from flask import Flask, render_template, request

# Module-level Flask application; the demo route below is registered on it.
app = Flask(__name__)


@app.route('/')
def hack_me():
    """Render the SQL-injection demo page.

    Deliberately vulnerable teaching endpoint: it splices the raw ``username``
    and ``password`` query parameters into a SQL string and hands that string
    to ``hack.html`` for display. Nothing here executes the SQL -- the string
    is only rendered -- so the damage is confined to showing how a payload
    such as ``' OR '1'='1`` rewrites the query.

    The correct pattern, which this demo intentionally does NOT use, is a
    parameterized query where the driver binds the values, e.g.
    ``cursor.execute("SELECT id FROM account WHERE username = ? AND "
    "password = ?", (username, password))``. Never build SQL from request
    data with concatenation or f-strings.

    Further caveats a reader should notice before copying anything from here:
    - Credentials travel in the GET query string, so they end up in browser
      history, proxy/server access logs and Referer headers.
    - The query compares a plaintext password column; real systems store a
      salted hash and verify it outside SQL.
    - ``username``, ``password`` and ``sql`` are reflected into the page.
      Flask/Jinja autoescape ``.html`` templates, so this is not an XSS sink
      as long as ``hack.html`` does not apply ``|safe`` or ``Markup`` to them
      (the template is not visible from here -- confirm).

    Returns:
        The rendered ``hack.html`` response body.
    """
    username = request.args.get("username", "")
    password = request.args.get("password", "")

    # VULNERABLE ON PURPOSE: untrusted input interpolated straight into SQL.
    # An empty username shows no query at all, as in the original demo.
    sql = (
        f"SELECT id FROM account WHERE username = '{username}' "
        f"AND password = '{password}'"
        if username
        else ""
    )
    return render_template("hack.html", username=username, password=password, sql=sql)
