diff --git a/public/index.php b/public/index.php
index f54c7fe..59531d0 100644
--- a/public/index.php
+++ b/public/index.php
@@ -4,6 +4,20 @@ declare(strict_types=1);
 // boot application (config, autoload, services)
 require_once __DIR__ . '/../config/fileload.php';
+// Staging-Access-Protection (Basic Auth)
+if (defined('APP_ENV') && APP_ENV === 'staging') {
+ $authUser = getenv('STAGING_AUTH_USER') ?: 'staging';
+ $authPass = getenv('STAGING_AUTH_PASS') ?: 'staging123';
+ $user = $_SERVER['PHP_AUTH_USER'] ?? null;
+ $pass = $_SERVER['PHP_AUTH_PW'] ?? null;
+ if ($user !== $authUser || $pass !== $authPass) {
+ header('WWW-Authenticate: Basic realm="Staging"');
+ header('HTTP/1.0 401 Unauthorized');
+ echo 'Unauthorized';
+ exit;
+ }
+}
+
 $uriPath = parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH) ?: '/';
 $uriPath = preg_replace('~/{2,}~', '/', $uriPath);
 $uriPath = trim($uriPath, '/');
diff --git a/src/App/Search.php b/src/App/Search.php
index 01dcd05..c7e93f9 100644
--- a/src/App/Search.php
+++ b/src/App/Search.php
@@ -87,12 +87,9 @@ final class Search
 $sql .= " LIMIT :lim";
 $stmt = $this->pdo->prepare($sql);
- foreach ($params as $k => $v) {
- $type = is_int($v) ? \PDO::PARAM_INT : \PDO::PARAM_STR;
- $stmt->bindValue($k, $v, $type);
- }
- $stmt->bindValue(':lim', $limit, \PDO::PARAM_INT);
- $stmt->execute();
+ $execParams = $params;
+ $execParams[':lim'] = $limit;
+ $stmt->execute($execParams);
 return $stmt->fetchAll(\PDO::FETCH_ASSOC) ?: [];
 }
 }
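Review bot: The `?: 'staging'` and `?: 'staging123'` fallbacks on the `$authUser`/`$authPass` lines mean a staging host whose env vars are unset — or set to an empty string, which `?:` also treats as unset — silently accepts a credential pair that is now committed to the repository, so the gate should fail closed rather than default. The `!==` comparisons on the inner `if` also compare the password byte-by-byte with early exit, which leaks timing information; `hash_equals()` is the conventional replacement (with an explicit null check first, since `strict_types` makes `hash_equals(string, null)` a `TypeError`), and `http_response_code(401)` sets the status portably instead of a hand-written `HTTP/1.0` header line. Note that `PHP_AUTH_USER`/`PHP_AUTH_PW` are only populated by some SAPIs; under CGI-style deployments they need an `Authorization`-header rewrite, which cannot be verified from this file. Basic Auth also only protects the environment when staging is served over TLS, as the credentials travel base64-encoded on every request.
```php
// Staging-Access-Protection (Basic Auth) — fail closed when credentials are not configured
if (defined('APP_ENV') && APP_ENV === 'staging') {
    $authUser = getenv('STAGING_AUTH_USER');
    $authPass = getenv('STAGING_AUTH_PASS');
    if ($authUser === false || $authUser === '' || $authPass === false || $authPass === '') {
        http_response_code(503);
        exit('Staging credentials not configured');
    }
    $user = $_SERVER['PHP_AUTH_USER'] ?? null;
    $pass = $_SERVER['PHP_AUTH_PW'] ?? null;
    // constant-time comparison; null check first because hash_equals() requires strings
    if ($user === null || $pass === null
        || !hash_equals($authUser, $user) || !hash_equals($authPass, $pass)) {
        header('WWW-Authenticate: Basic realm="Staging"');
        http_response_code(401);
        echo 'Unauthorized';
        exit;
    }
}
```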
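Review bot: Passing `$limit` through `$stmt->execute($execParams)` binds it as `PDO::PARAM_STR`, whereas the removed `bindValue(':lim', $limit, \PDO::PARAM_INT)` bound it as an integer; if the connection runs with emulated prepares (pdo_mysql's default unless `PDO::ATTR_EMULATE_PREPARES` is set to `false`, which is not visible here) the driver quotes the value and the statement becomes `LIMIT '10'`, which MySQL rejects as a syntax error. The same loss of type applies to any integer entries in `$params`, which the old loop bound as `PARAM_INT`. Keeping the typed binding for the LIMIT and binding the rest via `bindValue` preserves the previous behaviour, as in the lines below. The enclosing method begins before this hunk, so where `$limit` and `$params` originate and whether `$limit` is already validated as a bounded integer cannot be confirmed from this view.
```php
$stmt = $this->pdo->prepare($sql);
foreach ($params as $k => $v) {
    $stmt->bindValue($k, $v, is_int($v) ? \PDO::PARAM_INT : \PDO::PARAM_STR);
}
// LIMIT must be bound as an integer: under emulated prepares a PARAM_STR value is quoted
$stmt->bindValue(':lim', $limit, \PDO::PARAM_INT);
$stmt->execute();
// … unchanged: fetchAll and return …
```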