diff --git a/python/tester.py b/python/tester.py
new file mode 100644
index 0000000..0519ecb
--- /dev/null
+++ b/python/tester.py
@@ -0,0 +1 @@
+
\ No newline at end of file
diff --git a/python/tester1.py b/python/tester1.py
new file mode 100644
index 0000000..1106427
--- /dev/null
+++ b/python/tester1.py
@@ -0,0 +1,26 @@
+# sql_injection.py
+import sqlite3
+from flask import Flask, request
+
+app = Flask(__name__)
+DB = "test.db"
+
+def init_db():
+ conn = sqlite3.connect(DB)
+ conn.execute("CREATE TABLE IF NOT EXISTS users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
+ conn.execute("INSERT OR IGNORE INTO users (id, username, password) VALUES (1, 'alice', 'passw0rd')")
+ conn.commit()
+ conn.close()
+
+@app.route("/user")
+def user():
+ init_db()
+ username = request.args.get("username", "")
+ # WARNING: vulnerable to SQL injection
+ query1 = "SELECT id, username FROM users WHERE username = '%s'" % username
+ conn = sqlite3.connect(DB)
+ cursor = conn.cursor()
+ cursor.execute(query1)
+ row = cursor.fetchone()
+ conn.close()
+ return str(row)
\ No newline at end of file
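Review bot: In `user()` in `python/tester1.py`, `query1` is built by `%`-formatting the `username` request parameter directly into the SQL text, so the statement's structure depends on client input; the in-code warning acknowledges this, but nothing in the commit says the file is an intentional fixture. If this is meant to be working code, bind the value instead: `cursor.execute("SELECT id, username FROM users WHERE username = ?", (username,))`. If it is a deliberately vulnerable sample (for scanner or training use), state that in a module docstring and keep it out of anything deployable; the header comment `# sql_injection.py` also disagrees with the file name `tester1.py`. Separately, `init_db()` seeds a plaintext password and runs on every request, and the connection is not closed if `execute` raises; `with contextlib.closing(sqlite3.connect(DB)) as conn:` would cover the latter.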