From 91c62e09fd667dd614f153f038260ca7ba533a9a Mon Sep 17 00:00:00 2001
From: Dave Wichers
Date: Wed, 4 Feb 2026 13:04:24 -0500
Subject: [PATCH 1/2] Potential fix for code scanning alert no. 38: Query built from user-controlled sources
Fix SQL in Benchmark00026 via JDBCtemplate.queryForRowSet()
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 .../java/org/owasp/benchmark/testcode/Benchmark00026.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/main/java/org/owasp/benchmark/testcode/Benchmark00026.java b/src/main/java/org/owasp/benchmark/testcode/Benchmark00026.java
index 09f9618..313081e 100644
--- a/src/main/java/org/owasp/benchmark/testcode/Benchmark00026.java
+++ b/src/main/java/org/owasp/benchmark/testcode/Benchmark00026.java
@@ -44,10 +44,10 @@ public void doPost(HttpServletRequest request, HttpServletResponse response)
 String param = request.getParameter("Benchmark00026");
 if (param == null) param = "";
- String sql = "SELECT * from USERS where USERNAME='foo' and PASSWORD='" + param + "'";
+ String sql = "SELECT * from USERS where USERNAME='foo' and PASSWORD=?";
 try {
 org.springframework.jdbc.support.rowset.SqlRowSet results =
- org.owasp.benchmark.helpers.DatabaseHelper.JDBCtemplate.queryForRowSet(sql);
+ org.owasp.benchmark.helpers.DatabaseHelper.JDBCtemplate.queryForRowSet(sql, param);
 response.getWriter().println("Your results are: ");
 while (results.next()) {
From ba120bea2f30ad102d917f219b14a5ac5d6ea05e Mon Sep 17 00:00:00 2001
From: Dave Wichers
Date: Wed, 4 Feb 2026 18:09:31 +0000
Subject: [PATCH 2/2] Fix format.
---
 src/main/java/org/owasp/benchmark/testcode/Benchmark00026.java | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/main/java/org/owasp/benchmark/testcode/Benchmark00026.java b/src/main/java/org/owasp/benchmark/testcode/Benchmark00026.java
index 313081e..13f4ed7 100644 
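Review bot: Binding `param` through `queryForRowSet(sql, param)` closes the string-concatenation injection, but the rewritten query still compares the raw request value against a stored `PASSWORD` column and then streams every matching `USERS` row into the response in the `while (results.next())` loop that follows, so the endpoint remains an oracle for whatever is stored in that table; doPost's body continues outside the hunk. If this class is one of the Benchmark's scored test cases, the expected-result metadata that currently labels it a true SQL-injection positive would presumably need updating alongside this change, otherwise scanners that correctly stay silent on the parameterised query will be penalised. A one-line comment above the `String sql` line, such as `// request input is bound as a JDBC parameter; never concatenate it into the SQL text`, would record why the `?` placeholder must not be reverted.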
--- a/src/main/java/org/owasp/benchmark/testcode/Benchmark00026.java
+++ b/src/main/java/org/owasp/benchmark/testcode/Benchmark00026.java
@@ -47,7 +47,8 @@ public void doPost(HttpServletRequest request, HttpServletResponse response)
 String sql = "SELECT * from USERS where USERNAME='foo' and PASSWORD=?";
 try {
 org.springframework.jdbc.support.rowset.SqlRowSet results =
- org.owasp.benchmark.helpers.DatabaseHelper.JDBCtemplate.queryForRowSet(sql, param);
+ org.owasp.benchmark.helpers.DatabaseHelper.JDBCtemplate.queryForRowSet(
+ sql, param);
 response.getWriter().println("Your results are: ");
 while (results.next()) {