It's possible to inject PHP code and to modify SQL queries.
vulners.com/securityvulns/securityvulns:doc:1038
vulners.com/securityvulns/securityvulns:doc:2718