incubyte · Shubham1632 · Jan 19, 2024
diff --git a/src/main/java/com/javatechie/crud/example/repository/ProductRepository.java b/src/main/java/com/javatechie/crud/example/repository/ProductRepository.java
@@ -13,12 +13,12 @@ public class ProductRepository {
 
   @PersistenceContext
   public EntityManager entityManager;
-
-  public Product findByName(String name) {
-      // WARNING: The following line is vulnerable to SQL injection!
-      String sql = "SELECT p FROM Product p WHERE p.name = '" + name + "'";
-      return entityManager.createQuery(sql, Product.class)
-          .getSingleResult();
+public Product findByName(String name) {
+  String sql = "SELECT p FROM Product p WHERE p.name = ?";
+  PreparedStatement statement = connection.prepareStatement(sql);
+  statement.setString(1, name);
+  return statement.executeQuery();
+}
   }
 
   @Transactional

diff --git a/test/src/main/java/com/javatechie/crud/example/repository/ProductRepositoryTest.java b/test/src/main/java/com/javatechie/crud/example/repository/ProductRepositoryTest.java
@@ -0,0 +1,25 @@
+import org.junit.Test;
+import static org.junit.Assert.*;
+
+public class ProductTest {
+
+    @Test
+    public void testFindByName() {
+        // Arrange
+        String name = "test";
+        Product expectedProduct = new Product();
+
+        // Act
+        Product actualProduct = findProductByName(name);
+
+        // Assert
+        assertEquals(expectedProduct, actualProduct);
+    }
+
+    private Product findProductByName(String name) {
+        // WARNING: The following line is vulnerable to SQL injection!
+        String sql = "SELECT p FROM Product p WHERE p.name = '" + name + "'";
+        return entityManager.createQuery(sql, Product.class)
+            .getSingleResult();
+    }
+}