don't use string concatenation for sql

core/database.php

@@ -109,14 +109,6 @@ class Database
         }
     }
 
-    public function escape(string $input): string
-    {
-        if (is_null($this->db)) {
-            $this->connect_db();
-        }
-        return $this->db->Quote($input);
-    }
-
     public function scoreql_to_sql(string $input): string
     {
         if (is_null($this->engine)) {

ext/tag_editcloud/main.php

@@ -82,7 +82,6 @@ class TagEditCloud extends Extension
                 if (count($relevant_tags) == 0) {
                     return null;
                 }
-                $relevant_tags = implode(",", array_map([$database,"escape"], $relevant_tags));
                 $tag_data = $database->get_all(
                     "
 					SELECT t2.tag AS tag, COUNT(image_id) AS count, FLOOR(LN(LN(COUNT(image_id) - :tag_min1 + 1)+1)*150)/200 AS scaled
@@ -90,11 +89,11 @@ class TagEditCloud extends Extension
 					JOIN image_tags it2 USING(image_id)
 					JOIN tags t1 ON it1.tag_id = t1.id
 					JOIN tags t2 ON it2.tag_id = t2.id
-					WHERE t1.count >= :tag_min2 AND t1.tag IN($relevant_tags)
+					WHERE t1.count >= :tag_min2 AND t1.tag IN(:relevant_tags)
 					GROUP BY t2.tag
 					ORDER BY count DESC
 					LIMIT :limit",
-                    ["tag_min1" => $tags_min, "tag_min2" => $tags_min, "limit" => $max_count]
+                    ["tag_min1" => $tags_min, "tag_min2" => $tags_min, "limit" => $max_count, "relevant_tags"=>$relevant_tags]
                 );
                 break;
             case 'a':