omg... there has been so much debate/arguing since I wrote this script... for what, for nothing...

@SirDice: yes I'm clueless concerning the fact that so many people keep saying that the script is vulnerable... although as the PoC code that it is, nobody can prove that...

I mean, the entire input is md5ed; here let me compress the entire script into one single line, assuming that when you (and everybody else) see the entire line you will argue no more on its effectiveness (no other word came to mind).

Code:
$result = mysql_query(
    "SELECT r34ln4m3 FROM 1nside0ut WHERE md5(l0gn4m3)='"
    .md5($_POST['username']).
    " AND entryw41='"
    .md5($_POST['password']). "'",

    $handle
);
ok so there are more than one line, but compacted the code so that it would be easier to understand (don't know why people won't understand the original code)...

now for those of you which want to see the working "internals".

a' OR 1=1; = 6ec741675c969f8c9a355f144c7b0c47

if you can conceive this result, than you realize that the query won't be
Code:
SELECT r34ln4m3 FROM 1nside0ut WHERE
md5(l0gn4m3)=’a’ OR 1=1; AND entryw41=’$passwd’;
but instead it will be

Code:
SELECT r34ln4m3 FROM 1nside0ut WHERE
md5(l0gn4m3)=’6ec741675c969f8c9a355f144c7b0c47' AND entryw41=’d41d8cd98f00b204e9800998ecf8427e’
an empty password will generate the above password hash...

hope that now everybody's got the picture...

by the way, sql injection don't end with ; ... you either user # or /*...

cheers