From 42b6ea33fc85e2da7a038b5739b9f37e99a2637b Mon Sep 17 00:00:00 2001
From: alan-hacktron
Date: Mon, 22 Jun 2026 19:23:21 +0800
Subject: [PATCH 1/2] add db utils

---
 db_utils.py | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
 create mode 100644 db_utils.py

diff --git a/db_utils.py b/db_utils.py
new file mode 100644
index 0000000..3520fb1
--- /dev/null
+++ b/db_utils.py
@@ -0,0 +1,18 @@
+import sqlite3
+
+def get_user(username):
+ conn = sqlite3.connect("users.db")
+ cursor = conn.cursor()
+ # SQL injection vulnerability - user input concatenated directly into query
+ query = "SELECT * FROM users WHERE username = '" + username + '"
+ cursor.execute(query)
+ return cursor.fetchone()
+
+def login(username, password):
+ conn = sqlite3.connect("users.db")
+ cursor = conn.cursor()
+ # Another SQL injection - no parameterized query
+ sql = "SELECT id FROM users WHERE username = '" + username + ' AND password = '" + password + '"
+ cursor.execute(sql)
+ return cursor.fetchone() is not None
+

From e2160fed9e892ac582edfd60c8f6b4cd99bbb798 Mon Sep 17 00:00:00 2001
From: alan-hacktron
Date: Mon, 22 Jun 2026 19:28:00 +0800
Subject: [PATCH 2/2] Apply suggestion from @alan-hacktron

---
 db_utils.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/db_utils.py b/db_utils.py
index 3520fb1..1ab7127 100644
--- a/db_utils.py
+++ b/db_utils.py
@@ -1,5 +1,6 @@
 import sqlite3
-
+
+
 def get_user(username):
 conn = sqlite3.connect("users.db")
 cursor = conn.cursor()
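Review bot: `username` is spliced straight into the SQL text in get_user, and `username` and `password` again in login, so any value containing a quote character changes the statement rather than being matched as data; bind the values instead, `cursor.execute("SELECT * FROM users WHERE username = ?", (username,))`, and the same two-placeholder form in login. The in-line comments already label both lines as injection, so if this file is meant as a deliberately vulnerable fixture for a scanner the comment should say so explicitly; otherwise the parameterized form below is the fix. Neither function closes `conn` — sqlite3's connection context manager only commits or rolls back the transaction — so the handle should be released in a `finally` (or via `contextlib.closing`). login also compares the stored password column directly, which suggests passwords are kept in plaintext; storing a salted hash and comparing it with `hmac.compare_digest` would be the defensive shape. As printed, the closing-quote fragments (`+ '"`) are unbalanced and would not parse; that looks like a rendering artifact of the patch text but is worth confirming against the committed file.
```python
def get_user(username):
    conn = sqlite3.connect("users.db")
    try:
        cursor = conn.cursor()
        # Bind the value; sqlite3 never interprets bound parameters as SQL.
        cursor.execute("SELECT * FROM users WHERE username = ?", (username,))
        return cursor.fetchone()
    finally:
        conn.close()

# … unchanged: login() — same try/finally shape, binding (username, password) with two `?` placeholders …
```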