diff --git a/web/api.php b/web/api.php
index eb7ebbb..77247e1 100644
--- a/web/api.php
+++ b/web/api.php
@@ -19,7 +19,7 @@ switch($action)
 break;
 case 'attachment':
 $id = $_REQUEST['id'];
- $filename = $_REQUEST['filename'];
+ $filename = basename(realpath($_REQUEST['filename']));
 $filepath = ROOT.DS.'..'.DS.'data'.DS.$email.DS.'attachments'.DS.$id.'-'.$filename;
 if(!filter_var($email, FILTER_VALIDATE_EMAIL)) $o = array('status'=>'err','reason'=>'Invalid Email address');
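Review bot: `realpath()` is the wrong filter on the new `$filename` line: it resolves the request value against the server's own filesystem (relative to the process working directory) and returns `false` for anything that does not exist there, so `basename()` then yields `''` and every legitimate attachment name that is not also an existing server path is rejected, while the existence probe itself is behaviour the endpoint should not expose. `basename()` alone already discards directory components, so `$filename = basename((string) ($_REQUEST['filename'] ?? ''));` followed by rejecting an empty result is sufficient for this line. The same concern applies to `$id`, which the hunk leaves unfiltered as a segment of `$filepath`; it should be validated to its expected format before the path is built (e.g. `ctype_digit((string) $id)` if ids are numeric — confirm against how attachments are stored). The enclosing `switch` and this `case` continue outside the hunk.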