diff --git a/vulnerable_sql_injection.py b/vulnerable_sql_injection.py
index 4fde29f..5bda174 100644
--- a/vulnerable_sql_injection.py
+++ b/vulnerable_sql_injection.py
@@ -11,8 +11,8 @@ def login():
 conn = sqlite3.connect('users.db')
 cursor = conn.cursor()
- query = "SELECT * FROM users WHERE username='" + username + "' AND password='" + password + "'"
- cursor.execute(query)
+ query = "SELECT * FROM users WHERE username=? AND password=?"
+ cursor.execute(query, (username, password))
 user = cursor.fetchone()
 conn.close()
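Review bot: The new query still matches `password=?` against the stored column inside SQL, so the check only works if the `users` table holds passwords in plaintext or as an unsalted, deterministic digest; where `password` comes from is outside the hunk, so this is inferred. Consider fetching the row by username alone, `cursor.execute("SELECT password FROM users WHERE username=?", (username,))`, and verifying the submitted value in Python against a salted KDF output (for example `hashlib.scrypt`) using `hmac.compare_digest`. Separately, `conn.close()` is skipped if `execute` raises; wrapping the connection in `contextlib.closing(...)` would release it on every path. login() starts before and continues after this hunk, so how `user` is used is not visible here.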