
@deidyomega
Created August 25, 2017 05:57
Simple Injection and secure code
from flask import Flask
import sqlite3
import os
from time import sleep
# Flask application object; the @app.route decorators in this file register
# the demo endpoints on it.
app = Flask(__name__)
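def gen_test_data():
    """Rebuild ``test.db`` from scratch and seed it with three demo users.

    Any existing ``test.db`` in the current working directory is deleted,
    then a ``USER`` table is created and populated with fixed fixture rows.

    Raises:
        OSError: if ``test.db`` exists but cannot be removed (anything other
            than "file not found", which is expected on the first run).
        sqlite3.Error: if the table cannot be created or populated.
    """
    # Start from a clean slate. Only a missing file is expected (first run);
    # other failures (permissions, path is a directory) should surface rather
    # than be hidden by a bare ``except``.
    try:
        os.remove("test.db")
    except FileNotFoundError:
        pass

    # NOTE(review): the PASSWORD values are 32 hex characters, which looks
    # like an unsalted MD5-style digest shared by all three users. That is
    # tolerable for throwaway fixture data only; real credential storage needs
    # a per-user salt and a slow KDF (e.g. hashlib.scrypt).
    seed_rows = [
        (1, 'Admin', 'admin@test.com', '6C569AABBF7775EF8FC570E228C16B98'),
        (2, 'Sam', 'sam@test.com', '6C569AABBF7775EF8FC570E228C16B98'),
        (3, 'Paul', 'paul@test.com', '6C569AABBF7775EF8FC570E228C16B98'),
    ]

    conn = sqlite3.connect("test.db")
    try:
        c = conn.cursor()
        c.execute('''CREATE TABLE USER
            (ID INT PRIMARY KEY NOT NULL,
            NAME TEXT NOT NULL,
            EMAIL TEXT NOT NULL,
            PASSWORD TEXT NOT NULL);''')
        # Bound parameters even for fixed fixture data, so the seeding code
        # follows the same pattern as the secure() route.
        c.executemany(
            "INSERT INTO USER (ID,NAME,EMAIL,PASSWORD) VALUES (?, ?, ?, ?)",
            seed_rows,
        )
        conn.commit()
    finally:
        # Always release the file handle, including when a statement fails.
        conn.close()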
@app.route("/")
def index():
    """Serve a landing page that points at the two demo endpoints."""
    # The angle brackets around "uid" are HTML-escaped so the browser shows
    # them literally instead of parsing them as a tag.
    landing_page = (
        "\n"
        "Go to: /secure/getuser/&lt;uid&gt; <br><br>\n"
        "or: /insecure/getuser/&lt;uid&gt;\n"
    )
    return landing_page
# Secure
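@app.route('/secure/getuser/<uid>')
def secure(uid):
    """Look up a user's NAME by ID with a parameterized query.

    Args:
        uid: the raw path segment from the URL. It is untrusted input and is
            never spliced into the SQL text.

    Returns:
        ``str()`` of the list of matching rows, e.g. ``"[('Admin',)]"``.
    """
    conn = sqlite3.connect("test.db")
    try:
        c = conn.cursor()
        # The "?" placeholder makes sqlite3 bind uid as a single value, so
        # whatever the client sends is compared against ID as data and can
        # never change the structure of the statement.
        sql = 'SELECT NAME FROM USER WHERE ID = ?'
        c.execute(sql, (uid,))
        data = c.fetchall()
    finally:
        # Close the connection on every request, including failed ones, so
        # handles do not accumulate.
        conn.close()
    # NOTE(review): Flask serves a returned str as HTML and NAME is not
    # escaped here. That is harmless with the fixed fixture rows, but escape
    # the output if names ever come from users.
    return str(data)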
# Insecure
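@app.route('/insecure/getuser/<uid>')
def insecure(uid):
    """Look up a user's NAME by ID using string-built SQL.

    INTENTIONALLY VULNERABLE: this route exists only as the counter-example
    to ``secure()``. Do not copy this pattern into real code.

    Args:
        uid: the raw path segment from the URL (untrusted).

    Returns:
        ``str()`` of the list of rows the resulting statement produced.
    """
    ## try /insecure/getuser/1 or 1=1
    conn = sqlite3.connect("test.db")
    try:
        c = conn.cursor()
        # Deliberate flaw, kept for the demonstration: uid is concatenated
        # into the statement text, so the database parses client-supplied
        # characters as SQL rather than as a value. The fix is the bound
        # parameter used in secure(): 'WHERE ID = ?' with (uid,). Declaring
        # the route as '<int:uid>' would also reject non-numeric input before
        # it reaches the query, as defence in depth.
        sql = 'SELECT NAME FROM USER WHERE ID = ' + uid
        c.execute(sql)
        data = c.fetchall()
    finally:
        # Close the connection even when the malformed SQL raises.
        conn.close()
    return str(data)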
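if __name__ == "__main__":
    # Build the demo database before serving. Nothing else in this file calls
    # gen_test_data(), and without it both routes query a USER table that
    # does not exist.
    gen_test_data()
    # debug=True turns on the Werkzeug reloader and interactive debugger.
    # The debugger can execute code for anyone who can reach it, so keep this
    # demo on the default localhost binding and never expose it on a network.
    app.run(debug=True)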