Add example code for CodeQL to flag

test.py

@@ -0,0 +1,19 @@
+from django.conf.urls import url
+from django.db import connection
+
+
+def show_user(request, username):
+    with connection.cursor() as cursor:
+        # BAD -- Using string formatting
+        cursor.execute("SELECT * FROM users WHERE username = '%s'" % username)
+        user = cursor.fetchone()
+
+        # GOOD -- Using parameters
+        cursor.execute("SELECT * FROM users WHERE username = %s", username)
+        user = cursor.fetchone()
+
+        # BAD -- Manually quoting placeholder (%s)
+        cursor.execute("SELECT * FROM users WHERE username = '%s'", username)
+        user = cursor.fetchone()
+
+urlpatterns = [url(r'^users/(?P<username>[^/]+)$', show_user)]