Posted by Narno on March 3, 2009 at 10:31pm
Issue Summary
The db_escape_string() function is not necessary in delicious.inc at line 136 (and elsewhere) because you use %-modifiers with arguments in SQL queries. In your case, you double-escape single quotes.
User-supplied arguments to the query should be passed in as separate parameters so that they can be properly escaped to avoid SQL injection attacks.
Valid %-modifiers are: %s, %d, %f, %b (binary data, do not enclose in '') and %%.
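The three patterns the report contrasts, as an added example that is not code from the delicious module or from Drupal core. It assumes the Drupal 6 db_query() API the post describes: a %s argument is run through db_escape_string() by db_query() itself, %d is cast to an integer, and %% yields a literal percent sign. The table and column names are made up.

```php
<?php
// Added example, not from the delicious module or Drupal core.
// Assumes Drupal 6 db_query(): %s is escaped by db_query() and must be
// wrapped in quotes by the caller, %d is cast to int, %% is a literal %.
// {delicious_bookmark}, uid and title are invented names.

// Wrong (the pattern reported in delicious.inc): the value is escaped
// twice. db_escape_string() turns O'Reilly into O\'Reilly, db_query()
// escapes that string again, and MySQL ends up storing O\'Reilly.
function delicious_save_title_double_escaped($uid, $title) {
  db_query("INSERT INTO {delicious_bookmark} (uid, title) VALUES (%d, '%s')",
    $uid, db_escape_string($title));
}

// Worse: interpolating the value into the query string yourself. db_query()
// never sees it as an argument, so nothing is escaped; a title of
// x' OR '1'='1 changes the WHERE clause instead of matching a title.
function delicious_titles_injectable($title) {
  return db_query("SELECT uid FROM {delicious_bookmark} WHERE title = '$title'");
}

// Right: hand the raw values to db_query() as separate arguments and let
// the %-modifiers escape them exactly once. Quotes go around %s only;
// %d is emitted as a bare integer.
function delicious_save_title($uid, $title) {
  db_query("INSERT INTO {delicious_bookmark} (uid, title) VALUES (%d, '%s')",
    $uid, $title);
}

// A percent sign that belongs to the SQL itself, such as a LIKE wildcard,
// is written as %% so db_query() does not read it as a modifier. Note that
// db_escape_string() does not neutralise % or _ inside $prefix, so a
// caller-supplied prefix can still widen the LIKE match.
function delicious_titles_with_prefix($prefix) {
  return db_query("SELECT title FROM {delicious_bookmark} WHERE title LIKE '%s%%'",
    $prefix);
}
```

The check to apply to the rest of delicious.inc is mechanical: every argument handed to db_query() after the SQL string should be the raw value, and db_escape_string() should appear only where a value is concatenated into the SQL string directly, which is the case the %-modifiers are there to avoid.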