SQL injection exists in Scriptzee Hotel Booking Engine 1.0 via the hotels h_room_type parameter.