diff --git a/test-sqli.js b/test-sqli.js
new file mode 100644
index 0000000..59f0d54
--- /dev/null
+++ b/test-sqli.js
@@ -0,0 +1,10 @@
+// Test file for fork PR scanning
+const db = require('./db');
+
+function getUser(req) {
+ const id = req.params.id;
+ // SQL injection vulnerability
+ return db.query(`SELECT * FROM users WHERE id = '${id}'`);
+}
+
+module.exports = { getUser };
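Review bot: The `db.query` call in `getUser` interpolates `req.params.id` straight into the SQL text, so the statement's structure is controlled by the request, and the file exports `getUser` where other modules can require it. If this is a deliberate fixture for the PR scanner, the header comment should say so outright, e.g. `// INTENTIONALLY VULNERABLE scanner fixture: never require() from application code`, and the file is better placed under a fixtures directory that is excluded from builds. If it is meant to run, bind the value instead of concatenating it, for example `return db.query('SELECT * FROM users WHERE id = ?', [id]);`. The placeholder syntax depends on the driver behind `./db`, which is not visible in this diff. Validating that `id` has the expected shape before the query would also let malformed requests be rejected and logged.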