Comment 11 for bug 259776

Revision history for this message
Kees Cook (kees) wrote :

I've got to reject this. There has been absolutely no attempt to protect this application from SQL injection.

For example:
function check_privacy($module, $table, $action, $id='', $p_uid='') {
...
  $query = "SELECT $field_pri, $field_uc FROM $table WHERE $field_id = '$id'";
  $obm_q = new DB_OBM;
  $obm_q->query($query);

...
$params = get_list_params();
...
if (! check_privacy($module, "List", $action, $params["list_id"], $obm["uid"])) {

where get_list_params is virtually untouched $_POST values.

Before this gets further review, all database use should be correctly parameterized. And it's not a short list, I'm afraid:
$ fgrep -Ri -- '->query($query);' . | wc -l
977
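The injection described in this comment, as an added example that is not part of the bug report or of the OBM code base. It reproduces the shape of the quoted check_privacy() query (caller-controlled id pasted into the SQL text) against an in-memory SQLite database and puts the parameterized version next to it. It is written in Python rather than the application's PHP so that it runs stand-alone; the table layout, the column names list_privacy / list_usercreate / list_id (the page only shows the variables $field_pri, $field_uc, $field_id) and the "private list is visible only to its creator" decision rule are all assumptions made for the demonstration.

```python
import sqlite3

# Assumed column names per table. Identifiers cannot be bound as query
# parameters, so the fixed version resolves $table and the $field_* names
# through this allowlist instead of interpolating caller-supplied strings.
ALLOWED_TABLES = {"List": ("list_privacy", "list_usercreate", "list_id")}

# Constructed attacker input for $params["list_id"]: closes the quoted
# literal, appends a UNION row that says "public, created by uid 7", and
# comments out the trailing quote that the original query would add.
PAYLOAD = "nonexistent' UNION SELECT 0, 7 -- "


def make_db():
    """Constructed sample data: one public and one private list, both owned by uid 2."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE List ("
        "list_id INTEGER PRIMARY KEY, list_privacy INTEGER, list_usercreate INTEGER)"
    )
    conn.executemany(
        "INSERT INTO List VALUES (?, ?, ?)",
        [(1, 0, 2),   # list 1: public, creator uid 2
         (2, 1, 2)],  # list 2: private, creator uid 2
    )
    conn.commit()
    return conn


def _decide(row, uid):
    """Assumed privacy policy (the real check_privacy() logic is not shown):
    the row must exist, and a private list is only visible to its creator."""
    if row is None:
        return False
    privacy, creator = row
    return privacy == 0 or creator == uid


def check_privacy_vulnerable(conn, table, id, uid):
    """Same construction as the quoted code: the id is spliced into the SQL text."""
    field_pri, field_uc, field_id = ALLOWED_TABLES[table]
    query = f"SELECT {field_pri}, {field_uc} FROM {table} WHERE {field_id} = '{id}'"
    row = conn.execute(query).fetchone()
    return _decide(row, uid)


def check_privacy_fixed(conn, table, id, uid):
    """Parameterized version: the id travels as a bound value, never as SQL text,
    and the identifiers come from the allowlist rather than from the caller."""
    if table not in ALLOWED_TABLES:
        raise ValueError(f"unknown table {table!r}")
    field_pri, field_uc, field_id = ALLOWED_TABLES[table]
    query = (
        f'SELECT "{field_pri}", "{field_uc}" FROM "{table}" '
        f'WHERE "{field_id}" = ?'
    )
    row = conn.execute(query, (id,)).fetchone()
    return _decide(row, uid)


def demo():
    """Return (vulnerable, fixed) decisions for uid 7 on the private list and on the payload."""
    db = make_db()
    return {
        "private_list_vulnerable": check_privacy_vulnerable(db, "List", "2", 7),
        "private_list_fixed": check_privacy_fixed(db, "List", "2", 7),
        "payload_vulnerable": check_privacy_vulnerable(db, "List", PAYLOAD, 7),
        "payload_fixed": check_privacy_fixed(db, "List", PAYLOAD, 7),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

With the spliced query, uid 7 is denied list 2 when the id is honest but is granted access as soon as the id carries the UNION payload, because the attacker now chooses the privacy and creator values the check reads back. With the bound parameter the same payload is just a string that matches no list_id, so the check fails closed. Note that binding covers only values; $table and the $field_* names in the original are identifiers and still need an allowlist like the one above if any of them can be influenced by the request.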