1101: fix quoting in statement

webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content7.adoc

@@ -1,23 +1,26 @@
 == Immutable Queries
 
-These are the best defense against SQL injection.  They either do not have data that could get interpreted or they treat the data as a single entity that is bound to a column without interpretation.
+These are the best defense against SQL injection.  They either do not have data that could get interpreted, or they treat the data as a single entity that is bound to a column without interpretation.
 
 === Static Queries
--------------------------------------------------------
-SELECT * FROM products;
--------------------------------------------------------
 
--------------------------------------------------------
+----
-SELECT * FROM users WHERE user = "'" + session.getAttribute("UserID") + "'";
+String query = "SELECT * FROM products";
--------------------------------------------------------
+----
+
+----
+String query = "SELECT * FROM users WHERE user = '" + session.getAttribute("UserID") + "'";
+----
 
 === Parameterized Queries
--------------------------------------------------------
+
+----
 String query = "SELECT * FROM users WHERE last_name = ?";
 PreparedStatement statement = connection.prepareStatement(query);
 statement.setString(1, accountName);
 ResultSet results = statement.executeQuery();
--------------------------------------------------------
+----
 
 === Stored Procedures
+
 Only if stored procedure does not generate dynamic SQL