Security protections implemented:

1. All queries use PDO prepared statements
2. Agents restricted by WHERE agent_id=session user
3. Completed reports cannot be edited unless admin
4. All outputs should use htmlspecialchars to prevent XSS