A common mistake many developers make is using their MySQL database to validate a user name and password combination.
Here's a typical SQL query checking for the existence of a user trying to login:
SELECT 1 FROM <USERTABLE> WHERE USERNAME="<USERNAME>" AND
If a record matches, the database returns that record and the process continues.
But in MySQL, the above query allows a person with knowledge of the just the USERNAME alone to gain access to the system without much difficulty.
For instance, suppose a user keys in the value for USERNAME as <USERNAME>##" and for PASSWORD, he keys in anything. Because MySQL interprets the character "##" as a comment, the query is terminated when the "##" character is found and there definitely will be a record matching just the username. The query thus returns a record and allows this user to login.
Here's an effective query:
SELECT 1 FROM <USERTABLE> WHERE USERNAME="<USERNAME>"
Always be sure to check whether the username contatins a character like "##" and throw an appropriate error before even sending it to the database.