diff --git a/sqli/dao/student.py b/sqli/dao/student.py
index d41ef885..22375ab7 100644
--- a/sqli/dao/student.py
+++ b/sqli/dao/student.py
@@ -39,9 +39,8 @@ async def get_many(conn: Connection, limit: Optional[int] = None,
     @staticmethod
     async def create(conn: Connection, name: str):
-        q = ("INSERT INTO students (name) " "VALUES ('%(name)s')" % {'name': name})
+        q = "INSERT INTO students (name) VALUES (:name)"
         async with conn.cursor() as cur:
-            await cur.execute(q)
+            await cur.execute(q, {"name": name})
diff --git a/sqli/dao/user.py b/sqli/dao/user.py
index c663ddc3..94ef4564 100644
--- a/sqli/dao/user.py
+++ b/sqli/dao/user.py
@@ -1,4 +1,5 @@
 from hashlib import md5
+import hashlib
 from typing import NamedTuple, Optional
 
 from aiopg import Connection
@@ -38,4 +39,4 @@ async def get_by_username(conn: Connection, username: str):
             return User.from_raw(await cur.fetchone())
 
     def check_password(self, password: str):
-        return self.pwd_hash == md5(password.encode('utf-8')).hexdigest()
+        return self.pwd_hash == hashlib.scrypt(password.encode('utf-8'), salt=b'somesalt', n=16384, r=8, p=1).hex()
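Review bot: The new placeholder `:name` in `q` is the named paramstyle, but if `Connection` comes from aiopg (as the import visible in user.py suggests) the cursor delegates to psycopg2, whose paramstyle is pyformat; psycopg2 will not substitute `:name`, so the literal text reaches PostgreSQL and the INSERT fails with a syntax error instead of being bound. The bound form for that driver keeps the dict argument and uses the pyformat placeholder: `q = "INSERT INTO students (name) VALUES (%(name)s)"` with `await cur.execute(q, {"name": name})`. A short docstring on `create` stating that `name` is passed as a query parameter and must never be interpolated into `q` would help keep the next edit from reverting to string formatting. `create` may continue past the hunk's last line, which is outside the diff.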
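Review bot: The scrypt call in `check_password` uses the fixed salt `b'somesalt'` for every user, so two accounts with the same password store the same `pwd_hash` and a single precomputed table covers all of them; the salt should be random per user (`secrets.token_bytes(16)`) and stored with the hash, with `check_password` reading it from the record rather than from a literal. The comparison `self.pwd_hash == ...` is also an ordinary string compare; `hmac.compare_digest(self.pwd_hash, digest)` removes the dependence of the timing on how many leading characters match. Existing rows still hold MD5 digests and will no longer verify after this change, so a migration or a re-hash-on-successful-login path is needed, and nothing in the diff addresses that. With `import hashlib` added at the top of the file, `from hashlib import md5` appears to be unused unless it is referenced outside the hunks.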