diff --git a/src/main/java/org/cysecurity/cspf/jvl/controller/Register.java b/src/main/java/org/cysecurity/cspf/jvl/controller/Register.java
index afa2f83..d3fe111 100644
--- a/src/main/java/org/cysecurity/cspf/jvl/controller/Register.java
+++ b/src/main/java/org/cysecurity/cspf/jvl/controller/Register.java
@@ -55,7 +55,7 @@ protected void processRequest(HttpServletRequest request, HttpServletResponse re
                                {
                                   
                                    Statement stmt = con.createStatement();  
-                                  stmt.executeUpdate("INSERT into users(username, password, email, About,avatar,privilege,secretquestion,secret) values ('"+user+"','"+pass+"','"+email+"','"+about+"','default.jpg','user',1,'"+secret+"')");
+                                  stmt.executeUpdate("INSERT into users(username, password, email, About,avatar,privilege,secretquestion,secret) values ('"+user+"','"+pass+"','"+email+"',"+stmt.enquoteLiteral(String.valueOf(about))+",'default.jpg','user',1,'"+secret+"')");
                                        stmt.executeUpdate("INSERT into UserMessages(recipient, sender, subject, msg) values ('"+user+"','admin','Hi','Hi<br/> This is admin of this page. <br/> Welcome to Our Forum')");
              
                                     response.sendRedirect("index.jsp");
diff --git a/src/main/webapp/vulnerability/forum.jsp b/src/main/webapp/vulnerability/forum.jsp
index 6c71c00..5034d90 100644
--- a/src/main/webapp/vulnerability/forum.jsp
+++ b/src/main/webapp/vulnerability/forum.jsp
@@ -5,7 +5,7 @@
 --%>
 
 <%@page import="java.sql.Connection"%>
-<%@page import="java.sql.Statement"%>
+<%@page import="java.sql.PreparedStatement"%>
 <%@page import="java.sql.SQLException"%>
 
 <%@page import="java.sql.ResultSetMetaData"%>
@@ -29,7 +29,7 @@
        <form action="forum.jsp" method="POST">
        Title : <input type="text" name="title" value="" size="50"/><br/>
        Message: <br/><textarea name="content" rows="2" cols="50"></textarea>
-       <input type="hidden" name="user" value="<% if(session.getAttribute("user")!=null){out.print(session.getAttribute("user"));} else { out.print("Anonymous"); } %>" size="50"/><br/>
+       <input type="hidden" name="user" value="<% if(session.getAttribute(\"user\")!=null){out.print(session.getAttribute(\"user\"));} else { out.print("Anonymous"); } %>" size="50"/><br/>
        <input type="submit" value="Post" name="post"/>
        </form>
 
@@ -43,9 +43,12 @@
                                     String title=request.getParameter("title");
                                     if(con!=null && !con.isClosed())
                                         {
-                                           Statement stmt = con.createStatement();   
+                                           PreparedStatement pstmt = con.prepareStatement("INSERT into posts(content,title,user) values (?,?,?)");
+                                           pstmt.setString(1, content);
+                                           pstmt.setString(2, title);
+                                           pstmt.setString(3, user);
                                            //Posting Content
-                                          stmt.executeUpdate("INSERT into posts(content,title,user) values ('"+content+"','"+title+"','"+user+"')");
+                                          pstmt.executeUpdate();
                                             out.print("Successfully posted");
                                         }
                                     }
