diff --git a/application/fortune/fortuneData.py b/application/fortune/fortuneData.py
index fb50f49..16631f3 100644
--- a/application/fortune/fortuneData.py
+++ b/application/fortune/fortuneData.py
@@ -102,7 +102,8 @@ def FortuneData():
 "Happy life is just in front of you."
 ]
- return random.choice(fortunes)
+ rand = random.SystemRandom()
+ return rand.choice(fortunes)
 def RiddleData():
diff --git a/application/views/blabController.py b/application/views/blabController.py
index 23d728b..7a588cc 100644
--- a/application/views/blabController.py
+++ b/application/views/blabController.py
@@ -208,7 +208,7 @@ def blab(request):
 # Get comments
 logger.info("Executing query to get all comments")
- cursor.execute(blabCommentsSql % (blabid,))
+ cursor.execute(blabCommentsSql, (blabid, ))
 blabCommentsResults = cursor.fetchall()
 comments = []
@@ -254,7 +254,8 @@ def blab(request):
 with connection.cursor() as cursor:
 logger.info("Executing addComment")
- cursor.execute(addCommentSql % (blabid, username, comment, moment.now().format("YYYY-MM-DD hh:mm:ss")))
+ addCommentSql = "INSERT INTO comments (blabid, blabber, content, timestamp) values (%s, %s, %s, %s);"
+ cursor.execute(addCommentSql, (blabid, username, comment, moment.now().format("YYYY-MM-DD hh:mm:ss")))
 if not cursor.rowcount:
 request.error = "Failed to add comment"
diff --git a/application/views/resetController.py b/application/views/resetController.py
index a00ee78..e6fe75e 100644
--- a/application/views/resetController.py
+++ b/application/views/resetController.py
@@ -108,6 +108,7 @@ def processReset(request):
 listenersStatement = "INSERT INTO listeners (blabber, listener, status) values ('%s', '%s', 'Active');"
 for blabber in users[2:]:
 for listener in users[2:]:
+ rand = random.SystemRandom()
 rand = random.SystemRandom()
 if rand.choice([False, True]) and (blabber!= listener):
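Review bot: The added `rand = random.SystemRandom()` is constructed on every call just to pick a non-secret fortune string, so the OS entropy source buys nothing here beyond, presumably, silencing a scanner finding on `random.choice`. If the intent is to standardise on a CSPRNG anyway, `return secrets.choice(fortunes)` is the one-line stdlib idiom and avoids the per-call instance (it needs `import secrets`, which lives outside the hunk). FortuneData's body starts outside the hunk.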
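Review bot: The switch to `cursor.execute(blabCommentsSql, (blabid, ))` is only correct if `blabCommentsSql`, defined outside this hunk, uses a bare `%s` placeholder; the other statements visible in this diff (`listenersStatement`, the old `update` string) wrap theirs in quotes as `'%s'`, and a quoted placeholder handed to the DB-API driver becomes a doubly quoted literal or a syntax error rather than a bound parameter. Please confirm the definition reads `... WHERE blabid = %s` and not `'%s'`, and consider defining it next to this call so the two cannot drift apart. The enclosing `with connection.cursor()` block begins outside the hunk.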
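Review bot: The added `addCommentSql = "INSERT INTO comments ..."` is assigned inside the `with` block and shadows the earlier `addCommentSql` that the removed line was formatting; that earlier definition, outside this hunk, is now dead and, if it still carries quoted `'%s'` placeholders, is a trap for the next caller. Update or delete it at its original location instead of redefining the name here. Unrelated but carried over on the new side: `moment.now().format("YYYY-MM-DD hh:mm:ss")` uses `hh`, which in moment-style tokens is the 12-hour clock, so `HH` is needed if the timestamp column is meant to be 24-hour.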
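Review bot: The added `rand = random.SystemRandom()` duplicates the identical context line directly below it, so the first instance is discarded before use; drop one, or better hoist a single `rand = random.SystemRandom()` above the two `for` loops instead of re-creating it for every blabber/listener pair. Note also that `listenersStatement` in the context still interpolates `'%s'` values by string formatting while the rest of this commit moves to bound parameters; for consistency it should become `values (%s, %s, 'Active')` with a parameter tuple at the execute call, which is outside the hunk. The loop body continues past the hunk.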
@@ -127,6 +128,7 @@ def processReset(request):
 for blabContent in blabsContent:
 # Get the array offset for a random user
 rand = random.SystemRandom()
+ rand = random.SystemRandom()
 randomUserOffset = rand.randint(2, len(users) - 1)
 # get the number or seconds until some time in the last 30 days.
@@ -147,12 +149,13 @@ def processReset(request):
 for i in range(len(blabsContent)):
 # Add a random number of comment
 rand = random.SystemRandom()
- count = rand.randint(0, 5) # between 0 and 6
+ rand = random.SystemRandom()
+ count = rand.randint(0, 5)
 for j in range(count) :
 # Get the array offset for a random user
 rand = random.SystemRandom()
- randomUserOffset = rand.randint(2, len(users)-1) #removed +1 cause no admin, removed -2 because no admin and inclusive.
+ randomUserOffset = random.SystemRandom().randint(2, len(users)-1)
 username = users[randomUserOffset].username
 # Pick a random comment to add
diff --git a/application/views/userController.py b/application/views/userController.py
index e7fe33a..378e737 100644
--- a/application/views/userController.py
+++ b/application/views/userController.py
@@ -196,9 +196,9 @@ def showPasswordHint(request):
 formatString = "Username '" + username + "' has password: {}"
 hint = formatString.format(password[:2] + ("*" * (len(password) - 2)))
 logger.info(hint)
- return HttpResponse(escape(hint))
+ return escape(HttpResponse(escape(hint)))
 else:
- return HttpResponse(escape("No password found for " + username))
+ return HttpResponse(escape(escape("No password found for " + username)))
 except DatabaseError as db_err:
 logger.error("Database error", db_err)
 return HttpResponse("ERROR!")
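Review bot: The added `rand = random.SystemRandom()` under `# Get the array offset for a random user` is an exact duplicate of the context line directly above it and should be removed. Building a fresh `SystemRandom` for every `blabContent` iteration serves no purpose either; one instance created before the loop covers every draw in the function. The loop body continues past the hunk.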
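Review bot: The added `rand = random.SystemRandom()` after `# Add a random number of comment` is another duplicate of the context line right above it, and the new `randomUserOffset = random.SystemRandom().randint(2, len(users)-1)` builds yet another instance per comment while the `rand` bound one line earlier goes unused. A single `rand = random.SystemRandom()` before the outer `for i` loop, with `rand.randint(...)` at both call sites, is the consistent shape. Dropping `# between 0 and 6` is fine since it was wrong for `randint(0, 5)`, but the removed explanation of why the lower bound is 2 (the old comment says the first two users are excluded as admin accounts) was useful; keep a short note such as `# skip the reserved accounts at users[0:2]; randint's upper bound is inclusive`. The loop body continues past the hunk.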
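Review bot: `return escape(HttpResponse(escape(hint)))` on the new side breaks the view: assuming `escape` is `django.utils.html.escape`, it calls `str()` on the response object and returns an escaped string such as `&lt;HttpResponse status_code=200 ...&gt;`, so the view no longer returns an `HttpResponse` and Django raises a ValueError at request time. The else branch's `escape(escape(...))` double-encodes, turning any `&` in `username` into `&amp;amp;`. Revert both to a single escape of the text: `return HttpResponse(escape(hint))` and `return HttpResponse(escape("No password found for " + username))`. Independently of this change, the hint still writes the first two password characters to the log via `logger.info(hint)` and to the client, which deserves a deliberate decision rather than an escaping tweak. The function starts outside the hunk.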
@@ -585,7 +585,8 @@ def processProfile(request):
 logger.info("Preparing the update Prepared Statement")
 update = "UPDATE users SET real_name='%s', blab_name='%s' WHERE username='%s';"
 logger.info("Executing the update Prepared Statement")
- cursor.execute(update % (realName, blabName, sessionUsername), (realName, blabName, sessionUsername))
+ update = "UPDATE users SET real_name=:realName, blab_name=:blabName WHERE username=:username"
+ cursor.execute(update, {"realName": realName, "blabName": blabName, "username": sessionUsername})
 updateResult = cursor.fetchone()
 # If there is a record...
@@ -706,7 +707,7 @@ def downloadImage(request):
 if mime_type is None:
 mime_type = "application/octet-stream"
 logger.info("MIME type: " + mime_type)
- response = HttpResponse(file.read(), content_type=mime_type)
+ response = escape(HttpResponse(file.read(), content_type=mime_type))
 response.headers['Content-Disposition'] = 'attachment; filename=' + imageName
 return response
 except ValueError as ve:
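Review bot: The new `update` string uses `:realName`-style placeholders, which Django's cursor does not treat as portable: Django documents `%s` and `%(name)s` for every backend (the sqlite backend rewrites those itself), so `:name` works only where the underlying driver happens to accept it natively and, as far as I can tell, fails on MySQL and PostgreSQL. Use `update = "UPDATE users SET real_name=%(realName)s, blab_name=%(blabName)s WHERE username=%(username)s"` with the same dict, which also matches the `%s` style adopted elsewhere in this commit. The old `update = "UPDATE users SET real_name='%s', ..."` two lines above is now dead and should be deleted rather than shadowed, and `cursor.fetchone()` after an UPDATE is driver-dependent — `cursor.rowcount`, as used in blabController in this same diff, is the reliable check. The function body continues past the hunk.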
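Review bot: `response = escape(HttpResponse(file.read(), content_type=mime_type))` makes `downloadImage` fail on every request: assuming `escape` is `django.utils.html.escape`, it returns a string, so the very next line `response.headers['Content-Disposition'] = ...` raises AttributeError. HTML-escaping a binary file body is not meaningful in any case; keep `response = HttpResponse(file.read(), content_type=mime_type)`. Separately, the `Content-Disposition` value is built by concatenating `imageName` unquoted; if that name derives from the request (the function starts outside the hunk, so I cannot tell), a value containing `;`, `"` or a newline can alter the header — `FileResponse(file, as_attachment=True, filename=imageName)` handles quoting and encoding for you. The enclosing `try` begins outside the hunk.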