Possible sql injection or format string exploit?