diff --git a/mobile/shop/search.php b/mobile/shop/search.php
index b5deff178..561212159 100644
--- a/mobile/shop/search.php
+++ b/mobile/shop/search.php
@@ -20,7 +20,7 @@ $q = utf8_strcut(get_search_string(trim($_GET['q'])), 30, "");
 $qname = isset($_GET['qname']) ? trim($_GET['qname']) : '';
 $qexplan = isset($_GET['qexplan']) ? trim($_GET['qexplan']) : '';
 $qid = isset($_GET['qid']) ? trim($_GET['qid']) : '';
-$qcaid = isset($_GET['qcaid']) ? trim($_GET['qcaid']) : '';
+$qcaid = isset($_GET['qcaid']) ? preg_replace('#[^a-z0-9]#i', '', trim($_GET['qcaid'])) : '';
 $qfrom = isset($_GET['qfrom']) ? preg_replace('/[^0-9]/', '', trim($_GET['qfrom'])) : '';
 $qto = isset($_GET['qto']) ? preg_replace('/[^0-9]/', '', trim($_GET['qto'])) : '';
 if (isset($_GET['qsort'])) {
diff --git a/shop/search.php b/shop/search.php
index 3fe4c5762..2c3e38fd3 100644
--- a/shop/search.php
+++ b/shop/search.php
@@ -25,7 +25,7 @@ $q = utf8_strcut(get_search_string(trim($_GET['q'])), 30, "");
 $qname = isset($_GET['qname']) ? trim($_GET['qname']) : '';
 $qexplan = isset($_GET['qexplan']) ? trim($_GET['qexplan']) : '';
 $qid = isset($_GET['qid']) ? trim($_GET['qid']) : '';
-$qcaid = isset($_GET['qcaid']) ? trim($_GET['qcaid']) : '';
+$qcaid = isset($_GET['qcaid']) ? preg_replace('#[^a-z0-9]#i', '', trim($_GET['qcaid'])) : '';
 $qfrom = isset($_GET['qfrom']) ? preg_replace('/[^0-9]/', '', trim($_GET['qfrom'])) : '';
 $qto = isset($_GET['qto']) ? preg_replace('/[^0-9]/', '', trim($_GET['qto'])) : '';
 if (isset($_GET['qsort'])) {
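Review bot: The new whitelist on `$qcaid` leaves the three request parameters directly above it — `$qname`, `$qexplan` and `$qid` — with only `trim()`, so if any of them is consumed the same way `$qcaid` was (the consuming code is outside the hunk, so this is inferred, not confirmed), the same class of input-handling gap remains; the same applies to the identical hunk in shop/search.php. Each of those parameters should get a filter matching its expected value domain, or be bound as a parameter where it reaches a query, rather than relying on a downstream escape. For consistency with the neighbouring `$qfrom`/`$qto` lines, the added pattern could use the same delimiter form: `preg_replace('/[^a-z0-9]/i', '', trim($_GET['qcaid']))`. A short comment above the block stating what character set each `q*` parameter is restricted to would make the intended validation policy visible to the next maintainer.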