diff --git a/.idea/vcs.xml b/.idea/vcs.xml
new file mode 100644
index 0000000..94a25f7
--- /dev/null
+++ b/.idea/vcs.xml
@@ -0,0 +1,6 @@
+
+
+
+
+
+
\ No newline at end of file
diff --git a/services/Access.php b/services/Access.php
index 715bcb6..2fd8774 100644
--- a/services/Access.php
+++ b/services/Access.php
@@ -7,6 +7,7 @@ class Access
 {
 static function login($username, $password)
 {
+ // ADORO L'SQL INJECTION ' OR '1'='1
 global $conn;
 $query = "SELECT * FROM users WHERE DESCRIZIONE = '$username' AND PASSWORD = '$password'";
 return $conn->query($query);
diff --git a/services/Search.php b/services/Search.php
index a78360a..a0ebf52 100644
--- a/services/Search.php
+++ b/services/Search.php
@@ -8,10 +8,16 @@ class Search
 static function searchByUsername($username)
 {
 global $conn;
- $query = "SELECT persone.* FROM users
- RIGHT JOIN persone ON persone.ID = users.ID_PERSONA
- WHERE users.DESCRIZIONE = '$username'";
- return $conn->query($query);
+ $query = "SELECT persone.*
+ FROM users
+ RIGHT JOIN persone ON persone.ID = users.ID_PERSONA
+ WHERE users.DESCRIZIONE = ?";
+
+ $stmt = $conn->prepare($query);
+ $stmt->bind_param("s", $username);
+ $stmt->execute();
+ $result = $stmt->get_result();
+ return $result;
 }
 
 }
\ No newline at end of file
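Review bot: The added comment line before `global $conn;` only announces the injection in `login`; the `$query` line right after it still interpolates `$username` and `$password` into the SQL, so the `' OR '1'='1` payload the comment quotes bypasses authentication. `Search.php` in this same commit already switched to `prepare()`/`bind_param()`, and `login` should do the same, with the comment dropped rather than left as a hint of a known hole. The query also compares `PASSWORD` directly against the submitted value, which suggests passwords are stored in clear; if so, the follow-up is to select by username only and check the row with `password_verify()` against a `password_hash()` column. The method's closing brace lies outside the hunk.
```php
    static function login($username, $password)
    {
        global $conn;
        $stmt = $conn->prepare("SELECT * FROM users WHERE DESCRIZIONE = ? AND PASSWORD = ?");
        $stmt->bind_param("ss", $username, $password);
        $stmt->execute();
        return $stmt->get_result();
```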
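Review bot: `$stmt = $conn->prepare($query);` is not checked before `$stmt->bind_param("s", $username);` is called — with mysqli's default (non-exception) reporting, `prepare()` returns `false` on a failure such as a bad query or lost connection, and the next line then fails with a method call on a non-object instead of a useful error. Guard it, e.g. `if ($stmt === false) { throw new \RuntimeException('prepare failed: ' . $conn->error); }`, or enable `mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT)` where `$conn` is created so the driver throws. The parameterised `WHERE users.DESCRIZIONE = ?` is the right replacement for the old interpolated `$username`. `get_result()` needs the mysqlnd driver and likewise returns `false` without it, so the same check applies to `$result`. The statement handle is never released; mysqlnd buffers the result returned by `get_result()`, so a `$stmt->close();` before the `return` should be safe — confirm against the deployed driver.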