Intentionally bad code...

bad_code.cs

public interface IUserService
{
	User GetUser(string userName);
}

public static class UserService : IUserService
{
	public User GetUser(string userName)
	{
		using(var context = new SomeDbContext())
		{
			return context.Users.SqlQuery("SELECT * FROM [dbo].[User] WHERE [UserName]='" + userName + "'").First();
		}
	}
}

public class UserController
{
	public static int CurrentUserId { get; set; }
	private readonly IUserService _userService;
	
	public UserController(IUserService userService)
	{
		_userService = userService;
	}
	
	public ActionResult Login()
	{
		return View();
	}
	
	[HttpPost]
	public ActionResult Login(string userName, string password)
	{
		var user = _userService.GetUser(userName);
		if(user == null)
		{
			ViewBag.ErrorMessage = "User name does not exist";
		}
		else
		{
			if(user.Password == password)
			{
				CurrentUserId = user.Id;
				return RedirectToAction("Index");
			}
			else
			{
				ViewBag.ErrorMessage = "Incorrect password";
			}
		}
		
		return View();
	}
}