diff --git a/web/api.php b/web/api.php
index 77247e1..669f614 100644
--- a/web/api.php
+++ b/web/api.php
@@ -8,7 +8,7 @@ ini_set('display_errors', 1);
 include_once(ROOT.DS.'inc'.DS.'core.php');
 
 $action = strtolower($_REQUEST['a']);
-$email = strtolower($_REQUEST['email']);
+$email = basename(realpath(strtolower($_REQUEST['email'])));
 
 switch($action)
 {