From 370ed02ac7ac5f1f4604977be7cbc479d0c94de5 Mon Sep 17 00:00:00 2001
From: Ayman-umme <ummez2003@gmail.com>
Date: Sun, 10 Aug 2025 12:01:56 +0530
Subject: [PATCH] fix: Patches potential SQL injection vector

Replaces an insecure f-string based database query with a safe, parameterized query to prevent SQL injection vulnerabilities.
---
 app/vulnerable_sql.py | 10 ++++++++++
 1 file changed, 10 insertions(+)
 create mode 100644 app/vulnerable_sql.py

diff --git a/app/vulnerable_sql.py b/app/vulnerable_sql.py
new file mode 100644
index 00000000..73061b88
--- /dev/null
+++ b/app/vulnerable_sql.py
@@ -0,0 +1,10 @@
+from sqlalchemy.sql import text
+
+class UserDAO:
+    def __init__(self, db_session):
+        self.db = db_session
+
+    def get_user_by_username(self, username: str):
+        raw_query = text("SELECT * FROM users WHERE username = :username")
+        result = self.db.execute(raw_query, {"username": username})
+        return result.fetchone()
\ No newline at end of file