Joomla 1.5 with a custom PHP CMS embedded using Iframes 😥

And no escaping on `$_GET` params, concatenated directly into `mysql_query()`I presume?

right on @rozzzly

At least you can do fix those sqli vulns in 15 minutes with some copy/pasta of `mysql_real_escape_string` and technically, truthfully say, "well I fixed 90% of the issues" ......without having to address any of the fundamental design concerns that most definitly exist.