diff --git a/shop.py b/shop.py
index 39b963d..91bffb6 100644
--- a/shop.py
+++ b/shop.py
@@ -33,10 +33,13 @@ def doesTableExist():
     mycursor.execute('''CREATE TABLE USERS (id INT AUTO_INCREMENT PRIMARY KEY, username VARCHAR(255), password VARCHAR(255))''')
     mydb.close()
 
-def runQuery(query):
+def runQuery(query, data=None):
     mydb = dbConnect()
     c = mydb.cursor()
-    c.execute(query)
+    if data is not None:
+        c.execute(query, data)
+    else:
+        c.execute(query)
     if query.lower().startswith("select"):
         ret = c.fetchall()
     else:
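Review bot: Both new `c.execute(...)` calls can raise (malformed SQL, wrong parameter count, dropped connection) and nothing in the visible part of `runQuery` closes `c` or `mydb` on that path, so every failed query leaks a connection; wrap the body from `c = mydb.cursor()` onward in `try:` / `finally: c.close(); mydb.close()` (or use the cursor and connection as context managers if the driver supports them). The `if data is not None` split is also unnecessary: the DB-API `execute(query, params=None)` signature of the usual MySQL drivers (presumably what `dbConnect` returns, given the `%s` paramstyle and `AUTO_INCREMENT`) accepts `None`, so the four lines collapse to `c.execute(query, data)`. Whichever form is kept, add a docstring stating that `data` is a tuple of values bound to `%s` placeholders and that callers must never interpolate request data into `query` themselves, since this helper is now the one place that guarantees parameterization. `runQuery`'s body continues past the end of this hunk, so a close may well exist there, but it is not protected by a `finally` in what is shown.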
@@ -51,40 +54,47 @@ def readFromDB(): return runQuery(query) def insertToDB(data): - query = f"INSERT INTO SHOPLIST (item, gotten, user_id) VALUES (\"{data['item']}\", 0, {data['name']})" + query = f"INSERT INTO SHOPLIST (item, gotten, user_id) VALUES (%s, 0, %s)" + data = (data['item'], data['name']) # print(query) - runQuery(query) + runQuery(query, data) def deleteRow(rowID): - query = f"DELETE FROM SHOPLIST WHERE id = {rowID}" - runQuery(query) + query = f"DELETE FROM SHOPLIST WHERE id = %s" + data = (rowID, ) + runQuery(query, data) def getItem(rowID): - query = f"UPDATE SHOPLIST set gotten = 1 where id = {rowID}" - runQuery(query) + query = f"UPDATE SHOPLIST set gotten = 1 where id = %s" + data = (rowID, ) + runQuery(query, data) def unGetItem(rowID): - query = f"UPDATE SHOPLIST set gotten = 0 where id = {rowID}" - runQuery(query) + query = f"UPDATE SHOPLIST set gotten = 0 where id = %s" + data = (rowID, ) + runQuery(query, data) def get_users(username=None): if username == None: #return all users query = "select username, admin, id from USERS" return runQuery(query) - query = f"select username, admin from USERS where username like '{username}'" - return runQuery(query) + query = f"select username, admin from USERS where username like %s" + data = (username, ) + return runQuery(query, data) def add_user(userData): username = userData["username"] password = userData["password"] - query = f"insert into USERS (username, password, admin) values ('{username}', md5('{password}'), False)" - runQuery(query) + query = f"insert into USERS (username, password, admin) values (%s, md5(%s), False)" + data = (username, password) + runQuery(query, data) def update_pass(user_id, newpass): - query = f"update USERS set password=md5('{newpass}') where id={user_id}" - runQuery(query) + query = f"update USERS set password=md5(%s) where id=%s" + data = (newpass, user_id) + runQuery(query, data) app = Flask(__name__) app.config["DEBUG"] = True 
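Review bot: `add_user` and `update_pass` still store passwords as an unsalted server-side `md5(%s)`, so the parameterization closes the injection but leaves every password trivially recoverable from a database dump; hash in the application with a salted, slow KDF (`werkzeug.security.generate_password_hash`, available since the file already builds a `Flask` app, or `hashlib.scrypt`), store the result via a plain `%s`, and change the login lookup to verify with `check_password_hash` against the stored value. In `get_users` the `like %s` placeholder is injection-safe, but `%` and `_` inside `username` are still LIKE wildcards, so `get_users("%")` returns every account; use `where username = %s` unless pattern matching is actually intended. The `f"..."` prefixes on the rewritten queries no longer interpolate anything and should be dropped so a future `{...}` cannot quietly reintroduce string-built SQL, and `insertToDB` rebinds its `data` parameter to the parameter tuple, which reads better as a separate name such as `params`. Unrelated to this change but visible in the context, `app.config["DEBUG"] = True` enables the Werkzeug debugger and must not reach a deployed instance.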
@@ -120,9 +130,10 @@ def handle_data(): unGetItem(request.form["ungot"]) if "loginform" in request.form: - query = "select id, username, admin from USERS where username = '%s' and password = md5('%s')" % (request.form["username"].lower(), request.form["password"]) + query = "select id, username, admin from USERS where username = %s and password = md5(%s)" + data = (request.form["username"].lower(), request.form["password"]) - res = runQuery(query) + res = runQuery(query, data) if len(res) != 0: session["id"] = res[0][0] session["username"] = res[0][1]
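Review bot: The login query still hashes with a database-side `md5(%s)`, which keeps the stored hashes as unsalted MD5 and also ships the plaintext password to the database server as a bound parameter, where it can end up in the general or slow query log; fetch the row by username only (`where username = %s`, selecting the stored hash as well) and verify the password in the application with a salted slow hash such as `werkzeug.security.check_password_hash`, in step with however `add_user` stores it. Nothing between `res[0]` and the `session[...]` assignments resets the existing session, so consider `session.clear()` before `session["id"] = res[0][0]` so that state from a pre-login session cannot carry over. I cannot see any lockout or rate limiting on this form from the hunk; if none exists elsewhere, the login path is open to online password guessing. `handle_data` starts before and ends after this hunk.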