From f94a1ebbd551e917e5a7c968fe97446466a9599b Mon Sep 17 00:00:00 2001
From: Christos Choutouridis
Date: Sat, 10 Jan 2026 22:44:55 +0200
Subject: [PATCH] Fix SQL injection in login using prepared statements part 2
---
 passman-dev/php/passman/login.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/passman-dev/php/passman/login.php b/passman-dev/php/passman/login.php
index 5f8aadf..08a3f7d 100644
--- a/passman-dev/php/passman/login.php
+++ b/passman-dev/php/passman/login.php
@@ -26,7 +26,8 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
 // }
 require_once __DIR__ . "/config.php";
- // Use a prepared statement to prevent SQL injection.
+ // SQL injection mitigation: use a prepared statement with bound parameters.
+ // User input is treated strictly as data, not as part of the SQL syntax.
 $stmt = $conn->prepare("SELECT id FROM login_users WHERE username = ? AND password = ?");
 if ($stmt === false) {