SQL injection is possible during authentication if postgresql or mysql is used.
vulners.com/securityvulns/securityvulns:doc:5180