diff --git a/djb2.py b/djb2.py
new file mode 100644
index 0000000..cb2fa6e
--- /dev/null
+++ b/djb2.py
@@ -0,0 +1,9 @@
+# test_vuln.py — deliberately bad code
+import sqlite3
+
+def get_user(username):
+ conn = sqlite3.connect("users.db")
+ query = f"SELECT * FROM users WHERE name = '{username}'" # SQL injection
+ return conn.execute(query).fetchone()
+
+SECRET_KEY = "hardcoded-secret-123" # hard-coded secret
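Review bot: get_user builds the statement by interpolating username into the SQL text on the `query =` line, so the caller-controlled value becomes part of the statement rather than a bound parameter; the parameterized form is `return conn.execute("SELECT * FROM users WHERE name = ?", (username,)).fetchone()`. The connection opened on the line above is also never closed, which leaks a file handle per call; wrapping it as `with closing(sqlite3.connect("users.db")) as conn:` (from contextlib) fixes that, since sqlite3's own context manager only commits or rolls back. The header comment names the file `test_vuln.py` and calls it deliberately bad code, while the diff adds it as `djb2.py`; if this is meant as a scanner fixture, the comment should name the actual file and say which findings it is expected to trigger, and `SECRET_KEY` should still not be a literal in any file that could be imported by real code, e.g. `SECRET_KEY = os.environ["SECRET_KEY"]`.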