diff --git a/src/api/models/user.ts b/src/api/models/user.ts
index 30805e4b6..c8c187c50 100644
--- a/src/api/models/user.ts
+++ b/src/api/models/user.ts
@@ -8,9 +8,14 @@ const collection = db.get('users');
 export default collection as any; // fuck type definition
 
 export function validateUsername(username: string): boolean {
- return /^[a-zA-Z0-9\-]{3,20}$/.test(username);
+ return typeof username == 'string' && /^[a-zA-Z0-9\-]{3,20}$/.test(username);
+}
+
+export function validatePassword(password: string): boolean {
+ return typeof password == 'string' && password != '';
 }
 
 export function isValidBirthday(birthday: string): boolean {
- return /^([0-9]{4})\-([0-9]{2})-([0-9]{2})$/.test(birthday);
+ return typeof birthday == 'string' && /^([0-9]{4})\-([0-9]{2})-([0-9]{2})$/.test(birthday);
+}
 }
diff --git a/src/api/private/signin.ts b/src/api/private/signin.ts
index 14dd1c705..fe3b5f708 100644
--- a/src/api/private/signin.ts
+++ b/src/api/private/signin.ts
@@ -12,6 +12,16 @@ export default async (req: express.Request, res: express.Response) => {
 const username = req.body['username'];
 const password = req.body['password'];
 
+ if (typeof username != 'string') {
+ res.sendStatus(400);
+ return;
+ }
+
+ if (typeof password != 'string') {
+ res.sendStatus(400);
+ return;
+ }
+
 // Fetch user
 const user = await User.findOne({
 username_lower: username.toLowerCase()
diff --git a/src/api/private/signup.ts b/src/api/private/signup.ts
index 73e04f8b3..bd2a7ef02 100644
--- a/src/api/private/signup.ts
+++ b/src/api/private/signup.ts
@@ -3,7 +3,7 @@ import * as bcrypt from 'bcryptjs';
 import rndstr from 'rndstr';
 import recaptcha = require('recaptcha-promise');
 import User from '../models/user';
-import { validateUsername } from '../models/user';
+import { validateUsername, validatePassword } from '../models/user';
 import serialize from '../serializers/user';
 import config from '../../conf';
 
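Review bot: The new side ends with `+}` immediately followed by the context line `}` after isValidBirthday, which as collapsed here reads as an unbalanced closing brace; the hunk counts (-8,9 +8,14) agree with that reading, so it is worth confirming the file still compiles. The `typeof ... == 'string'` guards are the right defence for values that arrive from a request body as objects rather than strings, but with the parameters declared `string` the checks look redundant to the type checker and may be flagged by lint; declaring them `unknown`, e.g. `export function validatePassword(password: unknown): boolean {`, documents that the runtime check is intentional and still accepts every current caller. validatePassword accepts any non-empty string, so if a minimum length is wanted this is the place for it. Prefer strict `===`/`!==` over `==`/`!=` in the three new comparisons.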
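Review bot: The two added guards are identical apart from the variable and can be a single check, `if (typeof username !== 'string' || typeof password !== 'string') { res.sendStatus(400); return; }`, which keeps the 400 path in one place. The check must stay ahead of `username.toLowerCase()` and the `User.findOne` query, as it does here, since that is what stops a non-string body value such as an operator object from reaching the query or throwing a TypeError. The enclosing handler starts and continues outside the hunk.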
@@ -34,7 +34,7 @@ export default async (req: express.Request, res: express.Response) => {
 }
 
 // Validate password
- if (password == '') {
+ if (!validatePassword(password)) {
 res.sendStatus(400);
 return;
 }
diff --git a/test/api.js b/test/api.js
index 40dbdf201..6b1cbe1c4 100644
--- a/test/api.js
+++ b/test/api.js
@@ -120,6 +120,19 @@ describe('API', () => {
 });
 }));
 
+ it('クエリをインジェクションできない', () => new Promise(async (done) => {
+ const me = await insertSakurako();
+ request('/signin', {
+ username: me.username,
+ password: {
+ $gt: ''
+ }
+ }).then(res => {
+ res.should.have.status(400);
+ done();
+ });
+ }));
+
 it('正しい情報でサインインできる', () => new Promise(async (done) => {
 const me = await insertSakurako();
 request('/signin', {
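Review bot: `!validatePassword(password)` rejects non-strings and the empty string only, so on length it is no stronger than the `password == ''` it replaces; if a minimum password length is intended it belongs in validatePassword so that signup and any later password-change path share one rule. `password` is presumably read from the request body earlier in this handler, outside the hunk, so this line is the first point at which a non-string value is rejected; the handler starts and ends outside the hunk.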
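Review bot: Only the password operator-object case is covered; the username guard added in signin.ts has no test, and a second case that sends an object for `username` with a valid password would exercise it. The `new Promise(async (done) => …)` wrapper with a bare `.then` has no rejection path: if `insertSakurako()` or `request()` rejects, `done` is never called and the test hangs until the mocha timeout instead of failing with the cause. Writing the test as `async () => { … }`, awaiting `request()` and asserting on its result, lets a rejection fail the test directly and drops the manual `done`.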