With SQL Server (if that is the database in question) someone could inject extra SQL statements where you concatenate your SQL string...
SQL Server can process multiple SQL statements in a batch. For instance, they could enter SELECT * FROM users or some other statement in the username property you are using, and SQL Server will run another query.
Here's a more detailed article on SQL injection:
http://www.4guysfromrolla.com/webtech/061902-1.shtml
You can also Google "SQL injection" to find a number of articles on the subject.
Rodman
Rod Paddock
Editor in Chief CoDe Magazine
President Dash Point Software, Inc.
VP Red Matrix Technologies, Inc.
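The attack described in the reply above, as an added example that is not part of the original post or its author's code. It uses Python's bundled sqlite3 module as a stand-in for SQL Server, with the table name, sample rows, and the run_batch() helper being assumptions made for the demo: sqlite3's execute() refuses multi-statement strings, so run_batch() emulates a server that executes every statement in a batch. The concatenated query lets a crafted username append a DELETE; the parameterized query treats the same input as plain data.

```python
"""Added example (not from the original post): concatenating user input into
a SQL string lets an attacker append a second statement that the server runs
as part of the batch; a parameterized query closes the hole."""
import sqlite3

# Constructed sample data for the demo (assumption, not from the post).
SEED_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SEED_USERS)
    conn.commit()
    return conn


def build_login_sql(username, password):
    # The vulnerable pattern: user-controlled text pasted straight into the SQL.
    return ("SELECT name FROM users WHERE name = '" + username
            + "' AND password = '" + password + "'")


def run_batch(conn, sql):
    """Emulate a server that executes every statement in a batch, as SQL Server
    does.  The string is split at semicolons that end a complete statement
    (sqlite3.complete_statement ignores semicolons inside literals or comments),
    each piece is run in turn, and rows from the last statement are returned.
    This helper is a stand-in for real driver behaviour, not a driver API."""
    rows, buf = [], ""
    for piece in sql.split(";"):
        buf += piece + ";"
        if sqlite3.complete_statement(buf):
            rows = conn.execute(buf).fetchall()
            buf = ""
    return rows


def login_concatenated(conn, username, password):
    # Vulnerable: whatever the attacker typed becomes part of the batch.
    return run_batch(conn, build_login_sql(username, password))


def login_parameterized(conn, username, password):
    # Safe: placeholders send the values separately from the SQL text, so a
    # quote or semicolon in the input is data and can never start a statement.
    return conn.execute(
        "SELECT name FROM users WHERE name = ? AND password = ?",
        (username, password)).fetchall()


def user_count(conn):
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


# Attacker-controlled "username": closes the quoted literal, appends a second
# statement, and comments out the remainder of the original query.
INJECTED_NAME = "x'; DELETE FROM users; --"

if __name__ == "__main__":
    conn = make_db()
    print(login_concatenated(conn, "alice", "s3cret"))   # [('alice',)]
    print(login_concatenated(conn, INJECTED_NAME, "pw"))  # [] but the DELETE ran
    print(user_count(conn))                               # 0: table emptied

    conn = make_db()
    print(login_parameterized(conn, INJECTED_NAME, "pw"))  # []: no match
    print(user_count(conn))                                # 2: nothing else ran
```

Run it as a script to see both paths. The payload does not need to guess the rest of the query: the trailing comment marker discards everything the application appends after the injected text, which is why the password clause never interferes.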