CPA Lead Reward Script allows SQL Injection via the username parameter.