diff --git a/src/api/endpoints/drive/files.js b/src/api/endpoints/drive/files.js
index 5399461a37..7df8b81eac 100644
--- a/src/api/endpoints/drive/files.js
+++ b/src/api/endpoints/drive/files.js
@@ -41,7 +41,7 @@ module.exports = (params, user, app) =>
 
 	// Get 'folder_id' parameter
 	let folder = params.folder_id;
-	if (folder === undefined || folder === null || folder === 'null') {
+	if (folder === undefined || folder === null) {
 		folder = null;
 	} else {
 		folder = new mongo.ObjectID(folder);
diff --git a/src/api/endpoints/drive/files/create.js b/src/api/endpoints/drive/files/create.js
index 9f34a551d1..a04cd5dde4 100644
--- a/src/api/endpoints/drive/files/create.js
+++ b/src/api/endpoints/drive/files/create.js
@@ -46,7 +46,7 @@ module.exports = (file, params, user) =>
 
 	// Get 'folder_id' parameter
 	let folder = params.folder_id;
-	if (folder === undefined || folder === null || folder === 'null') {
+	if (folder === undefined || folder === null) {
 		folder = null;
 	} else {
 		folder = new mongo.ObjectID(folder);
diff --git a/src/api/endpoints/drive/files/find.js b/src/api/endpoints/drive/files/find.js
index a0a0e0b417..26c45c564b 100644
--- a/src/api/endpoints/drive/files/find.js
+++ b/src/api/endpoints/drive/files/find.js
@@ -25,7 +25,7 @@ module.exports = (params, user) =>
 
 	// Get 'folder_id' parameter
 	let folder = params.folder_id;
-	if (folder === undefined || folder === null || folder === 'null') {
+	if (folder === undefined || folder === null) {
 		folder = null;
 	} else {
 		folder = new mongo.ObjectID(folder);
diff --git a/src/api/endpoints/drive/files/update.js b/src/api/endpoints/drive/files/update.js
index 74ff012ecb..5af2b8e6da 100644
--- a/src/api/endpoints/drive/files/update.js
+++ b/src/api/endpoints/drive/files/update.js
@@ -58,16 +58,18 @@ module.exports = (params, user) =>
 
 	// Get 'folder_id' parameter
 	let folderId = params.folder_id;
-	if (folderId !== undefined && folderId !== 'null') {
-		folderId = new mongo.ObjectID(folderId);
-	}
-
-	let folder = null;
-	if (folderId !== undefined && folderId !== null) {
-		if (folderId === 'null') {
+	if (folderId !== undefined) {
+		if (folderId === null) {
 			file.folder_id = null;
 		} else {
-			folder = await DriveFolder
+			// Validate id
+			if (!mongo.ObjectID.isValid(folderId)) {
+				return rej('incorrect folder_id');
+			}
+
+			folderId = new mongo.ObjectID(folderId);
+
+			const folder = await DriveFolder
 				.findOne({
 					_id: folderId,
 					user_id: user._id
diff --git a/src/api/endpoints/drive/folders.js b/src/api/endpoints/drive/folders.js
index f233de25a1..672ae21789 100644
--- a/src/api/endpoints/drive/folders.js
+++ b/src/api/endpoints/drive/folders.js
@@ -41,7 +41,7 @@ module.exports = (params, user, app) =>
 
 	// Get 'folder_id' parameter
 	let folder = params.folder_id;
-	if (folder === undefined || folder === null || folder === 'null') {
+	if (folder === undefined || folder === null) {
 		folder = null;
 	} else {
 		folder = new mongo.ObjectID(folder);
diff --git a/src/api/endpoints/drive/folders/find.js b/src/api/endpoints/drive/folders/find.js
index 9a2faf6d82..be05427f57 100644
--- a/src/api/endpoints/drive/folders/find.js
+++ b/src/api/endpoints/drive/folders/find.js
@@ -25,7 +25,7 @@ module.exports = (params, user) =>
 
 	// Get 'parent_id' parameter
 	let parentId = params.parent_id;
-	if (parentId === undefined || parentId === null || parentId === 'null') {
+	if (parentId === undefined || parentId === null) {
 		parentId = null;
 	} else {
 		parentId = new mongo.ObjectID(parentId);
diff --git a/src/api/endpoints/drive/folders/update.js b/src/api/endpoints/drive/folders/update.js
index d04173158d..475cd205df 100644
--- a/src/api/endpoints/drive/folders/update.js
+++ b/src/api/endpoints/drive/folders/update.js
@@ -25,6 +25,11 @@ module.exports = (params, user) =>
 		return rej('folder_id is required');
 	}
 
+	// Validate id
+	if (!mongo.ObjectID.isValid(folderId)) {
+		return rej('incorrect folder_id');
+	}
+
 	// Fetch folder
 	const folder = await DriveFolder
 		.findOne({
@@ -49,17 +54,19 @@ module.exports = (params, user) =>
 
 	// Get 'parent_id' parameter
 	let parentId = params.parent_id;
-	if (parentId !== undefined && parentId !== 'null') {
-		parentId = new mongo.ObjectID(parentId);
-	}
-
-	let parent = null;
-	if (parentId !== undefined && parentId !== null) {
-		if (parentId === 'null') {
+	if (parentId !== undefined) {
+		if (parentId === null) {
 			folder.parent_id = null;
 		} else {
+			// Validate id
+			if (!mongo.ObjectID.isValid(parentId)) {
+				return rej('incorrect parent_id');
+			}
+
+			parentId = new mongo.ObjectID(parentId);
+
 			// Get parent folder
-			parent = await DriveFolder
+			const parent = await DriveFolder
 				.findOne({
 					_id: parentId,
 					user_id: user._id
diff --git a/src/web/app/desktop/tags/drive/browser.tag b/src/web/app/desktop/tags/drive/browser.tag
index 4c42987d03..640bf24b7e 100644
--- a/src/web/app/desktop/tags/drive/browser.tag
+++ b/src/web/app/desktop/tags/drive/browser.tag
@@ -407,7 +407,7 @@
 				@remove-file file
 				@api \drive/files/update do
 					file_id: file
-					folder_id: if @folder? then @folder.id else \null
+					folder_id: if @folder? then @folder.id else null
 				.then ~>
 					# something
 				.catch (err, text-status) ~>
@@ -424,7 +424,7 @@
 				@remove-folder folder
 				@api \drive/folders/update do
 					folder_id: folder
-					parent_id: if @folder? then @folder.id else \null
+					parent_id: if @folder? then @folder.id else null
 				.then ~>
 					# something
 				.catch (err) ~>