diff --git a/data/static/codefixes/unionSqlInjectionChallenge_1.ts b/data/static/codefixes/unionSqlInjectionChallenge_1.ts
index 8ef9f5af173..dcccbb75fc0 100644
--- a/data/static/codefixes/unionSqlInjectionChallenge_1.ts
+++ b/data/static/codefixes/unionSqlInjectionChallenge_1.ts
@@ -3,7 +3,7 @@ module.exports = function searchProducts () {
 let criteria: any = req.query.q === 'undefined' ? '' : req.query.q ?? ''
 criteria = (criteria.length <= 200) ? criteria : criteria.substring(0, 200)
 criteria.replace(/"|'|;|and|or/i, "")
- models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE '%${criteria}%' OR description LIKE '%${criteria}%') AND deletedAt IS NULL) ORDER BY name`)
+ models.sequelize.query("SELECT * FROM Products WHERE ((name LIKE :criteria OR description LIKE :criteria) AND deletedAt IS NULL) ORDER BY name", { replacements: { criteria: `%${criteria}%` } })
 .then(([products]: any) => {
 const dataString = JSON.stringify(products)
 for (let i = 0; i < products.length; i++) {
@@ -15,4 +15,4 @@ module.exports = function searchProducts () {
 next(error.parent)
 })
 }
-}
\ No newline at end of file
+}
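Review bot: The `criteria.replace(/"|'|;|and|or/i, "")` context line directly above the new query is a no-op — `String.prototype.replace` returns a new string that is never assigned back, and the regex is not global anyway — and now that the value is bound through `replacements` it reads as if it were the defence when it is not; delete that line rather than "fix" it, because a working version would also strip `and`/`or` out of legitimate terms such as "orange". The bound `:criteria` closes the injection, but `%` and `_` inside the user's input are still interpreted as LIKE wildcards; if a literal search is intended, escape them in the bound value, e.g. `criteria: '%' + criteria.replace(/[\\%_]/g, '\\$&') + '%'`, and append `ESCAPE '\'` to both LIKE clauses. `criteria` is typed `any` and `req.query.q` may arrive as an array under Express, so `.substring` can throw on a long array and an array would be stringified into the LIKE pattern; narrowing it to `string` (e.g. `typeof req.query.q === 'string' ? req.query.q : ''`) before the 200-char cap would make that branch reliable. The body of searchProducts starts before this hunk and ends in the second one.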