Just a plain looking login page, lets jump to the source code: So $query is being initialized with unsanitized user input via $_REQUEST[“username”] and $_REQUEST[“password”].  I wonder what would happen if we put a quotation mark(“) in either field?  Let’s try it, we’ll also include “?debug=1” in the URL because