diff --git a/application/controllers/Backup.php b/application/controllers/Backup.php
index ddd78b15e..44bf3bace 100644
--- a/application/controllers/Backup.php
+++ b/application/controllers/Backup.php
@@ -26,13 +26,15 @@ class Backup extends CI_Controller {
 if(!$this->user_model->authorize(99)) {
 $this->session->set_flashdata('notice', 'You\'re not allowed to do that!');
 redirect('dashboard');
 }
 }
+ $clean_key = $this->security->xss_clean($key);
+
 $this->load->helper('file');
 // Set memory limit to unlimited to allow heavy usage
 ini_set('memory_limit', '-1');
 $this->load->model('adif_data');
- $data['qsos'] = $this->adif_data->export_all($key);
+ $data['qsos'] = $this->adif_data->export_all($clean_key);
 $data['filename'] = 'backup/logbook'. date('_Y_m_d_H_i_s') .'.adi';
@@ -61,10 +63,12 @@ class Backup extends CI_Controller {
 if(!$this->user_model->authorize(99)) {
 $this->session->set_flashdata('notice', 'You\'re not allowed to do that!');
 redirect('dashboard');
 }
 }
+ $clean_key = $this->security->xss_clean($key);
+
 $this->load->helper('file');
 $this->load->model('note');
- $data['list_note'] = $this->note->list_all($key);
+ $data['list_note'] = $this->note->list_all($clean_key);
 $data['filename'] = 'backup/notes'. date('_Y_m_d_H_i_s') .'.xml';
diff --git a/application/controllers/Notes.php b/application/controllers/Notes.php
index 580515390..b411a3fc9 100644
--- a/application/controllers/Notes.php
+++ b/application/controllers/Notes.php
@@ -12,8 +12,7 @@ class Notes extends CI_Controller {
 /* Displays all notes in a list */
- public function index()
- {
+ public function index() {
 $this->load->model('note');
 $data['notes'] = $this->note->list_all();
 $data['page_title'] = __("Notes");
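Review bot: `xss_clean()` is an HTML output filter, not a validator, so the `$clean_key` assigned on the new line after the two closing braces is still an arbitrary string when it reaches `export_all()`; the Notes controller hunks in this same commit validate their cleaned value before using it, and the key deserves the same treatment. The authorization block above that line already consumed `$key` unmodified (the enclosing check it sits in starts outside the hunk, so this is inferred from the nesting), which means a key the filter alters would pass the session check as one value and drive the export as another. Rejecting any key the filter changed keeps the two paths consistent without assuming a key format: `if ($key !== null && $clean_key !== $key) { show_404(); }` (the `null` case is kept because the model hunks compare `$api_key == null` for the no-key, session-user path). The second Backup hunk (`list_all($clean_key)`) has the identical issue. Both enclosing methods start outside their hunks.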
@@ -50,9 +49,16 @@ class Notes extends CI_Controller {
 /* View Notes */
 function view($id) {
+
+ $clean_id = $this->security->xss_clean($id);
+
+ if (! is_numeric($clean_id)) {
+ show_404();
+ }
+
 $this->load->model('note');
- $data['note'] = $this->note->view($id);
+ $data['note'] = $this->note->view($clean_id);
 // Display
 $data['page_title'] = __("Note");
@@ -63,10 +69,17 @@ class Notes extends CI_Controller {
 /* Edit Notes */
 function edit($id) {
+
+ $clean_id = $this->security->xss_clean($id);
+
+ if (! is_numeric($clean_id)) {
+ show_404();
+ }
+
 $this->load->model('note');
- $data['id'] = $id;
+ $data['id'] = $clean_id;
- $data['note'] = $this->note->view($id);
+ $data['note'] = $this->note->view($clean_id);
 $this->load->library('form_validation');
@@ -91,8 +104,15 @@ class Notes extends CI_Controller {
 /* Delete Note */
 function delete($id) {
+
+ $clean_id = $this->security->xss_clean($id);
+
+ if (! is_numeric($clean_id)) {
+ show_404();
+ }
+
 $this->load->model('note');
- $this->note->delete($id);
+ $this->note->delete($clean_id);
 redirect('notes');
 }
diff --git a/application/models/Note.php b/application/models/Note.php
index 95c11d7f3..8027ab0d5 100644
--- a/application/models/Note.php
+++ b/application/models/Note.php
@@ -6,8 +6,7 @@ class Note extends CI_Model {
 if ($api_key == null) {
 $user_id = $this->session->userdata('user_id');
 } else {
- $CI =& get_instance();
- $CI->load->model('api_model');
+ $this->load->model('api_model');
 if (strpos($this->api_model->access($api_key), 'r') !== false) {
 $this->api_model->update_last_used($api_key);
 $user_id = $this->api_model->key_userid($api_key);
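Review bot: The new `is_numeric($clean_id)` guard in `view()` accepts more than an integer id: `is_numeric()` is true for `'1.5'`, `'1e3'`, `'-1'` and values with leading whitespace, so if note ids are positive integers (suggested by the `id` column, verify against the schema) `ctype_digit((string) $id)` is the precise check, and once the value passes that check the preceding `xss_clean()` call adds nothing. The same seven added lines are repeated verbatim in the `edit()` and `delete()` hunks below; a single private helper such as `private function note_id($id) { if (!ctype_digit((string) $id)) { show_404(); } return (int) $id; }` would keep the three entry points consistent. This relies on `show_404()` terminating the request, which CodeIgniter's implementation does, so no `return` is needed after it. Each of the three enclosing methods continues past its hunk.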
@@ -20,9 +19,9 @@ class Note extends CI_Model {
 function add() {
 $data = array(
- 'cat' => xss_clean($this->input->post('category')),
- 'title' => xss_clean($this->input->post('title')),
- 'note' => xss_clean($this->input->post('content')),
+ 'cat' => $this->input->post('category', TRUE),
+ 'title' => $this->input->post('title', TRUE),
+ 'note' => $this->input->post('content', TRUE),
 'user_id' => $this->session->userdata('user_id')
 );
@@ -31,23 +30,37 @@ class Note extends CI_Model {
 function edit() {
 $data = array(
- 'cat' => xss_clean($this->input->post('category')),
- 'title' => xss_clean($this->input->post('title')),
- 'note' => xss_clean($this->input->post('content'))
+ 'cat' => $this->input->post('category', TRUE),
+ 'title' => $this->input->post('title', TRUE),
+ 'note' => $this->input->post('content', TRUE)
 );
- $this->db->where('id', xss_clean($this->input->post('id')));
+ $this->db->where('id', $this->input->post('id', TRUE));
 $this->db->where('user_id', $this->session->userdata('user_id'));
 $this->db->update('notes', $data);
 }
 function delete($id) {
- $this->db->delete('notes', array('id' => xss_clean($id), 'user_id' =>$this->session->userdata('user_id')));
+
+ $clean_id = $this->security->xss_clean($id);
+
+ if (! is_numeric($clean_id)) {
+ show_404();
+ }
+
+ $this->db->delete('notes', array('id' => $clean_id, 'user_id' => $this->session->userdata('user_id')));
 }
 function view($id) {
+
+ $clean_id = $this->security->xss_clean($id);
+
+ if (! is_numeric($clean_id)) {
+ show_404();
+ }
+
 // Get Note
- $this->db->where('id', xss_clean($id));
+ $this->db->where('id', $clean_id);
 $this->db->where('user_id', $this->session->userdata('user_id'));
 return $this->db->get('notes');
 }
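Review bot: In the second hunk, `edit()` now reads the row id with `$this->input->post('id', TRUE)` but, unlike the new `delete()` and `view()` bodies a few lines further down, never validates it as numeric before it reaches `$this->db->where('id', ...)`; the same guard belongs there, e.g. `$id = $this->input->post('id', TRUE); if (! is_numeric($id)) { show_404(); }`. Calling `show_404()` from inside a model ends the request from the data layer, and since the Notes controller hunks in this commit already perform the identical check before calling `view()` and `delete()`, the model could instead throw (or return an empty result) and leave the HTTP response to the controller, which also removes the duplicated validation. In `delete()` and `view()` the `xss_clean()` call ahead of `is_numeric` is redundant: once the value must be numeric, the numeric check alone establishes that it is safe to bind, and `ctype_digit((string) $id)` would be the stricter form if ids are positive integers (verify against the schema). The `user_id` restriction on each query is the access control that matters here and is unchanged.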