diff --git a/app/vulnerable_sql.py b/app/vulnerable_sql.py
new file mode 100644
index 00000000..ca8cb1d8
--- /dev/null
+++ b/app/vulnerable_sql.py
@@ -0,0 +1,8 @@
+from sqlalchemy.sql import text
+class UserDAO:
+    def __init__(self, db_session):
+        self.db = db_session
+    def get_user_by_username(self, username: str):
+        raw_query = text("SELECT * FROM users WHERE username = :username")
+        result = self.db.execute(raw_query, username=username)
+        return result.fetchone()
\ No newline at end of file