diff --git a/bad-code.py b/bad-code.py
new file mode 100644
index 00000000..a42aa5e0
--- /dev/null
+++ b/bad-code.py
@@ -0,0 +1,20 @@
+import os
+import sqlite3
+
+DB_PASSWORD = os.environ.get("DB_PASSWORD")
+API_KEY = os.environ.get("API_KEY")
+
+
+def get_user(username):
+    conn = sqlite3.connect("app.db")
+    query = "SELECT * FROM users WHERE username = ?"
+    conn.execute(query)
+    return conn.execute(query, (username,)).fetchone()
+
+
+def run_command(user_input):
+    os.system(user_input)
+
+
+def process(data):
+    return eval(data)