diff --git a/doc/api.yaml b/doc/api.yaml
index 044e39a..da9a07c 100644
--- a/doc/api.yaml
+++ b/doc/api.yaml
@@ -1064,8 +1064,8 @@ components:
 $ref: "#/components/schemas/comment"
 comment:
 minLength: 5
- maxLength: 100 #todo think about it
- pattern: ".*" #everything except newlines
+ maxLength: 255
+ pattern: ".*" #everything except newlines ^[*]{5, 255}$
 type: string
 example: "What a lovely picture! 😊"
 description: The comment's text
diff --git a/service/api/comments.go b/service/api/comments.go
index 9db468b..b7f502f 100644
--- a/service/api/comments.go
+++ b/service/api/comments.go
@@ -3,6 +3,7 @@ package api
 import (
 "encoding/json"
 "net/http"
+ "regexp"
 "strconv"
 
 "github.com/julienschmidt/httprouter"
@@ -87,6 +88,19 @@ func (rt *_router) PostComment(w http.ResponseWriter, r *http.Request, ps httpro
 return
 }
 
+ // check if the comment is valid (should not contain newlines and at be between 5 and 255 characters)
+ stat, err := regexp.Match(`^[*]{5, 255}$`, []byte(request_body.Comment))
+
+ if err != nil {
+ helpers.SendInternalError(err, "Error matching regex", w, rt.baseLogger)
+ return
+ }
+
+ if !stat {
+ helpers.SendBadRequest(w, "Invalid comment", rt.baseLogger)
+ return
+ }
+
 // add the comment to the database
 success, err := rt.db.PostComment(uid, photo_id, request_body.UID, request_body.Comment)
 
diff --git a/service/api/put-updateusername.go b/service/api/put-updateusername.go
index 14ce271..d5d23d2 100644
--- a/service/api/put-updateusername.go
+++ b/service/api/put-updateusername.go
@@ -2,6 +2,7 @@ package api
 import (
 "net/http"
+ "regexp"
 
 "github.com/julienschmidt/httprouter"
 "github.com/notherealmarco/WASAPhoto/service/api/authorization"
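Review bot: The pattern `^[*]{5, 255}$` passed to regexp.Match in the PostComment hunk does not express the rule its comment describes: `[*]` is a character class matching only a literal asterisk, and Go's RE2 syntax rejects a space inside repetition braces, treating `{5, 255}` as literal text, so the check accepts only the exact string `*{5, 255}` and every real comment is rejected with "Invalid comment"; the doc/api.yaml hunk repeats the same mistaken pattern in its `pattern:` comment. The intended rule (5–255 characters, no newline, since `.` does not match `\n` without the `s` flag) is `^.{5,255}$`, and because it is a constant it should be compiled once at package scope, `var commentRe = regexp.MustCompile(`^.{5,255}$`)`, with the stat/err pair reduced to `if !commentRe.MatchString(request_body.Comment) {` — that removes the per-request compile, the unreachable SendInternalError branch and the `[]byte` copy. The same hoisting applies to the UpdateUsername hunk in put-updateusername.go. If api.yaml is meant to document the enforced rule, its `pattern:` value should become `^.{5,255}$` rather than `.*`. PostComment starts and ends outside the hunk.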
@@ -22,6 +23,18 @@ func (rt *_router) UpdateUsername(w http.ResponseWriter, r *http.Request, ps htt
 return
 }
 
+ stat, err := regexp.Match(`^[a-zA-Z0-9_]{3,16}$`, []byte(req.Name))
+
+ if err != nil {
+ helpers.SendInternalError(err, "Error while matching username", w, rt.baseLogger)
+ return
+ }
+
+ if !stat { //todo: sta regex non me piace
+ helpers.SendBadRequest(w, "Username must be between 3 and 16 characters long and can only contain letters, numbers and underscores", rt.baseLogger)
+ return
+ }
+
 status, err := rt.db.UpdateUsername(uid, req.Name)
 
 if status == database.ERR_EXISTS {
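Review bot: The `//todo: sta regex non me piace` left on the `if !stat` line records an unresolved doubt in Italian without saying what is wrong; the allowlist `^[a-zA-Z0-9_]{3,16}$` is a sound, conservative username rule, so either state the concern in English or drop the marker before merge. The `if err != nil` branch can never fire for a constant pattern, so the block reads more honestly as `var usernameRe = regexp.MustCompile(`^[a-zA-Z0-9_]{3,16}$`)` at package scope and `if !usernameRe.MatchString(req.Name) {` in the handler, which also stops compiling the pattern on every request and drops the `[]byte(req.Name)` copy. UpdateUsername starts and ends outside the hunk.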