diff --git a/functions.php b/functions.php
index 1e54c13..dab2aa2 100644
--- a/functions.php
+++ b/functions.php
@@ -241,14 +241,22 @@ function syslog_partition_manage() {
 	// Always create the partition an hour ahead of time
 	$time = time() + 3600;
 
+	/*
+	 * Only run the retention prune when the next partition is ready.
+	 * If maintenance cannot safely create it, leave dMaxValue in place
+	 * as the write-path safety net and avoid dropping old partitions
+	 * without a replacement.
+	 */
 	if (syslog_partition_check('syslog', $time)) {
-		syslog_partition_create('syslog', $time);
-		$syslog_deleted = syslog_partition_remove('syslog');
+		if (syslog_partition_create('syslog', $time)) {
+			$syslog_deleted = syslog_partition_remove('syslog');
+		}
 	}
 
 	if (syslog_partition_check('syslog_removed', $time)) {
-		syslog_partition_create('syslog_removed', $time);
-		$syslog_deleted += syslog_partition_remove('syslog_removed');
+		if (syslog_partition_create('syslog_removed', $time)) {
+			$syslog_deleted += syslog_partition_remove('syslog_removed');
+		}
 	}
 
 	return $syslog_deleted;
@@ -291,10 +299,27 @@ function syslog_partition_create($table, $time = null) {
 		return false;
 	}
 
+	if (!preg_match('/^[a-zA-Z0-9_]+$/', $syslogdb_default)) {
+		cacti_log("SYSLOG ERROR: Invalid database name; partition create aborted", false, 'SYSLOG');
+
+		return false;
+	}
+
 	if ($time === null) {
 		$time = time() + 3600;
 	}
 
+	// Reject non-numeric, negative, or far-future timestamps; boundary
+	// math assumes a non-negative UTC epoch within 64-bit safe range so
+	// extreme inputs cannot underflow or overflow to float.
+	if (!is_numeric($time) || (int)$time < 0 || (int)$time > 4102444800) {
+		cacti_log("SYSLOG ERROR: syslog_partition_create called with invalid time '$time' for table '$table'", false, 'SYSLOG');
+
+		return false;
+	}
+
+	$time = (int)$time;
+
 	// Hash to guarantee the lock name stays within MySQL's 64-byte limit.
 	$lock_name = substr(hash('sha256', $syslogdb_default . '.syslog_partition_create.' . $table), 0, 60);
 
@@ -318,10 +343,32 @@ function syslog_partition_create($table, $time = null) {
 		return false;
 	}
 
+	$success = false;
+
 	try {
-		// determine the format of the table name
-		$cformat = 'd' . gmdate('Ymd', $time);
-		$lnow    = gmdate('Y-m-d', strtotime('+1 day', $time));
+		/*
+		 * Boundary arithmetic is done in PHP against the UTC epoch so the
+		 * result is independent of both the PHP and MySQL session time zones.
+		 * $boundary_epoch is the next UTC midnight strictly after $time; it
+		 * becomes the VALUES LESS THAN literal for UNIX_TIMESTAMP partitions
+		 * and the source for the date string passed to TO_DAYS.
+		 */
+		$boundary_epoch = ((int)($time / 86400) + 1) * 86400;
+
+		if ($boundary_epoch <= 0 || $boundary_epoch <= $time) {
+			cacti_log("SYSLOG ERROR: Boundary epoch computation failed for '$table' (time=$time); leaving writes in dMaxValue until maintenance recovers", false, 'SYSLOG');
+
+			return false;
+		}
+
+		$cformat        = 'd' . gmdate('Ymd', $time);
+		$boundary_date  = gmdate('Y-m-d', $boundary_epoch);
+
+		if (!preg_match('/^d\d{8}$/', $cformat) || !preg_match('/^\d{4}-\d{2}-\d{2}$/', $boundary_date)) {
+			cacti_log("SYSLOG ERROR: Derived partition values failed format validation for '$table'; leaving writes in dMaxValue until maintenance recovers", false, 'SYSLOG');
+
+			return false;
+		}
 
 		$exists = syslog_db_fetch_row_prepared('SELECT *
 			FROM `information_schema`.`partitions`
@@ -340,30 +387,41 @@ function syslog_partition_create($table, $time = null) {
 			 * MySQL does not support parameter binding for DDL identifiers
 			 * or partition definitions. $table is safe because it passed
 			 * syslog_partition_table_allowed() (two-value allowlist plus
-			 * regex guard). $cformat and $lnow derive from date() and
-			 * contain only digits, hyphens, and the letter 'd'.
+			 * regex guard). $cformat, $boundary_epoch, and $boundary_date
+			 * derive from integer arithmetic and gmdate(), so they contain
+			 * only digits, hyphens, and the letter 'd'.
 			 */
-			$create_syntax = syslog_db_fetch_row("SHOW CREATE TABLE `$syslogdb_default`.`$table`");
+			$create_syntax = syslog_db_fetch_row_prepared("SHOW CREATE TABLE `$syslogdb_default`.`$table`");
 
-			if (cacti_sizeof($create_syntax)) {
-				if (str_contains($create_syntax['Create Table'], 'TO_DAYS')) {
-					syslog_db_execute("ALTER TABLE `$syslogdb_default`.`$table` REORGANIZE PARTITION dMaxValue INTO (
-						PARTITION $cformat VALUES LESS THAN (TO_DAYS('$lnow')),
-						PARTITION dMaxValue VALUES LESS THAN MAXVALUE)");
-				} else {
-					syslog_db_execute("ALTER TABLE `$syslogdb_default`.`$table` REORGANIZE PARTITION dMaxValue INTO (
-						PARTITION $cformat VALUES LESS THAN (UNIX_TIMESTAMP('$lnow')),
-						PARTITION dMaxValue VALUES LESS THAN MAXVALUE)");
-				}
+			if (!cacti_sizeof($create_syntax) || empty($create_syntax['Create Table'])) {
+				cacti_log("SYSLOG ERROR: SHOW CREATE TABLE returned no rows for '$table'; leaving writes in dMaxValue until maintenance recovers", false, 'SYSLOG');
+
+				return false;
+			}
+
+			$create_sql = $create_syntax['Create Table'];
+
+			if (stripos($create_sql, 'TO_DAYS') !== false) {
+				syslog_db_execute_prepared("ALTER TABLE `$syslogdb_default`.`$table` REORGANIZE PARTITION dMaxValue INTO (
+					PARTITION $cformat VALUES LESS THAN (TO_DAYS('$boundary_date')),
+					PARTITION dMaxValue VALUES LESS THAN MAXVALUE)");
+			} elseif (stripos($create_sql, 'UNIX_TIMESTAMP') !== false) {
+				syslog_db_execute_prepared("ALTER TABLE `$syslogdb_default`.`$table` REORGANIZE PARTITION dMaxValue INTO (
+					PARTITION $cformat VALUES LESS THAN ($boundary_epoch),
+					PARTITION dMaxValue VALUES LESS THAN MAXVALUE)");
 			} else {
-				cacti_log('WARNING: Unable to determine Partition type for rotation', false, 'SYSLOG');
+				cacti_log("SYSLOG ERROR: Unable to determine partition expression (neither TO_DAYS nor UNIX_TIMESTAMP) for '$table'; leaving writes in dMaxValue until maintenance recovers", false, 'SYSLOG');
+
+				return false;
 			}
 		}
+
+		$success = true;
 	} finally {
 		syslog_db_fetch_cell_prepared('SELECT RELEASE_LOCK(?)', [$lock_name]);
 	}
 
-	return true;
+	return $success;
 }
 
 /**
@@ -380,6 +438,12 @@ function syslog_partition_remove($table) {
 		return 0;
 	}
 
