<?php
// We didn't check $_POST['password'], it could be anything the user wanted! For example:
$username = 'aidan';
$password = "' OR ''='";
// Query database to check if there are any matching users
$query = "SELECT * FROM users WHERE user='$username' AND password='$password'";
// This means the query sent to MySQL would be:
echo $query;
?>