diff --git a/backend/package-lock.json b/backend/package-lock.json
index 2c117eb..97e67ff 100644
--- a/backend/package-lock.json
+++ b/backend/package-lock.json
@@ -1406,9 +1406,9 @@
 "dev": true
 },
 "sqlstring": {
- "version": "2.3.1",
- "resolved": "https://registry.npmjs.org/sqlstring/-/sqlstring-2.3.1.tgz",
- "integrity": "sha1-R1OT/56RR5rqYtyvDKPRSYOn+0A="
+ "version": "2.3.2",
+ "resolved": "https://registry.npmjs.org/sqlstring/-/sqlstring-2.3.2.tgz",
+ "integrity": "sha512-vF4ZbYdKS8OnoJAWBmMxCQDkiEBkGQYU7UZPtL8flbDRSNkhaXvRJ279ZtI6M+zDaQovVU4tuRgzK5fVhvFAhg=="
 },
 "statuses": {
 "version": "1.5.0",
diff --git a/backend/package.json b/backend/package.json
index a2d9a56..5ae1253 100644
--- a/backend/package.json
+++ b/backend/package.json
@@ -20,7 +20,8 @@
 "moment": "^2.26.0",
 "morgan": "^1.10.0",
 "mysql2": "^2.1.0",
- "path": "^0.12.7"
+ "path": "^0.12.7",
+ "sqlstring": "^2.3.2"
 },
 "devDependencies": {
 "nodemon": "^2.0.4"
diff --git a/backend/routes/countries.js b/backend/routes/countries.js
index b265b18..abeeadc 100644
--- a/backend/routes/countries.js
+++ b/backend/routes/countries.js
@@ -2,13 +2,15 @@ const router = require("express").Router();
 const getCountries = require("../models/getCountries.js");
 const getCountryById = require("../models/getCountryById.js");
+const sqlstring = require("sqlstring")
+
 module.exports = dbConn => {
 router.get("/api/v1/countries", async (req, res) => {
 res.json(await getCountries(dbConn));
 });
 router.get("/api/v1/countries/:id", async (req, res) => {
- const id = req.params.id;
+ const id = sqlstring.escape(req.params.id);
 res.json(await getCountryById(dbConn, id))
 });
 return router;
diff --git a/backend/routes/place.js b/backend/routes/place.js
index fa543a0..019cbab 100644
--- a/backend/routes/place.js
+++ b/backend/routes/place.js
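Review bot: `sqlstring.escape()` returns a quoted SQL literal (a path id of `42` becomes `'42'`, quotes included), so the new `const id = sqlstring.escape(req.params.id);` line hands `getCountryById` a value that already carries its own quoting. If that model binds `id` through a `?` placeholder (`dbConn.query(sql, [id])` or `dbConn.execute`), the driver escapes it a second time and the lookup matches nothing; if the model concatenates it into the SQL text, the escaping is correct today but lives two files away from the query it protects. The durable fix is to keep the route at `const id = req.params.id;` and parameterize the query inside the model, which mysql2 supports directly. The same route-level escaping is introduced in regions.js (`/api/v1/regions/:id` and `/api/v1/regions/:id/nearby`) and update.js (both `:id` PATCH handlers) and should be treated the same way.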
@@ -10,12 +10,15 @@ module.exports = dbConn => {
 });
 router.get("/api/v1/place/nearby", async (req, res) => {
- const place = await getPlaceNearby(req.query.lat, req.query.lng)
+ const lat = sqlstring.escape(req.query.lat)
+ const lng = sqlstring.escape(req.query.lng)
+ const place = await getPlaceNearby(lat, lng)
 res.json(place)
 });
 router.get("/api/v1/place/photo", async (req, res) => {
- const photo = await getPlacePhoto(req.query.photoref)
+ const photoref = sqlstring.escape(req.query.photoref)
+ const photo = await getPlacePhoto(photoref)
 res.json(photo)
 });
diff --git a/backend/routes/regions.js b/backend/routes/regions.js
index 33cf9f6..677ab30 100644
--- a/backend/routes/regions.js
+++ b/backend/routes/regions.js
@@ -1,24 +1,25 @@
 const router = require("express").Router();
 const getRegions = require("../models/getRegions.js");
 const getRegionById = require("../models/getRegionById.js");
-const handleRegionLonLat = require("../models/handleRegionLonLat.js")
 const getRegionNearbyById = require("../models/getRegionNearbyById.js")
 const path = require("path");
 const fs = require("fs");
 const _ = require('lodash')
+const sqlstring = require("sqlstring")
 module.exports = dbConn => {
 router.get("/api/v1/regions", async (req, res) => {
 const data = await getRegions(dbConn)
 if (req.query.randomize) {
- res.json(_.sampleSize(data, req.query.randomize))
+ const randomize = sqlstring.escape(req.query.randomize)
+ res.json(_.sampleSize(data, randomize))
 } else {
 res.json(data);
 }
 });
 router.get("/api/v1/regions/:id", async (req, res) => {
- const id = req.params.id;
+ const id = sqlstring.escape(req.params.id);
 res.json(await getRegionById(dbConn, id))
 });
@@ -31,7 +32,8 @@ module.exports = dbConn => {
 })
 router.get("/api/v1/regions/:id/nearby", async (req,res) => {
- res.json(await getRegionNearbyById(dbConn,req.params.id))
+ const id = sqlstring.escape(req.params.id);
+ res.json(await getRegionNearbyById(dbConn,id))
 });
 return router;
 };
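Review bot: `sqlstring` is referenced on the new `const lat = sqlstring.escape(req.query.lat)` line, but this is the only hunk in place.js and, unlike countries.js, regions.js and update.js, it adds no `const sqlstring = require("sqlstring")`; unless lines 1–9 already declare it, both handlers throw a ReferenceError on first use and the request fails. Independently, `getPlaceNearby` and `getPlacePhoto` take no `dbConn`, which suggests they call something other than the database; `sqlstring.escape()` then wraps the coordinates and photo reference in SQL quotes that a URL or API parameter does not expect. If those helpers build a request URL, pass the raw values through `url.searchParams.set(...)` and validate the coordinates with `Number.isFinite(Number(req.query.lat))` rather than SQL-escaping them. The enclosing `module.exports` block begins before this hunk.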
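Review bot: the new `_.sampleSize(data, randomize)` line receives the quoted string produced by `sqlstring.escape(req.query.randomize)` (for example `'5'`), which lodash coerces to 0, so `/api/v1/regions?randomize=5` now returns an empty array. This value never reaches SQL — `getRegions(dbConn)` has already run by the time it is used — so the right treatment is parsing and bounding, not escaping: `const randomize = Number.parseInt(req.query.randomize, 10);` followed by `if (!Number.isInteger(randomize) || randomize < 1) return res.json(data);`. Keeping the escape here silently disables the randomize feature while adding no protection.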
diff --git a/backend/routes/update.js b/backend/routes/update.js
index 73d4250..bff369e 100644
--- a/backend/routes/update.js
+++ b/backend/routes/update.js
@@ -3,6 +3,7 @@ const handleUpdateRegionNearby = require("../models/handleUpdateRegionNearby.js"
 const handleUpdateRegionNearbyById = require("../models/handleUpdateRegionNearbyById.js")
 const handleUpdateRegionNearbyImgUrl = require("../models/handleUpdateRegionNearbyImgUrl.js")
 const handleUpdateRegionNearbyImgUrlById = require("../models/handleUpdateRegionNearbyImgUrlById.js")
+const sqlstring = require("sqlstring")
 module.exports = dbConn => {
 router.patch("/api/v1/update/regions/all/nearby", async (req, res) => {
@@ -14,7 +15,8 @@ module.exports = dbConn => {
 });
 router.patch("/api/v1/update/regions/:id/nearby", async (req, res) => {
- res.json(await handleUpdateRegionNearbyById(dbConn, req.params.id))
+ const id = sqlstring.escape(req.params.id);
+ res.json(await handleUpdateRegionNearbyById(dbConn, id))
 });
 router.patch("/api/v1/update/regions/all/nearby/imgurl", async (req, res) => {
@@ -22,7 +24,8 @@ module.exports = dbConn => {
 });
 router.patch("/api/v1/update/regions/:id/nearby/imgurl", async (req, res) => {
- res.json(await handleUpdateRegionNearbyImgUrlById(dbConn, req.params.id))
+ const id = sqlstring.escape(req.params.id);
+ res.json(await handleUpdateRegionNearbyImgUrlById(dbConn, id))
 });
 return router