SQL injection vulnerability in index.php in Subdreamer Light, when magic_quotes_gpc is enabled, allows remote attackers to execute arbitrary SQL commands via certain parameters that are used as global variables, as demonstrated using the imageid para