diff --git a/routes.py b/routes.py
index 25dde68..d5f5638 100644
--- a/routes.py
+++ b/routes.py
@@ -36,7 +36,7 @@ def login():
     db = get_db()
     # Intentionally vulnerable to SQL Injection in the username field
-    query = f"SELECT * FROM users WHERE username = '{username}' AND password = '{hashed_password}'"
+    query = f"SELECT * FROM users WHERE username = '{username}' AND password = '{hashed_password}'"
     print(f"Executing SQL Query: {query}") # Debug the SQL query being executed
     result = db.execute(query).fetchone()
@@ -170,6 +170,7 @@ def xss_demo():
     if 'username' not in session:
         flash("You must be logged in to access the XSS demo.", "danger")
         return redirect(url_for('login'))
+
     search = request.args.get('search')
     if request.method == 'POST':
@@ -235,4 +236,4 @@ def create_ticket():
 
 @app.route('/admin/tickets')
 def view_tickets():
-    return render_template('admin_tickets.html', tickets=tickets)
\ No newline at end of file
+    return render_template('admin_tickets.html', tickets=tickets)
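Review bot: view_tickets serves /admin/tickets with no session check, while xss_demo in the hunk above gates on `if 'username' not in session:` and redirects to login, so the admin ticket list is reachable without authenticating, and nothing in the hunk checks that the session user is an administrator either. If this is deliberate for the demo app, label it the way the login hunk labels its SQL query, e.g. `# Intentionally vulnerable: no authentication or role check on the admin view`; otherwise add the same session guard before the render_template call, `if 'username' not in session:` / `return redirect(url_for('login'))`, plus whatever role check the rest of the file provides. The `tickets` name is defined outside the hunk, so whether it is module-level shared state cannot be confirmed from here.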