diff --git a/database.php b/database.php
index a3d1d3a..dac7148 100644
--- a/database.php
+++ b/database.php
@@ -72,6 +72,18 @@ function syslog_db_fetch_cell($sql, $col_name = '', $log = TRUE) {
return db_fetch_cell($sql, $col_name, $log, $syslog_cnn);
}
+/* syslog_db_fetch_assoc_prepared - run a 'select' sql query and return the first column of the
+ first row found
+ @arg $sql - the sql query to run
+ @arg $params - the parameters to bind to the query
+ @arg $log - whether or not to log the query to the cacti log
+ @returns - the result of the query */
+function syslog_db_fetch_assoc_prepared($sql, $params = array(), $log = TRUE) {
+ global $syslog_cnn;
+
+ return db_fetch_assoc_prepared($sql, $params, $log, $syslog_cnn);
+}
+
/* syslog_db_fetch_cell_prepared - run a 'select' sql query and return the first column of the
first row found
@param $sql - the sql query to execute
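Review bot: The docblock added at the top of the hunk is copied from the fetch_cell wrapper and does not describe this function: "return the first column of the first row found" is the fetch_cell contract, whereas this wrapper forwards to `db_fetch_assoc_prepared`, which presumably returns the full result set as associative rows. It also uses `@arg` while the neighbouring docblock directly below uses `@param`. Suggested header: `/* syslog_db_fetch_assoc_prepared - run a prepared 'select' sql query and return all matching rows as associative arrays`, followed by `@param $sql - the sql query to execute`, `@param $params - the parameters to bind to the query`, `@param $log - whether or not to log the query to the cacti log`, `@returns - the result of the query */`.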
diff --git a/syslog.php b/syslog.php
index 00fac51..a9288b8 100644
--- a/syslog.php
+++ b/syslog.php
@@ -291,10 +291,10 @@ function syslog_statistics() {
$time = date($date_format, strtotime($r['insert_time']));
form_alternate_row();
- echo '
' . (get_request_var('host') != '-2' ? $r['host']:'-') . ' | ';
+ echo '' . (get_request_var('host') != '-2' ? htmle($r['host']):'-') . ' | ';
echo '' . (get_request_var('facility') != '-2' ? ucfirst($r['facility']):'-') . ' | ';
echo '' . (get_request_var('priority') != '-2' ? ucfirst($r['priority']):'-') . ' | ';
- echo '' . (get_request_var('program') != '-2' ? ucfirst($r['program']):'-') . ' | ';
+ echo '' . (get_request_var('program') != '-2' ? htmle(ucfirst($r['program'])):'-') . ' | ';
//echo '' . $r['insert_time'] . ' | ';
echo '' . $time . ' | ';
echo '' . number_format_i18n($r['records'], -1) . ' | ';
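Review bot: The two context lines between the changed ones still echo `ucfirst($r['facility'])` and `ucfirst($r['priority'])` without `htmle()`, even though they come from the same result row `$r` whose host and program columns this commit now escapes; whether those two columns are constrained to a fixed vocabulary is not visible from the hunk, so escaping them is the safe default. Suggested: `echo '' . (get_request_var('facility') != '-2' ? htmle(ucfirst($r['facility'])):'-') . ' | ';` and `echo '' . (get_request_var('priority') != '-2' ? htmle(ucfirst($r['priority'])):'-') . ' | ';`. syslog_statistics() begins before and continues after this hunk.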
diff --git a/syslog_process.php b/syslog_process.php
index 681632b..7d53c8b 100644
--- a/syslog_process.php
+++ b/syslog_process.php
@@ -272,43 +272,56 @@
$smsalert = '';
$th_sql = '';
+ $params = array();
if ($alert['type'] == 'facility') {
$sql = 'SELECT * FROM `' . $syslogdb_default . '`.`syslog_incoming`
- WHERE ' . $syslog_incoming_config['facilityField'] . "='" . $alert['message'] . "'
- AND status=" . $uniqueID;
+ WHERE ' . $syslog_incoming_config['facilityField'] . '=?
+ AND status=?';
+ $params[] = $alert['message'];
+ $params[] = $uniqueID;
} else if ($alert['type'] == 'messageb') {
$sql = 'SELECT * FROM `' . $syslogdb_default . '`.`syslog_incoming`
- WHERE ' . $syslog_incoming_config['textField'] . "
- LIKE '" . $alert['message'] . "%'
- AND status=" . $uniqueID;
+ WHERE ' . $syslog_incoming_config['textField'] . '
+ LIKE ?
+ AND status=?';
+ $params[] = $alert['message'] . '%';
+ $params[] = $uniqueID;
} else if ($alert['type'] == 'messagec') {
$sql = 'SELECT * FROM `' . $syslogdb_default . '`.`syslog_incoming`
- WHERE ' . $syslog_incoming_config['textField'] . "
- LIKE '%" . $alert['message'] . "%'
- AND status=" . $uniqueID;
+ WHERE ' . $syslog_incoming_config['textField'] . '
+ LIKE ?
+ AND status=?';
+ $params[] = '%' . $alert['message'] . '%';
+ $params[] = $uniqueID;
} else if ($alert['type'] == 'messagee') {
$sql = 'SELECT * FROM `' . $syslogdb_default . '`.`syslog_incoming`
- WHERE ' . $syslog_incoming_config['textField'] . "
- LIKE '%" . $alert['message'] . "'
- AND status=" . $uniqueID;
+ WHERE ' . $syslog_incoming_config['textField'] . '
+ LIKE ?
+ AND status=?';
+ $params[] = '%' . $alert['message'];
+ $params[] = $uniqueID;
} else if ($alert['type'] == 'host') {
$sql = 'SELECT * FROM `' . $syslogdb_default . '`.`syslog_incoming`
- WHERE ' . $syslog_incoming_config['hostField'] . "='" . $alert['message'] . "'
- AND status=" . $uniqueID;
+ WHERE ' . $syslog_incoming_config['hostField'] . '=?
+ AND status=?';
+ $params[] = $alert['message'];
+ $params[] = $uniqueID;
} else if ($alert['type'] == 'sql') {
$sql = 'SELECT * FROM `' . $syslogdb_default . '`.`syslog_incoming`
- WHERE (' . $alert['message'] . ')
- AND status=' . $uniqueID;
+ WHERE (?)
+ AND status=?';
+ $params[] = $alert['message'];
+ $params[] = $uniqueID;
}
if ($sql != '') {
if ($alert['method'] == '1') {
$th_sql = str_replace('*', 'count(*)', $sql);
- $count = syslog_db_fetch_cell($th_sql);
+ $count = syslog_db_fetch_cell_prepared($th_sql, $params);
}
if (($alert['method'] == '1' && $count >= $alert['num']) || ($alert['method'] == '0')) {
- $at = syslog_db_fetch_assoc($sql);
+ $at = syslog_db_fetch_assoc_prepared($sql, $params);
/* get a date for the repeat alert */
if ($alert['repeat_alert']) {
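Review bot: The `sql` branch (`WHERE (?)` with `$params[] = $alert['message']`) binds the alert's stored predicate as a string value, so MySQL evaluates `WHERE ('<text>')` as a constant rather than as the condition the alert author wrote; this branch will now match either every row with the given status or none, which is a behaviour change the other five branches do not have. An alert type whose message is raw SQL cannot be made safe by placeholders; if the type is to stay, this one branch has to keep concatenating the predicate — `WHERE (' . $alert['message'] . ') AND status=?';` followed by `$params[] = $uniqueID;` only — with a comment stating that alert SQL is trusted, admin-authored configuration, and the remaining `str_replace('*', 'count(*)', $sql)` on the threshold path would then still rewrite any `*` inside that predicate as it did before. The loop or function enclosing this block starts before the hunk.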