.year=' . $fairyear);
-$q->execute();
+$q = $pdo->prepare('SELECT 
+        registrations.id AS regid, 
+        students.id AS studentid, 
+        students.firstname 
+    FROM registrations 
+    JOIN students ON students.registrations_id = registrations.id 
+    WHERE students.email = ? 
+    AND registrations.num = ? 
+    AND registrations.id = ? 
+    AND registrations.year = ? 
+    AND students.year = ?');
+
+$q->execute([
+	$_SESSION['email'],
+	$_SESSION['registration_number'],
+	$_SESSION['registration_id'],
+	$fairyear,
+	$fairyear
+]);
+
 show_pdo_errors_if_any($pdo);
 
 if ($q->rowCount() == 0) {
@@ -63,8 +75,8 @@ echo '<br />';
 
 $regfee_items = array();
 $items_q = $pdo->prepare("SELECT * FROM regfee_items
- \t\t\t\tWHERE year='{$config['FAIRYEAR']}'");
-$items_q->execute();
+ \t\t\t\tWHERE year=?");
+$items_q->execute([$config['FAIRYEAR']]);
 while ($items_i = $items_q->fetch(PDO::FETCH_ASSOC)) {
 	$regfee_items[] = $items_i;
 }
@@ -82,8 +94,8 @@ if (get_value_from_array($_POST, 'action') == 'save') {
 			if ($students_id == 0) {
 				// if they use schoolpassword or singlepassword, then we need to set the school based on the school stored in the registration record.  for anything else they can school the school on their own.
 				if ($config['participant_registration_type'] == 'schoolpassword' || $config['participant_registration_type'] == 'invite') {
-					$q = $pdo->prepare("SELECT schools_id FROM registrations WHERE id='" . $_SESSION['registration_id'] . "' AND YEAR='" . $config['FAIRYEAR'] . "'");
-					$q->execute();
+					$q = $pdo->prepare('SELECT schools_id FROM registrations WHERE id=? AND YEAR=?');
+					$q->execute([$_SESSION['registration_id'], $config['FAIRYEAR']]);
 					$r = $q->fetch(PDO::FETCH_OBJ);
 					$schools_id = $r->schools_id;
 
@@ -93,28 +105,35 @@ if (get_value_from_array($_POST, 'action') == 'save') {
 				}
 				// INSERT new record
 				$dob = $_POST['year'][$x] . '-' . $_POST['month'][$x] . '-' . $_POST['day'][$x];
-				$stmt = $pdo->prepare('INSERT INTO students (registrations_id,firstname,lastname,pronunciation,sex,email,address,city,county,province,postalcode,phone,dateofbirth,grade,schools_id,tshirt,medicalalert,foodreq,teachername,teacheremail,year) VALUES ('
-					. "'" . $_SESSION['registration_id'] . "', "
-					. "'" . stripslashes($_POST['firstname'][$x]) . "', "
-					. "'" . stripslashes($_POST['lastname'][$x]) . "', "
-					. "'" . stripslashes($_POST['pronunciation'][$x]) . "', "
-					. "'" . stripslashes($_POST['sex'][$x]) . "', "
-					. "'" . stripslashes($_POST['email'][$x]) . "', "
-					. "'" . stripslashes($_POST['address'][$x]) . "', "
-					. "'" . stripslashes($_POST['city'][$x]) . "', "
-					. "'" . stripslashes($_POST['county'][$x]) . "', "
-					. "'" . stripslashes($_POST['province'][$x]) . "', "
-					. "'" . stripslashes($_POST['postalcode'][$x]) . "', "
-					. "'" . stripslashes($_POST['phone'][$x]) . "', "
-					. "'$dob', "
-					. "'" . stripslashes($_POST['grade'][$x]) . "', "
-					. $schoolvalue
-					. "'" . stripslashes($_POST['tshirt'][$x]) . "', "
-					. "'" . stripslashes($_POST['medicalalert'][$x]) . "', "
-					. "'" . stripslashes($_POST['foodreq'][$x]) . "', "
-					. "'" . stripslashes($_POST['teachername'][$x]) . "', "
-					. "'" . stripslashes($_POST['teacheremail'][$x]) . "', "
-					. "'" . $config['FAIRYEAR'] . "')");
+				$stmt = $pdo->prepare('INSERT INTO students 
+    (registrations_id, firstname, lastname, pronunciation, sex, email, address, city, county, province, 
+     postalcode, phone, dateofbirth, grade, schools_id, tshirt, medicalalert, foodreq, 
+     teachername, teacheremail, year) 
+    VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?,?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)');
+				$stmt->execute([
+					$_SESSION['registration_id'],
+					stripslashes($_POST['firstname'][$x]),
+					stripslashes($_POST['lastname'][$x]),
+					stripslashes($_POST['pronunciation'][$x]),
+					stripslashes($_POST['sex'][$x]),
+					stripslashes($_POST['email'][$x]),
+					stripslashes($_POST['address'][$x]),
+					stripslashes($_POST['city'][$x]),
+					stripslashes($_POST['county'][$x]),
+					stripslashes($_POST['province'][$x]),
+					stripslashes($_POST['postalcode'][$x]),
+					stripslashes($_POST['phone'][$x]),
+					$dob,
+					stripslashes($_POST['grade'][$x]),
+					$schoolvalue,
+					stripslashes($_POST['tshirt'][$x]),
+					stripslashes($_POST['medicalalert'][$x]),
+					stripslashes($_POST['foodreq'][$x]),
+					stripslashes($_POST['teachername'][$x]),
+					stripslashes($_POST['teacheremail'][$x]),
+					$config['FAIRYEAR']
+				]);
+
 				$students_id = $pdo->lastInsertId();
 
 				echo notice(i18n('%1 %2 successfully added', array($_POST['firstname'][$x], $_POST['lastname'][$x])));
@@ -128,39 +147,62 @@ if (get_value_from_array($_POST, 'action') == 'save') {
 
 				// UPDATE existing record
 				$dob = $_POST['year'][$x] . '-' . $_POST['month'][$x] . '-' . $_POST['day'][$x];
-				$stmt = $pdo->prepare('UPDATE students SET '
-					. "firstname='" . stripslashes($_POST['firstname'][$x]) . "', "
-					. "lastname='" . stripslashes($_POST['lastname'][$x]) . "', "
-					. "pronunciation='" . stripslashes($_POST['pronunciation'][$x]) . "', "
-					. "sex='" . stripslashes($_POST['sex'][$x]) . "', "
-					. "email='" . stripslashes($_POST['email'][$x]) . "', "
-					. "address='" . stripslashes($_POST['address'][$x]) . "', "
-					. "city='" . stripslashes($_POST['city'][$x]) . "', "
-					. "county='" . stripslashes($_POST['county'][$x]) . "', "
-					. "province='" . stripslashes($_POST['province'][$x]) . "', "
-					. "postalcode='" . stripslashes($_POST['postalcode'][$x]) . "', "
-					. "phone='" . stripslashes($_POST['phone'][$x]) . "', "
-					. "dateofbirth='$dob', "
-					. "grade='" . stripslashes($_POST['grade'][$x]) . "', "
-					. $schoolquery
-					. "medicalalert='" . stripslashes($_POST['medicalalert'][$x]) . "', "
-					. "foodreq='" . stripslashes($_POST['foodreq'][$x]) . "', "
-					. "teachername='" . stripslashes($_POST['teachername'][$x]) . "', "
-					. "teacheremail='" . stripslashes($_POST['teacheremail'][$x]) . "', "
-					. "tshirt='" . stripslashes($_POST['tshirt'][$x]) . "' "
-					. "WHERE id='$students_id'");
+				$stmt = $pdo->prepare('UPDATE students SET 
+					firstname =?, 
+					lastname =?, 
+					pronunciation =?,
+					sex =?, 
+					email =?, 
+					address =?, 
+					city =?,
+					county =?, 
+					province=?, 
+					postalcode =?, 
+					phone =?, 
+					dateofbirth =?,
+					grade =?, 
+					$schoolquery
+					medicalalert =?, 
+					foodreq =?, 
+					teachername =?,
+					teacheremail =?, 
+					tshirt =? 
+					WHERE id =?');
+
+				$stmt->execute([
+					stripslashes($_POST['firstname'][$x]),
+					stripslashes($_POST['lastname'][$x]),
+					stripslashes($_POST['pronunciation'][$x]),
+					stripslashes($_POST['sex'][$x]),
+					stripslashes($_POST['email'][$x]),
+					stripslashes($_POST['address'][$x]),
+					stripslashes($_POST['city'][$x]),
+					stripslashes($_POST['county'][$x]),
+					stripslashes($_POST['province'][$x]),
+					stripslashes($_POST['postalcode'][$x]),
+					stripslashes($_POST['phone'][$x]),
+					$dob,
+					stripslashes($_POST['grade'][$x]),
+					stripslashes($_POST['medicalalert'][$x]),
+					stripslashes($_POST['foodreq'][$x]),
+					stripslashes($_POST['teachername'][$x]),
+					stripslashes($_POST['teacheremail'][$x]),
+					stripslashes($_POST['tshirt'][$x]),
+					$students_id
+				]);
+
 				echo notice(i18n('%1 %2 successfully updated', array($_POST['firstname'][$x], $_POST['lastname'][$x])));
 			}
 			/* Update the regfee items link */
 			if ($config['participant_regfee_items_enable'] == 'yes') {
-				$stmt = $pdo->prepare("DELETE FROM regfee_items_link WHERE students_id='$students_id'");
-				$stmt->execute();
+				$stmt = $pdo->prepare('DELETE FROM regfee_items_link WHERE students_id=?');
+				$stmt->execute([$students_id]);
 
 				if (is_array($_POST['regfee_item'][$x])) {
 					foreach ($_POST['regfee_item'][$x] as $id => $enabled) {
-						$stmt = $pdo->prepare("INSERT INTO regfee_items_link(`students_id`,`regfee_items_id`)
-								VALUES ('$students_id','$id') ");
-						$stmt->execute();
+						$stmt = $pdo->prepare('INSERT INTO regfee_items_link(`students_id`,`regfee_items_id`)
+								VALUES (?,?) ');
+						$stmt->execute([$students_id, $id]);
 					}
 				}
 			}
@@ -175,21 +217,21 @@ if (get_value_from_array($_GET, 'action') == 'removestudent') {
 	} else {
 		$students_id = intval($_GET['removestudent']);
 		// first make sure this is one belonging to this registration id
-		$q = $pdo->prepare("SELECT id FROM students WHERE id='$students_id' AND registrations_id='" . $_SESSION['registration_id'] . "'");
-		$q->execute();
+		$q = $pdo->prepare('SELECT id FROM students WHERE id=? AND registrations_id=?');
+		$q->execute([$students_id, $_SESSION['registration_id']]);
 		if ($q->rowCount() == 1) {
-			$stmt = $pdo->prepare("DELETE FROM students WHERE id='$students_id' AND registrations_id='" . $_SESSION['registration_id'] . "'");
-			$stmt->execute();
+			$stmt = $pdo->prepare('DELETE FROM students WHERE id=? AND registrations_id=?');
+			$stmt->execute([$students_id, $_SESSION['registration_id']]);
 			// now see if they have an emergency contact that also needs to be removed
 
