diff --git a/php/settings-config.inc.php b/php/settings-config.inc.php
new file mode 100644
index 0000000..2712039
--- /dev/null
+++ b/php/settings-config.inc.php
@@ -0,0 +1,14 @@
+<?php
+
+$dbhost = 'localhost'; // database host
+$dbuser = '?'; // database user
+$dbpass = '?'; // database password
+$dbname = '?'; // database name
+$avpos_table='avpos';
+
+$email_to="you@yourmail.com"; // your email (for error reporting)
+$email_from="you@yourhost.com"; // your server's sending email (for error reporting)
+
+$allow_install = false; // enable to allow action=install (clear/format database)
+
+$check_ip = false; // enable to check the sim ip submitting the data is in the allowed range
diff --git a/php/settings.php b/php/settings.php
index 63239cd..7c45a3e 100644
--- a/php/settings.php
+++ b/php/settings.php
@@ -29,24 +29,24 @@ header("Content-Type: text/plain; charset=utf-8");
 error_reporting(E_ERROR | E_WARNING | E_PARSE);
 ini_set('display_errors', '1');
 
-$dbhost = 'localhost'; // database host
-$dbuser = '?'; // database user
-$dbpass = '?'; // database password
-$dbname = '?'; // database name
-$avpos_table='avpos';
-
-$email_to="you@yourmail.com"; // your email (for error reporting)
-$email_from="you@yourhost.com"; // your server's sending email (for error reporting)
-
-$allow_install = false; // enable to allow action=install (clear/format database)
-
-$check_ip = false; // enable to check the sim ip submitting the data is in the allowed range
+require_once("settings-config.inc.php");
 
 $link = mysqli_connect($dbhost, $dbuser, $dbpass, $dbname) or die("Error " . mysqli_error($link));
 
 if (mysqli_connect_errno()) {
     die ("Connect failed: " . mysqli_connect_error());
 }
+// Set the character set for communication with the database
+if (!mysqli_set_charset($link, 'utf8mb4')) {
+    die('Invalid charset: utf8mb4');
+}
+
+// Pre-escape $avpos_table for convenience. That's the only variable
+// that should go directly into a query. All others should go through
+// IntSQL or StrSQL as appropriate.
+$avpos_table = IdentSQL($avpos_table);
+
+undo_magic_quotes($_REQUEST);
 
 if($_REQUEST['action']=="install" && $allow_install==true){
     $sql = "DROP TABLE IF EXISTS $avpos_table;";
@@ -56,11 +56,11 @@ if($_REQUEST['action']=="install" && $allow_install==true){
     `webkey` varchar(36) default NULL,
     `owner_uuid` varchar(36) default NULL,
     `owner_name` varchar(63) default NULL,
-    `text` TEXT default NULL,
+    `text` TEXT CHARSET utf8mb4 default NULL,
     `keep` tinyint(1) default 0,
     `count` int(5) default NULL,
     `ip` varbinary(16) default NULL,
-    `timestamp` timestamp NOT NULL default CURRENT_TIMESTAMP on update CURRENT_TIMESTAMP,
+    `timestamp` datetime NOT NULL,
     PRIMARY KEY  (`id`),
     UNIQUE (`webkey`)
     ) ENGINE=MyISAM  DEFAULT CHARSET=latin1 AUTO_INCREMENT=1;";
@@ -73,40 +73,49 @@ if($_REQUEST['action']=="install" && $allow_install==true){
     }
 }
 else if(isset($_REQUEST['w'])){ // write to a record
-    $given_webkey = mysqli_real_escape_string($link, $_REQUEST['w']);
+    $given_webkey = $_REQUEST['w'];
 
