diff --git a/javascript/baduser.js b/javascript/baduser.js
new file mode 100644
index 0000000..ea5c6c6
--- /dev/null
+++ b/javascript/baduser.js
@@ -0,0 +1,24 @@
+const express = require('express');
+const app = express();
+const bodyParser = require('body-parser');
+const mysql = require('mysql');
+
+// Vulnerable endpoint
+app.post('/login', (req, res) => {
+ const username = req.body.username;
+ const password = req.body.password;
+// sample changes
+ const query = `SELECT * FROM users WHERE username = '${username}' AND password = '${password}'`;
+
+ const connection = mysql.createConnection({
+ host: 'localhost',
+ user: 'root',
+ password: '',
+ database: 'testdb',
+ });
+
+ connection.query(query, (err, results) => {
+ //to do ...
+ });
+
+ });
\ No newline at end of file
diff --git a/javascript/users.js b/javascript/users.js
index 62d6bc8..d6935b3 100644
--- a/javascript/users.js
+++ b/javascript/users.js
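Review bot: The `/login` handler in baduser.js never answers the request and discards `err`: the `connection.query` callback is an empty `//to do ...`, so every POST hangs until the client gives up, and the per-request `mysql.createConnection` is never `connection.end()`ed. Before that point the handler throws on its first line, because `bodyParser` is required but never mounted, so `req.body` is `undefined` when `req.body.username` is read; `app.use(bodyParser.json());` before the route fixes that. The query interpolates both request fields into the SQL string even though the parameterized form `connection.query(sql, [username, email], cb)` already exists in this repository's users.js, and comparing `password = '…'` inside SQL also implies the stored value is the plaintext password, which should instead be verified against a stored hash outside the query. If this file is meant to stay a deliberately vulnerable sample, the header comment should say so explicitly (`// Intentionally vulnerable sample: string-built SQL, do not deploy; see users.js for the parameterized form`), and the callback should still respond so the route is exercisable. The users.js hunk at `@@ -1,28 +1,28 @@` reinstates this handler verbatim, so every point here applies there unchanged.
```javascript
app.use(bodyParser.json());

app.post('/login', (req, res) => {
  const { username, password } = req.body ?? {};
  const connection = mysql.createConnection({
    // … unchanged: host/user/password/database options …
  });
  connection.query(
    'SELECT * FROM users WHERE username = ? AND password = ?',
    [username, password],
    (err, results) => {
      connection.end();
      if (err) {
        console.error('Database error:', err);
        return res.status(500).send('Internal Server Error');
      }
      return res.sendStatus(results.length > 0 ? 200 : 401);
    },
  );
});
```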
@@ -1,28 +1,28 @@
-// const express = require('express');
-// const app = express();
-// const bodyParser = require('body-parser');
-// const mysql = require('mysql');
-
-// // Vulnerable endpoint
-// app.post('/login', (req, res) => {
-// const username = req.body.username;
-// const password = req.body.password;
-// // sample changes
-// const query = `SELECT * FROM users WHERE username = '${username}' AND password = '${password}'`;
-
-// const connection = mysql.createConnection({
-// host: 'localhost',
-// user: 'root',
-// password: '',
-// database: 'testdb',
-// });
+const express = require('express');
+const app = express();
+const bodyParser = require('body-parser');
+const mysql = require('mysql');
+
+// Vulnerable endpoint
+app.post('/login', (req, res) => {
+ const username = req.body.username;
+ const password = req.body.password;
+// sample changes
+ const query = `SELECT * FROM users WHERE username = '${username}' AND password = '${password}'`;
+
+ const connection = mysql.createConnection({
+ host: 'localhost',
+ user: 'root',
+ password: '',
+ database: 'testdb',
+ });
-// connection.query(query, (err, results) => {
-// //to do ...
-// });
+ connection.query(query, (err, results) => {
+ //to do ...
+ });
-// });
+});
@@ -30,23 +30,23 @@ // Parameterized Query
-const connection = mysql.createConnection({
- host: 'localhost',
- user: 'root',
- password: '',
- database: 'securedb',
-});
+// const connection = mysql.createConnection({
+// host: 'localhost',
+// user: 'root',
+// password: '',
+// database: 'securedb',
+// });
-// Secure SQL query using parameterized queries
-app.post('/user', (req, res) => {
- const { username, email } = req.body;
-
- const query = 'INSERT INTO users (username, email) VALUES (?, ?)';
- connection.query(query, [username, email], (err, result) => {
- if (err) {
- console.error('Database error:', err);
- return res.status(500).send('Internal Server Error');
- }
- res.send('User added successfully!');
- });
-});
+// // Secure SQL query using parameterized queries
+// app.post('/user', (req, res) => {
+// const { username, email } = req.body;
+
+// const query = 'INSERT INTO users (username, email) VALUES (?, ?)';
+// connection.query(query, [username, email], (err, result) => {
+// if (err) {
+// console.error('Database error:', err);
+// return res.status(500).send('Internal Server Error');
+// }
+// res.send('User added successfully!');
+// });
+// });
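Review bot: Commenting out the `securedb` connection and the parameterized `/user` route leaves roughly twenty lines of dead code under a `// Parameterized Query` heading that no longer describes anything that runs; delete the block instead, since git keeps the history, or keep it live and retire the string-built `/login` sample above it rather than the reverse. After this hunk the only active route in users.js is the interpolated `/login` query from the first hunk, so the file no longer demonstrates the safe pattern at all. Whether anything else (for example an `app.listen`) follows this hunk is outside SOURCE.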