Quite interesting indeed, since the query you have is in showphoto.php.
Now photo is typecast as INT, so it should be null if it is not an integer, so I don't understand how that query can be run.
Same thing goes for the next query in showgallery: $ppuser is typecast as INT, so I do not know how external.php is being injected there.
Let me do some checking and I shall see if I come up with anything.
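As an added illustration of the point the post relies on (that an `(int)` cast on the photo parameter should neutralise anything that is not a plain integer), here is a small PHP script showing what the cast actually produces for a handful of constructed inputs, alongside a validate-then-bind variant that does not depend on the cast alone. This is example code written for this thread, not code from the gallery software being discussed; the table and column names `photos` / `photoid` are assumed.

```php
<?php
// Added example, not code from the original thread or from the software discussed there.
// It shows what PHP's (int) cast does to a user-supplied "photo" parameter before it
// reaches SQL, and contrasts it with a validated, parameterised lookup.

function castPhotoId($raw): int
{
    // (int) on a non-numeric string yields 0 (not null); a leading run of digits is kept
    // and everything after it is dropped, so the result is always a plain integer.
    return (int) $raw;
}

// Constructed inputs covering the shapes a hostile or malformed request might carry.
$samples = ['42', '42abc', 'abc', '', null, '1 OR 1=1'];

foreach ($samples as $raw) {
    printf("%-14s -> %d\n", var_export($raw, true), castPhotoId($raw));
}

// Defensive alternative: reject anything that is not a whole integer, then bind the
// value as an integer parameter so the query text never contains user input.
function fetchPhoto(PDO $db, $raw): ?array
{
    if (filter_var($raw, FILTER_VALIDATE_INT) === false) {
        return null; // not a clean integer: refuse rather than coerce
    }
    // Table and column names are assumed for this example.
    $stmt = $db->prepare('SELECT * FROM photos WHERE photoid = :id');
    $stmt->bindValue(':id', (int) $raw, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}
```

Running the script prints `42`, `42`, `0`, `0`, `0` and `1` for the six samples: the cast never lets query text through, which is why a query built only from a cast value is not where an injection would come from. The `fetchPhoto()` variant goes one step further by rejecting partial numerics such as `42abc` outright instead of silently truncating them.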