     $ip_address = $_SERVER['REMOTE_ADDR'];
-    $ip_packed = mysqli_real_escape_string($link, inet_pton($ip_address));
+    $ip_packed = inet_pton($ip_address);
 
     if(!isValidGuid($given_webkey)){
         echo "INVALID WEBKEY";
     }
     else{
-        $headers = parse_llHTTPRequest_headers();
-        $owner_key = mysqli_real_escape_string($link, $headers['X-SecondLife-Owner-Key']);
-        $object_name = mysqli_real_escape_string($link, $headers['X-SecondLife-Object-Name']);
-        $owner_name = mysqli_real_escape_string($link, $headers['X-SecondLife-Owner-Name']);
-        $object_key = mysqli_real_escape_string($link, $headers['X-SecondLife-Object-Key']);
-        $region = mysqli_real_escape_string($link, trim(substr($headers['X-SecondLife-Region'],0,strrpos($headers['X-SecondLife-Region'],'('))));
-        $position_array = explode(', ',substr($_SERVER['HTTP_X_SECONDLIFE_LOCAL_POSITION'],1,-1));
-        $slurl = $region . "/" . round($position_array[0]) . "/" . round($position_array[1]) . "/" . round($position_array[2]);
+        $owner_key = $_SERVER['HTTP_X_SECONDLIFE_OWNER_KEY'];
+        //$object_name = $_SERVER['HTTP_X_SECONDLIFE_OBJECT_NAME'];
+        $owner_name = $_SERVER['HTTP_X_SECONDLIFE_OWNER_NAME'];
+        //$object_key = $_SERVER['HTTP_X_SECONDLIFE_OBJECT_KEY'];
+        //$region = trim(substr($_SERVER['HTTP_X_SECONDLIFE_REGION'],0,strrpos($_SERVER['HTTP_X_SECONDLIFE_REGION'],'(')));
+        //$position_array = explode(', ',substr($_SERVER['HTTP_X_SECONDLIFE_LOCAL_POSITION'],1,-1));
+        //$slurl = rawurlencode($region) . "/" . round($position_array[0]) . "/" . round($position_array[1]) . "/" . round($position_array[2]);
 
         if(!isValidGuid($owner_key)){
             echo "INVALID USER";
         }
         else{
             $given_count = intval($_REQUEST['c']);
-            $given_text = mysqli_real_escape_string($link, $_REQUEST['t']);
+            $given_text = $_REQUEST['t'];
 
-            $sql = "SELECT * FROM $avpos_table WHERE webkey = '$given_webkey'";
+            $sql = "SELECT * FROM $avpos_table"
+                . ' WHERE webkey = ' . StrSQL($given_webkey);
 
             $result = mysqli_query($link,$sql) or email_death("ERR01: " . mysqli_error($link));
             if(mysqli_num_rows($result) == 0){ // a new webkey
                 if($given_count == 1){
                     if(!isAllowedIP($ip_address)){
                         $response = "BAD IP";
-                        $sql = "INSERT INTO $avpos_table (owner_uuid,owner_name,webkey,text,count,ip,timestamp)
-                        VALUES ('$owner_key','$owner_name','$given_webkey','The IP address of the sim ($ip_address) was not in the allowed range. Please report the problem if you think this is in error.','10001','$ip_packed',NOW())";
+                        $sql = "INSERT INTO $avpos_table"
+                            . ' (owner_uuid,owner_name,webkey,text,count,ip,timestamp)'
+                            . ' VALUES '
+                            . '(' . StrSQL($owner_key)
+                            . ',' . StrSQL($owner_name)
+                            . ',' . StrSQL($given_webkey)
+                            . ',' . StrSQL("The IP address of the sim ($ip_address) was not in the allowed range. Please report the problem if you think this is in error")
+                            . ',10001'
+                            . ',' . StrSQL($ip_packed)
+                            . ',NOW()'
+                            . ')';
                     }
                     else{
                         $response = "ADDED NEW";
@@ -114,8 +123,17 @@ else if(isset($_REQUEST['w'])){ // write to a record
                             $given_count+=10000;
                             $response = "FINISHING";
                         }
-                        $sql = "INSERT INTO $avpos_table (owner_uuid,owner_name,webkey,text,count,ip,timestamp)
-                        VALUES ('$owner_key','$owner_name','$given_webkey','$given_text','$given_count','$ip_packed',NOW())";
+                        $sql = "INSERT INTO $avpos_table"
+                            . ' (owner_uuid,owner_name,webkey,text,count,ip,timestamp)'
+                            . ' VALUES '
+                            . '(' . StrSQL($owner_key)
+                            . ',' . StrSQL($owner_name)
+                            . ',' . StrSQL($given_webkey)
+                            . ',' . StrSQL($given_text)
+                            . ',' . IntSQL($given_count)
+                            . ',' . StrSQL($ip_packed)
+                            . ',NOW()'
+                            . ')';
                     }
                     $result = mysqli_query($link,$sql) or email_death("ERR02: " . mysqli_error($link));
                 }
@@ -129,7 +147,7 @@ else if(isset($_REQUEST['w'])){ // write to a record
                 }
                 else{
                     $row = mysqli_fetch_assoc($result);
-                    $newtext = mysqli_real_escape_string($link,$row['text']) . $given_text;
+                    $newtext = $row['text'] . $given_text;
                     if($row['count']+1 == $given_count){
                         $response = "ADDING";
 
