diff --git a/include/constants.php b/include/constants.php index 99ab2f525..56ee44516 100644 --- a/include/constants.php +++ b/include/constants.php @@ -37,6 +37,7 @@ define('ACTIVITY_SYSTEM_THEME', 3); // Sanity checks define('PATTERN_ID', '/^\d+$/'); +define('PATTERN_ORDER', '/^(rand(om)?|[a-z_]+(\s+(asc|desc))?)(\s*,\s*(rand(om)?|[a-z_]+(\s+(asc|desc))?))*$/i'); // Table names if (!defined('CATEGORIES_TABLE')) diff --git a/include/ws_functions/pwg.groups.php b/include/ws_functions/pwg.groups.php index 3997fee4d..1f4320633 100644 --- a/include/ws_functions/pwg.groups.php +++ b/include/ws_functions/pwg.groups.php @@ -15,6 +15,11 @@ */ function ws_groups_getList($params, &$service) { + if (!preg_match(PATTERN_ORDER, $params['order'])) + { + return new PwgError(WS_ERR_INVALID_PARAM, 'Invalid input parameter order'); + } + $where_clauses = array('1=1'); if (!empty($params['name'])) diff --git a/include/ws_functions/pwg.users.php b/include/ws_functions/pwg.users.php index d7bfe0ae9..fe5000860 100644 --- a/include/ws_functions/pwg.users.php +++ b/include/ws_functions/pwg.users.php @@ -29,6 +29,11 @@ function ws_users_getList($params, &$service) { global $conf; + if (!preg_match(PATTERN_ORDER, $params['order'])) + { + return new PwgError(WS_ERR_INVALID_PARAM, 'Invalid input parameter order'); + } + $where_clauses = array('1=1'); if (!empty($params['user_id'])) diff --git a/ws.php b/ws.php index ae127cbf1..cc9368c65 100644 --- a/ws.php +++ b/ws.php @@ -1102,6 +1102,8 @@ function ws_addDefaultMethods( $arr ) 'type'=>WS_TYPE_INT|WS_TYPE_POSITIVE), 'order' => array('default'=>'id', 'info'=>'id, username, level, email'), + 'exclude' => array('flags'=>WS_PARAM_OPTIONAL|WS_PARAM_FORCE_ARRAY, + 'type'=>WS_TYPE_ID), 'display' => array('default'=>'basics', 'info'=>'Comma saparated list (see method description)'), ),
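Review bot: PATTERN_ORDER anchors with `$` but carries no `D` modifier, so a value ending in a newline (`"id\n"`) still matches, because PCRE's `$` also matches before a final newline; the `\s` classes likewise admit tabs and newlines inside the value. That is harmless in an ORDER BY clause but makes the sanity check looser than it reads, and `define('PATTERN_ORDER', '/^(rand(om)?|[a-z_]+(\s+(asc|desc))?)(\s*,\s*(rand(om)?|[a-z_]+(\s+(asc|desc))?))*$/iD');` closes it. Note also that `[a-z_]+` accepts any identifier, so the pattern only blocks SQL syntax, not unknown or unintended column names; a per-method whitelist of sortable columns (the ws.php hunk documents `id, username, level, email`) would be the tighter check. A comment beside the define stating that intent, e.g. `// rejects SQL syntax in ORDER BY input; callers should still whitelist column names`, would keep the next reader from treating it as a full validation.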
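Review bot: The new guard calls `preg_match(PATTERN_ORDER, $params['order'])` before anything confirms that `order` was supplied; if pwg.groups.getList declares `order` as optional without a default (its parameter table is not in this diff), a request omitting it passes `null`, which PHP 8.1+ reports as a deprecation and which never matches the pattern, so the method would now refuse every call that lacks an explicit order. If that is the case, either give the parameter a default in its definition or guard with `if (isset($params['order']) && !preg_match(PATTERN_ORDER, $params['order']))`. `preg_match` also returns `false` on a PCRE error (for instance the backtracking limit), which this check treats as invalid input; that fail-closed behaviour is correct and worth a one-line comment such as `// a PCRE failure also rejects the value: fail closed`. ws_groups_getList continues past the end of this hunk, so the point where `$params['order']` is spliced into the query is not visible here.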
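Review bot: The check rejects SQL syntax but still admits any `[a-z_]+` identifier, while the method's own parameter description in ws.php lists only `id, username, level, email` as sortable; a value such as `password` passes the regex and, depending on how `$params['order']` reaches the query further down (outside this hunk), could let a caller order results by a column that is not meant to be exposed, or surface a database error for a column that does not exist. The tighter check is to split `$params['order']` on commas, strip an optional trailing `asc`/`desc` from each item, and require every remaining name to be in that documented list (plus `rand`/`random`), returning the same `PwgError(WS_ERR_INVALID_PARAM, ...)` otherwise. The guard is also duplicated verbatim between pwg.groups.php and pwg.users.php; a shared helper would keep the two from drifting apart when the pattern or the error text changes. ws_users_getList extends beyond the end of this hunk.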
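Review bot: The new `exclude` parameter is the only entry in this table without an `info` string, so the generated API reflection page will show nothing for it; `'exclude' => array('flags'=>WS_PARAM_OPTIONAL|WS_PARAM_FORCE_ARRAY, 'type'=>WS_TYPE_ID, 'info'=>'user ids to exclude from the result'),` matches its neighbours. The hunk declares the parameter but the code that consumes it in ws_users_getList is not part of this diff, so whether the exclusion is actually applied — and whether the ids are reduced to integers before reaching the query, as WS_TYPE_ID presumably enforces — cannot be confirmed from here. The neighbouring `'Comma saparated list'` typo in the context line predates this change and could be corrected in passing. ws_addDefaultMethods begins before this hunk.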