-			$q = $pdo->prepare("SELECT id FROM emergencycontact WHERE students_id='$students_id' AND registrations_id='" . $_SESSION['registration_id'] . "' AND year='" . $config['FAIRYEAR'] . "'");
-			$q->execute();
+			$q = $pdo->prepare('SELECT id FROM emergencycontact WHERE students_id=? AND registrations_id=? AND year=?');
+			$q->execute([$students_id, $_SESSION['registration_id'], $config['FAIRYEAR']]);
 			// no need to error message if this doesnt exist
 			if ($q->rowCount() == 1)
-				$stmt = $pdo->prepare("DELETE FROM emergencycontact WHERE students_id='$students_id' AND registrations_id='" . $_SESSION['registration_id'] . "' AND year='" . $config['FAIRYEAR'] . "'");
-			$stmt->execute();
-			$stmt = $pdo->prepare("DELETE FROM regfee_items_link WHERE students_id='$students_id'");
-			$stmt->execute();
+				$stmt = $pdo->prepare('DELETE FROM emergencycontact WHERE students_id=? AND registrations_id=? AND year=?');
+			$stmt->execute([$students_id, $_SESSION['registration_id'], $config['FAIRYEAR']]);
+			$stmt = $pdo->prepare('DELETE FROM regfee_items_link WHERE students_id=?');
+			$stmt->execute([$students_id]);
 			echo notice(i18n('Student successfully removed'));
 		} else {
 			echo error(i18n('Invalid student to remove'));
@@ -207,14 +249,14 @@ if ($newstatus != 'complete') {
 
 // now query and display
 
-$q = $pdo->prepare("SELECT * FROM students WHERE registrations_id='" . $_SESSION['registration_id'] . "' AND year='" . $config['FAIRYEAR'] . "'");
-$q->execute();
+$q = $pdo->prepare('SELECT * FROM students WHERE registrations_id=? AND year=?');
+$q->execute([$_SESSION['registration_id'], $config['FAIRYEAR']]);
 if ($q->rowCount() == 0) {
 	// uhh oh, we didnt find any, this isnt possible! lets insert one using the logged in persons email address
 	// although... this can never really happen, since the above queries only allow the page to view if the student
 	// is found in the students table... soo... well, lets leave it here as a fallback anyways, just incase
-	$stmt = $pdo->prepare("INSERT INTO students (registrations_id,email,year) VALUES ('" . $_SESSION['registration_id'] . "','" . $_SESSION['email'] . "','" . $config['FAIRYEAR'] . "')");
-	$stmt->execute();
+	$stmt = $pdo->prepare('INSERT INTO students (registrations_id,email,year) VALUES (?,?,?)');
+	$stmt->execute([$_SESSION['registration_id'], $_SESSION['email'], $config['FAIRYEAR']]);
 	// if we just inserted it, then we will obviously find 1
 	$numfound = 1;
 } else {
@@ -437,8 +479,8 @@ for ($x = 1; $x <= $numtoshow; $x++) {
 	echo "<tr>\n";
 	echo ' <td>' . i18n('School') . '</td><td colspan="3">';
 	if ($config['participant_registration_type'] == 'open' || $config['participant_registration_type'] == 'singlepassword' || $config['participant_registration_type'] == 'openorinvite' || ($studentinfo && !$studentinfo->schools_id)) {
-		$schoolq = $pdo->prepare("SELECT id,school,city FROM schools WHERE year='" . $config['FAIRYEAR'] . "' ORDER by city,school");
-		$schoolq->execute();
+		$schoolq = $pdo->prepare('SELECT id,school,city FROM schools WHERE year=? ORDER by city,school');
+		$schoolq->execute([$config['FAIRYEAR']]);
 		echo "<select name=\"schools_id[$x]\">\n";
 		echo '<option value="">' . i18n('Choose School') . "</option>\n";
 		while ($r = $schoolq->fetch(PDO::FETCH_OBJ)) {
@@ -450,8 +492,8 @@ for ($x = 1; $x <= $numtoshow; $x++) {
 		}
 		echo '</select>' . REQUIREDFIELD;
 	} else {
-		$schoolq = $pdo->prepare("SELECT id,school FROM schools WHERE year='" . $config['FAIRYEAR'] . "' AND id='$studentinfo->schools_id'");
-		$schoolq->execute();
+		$schoolq = $pdo->prepare('SELECT id,school FROM schools WHERE year=? AND id=?');
+		$schoolq->execute([$config['FAIRYEAR'], $studentinfo->schools_id]);
 		$r = $schoolq->fetch(PDO::FETCH_OBJ);
 		echo $r->school;
 	}
@@ -465,9 +507,9 @@ for ($x = 1; $x <= $numtoshow; $x++) {
 	echo "</tr>\n";
 
 	if ($config['participant_regfee_items_enable'] == 'yes') {
-		$sel_q = $pdo->prepare("SELECT * FROM regfee_items_link 
-					WHERE students_id=$id");
-		$sel_q->execute();
+		$sel_q = $pdo->prepare('SELECT * FROM regfee_items_link 
+					WHERE students_id=?');
+		$sel_q->execute([$id]);
 		$sel = array();
 		while ($info_q = $sel_q->fetch(PDO::FETCH_ASSOC)) {
 			$sel[$info_q['regfee_items_id']] = $info_q['id'];
diff --git a/register_participants_tours.php b/register_participants_tours.php
index 67ad6f05..1ff643b0 100644
--- a/register_participants_tours.php
+++ b/register_participants_tours.php
@@ -38,14 +38,23 @@ if (!$_SESSION['registration_number']) {
 	exit;
 }
 
-$q = $pdo->prepare('SELECT registrations.id AS regid, students.id AS studentid, students.firstname FROM registrations,students '
-	. "WHERE students.email='" . $_SESSION['email'] . "' "
-	. "AND registrations.num='" . $_SESSION['registration_number'] . "' "
-	. "AND registrations.id='" . $_SESSION['registration_id'] . "' "
-	. 'AND students.registrations_id=registrations.id '
-	. 'AND registrations.year=' . $config['FAIRYEAR'] . ' '
-	. 'AND students.year=' . $config['FAIRYEAR']);
-$q->execute();
+$q = $pdo->prepare('SELECT registrations.id AS regid, students.id AS studentid, students.firstname 
+    FROM registrations 
+    JOIN students ON students.registrations_id = registrations.id 
+    WHERE students.email = ? 
+    AND registrations.num = ? 
+    AND registrations.id = ? 
+    AND registrations.year = ? 
+    AND students.year = ?');
+
+$q->execute([
+	$_SESSION['email'],
+	$_SESSION['registration_number'],
+	$_SESSION['registration_id'],
+	$config['FAIRYEAR'],
+	$config['FAIRYEAR']
+]);
+
 show_pdo_errors_if_any($pdo);
 
 if ($q->rowCount() == 0) {
@@ -71,10 +80,10 @@ if ($_POST['action'] == 'save') {
 	} else {
 		// first we will delete all their old answer, its easier to delete and re-insert in this case then it would be to find the corresponding answers and update them
 		$stmt = $pdo->prepare("DELETE FROM tours_choice 
-				WHERE registrations_id='{$_SESSION['registration_id']}' 
-				AND year='{$config['FAIRYEAR']}' 
+				WHERE registrations_id=? 
+				AND year=? 
 				AND rank!='0'");
-		$stmt->execute();
+		$stmt->execute([$_SESSION['registration_id'], $config['FAIRYEAR']]);
 		if (is_array($_POST['toursel'])) {
 			foreach ($_POST['toursel'] AS $students_id => $ts) {
 				$selarray = array();
@@ -94,13 +103,18 @@ if ($_POST['action'] == 'save') {
 					/* Remember this choice in a format that is easily searchable */
 					$selarray[] = $x;
 
-					$stmt = $pdo->prepare('INSERT INTO tours_choice (registrations_id,students_id,tour_id,year,rank) VALUES ('
-						. "'" . $_SESSION['registration_id'] . "', "
-						. "'" . intval($students_id) . "', "
-						. "'" . intval($tid) . "', "
-						. "'" . $config['FAIRYEAR'] . "', "
-						. "'$rank')");
-					$stmt->execute();
+					$stmt = $pdo->prepare('INSERT INTO tours_choice 
+    (registrations_id, students_id, tour_id, year, rank) 
+    VALUES (?, ?, ?, ?, ?)');
+
+					$stmt->execute([
+						$_SESSION['registration_id'],
+						intval($students_id),
+						intval($tid),
+						$config['FAIRYEAR'],
+						$rank
+					]);
+
 					show_pdo_errors_if_any($pdo);
 				}
 			}
@@ -131,8 +145,8 @@ if ($newstatus != 'complete') {
 }
 
 $assigned_tour = array();
-$q = $pdo->prepare("SELECT * FROM tours_choice WHERE registrations_id='" . $_SESSION['registration_id'] . "' AND year='" . $config['FAIRYEAR'] . "'");
-$q->execute();
+$q = $pdo->prepare('SELECT * FROM tours_choice WHERE registrations_id=? AND year=?');
+$q->execute([$_SESSION['registration_id'], $config['FAIRYEAR']]);
 while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 	if ($r->rank == 0)
 		$assigned_tour[$r->students_id] = $r->tour_id;
@@ -140,8 +154,8 @@ while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 }
 
 $tours = array();
-$q = $pdo->prepare("SELECT * FROM tours WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY id");
-$q->execute();
+$q = $pdo->prepare('SELECT * FROM tours WHERE year=? ORDER BY id');
+$q->execute([$config['FAIRYEAR']]);
 if ($q->rowCount() == 0) {
 	echo notice(i18n('There is not tour information'));
 	send_footer();
@@ -163,8 +177,8 @@ $max = $config['tours_choices_max'];
 echo "<form method=\"post\" action=\"register_participants_tours.php\">\n";
 echo "<input type=\"hidden\" name=\"action\" value=\"save\">\n";
 
-$q = $pdo->prepare("SELECT * FROM students WHERE registrations_id='" . $_SESSION['registration_id'] . "' AND year='" . $config['FAIRYEAR'] . "'");
-$q->execute();
+$q = $pdo->prepare('SELECT * FROM students WHERE registrations_id=? AND year=?');
+$q->execute([$_SESSION['registration_id'], $config['FAIRYEAR']]);
 $num_found = $q->rowCount();
 
 $print_submit = false;
diff --git a/remote.php b/remote.php
index 71310813..c4eb89bd 100644
--- a/remote.php
+++ b/remote.php
@@ -39,9 +39,9 @@ function handle_getstats(&$u, $fair, &$data, &$response)
 	$response['statconfig'] = explode(',', $fair['gather_stats']);
 
 	/* Send back the stats we currently have */
-	$q = $pdo->prepare("SELECT * FROM fairs_stats WHERE fairs_id='{$u['fairs_id']}'
-				AND year='$year'");
-	$q->execute();
+	$q = $pdo->prepare("SELECT * FROM fairs_stats WHERE fairs_id=?
+				AND year=?");
+	$q->execute([$u['fairs_id'],$year]);
 	$response['stats'] = $q->fetch(PDO::FETCH_ASSOC);
 	unset($response['stats']['id']);
 	$response['error'] = 0;
@@ -59,12 +59,12 @@ function handle_stats(&$u, $fair, &$data, &$response)
 	//	$str = join(',',$stats);
 	$keys = '`fairs_id`,`' . join('`,`', array_keys($stats)) . '`';
 	$vals = "'{$u['fairs_id']}','" . join("','", array_values($stats)) . "'";
-	$stmt = $pdo->prepare("DELETE FROM fairs_stats WHERE fairs_id='{$u['fairs_id']}'
-		AND year='{$stats['year']}'");
-	$stmt->execute();
+	$stmt = $pdo->prepare("DELETE FROM fairs_stats WHERE fairs_id=?
+		AND year=?");
+	$stmt->execute([$u['fairs_id'],$stats['year']]);
 	show_pdo_errors_if_any($pdo);
-	$stmt = $pdo->prepare("INSERT INTO fairs_stats (`id`,$keys) VALUES ('',$vals)");
-	$stmt->execute();
+	$stmt = $pdo->prepare("INSERT INTO fairs_stats (`id`,$keys) VALUES ('',?)");
+	$stmt->execute([$vals]);
 	show_pdo_errors_if_any($pdo);
 
 	$response['message'] = 'Stats saved';
@@ -80,8 +80,8 @@ function handle_getawards(&$u, $fair, &$data, &$response)
 
