Chartered Accountant Booking Script 1.0 has SQL Injection via the /service-list city parameter.