Savannah.gnu.org compromised
Posted Dec 1, 2010 9:31 UTC (Wed) by lolando (guest, #7139)
In reply to: Savannah.gnu.org compromised by Los__D
Parent article: Savannah.gnu.org compromised
I probably mentioned it to them, yeah. But the patch itself is fairly intrusive and, as you guessed, our most recent common ancestor is more than 10 years old so it's of little practical value. Most of it is replacing db_query("SELECT foo FROM bar WHERE key='$value'") with db_query_params('SELECT foo FROM bar WHERE key=$1',array($value)), which can be semi-automated for about 80% of the queries; the only part of it that's not boring grunt-work (Perl be praised) is a mechanism to handle complex queries built on the fly with varying number of tables in the join, varying number of WHERE clauses, and so on, with some combinatory explosion that excludes writing all the possible queries in advance and requires some dynamic stuff.
(If anyone's interested, https://fusionforge.org/scm/viewvc.php/trunk/src/common/i... has the implementation)
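
One way to keep queries parameterized when the joins and WHERE clauses vary at run time, as an added example that is not part of the original comment and is not FusionForge's implementation. The class name ParamQuery and the table and column names are hypothetical; the output pair has the shape that pg_query_params() and the db_query_params() call quoted above accept.

```php
<?php
// Added example, not FusionForge code; table and column names are constructed.
final class ParamQuery
{
    // Identifiers cannot be bound as $n parameters, so they come from allow-lists.
    private const JOINS = [
        'groups' => 'JOIN groups g ON g.group_id = a.group_id',
        'users'  => 'JOIN users u ON u.user_id = a.submitted_by',
    ];
    private const COLUMNS = [
        'status' => 'a.status_id',
        'group'  => 'g.group_name',
        'user'   => 'u.user_name',
    ];
    private array $joins = [], $where = [], $params = [];

    public function join(string $key): self
    {
        if (!isset(self::JOINS[$key])) {
            throw new InvalidArgumentException("unknown join: $key");
        }
        $this->joins[$key] = self::JOINS[$key]; // keyed, so no duplicate joins
        return $this;
    }

    public function whereEquals(string $key, $value): self
    {
        if (!isset(self::COLUMNS[$key])) {
            throw new InvalidArgumentException("unknown column: $key");
        }
        $this->params[] = $value;
        // The placeholder number is the value's 1-based position in $params.
        $this->where[] = self::COLUMNS[$key] . ' = $' . count($this->params);
        return $this;
    }

    public function build(): array // [SQL text, bound values]
    {
        $sql = rtrim('SELECT a.artifact_id FROM artifact a ' . implode(' ', $this->joins));
        if ($this->where) {
            $sql .= ' WHERE ' . implode(' AND ', $this->where);
        }
        return [$sql, $this->params];
    }
}

[$sql, $params] = (new ParamQuery())->join('users')->whereEquals('status', 1)
    ->whereEquals('user', "x' OR '1'='1") // constructed hostile input stays data
    ->build();
echo $sql, "\n", json_encode($params), "\n";
```

The SQL text is assembled only from allow-listed fragments and generated placeholders, so caller-supplied values never reach the statement string regardless of how many clauses are combined.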
