added TODO

src/DB/User.php

@@ -4,6 +4,7 @@ namespace Blog\DB;
 
 class User extends DB {
 	
+	// TODO: sql injection attack
 	public function checkUserPass($user, $pass) {
 		$sql = "SELECT COUNT(*) as count FROM users WHERE username = '" . $user . "' AND password = '" . $pass . "'";
 		$ret = $this->query($sql);