diff --git a/guestbook.php b/guestbook.php
index 5cc2e59..39b24a8 100644
--- a/guestbook.php
+++ b/guestbook.php
@@ -13,14 +13,19 @@ if(isset($_POST['entry']) && $_POST['entry'] != "") {
 $id = $_SESSION['userid'];
- $entry = $_POST['entry'];
+ $entry = strip_tags($_POST['entry']);
 $query = "select * from `users` where `id` = '$id' LIMIT 1";
 $result = $db->query($query);
 if ($row = $result->fetch_assoc()) {
 $username = $row['username'];
 }
- $query = "INSERT INTO `guestbook` (`username`, `entry`) VALUES ('$username', '$entry');";
- $result = $db->query($query);
+ $query = "INSERT INTO `guestbook` (`username`, `entry`) VALUES (?, ?);";
+
+ $stmt = $db->prepare($query);
+ $stmt->bind_param("ss", $username, $entry);
+ $stmt->execute();
+ $result = $stmt->get_result();
+ $db->commit();
 print('
diff --git a/login.php b/login.php
index 0dce5fc..96eb383 100644
--- a/login.php
+++ b/login.php
@@ -2,8 +2,13 @@ function login($username, $password) {
 global $db;
- $query = "select `id` from `users` where `username` = '$username' AND `password` = '$password'";
- $result = $db->query($query);
+ $query = "select `id` from `users` where `username` = ? AND `password` = ?";
+
+ $stmt = $db->prepare($query);
+ $stmt->bind_param("ss", $username, $password);
+ $stmt->execute();
+ $result = $stmt->get_result();
+
 if ($result->num_rows > 0 && $row = $result->fetch_assoc()) {
 $_SESSION['logged_in'] = true;
 $_SESSION['userid'] = $row['id'];