diff --git a/ws.php b/ws.php
index ec19b77922..0de29ea571 100644
--- a/ws.php
+++ b/ws.php
@@ -22,7 +22,18 @@
 // Handle direct user lookup API for admin tools
 if (isset($_GET['lookup_user']) && is_admin()) {
- $user_data = get_user_by_id($_GET['lookup_user']);
+ // Validate and normalize input to prevent SQL injection. Only allow integer user IDs.
+ $lookup = $_GET['lookup_user'];
+ $user_id = filter_var($lookup, FILTER_VALIDATE_INT);
+ if ($user_id === false || $user_id <= 0) {
+ // Invalid input: return a 400 response rather than performing a lookup
+ header('HTTP/1.1 400 Bad Request');
+ header('Content-Type: application/json');
+ echo json_encode(array('error' => 'Invalid user id'));
+ exit;
+ }
+
+ $user_data = get_user_by_id($user_id);
 if ($user_data) {
 header('Content-Type: application/json');
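Review bot: The added comment `// Validate and normalize input to prevent SQL injection. Only allow integer user IDs.` overstates what this hunk guarantees: coercing the value to an int via `filter_var(..., FILTER_VALIDATE_INT)` makes this one call site safe, but `get_user_by_id` is defined outside the hunk and, if it interpolates its argument, remains injectable from any other caller, so the comment should read `// Only accept a positive integer id; get_user_by_id must still bind its parameter rather than interpolate it.` Separately, the status line `header('HTTP/1.1 400 Bad Request');` hard-codes the protocol version; the idiomatic form is `http_response_code(400);`, which lets the SAPI emit the correct status line. The rejection path is sound as far as it goes — an array value such as `lookup_user[]=1` makes `filter_var` return `false` and is rejected, and `exit` prevents the lookup from running. The enclosing `if (isset(...) && is_admin())` block and the `if ($user_data)` branch both continue past the end of the hunk.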