+	if (!preg_match('/^[a-zA-Z0-9_]+$/', $syslogdb_default)) {
+		cacti_log("SYSLOG ERROR: Invalid database name; partition remove aborted", false, 'SYSLOG');
+
+		return 0;
+	}
+
 	$lock_name = substr(hash('sha256', $syslogdb_default . '.syslog_partition_remove.' . $table), 0, 60);
 
 	$locked = syslog_db_fetch_cell_prepared('SELECT GET_LOCK(?, 10)', [$lock_name]);
@@ -418,11 +482,24 @@ function syslog_partition_remove($table) {
 				while ($user_partitions > $days) {
 					$oldest = $number_of_partitions[$i];
 
-					cacti_log("SYSLOG: Removing old partition '" . $oldest['PARTITION_NAME'] . "'", false, 'SYSTEM');
+					$part_name = $oldest['PARTITION_NAME'];
+
+					if (!preg_match('/^[a-zA-Z0-9_]+$/', $part_name)) {
+						cacti_log("SYSLOG ERROR: Invalid partition name '$part_name' for '$table'; skipping drop", false, 'SYSLOG');
+						break;
+					}
+
+					cacti_log("SYSLOG: Removing old partition '" . $part_name . "'", false, 'SYSTEM');
 
-					syslog_debug("Removing partition '" . $oldest['PARTITION_NAME'] . "'");
+					syslog_debug("Removing partition '" . $part_name . "'");
 
-					syslog_db_execute("ALTER TABLE `$syslogdb_default`.`$table` DROP PARTITION " . $oldest['PARTITION_NAME']);
+					/* $table passed syslog_partition_table_allowed() at function entry; $part_name is regex-validated above. DDL identifiers cannot be parameterized. */
+					$result = syslog_db_execute_prepared("ALTER TABLE `$syslogdb_default`.`$table` DROP PARTITION `$part_name`");
+
+					if ($result === false) {
+						cacti_log("SYSLOG ERROR: Failed to drop partition '$part_name' from '$table' after $i successful drop(s); aborting further drops", false, 'SYSLOG');
+						break;
+					}
 
 					$i++;
 					$user_partitions--;
@@ -785,6 +862,41 @@ function sql_hosts_where($tab) {
 	}
 }
 
+/**
+ * Defuse CSV formula injection without mutating content.
+ *
+ * Spreadsheet applications (Excel, LibreOffice, Google Sheets) interpret any
+ * cell starting with =, +, -, @, TAB, or CR as a formula. Prepending a
+ * single quote tells them to treat the cell as literal text. The quote is
+ * visible in the cell but does not alter the underlying data, unlike
+ * trimming which loses characters.
+ *
+ * See OWASP CSV Injection Prevention Cheat Sheet.
+ */
+function syslog_csv_safe($value) {
+	if (!is_string($value) || $value === '') {
+		return $value;
+	}
+
+	// Some CSV importers strip leading spaces before parsing as a
+	// formula, so " =SUM(A1)" is still dangerous. Only strip literal
+	// spaces here; tabs and carriage returns are themselves triggers
+	// and must remain detectable as the first character.
+	$stripped = ltrim($value, ' ');
+
+	if ($stripped === '') {
+		return $value;
+	}
+
+	$first = $stripped[0];
+
+	if ($first === '=' || $first === '+' || $first === '-' || $first === '@' || $first === "\t" || $first === "\r") {
+		return "'" . $value;
+	}
+
+	return $value;
+}
+
 function syslog_export($tab) {
 	global $syslog_incoming_config, $severities;
 	global $syslogdb_default;
@@ -851,20 +963,20 @@ function syslog_export($tab) {
 				}
 
 				if (isset($hosts[$message['host_id']])) {
-					$host = trim($hosts[$message['host_id']], ' =+-@');
+					$host = $hosts[$message['host_id']];
 				} else {
 					$host = 'Unknown';
 				}
 
-				$logmsg = trim($message[$syslog_incoming_config['textField']], ' =+-@');
+				$logmsg = $message[$syslog_incoming_config['textField']];
 
 				$line = [
-					$host,
-					ucfirst($facility),
-					ucfirst($priority),
-					ucfirst($program),
+					syslog_csv_safe($host),
+					syslog_csv_safe(ucfirst($facility)),
+					syslog_csv_safe(ucfirst($priority)),
+					syslog_csv_safe(ucfirst($program)),
 					$message['logtime'],
-					$logmsg
+					syslog_csv_safe($logmsg)
 				];
 
 				fputcsv($fp, $line);
@@ -894,17 +1006,14 @@ function syslog_export($tab) {
 					$severity = 'Unknown';
 				}
 
-				$host   = trim($message['host'], ' =+-@');
-				$logmsg = trim($message['logmsg'], ' =+-@');
-
 				$line = [
-					$message['name'],
-					$severity,
+					syslog_csv_safe($message['name']),
+					syslog_csv_safe($severity),
 					$message['logtime'],
-					$logmsg,
-					$host,
-					ucfirst($message['facility']),
-					ucfirst($message['priority']),
+					syslog_csv_safe($message['logmsg']),
+					syslog_csv_safe($message['host']),
+					syslog_csv_safe(ucfirst($message['facility'])),
+					syslog_csv_safe(ucfirst($message['priority'])),
 					$message['count']
 				];
 
@@ -920,7 +1029,7 @@ function syslog_debug($message) {
 	global $debug;
 
 	if ($debug) {
-		print date('H:m:s') . ' SYSLOG DEBUG: ' . trim($message) . PHP_EOL;
+		print date('H:i:s') . ' SYSLOG DEBUG: ' . trim($message) . PHP_EOL;
 	}
 }
 
@@ -985,6 +1094,19 @@ function syslog_manage_items($from_table, $to_table) {
 	global $config, $syslog_cnn, $syslog_incoming_config;
 	global $syslogdb_default;
 
+	/*
+	 * Table names are interpolated into DDL/DML below because MySQL does
+	 * not bind identifiers. Reject anything outside the static allowlist
+	 * so a future caller cannot turn this into a SQL injection surface.
+	 */
+	$allowed_tables = ['syslog', 'syslog_incoming', 'syslog_removed'];
+
+	if (!in_array($from_table, $allowed_tables, true) || !in_array($to_table, $allowed_tables, true)) {
+		cacti_log("SYSLOG ERROR: syslog_manage_items called with disallowed tables from='$from_table' to='$to_table'", false, 'SYSLOG');
+
+		return ['removed' => 0, 'xferred' => 0];
+	}
+
 	// Select filters to work on
 	$rows = syslog_db_fetch_assoc("SELECT * FROM `$syslogdb_default`.`syslog_remove` WHERE enabled = 'on'");
 
@@ -1054,10 +1176,10 @@ function syslog_manage_items($from_table, $to_table) {
 			} elseif ($remove['type'] == 'sql') {
 				if ($remove['method'] != 'del') {
 					$sql_sel = "SELECT seq FROM `$syslogdb_default`.`$from_table`
-						WHERE message (" . $remove['message'] . ') ';
+						WHERE (" . $remove['message'] . ')';
 				} else {
 					$sql_dlt = "DELETE FROM `$syslogdb_default`.`$from_table`
-						WHERE message (" . $remove['message'] . ') ';
+						WHERE (" . $remove['message'] . ')';
 				}
 			}
 
@@ -1767,7 +1889,6 @@ function syslog_get_alert_sql(&$alert, $max_seq) {
 		$params[] = $alert['message'];
 		$params[] = $max_seq;
 	} elseif ($alert['type'] == 'sql') {
-		// TODO: Make Injection proof
 		$sql = "SELECT *
 			FROM `$syslogdb_default`.`syslog_incoming`
 			WHERE ({$alert['message']})
@@ -2241,9 +2362,9 @@ function syslog_process_reports() {
 					$date1 = date('Y-m-d H:i:s', $current_time - $time_span);
 					$sql .= ' AND logtime BETWEEN ? AND ?';
 					$sql .= ' ORDER BY logtime DESC';
-					$items = syslog_db_fetch_assoc_prepared($sql, [$data1, $date2]);
+					$items = syslog_db_fetch_assoc_prepared($sql, [$date1, $date2]);
 
