Potential fix for code scanning alert no. 38: Query built from user-controlled sources

davewichers · github-advanced-security[bot] · web-flow · commit 91c62e09fd66 · 2026-02-04T13:04:24.000-05:00
Fix SQL in Benchmark00026 via JDBCtemplate.queryForRowSet()

Co-authored-by: Copilot Autofix powered by AI &lt;62310815+github-advanced-security[bot]@users.noreply.github.com&gt;
diff --git a/src/main/java/org/owasp/benchmark/testcode/Benchmark00026.java b/src/main/java/org/owasp/benchmark/testcode/Benchmark00026.java
@@ -44,10 +44,10 @@ public void doPost(HttpServletRequest request, HttpServletResponse response)
         String param = request.getParameter("Benchmark00026");
         if (param == null) param = "";
 
-        String sql = "SELECT  * from USERS where USERNAME='foo' and PASSWORD='" + param + "'";
+        String sql = "SELECT  * from USERS where USERNAME='foo' and PASSWORD=?";
         try {
             org.springframework.jdbc.support.rowset.SqlRowSet results =
-                    org.owasp.benchmark.helpers.DatabaseHelper.JDBCtemplate.queryForRowSet(sql);
+                    org.owasp.benchmark.helpers.DatabaseHelper.JDBCtemplate.queryForRowSet(sql, param);
             response.getWriter().println("Your results are: ");
 
             while (results.next()) {
