This said, there are two patches there now: Fridolyn's one that filters
on input, and my followup that parameterises the SQL to add another
layer of defence (also doing queries the way they're supposed to be
done.)
These two patches have now been tested and pushed to master [1, 2]