A SQL injection vulnerability in Razor v0.8.0.
In https://github.com/cobub/razor/blob/2c991aff4a9c83f99e77a03e26056715706f15c0/web/application/controllers/manage/autoupdate.php#L187,
$description
is controlled by users and has few restrictions on its format.
$this->form_validation->set_rules('description', lang('v_man_au_updateLog'), 'trim|required|xss_clean');
$this->form_validation->set_rules('versionid', lang('v_man_au_versionID'), 'trim|required|xss_clean|callback_versionid_check');
//......
$description = $this->input->post('description');