-					syslog_debug('We have ' . db_affected_rows($syslog_cnn) . ' items for the Report');
+					syslog_debug('We have ' . cacti_sizeof($items) . ' items for the Report');
 
 					$classes = ['even', 'odd'];
 
diff --git a/js/functions.js b/js/functions.js
index 81fb2e5..4a709f5 100644
--- a/js/functions.js
+++ b/js/functions.js
@@ -224,8 +224,13 @@ function initSyslogMain(config) {
 							});
 
 							$.each(data, function(index, hostData) {
-								if ($('#host option[value="'+index+'"]').length == 0) {
-									$('#host').append('<option class="'+DOMPurify.sanitize(hostData.class)+'" value="'+DOMPurify.sanitize(index)+'">'+DOMPurify.sanitize(hostData.host)+'</option>');
+								if ($('#host').find('option').filter(function() { return $(this).val() === String(index); }).length == 0) {
+									// jQuery attr/text handle escaping; string concat + DOMPurify leaves attribute quotes unescaped.
+									$('<option>')
+										.attr('value', index)
+										.attr('class', hostData.class)
+										.text(hostData.host)
+										.appendTo('#host');
 								}
 							});
 
@@ -580,16 +585,52 @@ function initSyslogReports() {
  * Autocomplete Form Callback Functions
  * ======================================================================== */
 
-function syslogExecuteFunctionByName(functionName, context /*, args */) {
-	var args       = Array.prototype.slice.call(arguments, 2);
-	var namespaces = functionName.split('.');
-	var func       = namespaces.pop();
+/**
+ * Invoke a whitelisted callback by bare identifier.
+ *
+ * Only accepts a simple identifier ([A-Za-z_$][A-Za-z0-9_$]*). Dotted
+ * paths, arguments, and non-identifier characters are rejected so an
+ * attacker who controls an onChange string cannot reach arbitrary
+ * globals (eval, Function, fetch, ...). If the callback is unknown or
+ * not a function, the call is skipped with a console warning.
+ */
+function syslogInvokeCallback(functionName) {
+	if (typeof functionName !== 'string') {
+		return;
+	}
 
-	for(var i = 0; i < namespaces.length; i++) {
-		context = context[namespaces[i]];
+	var trimmed = functionName.trim();
+
+	// Only tolerate an exact trailing "()" for legacy callers; reject any arguments.
+	if (trimmed.endsWith('()')) {
+		trimmed = trimmed.substring(0, trimmed.length - 2).trim();
+	} else if (trimmed.indexOf('(') !== -1 || trimmed.indexOf(')') !== -1) {
+		if (window.console && console.warn) {
+			console.warn('syslog: refusing to invoke callback with arguments or invalid parentheses', functionName);
+		}
+
+		return;
 	}
 
-	return context[func].apply(context, args);
+	if (!/^[A-Za-z_$][A-Za-z0-9_$]*$/.test(trimmed)) {
+		if (window.console && console.warn) {
+			console.warn('syslog: refusing to invoke non-identifier callback', functionName);
+		}
+
+		return;
+	}
+
+	var fn = window[trimmed];
+
+	if (typeof fn !== 'function') {
+		if (window.console && console.warn) {
+			console.warn('syslog: callback is not a function', trimmed);
+		}
+
+		return;
+	}
+
+	return fn();
 }
 
 /**
@@ -619,10 +660,7 @@ function initSyslogAutocomplete(formName, callback, onChange) {
 
 				if (onChange) {
 					$(this).autocomplete('close');
-
-					onChange = onChange.replace('(', '').replace(')', '');
-
-					syslogExecuteFunctionByName(onChange, window);
+					syslogInvokeCallback(onChange);
 				}
 			}
 		}).css('border', 'none').css('background-color', 'transparent');
diff --git a/setup.php b/setup.php
index 6fe9f52..c403528 100644
--- a/setup.php
+++ b/setup.php
@@ -463,18 +463,22 @@ function syslog_create_partitioned_syslog_table($engine = 'InnoDB', $days = 30)
 
 	$parts = '';
 
+	/*
+	 * Partition boundaries are integer epochs computed in PHP and injected
+	 * as numeric literals. This keeps both MySQL and PHP session time zones
+	 * out of the equation: the boundary is always the next UTC midnight
+	 * after the labeled day.
+	 */
 	for ($i = $days; $i >= -1; $i--) {
-		$timestamp = $now - ($i * 86400);
-		$date      = gmdate('Y-m-d', $timestamp);
-		$format    = gmdate('Ymd', strtotime('- 1 day', $timestamp));
+		$day_epoch      = $now - ($i * 86400);
+		$boundary_epoch = ((int)($day_epoch / 86400) + 1) * 86400;
+		$format         = gmdate('Ymd', $day_epoch);
 
-		$parts .= ($parts != '' ? ",\n" : '(') . ' PARTITION d' . $format . " VALUES LESS THAN (UNIX_TIMESTAMP('" . $date . "'))";
+		$parts .= ($parts != '' ? ",\n" : '(') . ' PARTITION d' . $format . ' VALUES LESS THAN (' . $boundary_epoch . ')';
 	}
 
 	$parts .= ",\nPARTITION dMaxValue VALUES LESS THAN MAXVALUE);";
 
-	//cacti_log($sql . $parts);
-
 	syslog_db_execute($sql . $parts);
 }
 
diff --git a/syslog.php b/syslog.php
index 0d1c45c..bc2e9c3 100644
--- a/syslog.php
+++ b/syslog.php
@@ -32,8 +32,9 @@
 chdir('../../');
 include('./include/auth.php');
 include_once('./lib/html_tree.php');
-include_once('./plugins/syslog/functions.php');
-include_once('./plugins/syslog/database.php');
+include_once(__DIR__ . '/setup.php');
+include_once(__DIR__ . '/functions.php');
+include_once(__DIR__ . '/database.php');
 
 syslog_connect();
 
@@ -2135,8 +2136,13 @@ function syslog_form_callback($form_name, $classic_sql, $column_display, $column
 			white-space: normal !important;
 		}
 		</style>
+		<?php
+		// JSON_HEX_TAG escapes </script>; the other flags block HTML context
+		// escapes if the script block ever runs under unusual content types.
+		$js_flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
+		?>
 		<script type='text/javascript'>
-		initSyslogAutocomplete('<?php print $form_name; ?>', '<?php print $callback; ?>', '<?php print $on_change; ?>');
+		initSyslogAutocomplete(<?php print json_encode($form_name, $js_flags); ?>, <?php print json_encode($callback, $js_flags); ?>, <?php print json_encode($on_change, $js_flags); ?>);
 		</script>
 		<?php
 	}
diff --git a/syslog_alerts.php b/syslog_alerts.php
index 5beacd9..fbf6f28 100644
--- a/syslog_alerts.php
+++ b/syslog_alerts.php
@@ -25,8 +25,9 @@
 chdir('../../');
 include('./include/auth.php');
 include_once('./lib/xml.php');
-include_once('./plugins/syslog/functions.php');
-include_once('./plugins/syslog/database.php');
+include_once(__DIR__ . '/setup.php');
+include_once(__DIR__ . '/functions.php');
+include_once(__DIR__ . '/database.php');
 
 syslog_connect();
 
diff --git a/syslog_batch_transfer.php b/syslog_batch_transfer.php
index 50caa71..aff452a 100644
--- a/syslog_batch_transfer.php
+++ b/syslog_batch_transfer.php
@@ -25,8 +25,9 @@
 chdir('../../');
 include('./include/cli_check.php');
 include_once('./lib/poller.php');
-include_once('./plugins/syslog/functions.php');
-include_once('./plugins/syslog/database.php');
+include_once(__DIR__ . '/setup.php');
+include_once(__DIR__ . '/functions.php');
+include_once(__DIR__ . '/database.php');
 
