diff --git a/access.php b/access.php index 1883ffa..ef8dc64 100644 --- a/access.php +++ b/access.php @@ -12,7 +12,7 @@ if ($conn->connect_error) { die("Connection failed: " . $conn->connect_error); } -$sql = "SELECT ts, lat, lon FROM tracker WHERE device='" . $_GET["device"] . "' ORDER BY ts ASC;"; +$sql = "SELECT ts, lat, lon FROM tracker WHERE device='" . mysqli_real_escape_string($conn, $_GET["device"]) . "' ORDER BY ts ASC;"; $result = $conn->query($sql); if ($result->num_rows > 0) {
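Review bot: The new `$sql` line still builds the query by string concatenation, so its safety depends on `mysqli_real_escape_string` agreeing with the connection character set (no `set_charset` call is visible in this hunk) and on the value always staying inside the quotes. It also passes `$_GET["device"]` through unchecked, so a missing or array-valued `device` parameter reaches the escape call as null or an array. A prepared statement with a bound parameter removes both concerns, and `prepare()` and `execute()` results should be checked before use. The sketch below assumes the mysqlnd driver is available for `get_result()`. The script starts and ends outside the hunk, so connection setup and the result loop could not be checked.

```php
$device = $_GET["device"] ?? null;
if (!is_string($device) || $device === '') {
  http_response_code(400);
  exit;
}

$stmt = $conn->prepare("SELECT ts, lat, lon FROM tracker WHERE device = ? ORDER BY ts ASC");
$stmt->bind_param("s", $device);
$stmt->execute();
$result = $stmt->get_result();
// … unchanged: if ($result->num_rows > 0) { …
```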