diff --git a/bin/database/module.js b/bin/database/module.js
index 5ddea97..c144c80 100644
--- a/bin/database/module.js
+++ b/bin/database/module.js
@@ -9,6 +9,7 @@
 // init
 var mongoose = require('mongoose');
+var sanitize = require('mongo-sanitize');
 var crypto = require('crypto');
 var methods = {};
@@ -63,10 +64,10 @@ methods.addUser = (nick, email, passhash, group, callback) => {
 let userModel = models.user;
 let user = new userModel();
- user.nickname = nick;
- user.email = email;
- user.passhash = passhash;
- user.group = group;
+ user.nickname = sanitize(nick);
+ user.email = sanitize(email);
+ user.passhash = sanitize(passhash);
+ user.group = sanitize(group);
 user.save((err) => {
 if(!err) callback(null, 1);
@@ -88,6 +89,9 @@ methods.delUser = (haystack, callback) => {
 let userModel = models.user;
+ // sanitize input
+ haystack = sanitize(haystack);
+
 userModel.findOneAndDelete().or([{nickname: haystack}, {email: haystack}])
 .then((rep) => {
 // TODO delete user
@@ -132,6 +136,9 @@ methods.getUser = (haystack, callback) => {
 let userModel = models.user;
+ // sanitize input
+ haystack = sanitize(haystack);
+
 let or = [];
 if(typeof haystack === 'string') {
 or = [{nickname: haystack}, {email: haystack}, {token: haystack}];
diff --git a/package.json b/package.json
index b664d4a..e0b8387 100644
--- a/package.json
+++ b/package.json
@@ -7,10 +7,11 @@
 "license": "",
 "dependencies": {
 "body-parser": "^1.19.0",
- "chalk": "^2.4.2",
+ "chalk": "^2.4.2",
 "cookie-parser": "^1.4.4",
 "express": "^4.17.1",
 "express-session": "^1.16.1",
+ "mongo-sanitize": "^1.0.1",
 "mongoose": "^5.5.12",
 "pug": "^2.0.3",
 "request": "^2.88.0",
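Review bot: Wrapping the four field assignments in `sanitize()` adds no real check in addUser, because mongo-sanitize only deletes `$`-prefixed keys from objects and hands a string back unchanged, and these values are assigned to document fields rather than used as query operators, which is where operator injection lives (the `.or([...])` lookups elsewhere in this file). Whether a non-string `nick` or `email` is accepted on `user.save` is decided by the Mongoose schema's casting, not by this call. If the intent is to reject malformed input, an explicit type check says so: `if ([nick, email, passhash, group].some((v) => typeof v !== 'string')) return callback(new Error('invalid user fields'));`, assuming the `(err, result)` callback shape visible in `callback(null, 1)`. If `group` can originate from the request, note that sanitizing it does nothing to stop a caller picking a privileged group; that decision has to be made by the caller. The body of addUser continues outside the hunk.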
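Review bot: In delUser the sanitized `haystack` still goes into `.or([{nickname: haystack}, {email: haystack}])` with no type check, so a non-string value such as an array, or an object whose `$` keys were stripped (`{"$ne": null}` comes back as `{}`), still reaches the query and it is left to Mongoose casting to reject it; for a delete that is not a defense I would rely on. getUser in this same commit guards with `typeof haystack === 'string'`, and delUser should do the same before building the query: `if (typeof haystack !== 'string') return callback(new Error('invalid user lookup'));` (assuming the `(err, result)` callback convention used in addUser). Also worth noting that mongo-sanitize mutates the object in place, and I believe early 1.x releases only strip top-level keys — worth confirming for the `^1.0.1` range being added. The rest of delUser, including the `// TODO delete user` branch, is outside the hunk.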
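Review bot: In getUser the `typeof haystack === 'string'` check that follows is the real defense; the `sanitize()` call added before it only removes `$`-prefixed keys from objects and leaves every other non-string shape (arrays, nested objects, an emptied `{}`) to whatever the `else` branch outside this hunk does with them. If that branch forwards `haystack` into a query, an operator-free object or array can still be used as a value, so I would reject non-string input explicitly rather than let it fall through: `if (typeof haystack !== 'string') return callback(new Error('invalid user lookup'));`, unless the else branch is a deliberate object-query path — I cannot see it from here. The comment `// sanitize input` would be more useful as `// strip $-operator keys from an object haystack; strings pass through unchanged`, since the call is a no-op on the string path this function actually queries with. getUser's body continues outside the hunk.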