diff --git a/web/api/index.php b/web/api/index.php
index 078ef1bd6..c938512a5 100644
--- a/web/api/index.php
+++ b/web/api/index.php
@@ -14,7 +14,8 @@ if (isset($_POST['user']) || isset($_POST['hash'])) {
         
         $v_user = escapeshellarg($_POST['user']);
         $v_password = escapeshellarg($_POST['password']);
-        exec(VESTA_CMD ."v-check-user-password ".$v_user." ".$v_password." '".$_SERVER["REMOTE_ADDR"]."'",  $output, $auth_code);
+        $v_ip_addr = escapeshellarg($_SERVER["REMOTE_ADDR"]);
+        exec(VESTA_CMD ."v-check-user-password ".$v_user." ".$v_password." '".$v_ip_addr."'",  $output, $auth_code);
     } else {
         $key = '/usr/local/vesta/data/keys/' . basename($_POST['hash']);
         if (file_exists($key) && is_file($key)) {