Fix sql injection

Author: HenrichN

.github/workflows/main.yml

@@ -42,7 +42,7 @@ jobs:
           cd $CHECKOUT_DIR/
           $GITHUB_WORKSPACE/$CIFUZZ_INSTALL_DIR/bin/cifuzz bundle \
             --commit $GITHUB_SHA \
-            --branch $GITHUB_REF_NAME \
+            --branch $GITHUB_HEAD_REF \
             --output $GITHUB_WORKSPACE/$CHECKOUT_DIR/$FUZZING_ARTIFACT
         shell: "bash"
       - id: start-fuzzing

cifuzz.yaml

@@ -24,6 +24,7 @@
 ## See https://llvm.org/docs/LibFuzzer.html#options
 engine-args:
   - --instrumentation_includes=com.example.**
+  - -rss_limit_mb=8192
 
 ## Maximum time to run fuzz tests. The default is to run indefinitely.
 #timeout: 30m

src/main/java/com/example/app/controller/GreetEndpointController.java

@@ -6,6 +6,7 @@
 import org.springframework.web.bind.annotation.RestController;
 
 import java.sql.Connection;
+import java.sql.PreparedStatement;
 import java.sql.SQLException;
 
 @RestController
@@ -16,11 +17,13 @@ public String greet(@RequestParam(required = false, defaultValue = "World") Stri
             try {
                 Connection conn = getDBConnection();
                 if (conn != null) {
-                    String query = String.format("INSERT INTO users (name) VALUES ('%s')", name);
-                    conn.createStatement().execute(query);
+                    PreparedStatement stmt = conn.prepareStatement("INSERT INTO users (name) VALUES (?)");
+                    stmt.setString(1, name);
+                    stmt.executeUpdate();
                     conn.close();
                 }
-            } catch (SQLException ignored) {}
+            } catch (SQLException ignored) {
+            }
         }
 
         return "Greetings " + name + "!";