diff --git a/test1.py b/test1.py
new file mode 100644
index 0000000..9b0c860
--- /dev/null
+++ b/test1.py
@@ -0,0 +1,8 @@
+# Intentional error: variable 'result' is used before being defined ,
+
+def add_numbers(a, b):
+ return a + b
+
+print("Sum is the:", result) # <-- ERROR: 'result' is not defined
+
+result = add_numbers(5, 10)
diff --git a/test2.py b/test2.py
new file mode 100644
index 0000000..340950c
--- /dev/null
+++ b/test2.py
@@ -0,0 +1,38 @@
+# app.py
+# INTENTIONAL_VULN: HARD_CODED_SECRET, SQL_INJECTION, STORED_XSS
+from flask import Flask, request, render_template_string
+import sqlite3
+
+app = Flask(__name__)
+
+# INTENTIONAL_VULN: hard-coded secret
+API_KEY = "supersecretapikey123" # INTENTIONAL_VULN: HARD_CODED_SECRET
+
+def get_db():
+ conn = sqlite3.connect('test.db')
+ return conn
+
+@app.route("/search")
+def search():
+ q = request.args.get("q", "")
+ # INTENTIONAL_VULN: SQL concatenation (SQL Injection)
+ conn = get_db()
+ cursor = conn.cursor()
+ sql = "SELECT id, title FROM articles WHERE title LIKE '%" + q + "%';"
+ cursor.execute(sql)
+ results = cursor.fetchall()
+ conn.close()
+ # INTENTIONAL_VULN: using render_template_string with user data (stored XSS risk when content comes from DB)
+ html = "
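Review bot: test1.py raises NameError as soon as it is imported, because `print("Sum is the:", result)` runs at module level before `result = add_numbers(5, 10)`; the header says this is intentional, but it does not say what the file is a fixture for, so a test runner or linter that collects `test*.py` modules will fail on it rather than skip it. A one-line addition to the header naming the consumer (for example `# Fixture for the static-analysis check; never import this module`) would make that explicit. The header comment also ends with a stray ` ,` and the message reads oddly — `print("Sum is:", result)` unless the wording is itself part of the fixture. The test2.py hunk is cut off at the end of this chunk, so it is not reviewed here.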