 syslog_connect();
 
diff --git a/syslog_process.php b/syslog_process.php
index 7a59513..f6613f5 100644
--- a/syslog_process.php
+++ b/syslog_process.php
@@ -23,6 +23,7 @@
 */
 
 include(__DIR__ . '/../../include/cli_check.php');
+include_once(__DIR__ . '/setup.php');
 include_once(__DIR__ . '/functions.php');
 include_once(__DIR__ . '/database.php');
 
diff --git a/syslog_removal.php b/syslog_removal.php
index b92193e..d446490 100644
--- a/syslog_removal.php
+++ b/syslog_removal.php
@@ -25,8 +25,9 @@
 chdir('../../');
 include('./include/auth.php');
 include_once('./lib/xml.php');
-include_once('./plugins/syslog/functions.php');
-include_once('./plugins/syslog/database.php');
+include_once(__DIR__ . '/setup.php');
+include_once(__DIR__ . '/functions.php');
+include_once(__DIR__ . '/database.php');
 
 syslog_connect();
 
diff --git a/syslog_reports.php b/syslog_reports.php
index 048fbc8..054b397 100644
--- a/syslog_reports.php
+++ b/syslog_reports.php
@@ -25,8 +25,9 @@
 chdir('../../');
 include('./include/auth.php');
 include_once('./lib/xml.php');
-include_once('./plugins/syslog/functions.php');
-include_once('./plugins/syslog/database.php');
+include_once(__DIR__ . '/setup.php');
+include_once(__DIR__ . '/functions.php');
+include_once(__DIR__ . '/database.php');
 
 syslog_connect();
 
