diff --git a/server/plugins-available/backup_plugin.inc.php b/server/plugins-available/backup_plugin.inc.php
index 167ef420e658c033b9253ea4ce0b0c814f2498d0..3e4fad6cb4e840d7f210b4c51483ab7da6fdb1a1 100644
--- a/server/plugins-available/backup_plugin.inc.php
+++ b/server/plugins-available/backup_plugin.inc.php
@@ -127,7 +127,7 @@ class backup_plugin {
 						//$db_name = $parts[1];
 						preg_match('@^db_(.+)_\d{4}-\d{2}-\d{2}_\d{2}-\d{2}\.sql\.gz$@', $backup['filename'], $matches);
 						$db_name = $matches[1];
-						$command = "gunzip --stdout ".escapeshellarg($backup_dir.'/'.$backup['filename'])." | mysql -h '".escapeshellcmd($clientdb_host)."' -u '".escapeshellcmd($clientdb_user)."' -p'".escapeshellcmd($clientdb_password)."' '".$db_name."'";
+						$command = "gunzip --stdout ".escapeshellarg($backup_dir.'/'.$backup['filename'])." | mysql -h '".escapeshellarg($clientdb_host)."' -u '".escapeshellarg($clientdb_user)."' -p'".escapeshellarg($clientdb_password)."' '".$db_name."'";
 						exec($command);
 					}
 					unset($clientdb_host);