by dustywusty 4720 days ago
This code's pretty riddled with SQL injection vulnerabilities. Can't imagine anyone recommending use of this for new projects.

For a single instance, https://github.com/WhatCD/Gazelle/blob/master/sections/user/...

The $UserId variable, which is used throughout the queries within this file, is set by an unfiltered GET variable.


Actually they check the $_GET['id'] variable, which is used to set the $UserId variable. Check the top of the source:

if (empty($_GET['id']) || !is_numeric($_GET['id']) || (!empty($_GET['preview']) && !is_numeric($_GET['preview']))) {
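
To make the disagreement in this thread concrete, here is an added PHP example (not Gazelle's code and not written by either commenter). It runs a few constructed candidate values for $_GET['id'] through a gate modelled on the quoted is_numeric() check, shows which ones it lets through, and then pairs it with a prepared statement so that the query no longer relies on the gate alone. The gate() and fetchUser() functions, the table name users and the PDO connection are all assumptions for the example.

```php
<?php
// Added example, not code from the Gazelle repository or the thread.
// Part 1: what the quoted gate accepts and rejects.
// Part 2: binding the value instead of interpolating it into SQL.

// Constructed sample values standing in for $_GET['id'].
$samples = [
    "42",            // ordinary integer id
    "42 OR 1=1",     // rejected: not numeric
    "42'; --",       // rejected: not numeric
    "1e3",           // accepted by is_numeric(): exponent notation
    "4.2",           // accepted by is_numeric(): float
    " 42",           // accepted by is_numeric(): leading whitespace
    "0x2A",          // rejected on PHP 7+: hex strings are not numeric
    "0",             // rejected: empty("0") is true, as in the quoted check
];

// Mirrors the check quoted in the comment above: empty or non-numeric
// values are refused. The cast to int is an addition over that check, so
// that a value such as "1e3" or "4.2" reaches the query as a plain integer
// rather than as a float or exponent literal.
function gate(string $raw): ?int
{
    if (empty($raw) || !is_numeric($raw)) {
        return null;
    }
    return (int) $raw;
}

foreach ($samples as $raw) {
    $id = gate($raw);
    printf("%-12s -> %s\n", var_export($raw, true),
        $id === null ? 'rejected' : "UserID=$id");
}

// Independently of the gate, bind the value rather than building the SQL
// string with it. $db is an assumed PDO connection; the table and column
// names are placeholders for this example.
function fetchUser(PDO $db, int $userId): ?array
{
    $stmt = $db->prepare('SELECT ID, Username FROM users WHERE ID = :id');
    $stmt->execute([':id' => $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}
```

Running the first part shows why the second part matters even when the gate is present: is_numeric() does keep quotes and keywords out, which is what blocks the injection the first comment worries about, but it also admits floats, exponent notation and surrounding whitespace, so the value still deserves an integer cast before it is used, and a bound parameter means the query's safety no longer depends on every caller remembering the gate.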