diff --git a/src/main/java/org/owasp/benchmark/testcode/Benchmark00441.java b/src/main/java/org/owasp/benchmark/testcode/Benchmark00441.java
index 9d82da5..8d5e4a9 100644
--- a/src/main/java/org/owasp/benchmark/testcode/Benchmark00441.java
+++ b/src/main/java/org/owasp/benchmark/testcode/Benchmark00441.java
@@ -18,6 +18,8 @@ package org.owasp.benchmark.testcode;
 import java.io.IOException;
+import java.sql.Connection;
+import java.sql.PreparedStatement;
 import javax.servlet.ServletException;
 import javax.servlet.annotation.WebServlet;
 import javax.servlet.http.HttpServlet;
@@ -47,12 +49,14 @@ public void doPost(HttpServletRequest request, HttpServletResponse response)
 org.owasp.benchmark.helpers.ThingFactory.createThing();
 String bar = thing.doSomething(param);
- String sql = "INSERT INTO users (username, password) VALUES ('foo','" + bar + "')";
+ String sql = "INSERT INTO users (username, password) VALUES ('foo', ?)";
 try {
- java.sql.Statement statement =
- org.owasp.benchmark.helpers.DatabaseHelper.getSqlStatement();
- int count = statement.executeUpdate(sql, new int[] {1, 2});
+ Connection connection = org.owasp.benchmark.helpers.DatabaseHelper.getSqlConnection();
+ PreparedStatement preparedStatement =
+ connection.prepareStatement(sql, new int[] {1, 2});
+ preparedStatement.setString(1, bar);
+ int count = preparedStatement.executeUpdate();
 org.owasp.benchmark.helpers.DatabaseHelper.outputUpdateComplete(sql, response);
 } catch (java.sql.SQLException e) {
 if (org.owasp.benchmark.helpers.DatabaseHelper.hideSQLErrors) {
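Review bot: The PreparedStatement created by `connection.prepareStatement(sql, new int[] {1, 2})` in the second hunk is never closed, so every request leaks a statement (and its server-side cursor) until the connection or GC reclaims it; the previous code reused a helper-provided Statement and had no such per-request allocation. Wrap the statement in try-with-resources inside the existing try/catch so the SQLException handling below is unchanged. Whether `getSqlConnection()` hands out a shared connection or a fresh one is not visible here, so I have deliberately left the Connection out of the resource list — if it is per-request it belongs there too. `count` is assigned and never read (pre-existing, but the rewrite is a good moment to drop it or use it). The enclosing doPost method starts and ends outside this hunk.
```java
try {
    Connection connection = org.owasp.benchmark.helpers.DatabaseHelper.getSqlConnection();
    try (PreparedStatement preparedStatement =
            connection.prepareStatement(sql, new int[] {1, 2})) {
        preparedStatement.setString(1, bar);
        int count = preparedStatement.executeUpdate();
        org.owasp.benchmark.helpers.DatabaseHelper.outputUpdateComplete(sql, response);
    }
} catch (java.sql.SQLException e) {
    // … unchanged: hideSQLErrors handling …
```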