diff -r a141f344305bfe24b29481084c9195debfb41576 -r 11c2799225975ff2cc3c3fb721a9c3eb6da8d0df otp.c
--- a/otp.c Sat Aug 10 20:21:43 2013 -0500
+++ b/otp.c Sat Aug 24 23:06:15 2013 -0500
@@ -218,6 +218,7 @@ User * getMySQLUser(char * user, DB * db)
 {
 char q[512];
+ char q2[512];
 int strp = 0;
 MYSQL_RES *result;
 MYSQL_ROW row;
@@ -259,20 +260,35 @@
 strp += strlen(db->dbtable);
 strncpy(q + strp, " WHERE login = '", 16);
 strp += 16;
- strncpy(q + strp, user, strlen(user));
- strp += strlen(user);
+ mysql_real_escape_string(con, q2, user, strlen(user));
+ strncpy(q + strp, q2, strlen(q2));
+ strp += strlen(q2);
 strncpy(q + strp, "' LIMIT 1", 9);
- if (mysql_query(con, q))
+ if (mysql_query(con, q) > 0)
 {
+ mysql_close(con);
+ free(u);
 return NULL;
 }
 result = mysql_store_result(con);
-
+ if (result == 0)
+ {
+ mysql_close(con);
+ free(u);
+ return NULL;
+ }
 row = mysql_fetch_row(result);
-
- u->user = user;
- u->password = row[0];
+ if (row != NULL)
+ {
+ u->user = user;
+ u->password = row[0];
+ } else {
+ mysql_free_result(result);
+ mysql_close(con);
+ free(u);
+ return NULL;
+ }
 if (strcmp(row[1], "") != 0)
 u->otp = row[1];
@@ -388,6 +404,7 @@
 int ik = 0;
 int i;
 int nibs[2];
+ int retcode = 1;
 char buf10[256];
 char buf16[256];
 time_t now = time(NULL);
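Review bot: The escaped copy in the `@@ -259,20 +260,35 @@` hunk can overflow both stack buffers: `mysql_real_escape_string` needs a destination of at least `length*2+1` bytes, so the `q2[512]` declared in the first hunk is too small once `user` exceeds 255 bytes, and the following `strncpy(q + strp, q2, strlen(q2))` writes into `q` without checking the space left before `sizeof q`. A length check before the escape covers both, e.g. `size_t ulen = strlen(user);` / `if (ulen > (sizeof q2 - 1) / 2 || strp + 2 * ulen + 9 >= sizeof q) { mysql_close(con); free(u); return NULL; }` / `mysql_real_escape_string(con, q2, user, ulen);`. None of the visible `strncpy` calls writes a terminator after `' LIMIT 1` (exactly 9 characters are copied), so unless `q` is zeroed between the hunks the query handed to `mysql_query` depends on uninitialized stack memory for its NUL; `q[strp + 9] = '\0';` after the last copy fixes that. Separately, `if (mysql_query(con, q) > 0)` narrows the previous nonzero test; the call returns zero on success and nonzero on error, so `!= 0` is the faithful check. getMySQLUser begins before and continues past the hunk.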
@@ -399,21 +416,31 @@
 //db = readConfig(getenv("OTPCONFIG"));
 db = readConfig("/etc/apache2/configotp");
 user = getMySQLUser(user_name, db);
+ if (user == NULL)
+ {
+ free(db);
+ exit(1);
+ }
 // if user does not have a OTP set - just verify password
 if (user->otp == NULL)
 {
 hash("SHA1", user_passwd, strlen(user_passwd), outHash);
 ret = b64encode(outHash, 20);
 if (strcmp(ret, user->password) == 0)
- exit(0);
+ retcode = 0;
 else
- exit(1);
+ retcode = 1;
+ free(db);
+ free(user);
+ exit(retcode);
 } else {
 // password should be in the form {OTP}{PASSWORD}
 // ie 123456password
 if (strlen(user_passwd) < 7) // 6 OTP digits and 1 char for password
 {
 printf("password not long enough!");
+ free(db);
+ free(user);
 exit(1);
 }
 for(keylen = 0; keylen < sizeof(newkey) && user->otp[ik] != '\0'; keylen++)
@@ -437,8 +464,12 @@
 ret2 = b64encode(outHash, 20);
 if (strcmp(ret2, user->password) == 0 && strcmp(buf10, inotp) == 0)
 {
+ free(user);
+ free(db);
 exit(0);
 } else {
+ free(user);
+ free(db);
 exit(1);
 }
 }
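Review bot: The `free(user); free(db);` pairs added before each `exit()` in this hunk and in `@@ -437,8 +464,12 @@` are written out five times, each immediately followed by process exit, so a single cleanup label reached with `retcode` set (the variable this commit introduces in `@@ -388`) would make the control flow easier to audit than five copies. Note also that `u->password` and `u->otp` are assigned from `row[0]`/`row[1]` in the getMySQLUser hunk, so freeing the `User` wrapper releases neither the MySQL result set nor the connection; in the visible code `mysql_free_result` is called only on the missing-row failure path, and whether the success path releases it cannot be confirmed from this diff. Likewise `free(db)` frees only the `DB` struct; if `db->dbtable` (dereferenced in `@@ -259`) is heap-allocated it is never released — worth confirming against readConfig. The enclosing function starts before this hunk.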