 	$ids = array();
 	/* Load a list of awards linked to the fair id */
-	$q = $pdo->prepare("SELECT * FROM fairs_awards_link WHERE fairs_id='{$fair['id']}'");
-	$q->execute();
+	$q = $pdo->prepare("SELECT * FROM fairs_awards_link WHERE fairs_id=?");
+	$q->execute([$fair['id']]);
 	while ($r = $q->fetch(PDO::FETCH_ASSOC)) {
 		$aaid = $r['award_awards_id'];
 		if ($r['download_award'] == 'yes')
@@ -91,8 +91,8 @@ function handle_getawards(&$u, $fair, &$data, &$response)
 
 	/* Load the awards this fair is allowed to download */
 	$where = "(id='" . join("' OR id='", $ids) . "')";
-	$q = $pdo->prepare("SELECT * FROM award_awards WHERE $where AND year='$year'");
-	$q->execute();
+	$q = $pdo->prepare("SELECT * FROM award_awards WHERE $where AND year=?");
+	$q->execute([$year]);
 
 	while ($a = $q->fetch(PDO::FETCH_ASSOC)) {
 		$award = array();
@@ -107,8 +107,8 @@ function handle_getawards(&$u, $fair, &$data, &$response)
 		$award['schedule_judges'] = $a['schedule_judges'];
 
 		if ($a['sponsors_id']) {
-			$sq = $pdo->prepare("SELECT * FROM sponsors WHERE id='{$a['sponsors_id']}'");
-			$sq->execute();
+			$sq = $pdo->prepare("SELECT * FROM sponsors WHERE id=?");
+			$sq->execute([$a['sponsors_id']]);
 			if ($sq->rowCount()) {
 				$s = $sq->fetch(PDO::FETCH_ASSOC);
 				$award['sponsor'] = $s['organization'];
@@ -116,8 +116,8 @@ function handle_getawards(&$u, $fair, &$data, &$response)
 		}
 
 		$award['prizes'] = array();
-		$pq = $pdo->prepare("SELECT * FROM award_prizes WHERE award_awards_id='{$a['id']}'");
-		$pq->execute();
+		$pq = $pdo->prepare("SELECT * FROM award_prizes WHERE award_awards_id=?");
+		$pq->execute([$a['id']]);
 		while ($p = $pq->fetch(PDO::FETCH_ASSOC)) {
 			/* Map array keys -> local database field */
 			$map = array('cash' => 'cash', 'scholarship' => 'scholarship',
@@ -176,8 +176,8 @@ function award_upload_update_school(&$mysql_query, &$school, $school_id = -1)
 			$set .= ',';
 		$set .= "`$m`='" . $school[$t] . "'";
 	}
-	$stmt = $pdo->prepare("UPDATE schools SET $set WHERE id='$sid'");
-	$stmt->execute();
+	$stmt = $pdo->prepare("UPDATE schools SET ? WHERE id=?");
+	$stmt->execute([$set,$sid]);
 	return $sid;
 }
 
@@ -192,33 +192,33 @@ function award_upload_school(&$student, &$school, $year, &$response)
 	$student_city = $student['city'];
 
 	/* Find school by matching name, city, phone, year */
-	$q = $pdo->prepare("SELECT * FROM schools WHERE school='$school_name' AND city='$school_city' AND phone='$school_phone' AND year='$year'");
-	$q->execute();
+	$q = $pdo->prepare("SELECT * FROM schools WHERE school=? AND city=? AND phone=? AND year=?");
+	$q->execute([$school_name,$school_city,$school_phone,$year]);
 	if ($q->rowCount() == 1)
 		return award_upload_update_school($q, $school);
 
 	/* Find school by matching name, city, address, year */
-	$q = $pdo->prepare("SELECT * FROM schools WHERE school='$school_name' AND city='$school_city' AND address='$school_addr' AND year='$year'");
-	$q->execute();
+	$q = $pdo->prepare("SELECT * FROM schools WHERE school=? AND city=? AND address=? AND year=?");
+	$q->execute([$school_name,$school_city,$school_addr,$year]);
 	if ($q->rowCount() == 1)
 		return award_upload_update_school($q, $school);
 
 	/* Find school by matching name, city, year */
-	$q = $pdo->prepare("SELECT * FROM schools WHERE school='$school_name' AND city='$school_city' AND year='$year'");
-	$q->execute();
+	$q = $pdo->prepare("SELECT * FROM schools WHERE school=? AND city=? AND year=?");
+	$q->execute([$school_name,$school_city,$year]);
 	if ($q->rowCount() == 1)
 		return award_upload_update_school($q, $school);
 
 	/* Find school by matching name, student city, year */
-	$q = $pdo->prepare("SELECT * FROM schools WHERE school='$school_name' AND city='$student_city' AND year='$year'");
-	$q->execute();
+	$q = $pdo->prepare("SELECT * FROM schools WHERE school=? AND city=? AND year=?");
+	$q->execute([$school_name,$student_city,$year]);
 	if ($q->rowCount() == 1)
 		return award_upload_update_school($q, $school);
 
 	$response['notice'][] = "      - Creating new school: $school_name";
 	/* No? ok, make a new school */
-	$stmt = $pdo->prepare("INSERT INTO schools(`school`,`year`) VALUES ('" . $school['schoolname'] . "','$year')");
-	$stmt->execute();
+	$stmt = $pdo->prepare("INSERT INTO schools(`school`,`year`) VALUES (?,?)");
+	$stmt->execute([$school['schoolname'], $year]);
 	$school_id = $pdo->lastInsertId();
 	return award_upload_update_school($q, $school, $school_id);
 }
@@ -251,8 +251,8 @@ function award_upload_assign(&$fair, &$award, &$prize, &$project, $year, &$respo
 
 	/* See if this project already exists */
 	$pn = $project['projectnumber'];
-	$q = $pdo->prepare("SELECT * FROM projects WHERE projectnumber='$pn' AND fairs_id='{$fair['id']}' AND year='$year'");
-	$q->execute();
+	$q = $pdo->prepare("SELECT * FROM projects WHERE projectnumber=? AND fairs_id=? AND year=?");
+	$q->execute([$pn,$fair['id'],$year]);
 	show_pdo_errors_if_any($pdo);
 	if ($q->rowCount() == 1) {
 		$our_project = $q->fetch(PDO::FETCH_ASSOC);
@@ -268,47 +268,48 @@ function award_upload_assign(&$fair, &$award, &$prize, &$project, $year, &$respo
 			// random number between
 			// 100000 and 999999  (six digit integer)
 			$regnum = rand(100000, 999999);
-			$q = $pdo->prepare("SELECT * FROM registrations WHERE num='$regnum' AND year=$year");
-			$q->execute();
+			$q = $pdo->prepare("SELECT * FROM registrations WHERE num=? AND year=?");
+			$q->execute([$regnum,$year]);
 			show_pdo_errors_if_any($pdo);
 		} while ($q->rowCount() > 0);
 
 		// actually insert it
-		$stmt = $pdo->prepare('INSERT INTO registrations (num,email,start,status,schools_id,year) VALUES ('
-			. "'$regnum','$regnum',NOW(),'open',NULL,'$year')");
-		$stmt->execute();
+		$stmt = $pdo->prepare('INSERT INTO registrations (num,email,start,status,schools_id,year) VALUES (
+			?,?,NOW(),open,NULL,?)');
+		$stmt->execute([$regnum,$regnum,$year]);
 		$registrations_id = $pdo->lastInsertId();
 		/* We'll fill in the email address later */
 
 		/* Add the project */
 		$stmt = $pdo->prepare("INSERT INTO projects (`registrations_id`,`projectnumber`,`year`,`fairs_id`)
-				VALUES('$registrations_id',
-					'" . $project['projectnumber'] . "',
-					'$year', '{$fair['id']}');");
-		$stmt->execute();
+				VALUES(?,
+					?,
+					?,?);");
+		$stmt->execute([$registrations_id,$project['projectnumber'],$year,$fair['id']]);
 		$pid = $pdo->lastInsertId();
 		$reg_email_needs_update = true;
 		$new_reg = true;
 	}
-	$q = $pdo->prepare("SELECT * FROM registrations WHERE id='$registrations_id'");
-	$q->execute();
+	$q = $pdo->prepare("SELECT * FROM registrations WHERE id=?");
+	$q->execute([$registrations_id]);
 	$registration = $q->fetch(PDO::FETCH_ASSOC);
 
 	/* Update the project in case anythign changed */
-	$stmt = $pdo->prepare("UPDATE projects SET title='" . $project['title'] . "',
+	$stmt = $pdo->prepare("UPDATE projects SET title=?,
 					summary='" . $project['abstract'] . "',
-					projectcategories_id='" . intval($project['projectcategories_id']) . "',
-					projectdivisions_id='" . intval($project['projectdivisions_id']) . "'
-				WHERE id='$pid'");
-	$stmt->execute();
+					projectcategories_id=?,
+					projectdivisions_id=?
+				WHERE id=?");
+	$stmt->execute([$project['title'],intval($project['projectcategories_id']),
+	intval($project['projectdivisions_id']),$pid]);
 
 	/* Record the winner */
 	$stmt = $pdo->prepare("INSERT INTO winners(`awards_prizes_id`,`projects_id`,`year`,`fairs_id`)
-			VALUES('{$prize['id']}','$pid','$year','{$fair['id']}')");
-	$stmt->execute();
+			VALUES(?,?,?,?)");
+	$stmt->execute([$prize['id'],$pid,$year,$fair['id']]);
 	/* Delete the students attached to this project */
-	$stmt = $pdo->prepare("DELETE FROM students WHERE registrations_id='$registrations_id'");
-	$stmt->execute();
+	$stmt = $pdo->prepare("DELETE FROM students WHERE registrations_id=?");
+	$stmt->execute([$registrations_id]);
 
 	/* Add new */
 	foreach ($project['students'] as &$student) {
@@ -321,15 +322,15 @@ function award_upload_assign(&$fair, &$award, &$prize, &$project, $year, &$respo
 		foreach ($student_fields as $k => $v)
 			$values .= ",'" . $student[$k] . "'";
 		/* Note lack of comma before $keys, we added it above for both keys and values */
-		$stmt = $pdo->prepare("INSERT INTO students (`registrations_id`,`fairs_id`, `schools_id`,`year` $keys)
-				VALUES('$registrations_id','{$fair['id']}','$schools_id','$year' $values )");
-		$stmt->execute();
+		$stmt = $pdo->prepare("INSERT INTO students (`registrations_id`,`fairs_id`, `schools_id`,`year` ?)
+				VALUES(?,?,?,? ? )");
+		$stmt->execute([$keys,$registrations_id,$fair['id'],$schools_id,$year,$values]);
 
 		/* Update the registration email */
 		if ($reg_email_needs_update) {
-			$stmt = $pdo->prepare("UPDATE registrations SET email='" . $student['email'] . "'
-					WHERE id='$registrations_id'");
-			$stmt->execute();
+			$stmt = $pdo->prepare("UPDATE registrations SET email=?
+					WHERE id=?");
+			$stmt->execute([$student['email'],$registrations_id]);
 			$reg_email_needs_update = false;
 		}
 
@@ -350,8 +351,8 @@ function award_upload_assign(&$fair, &$award, &$prize, &$project, $year, &$respo
 		 * or antyhing, we probably want to include it in reports, so set
 		 * it to complete
 		 */
-		$stmt = $pdo->prepare("UPDATE registrations SET status='complete' WHERE id='$registrations_id'");
-		$stmt->execute();
+		$stmt = $pdo->prepare("UPDATE registrations SET status='complete' WHERE id=?");
+		$stmt->execute([$registrations_id]);
 	}
 }
 
@@ -374,8 +375,8 @@ function handle_awards_upload(&$u, &$fair, &$data, &$response)
 		/* Find the award */
 		$eid = $external_identifier;
 
