diff --git a/classes/calendarview.class.php b/classes/calendarview.class.php
index a3536869..ecce5a4b 100644
--- a/classes/calendarview.class.php
+++ b/classes/calendarview.class.php
@@ -6,6 +6,10 @@ class CalendarView {
 	private static $Events;
 
 	public static function render_title($Month, $Year) {
+		if (!is_numeric($Month) || !is_numeric($Year)) {
+			error(404);
+		}
+
 		$NextMonth = $Month % 12 == 0 ? 1 : $Month + 1;
 		$PreviousMonth = $Month == 1 ? 12 : $Month - 1;
 		$NextYear = $Year;
diff --git a/classes/sitehistory.class.php b/classes/sitehistory.class.php
index f696d360..e55b39c4 100644
--- a/classes/sitehistory.class.php
+++ b/classes/sitehistory.class.php
@@ -244,7 +244,7 @@ public static function update_event($ID, $Date, $Title, $Link, $Category, $SubCa
 	}
 
 	public static function delete_event($ID) {
-		if (empty($ID)) {
+		if (!is_numeric($ID)) {
 			error(404);
 		}
 		$QueryID = G::$DB->get_query_id();
diff --git a/docs/CHANGES.txt b/docs/CHANGES.txt
index e03fd119..90e8ed8c 100644
--- a/docs/CHANGES.txt
+++ b/docs/CHANGES.txt
@@ -1,5 +1,8 @@
 CHANGE LOG
 
+2015-12-24 by newman
+Fix several XSS, SQLi, and misc vulnerabilities
+
 2015-12-20 by newman
 Add password age to user profiles
 
diff --git a/sections/tools/data/ocelot_info.php b/sections/tools/data/ocelot_info.php
index f3b1c666..93852670 100644
--- a/sections/tools/data/ocelot_info.php
+++ b/sections/tools/data/ocelot_info.php
@@ -30,7 +30,7 @@
 		<h2>Tracker info</h2>
 	</div>
 	<div class="linkbox">
-		<a href="?action=<?=$_GET['action']?>" class="brackets" />Main stats</a>
+		<a href="?action=<?=$_REQUEST['action']?>" class="brackets" />Main stats</a>
 	</div>
 	<div class="sidebar">
 		<div class="box box2">
@@ -76,7 +76,7 @@
 <?
 } elseif (isset($_GET['userid'])) {
 ?>
-				User <?=$_GET['userid']?> doesn't exist
+				User <?=display_str($_GET['userid'])?> doesn't exist
 <?
 } else {
 ?>
diff --git a/sections/tools/development/service_stats.php b/sections/tools/development/service_stats.php
index 52254b61..e0bda9ac 100644
--- a/sections/tools/development/service_stats.php
+++ b/sections/tools/development/service_stats.php
@@ -1,5 +1,5 @@
 <?
-if (!check_perms('site_debug')) {
+if (!check_perms('site_debug') || !check_perms('admin_clear_cache')) {
 	error(403);
 }
 if (isset($_POST['global_flush'])) {
diff --git a/sections/tools/finances/bitcoin_balance.php b/sections/tools/finances/bitcoin_balance.php
index b14a6cc6..b63fe0bb 100644
--- a/sections/tools/finances/bitcoin_balance.php
+++ b/sections/tools/finances/bitcoin_balance.php
@@ -17,7 +17,7 @@
 <?
 if (empty($_GET['list'])) {
 ?>
-	<a href="?action=<?=$_GET['action']?>&amp;list=1" class="brackets">Show donor list</a>
+	<a href="?action=<?=$_REQUEST['action']?>&amp;list=1" class="brackets">Show donor list</a>
 <?
 } else {
 	$BitcoinAddresses = DonationsBitcoin::get_received();
diff --git a/sections/tools/managers/dnu_alter.php b/sections/tools/managers/dnu_alter.php
index 5fbfd5bc..90b142c5 100644
--- a/sections/tools/managers/dnu_alter.php
+++ b/sections/tools/managers/dnu_alter.php
@@ -9,10 +9,10 @@
 	foreach ($_POST['item'] as $Position => $Item) {
 		$Position = db_string($Position);
 		$Item = db_string($Item);
-		$DB->query('
+		$DB->query("
 			UPDATE `do_not_upload`
-			SET `Sequence` = ' . $Position . '
-			WHERE `id` = '. $Item);
+			SET `Sequence` = '" . $Position . "'
+			WHERE `id` = '" . $Item . "'");
 	}
 
 } elseif ($_POST['submit'] == 'Delete') { //Delete
diff --git a/sections/torrents/download.php b/sections/torrents/download.php
index 225537f2..c87774f0 100644
--- a/sections/torrents/download.php
+++ b/sections/torrents/download.php
@@ -6,6 +6,10 @@
 	$UserID		 = $LoggedUser['ID'];
 	$AuthKey	 = $LoggedUser['AuthKey'];
 } else {
+	if (strpos($_REQUEST['torrent_pass'], '_') !== false) {
+		error(404);
+	}
+	
 	$UserInfo = $Cache->get_value('user_'.$_REQUEST['torrent_pass']);
 	if (!is_array($UserInfo)) {
 		$DB->query("