diff --git a/src/main/java/com/github/hackathon/advancedsecurityjava/test/VulnerableLogin.java b/src/main/java/com/github/hackathon/advancedsecurityjava/test/VulnerableLogin.java
new file mode 100644
index 0000000..4fd82a1
--- /dev/null
+++ b/src/main/java/com/github/hackathon/advancedsecurityjava/test/VulnerableLogin.java
@@ -0,0 +1,34 @@
+import java.sql.Connection;
+import java.sql.DriverManager;
+import java.sql.Statement;
+import java.util.Scanner;
+
+public class VulnerableLogin {
+ public static void main(String[] args) {
+ Scanner scanner = new Scanner(System.in);
+
+ // Hardcoded credentials (bad practice)
+ String dbUrl = "jdbc:mysql://localhost:3306/testdb";
+ String dbUser = "admin";
+ String dbPassword = "password123";
+
+ System.out.print("Enter username: ");
+ String username = scanner.nextLine();
+
+ System.out.print("Enter password: ");
+ String password = scanner.nextLine();
+
+ try {
+ Connection conn = DriverManager.getConnection(dbUrl, dbUser, dbPassword);
+ Statement stmt = conn.createStatement();
+
+ // SQL Injection vulnerability
+ String query = "SELECT * FROM users WHERE username = '" + username + "' AND password = '" + password + "'";
+ stmt.executeQuery(query);
+
+ System.out.println("Login attempted with query: " + query);
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+ }
+}
\ No newline at end of file
diff --git a/src/test/java/com/github/hackathon/advancedsecurityjava/AdvancedSecurityJavaApplicationTests.java b/src/test/java/com/github/hackathon/advancedsecurityjava/AdvancedSecurityJavaApplicationTests.java
index c358abf..0d8161a 100644
--- a/src/test/java/com/github/hackathon/advancedsecurityjava/AdvancedSecurityJavaApplicationTests.java
+++ b/src/test/java/com/github/hackathon/advancedsecurityjava/AdvancedSecurityJavaApplicationTests.java
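Review bot: VulnerableLogin is added under src/main/java, so the hardcoded `admin`/`password123` database credentials and the string-built query ship inside the application artifact even though the directory and class name mark it as a test fixture; if it is a scanner fixture, move it under src/test (or exclude it from the build) and add the `package com.github.hackathon.advancedsecurityjava.test;` line the file lacks despite its directory. The `System.out.println` after `stmt.executeQuery(query)` writes the full query, including the plaintext password the user just typed, to stdout, which is a second finding that the `// SQL Injection vulnerability` comment does not cover; label it with `// Sensitive data in log output: query contains the plaintext password`. The Connection and Statement are also never closed, and the blanket `catch (Exception e)` with `printStackTrace()` hides the failure mode; if this file is ever meant to become the fixed variant, a try-with-resources around a PreparedStatement with `?` placeholders is the shape to use.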
@@ -9,5 +9,15 @@ class AdvancedSecurityJavaApplicationTests {
 @Test
 void contextLoads() {
 }
-
+// Get username from parameters
+String username = request.getParameter("username");
+// Create a statement from database connection
+Statement statement = connection.createStatement();
+// Create unsafe query by concatenating user defined data with query string
+String query = "SELECT secret FROM Users WHERE (username = '" + username + "' AND NOT role = 'admin')";
+// ... OR ...
+// Insecurely format the query string using user defined data
+String query = String.format("SELECT secret FROM Users WHERE (username = '%s' AND NOT role = 'admin')", username);
+// Execute query and return the results
+ResultSet result = statement.executeQuery(query);
 }
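Review bot: The eleven added lines sit directly in the class body of AdvancedSecurityJavaApplicationTests rather than inside a method, so the test source no longer compiles: `request` and `connection` are never declared, `query` is declared twice, and `Statement`/`ResultSet` have no import in view (the class opens before the hunk; the final `}` in the hunk is the class's closing brace). The block, `// ... OR ...` included, appears to be a documentation sample pasted in verbatim rather than code written for this class. If it is intended as a scanner fixture, move it into a method whose parameters declare `request` and `connection`, keep only one of the two `query` assignments, add the imports, and head it with `// Intentional SQL-injection fixture for the scanner; not executed by any test`; otherwise drop the hunk so `contextLoads` still builds.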