From 50ee07d593a9ad6ec7f92da3d98aa0e9cabd346e Mon Sep 17 00:00:00 2001
From: Matt Nemeth <matthew.nemeth@optimizely.com>
Date: Tue, 3 Mar 2026 10:09:09 -0500
Subject: [PATCH 1/3] Create djangojunk.py

---
 python/djangojunk.py | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 python/djangojunk.py

diff --git a/python/djangojunk.py b/python/djangojunk.py
new file mode 100644
index 0000000..e69de29

From dd88a63c406c0816ee98f046581cc062ae83a946 Mon Sep 17 00:00:00 2001
From: Matt Nemeth <matthew.nemeth@optimizely.com>
Date: Tue, 7 Apr 2026 09:27:03 -0400
Subject: [PATCH 2/3] test

---
 python/djangojunk.py | 0
 python/tester.py     | 1 +
 2 files changed, 1 insertion(+)
 delete mode 100644 python/djangojunk.py
 create mode 100644 python/tester.py

diff --git a/python/djangojunk.py b/python/djangojunk.py
deleted file mode 100644
index e69de29..0000000
diff --git a/python/tester.py b/python/tester.py
new file mode 100644
index 0000000..0519ecb
--- /dev/null
+++ b/python/tester.py
@@ -0,0 +1 @@
+ 
\ No newline at end of file

From 91a93e569a1d50e5a2bd4b9b725aeca5a2a47c3c Mon Sep 17 00:00:00 2001
From: Matt Nemeth <matthew.nemeth@optimizely.com>
Date: Tue, 7 Apr 2026 09:29:19 -0400
Subject: [PATCH 3/3] Create tester1.py

---
 python/tester1.py | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 python/tester1.py

diff --git a/python/tester1.py b/python/tester1.py
new file mode 100644
index 0000000..1106427
--- /dev/null
+++ b/python/tester1.py
@@ -0,0 +1,26 @@
+# sql_injection.py
+import sqlite3
+from flask import Flask, request
+
+app = Flask(__name__)
+DB = "test.db"
+
+def init_db():
+    conn = sqlite3.connect(DB)
+    conn.execute("CREATE TABLE IF NOT EXISTS users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
+    conn.execute("INSERT OR IGNORE INTO users (id, username, password) VALUES (1, 'alice', 'passw0rd')")
+    conn.commit()
+    conn.close()
+
+@app.route("/user")
+def user():
+    init_db()
+    username = request.args.get("username", "")
+    # WARNING: vulnerable to SQL injection
+    query1 = "SELECT id, username FROM users WHERE username = '%s'" % username
+    conn = sqlite3.connect(DB)
+    cursor = conn.cursor()
+    cursor.execute(query1)
+    row = cursor.fetchone()
+    conn.close()
+    return str(row)
\ No newline at end of file