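def get_user(username):
    """Look up a user row by username using a parameterized query.

    The username is handed to the driver as a bound parameter instead of
    being interpolated into the SQL text. Quotes or SQL syntax inside the
    value are therefore treated as data and cannot alter the statement.

    Args:
        username: Username to match; treated as untrusted input.

    Returns:
        Whatever ``db.execute`` returns for the query.
    """
    # NOTE(review): "?" is the qmark placeholder style (e.g. sqlite3). Drivers
    # with a different DB-API paramstyle use "%s" or ":name" instead. Confirm
    # against the driver behind `db`, and that `db.execute` accepts a
    # parameter sequence as its second argument.
    query = "SELECT * FROM users WHERE username = ?"
    return db.execute(query, (username,))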