Sorry for not specifying details, but I will try.
To answer your question: yes, you need to add an integer filter on the POST value $_POST['CatID'], because I can insert malicious SQL code via POST. The category ID is not set automatically; it is a POST value, and POST data is sent by the user. I have a proof of concept for this problem; if you have an email address I will send it with all the details, or if you authorize it I can post it here. I can extract data with this flaw.
I hope I have helped
=)
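To make the fix concrete, here is an added example (not the project's code and not the reporter's proof of concept) of the pattern described above, with the unvalidated POST lookup next to a hardened version. The table and column names (`categories`, `CatID`), the use of PDO, and the function names are assumptions.

```php
<?php
// Added example, not the project's code. Table/column names (categories,
// CatID) and the PDO connection are assumptions for illustration.

// Weak pattern: the raw POST string is concatenated into the query, so
// anything that is not a plain integer is interpreted as SQL.
function findCategoryUnsafe(PDO $db, array $post)
{
    $sql = "SELECT * FROM categories WHERE CatID = " . $post['CatID'];
    return $db->query($sql)->fetch(PDO::FETCH_ASSOC);
}

// Hardened version: validate the field as an integer first, then bind it
// as a typed parameter so the database never parses it as SQL.
function findCategorySafe(PDO $db, array $post)
{
    $catId = filter_var($post['CatID'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    if ($catId === false) {
        // Reject invalid input outright instead of trying to "clean" it.
        http_response_code(400);
        return false;
    }

    $stmt = $db->prepare('SELECT * FROM categories WHERE CatID = :id');
    $stmt->bindValue(':id', $catId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetch(PDO::FETCH_ASSOC);
}
```

Logging the rejected requests (without echoing the submitted value back to the client) gives a cheap signal that someone is probing this parameter.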