@@ -138,11 +156,11 @@ else if(isset($_REQUEST['w'])){ // write to a record
                             $response = "FINISHING";
                         }
 
-                        $sql = "UPDATE $avpos_table SET
-                        text = '$newtext',
-                        count = '$given_count',
-                        timestamp = NOW()
-                        WHERE webkey = '$given_webkey'";
+                        $sql = "UPDATE $avpos_table"
+                        . ' SET text = ' . StrSQL($newtext)
+                        .    ', count = ' . IntSQL($given_count)
+                        .    ', timestamp = NOW()'
+                        . ' WHERE webkey = ' . StrSQL($given_webkey);
                         $result = mysqli_query($link,$sql) or email_death("ERR03: " . mysqli_error($link));
 
                     }
@@ -157,8 +175,9 @@ else if(isset($_REQUEST['w'])){ // write to a record
 }
 else if(isset($_REQUEST['q'])){ // read a record
 
-    $given_webkey = mysqli_real_escape_string($link, $_REQUEST['q']);
-    $sql = "SELECT * FROM $avpos_table WHERE webkey = '$given_webkey'";
+    $given_webkey = $_REQUEST['q'];
+    $sql = "SELECT * FROM $avpos_table"
+        . ' WHERE webkey = ' . StrSQL($given_webkey);
 
     $result = mysqli_query($link,$sql) or email_death("ERR04: " . mysqli_error($link));
     if(mysqli_num_rows($result) == 0){
@@ -170,14 +189,16 @@ else if(isset($_REQUEST['q'])){ // read a record
             $out.= $row['text'];
 
             if(1==2){ // switch on to 'keep' any record that ever was accessed
-                $sql = "UPDATE $avpos_table SET
-                keep = '1'
-                WHERE webkey = '$given_webkey'";
+                $sql = "UPDATE $avpos_table"
+                    . ' SET keep = 1'
+                    . ' WHERE webkey = ' . StrSQL($given_webkey);
                 $result = mysqli_query($link,$sql) or email_death("ERR05: " . mysqli_error($link));
             }
 
             // delete all entries older than 10 minutes that are not flagged keep
-            $sql = "DELETE FROM $avpos_table WHERE timestamp < DATE_SUB(NOW(), INTERVAL 10 MINUTE) AND keep = '0'";
+            $sql = "DELETE FROM $avpos_table"
+                . ' WHERE timestamp < DATE_SUB(NOW(), INTERVAL 10 MINUTE)'
+                .   ' AND keep = 0';
             $result = mysqli_query($link,$sql) or email_death("ERR06: " . mysqli_error($link));
 
         }
@@ -187,43 +208,47 @@ else if(isset($_REQUEST['q'])){ // read a record
     }
     echo $out;
 }
+else{
+    header('HTTP/1.0 400 Bad Request');
+    die("400 Bad Request: No valid action specified.");
+}
 
