diff --git a/admin/post/payment_method.php b/admin/post/payment_method.php
index 3de1f4f7..6e453cc8 100644
--- a/admin/post/payment_method.php
+++ b/admin/post/payment_method.php
@@ -10,10 +10,17 @@ if (isset($_POST['add_payment_method'])) {
 validateCSRFToken($_POST['csrf_token']);
- $name = sanitizeInput($_POST['name']);
- $description = sanitizeInput($_POST['description']);
+ $name = cleanInput($_POST['name']);
+ $description = cleanInput($_POST['description']);
- mysqli_query($mysqli,"INSERT INTO payment_methods SET payment_method_name = '$name', payment_method_description = '$description'");
+ $query = mysqli_prepare(
+ $mysqli, "INSERT INTO payment_methods
+ SET payment_method_name = ?, payment_method_description = ?"
+ );
+
+ mysqli_stmt_bind_param($query, "ss", $name, $description);
+
+ mysqli_stmt_execute($query);
 logAction("Payment Method", "Create", "$session_name created Payment Method $name");
@@ -26,12 +33,21 @@ if (isset($_POST['add_payment_method'])) {
 if (isset($_POST['edit_payment_method'])) {
 validateCSRFToken($_POST['csrf_token']);
-
+ $payment_method_id = intval($_POST['payment_method_id']);
- $name = sanitizeInput($_POST['name']);
- $description = sanitizeInput($_POST['description']);
+ $name = cleanInput($_POST['name']);
+ $description = cleanInput($_POST['description']);
- mysqli_query($mysqli,"UPDATE payment_methods SET payment_method_name = '$name', payment_method_description = '$description' WHERE payment_method_id = $payment_method_id");
+ $query = mysqli_prepare(
+ $mysqli,
+ "UPDATE payment_methods
+ SET payment_method_name = ?, payment_method_description = ?
+ WHERE payment_method_id = ?"
+ );
+
+ mysqli_stmt_bind_param($query, "ssi", $name, $description, $payment_method_id);
+
+ mysqli_stmt_execute($query);
 logAction("Payment Method", "Edit", "$session_name edited Payment Method $name");
diff --git a/functions.php b/functions.php
index 8dda831e..0cae5ae8 100644
--- a/functions.php
+++ b/functions.php
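Review bot: `mysqli_stmt_execute($query)` has its return value discarded, and the `logAction(...)` line right after it records a successful create unconditionally, so a failed INSERT still leaves a "created" audit entry; the edit hunk below has the identical pattern around its UPDATE. Unless `mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT)` is in effect (the PHP 8.1+ default, but not visible in this diff), `mysqli_prepare` can also return `false`, which turns the following `mysqli_stmt_bind_param` into a TypeError rather than a handled error. Check the result before logging, e.g. `if (!mysqli_stmt_execute($query)) { /* surface mysqli_stmt_error($query) and skip the success log */ }`, and release the handle with `mysqli_stmt_close($query);`. The enclosing `if (isset($_POST['add_payment_method']))` block continues outside the hunk.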
@@ -802,6 +802,26 @@ function sanitizeInput($input) {
 return $input;
 }
+function cleanInput($input) {
+ // Only process non-empty input
+ if (!empty($input)) {
+ // Normalize encoding to UTF-8 if it’s not valid
+ if (!mb_check_encoding($input, 'UTF-8')) {
+ // Convert from Windows-1252 as a safe fallback
+ $input = mb_convert_encoding($input, 'UTF-8', 'Windows-1252');
+ }
+ }
+
+ // Remove HTML and PHP tags
+ $input = strip_tags((string) $input);
+
+ // Trim whitespace
+ $input = trim($input);
+
+ return $input;
+}
+
+
 function sanitizeForEmail($data) {
 $sanitized = htmlspecialchars($data);
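Review bot: `cleanInput` strips tags and trims but performs no escaping, so what it returns is neither HTML-safe nor SQL-safe on its own; the payment_method.php callers in this commit bind it as a query parameter, but a docblock such as `/** Normalises to UTF-8, strips tags and trims; does NOT escape — bind in queries and htmlspecialchars() at output. */` would keep later callers from treating it as an output encoder. The parameter is untyped, and a `$_POST` value can be an array (bracketed field names), in which case `strip_tags((string) $input)` would store the literal string "Array" with a warning instead of rejecting the request; `function cleanInput(?string $input): string` makes that fail loudly at the boundary. `!empty($input)` also skips the encoding check for the string "0", the usual truthiness pitfall; `if ($input !== null && $input !== '')` is the precise guard. sanitizeForEmail's body continues outside the hunk.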