From 1780974d3e1f8d2754a13799ebefd6af093da8f7 Mon Sep 17 00:00:00 2001
From: Dave Wichers
Date: Wed, 4 Feb 2026 12:41:50 -0500
Subject: [PATCH 1/2] Potential fix for code scanning alert no. 44: Query built from user-controlled sources
Fix SQLi via executeUpdate() in Benchmark00441.java:50
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 .../owasp/benchmark/testcode/Benchmark00441.java | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/src/main/java/org/owasp/benchmark/testcode/Benchmark00441.java b/src/main/java/org/owasp/benchmark/testcode/Benchmark00441.java
index 9d82da5..5703edc 100644
--- a/src/main/java/org/owasp/benchmark/testcode/Benchmark00441.java
+++ b/src/main/java/org/owasp/benchmark/testcode/Benchmark00441.java
@@ -18,6 +18,8 @@ package org.owasp.benchmark.testcode;
 import java.io.IOException;
+import java.sql.Connection;
+import java.sql.PreparedStatement;
 import javax.servlet.ServletException;
 import javax.servlet.annotation.WebServlet;
 import javax.servlet.http.HttpServlet;
@@ -47,12 +49,15 @@ public void doPost(HttpServletRequest request, HttpServletResponse response)
 org.owasp.benchmark.helpers.ThingFactory.createThing();
 String bar = thing.doSomething(param);
- String sql = "INSERT INTO users (username, password) VALUES ('foo','" + bar + "')";
+ String sql = "INSERT INTO users (username, password) VALUES ('foo', ?)";
 try {
- java.sql.Statement statement =
- org.owasp.benchmark.helpers.DatabaseHelper.getSqlStatement();
- int count = statement.executeUpdate(sql, new int[] {1, 2});
+ Connection connection =
+ org.owasp.benchmark.helpers.DatabaseHelper.getSqlConnection();
+ PreparedStatement preparedStatement =
+ connection.prepareStatement(sql, new int[] {1, 2});
+ preparedStatement.setString(1, bar);
+ int count = preparedStatement.executeUpdate();
 org.owasp.benchmark.helpers.DatabaseHelper.outputUpdateComplete(sql, response);
 } catch (java.sql.SQLException e) {
 if (org.owasp.benchmark.helpers.DatabaseHelper.hideSQLErrors) {
From 44b9c149b572cf25cc544a15aa40a2de55ea2d87 Mon Sep 17 00:00:00 2001
From: Dave Wichers
Date: Wed, 4 Feb 2026 18:00:03 +0000
Subject: [PATCH 2/2] Fix format.
---
 src/main/java/org/owasp/benchmark/testcode/Benchmark00441.java | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/main/java/org/owasp/benchmark/testcode/Benchmark00441.java b/src/main/java/org/owasp/benchmark/testcode/Benchmark00441.java
index 5703edc..8d5e4a9 100644
--- a/src/main/java/org/owasp/benchmark/testcode/Benchmark00441.java
+++ b/src/main/java/org/owasp/benchmark/testcode/Benchmark00441.java
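Review bot: The `PreparedStatement` created on the new `connection.prepareStatement(sql, new int[] {1, 2})` line is never closed, so each request leaks a statement handle until the driver or GC reclaims it; the old code borrowed a `Statement` from `DatabaseHelper.getSqlStatement()`, whose lifecycle that helper presumably owned, whereas here the servlet creates the resource itself. Fold it into the existing try so it is closed on every path and its `SQLException` is still caught by the existing catch: replace `try {` and the two declaration statements with `try (PreparedStatement preparedStatement = org.owasp.benchmark.helpers.DatabaseHelper.getSqlConnection().prepareStatement(sql, new int[] {1, 2})) {`, keeping `setString`, `executeUpdate()` and `outputUpdateComplete` in the body. Whether the `Connection` should also be closed depends on whether `getSqlConnection()` hands out a shared or a per-call connection, which this hunk does not show, so leave it open but record that assumption in a comment. A separate caveat: this file lives under `org.owasp.benchmark.testcode`, and if Benchmark00441 is catalogued as a true-positive SQL injection case in the benchmark's expected-results data, this patch silently changes that case's ground truth, so the metadata should be updated in the same PR or the alert dismissed instead. `doPost` starts and ends outside the hunk.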
@@ -52,8 +52,7 @@ public void doPost(HttpServletRequest request, HttpServletResponse response)
 String sql = "INSERT INTO users (username, password) VALUES ('foo', ?)";
 try {
- Connection connection =
- org.owasp.benchmark.helpers.DatabaseHelper.getSqlConnection();
+ Connection connection = org.owasp.benchmark.helpers.DatabaseHelper.getSqlConnection();
 PreparedStatement preparedStatement =
 connection.prepareStatement(sql, new int[] {1, 2});
 preparedStatement.setString(1, bar);