From 5e4a384d0f9e53b17bb860d6a69ba5af0560ba11 Mon Sep 17 00:00:00 2001
From: Dave Wichers
Date: Wed, 4 Feb 2026 12:33:08 -0500
Subject: [PATCH] Potential fix for code scanning alert no. 45: Query built from user-controlled sources

Fix SQLi in Benchmark00603.java:64

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 .../org/owasp/benchmark/testcode/Benchmark00603.java | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/src/main/java/org/owasp/benchmark/testcode/Benchmark00603.java b/src/main/java/org/owasp/benchmark/testcode/Benchmark00603.java
index e935a24..3d47646 100644
--- a/src/main/java/org/owasp/benchmark/testcode/Benchmark00603.java
+++ b/src/main/java/org/owasp/benchmark/testcode/Benchmark00603.java
@@ -61,12 +61,15 @@ public void doPost(HttpServletRequest request, HttpServletResponse response)
                 org.owasp.benchmark.helpers.ThingFactory.createThing();
         String bar = thing.doSomething(param);
 
-        String sql = "SELECT * from USERS where USERNAME='foo' and PASSWORD='" + bar + "'";
+        String sql = "SELECT * from USERS where USERNAME='foo' and PASSWORD=?";
 
         try {
-            java.sql.Statement statement =
-                    org.owasp.benchmark.helpers.DatabaseHelper.getSqlStatement();
-            statement.execute(sql, java.sql.Statement.RETURN_GENERATED_KEYS);
+            java.sql.Connection connection =
+                    org.owasp.benchmark.helpers.DatabaseHelper.getSqlConnection();
+            java.sql.PreparedStatement statement =
+                    connection.prepareStatement(sql, java.sql.Statement.RETURN_GENERATED_KEYS);
+            statement.setString(1, bar);
+            statement.execute();
             org.owasp.benchmark.helpers.DatabaseHelper.printResults(statement, sql, response);
         } catch (java.sql.SQLException e) {
             if (org.owasp.benchmark.helpers.DatabaseHelper.hideSQLErrors) {
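Review bot: The PreparedStatement created by `connection.prepareStatement(...)` on the new side is never closed, so it leaks on both the normal path and when `setString`/`execute`/`printResults` throw SQLException; the removed code obtained its Statement from `DatabaseHelper.getSqlStatement()`, which may have owned that lifetime, but the new code creates the statement itself and must release it. Wrap the statement in try-with-resources, keeping `printResults(statement, sql, response)` inside the block since it reads from the statement after execution. Who owns the connection returned by `getSqlConnection()` is not visible in the hunk (it could be shared or pooled), so I would leave closing it to DatabaseHelper rather than add a second resource. Separately, this file sits under `testcode/` in a benchmark of deliberately vulnerable samples, so converting it to a parameterized query presumably changes the ground truth for Benchmark00603 — confirm the corresponding expected-results entry is updated, or keep the sample as-is if it is meant to remain a true positive. doPost continues outside the hunk on both sides.
```java
        try {
            java.sql.Connection connection =
                    org.owasp.benchmark.helpers.DatabaseHelper.getSqlConnection();
            try (java.sql.PreparedStatement statement =
                    connection.prepareStatement(sql, java.sql.Statement.RETURN_GENERATED_KEYS)) {
                statement.setString(1, bar);
                statement.execute();
                org.owasp.benchmark.helpers.DatabaseHelper.printResults(statement, sql, response);
            }
        } catch (java.sql.SQLException e) {
            // … unchanged: hideSQLErrors handling …
```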