diff --git a/src/Controller/GameController.php b/src/Controller/GameController.php
index ecacef4..af5b293 100644
--- a/src/Controller/GameController.php
+++ b/src/Controller/GameController.php
@@ -107,6 +107,10 @@ class GameController
 {
 // create Challenge
 $challengeToken = rand();
+ while ($this->challengeRepository->getByToken($challengeToken)) {
+ // if a challenge with the same token already exists
+ $challengeToken = rand();
+ }
 $challenge = new Challenge();
 $challenge->setToken($challengeToken);
diff --git a/src/Repository/ChallengeRepository.php b/src/Repository/ChallengeRepository.php
index 1da5ed0..bcce4d9 100644
--- a/src/Repository/ChallengeRepository.php
+++ b/src/Repository/ChallengeRepository.php
@@ -31,6 +31,13 @@ class ChallengeRepository
 public function getByTokenStr(string $token_str): ?Challenge
 {
+ // validate token string
+ foreach (str_split($token_str) as $char) {
+ if (!(('0' <= $char && $char <= '9') || ('a' <= $char && $char <= 'f'))) {
+ return null;
+ }
+ }
+
 // convert token to int
 $token = hexdec($token_str);
 return $this->getByToken($token);
diff --git a/src/Repository/UserInChallengeRepository.php b/src/Repository/UserInChallengeRepository.php
index a033589..c059c82 100644
--- a/src/Repository/UserInChallengeRepository.php
+++ b/src/Repository/UserInChallengeRepository.php
@@ -48,6 +48,13 @@ class UserInChallengeRepository
 $withRelations = array_unique(array_merge($withRelations, $necessaryRelations));
 }
+ // validate token string
+ foreach (str_split($token_str) as $char) {
+ if (!(('0' <= $char && $char <= '9') || ('a' <= $char && $char <= 'f'))) {
+ return null;
+ }
+ }
+
 // convert token to int
 $token = hexdec($token_str);
 $select = new Select(\Container::$dbConnection);
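Review bot: `$challengeToken = rand();` — both the existing line and the retry inside the new while loop — draws the challenge token from a non-cryptographic generator whose range is only getrandmax() (typically 31 bits), so a token that is later accepted as an opaque identifier through getByTokenStr is predictable and small; the loop addresses collisions, not guessability. Use the CSPRNG on both lines, `$challengeToken = random_int(0, getrandmax());`, and consider widening the upper bound if the token column type and the hexdec round-trip permit it (neither is visible here). The check-then-insert loop is also racy between two concurrent requests; only a unique constraint on the token column guarantees uniqueness, with the loop retrying on the constraint violation instead of on a prior lookup. The enclosing method starts and ends outside the hunk.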
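Review bot: The validation added to getByTokenStr rejects non-hex bytes but does not bound the length, so a long all-hex string still reaches `hexdec($token_str)`, which silently returns a float above PHP_INT_MAX and hands a non-integer to getByToken; in addition, on PHP 8.2+ `str_split('')` returns an empty array, so an empty string passes the loop and is looked up as token 0 (older versions reject it because str_split returns `['']`). The same loop is copied verbatim into UserInChallengeRepository in the third hunk, so the fix belongs in one shared helper (for example a static method on ChallengeRepository) rather than in two places. A compact form for that helper is `if (preg_match('/^[0-9a-f]+$/D', $token_str) !== 1) { return null; }` followed by `$token = hexdec($token_str); if (!is_int($token)) { return null; }`. The closing brace of getByTokenStr is outside the hunk.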