diff --git a/SqlInjection.ql b/SqlInjection.ql
index 5928bad..68f55d3 100644
--- a/SqlInjection.ql
+++ b/SqlInjection.ql
@@ -23,7 +23,22 @@ class SqliFlowConfig extends TaintTracking::Configuration {
   override predicate isSanitizer(DataFlow::Node sanitizer) { none() }
 
-  override predicate isAdditionalTaintStep(DataFlow::Node n1, DataFlow::Node n2) { none() }
+  override predicate isAdditionalTaintStep(DataFlow::Node into, DataFlow::Node out) {
+    // Extra taint step
+    // snprintf(query, bufsize, "INSERT INTO users VALUES (%d, '%s')", id, info);
+    // But snprintf is a macro on mac os. The actual function's name is
+    // #undef snprintf
+    // #define snprintf(str, len, ...) \
+    // __builtin___snprintf_chk (str, len, 0, __darwin_obsz(str), __VA_ARGS__)
+    // #endif
+    exists(FunctionCall printf |
+      printf.getTarget().getName().matches("%snprintf%") and
+      printf.getArgument(0) = out.asExpr() and
+      // very specific: shifted index for macro. We can generalize this to consider
+      // all trailing arguments as sources.
+      printf.getArgument(6) = into.asExpr()
+    )
+  }
 
   override predicate isSink(DataFlow::Node sink) {
     // rc = sqlite3_exec(db, query, NULL, 0, &zErrMsg);
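Review bot: The new taint step hard-codes `printf.getArgument(6)` as the tainted input, which only fits the seven-argument `__builtin___snprintf_chk` expansion the comment describes; on a toolchain where `snprintf` is a plain function the variadic arguments start at index 3, so the step never fires and the query silently reports nothing instead of failing loudly. The comment already proposes the generalization, so make it the code: `exists(int i | i > 1 | printf.getArgument(i) = into.asExpr())`, which skips only the destination and size arguments and also handles several tainted format arguments in one call. Separately, `out.asExpr()` on argument 0 is the read of the buffer pointer as passed into the call, so taint written by the call may not reach the later `sqlite3_exec(db, query, ...)` use of that buffer; if the dataflow library in use provides it, `printf.getArgument(0) = out.asDefiningArgument() and` is the node that represents the buffer's value after the call. The enclosing class `SqliFlowConfig` begins before this hunk.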
@@ -34,22 +49,6 @@ class SqliFlowConfig extends TaintTracking::Configuration {
     }
   }
 
-// from SqliFlowConfig conf, DataFlow::PathNode source, DataFlow::PathNode sink
-// where conf.hasFlowPath(source, sink)
-// select sink, source, sink, "Possible SQL injection"
-
-// Extra taint step
-// snprintf(query, bufsize, "INSERT INTO users VALUES (%d, '%s')", id, info);
-// But snprintf is a macro on mac os. The actual function's name is
-// #undef snprintf
-// #define snprintf(str, len, ...) \
-// __builtin___snprintf_chk (str, len, 0, __darwin_obsz(str), __VA_ARGS__)
-// #endif
-from FunctionCall printf, DataFlow::Node into, DataFlow::Node out
-where
-  printf.getTarget().getName().matches("%snprintf%") and
-  printf.getArgument(0) = out.asExpr() and
-  // very specific: shifted index for macro. We can generalize this to consider
-  // all trailing arguments as sources.
-  printf.getArgument(6) = into.asExpr()
-select printf, into, out
+from SqliFlowConfig conf, DataFlow::PathNode source, DataFlow::PathNode sink
+where conf.hasFlowPath(source, sink)
+select sink, source, sink, "Possible SQL injection"