diff --git a/spec/vulnerabilities/sql_injection_spec.rb b/spec/vulnerabilities/sql_injection_spec.rb
index 79a5270..cf6de19 100644
--- a/spec/vulnerabilities/sql_injection_spec.rb
+++ b/spec/vulnerabilities/sql_injection_spec.rb
@@ -8,6 +8,7 @@ feature "sql injection" do
 @normal_user = UserFixture.normal_user
 @admin_user = UserFixture.admin_user
 end
+ before(:each) { pending unless verifying_fixed? }
 scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/R4-A1-SQL-Injection-Concatentation" do
 expect(@admin_user.admin).to be_truthy
@@ -26,10 +27,8 @@ feature "sql injection" do
 end
 click_on "Submit"
- pending if verifying_fixed?
- @admin_user = User.where("admin='t'").first
- expect(@admin_user.email).to eq("joe.admin@schmoe.com")
- expect(@admin_user.admin).to eq(true)
+ @admin_user = User.where(admin: true).first
+ expect(@admin_user.email).not_to eq("joe.admin@schmoe.com")
 end
 scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/A1-SQL-Injection-Interpolation", js: true do
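Review bot: The added `before(:each) { pending unless verifying_fixed? }` does not halt the example under RSpec 3 — `pending` lets the body run and reports a failure if it passes — so with the vulnerable code still in place, any scenario in this feature whose body still asserts a successful attack would now fail instead of being set aside. If the intent is to not exercise the attack scenarios until the fix is being verified, `skip unless verifying_fixed?` is the call that stops the example outright; `pending` is only appropriate when every scenario's expectations are written to fail against the unfixed code, as the second hunk's are. The RSpec version and the definition of `verifying_fixed?` are not visible here, so confirm both against the project's Gemfile.lock and spec helpers before picking one. The hook also applies to the `js: true` scenario and any scenarios below this hunk, whose bodies are outside the view.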
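Review bot: The new `expect(@admin_user.email).not_to eq("joe.admin@schmoe.com")` is a weak proof that the injection was blocked — it passes whenever the first admin row carries any other email, including one an injected update wrote, and `User.where(admin: true).first` has no `order`, so with more than one admin it is not pinned to the fixture user the scenario set up. A tighter check records the fixture admin's email before the submit and asserts it is unchanged afterwards: `original_email = @admin_user.email` before `click_on "Submit"`, then `expect(@admin_user.reload.email).to eq(original_email)` in place of the two added lines. This assumes `UserFixture.admin_user` returns an ActiveRecord instance (it responds to `.admin` and `.email` in the first hunk, so `reload` is likely available) — confirm. The scenario's header and its form-filling steps start above this hunk.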