/create prepare statement, prevent SQL injection

public/index.php

@@ -104,10 +104,14 @@ $app->map(['GET', 'POST'], '/blog/create', function (Request $request, Response
         } else {
             $data = $request->getParsedBody();
             global $db;
-            $insertQuery = "INSERT INTO blogs (slug, title, content) VALUES ('" . $data['slug'] . "', '"  . $data['title'] . "', '"  . $data['content'] ."')";
-            $ret = $db->exec($insertQuery);
-
-            if($ret) {
+            // $insertQuery = "INSERT INTO blogs (slug, title, content) VALUES ('" . $data['slug'] . "', '"  . $data['title'] . "', '"  . $data['content'] ."')";
+            $stmt = $db->prepare("INSERT INTO blogs (slug, title, content) VALUES (:slug, :title, :content)");
+            $stmt->bindValue(':slug', $data['slug'], SQLITE3_TEXT);
+            $stmt->bindValue(':title', $data['title'], SQLITE3_TEXT);
+            $stmt->bindValue(':content', $data['content'], SQLITE3_TEXT);
+            $res = $stmt->execute();
+
+            if($res) {
                 return $response->withHeader('Location', '/')->withStatus(302);
             } else {
                 $err = $db->lastErrorMsg();