diff --git a/inc/accounts.php b/inc/accounts.php
index 5c57119..d84da98 100644
--- a/inc/accounts.php
+++ b/inc/accounts.php
@@ -39,17 +39,17 @@ function web_add($form, $admin_mail) {
 if(!$form->getField('password_random')->getValue()) {
 $exec_cmd .= sprintf(' -p %s',
- $form->getField('password')->getValue());
+ escapeshellarg($form->getField('password')->getValue()));
 }
 /* Ajout des options spécifiques à MySQL si nécessaire */
 if($form->getField('mysql_db')->getValue()) {
 $exec_cmd .= sprintf(' -m %s',
- $form->getField('mysql_dbname')->getValue());
+ escapeshellarg($form->getField('mysql_dbname')->getValue()));
 if(!$form->getField('mysql_password_random')->getValue()) {
 $exec_cmd .= sprintf(' -P %s',
- $form->getField('mysql_password')->getValue());
+ escapeshellarg($form->getField('mysql_password')->getValue()));
 }
 }
@@ -58,12 +58,12 @@ function web_add($form, $admin_mail) {
 }
 if ($conf['quota']) {
- $exec_cmd .= sprintf(' -q %s:%s', $form->getField('quota_soft')->getValue(), $form->getField('quota_hard')->getValue());
+ $exec_cmd .= sprintf(' -q %s:%s', escapeshellarg($form->getField('quota_soft')->getValue()), escapeshellarg($form->getField('quota_hard')->getValue()));
 }
 $exec_cmd .= sprintf(' -l %s %s %s 2>&1', $admin_mail,
- $form->getField('username')->getValue(),
- $form->getField('domain')->getValue());
+ escapeshellarg($form->getField('username')->getValue()),
+ escapeshellarg($form->getField('domain')->getValue()));
 //domain_add($form, $_SERVER['SERVER_ADDR'], true);
 sudoexec($exec_cmd, $exec_output, $exec_return);
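Review bot: Wrapping the `-p` and `-P` values in escapeshellarg() closes the quoting hole, but the account and MySQL passwords are still handed to web-add.sh on its command line, where they are readable in the process list by any local user for the lifetime of the script and may end up in whatever logging sudoexec does (its implementation is not visible here). If web-add.sh can be adapted, pass the secrets on stdin or through the environment and leave only the flag on argv; the same applies to the identical lines in web_add_cluster at @@ -97. web_add's body starts before this hunk, so the origin of $exec_cmd is not visible.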
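Review bot: $admin_mail is still interpolated unescaped into the `-l` sprintf on the context line `sprintf(' -l %s %s %s 2>&1', $admin_mail,`, while the cluster variant at @@ -173 wraps it; its origin is a parameter of web_add and not visible here, so it should get the same treatment: `escapeshellarg($admin_mail),`. The quota line now produces `'soft':'hard'`, which only collapses back to `soft:hard` because a POSIX shell concatenates adjacent quoted words, so it depends on sudoexec going through a shell; since both values are sizes, a numeric cast is both tighter and shell-independent: `$exec_cmd .= sprintf(' -q %d:%d', (int) $form->getField('quota_soft')->getValue(), (int) $form->getField('quota_hard')->getValue());`.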
@@ -72,7 +72,7 @@ function web_add($form, $admin_mail) {
 if ( $form->getField('domain_alias')->getValue() ) {
 $domain_alias = preg_split('/,/', $form->getField('domain_alias')->getValue());
 foreach ( $domain_alias as $domain ) {
- $exec_cmd = 'web-add.sh add-alias '.$form->getField('username')->getValue().' ';
+ $exec_cmd = 'web-add.sh add-alias '.escapeshellarg($form->getField('username')->getValue()).' ';
 $domain = trim($domain);
 $exec_cmd .= $domain.' '. $server_list;
 sudoexec($exec_cmd, $exec_output, $exec_return);
@@ -97,17 +97,17 @@ function web_add_cluster($form, $admin_mail) {
 if(!$form->getField('password_random')->getValue()) {
 $exec_cmd .= sprintf(' -p %s',
- $form->getField('password')->getValue());
+ escapeshellarg($form->getField('password')->getValue()));
 }
 /* Ajout des options spécifiques à MySQL si nécessaire */
 if($form->getField('mysql_db')->getValue()) {
 $exec_cmd .= sprintf(' -m %s',
- $form->getField('mysql_dbname')->getValue());
+ escapeshellarg($form->getField('mysql_dbname')->getValue()));
 if(!$form->getField('mysql_password_random')->getValue()) {
 $exec_cmd .= sprintf(' -P %s',
- $form->getField('mysql_password')->getValue());
+ escapeshellarg($form->getField('mysql_password')->getValue()));
 }
 $account['bdd'] = $form->getField('mysql_dbname')->getValue();
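Review bot: Escaping the username on the add-alias line does not close this command: two lines later `$exec_cmd .= $domain.' '. $server_list;` appends each comma-separated alias from the same form field raw, so the domain_alias value is still concatenated into the shell command unquoted. Change it to `$exec_cmd .= escapeshellarg($domain).' '. $server_list;` ($server_list comes from outside the hunk and should be checked the same way). The same gap is at @@ -189, where `$alias`, `$master` and `$slave` are concatenated unescaped even though `$master`/`$slave` are escaped at @@ -173: `$exec_cmd .= escapeshellarg($alias).' '.escapeshellarg($master).' '.escapeshellarg($slave);`. preg_split on a trailing comma also yields an empty element, which after escaping becomes `''`; skipping empty aliases before the sudoexec call avoids running the script with a blank argument.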
@@ -173,13 +173,13 @@ function web_add_cluster($form, $admin_mail) {
 break;
 }
- $exec_cmd .= sprintf(' -l %s %s %s %s %s %s 2>&1',
- $admin_mail,
- $form->getField('username')->getValue(),
- $form->getField('domain')->getValue(),
- $master,
- $slave,
- ($realtime ? 'realtime': 'deferred'));
+ $exec_cmd .= sprintf(' -l %s %s %s %s %s %s 2>&1',
+ escapeshellarg($admin_mail),
+ escapeshellarg($form->getField('username')->getValue()),
+ escapeshellarg($form->getField('domain')->getValue()),
+ escapeshellarg($master),
+ escapeshellarg($slave),
+ escapeshellarg( ($realtime ? 'realtime': 'deferred')) );
 //if ($conf['bindadmin']) domain_add($form->getField('domain')->getValue(), gethostbyname($master), true, $form->getField('use_gmail_mxs')->getValue());
@@ -189,7 +189,7 @@ function web_add_cluster($form, $admin_mail) {
 if ( $form->getField('domain_alias')->getValue() ) {
 $domain_alias = preg_split('/,/', $form->getField('domain_alias')->getValue());
 foreach ( $domain_alias as $alias ) {
- $exec_cmd = 'web-add-cluster.sh add-alias '.$form->getField('username')->getValue().' ';
+ $exec_cmd = 'web-add-cluster.sh add-alias '.escapeshellarg($form->getField('username')->getValue()).' ';
 $alias = trim($alias);
 $exec_cmd .= $alias.' '.$master.' '.$slave;
 sudoexec($exec_cmd, $exec_output2, $exec_return2);
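Review bot: The last argument line, `escapeshellarg( ($realtime ? 'realtime': 'deferred')) );`, carries a redundant inner parenthesis pair and a stray space before the closing `)`, unlike the five arguments above it; the ternary only ever yields one of two literals, so quoting it is harmless but the line should read `escapeshellarg($realtime ? 'realtime' : 'deferred'));` to match the rest. The switch that the `break; }` context closes begins outside the hunk, so how $master and $slave are chosen is not visible here.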