diff --git a/backend/twitch.js b/backend/twitch.js
index 6a70c89..c713676 100644
--- a/backend/twitch.js
+++ b/backend/twitch.js
@@ -9,6 +9,13 @@ async function getCommentsForVOD(clientID, clientSecret, vodId) {
     const { promisify } = require('util');
     const child_process = require('child_process');
     const exec = promisify(child_process.exec);
+    
+    // Reject invalid params to prevent command injection attack
+    if (!clientID.match(/^[0-9a-z]+$/) || !clientSecret.match(/^[0-9a-z]+$/) || !vodId.match(/^[0-9a-z]+$/)) {
+        logger.error('Client ID, client secret, and VOD ID must be purely alphanumeric. Twitch chat download failed!');
+        return null;
+    }
+
     const result = await exec(`tcd --video ${vodId} --client-id ${clientID} --client-secret ${clientSecret} --format json -o appdata`, {stdio:[0,1,2]});
 
     if (result['stderr']) {