diff --git a/powershell/ql/src/queries/security/cwe-089/examples/SqlInjection.ps1 b/powershell/ql/src/queries/security/cwe-089/examples/SqlInjection.ps1
index c449536a662c..37eb69628182 100644
--- a/powershell/ql/src/queries/security/cwe-089/examples/SqlInjection.ps1
+++ b/powershell/ql/src/queries/security/cwe-089/examples/SqlInjection.ps1
@@ -4,7 +4,7 @@ param(
 # BAD: The user input is directly interpolated into the SQL query string
 $query1 = "SELECT * FROM users WHERE name = '$userinput'"
-Invoke-Sqlcmd -ServerInstance "MyServer" -Database "MyDatabase" -Query $query
+Invoke-Sqlcmd -ServerInstance "MyServer" -Database "MyDatabase" -Query $query1
 # GOOD: Using parameters to prevent SQL injection
 $query2 = "SELECT * FROM users WHERE name = @username"
@@ -13,4 +13,4 @@ $params = @{
 username = $userinput
 }
-Invoke-Sqlcmd -ServerInstance "MyServer" -Database "MyDatabase" -Query $query -QueryParameters $params
\ No newline at end of file
+Invoke-Sqlcmd -ServerInstance "MyServer" -Database "MyDatabase" -Query $query2 -QueryParameters $params
\ No newline at end of file
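Review bot: The added last line of the second hunk still ends without a newline (`\ No newline at end of file` is repeated on the `+` side), so any later change to this example will again show the whole final `Invoke-Sqlcmd` line as rewritten. Since the line is being touched anyway, terminate the file with a newline after `-QueryParameters $params`. The `$query` to `$query2` correction itself is consistent with the `$query1` fix in the first hunk and needs no further change.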