diff --git a/lnbits/extensions/smtp/crud.py b/lnbits/extensions/smtp/crud.py
index a4158fa4c..c7b96df59 100644
--- a/lnbits/extensions/smtp/crud.py
+++ b/lnbits/extensions/smtp/crud.py
@@ -123,7 +123,7 @@ async def set_email_paid(payment_hash: str) -> bool:
     email = await get_email_by_payment_hash(payment_hash)
     if email and email.paid == False:
         await db.execute(
-            f"UPDATE smtp.email SET paid = true WHERE payment_hash = {payment_hash}"
+            f"UPDATE smtp.email SET paid = true WHERE payment_hash = ?", (payment_hash,)
         )
         return True
     return False
@@ -131,13 +131,13 @@ async def set_email_paid(payment_hash: str) -> bool:
 
 async def get_email_by_payment_hash(payment_hash: str) -> Optional[Email]:
     row = await db.fetchone(
-        f"SELECT * FROM smtp.email WHERE payment_hash = {payment_hash}"
+        f"SELECT * FROM smtp.email WHERE payment_hash = ?", (payment_hash,)
     )
     return Email(**row) if row else None
 
 
 async def get_email(id: str) -> Optional[Email]:
-    row = await db.fetchone(f"SELECT * FROM smtp.email WHERE id = {id}")
+    row = await db.fetchone(f"SELECT * FROM smtp.email WHERE id = ?", (id,))
     return Email(**row) if row else None
 
 
diff --git a/lnbits/extensions/smtp/views_api.py b/lnbits/extensions/smtp/views_api.py
index 92b2d0bd9..66bc49835 100644
--- a/lnbits/extensions/smtp/views_api.py
+++ b/lnbits/extensions/smtp/views_api.py
@@ -13,6 +13,7 @@ from .crud import (
     delete_email,
     delete_emailaddress,
     get_email,
+    get_email_by_payment_hash,
     get_emailaddress,
     get_emailaddresses,
     get_emails,
@@ -37,7 +38,7 @@ async def api_email(
 
 @smtp_ext.get("/api/v1/email/{payment_hash}")
 async def api_smtp_send_email(payment_hash):
-    email = await get_email(payment_hash)
+    email = await get_email_by_payment_hash(payment_hash)
     if not email:
         raise HTTPException(
             status_code=HTTPStatus.BAD_REQUEST, detail="paymenthash is wrong"