-		$q = $pdo->prepare("SELECT * FROM award_awards WHERE external_identifier='$eid' AND year='$year'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT * FROM award_awards WHERE external_identifier=? AND year=?");
+		$q->execute([$eid,$year]);
 		if ($q->rowCount() != 1) {
 			$response['message'] = "Unknown award identifier '$eid' for year $year";
 			$response['error'] = 1;
@@ -391,16 +392,16 @@ function handle_awards_upload(&$u, &$fair, &$data, &$response)
 		 * check the year as long as we query by aaid
 		 */
 		$prizes = array();
-		$q = $pdo->prepare("SELECT * FROM award_prizes WHERE award_awards_id='$aaid'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT * FROM award_prizes WHERE award_awards_id=?");
+		$q->execute([$aaid]);
 		while ($prize = $q->fetch(PDO::FETCH_ASSOC)) {
 			$response['notice'][] = " - Prize: {$prize['prize']}";
 
 			/* Clean out existing winners for this prize */
 			$stmt = $pdo->prepare("DELETE FROM winners WHERE 
-					award_prize_id='{$prize['id']}' 
-					AND fairs_id='{$fair['id']}'");
-			$stmt->execute();
+					award_prize_id=? 
+					AND fairs_id=?");
+			$stmt->execute([$prize['id'],$fair['id']]);
 
 			/* Assign projects to this prize */
 			$ul_p = &$award_data['prizes'][$prize['prize']];
@@ -421,8 +422,8 @@ function handle_get_categories(&$u, &$fair, &$data, &$response)
 	global $pdo;
 	$year = intval($data['get_categories']['year']);
 	$cat = array();
-	$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year='$year' ORDER BY id");
-	$q->execute();
+	$q = $pdo->prepare("SELECT * FROM projectcategories WHERE year=? ORDER BY id");
+	$q->execute([$year]);
 	while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 		$cat[$r->id] = array('id' => $r->id,
 			'category' => $r->category,
@@ -438,8 +439,8 @@ function handle_get_divisions(&$u, &$fair, &$data, &$response)
 	global $pdo;
 	$year = intval($data['get_divisions']['year']);
 	$div = array();
-	$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year='$year' ORDER BY id");
-	$q->execute();
+	$q = $pdo->prepare("SELECT * FROM projectdivisions WHERE year=? ORDER BY id");
+	$q->execute([$year]);
 	while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 		$div[$r->id] = array('id' => $r->id,
 			'division' => $r->division);
@@ -455,8 +456,8 @@ function handle_award_additional_materials(&$u, &$fair, &$data, &$response)
 	$external_identifier = $data['award_additional_materials']['identifier'];
 
 	$eid = $external_identifier;
-	$q = $pdo->prepare("SELECT * FROM award_awards WHERE external_identifier='$eid' AND year='$year'");
-	$q->execute();
+	$q = $pdo->prepare("SELECT * FROM award_awards WHERE external_identifier=? AND year=?");
+	$q->execute([$eid,$year]);
 	if ($q->rowCount() != 1) {
 		$response['message'] = "Unknown award identifier '$eid'";
 		$response['error'] = 1;
diff --git a/schoolaccess.php b/schoolaccess.php
index 19da60e4..0ea700cf 100644
--- a/schoolaccess.php
+++ b/schoolaccess.php
@@ -8,13 +8,13 @@ $happymsg = null;
 $errormsg = null;
 
 if (get_value_from_array($_POST, 'schoolid') && get_value_from_array($_POST, 'accesscode')) {
-	$q = $pdo->prepare("SELECT * FROM schools WHERE id='" . $_POST['schoolid'] . "' AND accesscode='" . $_POST['accesscode'] . "' AND year='" . $config['FAIRYEAR'] . "'");
-	$q->execute();
+	$q = $pdo->prepare("SELECT * FROM schools WHERE id=? AND accesscode=? AND year=?");
+	$q->execute([$_POST['schoolid'], $_POST['accesscode'], $config['FAIRYEAR']]);
 	if ($q->rowCount() == 1) {
 		$_SESSION['schoolid'] = $_POST['schoolid'];
 		$_SESSION['schoolaccesscode'] = $_POST['accesscode'];
-		$stmt = $pdo->prepare("UPDATE schools SET lastlogin=NOW() WHERE id='" . $_POST['schoolid'] . "'");
-		$stmt->execute();
+		$stmt = $pdo->prepare("UPDATE schools SET lastlogin=NOW() WHERE id=?");
+		$stmt->execute([$_POST['schoolid']]);
 	} else
 		$errormsg = 'Invalid School ID or Access Code';
 }
@@ -27,8 +27,8 @@ if (get_value_from_array($_GET, 'action') == 'logout') {
 send_header('School Access');
 
 if (get_value_from_array($_SESSION, 'schoolid') && $_SESSION['schoolaccesscode']) {
-	$q = $pdo->prepare("SELECT * FROM schools WHERE id='" . $_SESSION['schoolid'] . "' AND accesscode='" . $_SESSION['schoolaccesscode'] . "' AND year='" . $config['FAIRYEAR'] . "'");
-	$q->execute();
+	$q = $pdo->prepare("SELECT * FROM schools WHERE id=? AND accesscode=? AND year=?");
+	$q->execute([$_SESSION['schoolid'], $_SESSION['schoolaccesscode'], $config['FAIRYEAR']]);
 	show_pdo_errors_if_any($pdo);
 	$school = $q->fetch(PDO::FETCH_OBJ);
 	if ($school) {
@@ -68,16 +68,16 @@ if (get_value_from_array($_SESSION, 'schoolid') && $_SESSION['schoolaccesscode']
 			}
 
 			$stmt = $pdo->prepare("UPDATE schools SET
-				school='" . stripslashes($_POST['school']) . "',
-				address='" . stripslashes($_POST['address']) . "',
-				city='" . stripslashes($_POST['city']) . "',
-				province_code='" . stripslashes($_POST['province_code']) . "',
-				postalcode='" . stripslashes($_POST['postalcode']) . "',
-				phone='" . stripslashes($_POST['phone']) . "',
-				$sciencehead_update
-				fax='" . stripslashes($_POST['fax']) . "'
-				WHERE id='$school->id'");
-			$stmt->execute();
+				school=?,
+				address=?,
+				city=?,
+				province_code=?,
+				postalcode=?,
+				phone=?,
+				?
+				fax=?
+				WHERE id=?");
+			$stmt->execute([stripslashes($_POST['school']),stripslashes($_POST['address']),stripslashes($_POST['city']), stripslashes($_POST['province_code']),stripslashes($_POST['postalcode']),stripslashes($_POST['phone']),stripslashes($_POST['fax']),$sciencehead_update,$school->id]);
 
 			show_pdo_errors_if_any($pdo);
 			if (check_for_pdo_errors($pdo))
@@ -86,8 +86,8 @@ if (get_value_from_array($_SESSION, 'schoolid') && $_SESSION['schoolaccesscode']
 				echo happy(i18n('School information successfully updated'));
 
 			// and reselect it
-			$q = $pdo->prepare("SELECT * FROM schools WHERE id='" . $_SESSION['schoolid'] . "' AND accesscode='" . $_SESSION['schoolaccesscode'] . "' AND year='" . $config['FAIRYEAR'] . "'");
-			$q->execute();
+			$q = $pdo->prepare("SELECT * FROM schools WHERE id=? AND accesscode=? AND year=?");
+			$q->execute([$_SESSION['schoolid'], $_SESSION['schoolaccesscode'], $config['FAIRYEAR']]);
 			show_pdo_errors_if_any($pdo);
 			$school = $q->fetch(PDO::FETCH_OBJ);
 		}
@@ -220,8 +220,8 @@ if (get_value_from_array($_SESSION, 'schoolid') && $_SESSION['schoolaccesscode']
 	<select name="schoolid">
 	<option value=""><?= i18n('Choose your school') ?></option>
 	<?
-	$q = $pdo->prepare("SELECT id,school,city FROM schools WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY school");
-	$q->execute();
+	$q = $pdo->prepare("SELECT id,school,city FROM schools WHERE year=? ORDER BY school");
+	$q->execute([$config['FAIRYEAR']]);
 	$prev = 'somethingthatdoesnotexist';
 	while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 		if ($r->school == $prev)
diff --git a/schoolinvite.php b/schoolinvite.php
index 47deed22..9e0013c8 100644
--- a/schoolinvite.php
+++ b/schoolinvite.php
@@ -8,8 +8,8 @@ if ($_SESSION['schoolid'] && $_SESSION['schoolaccesscode']) {
 
 	echo '<a href="schoolaccess.php">&lt;&lt; ' . i18n('Return to school access main page') . '</a><br />';
 	echo '<br />';
-	$q = $pdo->prepare("SELECT * FROM schools WHERE id='" . $_SESSION['schoolid'] . "' AND accesscode='" . $_SESSION['schoolaccesscode'] . "' AND year='" . $config['FAIRYEAR'] . "'");
-	$q->execute();
+	$q = $pdo->prepare('SELECT * FROM schools WHERE id=? AND accesscode=? AND year=?');
+	$q->execute([$_SESSION['schoolid'], $_SESSION['schoolaccesscode'], $config['FAIRYEAR']]);
 	show_pdo_errors_if_any($pdo);
 	$school = $q->fetch(PDO::FETCH_OBJ);
 	if ($school) {
@@ -17,8 +17,8 @@ if ($_SESSION['schoolid'] && $_SESSION['schoolaccesscode']) {
 			if ($_POST['action'] == 'invite') {
 				if ($_POST['firstname'] && $_POST['lastname'] && $_POST['email'] && $_POST['grade']) {
 					// make sure they arent already invited!
-					$q = $pdo->prepare("SELECT firstname, lastname FROM students WHERE year='" . $config['FAIRYEAR'] . "' AND email='" . $_POST['email'] . "'");
-					$q->execute();
+					$q = $pdo->prepare('SELECT firstname, lastname FROM students WHERE year=? AND email=?');
+					$q->execute([$config['FAIRYEAR'], $_POST['email']]);
 					if ($q->rowCount()) {
 						echo error(i18n('That students email address has already been invited'));
 					} else {
@@ -28,31 +28,37 @@ if ($_SESSION['schoolid'] && $_SESSION['schoolaccesscode']) {
 							// random number between
 							// 100000 and 999999  (six digit integer)
 							$regnum = rand(100000, 999999);
-							$q = $pdo->prepare("SELECT * FROM registrations WHERE num='$regnum' AND year=" . $config['FAIRYEAR']);
-							$q->execute();
+							$q = $pdo->prepare('SELECT * FROM registrations WHERE num? AND year=?');
+							$q->execute([$regnum, $config['FAIRYEAR']]);
 						} while ($q->rowCount() > 0);
 
 						// actually insert it
-						$stmt = $pdo->prepare('INSERT INTO registrations (num,email,emailcontact,start,status,year) VALUES ('
-							. "'$regnum',"
-							. "'" . $_POST['email'] . "',"
-							. "'" . $_POST['emailcontact'] . "',"
-							. 'NOW(),'
-							. "'open',"
-							. $config['FAIRYEAR']
-							. ')');
-						$stmt->execute();
+						$stmt = $pdo->prepare('INSERT INTO registrations (num, email, emailcontact, start, status, year) 
+    					VALUES (?, ?, ?, NOW(), ?, ?)');
+
+						$stmt->execute([
+							$regnum,
+							$_POST['email'],
+							$_POST['emailcontact'],
+							'open',
+							$config['FAIRYEAR']
+						]);
+
 						$regid = $pdo->lastInsertId();
 
