diff --git a/sqli/dao/student.py b/sqli/dao/student.py
index d41ef885..f6a2ca45 100644
--- a/sqli/dao/student.py
+++ b/sqli/dao/student.py
@@ -39,9 +39,6 @@ async def get_many(conn: Connection, limit: Optional[int] = None,
 
     @staticmethod
     async def create(conn: Connection, name: str):
-        q = ("INSERT INTO students (name) "
-             "VALUES ('%(name)s')" % {'name': name})
+        q = "INSERT INTO students (name) VALUES (%s)"
         async with conn.cursor() as cur:
-            await cur.execute(q)
-
-
+            await cur.execute(q, (name,))
diff --git a/sqli/dao/user.py b/sqli/dao/user.py
index c663ddc3..7665ccf7 100644
--- a/sqli/dao/user.py
+++ b/sqli/dao/user.py
@@ -1,4 +1,4 @@
-from hashlib import md5
+from hashlib import scrypt
 from typing import NamedTuple, Optional
 
 from aiopg import Connection
@@ -10,7 +10,7 @@ class User(NamedTuple):
     middle_name: Optional[str]
     last_name: str
     username: str
-    pwd_hash: str
+    pwd_hash: bytes
     is_admin: bool
 
     @classmethod
@@ -38,4 +38,4 @@ async def get_by_username(conn: Connection, username: str):
             return User.from_raw(await cur.fetchone())
 
     def check_password(self, password: str):
-        return self.pwd_hash == md5(password.encode('utf-8')).hexdigest()
+        return self.pwd_hash == scrypt(password.encode('utf-8'), salt=b'salt', n=16384, r=8, p=1)
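Review bot: The new check_password line hashes every user's password with the same constant salt `b'salt'`, so two users with the same password still get identical hashes and a single precomputed table covers the whole user base; moving from md5 to scrypt only helps if each stored hash carries its own random salt (for example `secrets.token_bytes(16)` generated at password-set time) that is read back here instead of the literal. That is a storage change rather than a one-line edit: `pwd_hash: bytes` in the NamedTuple hunk above would need to hold the salt alongside the digest, or a separate salt field, and `from_raw` — which starts outside this diff — would have to populate it. Independently, the plain `==` on the two byte strings short-circuits on the first differing byte; compare with `return hmac.compare_digest(self.pwd_hash, scrypt(password.encode('utf-8'), salt=<per-user salt>, n=16384, r=8, p=1))` and add `import hmac` next to the hashlib import in the first user.py hunk. Worth a one-line comment on the chosen cost parameters (`n=16384, r=8, p=1`) so a later maintainer does not lower them without noticing.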