Multiple SQL injection vulnerabilities in PHP Surveyor 0.98 allows remote attackers to execute arbitrary SQL commands via (1) the sid, start, and id parameters