diff --git a/insecure.php b/insecure.php
index e69de29..a3a1ed3 100644
--- a/insecure.php
+++ b/insecure.php
@@ -0,0 +1,27 @@
+<?php
+
+// First a SQL Injection attack V9
+//$var = $_POST['var'];
+//mysql_query("SELECT * FROM sometable WHERE id = $var");
+
+//
+/// XSS example
+//
+$var = $_POST['var'];
+//echo "<div>$var</div>\n";
+
+
+//
+/// 2nd XSS example
+//
+$var = $_POST['varB'];
+echo "<div>$varB</div>\n";
+
+//
+/// Forget to terminate user input after a redirect
+//
+if ($_SESSION['user_logged_in'] !== true) {
+  header('Location: /login.php');
+}
+
+// Important private logic that shouldn't happen because we've already redirected the user!