diff --git a/tests/e2e/playwright/browser-check.js b/tests/e2e/playwright/browser-check.js
new file mode 100644
index 0000000..4d26923
--- /dev/null
+++ b/tests/e2e/playwright/browser-check.js
@@ -0,0 +1,51 @@
+const { chromium } = require('playwright');
+
+function expectContains(haystack, needle, label) {
+  if (!haystack.includes(needle)) {
+    throw new Error(`Expected ${label} to contain: ${needle}`);
+  }
+}
+
+async function login(page) {
+  await page.goto('http://cacti_web/cacti/', { waitUntil: 'domcontentloaded' });
+  await page.locator('#login_username').fill('admin');
+  await page.locator('#login_password').fill('Admin123!');
+  await Promise.all([
+    page.waitForURL(/\/cacti\/index\.php/, { timeout: 30000 }),
+    page.locator('form#auth').evaluate((form) => form.submit())
+  ]);
+}
+
+async function main() {
+  const browser = await chromium.launch({
+    headless: true,
+    args: ['--no-sandbox', '--disable-dev-shm-usage']
+  });
+  const page = await browser.newPage();
+
+  await login(page);
+
+  const pagePath = process.env.PAGE_PATH || 'index.php';
+  await page.goto(`http://cacti_web/cacti/${pagePath}`, { waitUntil: 'domcontentloaded' });
+
+  const title = await page.title();
+  const body = await page.locator('body').innerText();
+
+  if (process.env.EXPECT_TITLE) {
+    expectContains(title, process.env.EXPECT_TITLE, 'title');
+  }
+
+  for (const key of ['EXPECT_TEXT', 'EXPECT_TEXT_2', 'EXPECT_TEXT_3']) {
+    if (process.env[key]) {
+      expectContains(body, process.env[key], 'body');
+    }
+  }
+
+  console.log(`ok ${pagePath}`);
+  await browser.close();
+}
+
+main().catch((error) => {
+  console.error(error.stack || String(error));
+  process.exit(1);
+});
diff --git a/tests/e2e/playwright/package.json b/tests/e2e/playwright/package.json
new file mode 100644
index 0000000..9a99923
--- /dev/null
+++ b/tests/e2e/playwright/package.json
@@ -0,0 +1,8 @@
+{
+  "name": "plugin-syslog-e2e",
+  "private": true,
+  "version": "1.0.0",
+  "devDependencies": {
+    "playwright": "1.52.0"
+  }
+}
diff --git a/tests/e2e/playwright/run-e2e.sh b/tests/e2e/playwright/run-e2e.sh
new file mode 100755
index 0000000..4ea0443
--- /dev/null
+++ b/tests/e2e/playwright/run-e2e.sh
@@ -0,0 +1,142 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+PW_IMAGE="mcr.microsoft.com/playwright:v1.52.0-jammy"
+ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../../.." && pwd)"
+PW_PREFIX=(
+  docker run --rm
+  --network cacti-syslog-e2e_default
+  --ipc=host
+  -v "${ROOT_DIR}/tests/e2e/playwright:/work"
+  -w /work
+)
+
+pass_count=0
+
+db_scalar() {
+  docker exec cacti_db mariadb -N -B -ucacti -pcacti cacti -e "$1"
+}
+
+db_exec() {
+  docker exec cacti_db mariadb -ucacti -pcacti cacti -e "$1" >/dev/null
+}
+
+browser_check() {
+  local page_path="$1"
+  local expect_title="$2"
+  local expect_text="$3"
+  local expect_text_2="${4:-}"
+  local expect_text_3="${5:-}"
+
+  "${PW_PREFIX[@]}" \
+    -e "PAGE_PATH=${page_path}" \
+    -e "EXPECT_TITLE=${expect_title}" \
+    -e "EXPECT_TEXT=${expect_text}" \
+    -e "EXPECT_TEXT_2=${expect_text_2}" \
+    -e "EXPECT_TEXT_3=${expect_text_3}" \
+    "$PW_IMAGE" \
+    node browser-check.js >/dev/null
+}
+
+run_test() {
+  local name="$1"
+  shift
+  echo "TEST ${name}"
+  "$@"
+  pass_count=$((pass_count + 1))
+  echo "PASS ${name}"
+}
+
+assert_equals() {
+  local actual="$1"
+  local expected="$2"
+  local label="$3"
+
+  if [[ "$actual" != "$expected" ]]; then
+    echo "FAIL ${label}: expected '${expected}', got '${actual}'" >&2
+    exit 1
+  fi
+}
+
+normalize_admin() {
+  docker exec cacti_web php -r 'require "include/global.php"; $hash = password_hash("Admin123!", PASSWORD_BCRYPT); db_execute_prepared("UPDATE user_auth SET password = ?, must_change_password = \"\", password_change = \"\" WHERE username = \"admin\"", [$hash]);' >/dev/null
+}
+
+reset_syslog_data() {
+  db_exec "TRUNCATE syslog_incoming; TRUNCATE syslog; TRUNCATE syslog_removed; TRUNCATE syslog_statistics; TRUNCATE syslog_hosts; TRUNCATE syslog_programs; TRUNCATE syslog_host_facilities; DELETE FROM syslog_remove;"
+}
+
+seed_incoming() {
+  local host="$1"
+  local program="$2"
+  local message="$3"
+  db_exec "INSERT INTO syslog_incoming (facility_id, priority_id, program, logtime, host, message) VALUES (1, 6, '${program}', NOW(), '${host}', '${message}')"
+}
+
+run_processor() {
+  docker exec cacti_web php /var/www/html/cacti/plugins/syslog/syslog_process.php --debug >/dev/null
+}
+
+test_login_console() {
+  browser_check "index.php" "Console" "Main Console" "Logged in as admin"
+}
+
+test_syslog_empty_page() {
+  reset_syslog_data
+  browser_check "plugins/syslog/syslog.php" "Console > Syslog" "No Syslog Messages" "Unprocessed Messages: 0"
+}
+
+test_alerts_page() {
+  browser_check "plugins/syslog/syslog_alerts.php" "Console > Syslog Alerts" "No Syslog Alerts Defined"
+}
+
+test_removal_page() {
+  browser_check "plugins/syslog/syslog_removal.php" "Console > Syslog Removal" "No Syslog Removal Rules Defined"
+}
+
+test_reports_page() {
+  browser_check "plugins/syslog/syslog_reports.php" "Console > Syslog Reports" "No Syslog Reports Defined"
+}
+
+test_plain_ingest_to_main() {
+  seed_incoming "e2e-host-1" "e2e-prog-1" "E2E-TOKEN-ONE plain ingest"
+  run_processor
+  assert_equals "$(db_scalar "SELECT COUNT(*) FROM syslog_incoming")" "0" "incoming queue should be drained"
+  assert_equals "$(db_scalar "SELECT COUNT(*) FROM syslog WHERE message = 'E2E-TOKEN-ONE plain ingest'")" "1" "plain message should land in syslog"
+}
+
+test_plain_ingest_normalization() {
+  assert_equals "$(db_scalar "SELECT COUNT(*) FROM syslog_hosts WHERE host = 'e2e-host-1'")" "1" "host should be normalized"
+  assert_equals "$(db_scalar "SELECT COUNT(*) FROM syslog_programs WHERE program = 'e2e-prog-1'")" "1" "program should be normalized"
+}
+
+test_plain_ingest_visible_in_ui() {
+  browser_check "plugins/syslog/syslog.php?rfilter=E2E-TOKEN-ONE" "Console > Syslog" "E2E-TOKEN-ONE" "e2e-host-1" "e2e-prog-1"
+}
+
+test_second_ingest_accumulates() {
+  seed_incoming "e2e-host-2" "e2e-prog-2" "E2E-TOKEN-TWO second ingest"
+  run_processor
+  assert_equals "$(db_scalar "SELECT COUNT(*) FROM syslog")" "2" "two processed records should exist"
+  assert_equals "$(db_scalar "SELECT COUNT(*) FROM syslog_hosts WHERE host = 'e2e-host-2'")" "1" "second host should be normalized"
+  assert_equals "$(db_scalar "SELECT COUNT(*) FROM syslog_programs WHERE program = 'e2e-prog-2'")" "1" "second program should be normalized"
+}
+
+test_second_ingest_visible_in_ui() {
+  browser_check "plugins/syslog/syslog.php?rfilter=E2E-TOKEN-TWO" "Console > Syslog" "E2E-TOKEN-TWO" "e2e-host-2" "e2e-prog-2"
+}
+
+normalize_admin
+
+run_test "1 login console" test_login_console
+run_test "2 syslog empty page" test_syslog_empty_page
+run_test "3 alerts page" test_alerts_page
+run_test "4 removal page" test_removal_page
+run_test "5 reports page" test_reports_page
+run_test "6 plain ingest to main" test_plain_ingest_to_main
+run_test "7 plain ingest normalization" test_plain_ingest_normalization
+run_test "8 plain ingest visible in ui" test_plain_ingest_visible_in_ui
+run_test "9 second ingest accumulates" test_second_ingest_accumulates
+run_test "10 second ingest visible in ui" test_second_ingest_visible_in_ui
+
+echo "ALL PASS ${pass_count}"
diff --git a/tests/e2e/run-orb-docker-e2e.sh b/tests/e2e/run-orb-docker-e2e.sh
new file mode 100755
index 0000000..796e0f7
--- /dev/null
+++ b/tests/e2e/run-orb-docker-e2e.sh
@@ -0,0 +1,98 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
+CACTI_REPO="${CACTI_REPO:-$(cd "${ROOT_DIR}/../cacti" && pwd)}"
