diff -ruBbd cacti-0.8.6j/auth_login.php cacti-0.8.6j-patched/auth_login.php
--- cacti-0.8.6j/auth_login.php	2007-01-17 19:23:10.000000000 -0500
+++ cacti-0.8.6j-patched/auth_login.php	2008-02-11 20:28:31.000000000 -0500
@@ -29,20 +27,23 @@
 
 switch ($_REQUEST["action"]) {
 case 'login':
+
+	$username = sanitize_search_string(get_request_var_post('login_username'));
+
 	/* --- start ldap section --- */
 	$ldap_auth = false;
-	if ((read_config_option("ldap_enabled") == "on") && ($_POST["realm"] == "ldap") && (strlen($_POST["login_password"])) && (strlen($_POST["login_username"]))){
+	if ((read_config_option("ldap_enabled") == "on") && ($_POST["realm"] == "ldap") && (strlen($username)) && (strlen($username))){
 		$ldap_conn = ldap_connect(read_config_option("ldap_server"));
 
 		if ($ldap_conn) {
-			$ldap_dn = str_replace("<username>",$_POST["login_username"],read_config_option("ldap_dn"));
+			$ldap_dn = str_replace("<username>",$username,read_config_option("ldap_dn"));
 			$ldap_response = @ldap_bind($ldap_conn,$ldap_dn,stripslashes($_POST["login_password"]));
 
 			if ($ldap_response) {
 				$ldap_auth = true;
-				if (sizeof(db_fetch_assoc("select * from user_auth where username='" . $_POST["login_username"] . "' and realm = 1")) == 0) {
+				if (sizeof(db_fetch_assoc("select * from user_auth where username='$username' and realm = 1")) == 0) {
 					/* copy template user's settings */
-					user_copy(read_config_option("ldap_template"), $_POST["login_username"], 1);
+					user_copy(read_config_option("ldap_template"), $username, 1);
 				}
 			}
 		}
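Review bot: The guard on the `ldap_enabled` condition now tests `strlen($username)` twice and no longer tests the password at all, so the LDAP bind a few lines below can be attempted with an empty password; directories commonly treat an empty-password bind as an unauthenticated bind that succeeds, which would set `$ldap_auth` for any username that exists in the directory. Keep the password check next to the sanitized username: `... && (strlen($_POST["login_password"])) && (strlen($username))){`. Separately, `sanitize_search_string` is a character blacklist (it drops `'` and `"` rather than escaping them), and `$username` is still spliced into SQL strings in this hunk and in the two that follow (`@@ -50,14` and `@@ -86,7`); an escaping call at the query layer would not depend on that list remaining complete. The `case 'login':` body continues past the end of this hunk.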
@@ -50,14 +51,14 @@
 	/* --- end ldap section --- */
 
 	if ($ldap_auth) {
-		$user = db_fetch_row("select * from user_auth where username='" . $_POST["login_username"] . "' and realm = 1");
+		$user = db_fetch_row("select * from user_auth where username='$username' and realm = 1");
 	} else {
-		$user = db_fetch_row("select * from user_auth where username='" . $_POST["login_username"] . "' and password = '" . md5($_POST["login_password"]) . "' and realm = 0");
+		$user = db_fetch_row("select * from user_auth where username='$username' and password = '" . md5($_POST["login_password"]) . "' and realm = 0");
 	}
 
 	if (sizeof($user)) {
 		/* make entry in the transactions log */
-		db_execute("insert into user_log (username,user_id,result,ip,time) values('" . $_POST["login_username"] ."'," . $user["id"] . ",1,'" . $_SERVER["REMOTE_ADDR"] . "',NOW())");
+		db_execute("insert into user_log (username,user_id,result,ip,time) values('$username'," . $user["id"] . ",1,'" . $_SERVER["REMOTE_ADDR"] . "',NOW())");
 
 		/* set the php session */
 		$_SESSION["sess_user_id"] = $user["id"];
@@ -86,7 +87,7 @@
 		exit;
 	}else{
 		/* --- BAD username/password --- */
-		db_execute("insert into user_log (username,user_id,result,ip,time) values('" . $_POST["login_username"] . "',0,0,'" . $_SERVER["REMOTE_ADDR"] . "',NOW())");
+		db_execute("insert into user_log (username,user_id,result,ip,time) values('$username',0,0,'" . $_SERVER["REMOTE_ADDR"] . "',NOW())");
 	}
 }
 
diff -ruBbd cacti-0.8.6j/graph.php cacti-0.8.6j-patched/graph.php
--- cacti-0.8.6j/graph.php	2007-01-17 19:23:10.000000000 -0500
+++ cacti-0.8.6j-patched/graph.php	2008-02-11 20:28:31.000000000 -0500
@@ -35,10 +33,15 @@
 include("./include/top_graph_header.php");
 
 /* ================= input validation ================= */
-input_validate_input_regex(get_request_var("rra_id"), "^([0-9]+|all)$");
+input_validate_input_regex(get_request_var_request("rra_id"), "^([0-9]+|all)$");
 input_validate_input_number(get_request_var("local_graph_id"));
+input_validate_input_regex(get_request_var_request("view_type"), "^([a-zA-Z0-9]+)$");
 /* ==================================================== */
 
+if (!isset($_GET['rra_id'])) {
+	$_GET['rra_id'] = 'all';
+}
+
 if ($_GET["rra_id"] == "all") {
 	$sql_where = " where id is not null";
 }else{
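Review bot: `rra_id` is now validated through `get_request_var_request`, but the default assignment and the comparison that follows still read `$_GET['rra_id']` directly, and `local_graph_id` on the line between is still fetched with plain `get_request_var`; if the `_request` accessor can return a POST value (its body is not in this diff), the value that was validated and the value that is consumed can differ. Consume the accessor that was validated, e.g. `if (get_request_var_request("rra_id") == "all") {`, and validate `local_graph_id` through the same accessor for consistency. The default is also assigned after the validation runs, so whether an absent `rra_id` passes `^([0-9]+|all)$` depends on what the accessor returns for a missing key — moving the `isset` default above the validation block removes the question.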
diff -ruBbd cacti-0.8.6j/graph_view.php cacti-0.8.6j-patched/graph_view.php
--- cacti-0.8.6j/graph_view.php	2007-01-17 19:23:10.000000000 -0500
+++ cacti-0.8.6j-patched/graph_view.php	2008-02-11 20:28:31.000000000 -0500
@@ -36,6 +34,9 @@
 input_validate_input_number(get_request_var("tree_id"));
 input_validate_input_number(get_request_var("leaf_id"));
 input_validate_input_number(get_request_var("rra_id"));
+input_validate_input_regex(get_request_var_request('graph_list'), "^([\,0-9]+)$");
+input_validate_input_regex(get_request_var_request('graph_add'), "^([\,0-9]+)$");
+input_validate_input_regex(get_request_var_request('graph_remove'), "^([\,0-9]+)$");
 /* ==================================================== */
 
 if (isset($_GET["hide"])) {
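Review bot: The pattern `^([\,0-9]+)$` on the three new validations also accepts a value made only of commas, or one with empty fields such as `1,,2`; if the consumer (outside this hunk) splits on commas and interpolates each element into SQL, those produce empty elements rather than integers. A pattern that requires digit groups separated by single commas is tighter and still matches every valid list: `"^([0-9]+(,[0-9]+)*)$"`. The backslash before the comma inside the character class is unnecessary and can be dropped.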
@@ -387,7 +388,7 @@
 					</td>
 					<td width="1">
 						<select name="host_id" onChange="applyFilterChange(document.form_graph_id)">
-							<option value="0"<?php print $_REQUEST["filter"];?><?php if ($_REQUEST["host_id"] == "0") {?> selected<?php }?>>Any</option>
+							<option value="0"<?php if ($_REQUEST["host_id"] == "0") {?> selected<?php }?>>Any</option>
 							<?php
 							$hosts = get_host_array();
 
diff -ruBbd cacti-0.8.6j/include/config.php cacti-0.8.6j-patched/include/config.php
--- cacti-0.8.6j/include/config.php	2007-01-17 19:23:10.000000000 -0500
+++ cacti-0.8.6j-patched/include/config.php	2008-02-11 20:28:31.000000000 -0500
@@ -85,6 +83,16 @@
 $colors["form_alternate2"] = "E5E5E5";
 
 if ((!in_array(basename($_SERVER["PHP_SELF"]), $no_http_header_files, true)) && ($_SERVER["PHP_SELF"] != "")) {
+	/* Sanity Check on "Corrupt" PHP_SELF */
+	if ((!is_file($_SERVER["PHP_SELF"])) && (!is_file($config["base_path"] . '/' . $_SERVER["PHP_SELF"]))) {
+		if (!is_file($_SERVER["DOCUMENT_ROOT"] . $_SERVER["PHP_SELF"])) {
+			if (!((is_file($_SERVER["SCRIPT_FILENAME"])) && (substr_count($_SERVER["SCRIPT_FILENAME"], $_SERVER["PHP_SELF"])))) {
+				echo "\nInvalid PHP_SELF Path\n";
+				exit;
+			}
+		}
+	}
+
 	/* we don't want these pages cached */
 	header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
 	header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
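Review bot: The last fallback in the new sanity check, `substr_count($_SERVER["SCRIPT_FILENAME"], $_SERVER["PHP_SELF"])`, is a substring test, so any `PHP_SELF` that happens to occur inside the script path — including a lone `/` — satisfies it; since `PHP_SELF` is request-derived (it carries any path-info suffix), this is the branch that matters and it should compare script names exactly. The three nested `if`s also read better as one boolean, and the rejection path should send an error status before `exit` instead of a 200 with a text body. Whether `is_file($_SERVER["PHP_SELF"])` relative to the working directory is intended is not clear from here; the rewrite below keeps that branch as is.
```php
	/* Sanity Check on "Corrupt" PHP_SELF */
	$self_ok = is_file($_SERVER["PHP_SELF"])
		|| is_file($config["base_path"] . '/' . $_SERVER["PHP_SELF"])
		|| is_file($_SERVER["DOCUMENT_ROOT"] . $_SERVER["PHP_SELF"])
		|| (is_file($_SERVER["SCRIPT_FILENAME"]) && basename($_SERVER["SCRIPT_FILENAME"]) === basename($_SERVER["PHP_SELF"]));
	if (!$self_ok) {
		header("HTTP/1.0 400 Bad Request");
		echo "\nInvalid PHP_SELF Path\n";
		exit;
	}
	// … unchanged: cache-control headers …
```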
diff -ruBbd cacti-0.8.6j/lib/api_tree.php cacti-0.8.6j-patched/lib/api_tree.php
--- cacti-0.8.6j/lib/api_tree.php	2007-01-17 19:23:10.000000000 -0500
+++ cacti-0.8.6j-patched/lib/api_tree.php	2008-02-11 20:28:31.000000000 -0500
@@ -28,6 +26,9 @@
 	$host_id, $host_grouping_type, $sort_children_type, $propagate_changes) {
 	global $config;
 
+	input_validate_input_number($tree_id);
+	input_validate_input_number($parent_tree_item_id);
+
 	include_once($config["library_path"] . "/tree.php");
 
 	$parent_order_key = db_fetch_cell("select order_key from graph_tree_items where id=$parent_tree_item_id");
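Review bot: The two new `input_validate_input_number` calls cover the two ids the visible `db_fetch_cell` interpolates, but the function also receives `$host_id`, `$host_grouping_type` and `$sort_children_type`, which are left unvalidated here; if they are interpolated into SQL further down (the body runs past this hunk) they need the same treatment. Whether `input_validate_input_number` halts on failure or only reports it is not visible in this diff — if it returns, the query on the last line of the hunk is still built from the raw value — so a comment such as `/* both ids are interpolated into SQL below; validator must exit on failure */` would record the assumption being relied on. The function signature begins before this hunk.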
diff -ruBbd cacti-0.8.6j/lib/functions.php cacti-0.8.6j-patched/lib/functions.php
--- cacti-0.8.6j/lib/functions.php	2007-01-17 19:23:10.000000000 -0500
+++ cacti-0.8.6j-patched/lib/functions.php	2008-02-11 20:28:31.000000000 -0500
@@ -1411,6 +1409,9 @@
 		);
 
 	$current_page = basename($_SERVER["PHP_SELF"]);
+
+	input_validate_input_regex(get_request_var_request("action"), "^([a-zA-Z0-9_-]+)$");
+
 	$current_action = (isset($_REQUEST["action"]) ? $_REQUEST["action"] : "");
 
 	/* find the current page in the big array */
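Review bot: `input_validate_input_regex` is applied to `get_request_var_request("action")`, but the next line still reads `$_REQUEST["action"]` through an `isset` fallback, so the code treats the parameter as optional; if the validator rejects an empty or absent value (the `+` quantifier does not match an empty string), every page reached without an `action` would be refused here, which is worth confirming against how the validator and the accessor handle a missing key. Guard the validation the way the consumer does, e.g. `if (isset($_REQUEST["action"])) { input_validate_input_regex(get_request_var_request("action"), "^([a-zA-Z0-9_-]+)$"); }`, or assign the accessor's return value to `$current_action` instead of re-reading `$_REQUEST`. The enclosing function starts before this hunk.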
@@ -1701,8 +1702,8 @@
    @arg $string - the original raw search string
    @returns - the sanitized search string */
 function sanitize_search_string($string) {
-	static $drop_char_match =   array('^', '$', '&', '(', ')', '<', '>', '`', '\'', '"', '|', ',', '@', '?', '~', '+', '[', ']', '{', '}', '#', ';', '!');
-	static $drop_char_replace = array(' ', ' ', ' ', ' ', ' ', ' ', ' ',  '',   '', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ');
+	static $drop_char_match =   array('^', '$', '<', '>', '`', '\'', '"', '|', ',', '?', '~', '+', '[', ']', '{', '}', '#', ';', '!', '=');
+	static $drop_char_replace = array(' ', ' ', ' ', ' ',  '',   '', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ');
 
 	/* Replace line endings by a space */
 	$string = preg_replace('/[\n\r]/is', ' ', $string);
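Review bot: With `'` and `"` mapped to an empty string while everything else maps to a space, and the list edited here (`&`, `(`, `)`, `@` now allowed, `=` now dropped), the two parallel `static` arrays must be kept index-aligned by hand — an easy place for an off-by-one on the next edit. A single keyed map makes the pairing explicit: `static $drop_chars = array('^' => ' ', '$' => ' ', /* … */ '\'' => '', '"' => '', /* … */ '=' => ' ');` and, where the arrays are presumably fed to `str_replace` below this hunk, `str_replace(array_keys($drop_chars), array_values($drop_chars), $string)`. Since this same patch makes the function the only filter on the login username before it is interpolated into SQL (auth_login.php), the header comment above the function should say so, so that nobody later relaxes the list believing it only affects search. The function body continues past this hunk.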
diff -ruBbd cacti-0.8.6j/lib/html_utility.php cacti-0.8.6j-patched/lib/html_utility.php
--- cacti-0.8.6j/lib/html_utility.php	2007-01-17 19:23:10.000000000 -0500
+++ cacti-0.8.6j-patched/lib/html_utility.php	2008-02-11 20:28:31.000000000 -0500
@@ -137,6 +135,10 @@
 {
 	if (isset($_GET[$name]))
 	{
+		if (isset($_POST[$name])) {
+			unset($_POST[$name]);
+			$_REQUEST[$name] = $_GET[$name];
+		}
 		return $_GET[$name];
 	} else
 	{
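Review bot: `get_request_var` now mutates `$_POST` and `$_REQUEST` when a name arrives in both, and the mirror-image hunk for the POST accessor (`@@ -155,6`) does the reverse, so whichever accessor a page calls first decides which value ends up in `$_REQUEST` — a side effect a caller of a getter would not expect, and it is what makes the validate-via-accessor-then-read-`$_REQUEST` sequences elsewhere in this patch order-dependent. At minimum document it in the function's header comment (above this hunk), e.g. `/* NOTE: when $name is present in both GET and POST, the POST copy is unset and $_REQUEST[$name] is rewritten to the GET value */`, and consider resolving the precedence once, in one place, rather than inside each accessor. The function signature is outside this hunk.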
@@ -155,6 +157,10 @@
 {
 	if (isset($_POST[$name]))
 	{
+		if (isset($_GET[$name])) {
+			unset($_GET[$name]);
+			$_REQUEST[$name] = $_POST[$name];
+		}
 		return $_POST[$name];
 	} else
 	{
diff -ruBbd cacti-0.8.6j/tree.php cacti-0.8.6j-patched/tree.php
--- cacti-0.8.6j/tree.php	2007-01-17 19:23:10.000000000 -0500
+++ cacti-0.8.6j-patched/tree.php	2008-02-11 20:28:31.000000000 -0500
@@ -29,6 +27,11 @@
 include_once('./lib/tree.php');
 include_once('./lib/html_tree.php');
 
+input_validate_input_number(get_request_var('tree_id'));
+input_validate_input_number(get_request_var('leaf_id'));
+input_validate_input_number(get_request_var_post('graph_tree_id'));
+input_validate_input_number(get_request_var_post('parent_item_id'));
+
 /* set default action */
 if (!isset($_REQUEST["action"])) { $_REQUEST["action"] = ""; }
 
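Review bot: `tree_id` and `leaf_id` are validated from `$_GET` only (`get_request_var`) and the two item ids from `$_POST` only, whereas graph.php in this same patch validates through `get_request_var_request`; if any handler below reads these names from `$_REQUEST` or from the other method, a value supplied that way would not pass through these checks. Confirm which source each consumer uses (the handlers are outside this hunk) and validate via the matching accessor, or validate all four through `get_request_var_request` for consistency with the rest of the patch.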
