diff --git a/pandora_console/ChangeLog b/pandora_console/ChangeLog index c0bf0366ab..209fde642e 100644 --- a/pandora_console/ChangeLog +++ b/pandora_console/ChangeLog @@ -1,3 +1,19 @@ +2008-09-03 Evi Vanoost + + * reporting/fgraph.php: Fixed bug where a graph wouldn't return + when free search was specified. Also made SQL safer against + attacks since fgraph can be accessed by anyone. This should be + fixed in later versions so there has to be no SQL query passed + + * operation/events/events_rss.php: Made RSS feed better. Now you can + also pass a filter from events.php. Fixed direction of the links + + * operation/events/events.php: Added a filter on agent name. Updated + for RSS feeds. Added filter on event id + + * install.php: A little bit of automatic field filling. Corrected some + text for more correct English and update to the new URL specification + 2008-09-03 Esteban Sanchez * include/functions_html.php: Fixed a typo error in print_textarea diff --git a/pandora_console/install.php b/pandora_console/install.php index ff524eac2f..200d3663d2 100644 --- a/pandora_console/install.php +++ b/pandora_console/install.php @@ -317,13 +317,13 @@ function install_step3() { + value='".dirname (__FILE__)."'> -
Full local URL to Pandora FMS Console
+
URL path to Pandora FMS Console
For example '/pandora_console'
+ value='".dirname ($_SERVER['PHP_SELF'])."'>
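Review bot: `dirname ($_SERVER['PHP_SELF'])` is written straight into the input's `value='...'` attribute with no escaping; PHP_SELF reflects the requested path including any trailing PATH_INFO, so it is request-controlled and needs attribute escaping before it is echoed, e.g. `value='".htmlspecialchars (dirname ($_SERVER['PHP_SELF']), ENT_QUOTES)."'>`. Deriving the default from `$_SERVER['SCRIPT_NAME']` instead would drop the PATH_INFO part, but the escaping is still needed because the value lands in HTML either way. The `dirname (__FILE__)` default on the earlier `+` line exposes the filesystem path of the console, which is acceptable for an installer that is meant to be deleted but worth stating in the surrounding help text. install_step3 continues outside the hunk.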
@@ -474,7 +474,7 @@ function install_step5() {

Installation complete

You now must delete manually this installer ('install.php') file for security before trying to access to your Pandora FMS console. -

Now you need to install Pandora FMS server before trying to monitor anything, +

You should also install the Pandora FMS Servers before trying to monitor anything, please read documentation on how to install it.

Don't forget to check http://pandorafms.com for updates.
diff --git a/pandora_console/operation/events/events.php b/pandora_console/operation/events/events.php
index 30105418e3..13358f88ed 100644
--- a/pandora_console/operation/events/events.php
+++ b/pandora_console/operation/events/events.php
@@ -164,13 +164,14 @@ if (isset ($_POST["updatebt"])) {
 // Get data
-$offset = get_parameter ( "offset",0);
-$ev_group = get_parameter ("ev_group", 0); // group
+$offset = (int) get_parameter ( "offset",0);
+$ev_group = (int) get_parameter ("ev_group", 0); // group
 $search = get_parameter ("search", ""); // free search
 $event_type = get_parameter ("event_type", ''); // 0 all
-$severity = get_parameter ("severity", -1); // -1 all
-$status = get_parameter ("status", 0); // -1 all, 0 only red, 1 only green
-$id_agent = get_parameter ("id_agent", -1);
+$severity = (int) get_parameter ("severity", -1); // -1 all
+$status = (int) get_parameter ("status", 0); // -1 all, 0 only red, 1 only green
+$id_agent = (int) get_parameter ("id_agent", -1);
+$id_event = (int) get_parameter ("id_event", -1);
 $sql_post = "";
 if ($ev_group > 1)
@@ -184,10 +185,13 @@ if ($search != "")
 if ($event_type != "")
 $sql_post .= " AND event_type = '$event_type'";
 if ($severity != -1)
- $sql_post .= " AND criticity >= $severity";
+ $sql_post .= " AND criticity >= ".$severity;
 if ($id_agent != -1)
- $sql_post .= " AND id_agente = $id_agent";
-$url = "index.php?sec=eventos&sec2=operation/events/events&search=$search&event_type=$event_type&severity=$severity&status=$status&ev_group=$ev_group&refr=60&id_agent=$id_agent";
+ $sql_post .= " AND id_agente = ".$id_agent;
+if ($id_event != -1)
+ $sql_post .= " AND id_evento = ".$id_event;
+
+$url = "index.php?sec=eventos&sec2=operation/events/events&search=$search&event_type=$event_type&severity=$severity&status=$status&ev_group=$ev_group&refr=60&id_agent=$id_agent&id_event=$id_event";
 echo "
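Review bot: The new `(int)` casts close the numeric filters, but `$search` and `$event_type`, read by the same `get_parameter` calls, still reach `$sql_post` as raw strings (`" AND event_type = '$event_type'"` is visible as context in the @@ -184 hunk) and the rebuilt `$url` also carries them unencoded into a query string that the RSS link further down appears to emit. Escape at each sink rather than at the read: `$sql_post .= " AND event_type = '".mysql_real_escape_string ($event_type)."'";` for the SQL (or the project's own DB escaping helper if it has one), and `urlencode ($search)` / `urlencode ($event_type)` where `$url` is assembled. The same gap applies to the @@ -184 hunk, which is where both strings are consumed, so one fix there covers both hunks.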

".__('Events')." > ".__('Main event view'). " ";
@@ -250,7 +254,24 @@ echo "";
 // Free search
 echo "".__('Free search')."";
 print_input_text ('search', $search, '', 15);
-echo "";
+
+//Agent search
+echo "".__('Agent search')."";
+$sql = "SELECT DISTINCT(id_agente) FROM tevento WHERE 1=1 ".$sql_post;
+$result = get_db_all_rows_sql ($sql);
+if ($result === false)
+ $result = array();
+$agents = array(-1 => "All");
+
+foreach ($result as $id_row) {
+ $agents[$id_row[0]] = dame_nombre_agente ($id_row[0]);
+}
+
+print_select ($agents, 'id_agent', $id_agent, 'javascript:this.form.submit();', '', '');
+echo "";
+
+//The buttons
+echo '';
 print_submit_button (__('Update'), '', false, $attributes = 'class="sub upd"');
 // CSV
@@ -260,7 +281,7 @@ echo '   
 // Marquee
 echo " ";
 // RSS
-echo " ";
+echo ' ';
 echo "";
diff --git a/pandora_console/operation/events/events_rss.php b/pandora_console/operation/events/events_rss.php
index ceca2eb1be..b4acd9dd89 100644
--- a/pandora_console/operation/events/events_rss.php
+++ b/pandora_console/operation/events/events_rss.php
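Review bot: `$agents = array(-1 => "All")` hard-codes an English label while the neighbouring `__('Agent search')` and `__('Free search')` go through the translation helper; use `$agents = array(-1 => __('All'));`. The loop keys on `$id_row[0]`, but the other new consumer of `get_db_all_rows_sql` in this commit (events_rss.php) reads rows by column name, so if the helper returns associative rows this select is filled from an undefined index — `$id_row['id_agente']` should match the `SELECT DISTINCT(id_agente)` column, though the key the helper yields for that expression is worth confirming. The lookup query appends `$sql_post` to `WHERE 1=1`, so it inherits the raw `$search`/`$event_type` interpolation from the filter block above. It is only group-restricted when `ev_group > 1`, so agent names from any group are listed in the dropdown unless an ACL check outside this hunk narrows the result.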
@@ -16,54 +16,82 @@ // along with this program; if not, write to the Free Software // Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. -error_reporting(E_ALL); - require "../../include/config.php"; require "../../include/functions.php"; require_once "../../include/functions_db.php"; -$constraints = ""; +$ev_group = get_parameter ("ev_group", 0); // group +$search = get_parameter ("search", ""); // free search +$event_type = get_parameter ("event_type", ''); // 0 all +$severity = (int) get_parameter ("severity", -1); // -1 all +$status = (int) get_parameter ("status", 0); // -1 all, 0 only red, 1 only green +$id_agent = (int) get_parameter ("id_agent", -1); +$id_event = (int) get_parameter ("id_event", -1); //This will allow to select only 1 event (eg. RSS) +$sql_post = ""; +if ($ev_group > 1) + $sql_post .= " AND `tevento`.`id_grupo` = $ev_group"; +if ($status == 1) + $sql_post .= " AND `tevento`.`estado` = 1"; +if ($status == 0) + $sql_post .= " AND `tevento`.`estado` = 0"; +if ($search != "") + $sql_post .= " AND `tevento`.`evento` LIKE '%$search%'"; +if ($event_type != "") + $sql_post .= " AND `tevento`.`event_type` = '$event_type'"; +if ($severity != -1) + $sql_post .= " AND `tevento`.`criticity` >= ".$severity; +if ($id_agent != -1) + $sql_post .= " AND `tevento`.`id_agente` = ".$id_agent; +if ($id_event != -1) + $sql_post .= " AND id_evento = ".$id_event; + +$sql="SELECT `tevento`.`id_evento` AS event_id, + `tagente`.`nombre` AS agent_name, + `tevento`.`id_usuario` AS validated_by, + `tevento`.`estado` AS validated, + `tevento`.`evento` AS event_descr, + `tevento`.`utimestamp` AS unix_timestamp + FROM tevento, tagente + WHERE `tevento`.`id_agente` = `tagente`.`id_agente` ".$sql_post." 
+ ORDER BY utimestamp DESC LIMIT 0 , 30"; -$sql="SELECT `tevento`.`id_evento` AS event_id, `tagente`.`nombre` AS agent_name, `tevento`.`id_usuario` AS validated_by , `tevento`.`estado` AS validated, `tevento`.`evento` AS event_descr , `tevento`.`utimestamp` AS unix_timestamp, `tgrupo`.`nombre` AS group_name, `tgrupo`.`icon` AS group_icon -FROM tevento, tagente, tgrupo -WHERE `tevento`.`id_agente` = `tagente`.`id_agente` AND `tevento`.`id_grupo` = `tgrupo`.`id_grupo` $constraints -ORDER BY utimestamp DESC -LIMIT 0 , 30"; - -$result=mysql_query($sql); +$result= get_db_all_rows_sql ($sql); //$url = "https://".$_SERVER['HTTP_HOST']."/pandora_console"; $url = 'http://'.$_SERVER['HTTP_HOST'].$config["homeurl"]; +$selfurl = 'http://'.$_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF'].'?'.$_SERVER['QUERY_STRING']; +$rss_feed = ''; +$rss_feed .= 'Pandora RSS FeedLatest events on Pandora'; +$rss_feed .= ''.date(DATE_RFC822, $result[0]['unix_timestamp']).''; +$rss_feed .= ''.$url.''; +$rss_feed .= ''; -$rss_feed = ' -Pandora RSS Feed -Latest events on Pandora -' . $url . ' -'; +if ($result === false) { + $result = array(); + $rss_feed .= ''.$url.'/index.php?sec=eventos&sec2=operation/events/eventsNo results'; + $rss_feed .= 'There are no results. Click on the link to see all Pending events'; + $rss_feed .= ''.$url.'/index.php?sec=eventos&sec2=operation/events/events'; +} -while($row=mysql_fetch_array($result,MYSQL_ASSOC)) { +foreach ($result as $row) { //This is mandatory $rss_feed .= ''; - $rss_feed .= $url . "/operation/events/view_event?id=" . $row['event_id']; + $rss_feed .= htmlentities ($url . "/index.php?sec=eventos&sec2=operation/events/events&id_event=" . $row['event_id']); $rss_feed .= ''; - $rss_feed .= htmlentities($row['agent_name']); + $rss_feed .= htmlentities ($row['agent_name']); $rss_feed .= ''; - $rss_feed .= htmlentities($row['event_descr']); - if($row['validated'] == 1) { - $rss_feed .= '

Validated by ' . $row['validated_by']; - } + $rss_feed .= htmlentities ($row['event_descr']); + if($row['validated'] == 1) { + $rss_feed .= '

Validated by ' . $row['validated_by']; + } $rss_feed .= '
'; - $rss_feed .= $url . "/operation/events/view_event?id=" . $row["event_id"]; + $rss_feed .= htmlentities ($url . "/index.php?sec=eventos&sec2=operation/events/events&id_event=" . $row["event_id"]); $rss_feed .= ''; + //The rest is optional $rss_feed .= '' . date(DATE_RFC822, $row['unix_timestamp']) . ''; - $rss_feed .= ''; - $rss_feed .= '' . $url . ''; - $rss_feed .= '' . $row['group_name'] . ''; - $rss_feed .= '' . $url . '/images/groups_small/' . $row['group_icon'] . '.png'; - $rss_feed .= ''; //This is mandatory again $rss_feed .= '
';
diff --git a/pandora_console/reporting/fgraph.php b/pandora_console/reporting/fgraph.php
index 9bd68c3cf4..3b8d3b5caf 100644
--- a/pandora_console/reporting/fgraph.php
+++ b/pandora_console/reporting/fgraph.php
@@ -1325,7 +1325,7 @@ function graph_event_module ($width = 300, $height = 200, $id_agent) {
 $data = array();
 $legend = array();
- $sql = "SELECT DISTINCT(id_agentmodule) AS id_agentmodule, id_grupo, COUNT(id_agentmodule) AS count FROM tevento WHERE id_agente = ".$id_agent." GROUP BY id_agentmodule";
+ $sql = sprintf ("SELECT DISTINCT(id_agentmodule) AS id_agentmodule, id_grupo, COUNT(id_agentmodule) AS count FROM tevento WHERE id_agente = %d GROUP BY id_agentmodule",$id_agent);
 $result = get_db_all_rows_sql ($sql);
 if ($result === false)
 $result = array();
@@ -1359,10 +1359,13 @@ function grafico_eventos_grupo ($width = 300, $height = 200, $url = "") {
 global $config;
- $url = rawurldecode ($url); //It was urlencoded, so we urldecode it
+ $url = html_entity_decode (rawurldecode ($url),ENT_QUOTES); //It was urlencoded, so we urldecode it
 $data = array();
 $legend = array();
-
+
+ $badstrings = array (";", "SELECT ", "DELETE ", "UPDATE ", "INSERT ");
+ $url = str_ireplace ($badstrings,"",$url); //remove bad strings from the query so queries like ; DELETE FROM don't pass
+
 //This will give the distinct id_agente, give the id_grupo that goes
 //with it and then the number of times it occured. GROUP BY statement
 //is required if both DISTINCT() and COUNT() are in the statement
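Review bot: The channel date is built from `$result[0]['unix_timestamp']` before the `$result === false` fallback that follows it, so a failed or empty query raises an undefined-index notice and emits an epoch date; move that line below the fallback and guard it, e.g. `date(DATE_RFC822, isset ($result[0]['unix_timestamp']) ? $result[0]['unix_timestamp'] : time())`. `$ev_group` is the only filter here that did not receive the `(int)` cast the other parameters got, yet it is still interpolated into `` AND `tevento`.`id_grupo` = $ev_group ``, and `$search`/`$event_type` go into the LIKE and `event_type` clauses raw; this feed is reached outside the form, so every value here is directly URL-supplied and should be escaped at the SQL sink. Inside the loop `$row['validated_by']` is concatenated without the `htmlentities` applied to `agent_name` and `event_descr`, so a user name containing markup characters breaks the XML. `htmlentities` also emits HTML named entities that XML parsers do not define, so `htmlspecialchars` is the safer escaper for feed text.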