diff --git a/src/main/java/org/owasp/benchmark/testcode/Benchmark00026.java b/src/main/java/org/owasp/benchmark/testcode/Benchmark00026.java
index 09f9618..13f4ed7 100644
--- a/src/main/java/org/owasp/benchmark/testcode/Benchmark00026.java
+++ b/src/main/java/org/owasp/benchmark/testcode/Benchmark00026.java
@@ -44,10 +44,11 @@ public void doPost(HttpServletRequest request, HttpServletResponse response)
 String param = request.getParameter("Benchmark00026");
 if (param == null) param = "";
- String sql = "SELECT * from USERS where USERNAME='foo' and PASSWORD='" + param + "'";
+ String sql = "SELECT * from USERS where USERNAME='foo' and PASSWORD=?";
 try {
 org.springframework.jdbc.support.rowset.SqlRowSet results =
- org.owasp.benchmark.helpers.DatabaseHelper.JDBCtemplate.queryForRowSet(sql);
+ org.owasp.benchmark.helpers.DatabaseHelper.JDBCtemplate.queryForRowSet(
+ sql, param);
 response.getWriter().println("Your results are: ");
 while (results.next()) {