id: 8703
summary: SQL injection vulnerability/SQL compatibility
reporter: anonymous
owner: Ryan J Ollos
description: "The arguments to the SQL statements are not properly escaped. This results in a possibility of SQL injection, and also database compatibility issues. Disclaimer - I'm not really a Python programmer, so the attached patch may not be the optimal approach. However, it does remove the % operator, which is at the root of the SQL injection problem, and also removes the double quotes around the milestone value (which doesn't work with postgres 9.x)."
type: defect
status: reopened
priority: normal
component: TracTicketStatsPlugin
severity: normal
resolution:
keywords:
cc:
release: 0.11