diff --git a/ntpdb/query.sql.go b/ntpdb/query.sql.go
index f5407eb..4e39afd 100644
--- a/ntpdb/query.sql.go
+++ b/ntpdb/query.sql.go
@@ -13,7 +13,11 @@ import (
 )
 
 const getMonitorByName = `-- name: GetMonitorByName :one
-select id, type, user_id, account_id, name, location, ip, ip_version, tls_name, api_key, status, config, client_version, last_seen, last_submit, created_on from monitors where tls_name = ?
+select id, type, user_id, account_id, name, location, ip, ip_version, tls_name, api_key, status, config, client_version, last_seen, last_submit, created_on from monitors
+where
+  tls_name like ?
+  order by id
+  limit 1
 `
 
 func (q *Queries) GetMonitorByName(ctx context.Context, tlsName sql.NullString) (Monitor, error) {
diff --git a/query.sql b/query.sql
index 6da64e5..d5405c1 100644
--- a/query.sql
+++ b/query.sql
@@ -48,7 +48,11 @@ where ip = sqlc.arg(ip);
 
 -- name: GetMonitorByName :one
-select * from monitors where tls_name = ?;
+select * from monitors
+where
+  tls_name like sqlc.arg('tls_name')
+  order by id
+  limit 1;
 
 -- name: GetMonitorsByID :many
 select * from monitors
diff --git a/server/history.go b/server/history.go
index 3072b26..09478f4 100644
--- a/server/history.go
+++ b/server/history.go
@@ -81,7 +81,14 @@ func (srv *Server) getHistory(ctx context.Context, c echo.Context, server ntpdb.
 	if err == nil {
 		monitorID = uint32(mID)
 	} else {
+		// only accept the name prefix; no wildcards; trust the database
+		// to filter out any other crazy
+		if strings.ContainsAny(monitorParam, "_%. \t\n") {
+			return nil, echo.NewHTTPError(http.StatusNotFound, "monitor not found")
+		}
+
 		if err != nil {
+			monitorParam = monitorParam + ".%"
 			monitor, err := q.GetMonitorByName(ctx, sql.NullString{Valid: true, String: monitorParam})
 			if err != nil {
 				log.Warn("could not find monitor", "name", monitorParam, "err", err)
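Review bot: GetMonitorByName now takes a LIKE pattern rather than an exact name, but nothing in query.sql records that the argument is a caller-built pattern whose wildcards the caller is responsible for sanitising, and `order by id limit 1` means a prefix shared by several rows silently resolves to the lowest id instead of failing. That contract belongs next to the query so the next caller does not pass raw input into it; a comment above the sqlc annotation would do: `-- tls_name is a LIKE pattern built by the caller ('<prefix>.%'); callers must reject or escape '%' and '_' in the prefix. When several rows match, the lowest id wins.` If the column's collation is case-insensitive the match is too, which is worth stating in the same comment once confirmed.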
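Review bot: The denylist in `strings.ContainsAny(monitorParam, "_%. \t\n")` is the only thing between the URL parameter and a LIKE pattern, and a denylist is the wrong shape for that: it omits the LIKE escape character (`\` by default if the backend is MySQL, which the `?` placeholders suggest), other whitespace such as `\r`, and an empty parameter, which, if it can reach this branch, becomes the pattern `.%`. The comment says only a bare name prefix is accepted, so an allowlist states that directly: `var monitorNameRE = regexp.MustCompile("^[A-Za-z0-9-]+$")` at package scope and `if !monitorNameRE.MatchString(monitorParam) {` in place of the ContainsAny check (needs `regexp` in the imports, which are outside this hunk). Consider also keeping the client value separate from the pattern, e.g. `pattern := monitorParam + ".%"` passed to GetMonitorByName, so the `log.Warn` below reports what the client actually sent rather than the appended pattern. With `order by id limit 1` in the query, a prefix shared by several monitors (say `nyc.a` and `nyc.b`) silently resolves to the lowest id, which the comment should say. getHistory begins before and continues after this hunk.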