diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
index ac3a9c230e..697cc1ca1e 100644
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
+++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
@@ -131,11 +131,12 @@ public static void log(Connection connection, String action) {
 SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");
 String time = sdf.format(cal.getTime());
- String logQuery = "INSERT INTO access_log (time, action) VALUES ('" + time + "', '" + action + "')";
+ String logQuery = "INSERT INTO access_log (time, action) VALUES ('" + time + "', ?)";
 try {
- Statement statement = connection.createStatement(TYPE_SCROLL_SENSITIVE, CONCUR_UPDATABLE);
- statement.executeUpdate(logQuery);
+ PreparedStatement statement = connection.prepareStatement(logQuery, TYPE_SCROLL_SENSITIVE, CONCUR_UPDATABLE);
+ statement.setString(1, action);
+ statement.executeUpdate();
 } catch (SQLException e) {
 System.err.println(e.getMessage());
 }