The registration form is safe, however the MyReviews page not, therefore we create a username with an embedded sql injection,
this sql injection will be executed opening the MyReviews page.

prova' UNION  SELECT 1,2,3,4,flag,6,7,8 FROM secrets--