diff --git a/db_utils.py b/db_utils.py
new file mode 100644
index 0000000..1ab7127
--- /dev/null
+++ b/db_utils.py
@@ -0,0 +1,19 @@
+import sqlite3
+
+
+def get_user(username):
+ conn = sqlite3.connect("users.db")
+ cursor = conn.cursor()
+ # SQL injection vulnerability - user input concatenated directly into query
+ query = "SELECT * FROM users WHERE username = '" + username + '"
+ cursor.execute(query)
+ return cursor.fetchone()
+
+def login(username, password):
+ conn = sqlite3.connect("users.db")
+ cursor = conn.cursor()
+ # Another SQL injection - no parameterized query
+ sql = "SELECT id FROM users WHERE username = '" + username + ' AND password = '" + password + '"
+ cursor.execute(sql)
+ return cursor.fetchone() is not None
+
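Review bot: Both get_user and login splice caller-supplied username/password directly into the SQL text (the `query =` and `sql =` lines), and the in-line comments already acknowledge this; the sqlite3 driver supports placeholders, so the statements should become `cursor.execute("SELECT * FROM users WHERE username = ?", (username,))` and `cursor.execute("SELECT id FROM users WHERE username = ? AND password = ?", (username, password))`, which removes the need for any manual quoting. As rendered, the quoting in both statements also looks unbalanced (`+ username + '"` leaves a string literal unterminated), which may be an extraction artifact but should be checked against the committed file. Neither function closes the connection it opens; wrapping the body in `with contextlib.closing(sqlite3.connect("users.db")) as conn:` would release it on every path, including when execute raises. login also tests the password as a stored column value, which implies it is kept in plaintext; if that is the schema, the comparison belongs in a hash-verification step after fetching the stored credential rather than in the SQL equality.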