sql = SELECT * FROM users WHERE username='admin' AND password=password('P4$w0rd');

What are the potential security risks in this SQL statement?
A. No input validation
B. Attackers can inject SQL code
C. Attackers can inject JavaScript code
D. A and B
E. A, B, and C