The issue: Using userdata in queries often causes users manipulating queries. Request: http://example.com/tests/simple.php?login=username+OR+1 ]]> The solution: Use databases extensions escape functions ]]> Hint: Even better use prepared statements prepare( 'SELECT password FROM user WHERE login = ?' ); $stmt->execute( array( $_GET['login'] ) ); ?>]]>