-						$stmt = $pdo->prepare("INSERT INTO students (registrations_id,email,firstname,lastname,schools_id,grade,year) VALUES (
-								'$regid',
-								'" . $_POST['email'] . "',
-								'" . $_POST['firstname'] . "',
-								'" . $_POST['lastname'] . "',
-								'" . $_SESSION['schoolid'] . "',
-								'" . $_POST['grade'] . "',
-								'" . $config['FAIRYEAR'] . "')");
-						$stmt->execute();
+						$stmt = $pdo->prepare("INSERT INTO students (registrations_id, email, firstname, lastname, schools_id, grade, year) 
+							VALUES (?, ?, ?, ?, ?, ?, ?)");
+
+						$stmt->execute([
+							$regid,
+							$_POST['email'],
+							$_POST['firstname'],
+							$_POST['lastname'],
+							$_SESSION['schoolid'],
+							$_POST['grade'],
+							$config['FAIRYEAR']
+						]);
+
 
 						email_send('new_participant', $_POST['email'], array(), array('REGNUM' => $regnum, 'EMAIL' => $_POST['email']));
 						if ($_POST['emailcontact'])
@@ -65,25 +71,25 @@ if ($_SESSION['schoolid'] && $_SESSION['schoolaccesscode']) {
 
 			if ($_GET['action'] == 'uninvite') {
 				// first, make sure that this is really their student, and it sfor this year.
-				$q = $pdo->prepare("SELECT * FROM students WHERE id='" . $_GET['uninvite'] . "' AND year='" . $config['FAIRYEAR'] . "' AND schools_id='" . $_SESSION['schoolid'] . "'");
-				$q->execute();
+				$q = $pdo->prepare('SELECT * FROM students WHERE id=? AND year=? AND schools_id=?');
+				$q->execute([$_GET['uninvite'], $config['FAIRYEAR'], $_SESSION['schoolid']]);
 				if ($q->rowCount()) {
 					$r = $q->fetch(PDO::FETCH_OBJ);
 					$registrations_id = $r->registrations_id;
 					if ($registrations_id)  // just to be safe!
 					{
-						$stmt = $pdo->prepare("DELETE FROM students WHERE registrations_id='$registrations_id'");
-						$stmt->execute();
-						$stmt = $pdo->prepare("DELETE FROM projects WHERE registrations_id='$registrations_id'");
-						$stmt->execute();
-						$stmt = $pdo->prepare("DELETE FROM mentors WHERE registrations_id='$registrations_id'");
-						$stmt->execute();
-						$stmt = $pdo->prepare("DELETE FROM safety WHERE registrations_id='$registrations_id'");
-						$stmt->execute();
-						$stmt = $pdo->prepare("DELETE FROM emergencycontact WHERE registrations_id='$registrations_id'");
-						$stmt->execute();
-						$stmt = $pdo->prepare("DELETE FROM registrations WHERE id='$registrations_id'");
-						$stmt->execute();
+						$stmt = $pdo->prepare('DELETE FROM students WHERE registrations_id=?');
+						$stmt->execute([$registrations_id]);
+						$stmt = $pdo->prepare('DELETE FROM projects WHERE registrations_id=?');
+						$stmt->execute([$registrations_id]);
+						$stmt = $pdo->prepare('DELETE FROM mentors WHERE registrations_id=?');
+						$stmt->execute([$registrations_id]);
+						$stmt = $pdo->prepare('DELETE FROM safety WHERE registrations_id=?');
+						$stmt->execute([$registrations_id]);
+						$stmt = $pdo->prepare('DELETE FROM emergencycontact WHERE registrations_id=?');
+						$stmt->execute([$registrations_id]);
+						$stmt = $pdo->prepare('DELETE FROM registrations WHERE id=?');
+						$stmt->execute([$registrations_id]);
 
 						echo happy(i18n('Student successfully uninvited'));
 					}
@@ -91,8 +97,8 @@ if ($_SESSION['schoolid'] && $_SESSION['schoolaccesscode']) {
 					echo error(i18n('Invalid student to uninvite'));
 			}
 
-			$q = $pdo->prepare("SELECT (NOW()>'" . $config['dates']['regopen'] . "' AND NOW()<'" . $config['dates']['regclose'] . "') AS datecheck");
-			$q->execute();
+			$q = $pdo->prepare('SELECT (NOW()>? AND NOW()<?) AS datecheck');
+			$q->execute([$config['dates']['regopen'], $config['dates']['regclose']]);
 			$datecheck = $q->fetch(PDO::FETCH_OBJ);
 
 			$q = $pdo->prepare("SELECT \t
@@ -103,14 +109,14 @@ if ($_SESSION['schoolid'] && $_SESSION['schoolaccesscode']) {
 						students,
 						registrations 
 					WHERE 
-						students.schools_id='" . $school->id . "' 
-						AND students.year='" . $config['FAIRYEAR'] . "' 
+						students.schools_id=? 
+						AND students.year=? 
 						AND students.registrations_id=registrations.id 
 					GROUP BY registrations.num
 					ORDER BY 
 						lastname,
 						firstname");
-			$q->execute();
+			$q->execute([$school->id, $config['FAIRYEAR']]);
 			$currentinvited = $q->rowCount();
 
 			if ($datecheck != 0) {
@@ -135,22 +141,22 @@ if ($_SESSION['schoolid'] && $_SESSION['schoolaccesscode']) {
 						}
 					} else if ($school->projectlimitper == 'agecategory') {
 						echo '<br />';
-						$catq = $pdo->prepare("SELECT * FROM projectcategories WHERE year='" . $config['FAIRYEAR'] . "' ORDER BY id");
-						$catq->execute();
+						$catq = $pdo->prepare('SELECT * FROM projectcategories WHERE year=? ORDER BY id');
+						$catq->execute([$config['FAIRYEAR']]);
 						while ($catr = $catq->fetch(PDO::FETCH_OBJ)) {
-							$q2 = $pdo->prepare("SELECT COUNT(students.id) AS num
+							$q2 = $pdo->prepare('SELECT COUNT(students.id) AS num
 									FROM 
 										students,
 										registrations 
 									WHERE 
-										students.schools_id='" . $school->id . "' 
-										AND students.grade>='$catr->mingrade'
-										AND students.grade<='$catr->maxgrade'
-										AND students.year='" . $config['FAIRYEAR'] . "' 
+										students.schools_id=? 
+										AND students.grade>=?
+										AND students.grade<=?
+										AND students.year=? 
 										AND students.registrations_id=registrations.id 
 										GROUP BY registrations.num
-									");
-							$q2->execute();
+									');
+							$q2->execute([$school->id, $catr->mingrade, $catr->maxgrade, $config['FAIRYEAR']]);
 							show_pdo_errors_if_any($pdo);
 							$r2 = $q2->fetch(PDO::FETCH_OBJ);
 							$currentinvited = $r2->num;
diff --git a/scripts/assignprojectnumbers.php b/scripts/assignprojectnumbers.php
index 014810ee..a7f4276c 100644
--- a/scripts/assignprojectnumbers.php
+++ b/scripts/assignprojectnumbers.php
@@ -36,8 +36,8 @@ $projq = $pdo->prepare("SELECT id FROM registrations WHERE status='complete' OR
 $projq->execute();
 while ($projr = $projq->fetch(PDO::FETCH_OBJ)) {
 	$reg_id = $projr->id;
-	$q = $pdo->prepare("SELECT projects.projectcategories_id, projects.projectdivisions_id FROM projects WHERE registrations_id='$reg_id'");
-	$q->execute();
+	$q = $pdo->prepare("SELECT projects.projectcategories_id, projects.projectdivisions_id FROM projects WHERE registrations_id=?");
+	$q->execute([$reg_id]);
 	$r = $q->fetch(PDO::FETCH_OBJ);
 
 	$projectnumber = $config['project_num_format'];
@@ -47,8 +47,8 @@ while ($projr = $projq->fetch(PDO::FETCH_OBJ)) {
 
 	// now change the N to a % so we can use it as a wildcard
 	$querynum = str_replace('N', '%', $projectnumber);
-	$searchq = $pdo->prepare("SELECT projectnumber FROM projects WHERE year='" . $config['FAIRYEAR'] . "' AND projectnumber LIKE '$querynum'");
-	$searchq->execute();
+	$searchq = $pdo->prepare("SELECT projectnumber FROM projects WHERE year=? AND projectnumber LIKE ?");
+	$searchq->execute([$config['FAIRYEAR'],$querynum]);
 	print ("SELECT projectnumber FROM projects WHERE year='" . $config['FAIRYEAR'] . "' AND projectnumber LIKE '$querynum'\n");
 	$searchnum = $searchq->rowCount();
 	echo "searchnum=$searchnum \n";
@@ -77,8 +77,8 @@ while ($projr = $projq->fetch(PDO::FETCH_OBJ)) {
 	}
 
 	$projectnumber = str_replace('N', $Nnum, $projectnumber);
-	$stmt = $pdo->prepare("UPDATE projects SET projectnumber='$projectnumber' WHERE registrations_id='$reg_id' AND year='" . $config['FAIRYEAR'] . "'");
-	$stmt->execute();
+	$stmt = $pdo->prepare("UPDATE projects SET projectnumber=? WHERE registrations_id=? AND year=?");
+	$stmt->execute([$projectnumber,$reg_id,$config['FAIRYEAR']]);
 	if ($projectnumber) {
 		echo "Assigned new project number $projectnumber\n";
 	} else {
diff --git a/scripts/assigntourrankings.php b/scripts/assigntourrankings.php
index 994708d8..1741557b 100644
--- a/scripts/assigntourrankings.php
+++ b/scripts/assigntourrankings.php
@@ -50,9 +50,9 @@ while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 	$rank = 1;
 	while ($tr = $tq->fetch(PDO::FETCH_OBJ)) {
 		$stmt = $pdo->prepare("INSERT INTO tours_choice (students_id,registrations_id,tour_id,year,rank) VALUES (
-				'$r->students_id','$r->registrations_id','$tr->id','2008','$rank'
+				?,?,?,'2008',?
 			)");
-		$stmt->execute();
+		$stmt->execute([$r->students_id,$r->registrations_id,$tr->id,$rank]);
 		$rank++;
 	}
 	echo "Assigned student $r->students_id\n";
diff --git a/scripts/judges_fake.php b/scripts/judges_fake.php
index 9d97c7e1..bf0e3294 100644
--- a/scripts/judges_fake.php
+++ b/scripts/judges_fake.php
@@ -127,8 +127,8 @@ for ($x = 0; $x < $numjudges; $x++) {
 	else
 		$complete = 'yes';
 
-	$q = $pdo->prepare("INSERT INTO judges (firstname,lastname,email,years_school,years_regional,years_national,willing_chair,complete) VALUES ('$firstname','$lastname','$email','$years_school','$years_regional','$years_national','$willing_chair','$complete')");
-	$q->execute();
+	$q = $pdo->prepare("INSERT INTO judges (firstname,lastname,email,years_school,years_regional,years_national,willing_chair,complete) VALUES (?,?,?,?,?,?,?,?)");
+	$q->execute([$firstname,$lastname,$email,$years_school,$years_regional,$years_national,$willing_chair,$complete]);
 	$id = $pdo->lastInsertId();
 
 	// for both these, the annealer expects -2 to 2 , but since expertise was done waaaaaay before as 1-5 we'll add it as 1-5 and the annealer will subtract 3
@@ -137,36 +137,36 @@ for ($x = 0; $x < $numjudges; $x++) {
 	// preference is ranked -2 to 2
 	for ($a = 1; $a <= 3; $a++) {
 		$catrank = rand(-2, 2);
-		$stmt = $pdo->prepare("INSERT INTO judges_catpref (judges_id,projectcategories_id,rank,year) VALUES ('$id','$a','$catrank','2007')");
-		$stmt->execute();
+		$stmt = $pdo->prepare("INSERT INTO judges_catpref (judges_id,projectcategories_id,rank,year) VALUES (?,?,?,'2007')");
+		$stmt->execute([$id,$a,$catrank]);
 	}
 
 	// expertise is ranked 1-5
 	for ($a = 1; $a <= 6; $a++) {
 		$divrank = rand(1, 5);
-		$stmt = $pdo->prepare("INSERT INTO judges_expertise (judges_id,projectdivisions_id,val,year) VALUES ('$id','$a','$divrank','2007')");
-		$stmt->execute();
+		$stmt = $pdo->prepare("INSERT INTO judges_expertise (judges_id,projectdivisions_id,val,year) VALUES (?,?,?,'2007')");
+		$stmt->execute([$id,$a,$divrank]);
 	}
 
 	// and add the record to the judges_years table so they will be 'active' for this year
-	$stmt = $pdo->prepare("INSERT INTO judges_years (judges_id,year) VALUES ('$id','2007')");
-	$stmt->execute();
+	$stmt = $pdo->prepare("INSERT INTO judges_years (judges_id,year) VALUES (?,'2007')");
+	$stmt->execute([$id]);
 
