Code/Notes to explain SQL injection (pure draft)
February 21, 2020
$username = $_POST['username'];
SELECT * FROM users WHERE username = '$username';
$username = jagdeep
SELECT * FROM users WHERE username = 'jagdeep';
$username = jd
SELECT * FROM users WHERE username = 'jd';
$username = jagdeep' OR '1=1;
SELECT * FROM users WHERE username = 'jagdeep' OR '1=1';
$username = jagdeep'; DELETE FROM users;--;
sanitize
1. SELECT * FROM users WHERE username = 'jagdeep';
2. DELETE FROM users;
3. --';
Minimum protection:
$username = mysql_real_escape_string($_POST['username']);
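Added example (not part of the original notes): the same users lookup built by string concatenation and with a bound parameter, run against the inputs above. It assumes Python's sqlite3 with an in-memory database as a stand-in for PHP/MySQL; the sample rows and the function names are made up for illustration.

```python
import sqlite3

# Constructed sample data; table and column names follow the query in the notes.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT)")
    db.executemany("INSERT INTO users VALUES (?)",
                   [("jagdeep",), ("jd",), ("admin",)])
    return db

def build_query(username):
    """Pattern from the notes: input pasted between the quotes of the SQL text."""
    return "SELECT * FROM users WHERE username = '" + username + "'"

def lookup_concat(db, username):
    """Vulnerable: the input is parsed as part of the SQL statement."""
    return [row[0] for row in db.execute(build_query(username))]

def lookup_bound(db, username):
    """Hardened: the statement text is fixed; the input is bound as a value."""
    cur = db.execute("SELECT * FROM users WHERE username = ?", (username,))
    return [row[0] for row in cur]

if __name__ == "__main__":
    db = make_db()
    for name in ("jagdeep", "jagdeep' OR '1=1", "jagdeep'; DELETE FROM users;--"):
        print("input :", name)
        print("query :", build_query(name))
        try:
            print("concat:", lookup_concat(db, name))
        except (sqlite3.Error, sqlite3.Warning) as exc:
            # sqlite3's execute() refuses more than one statement per call;
            # drivers that allow multi-statements would run the DELETE.
            print("concat: rejected by driver:", exc)
        print("bound :", lookup_bound(db, name))
```

mysql_real_escape_string() was removed in PHP 7.0; in PHP the same binding is done with PDO or mysqli prepared statements.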