-function parse_llHTTPRequest_headers(){
-    $position_array = explode(', ',substr($_SERVER['HTTP_X_SECONDLIFE_LOCAL_POSITION'],1,-1));
-    $rotation_array = explode(', ',substr($_SERVER['HTTP_X_SECONDLIFE_LOCAL_ROTATION'],1,-1));
-    $velocity_array = explode(', ',substr($_SERVER['HTTP_X_SECONDLIFE_LOCAL_VELOCITY'],1,-1));
-    list($global_x,$global_y) = explode(',',trim(substr($_SERVER['HTTP_X_SECONDLIFE_REGION'],$position_of_left_bracket + 1,-1)));
-    $region_array = array($region_name,(integer)$global_x,(integer)$global_y);
-    $headers = array('Accept'=>$_SERVER['HTTP_ACCEPT'],
-            'User-Agent'=>$_SERVER['HTTP_USER_AGENT'],
-            'X-SecondLife-Shard'=>$_SERVER['HTTP_X_SECONDLIFE_SHARD'],
-            'X-SecondLife-Object-Name'=>$_SERVER['HTTP_X_SECONDLIFE_OBJECT_NAME'],
-            'X-SecondLife-Object-Key'=>$_SERVER['HTTP_X_SECONDLIFE_OBJECT_KEY'],
-            'X-SecondLife-Region'=>$_SERVER['HTTP_X_SECONDLIFE_REGION'],
-            'X-SecondLife-Region-Array'=> $region_array,
-            'X-SecondLife-Local-Position'=>array(   'x'=>(float)$position_array[0],'y'=>(float)$position_array[1],'z'=>(float)$position_array[2]),
-            'X-SecondLife-Local-Rotation'=>array(   'x'=>(float)$rotation_array[0],'y'=>(float)$rotation_array[1],'z'=>(float)$rotation_array[2],'w'=>(float)$rotation_array[3]),
-            'X-SecondLife-Local-Velocity'=>array(   'x'=>(float)$velocity_array[0],'y'=>(float)$velocity_array[1],'z'=>(float)$velocity_array[2]),
-            'X-SecondLife-Owner-Name'=>$_SERVER['HTTP_X_SECONDLIFE_OWNER_NAME'],
-            'X-SecondLife-Owner-Key'=>$_SERVER['HTTP_X_SECONDLIFE_OWNER_KEY']
-    );
-    if(!strstr($headers['X-SecondLife-Owner-Name'],' ') && $_POST['X-SecondLife-Owner-Name']){
-        $headers['X-SecondLife-Owner-Name'] == $_POST['X-SecondLife-Owner-Name'];
-    }
-    if(is_array($headers)){
-        return $headers;
-    }
-    else{
-        return FALSE;
+function undo_magic_quotes(&$var)
+{
+    // Does anyone still use these? Probably not but just in case.
+    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc())
+    {
+        // This doesn't remove the slashes in the keys, but that doesn't matter for us.
+        foreach ($var as $k => &$v)
+        {
+            if (is_array($v))
+                undo_magic_quotes($v);
+            else
+                $v = stripslashes($v);
+        }
     }
 }
 
+function IdentSQL($str){
+    return '`' . str_replace('`', '``', $str) . '`';
+}
+
+function StrSQL($str){
+    if ($str === null)
+        return "NULL";
+    return "'" . mysqli_real_escape_string($GLOBALS['link'], strval($str)) . "'";
+}
+
+function IntSQL($int){
+    return strval(intval($int));
+}
+
 function isValidGuid($guid){
-    return !empty($guid) && preg_match('/^\{?[a-zA-Z0-9]{8}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{12}\}?$/', $guid);
+    return !empty($guid) && preg_match('/^\{?[a-zA-Z0-9]{8}(?:-[a-zA-Z0-9]{4}){4}[a-zA-Z0-9]{8}\}?$/', $guid);
 }
 
 function email_death($error){
-    $body.="\n";
+    $body="\n";
     $body.="\n\$_SERVER\n";
     foreach($_SERVER as $key_name => $key_value) {
         $body.= $key_name . " = " . $key_value . "\n";
@@ -281,5 +306,3 @@ function ip_in_range( $ip, $range ) {
     $netmask_decimal = ~ $wildcard_decimal;
     return ( ( $ip_decimal & $netmask_decimal ) == ( $range_decimal & $netmask_decimal ) );
 }
-
-?>