 	// 60% chance they only speak english
 	// 20% chance they only speak french
 	// 20% chance they are bilingual
 	$num = rand(0, 100);
 	if ($num < 60) {
-		$stmt = $pdo->prepare("INSERT INTO judges_languages (judges_id,languages_lang) VALUES ('$id','en')");
-		$stmt->execute();
+		$stmt = $pdo->prepare("INSERT INTO judges_languages (judges_id,languages_lang) VALUES (?,'en')");
+		$stmt->execute([$id]);
 	} else if ($num < 80) {
-		$stmt = $pdo->prepare("INSERT INTO judges_languages (judges_id,languages_lang) VALUES ('$id','fr')");
-		$stmt->execute();
+		$stmt = $pdo->prepare("INSERT INTO judges_languages (judges_id,languages_lang) VALUES (?,'fr')");
+		$stmt->execute([$id]);
 	} else {
-		$stmt = $pdo->prepare("INSERT INTO judges_languages (judges_id,languages_lang) VALUES ('$id','en')");
-		$stmt->execute();
-		$stmt = $pdo->prepare("INSERT INTO judges_languages (judges_id,languages_lang) VALUES ('$id','fr')");
-		$stmt->execute();
+		$stmt = $pdo->prepare("INSERT INTO judges_languages (judges_id,languages_lang) VALUES (?,'en')");
+		$stmt->execute([$id]);
+		$stmt = $pdo->prepare("INSERT INTO judges_languages (judges_id,languages_lang) VALUES (?,'fr')");
+		$stmt->execute([$id]);
 	}
 }
 
diff --git a/scripts/populate_fake.php b/scripts/populate_fake.php
index fe410f24..94f3dfb7 100644
--- a/scripts/populate_fake.php
+++ b/scripts/populate_fake.php
@@ -72,8 +72,8 @@ for ($x = 0; $x < $numprojects; $x++) {
 	else
 		$status = 'complete';
 
-	$q = $pdo->prepare("INSERT INTO registrations (num,email,start,status,year) VALUES ('$regnum','$email',NOW(),'$status',2011)");
-	$q->execute();
+	$q = $pdo->prepare("INSERT INTO registrations (num,email,start,status,year) VALUES (?,?,NOW(),?,2011)");
+	$q->execute([$regnum,$email,$status]);
 	if ($id = $pdo->lastInsertId()) {
 		$peeps = rand(1, $prob_dual);
 		if ($peeps == 1)
@@ -104,8 +104,8 @@ for ($x = 0; $x < $numprojects; $x++) {
 
 			$firstname = getrand($firstnames);
 			$email = strtolower($firstname) . '@' . getrand($domains);
-			$stmt = $pdo->prepare("INSERT INTO students (registrations_id,firstname,lastname,email,sex,grade,year,schools_id) VALUES ('$id','$firstname','" . getrand($lastnames) . "','$email','$sex','$grade','2011','$schools_id')");
-			$stmt->execute();
+			$stmt = $pdo->prepare("INSERT INTO students (registrations_id,firstname,lastname,email,sex,grade,year,schools_id) VALUES (?,?,?,?,?,?,'2011',?)");
+			$stmt->execute([$id,$firstname,getrand($lastnames),$email,$sex,$grade,$schools_id]);
 		}
 
 		$div = rand(1, 6);
@@ -129,8 +129,8 @@ for ($x = 0; $x < $numprojects; $x++) {
 		else
 			$lang = 'en';
 
-		$stmt = $pdo->prepare("INSERT INTO projects (registrations_id,projectcategories_id,projectdivisions_id,title,year,req_electricity,req_table,language) VALUES ('$id','$cat','$div','$title $lang',2011,'$req_e','$req_t','$lang')");
-		$stmt->execute();
+		$stmt = $pdo->prepare("INSERT INTO projects (registrations_id,projectcategories_id,projectdivisions_id,title,year,req_electricity,req_table,language) VALUES (?,?,?,? ?,2011,?,?,?)");
+		$stmt->execute([$id,$cat,$div,$title,$lang,$req_e,$req_t,$lang]);
 	}
 }
 
diff --git a/scripts/rolloverschools.php b/scripts/rolloverschools.php
index 7537e296..c3af3fbb 100644
--- a/scripts/rolloverschools.php
+++ b/scripts/rolloverschools.php
@@ -34,8 +34,8 @@ require_once ('../config_editor.inc.php');
 function roll($currentfairyear, $newfairyear, $table, $fields)
 {
 	global $pdo;
-	$q = $pdo->prepare("SELECT * FROM $table WHERE year='$currentfairyear'");
-	$q->execute();
+	$q = $pdo->prepare("SELECT * FROM $table WHERE year=?");
+	$q->execute([$currentfairyear]);
 	show_pdo_errors_if_any($pdo);
 	$names = '`' . join('`,`', $fields) . '`';
 	while ($r = $q->fetch(PDO::FETCH_ASSOC)) {
@@ -44,8 +44,8 @@ function roll($currentfairyear, $newfairyear, $table, $fields)
 			$vals .= ",'" . $r[$f] . "'";
 		}
 
-		$stmt = $pdo->prepare("INSERT INTO $table(`year`,$names) VALUES ('$newfairyear'$vals)");
-		$stmt->execute();
+		$stmt = $pdo->prepare("INSERT INTO $table(`year`,?) VALUES (?,?)");
+		$stmt->execute([$names,$newfairyear,$vals]);
 		show_pdo_errors_if_any($pdo);
 	}
 }
@@ -55,8 +55,8 @@ $newfairyear = 2010;
 
 echo i18n('Rolling schools') . '<br />';
 // award types
-$q = $pdo->prepare("SELECT * FROM schools WHERE year='$currentfairyear'");
-$q->execute();
+$q = $pdo->prepare("SELECT * FROM schools WHERE year=?");
+$q->execute([$currentfairyear]);
 show_pdo_errors_if_any($pdo);
 while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 	$puid = ($r->principal_uid == null) ? 'NULL' : ("'" . intval($r->principal_uid) . "'");
diff --git a/sponsor_main.php b/sponsor_main.php
index 857cd3ff..5e96be49 100644
--- a/sponsor_main.php
+++ b/sponsor_main.php
@@ -33,8 +33,8 @@
  send_header("Sponsor Main", array());
  $u=user_load($_SESSION['users_id']);
  //print_r($u);
- $q=$pdo->prepare("SELECT * FROM sponsors WHERE id='".$u['sponsors_id']."'");
- $q->execute();
+ $q=$pdo->prepare("SELECT * FROM sponsors WHERE id=?");
+ $q->execute([$u['sponsors_id']]);
  $sponsor=$q->fetch(PDO::FETCH_OBJ);
 
  //only display the named greeting if we have their name
@@ -61,11 +61,11 @@
 		 FROM fundraising_donations
 		 JOIN sponsors ON fundraising_donations.sponsors_id=sponsors.id
 		 JOIN fundraising_goals ON fundraising_donations.fundraising_goal=fundraising_goal.goal
-		  AND fundraising_donations.fiscalyear='{$config['FISCALYEAR']}'
-		  AND fundraising_goals.fiscalyear='{$config['FISCALYEAR']}'
-		  AND sponsors.id='".$u['sponsors_id']."'
+		  AND fundraising_donations.fiscalyear=?
+		  AND fundraising_goals.fiscalyear=?
+		  AND sponsors.id=?
 		  ORDER BY status DESC, probability DESC, organization");
-		$sq->execute();
+		$sq->execute([$config['FISCALYEAR'],$config['FISCALYEAR'],$u['sponsors_id']]);
 	show_pdo_errors_if_any($pdo);
 
 	echo "<table class=\"tableview\">";
@@ -98,8 +98,8 @@
 	echo "<br />\n";
 
 	echo "<h2>Donor Levels</h2>\n";
-	$q=$pdo->prepare("SELECT * FROM fundraising_donor_levels WHERE year='".$config['FISCALYEAR']."' ORDER BY max DESC");
-	$q->execute();
+	$q=$pdo->prepare("SELECT * FROM fundraising_donor_levels WHERE year=? ORDER BY max DESC");
+	$q->execute([$config['FISCALYEAR']]);
 	echo "<table class=\"tableview\">";
 	echo "<th></th><th>".i18n("Level")."</th>";
 	echo "<th>".i18n("Description / Benefits")."</th>\n";
diff --git a/tableeditor.class.php b/tableeditor.class.php
index 3cdacf1e..9bd49714 100644
--- a/tableeditor.class.php
+++ b/tableeditor.class.php
@@ -368,8 +368,8 @@ class TableEditor
 		$inputsize = 0;
 
 		// figure out what kind of input this should be
-		$q = $pdo->prepare("SHOW COLUMNS FROM `{$this->table}` LIKE '$f'");
-		$q->execute();
+		$q = $pdo->prepare("SHOW COLUMNS FROM ? LIKE ?");
+		$q->execute([$this->table,$f]);
 		$r = $q->fetch(PDO::FETCH_OBJ);
 
 		if (preg_match('([a-z]*)\(([0-9,]*)\)', $r->Type, $regs)) {
@@ -461,15 +461,15 @@ class TableEditor
 	function defaultLoad()
 	{
 		global $pdo;
-		$query = "SELECT {$this->primaryKey}";
+		$query = "SELECT ?";
 		foreach ($this->editfields AS $f => $n)
-			$query .= ", `$f`";
-		$query .= " FROM `{$this->table}`";
-		$query .= " WHERE {$this->primaryKey}='{$_GET['edit']}'";
+			$query .= ", ?";
+		$query .= " FROM ?";
+		$query .= " WHERE {$this->primaryKey}=?";		
 		if ($this->DEBUG)
 			echo $query;
 		$editquery = $pdo->prepare($query);
-		$editquery->execute();
+		$editquery->execute([$this->primaryKey,$f,$this->table,$_GET['edit']]);
 		$editdata = $editquery->fetch(PDO::FETCH_ASSOC);
 		return $editdata;
 	}
@@ -504,20 +504,20 @@ class TableEditor
 		if ($insert_mode) {
 			$query .= ')';
 		} else {
-			$query .= " WHERE {$this->primaryKey}='{$keyval}'";
-		}
+			
+			$query .= " WHERE {$this->primaryKey}=?";		}
 
 		if ($this->DEBUG)
 			echo $query;
 		$stmt = $pdo->prepare($query);
-		$stmt->execute();
+		$stmt->execute($keyval);
 	}
 
 	function defaultDelete($keyval)
 	{
 		global $pdo;
-		$stmt = $pdo->prepare("DELETE FROM {$this->table} WHERE {$this->primaryKey}='{$keyval}'");
-		$stmt->execute();
+		$stmt = $pdo->prepare("DELETE FROM $this->table WHERE {$this->primaryKey}=?");
+		$stmt->execute([$keyval]);
 		echo happy(i18n('Successfully deleted %1', array($this->recordType)));
 	}
 
