diff --git a/lib/commands/admin-rpc.js b/lib/commands/admin-rpc.js
index 204487de8..8042dbdd0 100644
--- a/lib/commands/admin-rpc.js
+++ b/lib/commands/admin-rpc.js
@@ -381,20 +381,15 @@ var isValidKey = key => {
 var getUserTotalSize = function (Env, Server, cb, data) {
 var signingKey = Array.isArray(data) && data[1];
 if (!isValidKey(signingKey)) { return void cb("EINVAL"); }
- Pinning.getTotalSize(Env, signingKey, cb); // XXX frequently incorrect...
+ var safeKey = Util.escapeKeyCharacters(signingKey);
+ Pinning.getTotalSize(Env, safeKey, cb);
 };
 
 var getPinActivity = function (Env, Server, cb, data) {
 var signingKey = Array.isArray(data) && data[1];
 if (!isValidKey(signingKey)) { return void cb("EINVAL"); }
+ // the db-worker ensures the signing key is of the appropriate form
 Env.getPinActivity(signingKey, function (err, response) {
- // XXX
- /*
- Env.Log.debug('GET_PIN_ACTIVITY', {
- error: err,
- response: response,
- });
- */
 if (err) { return void cb(err && err.code); }
 cb(void 0, response);
 });
diff --git a/lib/workers/db-worker.js b/lib/workers/db-worker.js
index bbb19c5f8..69375e18c 100644
--- a/lib/workers/db-worker.js
+++ b/lib/workers/db-worker.js
@@ -381,8 +381,8 @@ const getOlderHistory = function (data, cb) {
 };
 
 const getPinState = function (data, cb) {
- const safeKey = data.key;
-
+ if (typeof(data.key) !== 'string') { return void cb('INVALID_KEY'); }
+ const safeKey = Util.escapeKeyCharacters(data.key);
 var ref = {};
 var lineHandler = Pins.createLineHandler(ref, Env.Log.error);
 
@@ -504,8 +504,9 @@ const getHashOffset = function (data, cb) {
 };
 
 const removeOwnedBlob = function (data, cb) {
+ if (typeof(data.safeKey) !== 'string') { return void cb("INVALID_KEY"); }
 const blobId = data.blobId;
- const safeKey = data.safeKey;
+ const safeKey = Util.escapeKeyCharacters(data.safeKey);
 
 nThen(function (w) {
 // check if you have permissions
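Review bot: In lib/commands/admin-rpc.js the two admin handlers now normalise the same input in different places. getUserTotalSize escapes `signingKey` itself before calling `Pinning.getTotalSize`, while getPinActivity forwards the raw key and relies on the worker. The new comment in getPinActivity does not say which worker function does the check or what "appropriate form" means, so a later change on the worker side could silently remove the only sanitisation on this path. Either escape in both handlers, or make the comment precise, for example `// signingKey is forwarded unescaped on purpose: getPinActivity in lib/workers/db-worker.js type-checks and escapes it before it reaches pinStore`. Escaping in both places is only safe if `Util.escapeKeyCharacters` is idempotent, which these hunks do not show.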
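Review bot: In lib/workers/db-worker.js the new type check in getPinState dereferences `data.key` without first checking that `data` exists, so a missing payload throws inside the worker instead of returning an error through `cb`. The removeOwnedBlob hunk has the same gap with `data.safeKey`, whereas completeUpload and getPinActivity in this file guard with `if (!data)` first. Folding the guard into the new line would keep the four entry points consistent: `if (!data || typeof(data.key) !== 'string') { return void cb('INVALID_KEY'); }`. The check also accepts an empty string; whether that is harmless depends on how `safeKey` is used further down, which is outside the hunk.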
@@ -570,8 +571,9 @@ var reportStatus = function (Env, label, safeKey, err, id, size) {
 
 const completeUpload = function (data, cb) {
 if (!data) { return void cb('INVALID_ARGS'); }
+ if (typeof(data.key) !== 'string') { return void cb("INVALID_KEY"); }
 var owned = data.owned;
- var safeKey = data.safeKey;
+ var safeKey = Util.escapeKeyCharacters(data.safeKey);
 var arg = data.arg;
 var size = data.size;
 
@@ -593,9 +595,11 @@ const completeUpload = function (data, cb) {
 
 const getPinActivity = function (data, cb) {
 if (!data) { return void cb("INVALID_ARGS"); }
+ if (typeof(data.key) !== 'string') { return void cb("INVALID_KEY"); }
+ var safeKey = Util.escapeKeyCharacters(data.key);
 var first;
 var latest;
- pinStore.getMessages(data.key, line => {
+ pinStore.getMessages(safeKey, line => {
 if (!line || !line.trim()) { return; }
 try {
 var parsed = JSON.parse(line);
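Review bot: In completeUpload (lib/workers/db-worker.js) the added guard validates `data.key`, but the value that is escaped and used is `data.safeKey`. If callers still send only `safeKey`, as the removed line read it, every call would return INVALID_KEY. If they send only `key`, an unchecked `undefined` reaches `Util.escapeKeyCharacters`. The guard should test the field that is consumed, as removeOwnedBlob does: `if (typeof(data.safeKey) !== 'string') { return void cb("INVALID_KEY"); }`. The rest of completeUpload is outside the hunk, so confirm against the caller which field name is actually sent.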