diff --git a/function.php b/function.php
index 570ca39..754a81a 100644
--- a/function.php
+++ b/function.php
@@ -124,10 +124,12 @@ function importSQLFile($connection) {
 }
 function delete_bd_user() {
- $id=$_POST['id'];
+ $id = $_POST['id'];
 $connectDatabase = connectDatabase();
- $sql = "DELETE FROM bd_user WHERE `bd_user`.`id` = $id";
- $result = $connectDatabase->query($sql);
+ $sql = "DELETE FROM bd_user WHERE `bd_user`.`id` = ?";
+ $stmt = $connectDatabase->prepare($sql);
+ $stmt->bind_param("i", $id);
+ $result = $stmt->execute();
 if ($result === true) {
 $response["success"] = true;
@@ -290,12 +292,14 @@ function revise_info(){
 return json_encode($response);
 }
 function switch_bd_user(){
-$id=$_POST['id'];
-$switch=$_POST['switch'];
+$id = $_POST['id'];
+$switch = $_POST['switch'];
 $switch = ($switch === '-1') ? '0' : (($switch === '0') ? '-1' : $switch);
-$sql="UPDATE `bd_user` SET `switch` = '$switch' WHERE `bd_user`.`id` = $id;";
 $connectDatabase = connectDatabase();
-$result = $connectDatabase->query($sql);
+$sql = "UPDATE `bd_user` SET `switch` = ? WHERE `bd_user`.`id` = ?";
+$stmt = $connectDatabase->prepare($sql);
+$stmt->bind_param("si", $switch, $id);
+$result = $stmt->execute();
 if ($result === true) {
 $response["success"] = true;
 $response["message"] ="更改状态成功";
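Review bot: The `$stmt = $connectDatabase->prepare($sql);` line never checks its result, so a failed prepare (malformed SQL, dropped connection) returns `false` and the next `bind_param()` call is a fatal error rather than the JSON failure response this function otherwise builds; the same unchecked pattern appears in switch_bd_user and add in the later hunks, and in add the statement is additionally never run because `$sql = $stmt;` is handed to `query()` instead of calling `$stmt->execute()`. `$_POST['id']` is also read with no validation; with the `"i"` binding a missing or non-numeric id is silently coerced to 0 rather than rejected. Suggested guards: `$id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT);` followed by `if ($id === null || $id === false || ($stmt = $connectDatabase->prepare($sql)) === false) { $response["success"] = false; return json_encode($response); }` before the bind (the exact failure message is a constructed example). delete_bd_user's body continues outside the hunk.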
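Review bot: The ternary on the `$switch = ($switch === '-1') ? '0' : ...` line only maps '-1' and '0'; any other client-supplied value falls through the final branch unchanged and is written straight into `bd_user`.`switch` through the `"s"` binding, so the parameterised UPDATE removes the injection but not the unvalidated state value. Reject anything outside the two known states before binding, e.g. `if (!in_array($_POST['switch'] ?? null, ['-1', '0'], true)) { $response["success"] = false; return json_encode($response); }`, returning the encoded `$response` as revise_info does in the context lines above. Whether the column is numeric and should be bound with `"i"` instead of `"s"` cannot be told from the hunk. switch_bd_user's body continues outside the hunk.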
@@ -310,11 +314,15 @@ function switch_bd_user(){
 function add() {
 $cookie = $_POST['cookie'];
- $name = $_POST['name'];
+ $name = $_POST['name'];
 $vip_type = $_POST['vip_type'];
- $currentDateTime = date('Y-m-d H:i:s');
- $sql = "INSERT INTO `bd_user` (`id`, `name`, `cookie`, `add_time`, `use`, `state`, `switch`, `vip_type`)
- VALUES (NULL, '$name', '$cookie', '$currentDateTime', '$currentDateTime', '-2', '0', '$vip_type');";
+ $currentDateTime = date('Y-m-d H:i:s');
+
+ $connectDatabase = connectDatabase();
+ $stmt = $connectDatabase->prepare("INSERT INTO `bd_user` (`id`, `name`, `cookie`, `add_time`, `use`, `state`, `switch`, `vip_type`)
+ VALUES (NULL, ?, ?, ?, ?, '-2', '0', ?)");
+ $stmt->bind_param("sssss", $name, $cookie, $currentDateTime, $currentDateTime, $vip_type);
+ $sql = $stmt;
 $connectDatabase = connectDatabase();
 $result = $connectDatabase->query($sql);