diff --git a/app/call_flows/call_flow_delete.php b/app/call_flows/call_flow_delete.php
index 2441928b3a..6a6158d632 100644
--- a/app/call_flows/call_flow_delete.php
+++ b/app/call_flows/call_flow_delete.php
@@ -41,46 +41,61 @@
 $language = new text;
 $text = $language->get();
-//get the http value and set it as a php variable
- if (count($_GET)>0) {
- $id = check_str($_GET["id"]);
- }
-
 //delete the user data
- if (is_uuid($id)) {
+ if (is_uuid($_GET["id"])) {
+
+ $call_flow_uuid = $_GET["id"];
 //get the dialplan uuid
 $sql = "select * from v_call_flows ";
- $sql .= "where domain_uuid = '$domain_uuid' ";
- $sql .= "and call_flow_uuid = '$id' ";
- $prep_statement = $db->prepare($sql);
- $prep_statement->execute();
- while($row = $prep_statement->fetch(PDO::FETCH_ASSOC)) {
+ $sql .= "where domain_uuid = :domain_uuid ";
+ $sql .= "and call_flow_uuid = :call_flow_uuid ";
+ $parameters['domain_uuid'] = $_SESSION['domain_uuid'];
+ $parameters['call_flow_uuid'] = $call_flow_uuid;
+ $database = new database;
+ $row = $database->select($sql, $parameters, 'row');
+ if (is_array($row) && sizeof($row) != 0) {
 $dialplan_uuid = $row['dialplan_uuid'];
 $call_flow_context = $row['call_flow_context'];
 }
+ unset($sql, $parameters, $row);
 //delete call_flow
- $sql = "delete from v_call_flows ";
- $sql .= "where domain_uuid = '$domain_uuid' ";
- $sql .= "and call_flow_uuid = '$id' ";
- $prep_statement = $db->prepare(check_sql($sql));
- $prep_statement->execute();
- unset($sql);
+ $array['call_flows'][0]['call_flow_uuid'] = $call_flow_uuid;
+ $array['call_flows'][0]['domain_uuid'] = $_SESSION['domain_uuid'];
+ $database = new database;
+ $database->app_name = 'call_flows';
+ $database->app_uuid = 'b1b70f85-6b42-429b-8c5a-60c8b02b7d14';
+ $database->delete($array);
+ unset($array);
 //delete the dialplan entry
- $sql = "delete from v_dialplans ";
- $sql .= "where domain_uuid = '$domain_uuid' ";
- $sql .= "and dialplan_uuid = '$dialplan_uuid' ";
- $db->query($sql);
- unset($sql);
+ $p = new permissions;
+ $p->add('dialplan_delete', 'temp');
+
+ $array['dialplans'][0]['dialplan_uuid'] = $dialplan_uuid;
+ $array['dialplans'][0]['domain_uuid'] = $_SESSION['domain_uuid'];
+ $database = new database;
+ $database->app_name = 'call_flows';
+ $database->app_uuid = 'b1b70f85-6b42-429b-8c5a-60c8b02b7d14';
+ $database->delete($array);
+ unset($array);
+
+ $p->delete('dialplan_delete', 'temp');
 //delete the dialplan details
- $sql = "delete from v_dialplan_details ";
- $sql .= "where domain_uuid = '$domain_uuid' ";
- $sql .= "and dialplan_uuid = '$dialplan_uuid' ";
- $db->query($sql);
- unset($sql);
+ $p = new permissions;
+ $p->add('dialplan_detail_delete', 'temp');
+
+ $array['dialplans'][0]['dialplan_uuid'] = $dialplan_uuid;
+ $array['dialplans'][0]['domain_uuid'] = $_SESSION['domain_uuid'];
+ $database = new database;
+ $database->app_name = 'call_flows';
+ $database->app_uuid = 'b1b70f85-6b42-429b-8c5a-60c8b02b7d14';
+ $database->delete($array);
+ unset($array);
+
+ $p->delete('dialplan_detail_delete', 'temp');
 //syncrhonize configuration
 save_dialplan_xml();
@@ -92,10 +107,11 @@
 $cache = new cache;
 $cache->delete("dialplan:".$call_flow_context);
+ //set message
+ message::add($text['message-delete']);
 }
-//send a message an redirect the browser
- message::add($text['message-delete']);
+//redirect the browser
 header("Location: call_flows.php");
 return;
diff --git a/app/call_flows/call_flow_edit.php b/app/call_flows/call_flow_edit.php
index 3880c4093e..b153960f9c 100644
--- a/app/call_flows/call_flow_edit.php
+++ b/app/call_flows/call_flow_edit.php
@@ -44,9 +44,9 @@
 $text = $language->get();
 //action add or update
- if (isset($_REQUEST["id"])) {
+ if (is_uuid($_REQUEST["id"])) {
 $action = "update";
- $call_flow_uuid = check_str($_REQUEST["id"]);
+ $call_flow_uuid = $_REQUEST["id"];
 }
 else {
 $action = "add";
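Review bot: `$dialplan_uuid` and `$call_flow_context` are only assigned inside the `if (is_array($row) && sizeof($row) != 0)` branch, yet the two `$array['dialplans']` deletes that follow (and the `$cache->delete("dialplan:".$call_flow_context)` in the `@@ -92` hunk) run regardless, so a well-formed id that matches no row in this domain reaches `$database->delete()` with an undefined `$dialplan_uuid`; how the database class renders a null key in its where clause is not visible here, and if it drops the term the delete is no longer scoped to a single dialplan. Gate the rest of the block on the lookup, e.g. right after the select: `if (!is_array($row) || sizeof($row) == 0) { header("Location: call_flows.php"); return; }`. The third block, commented "delete the dialplan details", fills `$array['dialplans']` again and repeats the dialplan delete under the `dialplan_detail_delete` temp permission rather than addressing dialplan_details — confirm whether the database class cascades to child tables or whether the key should be `dialplan_details`. `is_uuid($_GET["id"])` on the first added line also emits an undefined-index notice when no id is supplied; `isset($_GET["id"]) && is_uuid($_GET["id"])` avoids it. If `$database->delete()` throws, the matching `$p->delete(..., 'temp')` cleanup is skipped, so the temporary permission may outlive this request unless the permissions class scopes 'temp' entries itself.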
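Review bot: `is_uuid($_REQUEST["id"])` reads the key before checking that it exists, so every add-mode request (no id) now raises an undefined-index notice where the old `isset` test was silent; keep the guard in front of the format check: `if (isset($_REQUEST["id"]) && is_uuid($_REQUEST["id"])) {`. The add/update branches are complete within the hunk; the code that later consumes `$call_flow_uuid` is not.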
@@ -56,21 +56,21 @@
 if (is_array($_POST)) {
 //set the variables from the http values
- $call_flow_uuid = check_str($_POST["call_flow_uuid"]);
- $dialplan_uuid = check_str($_POST["dialplan_uuid"]);
- $call_flow_name = check_str($_POST["call_flow_name"]);
- $call_flow_extension = check_str($_POST["call_flow_extension"]);
- $call_flow_feature_code = check_str($_POST["call_flow_feature_code"]);
- $call_flow_status = check_str($_POST["call_flow_status"]);
- $call_flow_pin_number = check_str($_POST["call_flow_pin_number"]);
- $call_flow_label = check_str($_POST["call_flow_label"]);
- $call_flow_sound = check_str($_POST["call_flow_sound"]);
- $call_flow_destination = check_str($_POST["call_flow_destination"]);
- $call_flow_alternate_label = check_str($_POST["call_flow_alternate_label"]);
- $call_flow_alternate_sound = check_str($_POST["call_flow_alternate_sound"]);
- $call_flow_alternate_destination = check_str($_POST["call_flow_alternate_destination"]);
- $call_flow_context = check_str($_POST["call_flow_context"]);
- $call_flow_description = check_str($_POST["call_flow_description"]);
+ $call_flow_uuid = $_POST["call_flow_uuid"];
+ $dialplan_uuid = $_POST["dialplan_uuid"];
+ $call_flow_name = $_POST["call_flow_name"];
+ $call_flow_extension = $_POST["call_flow_extension"];
+ $call_flow_feature_code = $_POST["call_flow_feature_code"];
+ $call_flow_status = $_POST["call_flow_status"];
+ $call_flow_pin_number = $_POST["call_flow_pin_number"];
+ $call_flow_label = $_POST["call_flow_label"];
+ $call_flow_sound = $_POST["call_flow_sound"];
+ $call_flow_destination = $_POST["call_flow_destination"];
+ $call_flow_alternate_label = $_POST["call_flow_alternate_label"];
+ $call_flow_alternate_sound = $_POST["call_flow_alternate_sound"];
+ $call_flow_alternate_destination = $_POST["call_flow_alternate_destination"];
+ $call_flow_context = $_POST["call_flow_context"];
+ $call_flow_description = $_POST["call_flow_description"];
 //seperate the action and the param
 $destination_array = explode(":", $call_flow_destination);
@@ -88,7 +88,7 @@
 //get the uuid from the POST
 if ($action == "update") {
- $call_flow_uuid = check_str($_POST["call_flow_uuid"]);
+ $call_flow_uuid = $_POST["call_flow_uuid"];
 }
 //check for all required data
@@ -125,12 +125,12 @@
 }
 //add the call_flow_uuid
- if (strlen($call_flow_uuid) == 0) {
+ if (!is_uuid($call_flow_uuid)) {
 $call_flow_uuid = uuid();
 }
 //add the dialplan_uuid
- if (strlen($dialplan_uuid) == 0) {
+ if (!is_uuid($dialplan_uuid)) {
 $dialplan_uuid = uuid();
 }
@@ -267,7 +267,6 @@
 $parameters['call_flow_uuid'] = $call_flow_uuid;
 $database = new database;
 $result = $database->select($sql, $parameters, 'all');
- unset($parameters, $sql);
 foreach ($result as $row) {
 //set the php variables
 $call_flow_uuid = $row["call_flow_uuid"];
@@ -304,7 +303,7 @@
 $alternate_destination_label = $call_flow_alternate_data;
 }
 }
- unset ($prep_statement);
+ unset ($sql, $parameters, $result, $row);
 }
 //set the context for users that are not in the superadmin group
@@ -410,7 +409,6 @@
 echo " \n";
 }
 }
- unset ($prep_statement);
 echo "\n";
 }
 //sounds
diff --git a/app/call_flows/call_flows.php b/app/call_flows/call_flows.php
index d1106d50ed..4325a70f24 100644
--- a/app/call_flows/call_flows.php
+++ b/app/call_flows/call_flows.php
@@ -46,26 +46,11 @@
 $document['title'] = $text['title-call_flows'];
 //get variables used to control the order
- $order_by = check_str($_GET["order_by"]);
- $order = check_str($_GET["order"]);
-
-//validate order by
- if (strlen($order_by) > 0) {
- $order_by = preg_replace('#[^a-zA-Z0-9_\-]#', '', $order_by);
- }
-
-//validate the order
- switch ($order) {
- case 'asc':
- break;
- case 'desc':
- break;
- default:
- $order = '';
- }
+ $order_by = $_GET["order_by"];
+ $order = $_GET["order"];
 //add the search term
- $search = strtolower(check_str($_GET["search"]));
+ $search = strtolower($_GET["search"]);
 if (strlen($search) > 0) {
 $sql_search = "and (";
 $sql_search .= "lower(call_flow_name) like :search ";
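Review bot: Removing `check_str()` from the fifteen `$_POST` reads leaves these values unescaped for every later consumer, not only the SQL that is now parameterized elsewhere: the same variables are presumably echoed back into the edit form and written into the dialplan XML by `save_dialplan_xml()` (both outside this hunk), so `htmlspecialchars()` at the HTML output and proper escaping in the dialplan writer are now the only line of defence and should be confirmed. Each read also raises an undefined-index notice for any field the form omits; `$call_flow_name = isset($_POST["call_flow_name"]) ? $_POST["call_flow_name"] : '';` (and likewise per field) keeps the variables defined strings. `$call_flow_uuid` and `$dialplan_uuid` get a format check in the `@@ -125` hunk, but fields such as `$call_flow_extension`, `$call_flow_feature_code` and `$call_flow_context` receive no validation at all. The enclosing `if (is_array($_POST))` block continues past the hunk.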
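Review bot: The update branch copies `$_POST["call_flow_uuid"]` unchecked, and the `@@ -125` hunk then replaces any non-uuid value with `uuid()`, so a malformed id on an update request is silently swapped for one the client never sent and the save logic outside this hunk acts on that instead of rejecting the request; validate here, e.g. `if (!is_uuid($_POST["call_flow_uuid"])) { header("Location: call_flows.php"); return; }` before the assignment. The assignment also duplicates the one at the top of the `@@ -56` hunk, which already sets `$call_flow_uuid` from the same key, so one of the two can go. The `if ($action == "update")` block is complete within the hunk.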
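Review bot: The whitelist that reduced `$order_by` to `[a-zA-Z0-9_-]` and `$order` to `asc`/`desc` is removed while both values are still read straight from `$_GET` and, in the `@@ -113` hunk, concatenated into the query through `order_by($order_by, $order)`; unless that helper (not visible here) re-applies an equivalent whitelist, user input now reaches the order-by clause outside the bound parameters. A local check costs one line and does not depend on the helper: `$order = in_array($order, ['asc', 'desc'], true) ? $order : '';` plus a matching `in_array` of `$order_by` against the table's column names. All three reads also raise undefined-index notices when the parameter is absent, and `strtolower()` then receives null; `isset($_GET["search"]) ? $_GET["search"] : ''` (and likewise for `order_by` and `order`) keeps them strings. The `if (strlen($search) > 0)` block continues past the hunk.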
@@ -84,6 +69,7 @@
 //$sql_search .= "or lower(call_flow_alternate_data) like :search ";
 $sql_search .= "or lower(call_flow_description) like :search ";
 $sql_search .= ") ";
+ $parameters['search'] = '%'.$search.'%';
 }
 //additional includes
@@ -91,15 +77,13 @@
 require_once "resources/paging.php";
 //prepare to page the results
- $sql = "select count(call_flow_uuid) as num_rows from v_call_flows ";
+ $sql = "select count(call_flow_uuid) from v_call_flows ";
 $sql .= "where domain_uuid = :domain_uuid ";
 $sql .= $sql_search;
 $parameters['domain_uuid'] = $_SESSION['domain_uuid'];
- if (strlen($search) > 0) {
- $parameters['search'] = '%'.$search.'%';
- }
 $database = new database;
 $num_rows = $database->select($sql, $parameters, 'column');
+ unset($sql);
 //prepare to page the results
 $rows_per_page = ($_SESSION['domain']['paging']['numeric'] != '') ? $_SESSION['domain']['paging']['numeric'] : 50;
@@ -113,12 +97,11 @@
 $sql = "select * from v_call_flows ";
 $sql .= "where domain_uuid = :domain_uuid ";
 $sql .= $sql_search;
- if (strlen($order_by) > 0) { $sql .= "order by $order_by $order "; }
- $sql .= "limit :rows_per_page offset :offset ";
+ $sql .= order_by($order_by, $order);
+ $sql .= limit_offset($rows_per_page, $offset);
 $database = new database;
- $parameters['rows_per_page'] = $rows_per_page;
- $parameters['offset'] = $offset;
 $call_flows = $database->select($sql, $parameters, 'all');
+ unset($sql, $parameters);
 //alternate the row style
 $c = 0;
@@ -215,7 +198,7 @@
 echo "\n";
 if ($c==0) { $c=1; } else { $c=0; }
 } //end foreach
- unset($sql, $call_flows, $row_count);
+ unset($call_flows);
 } //end if results
 echo "
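Review bot: Replacing the bound `:rows_per_page`/`:offset` parameters with `limit_offset($rows_per_page, $offset)` in the `@@ -113` hunk moves two more values out of the prepared statement and into the SQL string; `$offset` is presumably derived from the page number in the request by the paging include and `$rows_per_page` from session settings, so unless `limit_offset()` (not visible here) casts both to int this is a second string-built clause next to `order_by()`. Casting at the call site removes the dependency on the helper: `$sql .= limit_offset((int) $rows_per_page, (int) $offset);`. The same concern for `order_by()` is raised on this file's `@@ -46` hunk, where the input whitelist was removed.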