diff --git a/src/main/java/org/owasp/webgoat/lessons/challenges/challenge5/Assignment5.java b/src/main/java/org/owasp/webgoat/lessons/challenges/challenge5/Assignment5.java
index c8b3f3d10e..d9eb649281 100644
--- a/src/main/java/org/owasp/webgoat/lessons/challenges/challenge5/Assignment5.java
+++ b/src/main/java/org/owasp/webgoat/lessons/challenges/challenge5/Assignment5.java
@@ -59,9 +59,8 @@ public AttackResult login(
 connection.prepareStatement(
 "select password from challenge_users where userid = '"
 + username_login
- + "' and password = '"
- + password_login
- + "'");
+ + "' and password = ?");
+ statement.setString(1, password_login);
 ResultSet resultSet = statement.executeQuery();
 if (resultSet.next()) {
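Review bot: The query text is still built by concatenating `username_login` (`userid = '" + username_login + "'`), so binding only the password leaves the statement injectable through the user id. Bind both values instead: `"select password from challenge_users where userid = ? and password = ?"` followed by `statement.setString(1, username_login);` and `statement.setString(2, password_login);`. The path suggests this is a deliberately vulnerable WebGoat challenge; if the injection is intentional, the commit should state which field is meant to stay unparameterized, because the half-bound form otherwise reads as a completed fix. The `login` method starts and ends outside the hunk, so any earlier validation of `username_login` is not visible here.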