diff --git a/app/config/passport.js b/app/config/passport.js
index c317814..138ff40 100644
--- a/app/config/passport.js
+++ b/app/config/passport.js
@@ -25,7 +25,7 @@ module.exports = function (passport) {
 // used to deserialize the user
 passport.deserializeUser(function (id, done) {
- connection.query("select * from users where id = " + id, function (err, rows) {
+ connection.query("select * from users where id = ?", [id], function (err, rows) {
 done(err, rows[0]);
 });
 });
@@ -46,7 +46,7 @@ module.exports = function (passport) {
 function (req, email, password, done) {
 // find a user whose email is the same as the forms email
 // we are checking to see if the user trying to login already exists
- connection.query("select * from users where email = '" + email + "'", function (err, rows) {
+ connection.query("select * from users where email = ?" + [email], function (err, rows) {
 if (err) {return done(err);}
 if (rows.length) {
 req.signUpMessage = 'Diese e-Mail ist bei uns bereits registriert';
@@ -84,7 +84,7 @@ module.exports = function (passport) {
 passReqToCallback: true // allows us to pass back the entire request to the callback
 },
 function (req, email, password, done) { // callback with email and password from our form
- connection.query("SELECT * FROM `users` WHERE `email` = '" + email + "'", function (err, rows) {
+ connection.query("SELECT * FROM `users` WHERE `email` = ?", [email], function (err, rows) {
 if (err) {return done(err);}
 if (!rows.length) {
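Review bot: The deserializeUser callback on the line after the rewritten query reads `rows[0]` before looking at `err`; when the query fails, `rows` is undefined and the resulting TypeError escapes the callback instead of being reported through `done`. The other two hunks return early on `err`, so this one could follow the same shape: `if (err) { return done(err); } done(null, rows[0]);`. The switch to `where id = ?` with `[id]` bound as a parameter is the right fix for the previous string interpolation of `id`. The deserializeUser call closes inside the hunk, while the enclosing module.exports function continues outside it.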
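Review bot: In the signup-strategy hunk the array is concatenated onto the SQL string instead of being passed as the second argument, so `[email]` is coerced to text and appended after the `?` with no bound parameter; the email still ends up inside the statement text, the injection this commit sets out to remove is unchanged here, and the query is also malformed. It should take the same form as the deserializeUser and login hunks: `connection.query("select * from users where email = ?", [email], function (err, rows) {`. The strategy callback continues past the end of the hunk.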