diff --git a/html/inc/util_ops.inc b/html/inc/util_ops.inc
index 7ac4e17a6e..ff10678c52 100644
--- a/html/inc/util_ops.inc
+++ b/html/inc/util_ops.inc
@@ -331,6 +331,9 @@ function app_version_desc($avid) {
////// badge-related stuff
function get_badge($name, $title, $image_url) {
+ $name = BoincDb::escape_string($name);
+ $title = BoincDb::escape_string($title);
+ $image_url = BoincDb::escape_string($image_url);
$b = BoincBadge::lookup("name='$name'");
if ($b) return $b;
$now = time();
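Review bot: Escaping `$name`, `$title` and `$image_url` once at the top of `get_badge` is correct only if every later use is a SQL literal — `BoincDb::escape_string` is a SQL-context escape, so if the title or image URL is ever rendered, it still needs `htmlspecialchars` at the output site; the function body continues past this hunk, so the insert that presumably consumes `$title` and `$image_url` is not visible here. For consistency with the sibling change in `tree_threader.php`, which casts before escaping, consider `$name = BoincDb::escape_string((string)$name);` (and likewise for the other two) so a non-string value (e.g. an XML element or null) does not reach the escaper unchanged. A header comment would make the contract explicit: `// Look up a badge by name, creating it if absent. Arguments are escaped here for the SQL below only, not for HTML output.`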
diff --git a/html/user/tree_threader.php b/html/user/tree_threader.php
index c9b827f5e7..b03c623261 100644
--- a/html/user/tree_threader.php
+++ b/html/user/tree_threader.php
@@ -1,5 +1,7 @@
auth;
+$auth = BoincDb::escape_string((string)$r->auth);
$user = BoincUser::lookup("authenticator='$auth'");
if (!$user) error("invalid authenticator");
$user_submit = BoincUserSubmit::lookup_userid($user->id);