--- /opt/INTRINsec/lib/Vulture/ResponseHandler.pm.orig	2010-01-28 20:31:04.000000000 +0100
+++ /opt/INTRINsec/lib/Vulture/ResponseHandler.pm	2010-01-28 20:31:36.000000000 +0100
@@ -186,7 +186,7 @@
 	my $cnx = DBI->connect($uri, $db_user, $db_pass);
 	my ($count, $url, $app_name, $chpasswd);
 
-	my $sql = "SELECT $login_column IS NOT NULL, ".($url_column ? $url_column : "NULL"). ",". ($group_column ? $group_column : "NULL").",".($post_url_column ? $post_url_column : "NULL").",".($chpasswd_column ? $chpasswd_column : "NULL")." FROM ".$table_name." WHERE " .$login_column."='".$session->{user}."' AND ".$password_column."=";
+	my $sql = "SELECT $login_column IS NOT NULL, ".($url_column ? $url_column : "NULL"). ",". ($group_column ? $group_column : "NULL").",".($post_url_column ? $post_url_column : "NULL").",".($chpasswd_column ? $chpasswd_column : "NULL")." FROM ".$table_name." WHERE " .$login_column."=".$dbh->quote($session->{user})." AND ".$password_column."=";
 
 	if ($password_algo eq "plain") {
 		$sql .=  $dbh->quote($session->{pass});
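Review bot: The new `$dbh->quote($session->{user})` on the `my $sql` line escapes with `$dbh`, while the only handle opened in this hunk is `$cnx = DBI->connect($uri, $db_user, $db_pass)`; DBI's `quote()` applies the escaping rules of the driver behind the handle it is called on, so if `$dbh` points at a different database than the one this query runs against, the literal may be escaped wrongly for the target backend. `$dbh` is defined outside the hunk, so this needs confirming; if the statement is executed on `$cnx`, use `$cnx->quote($session->{user})`, and likewise for `$session->{pass}` in the `plain` branch. A bound parameter would be sturdier than quoting, for example `" WHERE ".$login_column."=? AND "` with `$session->{user}` passed to `execute`. The column and table names are still concatenated raw, so unless they only ever come from trusted configuration they should go through `quote_identifier`. The enclosing sub starts and ends outside the hunk.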

