4 Sep
2007
4 Sep
'07
11:17 a.m.
I should've looked deeper into the code .. it's a very complex query that is dynamically generated, and it looks as though the constructed values string is plugged in directly rather than using %s substitution. That explains it, I guess.
This is an extremely bad practice and you will be biten by it. Though core does similar at a few places wherever I have encountered such, I added a comment why it's safe -- usually because it's an integer retrieved from the database. Complex stuff should never go without a placeholder.