From a450507f2423acded5b25cbfd1149a2d57c06354 Mon Sep 17 00:00:00 2001
From: Mobb autofixer
Date: Sun, 19 May 2024 20:39:08 +0000
Subject: [PATCH] mobb fix commit: 2d16221e-54a5-43d8-9b21-ec2e9c6a6833

---
 .../sqlinjection/introduction/SqlInjectionLesson8.java | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson8.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson8.java
index ae7fbb9f44..34c60c3829 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson8.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson8.java
@@ -151,11 +151,12 @@ public static void log(Connection connection, String action) {
 String time = sdf.format(cal.getTime());
 String logQuery =
- "INSERT INTO access_log (time, action) VALUES ('" + time + "', '" + action + "')";
+ "INSERT INTO access_log (time, action) VALUES ('" + time + "', ?)";
 try {
- Statement statement = connection.createStatement(TYPE_SCROLL_SENSITIVE, CONCUR_UPDATABLE);
- statement.executeUpdate(logQuery);
+ PreparedStatement statement = connection.prepareStatement(logQuery, TYPE_SCROLL_SENSITIVE, CONCUR_UPDATABLE);
+ statement.setString(1, action);
+ statement.executeUpdate();
 } catch (SQLException e) {
 System.err.println(e.getMessage());
 }