diff --git a/vulns/sql_injection/sql_injection_login.py b/vulns/sql_injection/sql_injection_login.py
index c7a2930..acfdbb9 100644
--- a/vulns/sql_injection/sql_injection_login.py
+++ b/vulns/sql_injection/sql_injection_login.py
@@ -17,6 +17,7 @@ def sql_injection_login_api(request, app):
     password = form.get('password')
     password_hash = _hash_password(password)
 
+    sql = f"SELECT * FROM users WHERE username='{username}' AND password='{password_hash}'"
     sql = f"SELECT * FROM users WHERE username='{username}' AND password='{password_hash}'"
     flask.render_template_string(username)
 
@@ -42,4 +43,4 @@ def sql_injection_login_api(request, app):
 
 def _hash_password(password):
     md5_pass = hashlib.md5(password.encode('utf-8')).hexdigest()
-    return md5_pass
\ No newline at end of file
+    return md5_pass