SQL injection vulnerability/SQL compatibility
Reported by: anonymous | Owned by:
The arguments to the SQL statements are not properly escaped. This leaves the statements open to SQL injection and also causes database compatibility issues.
Disclaimer - I'm not really a Python programmer, so the attached patch may not be the optimal approach. However, it does remove the % operator, which is at the root of the SQL injection problem, and also removes the double quotes around the milestone value (which doesn't work with Postgres 9.x).
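The two defects the ticket describes, shown side by side as an added example (this is not the attached patch or the project's own code; the `ticket` table, its `milestone` column and the sample rows are constructed for the demo, and SQLite stands in for the real backend):

```python
import sqlite3


def make_db():
    # Constructed sample schema and rows; the real project's table differs.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE ticket (id INTEGER PRIMARY KEY, summary TEXT, milestone TEXT)"
    )
    conn.executemany(
        "INSERT INTO ticket (summary, milestone) VALUES (?, ?)",
        [("fix login", "1.0"), ("add export", "1.1"), ("cleanup", "1.0")],
    )
    conn.commit()
    return conn


def tickets_by_milestone_unsafe(conn, milestone):
    # The pattern the ticket reports: % interpolation splices the value into
    # the SQL text, so the value can change the statement's structure.
    sql = "SELECT id, summary FROM ticket WHERE milestone = '%s'" % milestone
    return conn.execute(sql).fetchall()


def tickets_by_milestone_safe(conn, milestone):
    # Parameterized form: the driver sends the value separately, so it can
    # never be parsed as SQL. No quotes are written around the placeholder,
    # which also avoids the double-quote problem the ticket mentions
    # (PostgreSQL reads "..." as an identifier, not a string literal).
    sql = "SELECT id, summary FROM ticket WHERE milestone = ?"
    return conn.execute(sql, (milestone,)).fetchall()


def unsafe_query_error(conn, milestone):
    # Returns the database error the unsafe query raises for a value, or
    # None if it ran. A plain apostrophe in the value is enough to show that
    # the value is being parsed as part of the statement.
    try:
        tickets_by_milestone_unsafe(conn, milestone)
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    db = make_db()
    print("safe 1.0:", tickets_by_milestone_safe(db, "1.0"))
    print("safe 1.0's:", tickets_by_milestone_safe(db, "1.0's"))
    print("unsafe 1.0's:", unsafe_query_error(db, "1.0's"))
```

The safe version returns an empty result for a value containing an apostrophe, while the unsafe version fails with a syntax error, which is the same property an attacker relies on.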