From a7b9954d0fa8aba37d2b72050f8971cdf10aa384 Mon Sep 17 00:00:00 2001
From: Nanne Baars
Date: Thu, 30 Sep 2021 16:53:43 +0200
Subject: [PATCH] 1101: fix quoting in statement

---
 .../lessonPlans/en/SqlInjection_content7.adoc | 21 +++++++++++--------
 1 file changed, 12 insertions(+), 9 deletions(-)

diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content7.adoc b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content7.adoc
index 20a3e9045..371fcf0dc 100644
--- a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content7.adoc
+++ b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content7.adoc
@@ -1,23 +1,26 @@ == Immutable Queries -These are the best defense against SQL injection. They either do not have data that could get interpreted or they treat the data as a single entity that is bound to a column without interpretation. +These are the best defense against SQL injection. They either do not have data that could get interpreted, or they treat the data as a single entity that is bound to a column without interpretation. === Static Queries -------------------------------------------------------- -SELECT * FROM products; -------------------------------------------------------- -------------------------------------------------------- -SELECT * FROM users WHERE user = "'" + session.getAttribute("UserID") + "'"; -------------------------------------------------------- +---- +String query = "SELECT * FROM products"; +---- + +---- +String query = "SELECT * FROM users WHERE user = '" + session.getAttribute("UserID") + "'"; +---- === Parameterized Queries -------------------------------------------------------- + +---- String query = "SELECT * FROM users WHERE last_name = ?"; PreparedStatement statement = connection.prepareStatement(query); statement.setString(1, accountName); ResultSet results = statement.executeQuery(); -------------------------------------------------------- +---- === Stored Procedures + Only if stored procedure does not generate dynamic SQL