diff --git a/01.workspace/heave/src/fun/sqlite_build_statement.rs b/01.workspace/heave/src/fun/sqlite_build_statement.rs
index 6f6fb9b..6d0be76 100644
--- a/01.workspace/heave/src/fun/sqlite_build_statement.rs
+++ b/01.workspace/heave/src/fun/sqlite_build_statement.rs
@@ -1,5 +1,7 @@
 use crate::*;
 
+// TODO: possible sql injection for attribute_id!!!
+
 const BASE_SELECT: &str = r#"SELECT * FROM entity"#;
 const INNER_JOIN_FRAGMENT: &str = r#"
     INNER JOIN attribute as attribute_{index}