Please create a tracker in joomlacode and cross reference here.

Unfortunately $item comes potentially from untrusted source, which means that the values may not be integers even if you expect them to be. To prevent SQL injection, you should at least cast the values to integers before using them in SQL query.

So instead of fixing anything (code wasn't broken), you introduced potential SQL injection vulnerability if your fix is combined with a bad input to the function.

This behavior should also be changed in the MySQL class to keep things consistent. I'd also suggest ensuring the values are type casted just to be safe since the plgFinder group is setting these values based on what a user creates.

Added type cast and changed mysql's driver too.
Joomlacode tracker is #29551

Changes aren't identical -- MySQL is both casting and escaping vs just casting the variables.

I don't know if MySQL needs quote or not when updating/inserting double
value, so I've kept existing and working code, adding check and cast only.
PostgreSQL doesn't need quote instead.

MySQL doesn't need quote either.

I'll add a commit to fix it this evening.

Change committed.

Maybe I am being really really thick but what are list_price and sale_price
doing there anyway. From what I can see they are options to sort the results
but they will never get any data. It looks like these two fields are left over
from the initial import and have no relevance to joomla

It's true that they are not used by any of the core Joomla components. However, they are very useful for third-party extensions where being able to sort on at least one numeric field is important. I would agree that they should be called something more generic than list_price and sale_price, but they are definitely needed.

We dont usually do that though do we?