diff --git a/php/classes.user.php b/php/classes.user.php
index b1ab751..c4edc1b 100644
--- a/php/classes.user.php
+++ b/php/classes.user.php
@@ -5,8 +5,10 @@
 
     function get_info($session_id) {
       include $_SESSION["docroot"].'/php/connect.php';
-      $query = "SELECT uid, username, email, theme, last_login, salt FROM `users` WHERE `uid` = (SELECT user FROM `sessions` WHERE `session_id` = \"$session_id\")";
-      $result = $mysqli->query($query);
+      $selectQuery = $mysqli->prepare("SELECT uid, username, email, theme, last_login, salt FROM `users` WHERE `uid` = (SELECT user FROM `sessions` WHERE `session_id` = ?);");
+      $selectQuery->bind_param("s", $session_id);
+      $selectQuery->execute();
+      $result = $selectQuery->get_result();
       $user = $result->fetch_assoc();
       $this->uid = $user["uid"];
       $this->username = $user["username"];
@@ -21,11 +23,15 @@
       include $_SESSION["docroot"].'/php/hash.php';
       include $_SESSION["docroot"].'/php/connect.php';
       $current_pwhash = hash_password($current, $this->salt);
-      $query = "SELECT `uid` FROM `users` WHERE `uid` = $this->uid AND `password` = '$current_pwhash'";
-      $result = $mysqli->query($query);
+      $selectQuery = $mysqli->prepare("SELECT `uid` FROM `users` WHERE `uid` = ? AND `password` = ?;");
+      $selectQuery->bind_param("ss", $this->uid, $current_pwhash);
+      $selectQuery->execute();
+      $result = $selectQuery->get_result();
       if($result->num_rows===1){
         $new_pwdhash = hash_password($new, $this->salt);
-        $mysqli->query("UPDATE `users` SET `password` = '$new_pwdhash' WHERE `users`.`uid` = $this->uid;");
+        $updateQuery = $mysqli->prepare("UPDATE `users` SET `password` = ? WHERE `users`.`uid` = ?;");
+        $updateQuery->bind_param("ss", $new_pwdhash, $this->uid);
+        $updateQuery->execute();
         $mysqli->close();
         print_r("0");
       }
@@ -35,20 +41,25 @@
     }
 
     function change_mail($mailaddress){
-      include $_SESSION["docroot"].'/php/hash.php';
       include $_SESSION["docroot"].'/php/connect.php';
       $this->mail = $mailaddress;
-      $result = $mysqli->query("UPDATE `users` SET `email` = '$mailaddress' WHERE `users`.`uid` = $this->uid;");
+      $updateQuery = $mysqli->prepare("UPDATE `users` SET `email` = ? WHERE `users`.`uid` = ?;");
+      $updateQuery->bind_param("ss", $mailaddress, $this->uid);
+      $updateQuery->execute();
       $mysqli->close();
     }
 
     function change_username($newname){
-      include $_SESSION["docroot"].'/php/hash.php';
       include $_SESSION["docroot"].'/php/connect.php';
       $this->username = $newname;
-      $result = $mysqli->query("SELECT * WHERE `username` = $this->username;");
+      $selectQuery = $mysqli->prepare("SELECT * FROM `users` WHERE `username` =  ?;");
+      $selectQuery->bind_param("s", $this->username);
+      $selectQuery->execute();
+      $result = $selectQuery->get_result();
       if($result->num_rows==0){
-        $result = $mysqli->query("UPDATE `users` SET `username` = '$newname' WHERE `users`.`uid` = $this->uid;");
+        $updateQuery = $mysqli->prepare("UPDATE `users` SET `username` = ? WHERE `users`.`uid` = ?;");
+        $updateQuery->bind_param("ss", $newname, $this->uid);
+        $updateQuery->execute();
         print_r("0");
       }
       else{
@@ -59,7 +70,9 @@
 
     function change_theme($theme){
       include $_SESSION["docroot"].'/php/connect.php';
-      $result = $mysqli->query("UPDATE `users` SET `theme` = '$theme' WHERE `users`.`uid` = $this->uid;");
+      $updateQuery = $mysqli->prepare("UPDATE `users` SET `theme` = ? WHERE `users`.`uid` = ?;");
+      $updateQuery->bind_param("ss", $theme, $this->uid);
+      $updateQuery->execute();
       if($result){
         print_r("0");
       }
@@ -72,13 +85,17 @@
       include $_SESSION["docroot"].'/php/connect.php';
       include $_SESSION["docroot"].'/php/hash.php';
 
-      $query = "SELECT `uid` FROM `users` WHERE `username` = '$uname'";
-      $result = $mysqli->query($query);
+      $selectQuery = $mysqli->prepare("SELECT `uid` FROM `users` WHERE `username` = ?;");
+      $selectQuery->bind_param("s", $uname);
+      $selectQuery->execute();
+      $result = $selectQuery->get_result();
       if($result->num_rows==0){
         $salt = create_salt();
         $passhash = hash_password($password, $salt);
-        $query = "INSERT INTO `users` (`username`, `password`, `salt`, `last_login`) VALUES ('$uname', '$passhash', '$salt', CURRENT_TIMESTAMP);";
-        $result = $mysqli->query($query);
+        $insertQuery = $mysqli->prepare("INSERT INTO `users` (`username`, `password`, `salt`, `last_login`) VALUES (?, ?, ?, CURRENT_TIMESTAMP);");
+        $insertQuery->bind_param("sss", $uname, $passhash, $salt);
+        $insertQuery->execute();
+        $result = $insertQuery->get_result();
         unset($salt);
         unset($password);
         print_r(0);