From d48293e909eaa3bd101840beeb737b57da28e503 Mon Sep 17 00:00:00 2001
From: Dave Wichers
Date: Wed, 4 Feb 2026 12:26:35 -0500
Subject: [PATCH] Potential fix for code scanning alert no. 46: Query built from user-controlled sources

Fix SQL injection in Benchmark00839.java:75

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 src/main/java/org/owasp/benchmark/testcode/Benchmark00839.java | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/main/java/org/owasp/benchmark/testcode/Benchmark00839.java b/src/main/java/org/owasp/benchmark/testcode/Benchmark00839.java
index e81aeee..bba0a19 100644
--- a/src/main/java/org/owasp/benchmark/testcode/Benchmark00839.java
+++ b/src/main/java/org/owasp/benchmark/testcode/Benchmark00839.java
@@ -72,7 +72,7 @@ public void doPost(HttpServletRequest request, HttpServletResponse response)
 
         bar = (7 * 42) - num > 200 ? "This should never happen" : param;
 
-        String sql = "SELECT * from USERS where USERNAME=? and PASSWORD='" + bar + "'";
+        String sql = "SELECT * from USERS where USERNAME=? and PASSWORD=?";
 
         try {
             java.sql.Connection connection =
@@ -80,6 +80,7 @@ public void doPost(HttpServletRequest request, HttpServletResponse response)
             java.sql.PreparedStatement statement =
                     connection.prepareStatement(sql, new String[] {"Column1", "Column2"});
             statement.setString(1, "foo");
+            statement.setString(2, bar);
             statement.execute();
             org.owasp.benchmark.helpers.DatabaseHelper.printResults(statement, sql, response);
         } catch (java.sql.SQLException e) {
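Review bot: Because this file sits under org.owasp.benchmark.testcode and appears to be a deliberately vulnerable benchmark test case rather than application code, parameterizing the PASSWORD predicate in the first hunk and binding `bar` in the second changes what the test case measures; if Benchmark00839 is recorded as a true-positive SQL-injection case in the project's expected-results data, that record must be updated in the same commit, or scanners evaluated against it will be scored wrongly. The binding itself is correct: `statement.setString(2, bar);` pairs with the second `?`, and the query text handed to `printResults` no longer carries user input. The enclosing `doPost` begins and ends outside both hunks, so whether `connection` and `statement` are closed on every exit path cannot be confirmed from here; a try-with-resources around both would make that explicit.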