diff --git a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionChallenge.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionChallenge.java
index 95f86ca023..ff806aabd9 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionChallenge.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionChallenge.java
@@ -35,8 +35,8 @@ import org.springframework.web.bind.annotation.RestController;
 /**
- * @author nbaars
- * @since 4/8/17.
+ * author nbaars
+ * since 4/8/17.
  */
 @RestController
 @AssignmentHints(
@@ -64,9 +64,10 @@ public AttackResult registerNewUser(
     try (Connection connection = dataSource.getConnection()) {
       String checkUserQuery =
-          "select userid from sql_challenge_users where userid = '" + username_reg + "'";
-      Statement statement = connection.createStatement();
-      ResultSet resultSet = statement.executeQuery(checkUserQuery);
+          "select userid from sql_challenge_users where userid = ?";
+      PreparedStatement statement = connection.prepareStatement(checkUserQuery);
+      statement.setString(1, username_reg);
+      ResultSet resultSet = statement.executeQuery();
       if (resultSet.next()) {
         if (username_reg.contains("tom'")) {
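Review bot: Dropping the `@` from `@author` and `@since` in the first hunk leaves `author nbaars` and `since 4/8/17.` as plain text inside the `/** ... */` block, so they become the class's Javadoc summary sentence instead of tags, which reads like an accidental edit. If the intent is to stop Javadoc or a lint rule from picking up these tags, delete the two lines (and the then-empty doc block) or move the attribution to a regular comment, e.g. `// Originally written by nbaars, 4/8/17.`. The second hunk runs past the end of this excerpt and is not reviewed here.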