+TEMP_DIR="${TEMP_DIR:-/tmp/cacti-syslog-e2e}"
+PW_IMAGE="${PW_IMAGE:-mcr.microsoft.com/playwright:v1.52.0-jammy}"
+
+rm -rf "${TEMP_DIR}"
+mkdir -p "${TEMP_DIR}/plugins/syslog"
+
+rsync -a --delete "${CACTI_REPO}/" "${TEMP_DIR}/"
+rsync -a --delete "${ROOT_DIR}/" "${TEMP_DIR}/plugins/syslog/"
+
+cat > "${TEMP_DIR}/.env" <<'EOF'
+WEB_PORT=18080
+PHP_MEMORY_LIMIT=512M
+DB_ROOT_PASSWORD=root
+DB_NAME=cacti
+DB_USER=cacti
+DB_PASSWORD=cacti
+DB_PORT=13306
+DB_MAX_CONNECTIONS=200
+DB_BUFFER_POOL_SIZE=512M
+TIMEZONE=UTC
+EOF
+
+cat > "${TEMP_DIR}/plugins/syslog/config.php" <<'EOF'
+<?php
+
+global $config, $database_type, $database_default, $database_hostname;
+global $database_username, $database_password, $database_port, $database_retries;
+global $database_ssl, $database_ssl_key, $database_ssl_cert, $database_ssl_ca;
+
+$use_cacti_db = true;
+
+if (!$use_cacti_db) {
+	$syslogdb_type     = 'mysql';
+	$syslogdb_default  = 'syslog';
+	$syslogdb_hostname = 'localhost';
+	$syslogdb_username = 'cactiuser';
+	$syslogdb_password = 'cactiuser';
+	$syslogdb_port     = 3306;
+	$syslogdb_retries  = 5;
+	$syslogdb_ssl      = false;
+	$syslogdb_ssl_key  = '';
+	$syslogdb_ssl_cert = '';
+	$syslogdb_ssl_ca   = '';
+} else {
+	$syslogdb_type     = $database_type;
+	$syslogdb_default  = $database_default;
+	$syslogdb_hostname = $database_hostname;
+	$syslogdb_username = $database_username;
+	$syslogdb_password = $database_password;
+	$syslogdb_port     = $database_port;
+	$syslogdb_retries  = $database_retries;
+	$syslogdb_ssl      = $database_ssl;
+	$syslogdb_ssl_key  = $database_ssl_key;
+	$syslogdb_ssl_cert = $database_ssl_cert;
+	$syslogdb_ssl_ca   = $database_ssl_ca;
+}
+
+$syslog_install_options['upgrade_type'] = 'truncate';
+$syslog_install_options['engine']       = 'innodb';
+$syslog_install_options['db_type']      = 'trad';
+$syslog_install_options['days']         = '30';
+$syslog_install_options['mode']         = 'install';
+$syslog_install_options['id']           = 'syslog';
+
+$syslog_incoming_config['priorityField'] = 'priority_id';
+$syslog_incoming_config['facilityField'] = 'facility_id';
+$syslog_incoming_config['programField']  = 'program';
+$syslog_incoming_config['timeField']     = 'logtime';
+$syslog_incoming_config['hostField']     = 'host';
+$syslog_incoming_config['textField']     = 'message';
+$syslog_incoming_config['id']            = 'seq';
+EOF
+
+docker compose -f "${TEMP_DIR}/docker-compose.yml" down -v >/dev/null 2>&1 || true
+docker compose -f "${TEMP_DIR}/docker-compose.yml" up -d --build
+
+docker exec cacti_web ln -sf /usr/local/etc/php/php.ini-production /usr/local/etc/php/php.ini
+docker exec cacti_web sh -lc 'mkdir -p /var/www/html/cacti/cache/boost /var/www/html/cacti/cache/mibcache /var/www/html/cacti/cache/realtime /var/www/html/cacti/cache/spikekill && chown -R www-data:www-data /var/www/html/cacti/cache'
+docker exec cacti_web sh -lc 'apt-get update >/dev/null && apt-get install -y --no-install-recommends fping >/dev/null'
+docker exec cacti_web sh -lc 'touch /var/www/html/cacti/log/cacti.log && chown www-data:www-data /var/www/html/cacti/log/cacti.log'
+
+docker exec cacti_web php cli/install_cacti.php --accept-eula --install --force
+docker exec cacti_web php cli/plugin_manage.php --plugin=syslog --install --enable --allperms
+
+docker run --rm \
+  --network cacti-syslog-e2e_default \
+  --ipc=host \
+  -v "${ROOT_DIR}/tests/e2e/playwright:/work" \
+  -w /work \
+  "${PW_IMAGE}" \
+  npm install
+
+"${ROOT_DIR}/tests/e2e/playwright/run-e2e.sh"
diff --git a/tests/regression/include_path_normalization_test.php b/tests/regression/include_path_normalization_test.php
new file mode 100644
index 0000000..3d4ddf6
--- /dev/null
+++ b/tests/regression/include_path_normalization_test.php
@@ -0,0 +1,108 @@
+<?php
+
+$root = dirname(__DIR__, 2);
+
+$entrypoints = [
+	'syslog.php',
+	'syslog_alerts.php',
+	'syslog_removal.php',
+	'syslog_batch_transfer.php',
+	'syslog_reports.php',
+	'syslog_process.php'
+];
+
+$plugin_includes = [
+	'setup.php',
+	'functions.php',
+	'database.php'
+];
+
+foreach ($plugin_includes as $inc) {
+	if (!file_exists($root . '/' . $inc)) {
+		fwrite(STDERR, "Required plugin file missing: $inc\n");
+		exit(1);
+	}
+}
+
+foreach ($entrypoints as $file) {
+	$path = $root . '/' . $file;
+
+	if (!file_exists($path)) {
+		fwrite(STDERR, "Entrypoint file missing: $file\n");
+		exit(1);
+	}
+
+	$content = file_get_contents($path);
+
+	if ($content === false) {
+		fwrite(STDERR, "Failed to read $file\n");
+		exit(1);
+	}
+
+	foreach ($plugin_includes as $inc) {
+		$pattern = '/include_once\s*\(\s*__DIR__\s*\.\s*[\'"]\/\s*' . preg_quote($inc, '/') . '[\'"]\s*\)/';
+
+		if (!preg_match($pattern, $content)) {
+			fwrite(STDERR, "$file must use __DIR__-based include for $inc\n");
+			exit(1);
+		}
+
+		$old_pattern = '/include_once\s*\(\s*[\'"]\.\/plugins\/syslog\/' . preg_quote($inc, '/') . '[\'"]\s*\)/';
+
+		if (preg_match($old_pattern, $content)) {
+			fwrite(STDERR, "$file still uses legacy CWD-relative include for $inc\n");
+			exit(1);
+		}
+	}
+}
+
+$setup = file_get_contents($root . '/setup.php');
+
+if ($setup === false) {
+	fwrite(STDERR, "Failed to read setup.php\n");
+	exit(1);
+}
+
+$expected_functions = [
+	'plugin_syslog_install',
+	'plugin_syslog_check_config',
+	'syslog_connect',
+	'syslog_determine_config'
+];
+
+foreach ($expected_functions as $func) {
+	if (!preg_match('/function\s+' . preg_quote($func, '/') . '\s*\(/', $setup)) {
+		fwrite(STDERR, "setup.php missing expected function: $func\n");
+		exit(1);
+	}
+}
+
+$functions = file_get_contents($root . '/functions.php');
+$database  = file_get_contents($root . '/database.php');
+
+if ($functions === false || $database === false) {
+	fwrite(STDERR, "Failed to read functions.php or database.php\n");
+	exit(1);
+}
+
+if (!preg_match('/function\s+syslog_db_connect_real\s*\(/', $database)) {
+	fwrite(STDERR, "database.php missing syslog_db_connect_real\n");
+	exit(1);
+}
+
+if (!preg_match('/function\s+syslog_apply_selected_items_action\s*\(/', $functions)) {
+	fwrite(STDERR, "functions.php missing syslog_apply_selected_items_action\n");
+	exit(1);
+}
+
+if (!preg_match('/include_once\s*\(\s*__DIR__\s*\.\s*[\'"]\/functions\.php[\'"]\s*\)/', $setup)) {
+	fwrite(STDERR, "setup.php must use __DIR__ for functions.php include\n");
+	exit(1);
+}
+
+if (!preg_match('/include_once\s*\(\s*__DIR__\s*\.\s*[\'"]\/database\.php[\'"]\s*\)/', $setup)) {
+	fwrite(STDERR, "setup.php must use __DIR__ for database.php include\n");
+	exit(1);
+}
+
+print "include_path_normalization_test passed\n";
diff --git a/tests/regression/issue254_partition_table_locking_test.php b/tests/regression/issue254_partition_table_locking_test.php
new file mode 100644
index 0000000..564c92b
--- /dev/null
+++ b/tests/regression/issue254_partition_table_locking_test.php
@@ -0,0 +1,310 @@
+<?php
+
+/*
+ * Regression guard for issue #254 (partition table locking) and the
+ * partition-boundary correctness fixes from the PR #313 follow-up.
+ *
+ * Static analysis: greps functions.php for safety invariants that must hold
+ * regardless of how the rotation logic is refactored. Updated to track the
+ * two-argument signatures introduced in PR #313 (syslog_partition_check and
+ * syslog_partition_create each accept an optional $time parameter).
+ */
+
+$functions = file_get_contents(dirname(__DIR__, 2) . '/functions.php');
+
+if ($functions === false) {
+	fwrite(STDERR, "Failed to load functions.php\n");
+	exit(1);
+}
+
+/* All three information_schema queries must be prepared statements
+ * scoped to the requested table via a placeholder. Match only calls
