diff --git a/modules/PriceBooks/PriceBooks.php b/modules/PriceBooks/PriceBooks.php
index 725c35611df5760e7ef36ca88ae772e5cb3361b4..916a3dc2e84dc4c7ca91e7ae0961201627033dd9 100755
--- a/modules/PriceBooks/PriceBooks.php
+++ b/modules/PriceBooks/PriceBooks.php
@@ -346,14 +346,16 @@ class PriceBooks extends CRMEntity {
 		$focus = CRMEntity::getInstance($moduleName);
         $moduleSubject = 'bookname';
 
-		$tableName = Import_Utils_Helper::getDbTableName($obj->user);
-		$sql = 'SELECT * FROM ' . $tableName . ' WHERE status = '. Import_Data_Action::$IMPORT_RECORD_NONE .' GROUP BY '. $moduleSubject;
-
+        $params = array();
+		$tableName = Vtiger_Util_Helper::validateStringForSql(Import_Utils_Helper::getDbTableName($obj->user));
+		$sql = 'SELECT * FROM ' . $tableName . ' WHERE status = ? GROUP BY ?';
+        array_push($params, Import_Data_Action::$IMPORT_RECORD_NONE);
+        array_push($params, $moduleSubject);
 		if($obj->batchImport) {
 			$importBatchLimit = getImportBatchLimit();
 			$sql .= ' LIMIT '. $importBatchLimit;
 		}
-		$result = $adb->query($sql);
+		$result = $adb->pquery($sql, $params);
 		$numberOfRecords = $adb->num_rows($result);
 
 		if ($numberOfRecords <= 0) {
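Review bot: `GROUP BY ?` on the new `$sql` line binds `$moduleSubject` as a string value, so the database groups by the constant `'bookname'` rather than by the `bookname` column; with a constant grouping key every pending row presumably collapses into one group and the per-subject loop below sees a single subject. A placeholder can stand in for a value, never for an identifier, and since `$moduleSubject` is the fixed literal assigned two lines above, concatenate it and bind only the status: `$sql = 'SELECT * FROM ' . $tableName . ' WHERE status = ? GROUP BY ' . $moduleSubject;` with `$params = array(Import_Data_Action::$IMPORT_RECORD_NONE);`. The same identifier-versus-value distinction is why `$tableName` is wrapped in `validateStringForSql` rather than bound. The enclosing method starts before and continues after this hunk.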
@@ -370,8 +372,11 @@ class PriceBooks extends CRMEntity {
 			$fieldData = array();
 			$subject = str_replace("\\", "\\\\", $subject);
 			$subject = str_replace('"', '""', $subject);
-			$sql = 'SELECT * FROM ' . $tableName . ' WHERE status = '. Import_Data_Action::$IMPORT_RECORD_NONE .' AND '. $moduleSubject . ' = "'. $subject .'"';
-			$subjectResult = $adb->query($sql);
+            $params = array();
+			$sql = 'SELECT * FROM ' . $tableName . ' WHERE status = ? AND '. $moduleSubject . ' = ? ';
+            array_push($params, Import_Data_Action::$IMPORT_RECORD_NONE);
+            array_push($params, $subject);
+			$subjectResult = $adb->pquery($sql, $params);
 			$count = $adb->num_rows($subjectResult);
 			$subjectRowIDs = $fieldArray = $productList = array();
 			for ($j = 0; $j < $count; ++$j) {
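Review bot: The backslash and double-quote doubling on the two `str_replace` lines above the new query was escaping for the old quoted literal; now that `$subject` is passed through `pquery`, the driver quotes it, so the pre-escaped value no longer matches a stored subject containing `"` or `\`. Drop both `str_replace` lines (or bind the unescaped subject) so the bound parameter is the raw value. `$moduleSubject` is still concatenated here as a column name, which is the correct treatment for an identifier. The enclosing loop and method continue outside this hunk.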
diff --git a/modules/Reports/ReportRun.php b/modules/Reports/ReportRun.php
index 617ec6ba55daa40109d76f160164342ef131f4cf..bd5a37bd9be7bcd627fed3c0d90b7ea1ac1952c8 100644
--- a/modules/Reports/ReportRun.php
+++ b/modules/Reports/ReportRun.php
@@ -4173,7 +4173,7 @@ class ReportRun extends CRMEntity {
 				$mulsel = "select distinct $fieldname from vtiger_$fieldname inner join vtiger_role2picklist on vtiger_role2picklist.picklistvalueid = vtiger_$fieldname.picklist_valueid where roleid ='" . $roleid . "' and picklistid in (select picklistid from vtiger_$fieldname)"; // order by sortid asc - not requried
 			}
 			if ($fieldname != 'firstname')
-				$mulselresult = $adb->query($mulsel);
+				$mulselresult = $adb->pquery($mulsel, array());
 			for ($j = 0; $j < $adb->num_rows($mulselresult); $j++) {
 				$fldvalue = $adb->query_result($mulselresult, $j, $fieldname);
 				if (in_array($fldvalue, $fieldvalues))
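Review bot: Switching to `pquery($mulsel, array())` with an empty parameter list leaves the query as exposed as before: the `$mulsel` string on the first context line still splices `$roleid` into a quoted literal. Bind it instead, `where roleid = ?` in the string and `$mulselresult = $adb->pquery($mulsel, array($roleid));`, and do the same in whichever other branches assign `$mulsel` above this hunk, which are not visible here. `$fieldname` is used as both a table suffix and a column name, so it cannot be bound; it should be checked against the known picklist field names before it reaches the query. The enclosing method starts and ends outside this hunk.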
diff --git a/modules/Reports/models/Folder.php b/modules/Reports/models/Folder.php
index 6c3c4c5a47ee2633f2501a52dd060c72c8e33e0c..f153789b262ecd202e9cbe57945e8beb9e715ba7 100644
--- a/modules/Reports/models/Folder.php
+++ b/modules/Reports/models/Folder.php
@@ -299,7 +299,8 @@ class Reports_Folder_Model extends Vtiger_Base_Model {
 		//End
 		$sql = "SELECT count(*) AS count FROM vtiger_report
 				INNER JOIN vtiger_reportfolder ON vtiger_reportfolder.folderid = vtiger_report.folderid AND 
-				vtiger_report.reportid in (".implode(',',$allowedReportIds).")";
+				vtiger_report.reportid in (". generateQuestionMarks($allowedReportIds).")";
+        array_push($params, $allowedReportIds);
 		$fldrId = $this->getId();
 		if($fldrId == 'All') {
 			$fldrId = false;
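Review bot: `array_push($params, $allowedReportIds)` appends the whole id array as a single element, while `generateQuestionMarks($allowedReportIds)` emits one placeholder per id, so unless `pquery` flattens nested parameter arrays the placeholder and parameter counts are out of step. Spread the ids explicitly so the intent does not depend on driver behaviour: `$params = array_merge($params, $allowedReportIds);`. `$params` must already be initialised before this hunk, which is not visible here, and an empty `$allowedReportIds` still yields `in ()`, a syntax error the old `implode` form also had, so the empty case needs a guard before the query is built. The enclosing method continues outside this hunk.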
diff --git a/modules/Rss/models/Module.php b/modules/Rss/models/Module.php
index 83d8717160b2d8dbb1f8fdbc4bfb5bfb1287ba90..9d96b95ec56fbb4ac2f30eef76d5e9a9ee68586a 100644
--- a/modules/Rss/models/Module.php
+++ b/modules/Rss/models/Module.php
@@ -51,7 +51,7 @@ class Rss_Module_Model extends Vtiger_Module_Model {
     public function getRssSources() { 
         $db = PearDatabase::getInstance();
         
-        $sql = 'Select *from vtiger_rss';
+        $sql = 'Select * from vtiger_rss';
         $result = $db->pquery($sql, array());
         $noOfRows = $db->num_rows($result);
 
diff --git a/modules/Users/Users.php b/modules/Users/Users.php
index b8c183aa402ddfa8125627c5a15aa6afb7898c19..7488c9d125aeec9675d9fdaccd06ad2d35220d22 100755
--- a/modules/Users/Users.php
+++ b/modules/Users/Users.php
@@ -1316,13 +1316,13 @@ class Users extends CRMEntity {
 				 if($_REQUEST[$this->homeorder_array[$i]] != '')
 				 {
 					$save_array[] = $this->homeorder_array[$i];
-					$qry=" update vtiger_homestuff,vtiger_homedefault set vtiger_homestuff.visible=0 where vtiger_homestuff.stuffid=vtiger_homedefault.stuffid and vtiger_homestuff.userid=".$id." and vtiger_homedefault.hometype='".$this->homeorder_array[$i]."'";//To show the default Homestuff on the the Home Page
-					$result=$adb->pquery($qry, array());
+					$qry=" update vtiger_homestuff,vtiger_homedefault set vtiger_homestuff.visible=0 where vtiger_homestuff.stuffid=vtiger_homedefault.stuffid and vtiger_homestuff.userid=? and vtiger_homedefault.hometype=?";//To show the default Homestuff on the the Home Page
+					$result=$adb->pquery($qry, array($id, $this->homeorder_array[$i]));
 				}
 				 else
 				 {
-					$qry="update vtiger_homestuff,vtiger_homedefault set vtiger_homestuff.visible=1 where vtiger_homestuff.stuffid=vtiger_homedefault.stuffid and vtiger_homestuff.userid=".$id." and vtiger_homedefault.hometype='".$this->homeorder_array[$i]."'";//To hide the default Homestuff on the the Home Page
-					$result=$adb->pquery($qry, array());
+					$qry="update vtiger_homestuff,vtiger_homedefault set vtiger_homestuff.visible=1 where vtiger_homestuff.stuffid=vtiger_homedefault.stuffid and vtiger_homestuff.userid=? and vtiger_homedefault.hometype=?";//To hide the default Homestuff on the the Home Page
+					$result=$adb->pquery($qry, array($id, $this->homeorder_array[$i]));
 				}
 			}
 			if($save_array !="")
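Review bot: The two branches differ only in the `visible` value written, so the new parameterised query is now duplicated verbatim; compute the flag once and issue a single statement, e.g. `$visible = ($_REQUEST[$this->homeorder_array[$i]] != '') ? 0 : 1;` followed by one `$qry` using `set vtiger_homestuff.visible=?` and `$adb->pquery($qry, array($visible, $id, $this->homeorder_array[$i]))`, keeping the `$save_array[]` append under the first condition. The trailing comments read "on the the", and their show/hide wording looks reversed relative to `visible=0`/`visible=1`; worth confirming which meaning the column carries before the comment is copied further. The enclosing loop and method start and end outside this hunk.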
@@ -1690,9 +1690,9 @@ class Users extends CRMEntity {
 		$moduleName = $obj->module;
 		$createdRecords = array();
 
-		$tableName = Import_Utils_Helper::getDbTableName($obj->user);
-		$sql = 'SELECT * FROM '.$tableName.' WHERE status = '.Import_Data_Action::$IMPORT_RECORD_NONE;
-		$result = $adb->query($sql);
+		$tableName = Vtiger_Util_Helper::validateStringForSql(Import_Utils_Helper::getDbTableName($obj->user));
+		$sql = 'SELECT * FROM '.$tableName.' WHERE status = ?';
+		$result = $adb->pquery($sql, array(Import_Data_Action::$IMPORT_RECORD_NONE));
 		$numberOfRecords = $adb->num_rows($result);
 		if($numberOfRecords <= 0) {
 			return;
diff --git a/modules/Users/views/Import.php b/modules/Users/views/Import.php
index 55a715cdcafb9a12b2bb1b18efc3a79fdfbd94f3..8da395dd48ece8b8ef692e897d92d43acdb4fdf5 100644
--- a/modules/Users/views/Import.php
+++ b/modules/Users/views/Import.php
@@ -44,7 +44,7 @@ class Users_Import_View extends Vtiger_Import_View {
             $moduleName = $request->getModule();
 
             $user = Users_Record_Model::getCurrentUserModel();
-            $dbTableName = Import_Utils_Helper::getDbTableName($user);
+            $dbTableName = Vtiger_Util_Helper::validateStringForSql(Import_Utils_Helper::getDbTableName($user));
 
             $query = "SELECT recordid FROM $dbTableName WHERE status = ? AND recordid IS NOT NULL";
             $result = $db->pquery($query, array(Import_Data_Action::$IMPORT_RECORD_CREATED));