From 220c8faceb5c8451eb9bc912cdd55b36fb88e9d9 Mon Sep 17 00:00:00 2001
From: Sameer <142401625+sameer6pre@users.noreply.github.com>
Date: Fri, 27 Mar 2026 19:43:27 +0800
Subject: [PATCH] Update sample-vuln/app.py in branch Precogs-fix-766fuey3
---
 sample-vuln/app.py | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
 create mode 100644 sample-vuln/app.py
diff --git a/sample-vuln/app.py b/sample-vuln/app.py
new file mode 100644
index 0000000..d82af5b
--- /dev/null
+++ b/sample-vuln/app.py
@@ -0,0 +1,15 @@
+
+app = Flask(__name__)
+
+import os # PRECOGS_FIX: import os to access environment variables
+API_KEY = os.getenv("API_KEY") # PRECOGS_FIX: use environment variable for API key
+
+def get_user_by_name(username):
+ conn = sqlite3.connect("test.db")
+ cursor = conn.cursor()
+ # Fixed SQL injection vulnerability using parameterized query
+ query = "SELECT * FROM users WHERE username = ?" # PRECOGS_FIX: use parameterized query
+ cursor.execute(query, (username,)) # PRECOGS_FIX: pass username as a parameter
+ result = cursor.fetchall()
+ conn.close()
+ return result
\ No newline at end of file
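Review bot: `app = Flask(__name__)` and `sqlite3.connect("test.db")` reference `Flask` and `sqlite3`, but the new file imports neither, so the module raises NameError on import before the parameterized query is ever reached; add `from flask import Flask` and `import sqlite3` at the top of the file, next to `import os` (which also belongs above `app = Flask(...)`, not after it). The parameterized `cursor.execute(query, (username,))` is the correct fix for the string-built query. Separately, `conn.close()` is skipped whenever `execute` or `fetchall` raises, leaking the connection; `with contextlib.closing(sqlite3.connect("test.db")) as conn:` (or a `try`/`finally`) closes it on every path. `API_KEY` is read from the environment but not used anywhere in this file, so its purpose should be stated in a comment or the line dropped.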