diff --git a/inc/Do.php b/inc/Do.php
index 10b7437..2ad9880 100755
--- a/inc/Do.php
+++ b/inc/Do.php
@@ -350,6 +350,11 @@ public static function ChangeWhitelist()
 throw new Exception("You don't have enough permissions to edit this user");
 }
+ // whitelist must be a value between 0 and 3
+ if ($_POST["newwhitelist"] < 0 || $_POST["newwhitelist"] > 3) {
+ throw new Exception("Invalid whitelist value");
+ }
+
 $GLOBALS['db']->execute('UPDATE users SET whitelist = ? WHERE id = ?', [$_POST['newwhitelist'], $_POST["id"]]);
 // log this whitelist change to the users rap notes
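Review bot: The new range check relies on loose comparison of a raw `$_POST` string, so it does not guarantee the value written to `users.whitelist` is an integer in 0..3: a missing key (`null`), a fraction such as `"2.5"`, or a leading-numeric string like `"1abc"` all pass both comparisons and reach the UPDATE, and the query still binds the unvalidated `$_POST['newwhitelist']` rather than a checked value. Validate and bind the parsed integer instead, e.g. `$newWhitelist = filter_var($_POST['newwhitelist'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0, 'max_range' => 3]]);` followed by `if ($newWhitelist === false) { throw new Exception("Invalid whitelist value"); }`, and pass `$newWhitelist` in the execute() parameter array. The comment above the check could then read `// whitelist must be an integer between 0 and 3 (inclusive)` to match what is enforced. ChangeWhitelist() begins and ends outside this hunk, so the permission check that precedes the new lines is not visible here.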