diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content13.adoc b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content13.adoc index 52c8983bf..22e79ab66 100644 --- a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content13.adoc +++ b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content13.adoc @@ -6,7 +6,7 @@ Answer: No it does not Let us take a look at the following statement: ---- -SELECT * FROM users ORDER BY lastname; +"SELECT * FROM users ORDER BY " + sortColumName + ";" ---- If we look at the specification of the SQL grammar the definition is as follows: @@ -44,4 +44,4 @@ expression. === Mitigation If you need to provide a sorting column in your web application you should implement a whitelist to validate the value -of the `order by` statement it should always be limited to something like 'firstname' or 'lastname'. +of the `order by` statement it should always be limited to something like 'first name' or 'last name'.
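Review bot: in the first hunk the new listing line `"SELECT * FROM users ORDER BY " + sortColumName + ";"` misspells the variable (`sortColumName` should be `sortColumnName`), and the listing is immediately followed by "If we look at the specification of the SQL grammar the definition is as follows", which refers to an SQL statement, not to a Java concatenation. Consider keeping the concatenation to show where the user-controlled value enters the query and adding the resulting SQL (the removed `SELECT * FROM users ORDER BY lastname;`) directly beneath it, so the grammar discussion that follows still has an actual SQL statement to point at.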
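Review bot: the second hunk changes the whitelist examples from `'firstname'` / `'lastname'` to `'first name'` / `'last name'`, but these are meant to be the exact column identifiers the application accepts in the `order by` clause, and the spaced forms are no longer valid unquoted column names, so the mitigation now reads as if free-text values were acceptable. Suggest reverting to the identifier spellings (or wrapping them in backticks to mark them as column names) and, while touching the line, splitting the run-on "statement it should always be limited" with a period or semicolon after "statement".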