This script seems to be a prime target for SQL injection attacks. There are a few parameters that are taken from the URL and put into the SQL query string without any form of checking. This is bound to go wrong somewhere...
sybren (talk) 06:46, 13 May 2014 (UTC)
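The pattern the comment describes, shown side by side with its fix, as an added illustration that is not part of the talk page or the script under discussion. The `pages` table, its rows and the `title` parameter are constructed for the example; Python's `sqlite3` module stands in for whatever database the script actually uses.

```python
import sqlite3


def build_db():
    # Constructed sample data, not taken from the script being discussed.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (title TEXT, visible INTEGER)")
    conn.executemany(
        "INSERT INTO pages VALUES (?, ?)",
        [("Main", 1), ("Secret draft", 0), ("Help", 1)],
    )
    return conn


def lookup_unsafe(conn, title):
    # The pattern the comment points at: a value taken from the URL is spliced
    # straight into the SQL text, so quote characters in it become SQL syntax
    # and the WHERE clause no longer means what the author intended.
    sql = "SELECT title FROM pages WHERE visible = 1 AND title = '%s'" % title
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, title):
    # Hardened form: a placeholder plus a bound parameter. The driver sends the
    # value separately from the statement, so it can only ever be compared as
    # data and cannot alter the query's structure.
    sql = "SELECT title FROM pages WHERE visible = 1 AND title = ?"
    return [row[0] for row in conn.execute(sql, (title,))]


if __name__ == "__main__":
    db = build_db()
    crafted = "x' OR '1'='1"
    print("unsafe:", lookup_unsafe(db, crafted))  # hidden row leaks
    print("safe:  ", lookup_safe(db, crafted))    # no match, as intended
```

Running it shows the point of the comment: with a crafted `title` value the string-built query returns every row, including the one marked not visible, while the parameterized query returns nothing because no page literally has that title. Auditing the script for concatenation into SQL strings, and replacing each instance with bound parameters, is the corresponding fix.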