WebChess 1.0 allows SQL injection via the messageFrom, gameID, opponent, messageID, or to parameter.