diff --git a/src/main/java/org/owasp/benchmark/testcode/Benchmark00839.java b/src/main/java/org/owasp/benchmark/testcode/Benchmark00839.java
index e81aeee..bba0a19 100644
--- a/src/main/java/org/owasp/benchmark/testcode/Benchmark00839.java
+++ b/src/main/java/org/owasp/benchmark/testcode/Benchmark00839.java
@@ -72,7 +72,7 @@ public void doPost(HttpServletRequest request, HttpServletResponse response)
 bar = (7 * 42) - num > 200 ? "This should never happen" : param;
- String sql = "SELECT * from USERS where USERNAME=? and PASSWORD='" + bar + "'";
+ String sql = "SELECT * from USERS where USERNAME=? and PASSWORD=?";
 try {
 java.sql.Connection connection =
@@ -80,6 +80,7 @@ public void doPost(HttpServletRequest request, HttpServletResponse response)
 java.sql.PreparedStatement statement =
 connection.prepareStatement(sql, new String[] {"Column1", "Column2"});
 statement.setString(1, "foo");
+ statement.setString(2, bar);
 statement.execute();
 org.owasp.benchmark.helpers.DatabaseHelper.printResults(statement, sql, response);
 } catch (java.sql.SQLException e) {
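Review bot: The `Connection` and the now-parameterized `PreparedStatement` in the second hunk are still opened as plain locals inside the `try`, and nothing visible in either hunk closes them, so unless the `catch`/`finally` outside the hunk does, each request leaks a statement and a connection. With the injection fixed, I would open both in a try-with-resources header, `try (java.sql.Connection connection = ...; java.sql.PreparedStatement statement = connection.prepareStatement(sql, new String[] {"Column1", "Column2"})) {`, so they are released even when `execute()` or `printResults` throws. The parameterization itself looks right: `bar` only reaches the database through `setString(2, bar)`, and the `sql` string handed to `printResults` no longer carries user input. `PASSWORD=?` still compares a raw credential inside the query, which suggests plaintext password storage; worth confirming against the USERS schema if this is more than a benchmark case. `doPost` begins before the first hunk and ends after the second.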