diff --git a/flask_webgoat/users.py b/flask_webgoat/users.py
index a72e698e..cc9aa4ff 100644
--- a/flask_webgoat/users.py
+++ b/flask_webgoat/users.py
@@ -34,14 +34,10 @@ def create_user():
 402,
 )
- # vulnerability: SQL Injection
- query = (
- "INSERT INTO user (username, password, access_level) VALUES ('%s', '%s', %d)"
- % (username, password, int(access_level))
- )
+ query = "INSERT INTO user (username, password, access_level) VALUES (?, ?, ?)"
 try:
- query_db(query, [], False, True)
+ query_db(query, [username, password, int(access_level)], False, True)
 return jsonify({"success": True})
 except sqlite3.Error as err:
 return jsonify({"error": "could not create user:" + err})
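Review bot: The `except sqlite3.Error as err:` branch kept as context at the end of the hunk still does `"could not create user:" + err`, which raises TypeError because `err` is an exception object rather than a str, so a failed insert becomes an unhandled 500 instead of the intended JSON error. Even with `str(err)` it would echo the driver's message (table and column names) to the client; log it server-side instead and return a fixed message, e.g. `current_app.logger.exception("could not create user")` followed by `return jsonify({"error": "could not create user"}), 500`. The parameterized statement and bound argument list in the added lines are the correct fix for the injection. create_user starts before this hunk, so whether `password` is hashed before being bound cannot be seen here.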