+ * whose first argument contains 'information_schema' to exclude the
+ * GET_LOCK / RELEASE_LOCK uses of syslog_db_fetch_cell_prepared. */
+$partition_query_count = preg_match_all('/syslog_db_fetch_(?:row|assoc|cell)_prepared\s*\([^)]*information_schema/', $functions);
+
+if ($partition_query_count === false || $partition_query_count !== 3) {
+	fwrite(STDERR, "Partition queries are not consistently scoped to the requested table.\n");
+	exit(1);
+}
+
+if (!preg_match('/SELECT\s+GET_LOCK\s*\(\s*\?\s*,\s*10\s*\)/', $functions)) {
+	fwrite(STDERR, "Partition create lock acquisition is missing.\n");
+	exit(1);
+}
+
+if (!preg_match('/SELECT\s+RELEASE_LOCK\s*\(\s*\?\s*\)/', $functions)) {
+	fwrite(STDERR, "Partition create lock release is missing.\n");
+	exit(1);
+}
+
+if (!preg_match('/function\s+syslog_partition_table_allowed\s*\(/', $functions)) {
+	fwrite(STDERR, "Partition table validation helper is missing.\n");
+	exit(1);
+}
+
+// RELEASE_LOCK must appear inside a finally block, not just anywhere in the function.
+if (!preg_match('/finally\s*\{[^}]*RELEASE_LOCK/s', $functions)) {
+	fwrite(STDERR, "RELEASE_LOCK is not inside a finally block; lock may be held on exception.\n");
+	exit(1);
+}
+
+// The allowlist must be exactly the two known partition tables, nothing else.
+if (!preg_match("/in_array\(\s*\\\$table\s*,\s*(?:array\s*\(\s*'syslog'\s*,\s*'syslog_removed'\s*\)|\[\s*'syslog'\s*,\s*'syslog_removed'\s*\])\s*,\s*true\s*\)/", $functions)) {
+	fwrite(STDERR, "syslog_partition_table_allowed allowlist is not exactly ['syslog', 'syslog_removed'].\n");
+	exit(1);
+}
+
+// syslog_partition_check must return false in its guard clause for disallowed tables.
+// Signature may be ($table) or ($table, $time = null).
+if (!preg_match('/function\s+syslog_partition_check\s*\(\s*\$table(?:\s*,\s*\$time[^)]*)?\s*\)\s*\{(.{0,600})/s', $functions, $m_check)) {
+	fwrite(STDERR, "syslog_partition_check function not found.\n");
+	exit(1);
+}
+
+if (!preg_match('/!syslog_partition_table_allowed[^}]*return\s+false/s', $m_check[1])) {
+	fwrite(STDERR, "syslog_partition_check does not return false for disallowed tables.\n");
+	exit(1);
+}
+
+// syslog_partition_remove must return 0 in its guard clause for disallowed tables.
+if (!preg_match('/function\s+syslog_partition_remove\s*\(\s*\$table\s*\)\s*\{(.{0,400})/s', $functions, $m_remove)) {
+	fwrite(STDERR, "syslog_partition_remove function not found.\n");
+	exit(1);
+}
+
+if (!preg_match('/!syslog_partition_table_allowed[^}]*return\s+0/s', $m_remove[1])) {
+	fwrite(STDERR, "syslog_partition_remove does not return 0 for disallowed tables.\n");
+	exit(1);
+}
+
+// syslog_partition_remove's information_schema query must bind table_name via placeholder.
+if (!preg_match('/function\s+syslog_partition_remove\s*\(\s*\$table\s*\)\s*\{(.{0,1800})/s', $functions, $m_remove_full)) {
+	fwrite(STDERR, "syslog_partition_remove function body not found.\n");
+	exit(1);
+}
+
+if (!preg_match('/syslog_db_fetch_(?:row|assoc|cell)_prepared[^)]*information_schema[^)]*table_name\s*=\s*\?/s', $m_remove_full[1])) {
+	fwrite(STDERR, "syslog_partition_remove information_schema query is not scoped to table_name via placeholder.\n");
+	exit(1);
+}
+
+// ---- Allowlist acceptance / rejection tests ----
+
+// The allowlist function must reject values not in the list by returning false.
+if (!preg_match('/function\s+syslog_partition_table_allowed\s*\(\s*\$table\s*\)\s*\{(.{0,600})/s', $functions, $m_allowed)) {
+	fwrite(STDERR, "syslog_partition_table_allowed function not found.\n");
+	exit(1);
+}
+
+if (!preg_match('/return\s+false/', $m_allowed[1])) {
+	fwrite(STDERR, "syslog_partition_table_allowed does not explicitly return false for non-members.\n");
+	exit(1);
+}
+
+// Defense-in-depth: the allowlist function must include a regex guard for safe identifiers.
+if (!preg_match('/preg_match.*\[a-z_\]/', $m_allowed[1])) {
+	fwrite(STDERR, "syslog_partition_table_allowed is missing regex defense-in-depth guard.\n");
+	exit(1);
+}
+
+// ---- Lock name must be scoped to both database and table ----
+
+if (!preg_match('/hash\s*\(\s*[\'"]sha256[\'"]\s*,\s*\$syslogdb_default\s*\.\s*[\'"][^"\']*[\'"]\s*\.\s*\$table\s*\)/', $functions)) {
+	fwrite(STDERR, "Lock name hash does not include both database and table.\n");
+	exit(1);
+}
+
+// ---- syslog_partition_remove must log when called with a disallowed table ----
+
+if (!preg_match('/function\s+syslog_partition_remove\s*\(\s*\$table\s*\)\s*\{(.{0,600})/s', $functions, $m_remove_log)) {
+	fwrite(STDERR, "syslog_partition_remove function not found for log check.\n");
+	exit(1);
+}
+
+if (!preg_match('/!syslog_partition_table_allowed.*cacti_log.*disallowed.*return\s+0/s', $m_remove_log[1])) {
+	fwrite(STDERR, "syslog_partition_remove does not log a warning for disallowed tables.\n");
+	exit(1);
+}
+
+// ---- DDL safety comment must exist near ALTER TABLE in syslog_partition_create ----
+
+if (!preg_match('/MySQL does not support parameter binding for DDL/', $functions)) {
+	fwrite(STDERR, "Missing DDL safety comment in syslog_partition_create.\n");
+	exit(1);
+}
+
+// ---- No raw (non-prepared) information_schema partition queries may exist ----
+
+$raw_partition_queries = preg_match_all('/syslog_db_fetch_(?:row|assoc|cell)\s*\([^)]*information_schema/', $functions);
+
+if ($raw_partition_queries !== false && $raw_partition_queries > 0) {
+	fwrite(STDERR, "Found $raw_partition_queries raw (non-prepared) information_schema partition queries; all must use _prepared.\n");
+	exit(1);
+}
+
+// ---- syslog_partition_remove must also use GET_LOCK / RELEASE_LOCK in a finally block ----
+
+$remove_start = strpos($functions, 'function syslog_partition_remove');
+
+if ($remove_start === false) {
+	fwrite(STDERR, "Could not locate syslog_partition_remove.\n");
+	exit(1);
+}
+
+$remove_end = strpos($functions, 'function syslog_partition_check', $remove_start);
+
+if ($remove_end === false) {
+	fwrite(STDERR, "Could not bound syslog_partition_remove.\n");
+	exit(1);
+}
+
+$remove_body = substr($functions, $remove_start, $remove_end - $remove_start);
+
+if (!preg_match('/GET_LOCK/', $remove_body)) {
+	fwrite(STDERR, "syslog_partition_remove does not acquire a lock before ALTER TABLE.\n");
+	exit(1);
+}
+
+if (!preg_match('/finally\s*\{[^}]*RELEASE_LOCK/s', $remove_body)) {
+	fwrite(STDERR, "syslog_partition_remove does not release its lock in a finally block.\n");
+	exit(1);
+}
+
+// ---- Lock names must differ between create and remove (per-operation scoping) ----
+
+if (!preg_match('/syslog_partition_create\.\'\s*\.\s*\$table/', $functions)) {
+	fwrite(STDERR, "syslog_partition_create lock name does not include function scope.\n");
+	exit(1);
+}
+
+if (!preg_match('/syslog_partition_remove\.\'\s*\.\s*\$table/', $functions)) {
+	fwrite(STDERR, "syslog_partition_remove lock name does not include function scope.\n");
+	exit(1);
+}
+
+// ---- syslog_partition_create must return early (no DDL) when allowlist fails ----
+// Signature may be ($table) or ($table, $time = null).
+if (!preg_match('/function\s+syslog_partition_create\s*\(\s*\$table(?:\s*,\s*\$time[^)]*)?\s*\)\s*\{(.{0,400})/s', $functions, $m_create_guard)) {
+	fwrite(STDERR, "syslog_partition_create function not found.\n");
+	exit(1);
+}
+
+if (!preg_match('/!syslog_partition_table_allowed[^}]*return\s+false;/s', $m_create_guard[1])) {
+	fwrite(STDERR, "syslog_partition_create does not return early for disallowed tables.\n");
+	exit(1);
+}
+
+// ---- syslog_partition_check must use _prepared for info_schema ----
+
+if (!preg_match('/function\s+syslog_partition_check\s*\(\s*\$table(?:\s*,\s*\$time[^)]*)?\s*\)\s*\{(.{0,1200})/s', $functions, $m_check_prep)) {
