diff --git a/htdocs/create.php b/htdocs/create.php
index 86dab02febd70edc3a3a101269038fe8ce4d9d2d..137ae73069ae621dc3c6c458f41bc6e826c01a01 100644
--- a/htdocs/create.php
+++ b/htdocs/create.php
@@ -105,13 +105,24 @@ function isAuthorized($mail,$secret) {
 	}
 	return false;
 }
+
+if(strlen($mbox) > 30 || strlen($name) > 30 || strlen($pw) > 1024 || strlen($pw2) > 1024 || strlen($authmail) > 1024 || strlen($authsecret) > 1024) {
+    echo "Input too large";
+    exit;
+}
+
+if(!preg_match("/^[a-z0-9_\-\.]{3,30}$/", $mbox)) {
+    echo "Invalid username";
+    exit;
+}
+
 if(!isset($_POST['authmail']) || !isset($_POST['authsecret'])) {
 	echo "You are not authorized to create an account";
 	exit;
 }
 if(!isAuthorized(trim($authmail),trim($authsecret))) {
-	echo "You are not authorized to create an account";
-        exit;
+    echo "You are not authorized to create an account";
+    exit;
 }
 
 if(!isset($_POST['username']) || !isset($_POST['password']) ||!isset($_POST['displayname']) ||!isset($_POST['repassword']) || strcmp($pw,$pw2)!=0) 
@@ -121,7 +132,7 @@ if(!isset($_POST['username']) || !isset($_POST['password']) ||!isset($_POST['dis
 	} else {
 		echo "Passwords do not match";
     }
-    return;
+    exit;
 }
 
 $resultmail=$mbox."@".$domain;