created TODO on user SQL injection

src/DB/User.php

@@ -8,6 +8,7 @@ class User extends DB
 {
     public function checkUserPass($user, $pass)
     {
+        // TODO : SQL injection attack!
         $sql = "SELECT count(*) as count FROM users WHERE username = '" . $user . "' AND password = '" . $pass . "';";
         $ret = $this->query($sql);
         $rows = $ret->fetchArray(SQLITE3_ASSOC);