diff --git a/passman-dev/php/passman/login.php b/passman-dev/php/passman/login.php
index 5f8aadf..08a3f7d 100644
--- a/passman-dev/php/passman/login.php
+++ b/passman-dev/php/passman/login.php
@@ -26,7 +26,8 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
 // }
 require_once __DIR__ . "/config.php";
- // Use a prepared statement to prevent SQL injection.
+ // SQL injection mitigation: use a prepared statement with bound parameters.
+ // User input is treated strictly as data, not as part of the SQL syntax.
 $stmt = $conn->prepare("SELECT id FROM login_users WHERE username = ? AND password = ?");
 if ($stmt === false) {
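Review bot: The rewritten comment on the two `+` lines addresses only injection, while the query on the next line still matches the submitted password inside `WHERE username = ? AND password = ?`, which can only succeed if `login_users.password` stores the plaintext (or a value derived from it) — the prepared statement does nothing for that. The credential check should select the stored hash by username alone, e.g. `SELECT id, password FROM login_users WHERE username = ?`, and then compare in PHP with `password_verify()` against the submitted password (the variable holding it is not visible in this hunk), with `password_hash(..., PASSWORD_DEFAULT)` used wherever the row is written. Even if the column already holds a hash computed elsewhere, an equality match in SQL is not a constant-time comparison, so `password_verify()` or `hash_equals()` remains the right place for it. The enclosing `if ($_SERVER["REQUEST_METHOD"] === "POST")` block starts before the hunk and continues after it, so the bind/execute/fetch lines that this change would touch are outside what is shown.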