This exploit is incorrect. There is no SQL injection attack here. The $user variable is sanitized prior to passing to the function in common.php, and calling the file directly does nothing because it's just a function definition.