Fix SQL injection in login using prepared statements part 2

2026-01-10 22:44:55 +02:00 · 2026-01-10 22:44:55 +02:00 · f94a1ebbd5
commit f94a1ebbd5
parent 75f47a76b0
1 changed files with 2 additions and 1 deletions
--- a/passman-dev/php/passman/login.php
+++ b/passman-dev/php/passman/login.php
@ -26,7 +26,8 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
 		// }
 		require_once __DIR__ . "/config.php";

-		// Use a prepared statement to prevent SQL injection.
+		// SQL injection mitigation: use a prepared statement with bound parameters.
+		// User input is treated strictly as data, not as part of the SQL syntax.
 		$stmt = $conn->prepare("SELECT id FROM login_users WHERE username = ? AND password = ?");

 		if ($stmt === false) {