diff --git a/lib/db.php b/lib/db.php
index 9699b216f6f712d71bdebac6baa627045806aa6f..cfa3b6cb9795249f4b27398508b323b08c969188 100644
--- a/lib/db.php
+++ b/lib/db.php
@@ -633,18 +633,20 @@ class OC_DB {
 		$type = self::$type;
 
 		$query = '';
+		$inserts = array_values($input);
 		// differences in escaping of table names ('`' for mysql) and getting the current timestamp
 		if( $type == 'sqlite' || $type == 'sqlite3' ) {
 			// NOTE: For SQLite we have to use this clumsy approach
 			// otherwise all fieldnames used must have a unique key.
 			$query = 'SELECT * FROM "' . $table . '" WHERE ';
 			foreach($input as $key => $value) {
-				$query .= $key . " = '" . $value . '\' AND ';
+				$query .= $key . ' = ? AND ';
 			}
 			$query = substr($query, 0, strlen($query) - 5);
 			try {
 				$stmt = self::prepare($query);
-				$result = $stmt->execute();
+				$result = $stmt->execute($inserts);
+
 			} catch(PDOException $e) {
 				$entry = 'DB Error: "'.$e->getMessage() . '"<br />';
 				$entry .= 'Offending command was: ' . $query . '<br />';
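Review bot: The placeholders added on L17 and L23 bind the values only; `$table` and each `$key` from `array_keys($input)` are still concatenated into the SQL as identifiers, so the method's contract should say so, e.g. a docblock line `@param array $input column => value; keys and $table are used verbatim as identifiers and must be application-controlled`. The SQLite branch also leaves the column name unquoted (`$query .= $key . ' = ? AND ';`) while the table on L14 is quoted with `"` and the other driver branch in the next hunk quotes its columns; `$query .= '"' . $key . '" = ? AND ';` would make the two branches consistent. Since `$value` is no longer read inside this foreach, `foreach (array_keys($input) as $key)` avoids the unused binding. The enclosing method begins before this hunk.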
@@ -653,27 +655,28 @@ class OC_DB {
 				OC_Template::printErrorPage( $entry );
 			}
 
-			if($result->numRows() == 0) {
+			if((int)$result->numRows() === 0) {
 				$query = 'INSERT INTO "' . $table . '" ("'
-					. implode('","', array_keys($input)) . '") VALUES("'
-					. implode('","', array_values($input)) . '")';
+					. implode('","', array_keys($input)) . '") VALUES('
+					. str_repeat('?,', count($input)-1).'? ' . ')';
 			} else {
 				return true;
 			}
 		} elseif( $type == 'pgsql' || $type == 'oci' || $type == 'mysql' || $type == 'mssql') {
-			$query = 'INSERT INTO `' .$table . '` ('
-				. implode(',', array_keys($input)) . ') SELECT \''
-				. implode('\',\'', array_values($input)) . '\' FROM ' . $table . ' WHERE ';
+			$query = 'INSERT INTO `' .$table . '` (`'
+				. implode('`,`', array_keys($input)) . '`) SELECT '
+				. str_repeat('?,', count($input)-1).'? ' // Is there a prettier alternative?
+				. 'FROM ' . $table . ' WHERE ';
 
 			foreach($input as $key => $value) {
-				$query .= $key . " = '" . $value . '\' AND ';
+				$query .= '`' . $key . '` = ? AND ';
 			}
 			$query = substr($query, 0, strlen($query) - 5);
 			$query .= ' HAVING COUNT(*) = 0';
+			$inserts = array_merge($inserts, $inserts);
 		}
 
-		// TODO: oci should be use " (quote) instead of ` (backtick).
-		//OC_Log::write('core', __METHOD__ . ', type: ' . $type . ', query: ' . $query, OC_Log::DEBUG);
+		// TODO: oci should be use " (quote) instead of ` (backtick)?
 
 		try {
 			$result = self::prepare($query);
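Review bot: `str_repeat('?,', count($input)-1)` on L38 and L48 receives a negative count when `$input` is empty — a warning plus `false` on PHP 7, a `ValueError` on PHP 8 — and the query is malformed in that case anyway because the `substr(..., strlen(...) - 5)` trims on L19 and L55 assume at least one `AND` was appended; an explicit guard at the top of the method that returns or throws on an empty `$input` closes this, and `implode(',', array_fill(0, count($input), '?'))` answers the "prettier alternative" comment on L48 while degrading to an empty string rather than a negative repeat. The backticks added around column names on L46-L47 and L53 are MySQL quoting; unless `self::prepare()` rewrites them for pgsql and oci (the TODO on L62 suggests oci at least is not handled), those drivers will reject the statement, so this is worth confirming before merge. L57 doubles `$inserts` because the SELECT list and the WHERE clause each consume one full set of values, which is correct but not obvious; a comment such as `// values are bound twice: once for the SELECT list, once for the WHERE clause` would spare the next reader a recount.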
@@ -685,7 +688,7 @@ class OC_DB {
 			OC_Template::printErrorPage( $entry );
 		}
 
-		return $result->execute();
+		return $result->execute($inserts);
 	}
 
 	/**