diff --git a/fair_info.php b/fair_info.php
index 30486d52..90284a63 100644
--- a/fair_info.php
+++ b/fair_info.php
@@ -72,13 +72,13 @@ switch (get_value_from_array($_GET, 'action')) {
 $enable_awards = ($_POST['enable_awards'] == 'yes') ? 'yes' : 'no';
 $enable_winners = ($_POST['enable_winners'] == 'yes') ? 'yes' : 'no';
- $q = $pdo->prepare("UPDATE contacts SET name = $name, abbrv = '$abbrv', url = '$url', website='$website',
- type='$type' , username='$username',
- password='$password',
- enable_stats='$enable_stats',
- enable_awards='$enable_awards',
- enable_winners='$enable_winners' WHERE id = $id");
- $q->execute([$name, $age, $email, $id]);
+ $q = $pdo->prepare("UPDATE contacts SET name =?, abbrv =?, url =?, website=?,
+ type=? , username=?,
+ password=?,
+ enable_stats=?,
+ enable_awards=?,
+ enable_winners=? WHERE id =?");
+ $q->execute([$name, $abbrv, $url, $website, $type, $username, $password, $enable_stats, $enable_awards, $enable_winners, $age, $email, $id]);
 $u['fairs_id'] = $id;
 user_save($u);
@@ -130,8 +130,8 @@ function fairinfo_save() prepare('SELECT * FROM fairs WHERE id=' . $u['fairs_id'] . '');
-$q->execute();
+$q = $pdo->prepare('SELECT * FROM fairs WHERE id=?');
+$q->execute([$u['fairs_id']]);
 if ($q->rowCount() != 0) {
 $f = $q->fetch();
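Review bot: The new `$q->execute([...])` call in the first hunk passes 13 values for the 11 `?` placeholders in the UPDATE — `$age` and `$email` are left over from the old call and sit between `$enable_winners` and `$id`. PDO rejects a bound-value count that does not match the placeholder count (SQLSTATE HY093), so the update fails as written, and even on a driver that tolerated the extra values `$age` would occupy the `WHERE id =?` slot. Drop the two stray values: `$q->execute([$name, $abbrv, $url, $website, $type, $username, $password, $enable_stats, $enable_awards, $enable_winners, $id]);`. Separately, `password=?` stores whatever `$password` holds and its origin is outside the hunk, so confirm it is a `password_hash()` output rather than the raw form value before it reaches the row. The enclosing switch case begins and ends outside the hunk.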