diff --git a/INjectionTest.cs b/INjectionTest.cs
new file mode 100644
index 0000000..f715f93
--- /dev/null
+++ b/INjectionTest.cs
@@ -0,0 +1,32 @@
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.EntityFrameworkCore;
+using WebApplication1.Controllers;
+
+namespace WebApplicationDotNetCore.Controllers
+ {
+ public class RSPEC3649SQLiNoncompliant : Controller
+ {
+ private readonly UserAccountContext _context;
+
+ public RSPEC3649SQLiNoncompliant(UserAccountContext context)
+ {
+ _context = context;
+ }
+
+ public IActionResult Authenticate(string user)
+ {
+ string query = "SELECT * FROM Users WHERE Username = '" + user + "'";
+
+ // an attacker can bypass authentication by setting user to this special value
+ // user = "' or 1=1 or ''='";
+
+ var userExists = false;
+ if (_context.Database.ExecuteSqlCommand(query) > 0) // Noncompliant
+ {
+ userExists = true;
+ }
+
+ return Content(userExists ? "success" : "fail");
+ }
+ }
+}
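Review bot: `ExecuteSqlCommand` on the `if` line in `Authenticate` is marked obsolete from EF Core 3.0 onward in favour of `ExecuteSqlRaw`/`ExecuteSqlInterpolated`, so if the project targets a newer EF Core this fixture will build with a CS0618 warning; the concatenated query itself is the deliberate `// Noncompliant` case and is not re-raised here. Independently of parameterisation, the method's return value is an affected-row count rather than a result-set size (the SQL Server provider reports -1 for a SELECT, for instance), so `> 0` is not a reliable existence check even in a compliant variant — presumably the rule test only needs the sink, which is worth saying in a comment such as `// return value is rows affected, not rows matched; only the sink matters for the rule`. The parameterised counterpart that a compliant sibling fixture should show is `_context.Database.ExecuteSqlInterpolated($"SELECT * FROM Users WHERE Username = {user}")`, which passes `user` as a DbParameter. Finally, the file is named `INjectionTest.cs` but declares only `RSPEC3649SQLiNoncompliant`; renaming the file to match the type (and fixing the stray capital N) keeps it consistent with the one-type-per-file convention.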