sql query vulnerability in where clause allowing retrieval of hidden data