diff --git a/src/api/account/data.rs b/src/api/account/data.rs
index 3bf5cfd..dc0a873 100644
--- a/src/api/account/data.rs
+++ b/src/api/account/data.rs
@@ -2,9 +2,9 @@ use serde::{Deserialize, Serialize};
 
 #[derive(Debug, Deserialize)]
 pub struct RegisterRequest {
-    username: String,
-    password: String,
-    email: String,
+    pub username: String,
+    pub password: String,
+    pub email: String,
 }
 
 #[derive(Debug, Serialize)]
@@ -24,7 +24,7 @@ pub enum RegisterResponse {
 
 #[derive(Debug, Deserialize)]
 pub struct VerifyRequest {
-    token: String,
+    pub token: String,
 }
 
 #[derive(Debug)]
@@ -36,8 +36,8 @@ pub enum VerifyResponse {
 
 #[derive(Debug, Deserialize)]
 pub struct AuthenticateRequest {
-    username: String,
-    password: String,
+    pub username: String,
+    pub password: String,
 }
 
 #[derive(Debug, Serialize)]
diff --git a/src/api/account/handlers.rs b/src/api/account/handlers.rs
index 5a5826e..96f12c4 100644
--- a/src/api/account/handlers.rs
+++ b/src/api/account/handlers.rs
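Review bot: Making `password` a `pub` field of `RegisterRequest` and `AuthenticateRequest` while both keep `#[derive(Debug)]` means any `{:?}` of a request (log lines, error context, panic messages) prints the plaintext password, and the wider visibility makes such prints more likely from other modules. Replace the derived `Debug` on those two structs with a manual impl that redacts the password field, or wrap the field in a newtype whose `Debug` does the same; the same treatment is worth considering for `VerifyRequest::token`. If the fields only need to be reachable from `handlers.rs`, `pub(crate)` is the narrower choice.
```rust
#[derive(Deserialize)]
pub struct RegisterRequest {
    // … unchanged: username, password, email fields …
}

impl std::fmt::Debug for RegisterRequest {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        f.debug_struct("RegisterRequest")
            .field("username", &self.username)
            .field("password", &"<redacted>")
            .field("email", &self.email)
            .finish()
    }
}
// … unchanged: VerifyRequest, AuthenticateRequest (same redacting impl) …
```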
@@ -2,17 +2,46 @@ use crate::api::account::data;
 use anyhow::Result;
 use log::info;
 
+fn is_sql_injection(string: &String) -> bool {
+    match libinjection::sqli(string) {
+        Some((is_injection, _)) => is_injection,
+        None => true, // this could be a false positive, but that would be better than an SQLi
+    }
+}
+
+trait AlphaExt {
+    fn is_alpha(&self) -> bool;
+}
+
+impl AlphaExt for String {
+    fn is_alpha(&self) -> bool {
+        self.chars().all(|c| c.is_alphanumeric())
+    }
+}
+
 pub async fn register(request: data::RegisterRequest) -> Result {
+    if is_sql_injection(&request.username) || is_sql_injection(&request.email) {
+        return Ok(data::RegisterResponse::Blocked);
+    }
+
     Ok(data::RegisterResponse::Success)
 }
 
 pub async fn verify(request: data::VerifyRequest) -> Result {
+    if !request.token.is_alpha() {
+        return Ok(data::VerifyResponse::Blocked);
+    }
+
     Ok(data::VerifyResponse::Success)
 }
 
 pub async fn authenticate(
     request: data::AuthenticateRequest,
 ) -> Result {
+    if is_sql_injection(&request.username) {
+        return Ok(data::AuthenticateResponse::Blocked);
+    }
+
     Ok(data::AuthenticateResponse::Success(
         data::AuthenticateSuccess {
             token: "not_a_valid_token".to_string(),
@@ -21,6 +50,10 @@ pub async fn authenticate(
 }
 
 pub async fn delete(token: String) -> Result {
+    if !token.is_alpha() {
+        return Ok(data::DeleteResponse::Blocked);
+    }
+
     info!("Token: {}", token);
     Ok(data::DeleteResponse::Success)
 }
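Review bot: `AlphaExt::is_alpha` is vacuously true for the empty string (`all` on an empty iterator) and accepts any Unicode letter or digit, so `verify` here and `delete` in the next hunk let an empty or non-ASCII token through to the success path, and the name says "alpha" while the body checks alphanumerics. Change the body to `!self.is_empty() && self.chars().all(|c| c.is_ascii_alphanumeric())` and rename the method accordingly; that fixes both call sites at once. `is_sql_injection` should take `&str` rather than `&String` (the existing call already relies on deref coercion if `libinjection::sqli` takes `&str`). The `Blocked` returns are silent — a `warn!` naming the handler, without echoing the field value, would let operators count and tune detections, and this pattern-based check is only defence in depth rather than a substitute for parameterised queries in whatever persistence layer these stubs will call. The `authenticate` body continues past the end of the hunk.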
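Review bot: The guard added to `delete` constrains the token's character set but leaves the line right after it, `info!("Token: {}", token);`, writing the accepted token in full to the log, so anyone with log access holds a usable credential. Log a non-sensitive attribute instead, e.g. `info!("delete: token len={}", token.len());`, or drop the line once the handler does real work. `delete` starts and ends within this hunk.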