diff --git a/flask_webgoat/auth.py b/flask_webgoat/auth.py
index 61d4a7e6..6d884ebc 100644
--- a/flask_webgoat/auth.py
+++ b/flask_webgoat/auth.py
@@ -1,6 +1,13 @@
+from urllib.parse import urlparse
 from flask import Blueprint, request, jsonify, session, redirect
 from . import query_db
 
+
+def is_safe_url(url):
+    """Check if URL is safe for redirect (relative URL only)."""
+    parsed = urlparse(url)
+    return not parsed.netloc and not parsed.scheme
+
 bp = Blueprint("auth", __name__)
 
 
@@ -14,12 +21,8 @@ def login():
             400,
         )
 
-    # vulnerability: SQL Injection
-    query = (
-        "SELECT id, username, access_level FROM user WHERE username = '%s' AND password = '%s'"
-        % (username, password)
-    )
-    result = query_db(query, [], True)
+    query = "SELECT id, username, access_level FROM user WHERE username = ? AND password = ?"
+    result = query_db(query, (username, password), True)
     if result is None:
         return jsonify({"bad_login": True}), 400
     session["user_info"] = (result[0], result[1], result[2])
@@ -42,7 +45,8 @@ def login_and_redirect():
     query = "SELECT id, username, access_level FROM user WHERE username = ? AND password = ?"
     result = query_db(query, (username, password), True)
     if result is None:
-        # vulnerability: Open Redirect
+        if not is_safe_url(url):
+            return jsonify({"error": "Invalid redirect URL"}), 400
         return redirect(url)
     session["user_info"] = (result[0], result[1], result[2])
     return jsonify({"success": True})