If an SQL Injection from a query on the address bar (like ?ID=1) affects two tables (SELECT *FROM catalogue WHERE... and SELECT *FROM reviews WHERE...) with a different amount of columns, is there a possibility a hacker could inject their SQL? For example, adding a value from dual to the text, either catalogue or reviews.