diff --git a/database/db.js b/database/db.js
index 683c417..b8ddba2 100644
--- a/database/db.js
+++ b/database/db.js
@@ -63,7 +63,7 @@ var db = {
 // });
 db.addBookmark = function(user_id, bookmark) {
- var insertSql = "INSERT INTO `bookmarks` (`user_id`, `title`, `description`, `url`, `public`, `click_count`) VALUES ('" + user_id + "', '" + bookmark.title + "', '" + bookmark.description + "', '" + bookmark.url + "', '" + bookmark.public + "', '1')";
+ var insertSql = "INSERT INTO `bookmarks` (`user_id`, `title`, `description`, `url`, `public`, `click_count`) VALUES ('" + user_id + "', '" + bookmark.title + "', " + client.escape(bookmark.description) + ", '" + bookmark.url + "', '" + bookmark.public + "', '1')";
 var selectSql = "SELECT * FROM `bookmarks` WHERE `user_id` = '" + user_id + "' AND `url` = '" + bookmark.url + "'"
 return new Promise(function(resolve, reject) {
 client.query(selectSql, (err, result) => {
@@ -100,7 +100,8 @@ db.delBookmark = function(id) {
 }
 db.updateBookmark = function(bookmark) {
- var sql = "UPDATE `bookmarks` SET `title`='" + bookmark.title + "', `description`='" + bookmark.description + "', `url`='" + bookmark.url + "', `public`='" + bookmark.public + "' WHERE (`id`='" + bookmark.id + "')";
+ var sql = "UPDATE `bookmarks` SET `title`='" + bookmark.title + "', `description`=" + client.escape(bookmark.description) + ", `url`='" + bookmark.url + "', `public`='" + bookmark.public + "' WHERE (`id`='" + bookmark.id + "')";
+ console.log("sql updateBookmark = " + sql);
 return new Promise(function(resolve, reject) {
 client.query(sql, (err, result) => {
 if (err) {
diff --git a/schema.sql b/schema.sql
index 14e223f..99b3d3e 100644
--- a/schema.sql
+++ b/schema.sql
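Review bot: In the `addBookmark` hunk of database/db.js only `bookmark.description` goes through `client.escape()`; `user_id`, `bookmark.title`, `bookmark.url` and `bookmark.public` are still concatenated between hand-written quotes in the new `insertSql`, and `bookmark.url` likewise in the unchanged `selectSql`, so a quote character in any of them still alters the statement. The `updateBookmark` hunk has the same gap for `title`, `url`, `public` and `id`. If `client` is a mysql/mysql2 connection, as the `escape()` call suggests, placeholders cover every field at once: `VALUES (?, ?, ?, ?, ?, '1')` together with `client.query(insertSql, [user_id, bookmark.title, bookmark.description, bookmark.url, bookmark.public], ...)`. The `client.query(insertSql, ...)` call itself lies outside the hunk, so the exact call site needs to be checked there.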
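Review bot: The added `console.log("sql updateBookmark = " + sql);` in the `updateBookmark` hunk writes the complete UPDATE statement, including the user-supplied title, description and URL, to the process log on every update. It reads like leftover debugging; drop the line, or log only `bookmark.id` behind a debug switch. Otherwise the content of bookmarks stored with `public` = 0 becomes readable to anyone with access to the logs, and values containing line breaks can forge extra log lines. The body of `updateBookmark` continues past the end of the hunk.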
@@ -18,7 +18,7 @@ CREATE TABLE `bookmarks` (
 `id` int(11) NOT NULL AUTO_INCREMENT, -- id
 `user_id` int(11) DEFAULT NULL, -- 用户id
 `title` varchar(255) DEFAULT NULL, -- 标题
- `description` varchar(255) DEFAULT NULL, -- 描述
+ `description` varchar(4096) DEFAULT NULL, -- 描述
 `url` text, -- 链接
 `public` tinyint(4) DEFAULT '1', -- 是否公开 1 公开,0 不公开
 `click_count` smallint DEFAULT 1, -- 总共点击次数