diff --git a/src/main/java/com/acme/sql/SQLInjectionVuln.java b/src/main/java/com/acme/sql/SQLInjectionVuln.java
index 2175f34..9aaa85e 100644
--- a/src/main/java/com/acme/sql/SQLInjectionVuln.java
+++ b/src/main/java/com/acme/sql/SQLInjectionVuln.java
@@ -5,6 +5,7 @@ import jakarta.ws.rs.QueryParam;
 import java.sql.Connection;
+import java.sql.PreparedStatement;
 import java.sql.SQLException;
 import java.sql.Statement;
@@ -12,8 +13,9 @@ public class SQLInjectionVuln {
 @GET
 public String lookupResource(Connection connection, @QueryParam("resource") final String resource) throws SQLException {
- Statement statement = connection.createStatement();
- statement.executeQuery("select * from users where name = '" + resource + "'");
+ PreparedStatement statement = connection.prepareStatement("select * from users where name = ?");
+ statement.setString(1, resource);
+ statement.execute();
 return "ok";
 }
 }
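Review bot: The PreparedStatement created on the first added line of the second hunk is never closed, so each request leaks a statement handle on the connection; the removed Statement had the same problem and the commit carries it over. Wrap it in try-with-resources: `try (PreparedStatement statement = connection.prepareStatement("select * from users where name = ?")) { statement.setString(1, resource); statement.execute(); }` and keep `return "ok";` after the block. The boolean from `execute()` and any ResultSet it produces are discarded, so the method answers "ok" whether or not a row matched; if that is intentional for this sample, a comment such as `// result deliberately ignored; only the parameterized call matters here` would spare the next reader a guess. After this change `import java.sql.Statement;`, kept as context in the first hunk, appears to have no remaining use in the visible code and can likely be dropped.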