diff --git a/doc/api/http_api.md b/doc/api/http_api.md
index 2ae674d8c..7ee8f953d 100644
--- a/doc/api/http_api.md
+++ b/doc/api/http_api.md
@@ -388,10 +388,12 @@ Group pads are normal pads, but with the name schema GROUPID$PADNAME. A security
 * API >= 1 creates a new (non-group) pad. Note that if you need to create a group Pad, you should call **createGroupPad**.
+You get an error message if you use one of the following characters in the padID: "/", "?", "&" or "#".
 *Example returns:*
 * `{code: 0, message:"ok", data: null}`
- * `{code: 1, message:"pad does already exist", data: null}`
+ * `{code: 1, message:"padID does already exist", data: null}`
+ * `{code: 1, message:"malformed padID: Remove special characters", data: null}`
 #### getRevisionsCount(padID)
 * API >= 1
diff --git a/src/node/db/API.js b/src/node/db/API.js
index edd130e2e..97d5162d8 100644
--- a/src/node/db/API.js
+++ b/src/node/db/API.js
@@ -687,12 +687,21 @@ Example returns:
 exports.createPad = function(padID, text, callback)
 {
 //ensure there is no $ in the padID
- if(padID && padID.indexOf("$") != -1)
+ if(padID)
 {
- callback(new customError("createPad can't create group pads","apierror"));
- return;
+ if(padID.indexOf("$") != -1)
+ {
+ callback(new customError("createPad can't create group pads","apierror"));
+ return;
+ }
+ //check for url special characters
+ else if(padID.match(/(\/|\?|&|#)/))
+ {
+ callback(new customError("malformed padID: Remove special characters","apierror"));
+ return;
+ }
 }
-
+
 //create pad
 getPadSafe(padID, false, text, function(err)
 {
diff --git a/tests/backend/specs/api/pad.js b/tests/backend/specs/api/pad.js
index 52849c2ea..75e779714 100644
--- a/tests/backend/specs/api/pad.js
+++ b/tests/backend/specs/api/pad.js
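Review bot: The new `else if(padID.match(/(\/|\?|&|#)/))` branch is a deny-list of four URL metacharacters, and nothing in the hunk records why exactly these four are refused; a comment such as `// reject characters that would break the pad's URL / API routing; this is not general padID validation` would stop the next maintainer from treating it as one. The doc hunk in this commit points callers at createGroupPad for group pads, whose code is not visible here — if it does not apply the same check, a group pad name can presumably still contain these characters, which is worth confirming. On style, the outer `if(padID)` wrapper and the `else if` after a block that already returns add a nesting level for nothing; two flat guard clauses with a character class behave identically and drop the unused capture group, as below. createPad's body continues outside the hunk (the getPadSafe callback).
```javascript
exports.createPad = function(padID, text, callback)
{
  //ensure there is no $ in the padID
  if(padID && padID.indexOf("$") != -1)
  {
    callback(new customError("createPad can't create group pads","apierror"));
    return;
  }
  //reject URL metacharacters that would break the pad's URL; not general padID validation
  if(padID && /[\/?&#]/.test(padID))
  {
    callback(new customError("malformed padID: Remove special characters","apierror"));
    return;
  }

  // … unchanged: create pad via getPadSafe …
```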
@@ -2,7 +2,8 @@ var assert = require('assert')
 supertest = require(__dirname+'/../../../../src/node_modules/supertest'),
 fs = require('fs'),
 api = supertest('http://localhost:9001');
- path = require('path');
+ path = require('path'),
+ async = require(__dirname+'/../../../../src/node_modules/async');
 var filePath = path.join(__dirname, '../../../../APIKEY.txt');
@@ -80,6 +81,7 @@ describe('Permission', function(){
 -> setHTML(padID) -- Should fail on invalid HTML
 -> setHTML(padID) *3 -- Should fail on invalid HTML
 -> getHTML(padID) -- Should return HTML close to posted HTML
+ -> createPad -- Tries to create pads with bad url characters
 */
@@ -494,6 +496,23 @@ describe('getHTML', function(){
 });
 })
+describe('createPad', function(){
+ it('errors if pad can be created', function(done) {
+ var badUrlChars = ["/", "%23", "%3F", "%26"];
+ async.map(
+ badUrlChars,
+ function (badUrlChar, cb) {
+ api.get(endPoint('createPad')+"&padID="+badUrlChar)
+ .expect(function(res){
+ if(res.body.code !== 1) throw new Error("Pad with bad characters was created");
+ })
+ .expect('Content-Type', /json/)
+ .end(cb);
+ },
+ done);
+ });
+})
+
 /*
 -> movePadForce Test
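Review bot: The added `async = require(__dirname+'/../../../../src/node_modules/async');` is not part of any `var` declaration — the statement above it ends at `api = supertest('http://localhost:9001');` — so `async` is assigned as an implicit global (the same already holds for `path`, and judging by the missing trailing comma on the `var assert = require('assert')` line shown in the hunk header, for the rest of the chain too), which would throw a ReferenceError under `'use strict'`. Declare the two new-side lines explicitly: `var path = require('path');` and `var async = require(__dirname+'/../../../../src/node_modules/async');`.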
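Review bot: The `.expect` callback only checks `res.body.code !== 1`, so any code-1 response — including the "padID does already exist" and group-pad errors this commit does not distinguish — satisfies the test, which therefore does not show that the new malformed-padID branch in API.js ran. Compare the message as well: `if(res.body.code !== 1 || res.body.message !== "malformed padID: Remove special characters") throw new Error("Pad with bad characters was created");`. The title `'errors if pad can be created'` states the opposite of what is asserted; `'rejects padIDs containing URL special characters'` reads correctly. The list mixes a raw `/` with pre-encoded `%23`/`%3F`/`%26`; listing the four raw characters named in the doc hunk and calling `encodeURIComponent(badUrlChar)` when building the URL makes the encoding explicit and keeps the test in step with the documented set.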