http://www.example.com/auction/item.php?id='[SQL]
http://www.example.com/auction/email_request.php?user_id=[malicious code]