See? I told you it would work. And yes, I thought I specified that in your case, using the 'password()' function (which I would heartily say not to use, since it is MySQL-specific and nonstandard!), you have to use the altered version of the command.
Anyway, the cure is, as I posted before, to run your variables through addslashes and intval.
For example, in your case (you can optimize the PHP code any way you like; this is just an example):

$uid = isset($_SESSION["uid"]) ? $_SESSION["uid"] : '';
// Strip out all non-numeric data
$uid = intval( $uid );
$pwd = isset($_SESSION["pwd"]) ? $_SESSION["pwd"] : '';
// Escape quotes in string
$pwd = addslashes( $pwd );
$sql = "SELECT * FROM user WHERE userid='$uid' AND password=PASSWORD('$pwd')";

So, that will do the following thing:

$uid = "4 OR userid IS NOT NULL #"; // uh-oh, has code to break the query and hack in!
$uid = intval( $uid ); // $uid is now 4
$password = "') OR 1=1 -- '"; // password is unescaped!
$password = addslashes( $password ); // password is now a string and perfectly harmless

P.S. If $uid is a number, then do not enclose it in quotes. It should be like this:

WHERE userid = $uid
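Added example (my code, not the poster's): the post's login query built three ways so the two payloads quoted above can be tried end to end. It is self-contained and uses an in-memory SQLite database, which is an assumption: SQLite has no PASSWORD(), so a throwaway user function stands in for MySQL's (demo only, not a password scheme), and the single user row (userid 4) is constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example, not the original poster's code. The table, the one user
// row and the PASSWORD() stand-in are constructed for the demo.
function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Stand-in for MySQL's PASSWORD() so the post's query text can be reused as written.
    $db->sqliteCreateFunction('PASSWORD', fn ($s) => hash('sha256', (string) $s));
    $db->exec('CREATE TABLE user (userid INTEGER PRIMARY KEY, password TEXT NOT NULL)');
    $ins = $db->prepare('INSERT INTO user (userid, password) VALUES (?, PASSWORD(?))');
    $ins->execute([4, 'correct horse']);
    return $db;
}

function rowCount(PDO $db, string $sql): int
{
    return count($db->query($sql)->fetchAll(PDO::FETCH_ASSOC));
}

// 1. What the post warns against: both values interpolated raw into the SQL text.
function loginRaw(PDO $db, string $uid, string $pwd): int
{
    return rowCount($db, "SELECT * FROM user WHERE userid='$uid' AND password=PASSWORD('$pwd')");
}

// 2. The post's cure: intval() on the number (left unquoted, per the P.S.),
//    addslashes() on the string. addslashes() emits backslash escapes, which
//    is MySQL's convention; it is not tied to the database you are talking to.
function loginAddslashes(PDO $db, string $uid, string $pwd): int
{
    $uid = intval($uid);
    $pwd = addslashes($pwd);
    return rowCount($db, "SELECT * FROM user WHERE userid=$uid AND password=PASSWORD('$pwd')");
}

// 3. Bound parameters: the values never become part of the SQL text, so no
//    escaping convention has to be correct for the server on the other end.
function loginPrepared(PDO $db, string $uid, string $pwd): int
{
    $stmt = $db->prepare('SELECT * FROM user WHERE userid = :uid AND password = PASSWORD(:pwd)');
    $stmt->execute([':uid' => intval($uid), ':pwd' => $pwd]);
    return count($stmt->fetchAll(PDO::FETCH_ASSOC));
}

$db = openDb();
$pwdPayload = "') OR 1=1 -- '";              // the password payload from the post
$uidPayload = "4 OR userid IS NOT NULL -- ";  // the post's uid payload, with SQLite's comment marker

printf("raw, injected password:  %d row(s)\n", loginRaw($db, '4', $pwdPayload));
printf("raw, correct password:   %d row(s)\n", loginRaw($db, '4', 'correct horse'));
printf("addslashes, injected:    %d row(s)\n", loginAddslashes($db, $uidPayload, $pwdPayload));
printf("prepared, injected:      %d row(s)\n", loginPrepared($db, $uidPayload, $pwdPayload));
printf("prepared, correct:       %d row(s)\n", loginPrepared($db, '4', 'correct horse'));
```

Two things worth noticing when running it. The raw version returns the user row for the injected password because the payload closes the PASSWORD('...') literal and appends OR 1=1, exactly as the post describes. The addslashes() version also returns the row here, and that is the caveat: SQLite gives a backslash no special meaning inside a string literal, so the escaped quote still terminates the literal and the OR 1=1 survives. Against MySQL with default settings the backslash escaping does hold, which is why the post's fix works in the poster's environment, but the escaping rules belong to the server (and its connection charset), not to PHP, so on MySQL you would use mysqli_real_escape_string() or PDO::quote() rather than addslashes(). The prepared-statement version returns nothing for the injected inputs and the row for the correct password on any backend, because the payload is sent as data rather than spliced into the query.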