diff --git a/MassScheduleModal.php b/MassScheduleModal.php
index f791ce32..39f87831 100644
--- a/MassScheduleModal.php
+++ b/MassScheduleModal.php
@@ -30,9 +30,11 @@ include'ConfigInc.php';
 include 'Warehouse.php';
+$id = sqlSecurityFilter($_REQUEST['id']);
+
 if ($_REQUEST['table_name'] != '' && $_REQUEST['table_name'] == 'course_periods') {
- $sql = "SELECT * FROM course_periods WHERE COURSE_ID='$_REQUEST[id]'AND (marking_period_id IS NOT NULL AND marking_period_id IN(" . GetAllMP(GetMPTable(GetMP(UserMP(), 'TABLE')), UserMP()) . ") OR marking_period_id IS NULL AND '" . date('Y-m-d') . "' <= end_date) ORDER BY TITLE";
+ $sql = "SELECT * FROM course_periods WHERE COURSE_ID='" . $id . "' AND (marking_period_id IS NOT NULL AND marking_period_id IN(" . GetAllMP(GetMPTable(GetMP(UserMP(), 'TABLE')), UserMP()) . ") OR marking_period_id IS NULL AND '" . date('Y-m-d') . "' <= end_date) ORDER BY TITLE";
 $QI = DBQuery($sql);
 $coursePeriods_RET = DBGet($QI);
@@ -55,7 +57,7 @@ if ($_REQUEST['table_name'] != '' && $_REQUEST['table_name'] == 'courses') {
- $sql = "SELECT COURSE_ID,c.TITLE, CONCAT_WS(' - ',c.short_name,c.title) AS GRADE_COURSE FROM courses c LEFT JOIN school_gradelevels sg ON c.grade_level=sg.id WHERE SUBJECT_ID='$_REQUEST[id]' ORDER BY c.TITLE";
+ $sql = "SELECT COURSE_ID,c.TITLE, CONCAT_WS(' - ',c.short_name,c.title) AS GRADE_COURSE FROM courses c LEFT JOIN school_gradelevels sg ON c.grade_level=sg.id WHERE SUBJECT_ID='" . $id . "' ORDER BY c.TITLE";
 $QI = DBQuery($sql);
 $courses_RET = DBGet($QI);
 $html = 'course_modal||';
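Review bot: The rewritten `$sql` line in the first hunk, and the matching one in the second hunk, still concatenate `$id` into the query text, so how much this closes depends entirely on what `sqlSecurityFilter()` does, and its implementation is not part of this diff; if it only escapes quotes, any non-numeric value still reaches the `COURSE_ID=` / `SUBJECT_ID=` comparison unchanged. Those columns look like integer keys (inferred from their use, not shown here), so the cheap extra guard is to reject anything that is not a plain number before either query runs, e.g. `if (!ctype_digit((string) ($_REQUEST['id'] ?? ''))) { ... return or exit as the rest of the file does ... }`, keeping the filter call as is. The new `$id = sqlSecurityFilter($_REQUEST['id']);` line also reads the key unconditionally, so a request without `id` now emits an undefined-index warning before the `table_name` checks; `sqlSecurityFilter($_REQUEST['id'] ?? '')` avoids that. A one-line comment above the assignment stating that `$id` is the only request value that may be interpolated into SQL in this file would help the next maintainer keep it that way.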