@@ -785,8 +785,8 @@ class TableEditor
 					case 'enum':
 						break;
 					case 'select_or_text':
-						$optq = $pdo->prepare("SELECT DISTINCT($f) AS $f FROM `{$this->table}` ORDER BY $f");
-						$optq->execute();
+						$optq = $pdo->prepare("SELECT DISTINCT(?) AS ? FROM ? ORDER BY ?");
+						$optq->execute([$f,$f,$this->table, $f]);
 						if ($this->fieldInputOptions[$f])
 							echo '<select ' . $this->fieldInputOptions[$f] . ' id="' . $f . '_select" name="' . $f . '_select">';
 						else
@@ -991,7 +991,7 @@ class TableEditor
 			// just to make sure nothing funky is goin on.
 			if ($offset < 0)
 				$offset = 0;
-			$query .= " LIMIT $offset,$this->rowsPerPage";
+			$query .= " LIMIT ?,?";
 		}
 
 		if ($this->allowAdding) {
@@ -1003,7 +1003,7 @@ class TableEditor
 
 		echo $query;
 		$q = $pdo->prepare($query);
-		$q->execute();
+		$q->execute([$offset,$this->rowsPerPage]);
 
 		if ($q == false) {
 			echo "Sorry, DB query failed: <pre>$query</pre><br />";
@@ -1103,8 +1103,8 @@ class TableEditor
 				echo '<tr>';
 				foreach ($this->listfields AS $f => $n) {
 					// figure out what kind of input this should be
-					$typeq = $pdo->prepare("SHOW COLUMNS FROM `{$this->table}` LIKE '$f'");
-					$typeq->execute();
+					$typeq = $pdo->prepare("SHOW COLUMNS FROM ? LIKE ?");
+					$typeq->execute([$this->table,$config['FAIRYEAR']]);
 					$typer = $typeq->fetCh(PDO::FETCH_OBJ);
 					if ($typer->Type == 'time')
 						echo '<td valign="top">' . $this->format_time($r->$f) . '</td>';
diff --git a/tours.class.php b/tours.class.php
index 947e3f2b..a333c377 100644
--- a/tours.class.php
+++ b/tours.class.php
@@ -85,8 +85,8 @@ class tours
 
 		$q = $pdo->prepare("SELECT\ttours.*
 			FROM \ttours 
-			WHERE \ttours.id='$id'");
-		$q->execute();
+			WHERE \ttours.id=?");
+		$q->execute([$id]);
 		show_pdo_errors_if_any($pdo);
 
 		/*
@@ -130,11 +130,11 @@ class tours
 		// rip off the last comma
 		$query = substr($query, 0, -1);
 
-		$query .= " WHERE id='{$this->id}'";
+		$query .= " WHERE id=?";
 
 		//	echo $query;
 		$stmt = $pdo->prepare($query);
-		$stmt->execute();
+		$stmt->execute([$this->id]);
 	}
 
 	function tableEditorDelete()
@@ -143,10 +143,10 @@ class tours
 
 		$id = $this->id;
 
-		$stmt = $pdo->prepare("DELETE FROM tours_choice WHERE tour_id='$id' AND year=" . $config['FAIRYEAR'] . "'");
-		$stmt->execute();
-		$stmt = $pdo->prepare("DELETE FROM tours WHERE id='$id' AND year='" . $config['FAIRYEAR'] . "'");
-		$stmt->execute();
+		$stmt = $pdo->prepare("DELETE FROM tours_choice WHERE tour_id=? AND year=?");
+		$stmt->execute([$id, $config['FAIRYEAR']]);
+		$stmt = $pdo->prepare("DELETE FROM tours WHERE id=? AND year=?");
+		$stmt->execute([$id, $config['FAIRYEAR']]);
 
 		echo happy(i18n("Successfully removed tour from this year's fair"));
 	}
diff --git a/user.inc.php b/user.inc.php
index 968f9562..44c445f4 100644
--- a/user.inc.php
+++ b/user.inc.php
@@ -111,8 +111,8 @@ function user_load_judge(&$u)
 	}
 	$specialawards = array();
 	if ($u['special_award_only'] == 'yes') {
-		$q = $pdo->prepare("SELECT * FROM judges_specialaward_sel WHERE users_id='{$u['id']}'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT * FROM judges_specialaward_sel WHERE users_id=?");
+		$q->execute([$u['id']]);
 		while ($r = $q->fetch(PDO::FETCH_OBJ)) {
 			$specialawards[] = $r->award_awards_id;
 		}
@@ -149,8 +149,8 @@ function user_load_sponsor(&$u)
 	$u['sponsor_complete'] = ($u['sponsor_complete'] == 'yes') ? 'yes' : 'no';
 	$u['sponsor_active'] = ($u['sponsor_active'] == 'yes') ? 'yes' : 'no';
 	if ($u['sponsors_id']) {
-		$q = $pdo->prepare("SELECT * FROM sponsors WHERE id='{$u['sponsors_id']}'");
-		$q->execute();
+		$q = $pdo->prepare("SELECT * FROM sponsors WHERE id=?");
+		$q->execute([$u['sponsors_id']]);
 		$u['sponsor'] = $q->fetch(PDO::FETCH_ASSOC);
 	}
 	return true;
@@ -317,8 +317,8 @@ function user_load_by_email($email)
 	global $pdo;
 	/* Find the most recent uid for the email, regardless of deleted status */
 	$e = $email;
-	$q = $pdo->prepare("SELECT uid FROM users WHERE email='$e' OR username='$e' ORDER BY year DESC LIMIT 1");
-	$q->execute();
+	$q = $pdo->prepare("SELECT uid FROM users WHERE email=? OR username=? ORDER BY year DESC LIMIT 1");
+	$q->execute([$e, $e]);
 	if ($q->rowCount() == 1) {
 		$i = $q->fetch(PDO::FETCH_ASSOC);
 		return user_load_by_uid($i['uid']);
@@ -365,9 +365,9 @@ function user_set_password($id, $password = NULL)
 	$set .= "password='" . password_hash($p, PASSWORD_BCRYPT) . "', passwordset=$save_set ";
 
 	////FIXME This one may be tricky
-	$query = "UPDATE users SET $set WHERE id=$id";
+	$query = "UPDATE users SET $set WHERE id=?";
 	$stmt = $pdo->prepare($query);
-	$stmt->execute();
+	$stmt->execute([$id]);
 	show_pdo_errors_if_any($pdo);
 
 	return $password;
@@ -402,9 +402,9 @@ function user_save_type_list($u, $db, $fields)
 		$set .= "`$f`='$data'";
 	}
 	if ($set != '') {
-		$query = "UPDATE $db SET $set WHERE users_id='{$u['id']}'";
+		$query = "UPDATE ? SET ? WHERE users_id=?";
 		$stmt = $pdo->prepare($query);
-		$stmt->execute();
+		$stmt->execute([$db,$set,$u['id']]);
 		if ($pdo->errorInfo()) {
 			show_pdo_errors_if_any($pdo);
 		}
@@ -539,8 +539,8 @@ function user_save(&$u)
 function user_delete_committee($u)
 {
 	global $pdo;
-	$stmt = $pdo->prepare("DELETE FROM committees_link WHERE users_uid='{$u['uid']}'");
-	$stmt->execute();
+	$stmt = $pdo->prepare("DELETE FROM committees_link WHERE users_uid=?");
+	$stmt->execute([$u['uid']]);
 }
 
 function user_delete_volunteer($u) {}
@@ -550,17 +550,17 @@ function user_delete_judge($u)
 	global $config;
 	global $pdo;
 	$ids = array();
-	$q = $pdo->prepare("SELECT id FROM users WHERE uid = '{$u['uid']}'");
-	$q->execute();
+	$q = $pdo->prepare("SELECT id FROM users WHERE uid =?");
+	$q->execute([$u['uid']]);
 	while ($row = $q->fetch(PDO::FETCH_ASSOC))
 		$ids[] = $row['id'];
 	if (count($ids) > 0) {
 		$idlist = implode(',', $ids);
-		$stmt = $pdo->prepare("DELETE FROM judges_teams_link WHERE users_id IN ($idlist)");
-		$stmt->execute();
+		$stmt = $pdo->prepare("DELETE FROM judges_teams_link WHERE users_id IN (?)");
+		$stmt->execute([$idlist]);
 
-		$stmt = $pdo->prepare("DELETE FROM judges_specialaward_sel WHERE users_id IN($idlist)");
-		$stmt->execute();
+		$stmt = $pdo->prepare("DELETE FROM judges_specialaward_sel WHERE users_id IN(?)");
+		$stmt->execute([$idlist]);
 	}
 }
 
@@ -608,8 +608,8 @@ function user_delete($u, $type = false)
 				$types .= $t;
 			}
 
-			$stmt = $pdo->prepare("UPDATE users SET types='$types' WHERE uid='{$u['uid']}'");
-			$stmt->execute();
+			$stmt = $pdo->prepare("UPDATE users SET types='$types' WHERE uid=?");
+			$stmt->execute([$u['uid']]);
 		} else {
 			$finish_delete = true;
 		}
@@ -623,8 +623,8 @@ function user_delete($u, $type = false)
 		$finish_delete = true;
 	}
 	if ($finish_delete == true) {
-		$stmt = $pdo->prepare("UPDATE users SET deleted='yes', deleteddatetime=NOW() WHERE uid='{$u['uid']}'");
-		$stmt->execute();
+		$stmt = $pdo->prepare("UPDATE users SET deleted='yes', deleteddatetime=NOW() WHERE uid=?");
+		$stmt->execute([$u['uid']]);
 	}
 }
 
@@ -660,8 +660,8 @@ function user_purge($u, $type = false)
 					$types .= ',';
 				$types .= $t;
 			}
-			$stmt = $pdo->prepare("UPDATE users SET types='$types' WHERE id='{$u['id']}'");
-			$stmt->execute();
+			$stmt = $pdo->prepare("UPDATE users SET types=? WHERE id=?");
+			$stmt->execute([$types, $u['id']]);
 		} else {
 			$finish_purge = true;
 		}
@@ -672,21 +672,21 @@ function user_purge($u, $type = false)
 		 */
 		call_user_func("user_delete_$type", $u);
 		//		call_user_func("user_purge_$type", $u);
-		$stmt = $pdo->prepare("DELETE FROM users_$type WHERE users_id='{$u['id']}'");
-		$stmt->execute();
+		$stmt = $pdo->prepare("DELETE FROM users_$type WHERE users_id=?");
+		$stmt->execute([$u['id']]);
 	} else {
 		/* Delete the whole user */
 		foreach ($u['types'] as $t) {
 			call_user_func("user_delete_$t", $u);
 			//			call_user_func("user_purge_$t", $u);
-			$stmt = $pdo->prepare("DELETE FROM users_$t WHERE users_id='{$u['id']}'");
-			$stmt->execute();
+			$stmt = $pdo->prepare("DELETE FROM users_$t WHERE users_id=?");
+			$stmt->execute([$u['id']]);
 		}
 		$finish_purge = true;
 	}
 	if ($finish_purge == true) {
-		$stmt = $pdo->prepare("DELETE FROM users WHERE id='{$u['id']}'");
-		$stmt->execute();
+		$stmt = $pdo->prepare("DELETE FROM users WHERE id=?");
+		$stmt->execute([$u['id']]);
 	}
 }
 
@@ -716,9 +716,9 @@ function user_dupe_row($table, $key, $val, $newval)
 	$keys = '`' . join('`,`', array_keys($i)) . '`';
 	$vals = join(',', array_values($i));
 
-	$q = "INSERT INTO $table ($keys) VALUES ($vals)";
+	$q = "INSERT INTO $table (?) VALUES (?)";
 	$r = $pdo->prepare($q);
-	$r->execute();
+	$r->execute([$keys,$vals]);
 	show_pdo_errors_if_any($pdo);
 
 	$id = $pdo->lastInsertId();
@@ -740,9 +740,9 @@ function user_dupe($u, $new_year)
 	 */
 
 	/* Find the last entry */
-	$q = $pdo->prepare("SELECT id,uid,year,deleted FROM users WHERE uid='{$u['uid']}'
+	$q = $pdo->prepare("SELECT id,uid,year,deleted FROM users WHERE uid=?
 				ORDER BY year DESC LIMIT 1");
-	$q->execute();
+	$q->execute([$u['uid']]);
 	$r = $q->fetch(PDO::FETCH_OBJ);
 
 	if ($r->deleted == 'yes') {
@@ -757,8 +757,8 @@ function user_dupe($u, $new_year)
 
 	$id = user_dupe_row('users', 'id', $u['id'], NULL);
 
-	$q = $pdo->prepare("UPDATE users SET year = $new_year WHERE id = $id");
-	$q->execute();
+	$q = $pdo->prepare("UPDATE users SET year =? WHERE id =?");
+	$q->execute([$new_year, $id]);
 	/* Load the new user */
 	$u2 = user_load($id);
 
