...
If validuser is actually a valid user name, this SELECT statement will select the validuser record in the table. The hashed password is never checked because the expression The reason the hashed password is never checked is because username='validuser' is true and the injection of the OR which results in everything after the OR being irrelevant provided it is syntactically correct. Consequently ; consequently the items after the OR are not tested. As long as the components after the OR generate a syntactically correct SQL expression, the attacker is granted the access of validuser.
...
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="788fa448f3fa2ca2-99fb50ef-49a445c9-a1a199c6-1c160242f75a337f19cb13e5"><ac:plain-text-body><![CDATA[ | [[OWASP 2005 | AA. Bibliography#OWASP 05]] |
| ]]></ac:plain-text-body></ac:structured-macro> |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="9970e76186d913fd-ab767349-4f494e1f-88e89365-3be5e4bae4af7402b6871d8b"><ac:plain-text-body><![CDATA[ | [[OWASP 2007 | AA. Bibliography#OWASP 07]] |
| ]]></ac:plain-text-body></ac:structured-macro> |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="9572ff1a33cc20b3-8be0f477-4f3d4e8a-9b90bf70-7107d8465fb2cb482f9ecba4"><ac:plain-text-body><![CDATA[ | [[OWASP 2008 | AA. Bibliography#OWASP 08]] |
| ]]></ac:plain-text-body></ac:structured-macro> |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="614f7cc366f53a26-ef6e7a3d-49ca4247-8b9bb75b-fa568b1db7cbd83a1900cb92"><ac:plain-text-body><![CDATA[ | [[W3C 2008 | AA. Bibliography#W3C 08]] | 4.4.3 Included If Validating | ]]></ac:plain-text-body></ac:structured-macro> |
...