diff --git a/views/search.ejs b/views/search.ejs
index dd66a962..91196e06 100644
--- a/views/search.ejs
+++ b/views/search.ejs
@@ -2,6 +2,8 @@
Results for: <%- in_query %>
+The Query param that came in was: <%- in_query %>
+
<% if (products.length == 0) { %>
Products not found
<% } else {%>
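Review bot: The added line echoes `in_query` through the unescaped `<%-` tag, so any HTML or script in the query parameter is written verbatim into the page — a reflected XSS whenever `in_query` is taken from the request (the `vulnerable.js` added in this same commit reads a `q` parameter, though the code that renders this template is not in the diff). Use the escaping tag instead: `The Query param that came in was: <%= in_query %>`. The pre-existing `Results for:` line above it has the same problem and wants the same change. The hunk header promises eight new-side lines but only six are visible here, so some context appears to be cut from this view.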
@@ -31,4 +33,4 @@
-<% } %>
\ No newline at end of file
+<% } %>
diff --git a/vulnerable.js b/vulnerable.js
new file mode 100644
index 00000000..2d44f7db
--- /dev/null
+++ b/vulnerable.js
@@ -0,0 +1,39 @@
+var express = require('express')
+var bodyParser = require('body-parser')
+const { Pool } = require('pg')
+
+const pool = new Pool({
+ user: 'dbuser',
+ host: 'database.server.com',
+ database: 'mydb',
+ password: process.env.POSTGRES_PASSWORD,
+ port: 3211,
+})
+
+var test;
+var app = express()
+app.use(bodyParser.json())
+app.use(bodyParser.urlencoded({
+ extended: true
+}));
+
+
+app.get("/", function(req, res){
+ const search = req.params.q
+
+ if (search != "") {
+ var squery = "SELECT * FROM users WHERE name = \"" + search + "\""
+ pool.query(squery, (err, res) => {
+ console.log(err, res)
+ pool.end()
+ })
+ }
+})
+
+app.listen(8000, function () {
+ console.log("Server running");
+});
+
+ let drinks = ['lemonade', 'soda', 'tea', 'water'];
+ let food = ['beans', 'chicken', 'rice'];
+ let iban = "DE012345678910112345"
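Review bot: `squery` in the `/` handler is built by concatenating `search` straight into the SQL text, and `search` is request-controlled, so a value such as `" OR 1=1 --` rewrites the query — a textbook SQL injection; `pg` supports placeholders, so the value should be passed as `$1` in a values array rather than spliced into the string. Two details would mask this in testing: `req.params.q` is always `undefined` on a route declared as `"/"` with no `:q` segment (the query string lives in `req.query.q`), and Postgres treats double quotes as identifier quoting, so `name = "x"` would fail as an unknown column rather than compare a string. Separately, the callback's `res` parameter shadows the Express response and the handler never sends one, so every request hangs, and `pool.end()` inside the callback closes the pool after the first request. The rewrite below parameterizes the query, reads the query string, always answers the request and leaves the pool open; the trailing `drinks`/`food`/`iban` declarations are unused and could be dropped.
```javascript
app.get("/", function(req, res){
  const search = req.query.q

  if (typeof search !== "string" || search === "") {
    return res.status(400).send("missing q")
  }

  // $1 keeps the user value out of the SQL text; pg sends it as a bound parameter.
  pool.query("SELECT * FROM users WHERE name = $1", [search], (err, result) => {
    if (err) {
      console.error(err)
      return res.status(500).send("query failed")
    }
    res.json(result.rows)
  })
})
```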