diff --git a/reference/mongo/security.xml b/reference/mongo/security.xml
index 8a85a769db..40877faba0 100644
--- a/reference/mongo/security.xml
+++ b/reference/mongo/security.xml
@@ -21,7 +21,7 @@
 
   <para>
    Someone could subvert this by getting 
-   <emphasis>http://www.example.com?password[$ne]=foo</emphasis>, which PHP 
+   <emphasis>http://www.example.com?username[$ne]=foo</emphasis>, which PHP 
    will magically turn into an associative array, turning your query into
    <literal>$collection->find(array("username" => array('$ne' => "foo")))</literal>,
    which will return all users not named "foo" (all of your users, probably).