SQL can be injected into a report if the report uses lexical references without validating the parameters that supply them.
vulners.com/securityvulns/securityvulns:doc:9722
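
The difference between an unvalidated and a validated lexical reference, as an added example that is not part of the original advisory. The `&name` (lexical, spliced in as text) and `:name` (bind) placeholder syntax, the `emp` table, the parameter names and the allow-list are all assumptions made for illustration.

```python
import re
import sqlite3

# Report query (constructed): &p_filter is a lexical reference spliced in as
# SQL text; :p_dept is a bind reference handed to the driver as data.
REPORT_SQL = "SELECT name FROM emp WHERE dept = :p_dept &p_filter ORDER BY name"

# Hypothetical policy: the only SQL fragments each lexical parameter may carry.
ALLOWED = {"p_filter": {"", "AND salary > 60"}}

LEXICAL = re.compile(r"&(\w+)")


def expand_unvalidated(sql, lexicals):
    """Vulnerable form: the parameter text becomes part of the statement."""
    return LEXICAL.sub(lambda m: lexicals[m.group(1)], sql)


def expand_validated(sql, lexicals):
    """Hardened form: every lexical value must match its allow-list exactly."""
    def repl(m):
        name = m.group(1)
        value = lexicals.get(name)
        if value not in ALLOWED.get(name, ()):
            raise ValueError(f"rejected value for lexical parameter {name!r}")
        return value
    return LEXICAL.sub(repl, sql)


def run_report(expand, dept, lexicals):
    """Run the report against a throwaway in-memory table (constructed rows)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE emp (name TEXT, salary INT, dept TEXT)")
    db.executemany("INSERT INTO emp VALUES (?, ?, ?)",
                   [("ann", 50, "ops"), ("bob", 70, "ops"), ("cat", 90, "hr")])
    sql = expand(REPORT_SQL, lexicals)
    return db.execute(sql, {"p_dept": dept}).fetchall()


if __name__ == "__main__":
    # Expected use: an allow-listed fragment narrows the report.
    print(run_report(expand_validated, "ops", {"p_filter": "AND salary > 60"}))
    # Unvalidated: the fragment rewrites the WHERE clause and leaks other depts.
    print(run_report(expand_unvalidated, "ops", {"p_filter": "OR 1=1"}))
    # Validated: the same value is refused before the statement is built.
    try:
        run_report(expand_validated, "ops", {"p_filter": "OR 1=1"})
    except ValueError as exc:
        print(exc)
```

The bind reference cannot alter the statement's structure whatever its value, so validation effort belongs on the lexical parameters, where the value is the SQL.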