--- trunk/tntnet/dynamic/login.ecpp 2007/12/02 12:03:03 121
+++ trunk/tntnet/dynamic/login.ecpp 2007/12/02 16:56:14 122
@@ -41,11 +41,15 @@
 if (post_username.size() > 0 || post_password.size() > 0)
 {
- std::stringstream sql;
- sql << "SELECT realname,useradmin FROM users WHERE username = '" << post_username << "' AND ";
- sql << "password = '" << post_password << "' AND enabled=true";
+ std::string sql;
+ sql += "SELECT realname,useradmin FROM users WHERE username = :username AND ";
+ sql += "password = :password AND enabled=true";
+
+ tntdb::Statement st = conn.prepare(sql);
+ st.setString("username", post_username).setString("password", post_password);
+
+ tntdb::Result res = st.select();
- tntdb::Result res = conn.select(sql.str());
 if (res.size() >0)
 {
 tntdb::Row row = res[0];