diff --git a/lib/ldap-auth.php b/lib/ldap-auth.php
index bdf5656c21c2e35207b230e562d48aab61e9f01a..10bb2f2ae587788fcb8cdbcd61514282fb2e6d43 100644
--- a/lib/ldap-auth.php
+++ b/lib/ldap-auth.php
@@ -12,7 +12,7 @@ will return "nope" if the user/pass passed is inavlid
 
 Example usage:
 
-include_once("ldap-auth.php");
+require "ldap-auth.php";
 
 isAuthd = ldapAuth("usaername", "password");
 
@@ -29,6 +29,8 @@ if (isAuthd == "sucs"){
 // we don't care about warnings, we write our own
 error_reporting(E_ERROR | E_PARSE);
 
+define(LDAP_OPT_DIAGNOSTIC_MESSAGE, 0x0032);
+
 function ldapAuth($username, $password)
 {
 
@@ -45,24 +47,29 @@ function ldapAuth($username, $password)
             $username = implode("@", $s);
         }
 
+        // filter out everything but A-Z a-z 0-9 . - _ from username
+        $safeusername = preg_replace("/[^A-Za-z0-9\.\-\_]/", '', $username);
+
+        // if safeusername isn't the same as username just error out
+        if ($safeusername != $username) {
+            return "nope";
+        }
+
         // ldap servers
         $sucsLDAPServer = 'silver.sucs.swan.ac.uk';
-        $lisLDAPServer = 'ccs-suld1.swan.ac.uk';
-
-        // lis auth stuffs
-        $lisUsernameOu = substr($username, -1);
-        $lisOtherOu = "Moved";
+        $issLDAPServer = '192.168.10.16';
 
         // how to bind
-        $sucsBindDn = "uid=$username,ou=People,dc=sucs,dc=org";
-        $lisBindDn1 = "cn=$username,ou=$lisUsernameOu,ou=Students,ou=SWANSEA,o=SWANUNI";
-        $lisBindDn2 = "cn=$username,ou=$lisOtherOu,ou=Students,ou=SWANSEA,o=SWANUNI";
+        $sucsBindDn = "uid=$safeusername,ou=People,dc=sucs,dc=org";
+        $issBindDn = "cn=$safeusername,ou=Students,ou=Active,ou=Resources,o=Swansea";
 
         // Main auth
 
         // Try and connect to silver
         $ldapconnSUCS = ldap_connect($sucsLDAPServer) or die("Could not connect to SUCS LDAP server.");
 
+        ldap_set_option($ldapconnSUCS,LDAP_OPT_PROTOCOL_VERSION,3);
+
         if ($ldapconnSUCS) {
 
             //echo "Connected to $sucsLDAPServer <br>";
@@ -73,28 +80,28 @@ function ldapAuth($username, $password)
             if ($ldapbindSUCS) {
                 //echo "Auth'd as $username using SUCS LDAP<br>";
                 return "sucs";
-                // turns out they didn't give us valid sucs creds, lets try lis now
+                // turns out they didn't give us valid sucs creds, lets try iss now
             } else {
 
-                // try and connect to the lis ldap server
-                $ldapconnLIS = ldap_connect($lisLDAPServer) or die("Could not connect to uni LDAP server.");
-                //echo "Connected to $lisLDAPServer <br>";
+                // try and connect to the iss ldap server
+                $ldapconnISS = ldap_connect($issLDAPServer) or die("Could not connect to uni LDAP server.");
+                // echo "Connected to $issLDAPServer <br>";
+
+                ldap_set_option($ldapconnISS,LDAP_OPT_PROTOCOL_VERSION,3);
 
                 // lets try and bind to the uni ldap
-                $ldapbindLIS1 = ldap_bind($ldapconnLIS, $lisBindDn1, $password);
-                if ($ldapbindLIS1) {
-                    //echo "Auth'd as $username using uni LDAP using ou=$lisUsernameOu<br>";
+                $ldapbindiss = ldap_bind($ldapconnISS, $issBindDn, $password);
+
+                /*if (ldap_get_option($ldapconnISS, LDAP_OPT_DIAGNOSTIC_MESSAGE, $extended_error)) {
+                   echo "Error Binding to LDAP: $extended_error";
+                }*/
+
+                if ($ldapbindiss) {
+                    //echo "Auth'd as $username using uni LDAP using ou=$issUsernameOu<br>";
                     return "uni";
                 } else {
-                    $ldapbindLIS2 = ldap_bind($ldapconnLIS, $lisBindDn2, $password);
-                    if ($ldapbindLIS2) {
-                        //echo "Auth'd as $username using uni LDAP using ou=moved<br>";
-                        return "uni";
-                        // shit, couldn't bind to anything
-                    } else {
-                        //exit("Invalid Username or Password");
-                        return "nope";
-                    }
+                    //exit("Invalid Username or Password");
+                    return "nope";
                 }
             }
         }
diff --git a/lib/session.php b/lib/session.php
index 00b472bf9226e7bd013a79f480e3008b32238963..243e01250523b2dd04551cd37e2501c0dacde0ff 100644
--- a/lib/session.php
+++ b/lib/session.php
@@ -116,7 +116,15 @@ class Session
 
         // Is this a login attempt ?
         if ($submit != '' && $session_user != '' && $session_pass != '') {
-            $this->session_init($session_user, $session_pass);
+            // filter out everything but A-Z a-z 0-9 . - _ from username
+            $safeusername = preg_replace("/[^A-Za-z0-9\.\-\_]/", '', $session_user);
+            if ($safeusername != $session_user) {
+                trigger_error("Invalid username", E_USER_NOTICE);
+                $this->newsession();
+                return;
+            } elseif ($safeusername == $session_user) {
+                $this->session_init($safeusername, $session_pass);
+            }
         }
 
         // Retrieve session information