diff --git a/content/konto/refdetails.php b/content/konto/refdetails.php
index 7dd634da11347ce8370b90ff0a23f2f06edda7e4..fd63c23614daf0a1ee1b1dd00d09a84682eda34d 100644
--- a/content/konto/refdetails.php
+++ b/content/konto/refdetails.php
@@ -23,11 +23,14 @@ $sql = sql::$db->prepare("UPDATE "._VMS_."_werberdaten SET
 $sql->execute(array( $_POST['refback'], $_GET['ruid'], $_SESSION['uid'] ));
 }
 
-$ref_check = sql::$db->query("SELECT w.uid,w.umsatz,w.reset,w.resetzeit,w.gesamt,w.refback,w.aktivzeit,w.zuordnungszeit,k.loginzeit,u.nickname FROM
+$ref_check = sql::$db->prepare("SELECT w.uid,w.umsatz,w.reset,w.resetzeit,w.gesamt,w.refback,w.aktivzeit,w.zuordnungszeit,k.loginzeit,u.nickname FROM
                               "._VMS_."_werberdaten w
                               LEFT JOIN "._VMS_."_kontodaten k ON k.uid = w.uid
                               LEFT JOIN "._VMS_."_userdaten u ON u.uid = k.uid
-WHERE w.uid=".$_GET['ruid']." and w.werber=".$_SESSION['uid']." LIMIT 1");
+WHERE w.uid=:ruid and w.werber=:session_uid LIMIT 1");
+$ref_check -> bindParam(':ruid', $_GET['ruid'], PDO::PARAM_INT);
+$ref_check -> bindParam(':session_uid', $_SESSION['uid'], PDO::PARAM_INT);
+$ref_check -> execute();
 
 if (!$ref_check->rowCount() ) {
 @include_once('content/error/kein_ref.php');
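Review bot: `$_GET['ruid']` is bound at `bindParam(':ruid', $_GET['ruid'], PDO::PARAM_INT)` without ever being validated as an integer, so a missing or non-numeric value is only coerced at execute time (to null or 0) and falls through to the "no referral" branch instead of being rejected up front; because `bindParam` binds by reference, the coercion may even be applied to the superglobal itself depending on the driver, which is hard to reason about. Validate once and bind the validated copy: `$ruid = filter_input(INPUT_GET, 'ruid', FILTER_VALIDATE_INT);`, route `false`/`null` to the same kein_ref error path the `rowCount()` check already uses, then `$ref_check->bindValue(':ruid', $ruid, PDO::PARAM_INT);` — `bindValue` fits since nothing changes between binding and `execute()`. The same applies to the `:ruid` bindings in the second hunk. The existing `$sql->execute(...)` line writes `->` without surrounding spaces; the new `$ref_check -> bindParam(...)` lines should follow that. The `if` block that closes right after the hunk header begins outside the hunk.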
@@ -42,15 +45,21 @@ if ($refuser['aktivzeit'] < (time()-(86400*7))) $refstatus = '<img src="./images
 if ($refuser['aktivzeit'] <= (time()-(86400*30))) $refstatus = '<img src="./images/rot.gif" width="15" height="15" border="0" alt="'.date("d.m.y - H:i",$refuser['aktivzeit']).'" align="absmiddle"> &raquo; User seit 30 tagen inaktiv';
 
 
-$refebene_1 = sql::$db->query("SELECT uid FROM "._VMS_."_werberdaten WHERE werber='".$_GET['ruid']."'");
+$refebene_1 = sql::$db->prepare("SELECT uid FROM "._VMS_."_werberdaten WHERE werber=:ruid");
+$refebene_1 -> bindParam(':ruid', $_GET['ruid'], PDO::PARAM_INT);
+$refebene_1 -> execute();
 while ($anzeigen_1 = $refebene_1->fetch() ) {
 $ebene2++;
 }
 
 if ($ebene2 > 0){
-   $refebene_1 = sql::$db->query ("SELECT uid FROM "._VMS_."_werberdaten WHERE werber='".$_GET['ruid']."'");
-   while ($anzeigen_1 = $refebene_1->fetch() ) {
-   	$refebene_2 = sql::$db->query ("SELECT * FROM "._VMS_."_werberdaten WHERE werber='".$anzeigen_1['uid']."' ORDER BY uid ASC");
+    $refebene_1 = sql::$db->prepare("SELECT uid FROM "._VMS_."_werberdaten WHERE werber=:ruid");
+    $refebene_1 -> bindParam(':ruid', $_GET['ruid'], PDO::PARAM_INT);
+    $refebene_1 -> execute();
+    while ($anzeigen_1 = $refebene_1->fetch() ) {
+   	$refebene_2 = sql::$db->prepare ("SELECT * FROM "._VMS_."_werberdaten WHERE werber=:uid ORDER BY uid ASC");
+   	$refebene_2 -> bindParam(':uid', $anzeigen_1['uid'], PDO::PARAM_INT);
+   	$refebene_2 -> execute();
 	while ($anzeigen_2 = $refebene_2->fetch() ) {
 	$ebene3++;
 	}
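Review bot: `$refebene_2` is prepared again on every iteration of the outer `while ($anzeigen_1 = $refebene_1->fetch())`; move the `sql::$db->prepare("SELECT * FROM "._VMS_."_werberdaten WHERE werber=:uid ORDER BY uid ASC")` line above that loop and keep only `$refebene_2->execute([':uid' => $anzeigen_1['uid']]);` in its body. Binding `$anzeigen_1['uid']` with `bindParam` relies on the reference being re-read each iteration because the array is reassigned; passing the value to `execute()` makes that explicit and avoids a re-prepare per row. Since `$refebene_1` is now a prepared statement anyway, the second prepare/execute of the identical `werber=:ruid` query could be dropped by keeping the first result via `fetchAll()` and deriving `$ebene2` with `count()`. The added lines mix four-space indentation with tabs; the file should settle on one. The outer `while` and the enclosing `if ($ebene2 > 0)` close outside the hunk.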