diff --git a/app/xml_cdr/xml_cdr.php b/app/xml_cdr/xml_cdr.php index 6e0e036399..ce15083cc7 100644 --- a/app/xml_cdr/xml_cdr.php +++ b/app/xml_cdr/xml_cdr.php @@ -47,14 +47,26 @@ $language = new text; $text = $language->get(); +//set defaults + $archive_request = false; + $action = ''; + $xml_cdrs = []; + $paging_controls_mini = ''; + $paging_controls = null; + $order_by = ""; + if(!isset($_REQUEST['show'])) { + //set to show only this domain + $_REQUEST['show'] = 'domain'; + } + //get posted data - if (!$archive_request && is_array($_POST['xml_cdrs'])) { - $action = $_POST['action']; - $xml_cdrs = $_POST['xml_cdrs']; + if (!$archive_request && isset($_POST['xml_cdrs']) && is_array($_POST['xml_cdrs'])) { + $action = $_POST['action'] ?? ''; + $xml_cdrs = $_POST['xml_cdrs'] ?? []; } //process the http post data by action - if (!$archive_request && $action != '' && is_array($xml_cdrs) && @sizeof($xml_cdrs) != 0) { + if (!$archive_request && $action != '' && count($xml_cdrs) > 0) { switch ($action) { case 'delete': if (permission_exists('xml_cdr_delete')) { 
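Review bot: The unconditional `$archive_request = false;` in the new defaults block overwrites any value assigned before this file runs. The code further down still branches on `if ($archive_request)`, which suggests another script sets it to true and then includes this page; if so, that view and its checks are silently bypassed. Keep the caller's value with `$archive_request = $archive_request ?? false;`. Whether such an including script exists is not visible from this hunk, so confirm before merging.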
@@ -134,39 +146,41 @@ if ($archive_request) { echo " \n"; } - echo " \n"; - echo " \n"; - echo " \n"; - echo " \n"; - echo " \n"; - echo " \n"; - echo " \n"; - echo " \n"; - echo " \n"; - echo " \n"; - echo " \n"; - echo " \n"; - echo " \n"; - echo " \n"; - echo " \n"; - echo " \n"; - echo " \n"; - echo " \n"; - echo " \n"; - echo " \n"; - echo " \n"; - echo " \n"; - echo " \n"; - echo " \n"; - echo " \n"; - echo " \n"; - echo " \n"; - echo " \n"; - echo " \n"; + echo " \n"; + echo " \n"; + echo " \n"; + echo " \n"; + echo " \n"; + echo " \n"; + echo " \n"; + echo " \n"; + echo " \n"; + echo " \n"; + echo " \n"; + echo " \n"; + echo " \n"; + echo " \n"; + echo " \n"; + echo " \n"; + echo " \n"; + echo " \n"; + echo " \n"; + echo " \n"; + echo " \n"; + echo " \n"; + echo " \n"; + echo " \n"; + echo " \n"; + echo " \n"; + echo " \n"; + echo " \n"; + echo " \n"; + echo " \n"; + echo " \n"; if (permission_exists('xml_cdr_all') && $_REQUEST['show'] == 'all') { echo " \n"; } - if (is_array($_SESSION['cdr']['field'])) { + if (isset($_SESSION['cdr']['field']) && is_array($_SESSION['cdr']['field'])) { foreach ($_SESSION['cdr']['field'] as $field) { $array = explode(",", $field); $field_name = $array[count($array) - 1]; @@ -183,7 +197,7 @@ echo button::create(['type'=>'button','label'=>$text['button-back'],'icon'=>$_SESSION['theme']['button_icon_back'],'link'=>'xml_cdr.php']); } echo button::create(['type'=>'button','label'=>$text['button-refresh'],'icon'=>'sync-alt','style'=>'margin-left: 15px;','onclick'=>'location.reload(true);']); - if ($_GET['call_result'] != 'missed') { + if (isset($_GET['call_result']) && $_GET['call_result'] != 'missed') { echo button::create(['type'=>'button','label'=>$text['button-missed'],'icon'=>'phone-slash','link'=>'?call_result=missed']); } @@ -342,7 +356,7 @@ echo " ".$text['label-destination']."\n"; echo " \n"; echo "
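Review bot: The new guard `isset($_GET['call_result']) && $_GET['call_result'] != 'missed'` hides the missed-calls button on the default page load, where `call_result` is absent. The old expression evaluated to true when the key was missing, so the button was shown unless the filter was already `missed`. To silence the undefined-index warning without changing behaviour, use `if (($_GET['call_result'] ?? '') != 'missed') {`.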
\n"; - echo " \n"; + echo " \n"; echo "
\n"; echo " \n"; } @@ -352,8 +366,8 @@ echo " ".$text['label-tta']." (".$text['label-seconds'].")\n"; echo " \n"; echo "
\n"; - echo " \n"; - echo " \n"; + echo " \n"; + echo " \n"; echo "
\n"; echo " \n"; } @@ -560,7 +574,7 @@ $col_count++; } if (permission_exists('xml_cdr_custom_fields')) { - if (is_array($_SESSION['cdr']['field']) && @sizeof($_SESSION['cdr']['field'])) { + if (isset($_SESSION['cdr']['field']) && is_array($_SESSION['cdr']['field']) && @sizeof($_SESSION['cdr']['field'])) { foreach ($_SESSION['cdr']['field'] as $field) { $array = explode(",", $field); $field_name = end($array); @@ -839,4 +853,3 @@ //show the footer require_once "resources/footer.php"; -?> diff --git a/app/xml_cdr/xml_cdr_inc.php b/app/xml_cdr/xml_cdr_inc.php index bfde2d1c1a..6acca0f50d 100644 --- a/app/xml_cdr/xml_cdr_inc.php +++ b/app/xml_cdr/xml_cdr_inc.php 
@@ -45,43 +45,49 @@ //set 24hr or 12hr clock define('TIME_24HR', 1); +//set defaults + if(!isset($_GET['show'])) { + $_GET['show'] = 'false'; + } + + //get post or get variables from http if (count($_REQUEST) > 0) { - $cdr_id = $_REQUEST["cdr_id"]; - $direction = $_REQUEST["direction"]; - $caller_id_name = $_REQUEST["caller_id_name"]; - $caller_id_number = $_REQUEST["caller_id_number"]; - $caller_destination = $_REQUEST["caller_destination"]; - $extension_uuid = $_REQUEST["extension_uuid"]; - $destination_number = $_REQUEST["destination_number"]; - $context = $_REQUEST["context"]; - $start_stamp_begin = $_REQUEST["start_stamp_begin"]; - $start_stamp_end = $_REQUEST["start_stamp_end"]; - $answer_stamp_begin = $_REQUEST["answer_stamp_begin"]; - $answer_stamp_end = $_REQUEST["answer_stamp_end"]; - $end_stamp_begin = $_REQUEST["end_stamp_begin"]; - $end_stamp_end = $_REQUEST["end_stamp_end"]; - $start_epoch = $_REQUEST["start_epoch"]; - $stop_epoch = $_REQUEST["stop_epoch"]; - $duration_min = $_REQUEST["duration_min"]; - $duration_max = $_REQUEST["duration_max"]; - $billsec = $_REQUEST["billsec"]; - $hangup_cause = $_REQUEST["hangup_cause"]; - $call_result = $_REQUEST["call_result"]; - $xml_cdr_uuid = $_REQUEST["xml_cdr_uuid"]; - $bleg_uuid = $_REQUEST["bleg_uuid"]; - $accountcode = $_REQUEST["accountcode"]; - $read_codec = $_REQUEST["read_codec"]; - $write_codec = $_REQUEST["write_codec"]; - $remote_media_ip = $_REQUEST["remote_media_ip"]; - $network_addr = $_REQUEST["network_addr"]; - $bridge_uuid = $_REQUEST["network_addr"]; - $tta_min = $_REQUEST['tta_min']; - $tta_max = $_REQUEST['tta_max']; - $recording = $_REQUEST['recording']; - $order_by = $_REQUEST["order_by"]; - $order = $_REQUEST["order"]; - if (is_array($_SESSION['cdr']['field'])) { + $cdr_id = $_REQUEST["cdr_id"] ?? ''; + $direction = $_REQUEST["direction"] ?? ''; + $caller_id_name = $_REQUEST["caller_id_name"] ?? ''; + $caller_id_number = $_REQUEST["caller_id_number"] ?? 
''; + $caller_destination = $_REQUEST["caller_destination"] ?? ''; + $extension_uuid = $_REQUEST["extension_uuid"] ?? ''; + $destination_number = $_REQUEST["destination_number"] ?? ''; + $context = $_REQUEST["context"] ?? ''; + $start_stamp_begin = $_REQUEST["start_stamp_begin"] ?? ''; + $start_stamp_end = $_REQUEST["start_stamp_end"] ?? ''; + $answer_stamp_begin = $_REQUEST["answer_stamp_begin"] ?? ''; + $answer_stamp_end = $_REQUEST["answer_stamp_end"] ?? ''; + $end_stamp_begin = $_REQUEST["end_stamp_begin"] ?? ''; + $end_stamp_end = $_REQUEST["end_stamp_end"] ?? ''; + $start_epoch = $_REQUEST["start_epoch"] ?? ''; + $stop_epoch = $_REQUEST["stop_epoch"] ?? ''; + $duration_min = $_REQUEST["duration_min"] ?? ''; + $duration_max = $_REQUEST["duration_max"] ?? ''; + $billsec = $_REQUEST["billsec"] ?? ''; + $hangup_cause = $_REQUEST["hangup_cause"] ?? ''; + $call_result = $_REQUEST["call_result"] ?? ''; + $xml_cdr_uuid = $_REQUEST["xml_cdr_uuid"] ?? ''; + $bleg_uuid = $_REQUEST["bleg_uuid"] ?? ''; + $accountcode = $_REQUEST["accountcode"] ?? ''; + $read_codec = $_REQUEST["read_codec"] ?? ''; + $write_codec = $_REQUEST["write_codec"] ?? ''; + $remote_media_ip = $_REQUEST["remote_media_ip"] ?? ''; + $network_addr = $_REQUEST["network_addr"] ?? ''; + $bridge_uuid = $_REQUEST["network_addr"] ?? ''; + $tta_min = $_REQUEST['tta_min'] ?? ''; + $tta_max = $_REQUEST['tta_max'] ?? ''; + $recording = $_REQUEST['recording'] ?? ''; + $order_by = $_REQUEST["order_by"] ?? ''; + $order = $_REQUEST["order"] ?? ''; + if (isset($_SESSION['cdr']['field']) && is_array($_SESSION['cdr']['field'])) { foreach ($_SESSION['cdr']['field'] as $field) { $array = explode(",", $field); $field_name = end($array); @@ -104,8 +110,8 @@ $mos_comparison = ''; } //$mos_comparison = $_REQUEST["mos_comparison"]; - $mos_score = $_REQUEST["mos_score"]; - $leg = $_REQUEST["leg"]; + $mos_score = $_REQUEST["mos_score"] ?? ''; + $leg = $_REQUEST["leg"] ?? 'a'; } //check to see if permission does not exist 
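Review bot: `$bridge_uuid = $_REQUEST["network_addr"] ?? '';` still reads the `network_addr` key, so the copy-paste slip from the old line is carried into the new one and a bridge UUID filter can never take effect. It should presumably be `$bridge_uuid = $_REQUEST["bridge_uuid"] ?? '';`; the same line appears in the `-82,36` hunk of xml_cdr_statistics_inc.php. Note also that `?? ''` only covers a missing key: a request sending `caller_id_name[]=x` still yields an array, so values that later reach string functions or SQL parameters would benefit from an `is_string()` check at this point.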
@@ -113,10 +119,6 @@ $leg = 'a'; } -//get variables used to control the order - $order_by = $_REQUEST["order_by"]; - $order = $_REQUEST["order"]; - //validate the order switch ($order) { case 'asc': @@ -128,7 +130,7 @@ } //set the assigned extensions - if (!permission_exists('xml_cdr_domain') && is_array($_SESSION['user']['extension'])) { + if (!permission_exists('xml_cdr_domain') && isset($_SESSION['user']['extension']) && is_array($_SESSION['user']['extension'])) { foreach ($_SESSION['user']['extension'] as $row) { if (is_uuid($row['extension_uuid'])) { $extension_uuids[] = $row['extension_uuid']; @@ -172,7 +174,7 @@ $param .= "&tta_min=".urlencode($tta_min ?? ''); $param .= "&tta_max=".urlencode($tta_max ?? ''); $param .= "&recording=".urlencode($recording ?? ''); - if (is_array($_SESSION['cdr']['field'])) { + if (isset($_SESSION['cdr']['field']) && is_array($_SESSION['cdr']['field'])) { foreach ($_SESSION['cdr']['field'] as $field) { $array = explode(",", $field); $field_name = end($array); @@ -218,8 +220,11 @@ //prepare to page the results //$rows_per_page = ($_SESSION['domain']['paging']['numeric'] != '') ? $_SESSION['domain']['paging']['numeric'] : 50; //set on the page that includes this page - if (is_numeric($_GET['page'])) { $page = $_GET['page']; } - if (!isset($_GET['page'])) { $page = 0; $_GET['page'] = 0; } + if (!isset($_GET['page']) || !is_numeric($_GET['page'])) { + $_GET['page'] = 0; + } + //ensure page is within bounds of integer + $page = filter_input(INPUT_GET, 'page', FILTER_VALIDATE_INT); $offset = $rows_per_page * $page; //set the time zone 
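Review bot: `filter_input(INPUT_GET, 'page', FILTER_VALIDATE_INT)` in the paging hunk reads the request as it was received, not the `$_GET` array, so the `$_GET['page'] = 0;` fallback just above has no effect on `$page`. A missing parameter gives `null`, a value such as `1.5` passes `is_numeric()` but gives `false`, and a negative value validates and produces a negative `$offset`. Validating the array value with a floor and a default covers all three cases: `$page = filter_var($_GET['page'] ?? 0, FILTER_VALIDATE_INT, ['options' => ['default' => 0, 'min_range' => 0]]);`.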
@@ -260,14 +265,14 @@ $sql .= "c.cc_side, \n"; //$sql .= "(c.xml is not null or c.json is not null) as raw_data_exists, \n"; //$sql .= "c.json, \n"; - if (is_array($_SESSION['cdr']['field'])) { + if (isset($_SESSION['cdr']['field']) && is_array($_SESSION['cdr']['field'])) { foreach ($_SESSION['cdr']['field'] as $field) { $array = explode(",", $field); $field_name = end($array); $sql .= $field_name.", \n"; } } - if (is_array($_SESSION['cdr']['export'])) { + if (isset($_SESSION['cdr']['export']) && is_array($_SESSION['cdr']['export'])) { foreach ($_SESSION['cdr']['export'] as $field) { $sql .= $field.", \n"; } @@ -296,7 +301,7 @@ $parameters['domain_uuid'] = $domain_uuid; } if (!permission_exists('xml_cdr_domain')) { //only show the user their calls - if (is_array($extension_uuids) && @sizeof($extension_uuids)) { + if (isset($extension_uuids) && is_array($extension_uuids) && @sizeof($extension_uuids)) { $sql .= "and (c.extension_uuid = '".implode("' or c.extension_uuid = '", $extension_uuids)."') \n"; } else { @@ -572,7 +577,7 @@ if (!empty($order_by)) { $sql .= order_by($order_by, $order); } - if ($_REQUEST['export_format'] !== "csv" && $_REQUEST['export_format'] !== "pdf") { + if (isset($_REQUEST['export_format']) && $_REQUEST['export_format'] !== "csv" && $_REQUEST['export_format'] !== "pdf") { if ($rows_per_page == 0) { $sql .= " limit :limit offset 0 \n"; $parameters['limit'] = $_SESSION['cdr']['limit']['numeric']; @@ -599,7 +604,7 @@ unset($database, $sql, $parameters); //return the paging - if ($_REQUEST['export_format'] !== "csv" && $_REQUEST['export_format'] !== "pdf") { + if (isset($_REQUEST['export_format']) && $_REQUEST['export_format'] !== "csv" && $_REQUEST['export_format'] !== "pdf") { list($paging_controls_mini, $rows_per_page) = paging($num_rows, $param, $rows_per_page, true, $result_count); //top list($paging_controls, $rows_per_page) = paging($num_rows, $param, $rows_per_page, false, $result_count); //bottom } 
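Review bot: `$field_name` and `$field` are appended to the SELECT list as raw text in the `-260,14` hunk, and the added `isset()` guard does not constrain what they contain. They come from `$_SESSION['cdr']['field']` and `$_SESSION['cdr']['export']`, presumably administrator-defined settings, but a column name cannot be bound as a parameter, so whatever is stored there becomes part of the statement. Check each name against an identifier pattern before appending, for example `if (!preg_match('/^[a-zA-Z0-9_.]+$/', $field_name)) { continue; }`, and apply the same test to `$field` in the export loop.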
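Review bot: Adding `isset($_REQUEST['export_format']) &&` in the `-572,7` hunk inverts the default case: on an ordinary page view `export_format` is absent, so the condition is now false and the `limit`/`offset` clause is no longer appended. The query then returns every matching record, which is a memory and load risk on a large CDR table. The `-599,7` hunk has the same change, so `paging()` is skipped and the paging controls are never built. Preserve the old meaning with `if (!in_array($_REQUEST['export_format'] ?? '', ['csv', 'pdf'], true)) {` in both places.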
diff --git a/app/xml_cdr/xml_cdr_search.php b/app/xml_cdr/xml_cdr_search.php index 876cc8962a..a59ea89055 100644 --- a/app/xml_cdr/xml_cdr_search.php +++ b/app/xml_cdr/xml_cdr_search.php @@ -45,6 +45,31 @@ $language = new text; $text = $language->get(); +//declare variables + $direction = ""; + $caller_id_name = ""; + $caller_id_number = ""; + $destination_number = ""; + $context = ""; + $start_stamp_begin = ""; + $start_stamp_end = ""; + $answer_stamp_begin = ""; + $answer_stamp_end = ""; + $end_stamp_begin = ""; + $end_stamp_end = ""; + $duration_min = ""; + $duration_max = ""; + $billsec = ""; + $hangup_cause = ""; + $xml_cdr_uuid = ""; + $bridge_uuid = ""; + $accountcode = ""; + $read_codec = ""; + $write_codec = ""; + $remote_media_ip = ""; + $network_addr = ""; + $mos_score = ""; + //send the header $document['title'] = $text['title-advanced_search']; require_once "resources/header.php"; @@ -63,7 +88,7 @@ echo ""; //start the html form - if ($_GET['redirect'] == 'xml_cdr_statistics') { + if (isset($_GET['redirect']) && $_GET['redirect'] == 'xml_cdr_statistics') { echo "
\n"; } else { @@ -201,7 +226,7 @@ echo " "; echo " ".$text['button-show_all'].""; echo " \n"; - if (permission_exists('xml_cdr_all') && $_REQUEST['showall'] == "true") { + if (permission_exists('xml_cdr_all') && isset($_REQUEST['show']) && $_REQUEST['show'] == "all") { echo " "; } else { @@ -252,7 +277,7 @@ echo " ".$text['label-network_addr'].""; echo " "; echo " "; - if (is_array($_SESSION['cdr']['field'])) { + if (isset($_SESSION['cdr']['field']) && is_array($_SESSION['cdr']['field'])) { foreach ($_SESSION['cdr']['field'] as $field) { $array = explode(",", $field); $field_name = end($array); diff --git a/app/xml_cdr/xml_cdr_statistics.php b/app/xml_cdr/xml_cdr_statistics.php index 49f3e51795..3dde4b4f75 100644 --- a/app/xml_cdr/xml_cdr_statistics.php +++ b/app/xml_cdr/xml_cdr_statistics.php @@ -46,6 +46,9 @@ $language = new text; $text = $language->get(); +//set default showall + $show_all = false; + //additional includes $document['title'] = $text['title-call-statistics']; require_once "resources/header.php"; @@ -55,8 +58,9 @@ if (permission_exists('xml_cdr_search_advanced')) { $search_url .= '&redirect=xml_cdr_statistics'; } - if(permission_exists('xml_cdr_all') && ($_GET['showall'] === 'true')){ + if(permission_exists('xml_cdr_all') && (isset($_GET['showall']) && $_GET['showall'] === 'true')){ $search_url .= '&showall=true'; + $show_all = true; } if (!empty($_GET['direction'])) { $search_url .= '&direction='.urlencode($_GET['direction']); 
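Review bot: The show-all condition in the `-201,7` hunk of xml_cdr_search.php now reads `$_REQUEST['show'] == "all"`, but other files in this commit still send and read `showall=true`. xml_cdr_statistics.php appends `&showall=true` to the advanced-search link, and xml_cdr_statistics_inc.php clears the domain filter on `$_GET['showall'] === 'true'` while computing `$show_all` from `$_REQUEST['show'] === 'all'`. The two names can disagree, so the query scope and the `$show_all` flag may not match for a user holding `xml_cdr_all`. Settle on one parameter and evaluate it once, e.g. `$show_all = permission_exists('xml_cdr_all') && ($_REQUEST['show'] ?? '') === 'all';`, then reuse that variable wherever the domain filter is decided.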
@@ -144,7 +148,7 @@ if (permission_exists('xml_cdr_search_advanced')) { echo button::create(['type'=>'button','label'=>$text['button-advanced_search'],'icon'=>'tools','link'=>'xml_cdr_search.php?type=advanced'.$search_url]); } - if (permission_exists('xml_cdr_all') && $_GET['showall'] != 'true') { + if (permission_exists('xml_cdr_all') && !$show_all) { echo button::create(['type'=>'button','label'=>$text['button-show_all'],'icon'=>$_SESSION['theme']['button_icon_all'],'link'=>'xml_cdr_statistics.php?showall=true'.$search_url]); } echo button::create(['type'=>'button','label'=>$text['button-extension_summary'],'icon'=>'list','link'=>'xml_cdr_extension_summary.php']); diff --git a/app/xml_cdr/xml_cdr_statistics_inc.php b/app/xml_cdr/xml_cdr_statistics_inc.php index 3da58c9f22..a5296d8c48 100644 --- a/app/xml_cdr/xml_cdr_statistics_inc.php +++ b/app/xml_cdr/xml_cdr_statistics_inc.php @@ -41,6 +41,9 @@ exit; } +// assign default value for show all + $showall = false; + //show all call detail records to admin and superadmin. for everyone else show only the call details for extensions assigned to them if (!permission_exists('xml_cdr_domain')) { // select caller_id_number, destination_number from v_xml_cdr where domain_uuid = '' @@ -65,7 +68,7 @@ } else { //superadmin or admin - if ($_GET['showall'] && permission_exists('xml_cdr_all')) { + if (isset($_GET['showall']) && $_GET['showall'] === 'true' && permission_exists('xml_cdr_all')) { $sql_where = ''; } else { $sql_where = "c.domain_uuid = '".$_SESSION['domain_uuid']."' "; 
@@ -82,36 +85,36 @@ //get post or get variables from http if (isset($_REQUEST)) { - $cdr_id = $_REQUEST["cdr_id"]; - $missed = $_REQUEST["missed"]; - $direction = $_REQUEST["direction"]; - $caller_id_name = $_REQUEST["caller_id_name"]; - $caller_id_number = $_REQUEST["caller_id_number"]; - $caller_extension_uuid = $_REQUEST["caller_extension_uuid"]; - $extension_uuid = $_REQUEST["extension_uuid"]; - $destination_number = $_REQUEST["destination_number"]; - $context = $_REQUEST["context"]; - $start_stamp_begin = $_REQUEST["start_stamp_begin"]; - $start_stamp_end = $_REQUEST["start_stamp_end"]; - $answer_stamp_begin = $_REQUEST["answer_stamp_begin"]; - $answer_stamp_end = $_REQUEST["answer_stamp_end"]; - $end_stamp_begin = $_REQUEST["end_stamp_begin"]; - $end_stamp_end = $_REQUEST["end_stamp_end"]; - $start_epoch = $_REQUEST["start_epoch"]; - $stop_epoch = $_REQUEST["stop_epoch"]; - $duration = $_REQUEST["duration"]; - $billsec = $_REQUEST["billsec"]; - $hangup_cause = $_REQUEST["hangup_cause"]; - $uuid = $_REQUEST["uuid"]; - $bleg_uuid = $_REQUEST["bleg_uuid"]; - $accountcode = $_REQUEST["accountcode"]; - $read_codec = $_REQUEST["read_codec"]; - $write_codec = $_REQUEST["write_codec"]; - $remote_media_ip = $_REQUEST["remote_media_ip"]; - $network_addr = $_REQUEST["network_addr"]; - $bridge_uuid = $_REQUEST["network_addr"]; - $order_by = $_REQUEST["order_by"]; - $order = $_REQUEST["order"]; + $cdr_id = $_REQUEST["cdr_id"] ?? ''; + $missed = $_REQUEST["missed"] ?? ''; + $direction = $_REQUEST["direction"] ?? ''; + $caller_id_name = $_REQUEST["caller_id_name"] ?? ''; + $caller_id_number = $_REQUEST["caller_id_number"] ?? ''; + $caller_extension_uuid = $_REQUEST["caller_extension_uuid"] ?? ''; + $extension_uuid = $_REQUEST["extension_uuid"] ?? ''; + $destination_number = $_REQUEST["destination_number"] ?? ''; + $context = $_REQUEST["context"] ?? ''; + $start_stamp_begin = $_REQUEST["start_stamp_begin"] ?? ''; + $start_stamp_end = $_REQUEST["start_stamp_end"] ?? 
''; + $answer_stamp_begin = $_REQUEST["answer_stamp_begin"] ?? ''; + $answer_stamp_end = $_REQUEST["answer_stamp_end"] ?? ''; + $end_stamp_begin = $_REQUEST["end_stamp_begin"] ?? ''; + $end_stamp_end = $_REQUEST["end_stamp_end"] ?? ''; + $start_epoch = $_REQUEST["start_epoch"] ?? ''; + $stop_epoch = $_REQUEST["stop_epoch"] ?? ''; + $duration = $_REQUEST["duration"] ?? ''; + $billsec = $_REQUEST["billsec"] ?? ''; + $hangup_cause = $_REQUEST["hangup_cause"] ?? ''; + $uuid = $_REQUEST["uuid"] ?? ''; + $bleg_uuid = $_REQUEST["bleg_uuid"] ?? ''; + $accountcode = $_REQUEST["accountcode"] ?? ''; + $read_codec = $_REQUEST["read_codec"] ?? ''; + $write_codec = $_REQUEST["write_codec"] ?? ''; + $remote_media_ip = $_REQUEST["remote_media_ip"] ?? ''; + $network_addr = $_REQUEST["network_addr"] ?? ''; + $bridge_uuid = $_REQUEST["network_addr"] ?? ''; + $order_by = $_REQUEST["order_by"] ?? ''; + $order = $_REQUEST["order"] ?? ''; if (!empty($_REQUEST["mos_comparison"])) { switch($_REQUEST["mos_comparison"]) { case 'less': @@ -138,14 +141,14 @@ unset($mos_comparison); } //$mos_comparison = $_REQUEST["mos_comparison"]; - $mos_score = $_REQUEST["mos_score"]; + $mos_score = $_REQUEST["mos_score"] ?? ''; if (permission_exists('xml_cdr_b_leg')) { - $leg = $_REQUEST["leg"]; + $leg = $_REQUEST["leg"] ?? ''; } - $show_all = permission_exists('xml_cdr_all') && ($_REQUEST['showall'] == 'true'); + $show_all = permission_exists('xml_cdr_all') && (isset($_REQUEST['show']) && $_REQUEST['show'] === 'all'); } else { - $show_all = permission_exists('xml_cdr_all') && ($_GET['showall'] == 'true'); + $show_all = permission_exists('xml_cdr_all') && ($_GET['showall'] === 'true'); //$direction = 'inbound'; }
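Review bot: The `else` branch at the end of the `-138,14` hunk cannot run, because `$_REQUEST` is always set in a web request. The `$_GET['showall'] === 'true'` line inside it is therefore dead code, and it is also the one read in this hunk left without an `isset()` guard. Dropping the `if (isset($_REQUEST))` wrapper, or at least the `else`, would leave a single definition of `$show_all`. The default added near the top of this file is named `$showall`, while the variable assigned here is `$show_all`; if the default was meant to cover this variable, the names need to match.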