[Security] Fix CodeQL alert #14: SQL query built from user-controlled sources

[devin-ai-integration]

Summary

Replaces string concatenation with a parameterized query (? placeholders + parameter tuple) in the /login endpoint of vulnerable_sql_injection.py. This prevents user-supplied username and password values from altering the SQL query structure (CWE-089).

Review & Testing Checklist for Human

• Verify the database driver is Python's sqlite3 module (which uses ?-style placeholders). If the app uses a different driver (e.g., psycopg2 uses %s, SQLAlchemy text() uses :param), the placeholder syntax needs to change.
• Test login manually: confirm valid credentials still authenticate, and that ' OR 1=1-- as username no longer bypasses auth.

Notes

• The search endpoint on line ~33 has an identical vulnerability (alert [CodeQL #13] Flask app is run in debug mode #15) and is addressed in a separate PR.
• No automated tests exist in the repo.

Link to Devin session: https://app.devin.ai/sessions/09fa16db2840475588405dabc15c3e1d
Requested by: @colin-d-fried

---

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring

[devin-ai-integration]

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 1 additional finding.