Refactored to use parameterized SQL APIs

src/main/java/com/acme/search/FederalConnection.java

@@ -1,5 +1,6 @@
 package com.acme.search;
 
+import java.sql.PreparedStatement;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Service;
 
@@ -21,9 +22,10 @@ String doSearch(final String searchTerm) throws SQLException {
         // connect to the federal database
         Connection conn = fedConnectionLoader.getConnection();
         // search the forecasts table for entries with the given query
-        String query = "SELECT * FROM forecasts WHERE entry_desc LIKE '%" + searchTerm + "%'";
-        Statement stmt = conn.createStatement();
-        ResultSet rs = stmt.executeQuery(query);
+        String query = "SELECT * FROM forecasts WHERE entry_desc LIKE ?";
+        PreparedStatement stmt = conn.prepareStatement(query);
+        stmt.setString(1, "%" + searchTerm + "%");
+        ResultSet rs = stmt.executeQuery();
         List<String> ids = new ArrayList<>();
         while(rs.next()) {
             String id = rs.getString("entry_id");

src/main/java/com/acme/sql/SQLInjectionVuln.java

@@ -5,15 +5,17 @@
 import jakarta.ws.rs.QueryParam;
 
 import java.sql.Connection;
+import java.sql.PreparedStatement;
 import java.sql.SQLException;
 import java.sql.Statement;
 
 @Path("/unsafe-sql-injection")
 public class SQLInjectionVuln {
     @GET
     public String lookupResource(Connection connection, @QueryParam("resource") final String resource) throws SQLException {
-        Statement statement = connection.createStatement();
-        statement.executeQuery("select * from users where name = '" + resource + "'");
+        PreparedStatement statement = connection.prepareStatement("select * from users where name = ?");
+        statement.setString(1, resource);
+        statement.executeQuery();
         return "ok";
     }
 }