diff --git a/model/products.js b/model/products.js
index 6df3f921..e4f7cde4 100644
--- a/model/products.js
+++ b/model/products.js
@@ -11,42 +11,39 @@ function list_products() {
 function getProduct(product_id) {
- var q = "SELECT * FROM products WHERE id = '" + product_id + "';";
+ var q = "SELECT * FROM products WHERE id = $1;";
- return db.one(q);
+ return db.one(q, [product_id]);
 }
 function search(query) {
- var q = "SELECT * FROM products WHERE name ILIKE '%" + query + "%' OR description ILIKE '%" + query + "%';";
+ var q = "SELECT * FROM products WHERE name ILIKE $1 OR description ILIKE $2;";
- return db.many(q);
+ return db.many(q, ['%' + query + '%', '%' + query + '%']);
 }
 function purchase(cart) {
- var q = "INSERT INTO purchases(mail, product_name, user_name, product_id, address, phone, ship_date, price) VALUES('" +
- cart.mail + "', '" +
- cart.product_name + "', '" +
- cart.username + "', '" +
- cart.product_id + "', '" +
- cart.address + "', '" +
- cart.ship_date + "', '" +
- cart.phone + "', '" +
- cart.price +
- "');";
+ var q = "INSERT INTO purchases(mail, product_name, user_name, product_id, address, phone, ship_date, price) VALUES($1, $2, $3, $4, $5, $6, $7, $8);";
- return db.one(q);
+ return db.one(q, [cart.mail, cart.product_name, cart.username, cart.product_id, cart.address, cart.phone, cart.ship_date, cart.price]);
 }
 function get_purcharsed(username) {
- var q = "SELECT * FROM purchases WHERE user_name = '" + username + "';";
+ var q = "SELECT * FROM purchases WHERE user_name = $1;";
- return db.many(q);
+ return db.many(q, [username]);
+
+}
+
+function create(product) {
+ var q = "INSERT INTO products(name, description, price) VALUES($1, $2, $3);";
+ return db.one(q, [product.name, product.description, product.price]);
 }
 var actions = {
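Review bot: `create` sends an INSERT with no RETURNING clause through `db.one`; if `db` is pg-promise — which the `$1` placeholders and the `one`/`many` method names suggest — `one` rejects when the statement yields zero rows, so every successful insert would be reported to the caller as a failure; use `db.none(q, [product.name, product.description, product.price])` or append `RETURNING id` to the statement (`purchase` has the same pattern, but that part predates this commit). Separately, in `search` the caller's `query` is wrapped as `'%' + query + '%'` without escaping, so `%` and `_` in the input still act as ILIKE wildcards; the parameterisation removes the SQL injection, but a literal match needs those two characters (and the escape character) escaped before the pattern is built. The `list_products` function named in the hunk header lies above the hunk, and blank context lines between the functions may not have survived the page's collapsing.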
@@ -54,7 +51,8 @@ var actions = {
 "getProduct": getProduct,
 "search": search,
 "purchase": purchase,
- "getPurchased": get_purcharsed
+ "getPurchased": get_purcharsed,
+ "create": create
 }
 module.exports = actions;
diff --git a/routes/products.js b/routes/products.js
index 814f834b..2d7eb897 100644
--- a/routes/products.js
+++ b/routes/products.js
@@ -144,6 +144,31 @@ router.all('/products/buy', function(req, res, next) {
 });
+router.all('/products/create', function(req, res, next) {
+ let params = null;
+ if (req.method == "GET"){
+ params = url.parse(req.url, true).query;
+ } else {
+ params = req.body;
+ }
+
+ let product = null;
+ product = {
+ name: params.name,
+ description: params.description,
+ price: params.price,
+ image: params.image,
+ username: req.session.user_name
+ }
+ db_products.create(product)
+ .then(function () {
+ res.json({ message: "Product created successfully" });
+ })
+ .catch(function (err) {
+ console.log(err);
+ res.status(500).json({ message: "Error creating product" });
+ });
+});
 module.exports = router;
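Review bot: The new `/products/create` handler never checks that the request comes from an authenticated or authorised user before inserting — it reads `req.session.user_name` only to copy it into `product` — and because the route is registered with `router.all` and explicitly handles `GET`, a product can be created by a plain link or image tag, which also leaves the endpoint open to cross-site request forgery. A guard at the top such as `if (!req.session || !req.session.user_name) { return res.status(401).json({ message: "Login required" }); }`, together with registering the route as `router.post` and dropping the `GET`/`url.parse` branch, would close both gaps. Note also that `image` and `username` are built into `product` but the model's `create` in this same commit inserts only `name`, `description` and `price`, so both fields are silently discarded — either add them to the INSERT or stop collecting them here. Minor style: `let product = null; product = {...}` can be a single `const product = {...};`, and `req.method == "GET"` should use `===`.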