diff --git a/internal/config/controller.go b/internal/config/controller.go
index 3f4f512..7398262 100644
--- a/internal/config/controller.go
+++ b/internal/config/controller.go
@@ -145,6 +145,11 @@ func (c *Controller) format(controllerName string) error {
 		/* check parameters */
 		for pName, pData := range method.Ptr.Parameters {
 
+			// check name
+			if strings.Trim(pName, "_") != pName {
+				return fmt.Errorf("Invalid name '%s' must not begin/end with '_'", pName)
+			}
+
 			if len(pData.Rename) < 1 {
 				pData.Rename = pName
 			}
diff --git a/internal/request/dataset.go b/internal/request/dataset.go
index 114b089..8abd470 100644
--- a/internal/request/dataset.go
+++ b/internal/request/dataset.go
@@ -62,6 +62,12 @@ func (i *DataSet) fetchGet(req *http.Request) {
 
 	for name, value := range req.URL.Query() {
 
+		// prevent invalid names
+		if !validName(name) {
+			log.Printf("invalid variable name: '%s'\n", name)
+			continue
+		}
+
 		// prevent injections
 		if nameInjection(name) {
 			log.Printf("get.injection: '%s'\n", name)
@@ -131,6 +137,12 @@ func (i *DataSet) parseJSON(req *http.Request) {
 	// else store values 'parsed' values
 	for name, value := range parsed {
 
+		// prevent invalid names
+		if !validName(name) {
+			log.Printf("invalid variable name: '%s'\n", name)
+			continue
+		}
+
 		// prevent injections
 		if nameInjection(name) {
 			log.Printf("post.injection: '%s'\n", name)
@@ -162,6 +174,12 @@ func (i *DataSet) parseUrlencoded(req *http.Request) {
 
 	for name, value := range req.PostForm {
 
+		// prevent invalid names
+		if !validName(name) {
+			log.Printf("invalid variable name: '%s'\n", name)
+			continue
+		}
+
 		// prevent injections
 		if nameInjection(name) {
 			log.Printf("post.injection: '%s'\n", name)
@@ -200,6 +218,12 @@ func (i *DataSet) parseMultipart(req *http.Request) {
 	/* (3) Store data into 'Form' and 'Set */
 	for name, data := range mpr.Data {
 
+		// prevent invalid names
+		if !validName(name) {
+			log.Printf("invalid variable name: '%s'\n", name)
+			continue
+		}
+
 		// prevent injections
 		if nameInjection(name) {
 			log.Printf("post.injection: '%s'\n", name)
diff --git a/internal/request/utils.go b/internal/request/utils.go
index 6af5abb..f8c1853 100644
--- a/internal/request/utils.go
+++ b/internal/request/utils.go
@@ -34,6 +34,12 @@ func nameInjection(pName string) bool {
 	return strings.HasPrefix(pName, "GET@") || strings.HasPrefix(pName, "URL#")
 }
 
+// validName returns whether a parameter name (without the GET@ or URL# prefix) is valid
+// if fails if the name begins/ends with underscores
+func validName(pName string) bool {
+	return strings.Trim(pName, "_") == pName
+}
+
 // parseParameter parses http GET/POST data
 // - []string
 //		- size = 1 : return json of first element