From aac79c177c5075babe12feea09bc8e7d5aab48a8 Mon Sep 17 00:00:00 2001
From: "pixeebot[bot]" <104101892+pixeebot[bot]@users.noreply.github.com>
Date: Sat, 9 Nov 2024 03:03:26 +0000
Subject: [PATCH] Refactored to use parameterized SQL APIs
---
 src/main/java/com/acme/sql/SQLInjectionVuln.java | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/main/java/com/acme/sql/SQLInjectionVuln.java b/src/main/java/com/acme/sql/SQLInjectionVuln.java
index 2175f34..9aaa85e 100644
--- a/src/main/java/com/acme/sql/SQLInjectionVuln.java
+++ b/src/main/java/com/acme/sql/SQLInjectionVuln.java
@@ -5,6 +5,7 @@
 import jakarta.ws.rs.QueryParam;
 import java.sql.Connection;
+import java.sql.PreparedStatement;
 import java.sql.SQLException;
 import java.sql.Statement;
@@ -12,8 +13,9 @@ public class SQLInjectionVuln {
     @GET
     public String lookupResource(Connection connection, @QueryParam("resource") final String resource) throws SQLException {
-        Statement statement = connection.createStatement();
-        statement.executeQuery("select * from users where name = '" + resource + "'");
+        PreparedStatement statement = connection.prepareStatement("select * from users where name = ?");
+        statement.setString(1, resource);
+        statement.execute();
         return "ok";
     }
 }
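Review bot: The new `PreparedStatement` in lookupResource is never closed, so every request leaks a statement handle (and whatever `ResultSet` `execute()` opens) until the connection itself is closed; the parameterization is correct, but the statement should be created in a try-with-resources block as shown below. The change from `executeQuery()` to `execute()` also discards the result without saying so — if the rows are genuinely unused, `executeQuery()` inside a nested try-with-resources on the `ResultSet` makes that explicit and closes the cursor, otherwise `execute()` can stay as in the fence. With no `Statement` reference left in this method, the `import java.sql.Statement;` kept as context in the first hunk looks unused unless another method in the file still needs it.
```java
public String lookupResource(Connection connection, @QueryParam("resource") final String resource) throws SQLException {
    // Closes the statement (and any ResultSet it opened) even if setString/execute throws.
    try (PreparedStatement statement =
            connection.prepareStatement("select * from users where name = ?")) {
        statement.setString(1, resource);
        statement.execute();
    }
    return "ok";
```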