diff --git a/post/invoice_model.php b/post/invoice_model.php
index b124a486..2319db50 100644
--- a/post/invoice_model.php
+++ b/post/invoice_model.php
@@ -3,4 +3,6 @@ $date = sanitizeInput($_POST['date']);
$category = intval($_POST['category']);
$scope = sanitizeInput($_POST['scope']);
$invoice_discount = floatval($_POST['invoice_discount']);
-$recurring_discount = floatval($_POST['recurring_discount']);
\ No newline at end of file
+$recurring_discount = floatval($_POST['recurring_discount']);
+
+$config_invoice_prefix = sanitizeInput($config_invoice_prefix);
\ No newline at end of file
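Review bot: The added `$config_invoice_prefix = sanitizeInput($config_invoice_prefix);` line carries no comment, unlike the matching additions in post/profile.php which explain where the variable comes from; add `// Sanitize Config Vars from get_settings.php` above it, and likewise above the identical line added to post/quote_model.php in this commit. Because the assignment overwrites the global in place, any later `sanitizeInput($config_invoice_prefix)` in the script that includes this model would escape the value a second time; I cannot see the including scripts here, so this is worth a quick check rather than a confirmed defect. The model files also have no newline at end of file on either side of the change.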
diff --git a/post/profile.php b/post/profile.php
index 38410fbf..93222dd1 100644
--- a/post/profile.php
+++ b/post/profile.php
@@ -23,6 +23,11 @@ if (isset($_POST['edit_your_user_details'])) {
$user_old_email_sql = mysqli_fetch_assoc(mysqli_query($mysqli, "SELECT user_email FROM users WHERE user_id = $session_user_id"));
$user_old_email = sanitizeInput($user_old_email_sql['user_email']);
+ // Sanitize Config Vars from get_settings.php and Session Vars from check_login.php
+ $config_mail_from_name = sanitizeInput($config_mail_from_name);
+ $config_mail_from_email = sanitizeInput($config_mail_from_email);
+ $config_app_name = sanitizeInput($config_app_name);
+
if (!empty($config_smtp_host) && ($user_old_email !== $email)) {
$details = "Your email address was changed. New email: $email.";
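Review bot: The three `$config_* = sanitizeInput($config_*)` lines added here are repeated verbatim in the two later hunks of this file (the `edit_your_user_password` and `disable_2fa` branches); since each branch runs once per request and the values come from get_settings.php regardless of branch, they would be better hoisted to a single block near the top of post/profile.php so a fourth mail-sending branch cannot forget them. The comment mentions "Session Vars from check_login.php" but no session variable is sanitized in these lines, so either drop that half of the comment or add the session values the body strings interpolate. The enclosing `if (isset($_POST['edit_your_user_details']))` block starts and ends outside this hunk.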
@@ -39,7 +44,7 @@ if (isset($_POST['edit_your_user_details'])) {
'subject' => $subject,
'body' => $body
]
- ];
+ ];
$mail = addToMailQueue($mysqli, $data);
}
@@ -102,12 +107,17 @@ if (isset($_POST['edit_your_user_password'])) {
$name = sanitizeInput($user_sql['user_name']);
$user_email = sanitizeInput($user_sql['user_email']);
+ // Sanitize Config Vars from get_settings.php and Session Vars from check_login.php
+ $config_mail_from_name = sanitizeInput($config_mail_from_name);
+ $config_mail_from_email = sanitizeInput($config_mail_from_email);
+ $config_app_name = sanitizeInput($config_app_name);
+
if (!empty($config_smtp_host)){
$details = "Your password was changed.";
$subject = "$config_app_name account update confirmation for $name";
- $body = "Hi $name,
Your $config_app_name account has been updated, details below:
$details
If you did not perform this change, contact your $config_app_name administrator immediately.
Thanks,
ITFlow
$session_company_name";
+ $body = "Hi $name,
Your $config_app_name account has been updated, details below:
$details
If you did not perform this change, contact your $config_app_name administrator immediately.
Thanks,
$config_app_name";
$data = [
[
@@ -210,6 +220,11 @@ if(isset($_POST['disable_2fa'])){
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'User Settings', log_action = 'Modify', log_description = '$session_name disabled 2FA on their account', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
+ // Sanitize Config Vars from get_settings.php and Session Vars from check_login.php
+ $config_mail_from_name = sanitizeInput($config_mail_from_name);
+ $config_mail_from_email = sanitizeInput($config_mail_from_email);
+ $config_app_name = sanitizeInput($config_app_name);
+
// Email notification
if (!empty($config_smtp_host)) {
$subject = "$config_app_name account update confirmation for $session_name";
diff --git a/post/quote.php b/post/quote.php
index 89cc7459..158c2c83 100644
--- a/post/quote.php
+++ b/post/quote.php
@@ -8,7 +8,6 @@ if (isset($_POST['add_quote'])) {
require_once 'post/quote_model.php';
-
$client = intval($_POST['client']);
//Get the last Quote Number and add 1 for the new Quote number
@@ -356,51 +355,49 @@ if (isset($_GET['email_quote'])) {
);
$row = mysqli_fetch_array($sql);
- $quote_prefix = $row['quote_prefix'];
+ $quote_prefix = sanitizeInput($row['quote_prefix']);
$quote_number = intval($row['quote_number']);
- $quote_scope = $row['quote_scope'];
- $quote_status = $row['quote_status'];
- $quote_date = $row['quote_date'];
- $quote_expire = $row['quote_expire'];
+ $quote_scope = sanitizeInput($row['quote_scope']);
+ $quote_status = sanitizeInput($row['quote_status']);
+ $quote_date = sanitizeInput($row['quote_date']);
+ $quote_expire = sanitizeInput($row['quote_expire']);
$quote_amount = floatval($row['quote_amount']);
- $quote_url_key = $row['quote_url_key'];
- $quote_currency_code = $row['quote_currency_code'];
+ $quote_url_key = sanitizeInput($row['quote_url_key']);
+ $quote_currency_code = sanitizeInput($row['quote_currency_code']);
$client_id = intval($row['client_id']);
- $client_name = $row['client_name'];
- $contact_name = $row['contact_name'];
- $contact_email = $row['contact_email'];
- $quote_prefix_escaped = sanitizeInput($row['quote_prefix']);
- $contact_name_escaped = sanitizeInput($row['contact_name']);
- $contact_email_escaped = sanitizeInput($row['contact_email']);
+ $client_name = sanitizeInput($row['client_name']);
+ $contact_name = sanitizeInput($row['contact_name']);
+ $contact_email = sanitizeInput($row['contact_email']);
$sql = mysqli_query($mysqli,"SELECT * FROM companies WHERE company_id = 1");
$row = mysqli_fetch_array($sql);
- $company_name = $row['company_name'];
- $company_country = $row['company_country'];
- $company_address = $row['company_address'];
- $company_city = $row['company_city'];
- $company_state = $row['company_state'];
- $company_zip = $row['company_zip'];
- $company_phone = formatPhoneNumber($row['company_phone']);
- $company_email = $row['company_email'];
- $company_website = $row['company_website'];
- $company_logo = $row['company_logo'];
+ $company_name = sanitizeInput($row['company_name']);
+ $company_country = sanitizeInput($row['company_country']);
+ $company_address = sanitizeInput($row['company_address']);
+ $company_city = sanitizeInput($row['company_city']);
+ $company_state = sanitizeInput($row['company_state']);
+ $company_zip = sanitizeInput($row['company_zip']);
+ $company_phone = sanitizeInput(formatPhoneNumber($row['company_phone']));
+ $company_email = sanitizeInput($row['company_email']);
+ $company_website = sanitizeInput($row['company_website']);
+ $company_logo = sanitizeInput($row['company_logo']);
// Sanitize Config vars from get_settings.php
- $config_quote_from_name_escaped = sanitizeInput($config_quote_from_name);
- $config_quote_from_email_escaped = sanitizeInput($config_quote_from_email);
+ $config_quote_from_name = sanitizeInput($config_quote_from_name);
+ $config_quote_from_email = sanitizeInput($config_quote_from_email);
+ $config_base_url = sanitizeInput($config_base_url);
- $subject = sanitizeInput("Quote [$quote_scope]");
- $body = mysqli_escape_string($mysqli, "Hello $contact_name,
Thank you for your inquiry, we are pleased to provide you with the following estimate.
$quote_scope
Total Cost: " . numfmt_format_currency($currency_format, $quote_amount, $quote_currency_code) . "
View and accept your estimate online here
~
$company_name
Sales
$config_quote_from_email
$company_phone");
+ $subject = "Quote [$quote_scope]";
+ $body = "Hello $contact_name,
Thank you for your inquiry, we are pleased to provide you with the following estimate.
$quote_scope
Total Cost: " . numfmt_format_currency($currency_format, $quote_amount, $quote_currency_code) . "
View and accept your estimate online here
--
$company_name - Sales
$config_quote_from_email
$company_phone";
// Queue Mail
$data = [
[
'from' => $config_quote_from_email,
'from_name' => $config_quote_from_name,
- 'recipient' => $contact_email_escaped,
- 'recipient_name' => $contact_name_escaped,
+ 'recipient' => $contact_email,
+ 'recipient_name' => $contact_name,
'subject' => $subject,
'body' => $body,
]
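Review bot: The new `$body` assignment drops the `mysqli_escape_string()` wrapper, so the string that reaches `addToMailQueue($mysqli, $data)` is now protected only as far as each interpolated value was passed through `sanitizeInput()`; the `numfmt_format_currency(...)` result and the literal text are not, and whether that is safe depends on how addToMailQueue (outside this hunk) inserts the row. Add a comment above the assignment, `// $body is not DB-escaped here; addToMailQueue() must parameterise or escape it`, or better, confirm that function uses a prepared statement. Note also that if sanitizeInput HTML-encodes its input, names such as O'Brien in `$contact_name` and `$company_name` will render with entities in this plain-text email body, which the earlier `_escaped` split variables avoided. The `if (isset($_GET['email_quote']))` block starts and ends outside this hunk.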
@@ -409,7 +406,7 @@ if (isset($_GET['email_quote'])) {
// Logging
mysqli_query($mysqli,"INSERT INTO history SET history_status = 'Sent', history_description = 'Emailed Quote!', history_quote_id = $quote_id");
- mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Quote', log_action = 'Email', log_description = '$session_name emailed Quote $quote_prefix_escaped$quote_number to $contact_email_escaped Email ID: ', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $quote_id");
+ mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Quote', log_action = 'Email', log_description = '$session_name emailed Quote $quote_prefix$quote_number to $contact_email Email ID: ', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $quote_id");
$_SESSION['alert_message'] = "Quote has been sent";
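Review bot: The rewritten logs INSERT still ends its description with `Email ID: ` followed by nothing, so every entry records an empty id; either append the queue id if `addToMailQueue()` returns one (post/profile.php assigns its result to `$mail`), or remove the dangling `Email ID: ` text. The statement also interpolates `$session_name`, `$session_ip` and `$session_user_agent`, which are not sanitized in this file and presumably rely on check_login.php; a prepared statement with bound parameters would remove that dependency for both this line and the history INSERT above it.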
diff --git a/post/quote_model.php b/post/quote_model.php
index 061d685a..1243a155 100644
--- a/post/quote_model.php
+++ b/post/quote_model.php
@@ -4,3 +4,5 @@ $expire = sanitizeInput($_POST['expire']);
$category = intval($_POST['category']);
$scope = sanitizeInput($_POST['scope']);
$quote_discount = floatval($_POST['quote_discount']);
+
+$config_quote_prefix = sanitizeInput($config_quote_prefix);