09-20-2007, 11:49 AM   #10
Karl

Unless I'm completely missing something here, why has no one mentioned the fact that selecting a user's password by password is prone to problems? For example, if two users have the same password, the user who registered first will always be returned. If the query is being used to validate a login, the query is very insecure indeed. You'll also need to include the user's id, username, email or other primary key and use that to determine if the password belongs to the user.
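Added example, not part of Karl's post or the thread's original code: a small sqlite3 sketch of the problem described above, with the password-only lookup next to a lookup keyed on the username. The `users` table, its columns and both function names are assumptions made for the illustration, and the two accounts are constructed sample data.

```python
import hashlib
import hmac
import os
import sqlite3

def hash_pw(password, salt):
    # Salted PBKDF2, so identical passwords do not produce identical stored values.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_db():
    """Constructed sample data: two users who happen to share a password."""
    db = sqlite3.connect(":memory:")
    # The plain `password` column exists only so the flawed query below can run.
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE,"
               " password TEXT, salt BLOB, pw_hash BLOB)")
    for name, pw in [("alice", "hunter2"), ("bob", "hunter2")]:
        salt = os.urandom(16)
        db.execute("INSERT INTO users (username, password, salt, pw_hash)"
                   " VALUES (?, ?, ?, ?)", (name, pw, salt, hash_pw(pw, salt)))
    return db

def login_by_password_only(db, username, password):
    """Flawed pattern: the row is chosen by password; the username is never used."""
    # ORDER BY id makes the "first registered user wins" behaviour explicit.
    row = db.execute("SELECT username FROM users WHERE password = ?"
                     " ORDER BY id LIMIT 1", (password,)).fetchone()
    return row[0] if row else None

def login_by_username(db, username, password):
    """Select the row by its unique key, then check the password against that row."""
    row = db.execute("SELECT username, salt, pw_hash FROM users"
                     " WHERE username = ?", (username,)).fetchone()
    if row is None:
        return None
    name, salt, stored = row
    ok = hmac.compare_digest(stored, hash_pw(password, salt))
    return name if ok else None

if __name__ == "__main__":
    db = make_db()
    print("password-only, bob logs in as:", login_by_password_only(db, "bob", "hunter2"))
    print("keyed on username, bob logs in as:", login_by_username(db, "bob", "hunter2"))
```

With the password-only query, bob is authenticated as alice, and so is any name at all as long as the password matches some row.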