@@ -808,26 +808,26 @@ function user_create($type, $username, $u = NULL)
 	global $pdo;
 	if (!is_array($u)) {
 		$stmt = $pdo->prepare("INSERT INTO users (`types`,`username`,`passwordset`,`created`,`year`,`deleted`) 
-			VALUES ('$type','$username','0000-00-00', NOW(), '{$config['FAIRYEAR']}','no')");
-		$stmt->execute();
+			VALUES (?,?,'0000-00-00', NOW(),?,'no')");
+		$stmt->execute([$type,$username,$config['FAIRYEAR']]);
 		show_pdo_errors_if_any($pdo);
 		$uid = $pdo->lastInsertId();
 
 		if (user_valid_email($username)) {
-			$stmt = $pdo->prepare("UPDATE users SET email='$username' WHERE id='$uid'");
-			$stmt->execute();
+			$stmt = $pdo->prepare("UPDATE users SET email=? WHERE id=?");
+			$stmt->execute([$username,$uid]);
 		}
 		
-		$stmt = $pdo->prepare("UPDATE users SET uid='$uid' WHERE id='$uid'");
-		$stmt->execute();
+		$stmt = $pdo->prepare("UPDATE users SET uid=? WHERE id=?");
+		$stmt->execute([$uid,$uid]);
 		show_pdo_errors_if_any($pdo);
 
 		/*
 		 * Since the user already has a type, user_save won't create this
 		 * entry for us, so do it here
 		 */
-		$stmt = $pdo->prepare("INSERT INTO users_$type (users_id) VALUES('$uid')");
-		$stmt->execute();
+		$stmt = $pdo->prepare("INSERT INTO users_? (users_id) VALUES(?)");
+		$stmt->execute([$type, $uid]);
 		show_pdo_errors_if_any($pdo);
 		/* Load the complete user */
 		$u = user_load($uid);
diff --git a/user_invite.php b/user_invite.php
index d4c0c68f..4a33f6db 100644
--- a/user_invite.php
+++ b/user_invite.php
@@ -47,8 +47,8 @@ if (intval(get_value_from_array($_GET, 'ajax')) == 1) {
 		exit;
 	}
 
-	$q = $pdo->prepare("SELECT id FROM users WHERE email='$email' ORDER BY year DESC");
-	$q->execute();
+	$q = $pdo->prepare("SELECT id FROM users WHERE email=? ORDER BY year DESC");
+	$q->execute([$email]);
 	if ($q->rowCount() == 0) {
 		/* User doesn't exist */
 		echo "notexist\n";
@@ -182,8 +182,8 @@ if (get_value_from_array($_POST, 'action', '') && get_value_from_array($_POST, '
 	if (!in_array($action, $allowed_actions))
 		exit;
 
-	$q = $pdo->prepare("SELECT id FROM users WHERE email='$email' ORDER BY year DESC");
-	$q->execute();
+	$q = $pdo->prepare("SELECT id FROM users WHERE email=? ORDER BY year DESC");
+	$q->execute([$email]);
 	if ($q->rowCount() > 0) {
 		$u = $q->fetch(PDO::FETCH_ASSOC);
 		$u = user_load($u['id']);
diff --git a/user_new.php b/user_new.php
index 4617c18e..07a9e979 100644
--- a/user_new.php
+++ b/user_new.php
@@ -136,8 +136,8 @@ switch ($action) {
 			$types = explode(',', $r->types);
 
 			if ($r->year == $config['FAIRYEAR'] && $r->deleted == 'yes') {
-				$stmt = $pdo->prepare("UPDATE users SET deleted='no' WHERE id='$r->id'");
-				$stmt->execute();
+				$stmt = $pdo->prepare("UPDATE users SET deleted='no' WHERE id=?");
+				$stmt->execute([$r->id]);
 				message_push(happy(i18n('Your account has been undeleted')));
 				message_push(notice(i18n("Use the 'recover password' option on the %1 {$user_what[$type]} login page %2 if you have forgotten your password",
 					array("<a href=\"user_login.php?type=$type\">", '</a>'))));
diff --git a/user_personal.php b/user_personal.php
index 86491ded..7f219546 100644
--- a/user_personal.php
+++ b/user_personal.php
@@ -147,8 +147,8 @@ switch (get_value_from_array($_GET, 'action')) {
 
 		/* Check for an email collision */
 		$em = stripslashes($_POST['email']);
-		$q = $pdo->prepare("SELECT *,max(year) FROM users WHERE email='$em' HAVING uid!='{$u['uid']}' AND deleted='no' ");
-		$q->execute();
+		$q = $pdo->prepare("SELECT *,max(year) FROM users WHERE email=? HAVING uid!=? AND deleted='no' ");
+		$q->execute([$em,$u['uid']]);
 		if ($q->rowCount() > 0) {
 			error_('That email address is in use by another user');
 			echo 'email error';
diff --git a/volunteer.inc.php b/volunteer.inc.php
index 28406591..fdddf303 100644
--- a/volunteer.inc.php
+++ b/volunteer.inc.php
@@ -29,10 +29,10 @@ function volunteer_status_position($u)
 {
 	global $config, $pdo;
 	/* See if they have selected something */
-	$q = "SELECT * FROM volunteer_positions_signup WHERE users_id='{$u['id']}' 
-			AND year='{$config['FAIRYEAR']}'";
+	$q = "SELECT * FROM volunteer_positions_signup WHERE users_id=? 
+			AND year=?";
 	$r = $pdo->prepare($q);
-	$r->execute();
+	$r->execute([$u['id'],$config['FAIRYEAR']]);
 	if ($r->rowCount() >= 1) {
 		return 'complete';
 	}
diff --git a/volunteer_position.php b/volunteer_position.php
index fc5576a4..6e2354a3 100644
--- a/volunteer_position.php
+++ b/volunteer_position.php
@@ -42,9 +42,9 @@ if ($_POST['action'] == 'save') {
 	if (is_array($_POST['posn'])) {
 		/* Load available IDs */
 		$posns = array();
-		$q = "SELECT * FROM volunteer_positions WHERE year='{$config['FAIRYEAR']}'";
+		$q = "SELECT * FROM volunteer_positions WHERE year=?";
 		$r = $pdo->prepare($q);
-		$r->execute();
+		$r->execute([$config['FAIRYEAR']]);
 		while ($p = $r->fetch(PDO::FETCH_OBJ)) {
 			$posns[] = $p->id;
 		}
@@ -63,17 +63,17 @@ if ($_POST['action'] == 'save') {
 	/* Delete existing selections */
 	$stmt = $pdo->prepare("DELETE FROM volunteer_positions_signup 
 			WHERE 
-				users_id='{$u['id']}' 
-				AND year='{$config['FAIRYEAR']}' ");
-	$stmt->execute();
+				users_id=? 
+				AND year=?");
+	$stmt->execute([$u['id'],$config['FAIRYEAR']]);
 	show_pdo_errors_if_any($pdo);
 
 	/* Add new selections if there are any */
 	if ($vals != '') {
 		$q = "INSERT INTO volunteer_positions_signup (users_id, volunteer_positions_id,year) 
-				VALUES $vals";
+				VALUES ?";
 		$r = $po->prepare($q);
-		$r->execute();
+		$r->execute([$vals]);
 		show_pdo_errors_if_any($pdo);
 	}
 
@@ -109,11 +109,9 @@ echo "<input type=\"hidden\" name=\"action\" value=\"save\" />\n";
 echo "<table>\n";
 
 /* Read current selections */
-$q = "SELECT * FROM volunteer_positions_signup WHERE
- \t\tusers_id = '{$u['id']}' 
- \t\tAND year='{$config['FAIRYEAR']}'";
+$q = "SELECT * FROM volunteer_positions_signup WHERE users_id =? AND year=?";
 $r = $pdo->prepare($q);
-$r->execute();
+$r->execute([$u['id'],$config['FAIRYEAR']]);
 $checked_positions = array();
 while ($p = $r->fetch(PDO::FETCH_OBJ)) {
 	$checked_positions[] = $p->volunteer_positions_id;
@@ -121,9 +119,9 @@ while ($p = $r->fetch(PDO::FETCH_OBJ)) {
 
 /* Load available volunteer positions */
 $q = "SELECT *,UNIX_TIMESTAMP(start) as ustart, UNIX_TIMESTAMP(end) as uend
- \t\t\tFROM volunteer_positions WHERE year='{$config['FAIRYEAR']}'";
+ \t\t\tFROM volunteer_positions WHERE year=?";
 $r = $pdo->prepare($q);
-$r->execute();
+$r->execute([$config['FAIRYEAR']]);
 while ($p = $r->fetch(PDO::FETCH_OBJ)) {
 	echo '<tr><td>';
 
diff --git a/winners.php b/winners.php
index 2bb737f2..54695193 100644
--- a/winners.php
+++ b/winners.php
@@ -53,8 +53,8 @@ if (get_value_from_array($_GET, 'year') && get_value_from_array($_GET, 'type'))
 	// first, lets make sure someone isnt tryint to see something that they arent allowed to!
 	// but only if the year they want is the FAIRYEAR.  If they want a past year, thats cool
 	if ($_GET['year'] >= $config['FAIRYEAR']) {
-		$q = $pdo->prepare("SELECT (NOW()>'" . $config['dates']['postwinners'] . "') AS test");
-		$q->execute();
+		$q = $pdo->prepare("SELECT (NOW()>?) AS test");
+		$q->execute([$config['dates']['postwinners']]);
 		$r = $q->fetch(PDO::FETCH_OBJ);
 		if ($r->test != 1) {
 			echo error(i18n('Crystal ball says future is very hard to see!'));
@@ -72,14 +72,14 @@ if (get_value_from_array($_GET, 'year') && get_value_from_array($_GET, 'type'))
 					award_awards,
 					award_types
 				WHERE 
-						award_awards.year='$year'
+						award_awards.year=?
 					AND\taward_awards.award_types_id=award_types.id
-					AND\taward_types.type='$type'
-					AND\taward_types.year='$year'
+					AND\taward_types.type=?
+					AND\taward_types.year=?
 				ORDER BY 
 					awards_order");
 
-		$q->execute();
+		$q->execute([$year,$type,$year]);
 		show_pdo_errors_if_any($pdo);
 
 		if ($q->rowCount()) {
@@ -101,11 +101,11 @@ if (get_value_from_array($_GET, 'year') && get_value_from_array($_GET, 'type'))
 							LEFT JOIN winners ON winners.awards_prizes_id=award_prizes.id
 							LEFT JOIN projects ON projects.id=winners.projects_id
 						WHERE 
-							award_awards_id='$r->id' 
-							AND award_prizes.year='$year'
+							award_awards_id=? 
+							AND award_prizes.year=?
 						ORDER BY 
 							`order`");
-				$pq->execute();
+				$pq->execute([$r->id,$year]);
 				show_pdo_errors_if_any($pdo);
 				$awarded_count = 0;
 				if ($show_unawarded_awards == 'no') {
@@ -161,10 +161,10 @@ if (get_value_from_array($_GET, 'year') && get_value_from_array($_GET, 'type'))
 									students,
 									schools
 								WHERE
-									students.registrations_id='$pr->reg_id'
+									students.registrations_id=?
 									AND students.schools_id=schools.id
 								");
-						$sq->execute();
+						$sq->execute([$pr->reg_id]);
 
 						$studnum = 0;
 						$students = '';
@@ -262,11 +262,11 @@ if (get_value_from_array($_GET, 'year') && get_value_from_array($_GET, 'type'))
 						award_awards.award_types_id=award_types.id
 						AND winners.awards_prizes_id=award_prizes.id
 						AND award_prizes.award_awards_id=award_awards.id
-						AND winners.year='$r->year'
+						AND winners.year=?
 					ORDER BY
 						award_types.order
 					");
-			$tq->execute();
+			$tq->execute([$r->year]);
 			$errorInfo = $pdo->errorInfo();
 			if ($errorInfo[0] != '00000') {
 				// If there's an error (the SQLSTATE isn't '00000', which means no error)