Create prepared vulnerable code

src/components/login_component.py

@@ -0,0 +1,27 @@
+import sqlite3
+
+
+def get_db():
+    return sqlite3.connect('tutorialpoc.db')
+
+
+def authorize_login(email, password):
+    """
+    This method checks if a user is authorized and has admin privileges.
+    :param email: The email address of the user.
+    :param password: The password of the user.
+    :return: A tuple, the first element is the email address if the user exists,
+    and None if they don't; the second element is a boolean, which is True if
+    the user has admin privileges.
+    """
+    conn = get_db()
+    sql_statement = '''SELECT email, is_admin FROM users
+                       WHERE email="{}" AND password="{}"'''
+    # The problem with this approach is that it substitutes any value received
+    # from the user, even if it is a valid SQL statement!
+    result = conn.execute(sql_statement.format(email, password)).fetchone()
+    if result is None:
+        return None, False
+    else:
+        email, is_admin = result
+        return email, is_admin == 1