Program O uses several methods to prevent SQL injection. The first line of defense is in not using $_GET or $_POST to obtain form variables. Instead, the script uses filter_input_array() for both GET and POST, and then combines them into a common variable called $form_vars. This single array holds all form inputs.
Secondly, since Program O now uses PDO, rather than MySQL, all queries are run through PDO::prepare() using named placeholders in the query, with variables passed to the query via either PDOStatement::bindValue() or PDOStatement::bindParam(). This serves to properly escape non-standard characters before the query is executed, thus reducing the risk of injection.
Security is something we take very seriously, so we try to take any necessary precautions with the script. I hope this answers your questions.
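The input-handling and query pattern described in the reply above, written out as an added example (this is not Program O's own code; the table name, column names, DSN and credentials are placeholders chosen for illustration):

```php
<?php
// Added example, not Program O's code: gather form input with
// filter_input_array() for GET and POST, merge into $form_vars, then run
// a PDO prepared statement with named placeholders and bound values.
// "users", "user_id" and "name" are assumed names for illustration.

$filters = [
    'user_id' => FILTER_VALIDATE_INT,
    'search'  => ['filter' => FILTER_UNSAFE_RAW, 'flags' => FILTER_FLAG_STRIP_LOW],
];

// filter_input_array() returns null when the input source is empty, so fall
// back to an empty array before merging. Keys not in $filters are dropped.
$get  = filter_input_array(INPUT_GET,  $filters) ?: [];
$post = filter_input_array(INPUT_POST, $filters) ?: [];

// POST values take precedence over GET values with the same key.
$form_vars = array_merge($get, $post);

// DSN and credentials are placeholders. Disabling emulated prepares makes
// the server itself parse the statement before any value is supplied.
$pdo = new PDO(
    'mysql:host=localhost;dbname=DB_NAME;charset=utf8mb4',
    'DB_USER',
    'DB_PASS',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

// The user-supplied values never become part of the SQL text; they are
// bound to named placeholders, so the database treats them strictly as data.
$stmt = $pdo->prepare(
    'SELECT user_id, name FROM users WHERE user_id = :user_id AND name LIKE :search'
);
$stmt->bindValue(':user_id', (int) ($form_vars['user_id'] ?? 0), PDO::PARAM_INT);
$stmt->bindValue(':search', '%' . ($form_vars['search'] ?? '') . '%', PDO::PARAM_STR);
$stmt->execute();

$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
```

bindValue() copies the value at bind time, whereas bindParam() binds a variable by reference and reads it when execute() runs; either is safe, but bindValue() is the less surprising choice when the value is a computed expression such as the LIKE pattern above. One caveat worth keeping in mind: placeholders can only stand in for values, not for table or column names or for ORDER BY directions, so anything of that kind that comes from the request still has to be checked against a fixed whitelist before it is concatenated into the query.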