diff -Nru acidlab-0.9.6b20-12/base_ag_main.php acidlab-0.9.6b20/base_ag_main.php
--- acidlab-0.9.6b20-12/base_ag_main.php	2005-10-31 00:29:57.000000000 +0100
+++ acidlab-0.9.6b20/base_ag_main.php	2005-10-31 01:06:43.000000000 +0100
@@ -31,12 +31,11 @@
   
 
   $qs = new QueryState();
-  $submit = ImportHTTPVar("submit");
-  $ag_action = ImportHTTPVar("ag_action");
-  $ag_id = ImportHTTPVar("ag_id");
-  $ag_name = ImportHTTPVar("ag_name");
-  $ag_desc = ImportHTTPVar("ag_desc");  
-
+  $submit = ImportHTTPVar("submit", VAR_ALPHA | VAR_SPACE);
+  $ag_action = ImportHTTPVar("ag_action"), VAR_ALPHA);
+  $ag_id = ImportHTTPVar("ag_id", VAR_DIGIT);
+  $ag_name = filterSql(ImportHTTPVar("ag_name"));
+  $ag_desc = filterSql(ImportHTTPVar("ag_desc"));  
 
   //$qs->MoveView($submit);             /* increment the view if neccessary */
 
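Review bot: `$ag_action = ImportHTTPVar("ag_action"), VAR_ALPHA);` closes the call before the flag argument, so this file no longer parses; it should read `$ag_action = ImportHTTPVar("ag_action", VAR_ALPHA);`. The `filterSql()` calls on ag_name and ag_desc run at import time, and as written filterSql() reads `$db` from its own local scope (see the base_state_common.inc hunk), so these two values always take the generic addslashes-and-strip branch rather than the MySQL-aware escaping, regardless of the configured database. Both values are also only SQL-filtered here; if they are echoed back into the page they still need `htmlspecialchars()` at the point of output.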
diff -Nru acidlab-0.9.6b20-12/base_common.php acidlab-0.9.6b20/base_common.php
--- acidlab-0.9.6b20-12/base_common.php	2005-10-31 00:29:57.000000000 +0100
+++ acidlab-0.9.6b20/base_common.php	2005-10-31 01:06:43.000000000 +0100
@@ -564,9 +564,10 @@
   $submit = str_replace("(", "", $submit);
   $submit = str_replace(")", "", $submit);
   $tmp = explode("-", $submit);
-  $seq = $tmp[0];
-  $sid = $tmp[1];
-  $cid = $tmp[2];
+  /* Since the submit variable is not cleaned do so here: */
+  $seq = CleanVariable($tmp[0], VAR_DIGIT);
+  $sid = CleanVariable($tmp[1], VAR_DIGIT);
+  $cid = CleanVariable($tmp[2], VAR_DIGIT);
 }
 
 function ExportPacket($sid, $cid, $db)
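Review bot: `$tmp[1]` and `$tmp[2]` are read without checking that `explode("-", $submit)` produced three parts, so a submit/caller value with fewer than two dashes raises undefined-index notices and hands an empty string to CleanVariable(); pad the array first with `$tmp = array_pad(explode("-", $submit), 3, "");`. What CleanVariable() does with a rejected value is outside this hunk — if it strips offending characters rather than refusing the value, a tampered sid/cid is silently mapped onto a different alert instead of being rejected, so consider comparing the cleaned value against the original and treating any difference as an error. The enclosing function (presumably GetQueryResultID, per the comment in base_qry_alert.php) starts outside the hunk.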
diff -Nru acidlab-0.9.6b20-12/base_db_setup.php acidlab-0.9.6b20/base_db_setup.php
--- acidlab-0.9.6b20-12/base_db_setup.php	2005-10-31 01:06:18.000000000 +0100
+++ acidlab-0.9.6b20/base_db_setup.php	2005-10-31 01:06:43.000000000 +0100
@@ -31,7 +31,7 @@
       ACTION="base_db_setup.php">
 
 <?php
-  $submit = ImportHTTPVar("submit");
+  $submit = ImportHTTPVar("submit", VAR_ALPHA | VAR_SPACE);
 
   /* Connect to the Alert database */
   $db = NewACIDDBConnection($DBlib_path, $DBtype);
diff -Nru acidlab-0.9.6b20-12/base_graph_main.php acidlab-0.9.6b20/base_graph_main.php
--- acidlab-0.9.6b20-12/base_graph_main.php	2002-02-05 20:55:56.000000000 +0100
+++ acidlab-0.9.6b20/base_graph_main.php	2005-10-31 01:06:43.000000000 +0100
@@ -29,23 +29,23 @@
   session_start();
   session_register('xdata');
 
-  $submit = ImportHTTPVar("submit");
-  $data_source = ImportHTTPVar("data_source");
-  $chart_type = ImportHTTPVar("chart_type");
-  $chart_interval = ImportHTTPVar("chart_interval");
-
-  $chart_begin_hour = ImportHTTPVar("chart_begin_hour");
-  $chart_begin_month = ImportHTTPVar("chart_begin_month");
-  $chart_begin_day = ImportHTTPVar("chart_begin_day");
-  $chart_begin_year = ImportHTTPVar("chart_begin_year");
-
-  $chart_end_hour = ImportHTTPVar("chart_end_hour");
-  $chart_end_month = ImportHTTPVar("chart_end_month");
-  $chart_end_day = ImportHTTPVar("chart_end_day");
-  $chart_end_year = ImportHTTPVar("chart_end_year");
+  $submit = ImportHTTPVar("submit", VAR_ALPHA | VAR_SPACE);
+  $data_source = ImportHTTPVar("data_source", VAR_DIGIT);
+  $chart_type = ImportHTTPVar("chart_type", VAR_DIGIT);
+  $chart_interval = ImportHTTPVar("chart_interval", VAR_DIGIT);
+
+  $chart_begin_hour = ImportHTTPVar("chart_begin_hour", VAR_DIGIT);
+  $chart_begin_month = ImportHTTPVar("chart_begin_month", VAR_DIGIT);
+  $chart_begin_day = ImportHTTPVar("chart_begin_day", VAR_DIGIT);
+  $chart_begin_year = ImportHTTPVar("chart_begin_year", VAR_DIGIT);
+
+  $chart_end_hour = ImportHTTPVar("chart_end_hour", VAR_DIGIT);
+  $chart_end_month = ImportHTTPVar("chart_end_month", VAR_DIGIT);
+  $chart_end_day = ImportHTTPVar("chart_end_day", VAR_DIGIT);
+  $chart_end_year = ImportHTTPVar("chart_end_year", VAR_DIGIT);
 
-  $chart_style = ImportHTTPVar("chart_style");
-  $rotate_xaxis_lbl = ImportHTTPVar("rotate_xaxis_lbl");
+  $chart_style = ImportHTTPVar("chart_style", VAR_ALPHA);
+  $rotate_xaxis_lbl = ImportHTTPVar("rotate_xaxis_lbl", VAR_DIGIT);
 
   $page_title = "Graph Alert Data";
   PrintACIDSubHeader($page_title, $page_title, $cs->GetBackLink());
diff -Nru acidlab-0.9.6b20-12/base_maintenance.php acidlab-0.9.6b20/base_maintenance.php
--- acidlab-0.9.6b20-12/base_maintenance.php	2005-10-31 00:29:57.000000000 +0100
+++ acidlab-0.9.6b20/base_maintenance.php	2005-10-31 01:06:43.000000000 +0100
@@ -25,7 +25,7 @@
   $page_title = "Maintenance";
   PrintACIDSubHeader($page_title, $page_title, $cs->GetBackLink());
 
-  $submit = ImportHTTPVar("submit");
+  $submit = ImportHTTPVar("submit", VAR_ALPHA | VAR_SPACE);
 
 ?>
 <P><P>
diff -Nru acidlab-0.9.6b20-12/base_qry_alert.php acidlab-0.9.6b20/base_qry_alert.php
--- acidlab-0.9.6b20-12/base_qry_alert.php	2005-10-31 00:29:57.000000000 +0100
+++ acidlab-0.9.6b20/base_qry_alert.php	2005-10-31 01:06:43.000000000 +0100
@@ -100,7 +100,7 @@
    * get the (sid,cid) back from $caller 
    */ 
   if ( $submit == "Selected" )
-     $submit = ImportHTTPVar("caller");
+     $submit = ImportHTTPVar("caller"); /* Do not filter this call, will get filtered in GetQueryResultID */
   else
      $caller = $submit;
 
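Review bot: `$submit = ImportHTTPVar("caller")` is left raw on the promise that GetQueryResultID() cleans it, but the base_common.php hunk cleans only the three exploded parts, not `$submit` itself, so any use of `$submit` between this line and that call (output, links, state strings) is unfiltered. Since the expected shape is `(seq-sid-cid)`, narrow it at import instead and drop the comment: `$submit = preg_replace('/[^0-9()-]/', '', ImportHTTPVar("caller"));`. If ImportHTTPVar() has a flag combination covering digits, dashes and parentheses, prefer that for consistency with the other files in this patch.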
diff -Nru acidlab-0.9.6b20-12/base_qry_main.php acidlab-0.9.6b20/base_qry_main.php
--- acidlab-0.9.6b20-12/base_qry_main.php	2005-10-31 00:29:57.000000000 +0100
+++ acidlab-0.9.6b20/base_qry_main.php	2005-10-31 01:06:43.000000000 +0100
@@ -71,7 +71,7 @@
   $cs = new CriteriaState("base_qry_main.php", "&new=1&submit=Query+DB");
 
   $new = ImportHTTPVar("new", VAR_DIGIT);
-  $submit = ImportHTTPVar("submit");
+  $submit = ImportHTTPVar("submit", VAR_ALPHA | VAR_SPACE);
 
 /* Code to correct 'interesting' (read: unexplained) browser behavior */
 
diff -Nru acidlab-0.9.6b20-12/base_state_common.inc acidlab-0.9.6b20/base_state_common.inc
--- acidlab-0.9.6b20-12/base_state_common.inc	2005-10-31 00:29:57.000000000 +0100
+++ acidlab-0.9.6b20/base_state_common.inc	2005-10-31 01:06:43.000000000 +0100
@@ -102,8 +102,6 @@
  ************************************************************************/
 function CleanVariable($item, $valid_data, $exception = "")
 {
-   return $item;
-
    /* Check the exception value list first */
    if ( $exception != "" )
    {
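Review bot: Removing `return $item;` turns every `ImportHTTPVar()` call in the codebase from a pass-through into enforced filtering at once, yet the header comment above does not say what happens to a value that fails `$valid_data` — whether characters are stripped, the value is emptied, or something else — and the new checkAlpha()/checkNum() helpers in this same file use a different convention (the literal string "ERROR"). Document the contract on this function, e.g. `/* Returns $item reduced to the character classes in $valid_data; callers must not assume an untouched value. */`, adjusted to what the body actually does, so the two conventions are not confused by callers. The body of CleanVariable() continues past the end of the hunk.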
@@ -279,4 +277,73 @@
   echo "<INPUT TYPE=\"hidden\" NAME=\"$var_name\" VALUE=\"$var_value\">\n";
 }
 
+/* ***********************************************************************
+ * Function: checkAlpha()
+ *
+ * @doc Checks that all characteres are alphanumeric. Returns ERROR if they
+ *      are not and the values themselves if they are.
+ *
+ * @param $var_value   value of the variable to test
+ *
+ *
+ ************************************************************************/
+function checkAlpha ($var_value) 
+{
+     if (ereg('[^a-zA-z0-9]', $var_value)) {
+     	return "ERROR";
+     }
+     return $var_value;
+}
+
+/* ***********************************************************************
+ * Function: checkNum()
+ *
+ * @doc Checks that all characteres are numeric. Returns ERROR if they
+ *      are not and the values themselves if they are.
+ *
+ * @param $var_value   value of the variable to test
+ *
+ *
+ ************************************************************************/
+function checkNum ($var_value) 
+{
+     if (ereg('[^0-9]', $var_value)) {
+     	return "ERROR";
+     }
+     return $var_value;
+}
+
+/* ***********************************************************************
+ * Function: filterSql()
+ *
+ * @doc Filters the input string so that it can be safely used in SQL queries.
+ *
+ * @param $var_value   value of the variable to filter
+ *
+ *
+ ************************************************************************/
+function filterSql ($var_value) 
+{
+     /* This is the default, so strip slashes in case the server is configured with this 
+        to prevent double quoting */ 
+     if (get_magic_quotes_gpc()) {
+          $var_value = stripslashes($var_value);
+     }
+     if (!is_numeric($var_value)) {
+	     if ($db->DB_type == "mysql") {
+	        if(version_compare(phpversion(),"4.3.0")=="-1") {
+			$var_value = mysql_escape_string($var_value);
+		} else {
+			$var_value = mysql_real_escape_string($var_value);
+		}
+             } else {
+	     /* In other databases, strip the following: _ % ' %0a %00 ( ) { } - " \ */
+	     	$var_value = addslashes ($var_value);
+		$var_value = ereg_replace ("[\"\\_%\(\){}-]", "", $var_value);
+	     }
+     }
+     return $var_value;
+}
+
+
 ?>
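Review bot: filterSql() reads `$db` without declaring it `global` or taking it as a parameter, so `$db->DB_type` is always unset inside the function, the `mysql_real_escape_string()` branch is dead code, and every caller gets the lossy addslashes-plus-strip path; add `global $db;` as the first statement (or accept `$db` as an argument) and make sure the connection exists before the first call. checkAlpha()'s class `[^a-zA-z0-9]` uses `A-z`, which spans `[`, `\`, `]`, `^`, `_` and backtick, so those pass as "alphanumeric"; it should be `[^a-zA-Z0-9]`. The comment in the non-MySQL branch says newline and NUL are stripped, but the `ereg_replace` pattern does not cover them — either add `\n` and `\0` to the class or correct the comment. Finally, `version_compare(...) == "-1"` relies on loose comparison; `version_compare(phpversion(), "4.3.0") < 0` states the intent.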
diff -Nru acidlab-0.9.6b20-12/base_stat_ipaddr.php acidlab-0.9.6b20/base_stat_ipaddr.php
--- acidlab-0.9.6b20-12/base_stat_ipaddr.php	2005-10-31 00:29:57.000000000 +0100
+++ acidlab-0.9.6b20/base_stat_ipaddr.php	2005-10-31 01:06:43.000000000 +0100
@@ -28,10 +28,10 @@
   $cs = new CriteriaState("acid_stat_ipaddr.php");
   $cs->ReadState();
 
-  $ip = ImportHTTPVar("ip");
-  $netmask = ImportHTTPVar("netmask");
-  $action = ImportHTTPVar("action");
-  $submit = ImportHTTPVar("submit");
+  $ip = ImportHTTPVar("ip", VAR_DIGIT | VAR_PERIOD);
+  $netmask = ImportHTTPVar("netmask", VAR_DIGIT);
+  $action = ImportHTTPVar("action", VAR_ALPHA);
+  $submit = ImportHTTPVar("submit", VAR_ALPHA | VAR_SPACE);
 
   $page_title = $ip.'/'.$netmask;
   PrintACIDSubHeader($page_title, $page_title, $cs->GetBackLink());
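Review bot: `VAR_DIGIT | VAR_PERIOD` confines `$ip` to digits and dots but does not make it a well-formed IPv4 address — `1.2.3`, `1..2` or `....` all pass — and `$netmask` is not bounded to 0..32, so whatever converts these later (ip2long() or an SQL address comparison, outside this hunk) sees a malformed value rather than a rejected request. Validate the shape before building `$page_title`, e.g. `if (ip2long($ip) === false || ip2long($ip) == -1 || $netmask < 0 || $netmask > 32) { /* reject or fall back */ }`, noting that ip2long() signals failure with -1 on PHP 4 and false on PHP 5. This is presumably IPv4-only by design; if IPv6 is ever displayed here the filter will need extending.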
diff -Nru acidlab-0.9.6b20-12/base_stat_iplink.php acidlab-0.9.6b20/base_stat_iplink.php
--- acidlab-0.9.6b20-12/base_stat_iplink.php	2005-10-31 00:29:57.000000000 +0100
+++ acidlab-0.9.6b20/base_stat_iplink.php	2005-10-31 01:06:43.000000000 +0100
@@ -30,7 +30,7 @@
   $qs->AddCannedQuery("most_frequent", $freq_num_alerts, "Most Frequent Alerts", "occur_d"); 
   $qs->AddCannedQuery("last_alerts", $last_num_ualerts, "Last Alerts", "last_d");
 
-  $submit = ImportHTTPVar("submit");
+  $submit = ImportHTTPVar("submit", VAR_ALPHA | VAR_SPACE);
   $qs->MoveView($submit);             /* increment the view if necessary */
 
   $page_title = "IP Links";
diff -Nru acidlab-0.9.6b20-12/base_stat_ports.php acidlab-0.9.6b20/base_stat_ports.php
--- acidlab-0.9.6b20-12/base_stat_ports.php	2002-02-05 20:55:56.000000000 +0100
+++ acidlab-0.9.6b20/base_stat_ports.php	2005-10-31 01:06:43.000000000 +0100
@@ -39,9 +39,9 @@
   $qs->AddCannedQuery("most_frequent", $freq_num_uports, "Most Frequent Ports", "occur_d");
   $qs->AddCannedQuery("last_ports", $last_num_uports, "Last Ports", "last_d");
 
-  $submit = ImportHTTPVar("submit");
-  $port_type = ImportHTTPVar("port_type");
-  $proto = ImportHTTPVar("proto");
+  $submit = ImportHTTPVar("submit", VAR_ALPHA | VAR_SPACE);
+  $port_type = ImportHTTPVar("port_type", VAR_DIGIT);
+  $proto = ImportHTTPVar("proto", VAR_DIGIT);
 
   $qs->MoveView($submit);             /* increment the view if necessary */
 
diff -Nru acidlab-0.9.6b20-12/base_stat_time.php acidlab-0.9.6b20/base_stat_time.php
--- acidlab-0.9.6b20-12/base_stat_time.php	2005-10-31 00:29:57.000000000 +0100
+++ acidlab-0.9.6b20/base_stat_time.php	2005-10-31 01:06:43.000000000 +0100
@@ -114,9 +114,9 @@
   include_once ("base_stat_common.php");
   include_once ("base_qry_common.php");
 
-  $time_sep = ImportHTTPVar("time_sep");
-  $time = ImportHTTPVar("time");
-  $submit = ImportHTTPVar("submit");
+  $time_sep = ImportHTTPVar("time_sep", VAR_ALPHA);
+  $time = ImportHTTPVar("time", VAR_DIGIT);
+  $submit = ImportHTTPVar("submit", VAR_ALPHA | VAR_SPACE);
 
   $cs = new CriteriaState("base_stat_alerts.php");
   $cs->ReadState();
diff -Nru acidlab-0.9.6b20-12/base_stat_uaddr.php acidlab-0.9.6b20/base_stat_uaddr.php
--- acidlab-0.9.6b20-12/base_stat_uaddr.php	2005-10-31 00:29:57.000000000 +0100
+++ acidlab-0.9.6b20/base_stat_uaddr.php	2005-10-31 01:06:43.000000000 +0100
@@ -28,8 +28,8 @@
  include_once("base_common.php"); 
  include_once("base_qry_common.php");
 
- $addr_type = ImportHTTPVar("addr_type");
- $submit = ImportHTTPVar("submit");
+ $addr_type = ImportHTTPVar("addr_type", VAR_DIGIT);
+ $submit = ImportHTTPVar("submit", VAR_ALPHA | VAR_SPACE);
 
  $et = new EventTiming($debug_time_mode);
  $cs = new CriteriaState("base_stat_uaddr.php", "&addr_type=$addr_type");
