exploit is now possible

src/app.py

@@ -95,7 +95,7 @@ async def login_form():
 @app.post("/login")
 async def login(login: str = Form(...), password: str = Form(...)):
     cursor.execute(
-        f"SELECT * FROM users WHERE login='{login}' AND password='{password}'"
+        f"SELECT login FROM users WHERE login='{login}' AND password='{password}'"
     )
     user = cursor.fetchall()
     if user:
@@ -124,8 +124,10 @@ async def welcome(request: Request):
     password = request.cookies.get("password")
     if not login or not password:
         return RedirectResponse(url="/login")
+    query=f"SELECT login FROM users WHERE login='{login}' AND password='{password}'"
+    print(f"executing: {query}")
     cursor.execute(
-        f"SELECT login FROM users WHERE login='{login}' AND password='{password}'"
+        query
     )
     user = cursor.fetchall()
     if user:
@@ -133,7 +135,7 @@ async def welcome(request: Request):
         <html>
         <head><title>Добро пожаловать</title>{STYLES}</head>
         <body>
-        <h1>Привет, {user}</h1>
+        <h1>Привет, {str(user)[3:-4]}</h1>
       <button onclick="
         document.cookie = 'login=; expires=Thu, 01 Jan 1970 00:00:00 UTC; path=/;';
         document.cookie = 'password=; expires=Thu, 01 Jan 1970 00:00:00 UTC; path=/;';