From 3a081c4bdbfa8e992ed149035291dc799f224c06 Mon Sep 17 00:00:00 2001
From: Ayman-umme <ummez2003@gmail.com>
Date: Sat, 9 Aug 2025 22:56:34 +0530
Subject: [PATCH] fix: Patches potential SQL injection vector

Replaces an insecure f-string based database query with a safe, parameterized query to prevent SQL injection vulnerabilities.
---
 app/vulnerable_sql.py | 8 ++++++++
 1 file changed, 8 insertions(+)
 create mode 100644 app/vulnerable_sql.py

diff --git a/app/vulnerable_sql.py b/app/vulnerable_sql.py
new file mode 100644
index 00000000..ca8cb1d8
--- /dev/null
+++ b/app/vulnerable_sql.py
@@ -0,0 +1,8 @@
+from sqlalchemy.sql import text
+class UserDAO:
+    def __init__(self, db_session):
+        self.db = db_session
+    def get_user_by_username(self, username: str):
+        raw_query = text("SELECT * FROM users WHERE username = :username")
+        result = self.db.execute(raw_query, username=username)
+        return result.fetchone()
\ No newline at end of file