Username should be a prepared variable

var/www/cron.php

@@ -206,6 +206,7 @@ foreach($reload as $key => $val){
 
 //continue deleting old accounts
 $stmt=$db->prepare('SELECT mysql_database FROM mysql_databases WHERE user_id=?;');
+$drop_user=$db->prepare("DROP USER ?@'%';");
 foreach($accounts as $account){
 	//kill processes of the user to allow deleting system users
 	exec('skill -u ' . escapeshellarg($account[0]));
@@ -225,7 +226,7 @@ foreach($accounts as $account){
 		unlink("/var/log/nginx/error_$account[0].log.1");
 	}
 	//delete user from database
-	$db->exec("DROP USER '$account[2]'@'%';");
+	$drop_user->execute([$account[2]]);
 	$stmt->execute([$account[1]]);
 	while($tmp=$stmt->fetch(PDO::FETCH_NUM)){
 		$db->exec("DROP DATABASE IF EXISTS `$tmp[0]`;");

var/www/html/register.php

@@ -108,10 +108,11 @@ if($_SERVER['REQUEST_METHOD']==='POST'){
 		$stmt->execute([$user_id, $onion]);
 		$stmt=$db->prepare('INSERT INTO onions (user_id, onion, private_key, version) VALUES (?, ?, ?, ?);');
 		$stmt->execute([$user_id, $onion, $priv_key, 2]);
-		$create_user=$db->prepare("CREATE USER '$onion.onion'@'%' IDENTIFIED BY ?;");
-		$create_user->execute([$_POST['pass']]);
+		$create_user=$db->prepare("CREATE USER ?@'%' IDENTIFIED BY ?;");
+		$create_user->execute(["$onion.onion", $_POST['pass']]);
 		$db->exec("CREATE DATABASE IF NOT EXISTS `$onion`;");
-		$db->exec("GRANT ALL PRIVILEGES ON `$onion`.* TO '$onion.onion'@'%';");
+		$stmt=$db->prepare("GRANT ALL PRIVILEGES ON `$onion`.* TO ?@'%';");
+		$stmt->execute(["$onion.onion"]);
 		$db->exec('FLUSH PRIVILEGES;');
 		$stmt=$db->prepare('INSERT INTO new_account (user_id, password) VALUES (?, ?);');
 		$stmt->execute([$user_id, get_system_hash($_POST['pass'])]);