diff --git a/lib/shop.lib.php b/lib/shop.lib.php
index c56cd70d0..ba7b79824 100644
--- a/lib/shop.lib.php
+++ b/lib/shop.lib.php
@@ -2245,7 +2245,7 @@ function get_shop_order_data($od_id, $type='item')
 {
     global $g5;
 
-    $od_id = clean_xss_tags($od_id);
+    $od_id = preg_replace('/[^0-9a-z_-]/i', '', clean_xss_tags($od_id));
 
     if( $type == 'personal' ){
         $row = sql_fetch("select * from {$g5['g5_shop_personalpay_table']} where pp_id = $od_id ", false);
diff --git a/mobile/shop/inicis/pay_return.php b/mobile/shop/inicis/pay_return.php
index eb759b943..b66167096 100644
--- a/mobile/shop/inicis/pay_return.php
+++ b/mobile/shop/inicis/pay_return.php
@@ -7,6 +7,8 @@
 set_session('P_TID', '');
 set_session('P_AMT', '');
 set_session('P_HASH', '');
 
+$oid = preg_replace('/[^0-9a-z_-]/i', '', $oid);
+
 $sql = " select * from {$g5['g5_shop_order_data_table']} where od_id = '$oid' ";
 $row = sql_fetch($sql);
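Review bot: The allow-list on the added line narrows the character set, but `$od_id` is still interpolated unquoted into `where pp_id = $od_id` on the last context line, and the permitted characters still include `-` and hex-style digits, so an input such as `1-1` or `0x2` reaches MySQL as an expression rather than as a literal id, and an input that is stripped to nothing produces `where pp_id = ` and a malformed query. pp_id looks like a numeric key (inferred from the bare comparison, not visible here), so the `personal` branch should cast at the point of use — `$row = sql_fetch("select * from {$g5['g5_shop_personalpay_table']} where pp_id = '".(int)$od_id."' ", false);` — or at least quote the value so the filter is the only thing standing between input and SQL. A short why-comment on the filter line would also help the next maintainer: `// od_id is interpolated into SQL below; keep it to [0-9A-Za-z_-]`. The `item` branch and the rest of get_shop_order_data() lie outside the hunk; any other unquoted interpolation of `$od_id` there deserves the same treatment.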
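Review bot: The added line in pay_return.php duplicates the exact character allow-list that this same commit puts into get_shop_order_data() in lib/shop.lib.php, so the two rules will drift the first time one of them is edited; moving the filter into one shared helper in the library and calling it from both places would keep the policy in a single spot. Where `$oid` is assigned is above the hunk, so it cannot be confirmed here that it is always a string — `preg_replace` returns `''` for a null or empty input, and the query then silently matches no row — so the code following `$row = sql_fetch($sql);` should treat an empty `$row` as a rejected payment return rather than continue; that code is outside the hunk. The query does quote `'$oid'`, so with the filter in place the value can no longer terminate the string literal.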