--- a/displayContract.php
+++ b/displayContract.php
@@ -2,41 +2,46 @@
 
 include_once("./lib/common.inc.php");
 include_header("Contract");
-$query = sprintf("SELECT *
-FROM `contractnotice`
-WHERE  CNID = '%d'", mysql_real_escape_string($_REQUEST['CNID']));
+$query = 'SELECT *
+FROM contractnotice
+WHERE  "CNID" = :CNID LIMIT 1';
 
-$result = mysql_query($query);
-while ($row = mysql_fetch_array($result, MYSQL_ASSOC)) {
-setlocale(LC_MONETARY, 'en_US');
-foreach (array_filter($row) as $key => $value) {
-	echo "<b>$key</b>&nbsp;";
-switch ($key) {
-case "supplierName":
-case "supplierABN":
-	echo '<a href="displaySupplier.php?supplier='.$row['supplierABN'].'-'.urlencode($row['supplierName']).'">'.$value."</a>";
-	break;
-case "agencyName":
-	echo '<a href="displayAgency.php?agency='.urlencode($value).'">'.$value."</a>";
-	break;
-case "value":
-	echo "$".number_format(doubleval($value),2);
-	break;
-default:
-	echo str_replace("  ","<br>",$value);
+$query = $conn->prepare($query);
+$query->bindParam(":CNID", $_REQUEST['CNID']);
+$query->execute();
+databaseError($conn->errorInfo());
+foreach ($query->fetchAll(PDO::FETCH_ASSOC) as $row) {
+    setlocale(LC_MONETARY, 'en_US');
+    foreach (array_filter($row) as $key => $value) {
+        echo "<b>$key</b>&nbsp;";
+        switch ($key) {
+            case "supplierName":
+            case "supplierABN":
+                echo '<a href="displaySupplier.php?supplier=' . $row['supplierABN'] . '-' . urlencode($row['supplierName']) . '">' . $value . "</a>";
+                break;
+            case "agencyName":
+                echo '<a href="displayAgency.php?agency=' . urlencode($value) . '">' . $value . "</a>";
+                break;
+            case "value":
+                echo "$" . number_format(doubleval($value), 2);
+                break;
+            default:
+                echo str_replace("  ", "<br>", $value);
+        }
+        echo "<br>";
+    }
 }
-echo "<br>";
-}
-}
-echo '<br><a href="https://www.tenders.gov.au/?event=public.advancedsearch.keyword&keyword=CN'.$_REQUEST['CNID'].'"> View original record @ tenders.gov.au</a><br>';
+echo '<br><a href="https://www.tenders.gov.au/?event=public.advancedsearch.keyword&keyword=CN' . $_REQUEST['CNID'] . '"> View original record @ tenders.gov.au</a><br>';
 
-mysql_free_result($result);
 
-$query = "SELECT * FROM `heuristic_results` where CNID = ".$_REQUEST['CNID'];
-$result = mysql_query($query);
-if (!$result) echo mysql_error().$query;
-while ($r = mysql_fetch_array($result, MYSQL_ASSOC)) {
-	echo "<b>{$r['heuristic_name']}</b>: {$r['heuristic_value']} (raw value: {$r['raw_value']}, mean: {$r['mean']}, stddev: {$r['stddev']})<br>";
+$query = 'SELECT * FROM heuristic_results where "CNID" = :CNID';
+$query = $conn->prepare($query);
+$agencyName = $input . '%';
+$query->bindParam(":CNID", $_REQUEST['CNID']);
+$query->execute();
+databaseError($conn->errorInfo());
+foreach ($query->fetchAll() as $r) {
+    echo "<b>{$r['heuristic_name']}</b>: {$r['heuristic_value']} (raw value: {$r['raw_value']}, mean: {$r['mean']}, stddev: {$r['stddev']})<br>";
 }
 
 include_footer();