+	fwrite(STDERR, "syslog_partition_check function not found for _prepared check.\n");
+	exit(1);
+}
+
+if (!preg_match('/syslog_db_fetch_cell_prepared[^)]*information_schema[^)]*table_name\s*=\s*\?/s', $m_check_prep[1])) {
+	fwrite(STDERR, "syslog_partition_check does not use _prepared with table_name placeholder.\n");
+	exit(1);
+}
+
+// ---- Partition boundary must be computed in PHP, not via strtotime/UNIX_TIMESTAMP('date') ----
+
+// Isolate the syslog_partition_create function body for partition-specific checks.
+$create_start = strpos($functions, 'function syslog_partition_create');
+
+if ($create_start === false) {
+	fwrite(STDERR, "Could not locate syslog_partition_create.\n");
+	exit(1);
+}
+
+$create_end = strpos($functions, 'function syslog_partition_remove', $create_start);
+
+if ($create_end === false) {
+	fwrite(STDERR, "Could not locate syslog_partition_remove to bound syslog_partition_create.\n");
+	exit(1);
+}
+
+$create_body = substr($functions, $create_start, $create_end - $create_start);
+
+// strtotime() mixes PHP's local time zone into UTC-intended math. Forbid it inside partition code.
+if (preg_match('/strtotime\s*\(/', $create_body)) {
+	fwrite(STDERR, "syslog_partition_create must not call strtotime(); partition math should be integer arithmetic.\n");
+	exit(1);
+}
+
+// UNIX_TIMESTAMP('YYYY-MM-DD') interprets the literal in the MySQL session TZ.
+// Boundaries must be integer literals computed in PHP instead.
+if (preg_match("/UNIX_TIMESTAMP\s*\(\s*'/", $create_body)) {
+	fwrite(STDERR, "syslog_partition_create must not pass a date literal to UNIX_TIMESTAMP(); compute the epoch in PHP.\n");
+	exit(1);
+}
+
+// The boundary computation must be explicit (next UTC midnight).
+if (!preg_match('/\(\(int\)\(\$time\s*\/\s*86400\)\s*\+\s*1\)\s*\*\s*86400/', $create_body)) {
+	fwrite(STDERR, "syslog_partition_create is missing the UTC-midnight boundary epoch computation.\n");
+	exit(1);
+}
+
+// ---- syslog_partition_create must fall back to dMaxValue when the expression cannot be detected ----
+
+if (!preg_match('/SHOW CREATE TABLE.*Unable to determine partition expression.*dMaxValue/s', $functions)) {
+	fwrite(STDERR, "syslog_partition_create does not preserve dMaxValue fallback on unknown partition expression.\n");
+	exit(1);
+}
+
+// ---- syslog_partition_manage must gate syslog_partition_remove on syslog_partition_create's return ----
+
+$manage_start = strpos($functions, 'function syslog_partition_manage');
+
+if ($manage_start === false) {
+	fwrite(STDERR, "Could not locate syslog_partition_manage.\n");
+	exit(1);
+}
+
+$manage_end = strpos($functions, 'function syslog_partition_table_allowed', $manage_start);
+
+if ($manage_end === false) {
+	fwrite(STDERR, "Could not bound syslog_partition_manage.\n");
+	exit(1);
+}
+
+$manage_body = substr($functions, $manage_start, $manage_end - $manage_start);
+
+// The remove() call must be inside an if that checks create()'s return.
+if (!preg_match('/if\s*\(\s*syslog_partition_create\s*\(\s*\'syslog\'\s*,[^)]*\)\s*\)\s*\{\s*\$syslog_deleted\s*=\s*syslog_partition_remove\s*\(\s*\'syslog\'\s*\)/s', $manage_body)) {
+	fwrite(STDERR, "syslog_partition_manage does not gate syslog_partition_remove('syslog') on syslog_partition_create's return value.\n");
+	exit(1);
+}
+
+if (!preg_match('/if\s*\(\s*syslog_partition_create\s*\(\s*\'syslog_removed\'\s*,[^)]*\)\s*\)\s*\{\s*\$syslog_deleted\s*\+\=\s*syslog_partition_remove\s*\(\s*\'syslog_removed\'\s*\)/s', $manage_body)) {
+	fwrite(STDERR, "syslog_partition_manage does not gate syslog_partition_remove('syslog_removed') on syslog_partition_create's return value.\n");
+	exit(1);
+}
+
+// ---- syslog_manage_items must validate $from_table and $to_table against an allowlist ----
+
+if (!preg_match('/function\s+syslog_manage_items\s*\(\s*\$from_table\s*,\s*\$to_table\s*\)\s*\{(.{0,800})/s', $functions, $m_manage)) {
+	fwrite(STDERR, "syslog_manage_items function not found.\n");
+	exit(1);
+}
+
+$manage_head = $m_manage[1];
+
+// The allowlist literal must appear explicitly in the guard block.
+if (!preg_match("/\\\$allowed_tables\s*=\s*\[\s*'syslog'\s*,\s*'syslog_incoming'\s*,\s*'syslog_removed'\s*\]/", $manage_head)) {
+	fwrite(STDERR, "syslog_manage_items does not declare the expected \$allowed_tables literal.\n");
+	exit(1);
+}
+
+// Both $from_table and $to_table must be checked with in_array against the allowlist, and the guard must fail closed.
+if (!preg_match('/!in_array\(\$from_table,\s*\$allowed_tables,\s*true\).*!in_array\(\$to_table,\s*\$allowed_tables,\s*true\)/s', $manage_head)) {
+	fwrite(STDERR, "syslog_manage_items does not check both \$from_table and \$to_table with in_array(..., true).\n");
+	exit(1);
+}
+
+if (!preg_match("/return\s*\[\s*'removed'\s*=>\s*0\s*,\s*'xferred'\s*=>\s*0\s*\]/", $manage_head)) {
+	fwrite(STDERR, "syslog_manage_items guard does not fail closed with ['removed' => 0, 'xferred' => 0].\n");
+	exit(1);
+}
+
+print "issue254_partition_table_locking_test passed\n";
diff --git a/tests/regression/issue315_csv_safe_unit_test.php b/tests/regression/issue315_csv_safe_unit_test.php
new file mode 100644
index 0000000..d10a829
--- /dev/null
+++ b/tests/regression/issue315_csv_safe_unit_test.php
@@ -0,0 +1,70 @@
+<?php
+
+/*
+ * Unit coverage for syslog_csv_safe(). Extracts the function source from
+ * functions.php and evals a renamed copy so this test does not collide
+ * with the rest of functions.php (which defines many dependencies like
+ * syslog_debug that conflict with test-time stubs).
+ */
+
+$functions = file_get_contents(dirname(__DIR__, 2) . '/functions.php');
+
+if ($functions === false) {
+	fwrite(STDERR, "Failed to load functions.php\n");
+	exit(1);
+}
+
+if (!preg_match('/function\s+syslog_csv_safe\s*\([^)]*\)\s*\{.*?\n\}/s', $functions, $m)) {
+	fwrite(STDERR, "Could not extract syslog_csv_safe from functions.php\n");
+	exit(1);
+}
+
+$source = str_replace('function syslog_csv_safe', 'function issue315_csv_safe', $m[0]);
+
+eval($source);
+
+$cases = [
+	// [input, expected output, label]
+	['',               '',                'empty string passes through'],
+	[null,             null,              'null passes through'],
+	[42,               42,                'integer passes through'],
+	['router1',        'router1',         'benign string unchanged'],
+	['=SUM(A1)',       "'=SUM(A1)",       'leading = prefixed'],
+	['+1234567',       "'+1234567",       'leading + prefixed'],
+	['-2+3',           "'-2+3",           'leading - prefixed'],
+	['@user',          "'@user",          'leading @ prefixed'],
+	["\tevil",         "'\tevil",         'leading tab prefixed'],
+	["\rboot",         "'\rboot",         'leading CR prefixed'],
+	[' =SUM(A1)',      "' =SUM(A1)",      'leading whitespace before = prefixed'],
+	['  @user',        "'  @user",        'multiple leading spaces before @ prefixed'],
+	['router@home',    'router@home',     '@ not at start unchanged'],
+	['has =equals',    'has =equals',     '= not at start unchanged'],
+	["'=already",      "'=already",       'already-escaped value is not double-prefixed'],
+];
+
+$failures = 0;
+
+foreach ($cases as $idx => $case) {
+	list($input, $expected, $label) = $case;
+
+	$actual = issue315_csv_safe($input);
+
+	if ($actual !== $expected) {
+		fwrite(STDERR, sprintf(
+			"case %d (%s): expected %s, got %s\n",
+			$idx,
+			$label,
+			var_export($expected, true),
+			var_export($actual, true)
+		));
+
+		$failures++;
+	}
+}
+
+if ($failures > 0) {
+	fwrite(STDERR, "$failures syslog_csv_safe test(s) failed\n");
+	exit(1);
+}
+
+print "issue315_csv_safe_unit_test passed\n";