...
If validuser is actually a valid user name, this SELECT statement will select the validuser record in the table. The hashed password is never checked because the expression '1'='1' is always true. Consequently the attacker is granted the access of validuser.
To comply with guideline rule MSC05-J. Store passwords using a hash function, the passwords must be hashed. Unfortunately, many small systems fail to comply; consequently, the password text added in the query string would precisely match what the user enters. An attacker could supply a string for <PASSWORD> such as:
...
This noncompliant code example may also violate guideline rule ERR06-J. Do not allow exceptions to expose sensitive information if the information contained in the exceptions is considered sensitive.
...
Search for other vulnerabilities resulting from the violation of this guideline rule on the CERT website.
Bibliography
...