SQL injection vulnerability in message_box.php in OSI Codes PHP Live! 3.3 allows remote attackers to execute arbitrary SQL commands via the deptid parameter.