XSS & SQL injection vulnerability