diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php index cfe507549..7efbee166 100644 --- a/data/web/inc/functions.inc.php +++ b/data/web/inc/functions.inc.php @@ -1174,7 +1174,7 @@ function user_get_alias_details($username) { AND `goto` != :username_goto2 AND `address` != :username_address"); $stmt->execute(array( - ':username_goto' => '(^|,)'.$username.'($|,)', + ':username_goto' => '(^|,)'.preg_quote($username, '/').'($|,)', ':username_goto2' => $username, ':username_address' => $username )); @@ -1222,7 +1222,7 @@ function user_get_alias_details($username) { $data['aliases_send_as_all'] = $row['send_as']; } $stmt = $pdo->prepare("SELECT IFNULL(GROUP_CONCAT(`address` SEPARATOR ', '), '') as `address` FROM `alias` WHERE `goto` REGEXP :username AND `address` LIKE '@%';"); - $stmt->execute(array(':username' => '(^|,)'.$username.'($|,)')); + $stmt->execute(array(':username' => '(^|,)'.preg_quote($username, '/').'($|,)')); $run = $stmt->fetchAll(PDO::FETCH_ASSOC); while ($row = array_shift($run)) { $data['is_catch_all'] = $row['address']; diff --git a/data/web/inc/functions.mailbox.inc.php b/data/web/inc/functions.mailbox.inc.php index 6cc98e92e..1b6f9ae47 100644 --- a/data/web/inc/functions.mailbox.inc.php +++ b/data/web/inc/functions.mailbox.inc.php @@ -3768,7 +3768,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) { $data['external_sender_aliases'] = array(); // Fixed addresses $stmt = $pdo->prepare("SELECT `address` FROM `alias` WHERE `goto` REGEXP :goto AND `address` NOT LIKE '@%'"); - $stmt->execute(array(':goto' => '(^|,)'.$_data.'($|,)')); + $stmt->execute(array(':goto' => '(^|,)'.preg_quote($_data, '/').'($|,)')); $rows = $stmt->fetchAll(PDO::FETCH_ASSOC); while ($row = array_shift($rows)) { $data['fixed_sender_aliases'][] = $row['address']; 
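Review bot: `preg_quote()` is PHP's PCRE escaper, so the four bound patterns (`:username_goto` and `:username` in functions.inc.php, `:goto` and `:username` in functions.mailbox.inc.php) are only correct if the database's REGEXP engine treats every backslash sequence it emits, including `\-`, `\#`, `\=`, `\!`, `\<`, `\>` and `\:`, as a literal character. The `'/'` delimiter argument has no meaning in SQL and only adds `\/`. Because `goto` is matched as a comma-separated list, a literal comparison avoids the dialect question: `FIND_IN_SET(:username_goto, goto)` with `':username_goto' => $username` bound unescaped, assuming list entries carry no surrounding whitespace and a username never contains a comma. If REGEXP has to stay, one shared helper that returns `'(^|,)'.preg_quote($value).'($|,)'` would keep the escaping in one place instead of four copies. The `prepare()` call for the first statement starts above the hunk, so its REGEXP predicate is inferred from the placeholder name.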
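Review bot: At `preg_quote($_data, '/')` in the `mailbox()` hunk, `$_data` defaults to `null` in the signature shown in the hunk header, and `preg_quote()` fails differently from the old string concatenation. Under PHP 8 it throws a TypeError for an array and emits a deprecation for `null`, where the concatenation only produced a warning. Whether this branch validates `$_data` before the query is outside the hunk, so that is worth confirming. If it does not, a guard such as `if (!is_string($_data) || $_data === '') { return false; }` (or whatever this branch returns on invalid input) keeps malformed request data from surfacing as an uncaught error. `mailbox()` begins and ends outside the hunk.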
@@ -5534,7 +5534,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) { )); $stmt = $pdo->prepare("SELECT `address`, `goto` FROM `alias` WHERE `goto` REGEXP :username"); - $stmt->execute(array(':username' => '(^|,)'.$username.'($|,)')); + $stmt->execute(array(':username' => '(^|,)'.preg_quote($username, '/').'($|,)')); $GotoData = $stmt->fetchAll(PDO::FETCH_ASSOC); foreach ($GotoData as $gotos) { $goto_exploded = explode(',', $gotos['goto']);