@taoeffect
Last active August 29, 2015 13:56
Patch was emailed to Till Krüss on February 23, 2014. If you can't wait for him to update his Downloads pepper, you can manually apply the patch below. (Note: this was hacked together in a couple of hours. I don't usually code in PHP. I'm hoping he cleans it up and fixes any mistakes.)
--- tracker.php 2011-08-02 14:30:30.000000000 -0500
+++ blah.php 2014-02-24 10:52:23.000000000 -0600
@@ -33,12 +33,8 @@
$this->paranoid = isset($args['paranoid']) ? $args['paranoid'] : FALSE;
$this->db_prefix = $args['tblPrefix'];
- $this->db_id = mysql_connect($args['server'], $args['username'], $args['password']);
-
- mysql_select_db($args['database'], $this->db_id);
-
- $result = mysql_query('SELECT cfg, data FROM '.$this->db_prefix.'_config LIMIT 0,1', $this->db_id);
- $row = mysql_fetch_assoc($result);
+ $this->db = new PDO('mysql:host='.$args['server'].';dbname='.$args['database'], $args['username'], $args['password']);
+ $row = $this->db->query('SELECT cfg, data FROM '.$this->db_prefix.'_config LIMIT 0,1')->fetch(PDO::FETCH_ASSOC);
$this->pepper_cfg = $this->safe_unserialize($row['cfg']);
$this->pepper_id = $this->pepper_cfg['pepperLookUp']['TK_Downloads'];
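Review bot: The handle created on the `+ $this->db = new PDO(...)` line sets neither an error mode nor the emulation and charset options, so on PHP versions where PDO defaults to silent errors a failed `query()` returns `false` and the chained `->fetch()` on the next line becomes a fatal error, and with emulated prepares and no connection charset the driver escapes parameters client-side instead of sending real server-side placeholders. I would create it as `$this->db = new PDO('mysql:host='.$args['server'].';dbname='.$args['database'].';charset=utf8', $args['username'], $args['password'], array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false));` (with the charset matching the tables) so database failures surface as exceptions and the prepared statements added elsewhere in this patch are genuine ones. An uncaught `PDOException` from the constructor can expose the connection arguments in its trace, so the caller should catch it rather than let it reach a default error page. The constructor continues outside the hunk.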
@@ -51,11 +47,15 @@
function safe_unserialize($serialized) {
- $serialized = stripslashes($serialized);
+ // $serialized = stripslashes($serialized); // we're using prepared statements
$unserialized = unserialize($serialized);
if ($unserialized === FALSE) {
- $serialized = preg_replace('/s:\d+:"([^"]*)";/e', "'s:'.strlen('\\1').':\"\\1\";'", $serialized);
+ $serialized = preg_replace_callback('/s:\d+:"([^"]*)";/',
+ function ($m) {
+ return 's:'.strlen($m[1]).':"'.$m[1].'";';
+ },
+ $serialized);
$unserialized = unserialize(stripslashes($serialized));
}
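Review bot: The retry on the last line of the hunk still calls `unserialize(stripslashes($serialized))` after the repaired string is built, while the new comment above says slashes are no longer stripped because the value now arrives through PDO unescaped; the two paths therefore disagree about whether the stored blob is slash-escaped, and a repaired string holding a legitimate backslash is corrupted on the retry. If dropping `stripslashes` is intentional it should go from the retry as well: `$unserialized = unserialize($serialized);`. Both calls also remain `unserialize()` on database-sourced data, which instantiates arbitrary classes from a tampered row; where PHP 7 or later is available, `unserialize($serialized, array('allowed_classes' => false))` closes that off for a blob that is only ever plain arrays. safe_unserialize's body continues outside the hunk.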
@@ -194,9 +193,11 @@
$track = FALSE;
$record = FALSE;
$redirect = FALSE;
- $url = preg_replace("/^http(s)?:\/\/www\.([^.]+\.)/i", "http$1://$2", mysql_real_escape_string(rawurldecode($_GET['url']), $this->db_id));
+ $url = preg_replace("/^http(s)?:\/\/www\.([^.]+\.)/i", "http$1://$2", rawurldecode($_GET['url']));
$components = parse_url($url);
- $file = $_SERVER['DOCUMENT_ROOT'].$components['path'];
+ $file = realpath($_SERVER['DOCUMENT_ROOT'].$components['path']);
+
+ // error_log("file path: '$file' vs '".realpath($file)."'");
$this->debug($this->pepper_prefs['extensions'], 'extensions');
foreach (explode(', ', $this->pepper_prefs['extensions']) as $extension) {
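Review bot: `realpath()` on the new `$file` line returns `false` for a path that does not exist, and the code then continues into the extension loop and the rest of the handler with `$file === false` rather than rejecting the request; `$components['path']` can likewise be absent when `parse_url()` sees a URL with no path, or `$components` can be `false` outright, which raises a notice before `realpath()` is reached. I would fail early: `if ($components === false || empty($components['path'])) exit('// 404.');` before the `$file` line and `if ($file === false) exit('// 404.');` after it. The commented-out `error_log` line is debugging residue and should be removed before this is merged. The enclosing method starts and ends outside the hunk.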
@@ -266,25 +267,34 @@
$this->debug($this->should_ignore(), 'mint ignore');
if ($record && !$this->should_ignore()) {
- $checksize = $this->pepper_prefs['checksize'] ? ' AND size = '.$record : '';
- $result = mysql_query('SELECT id FROM '.$this->db_prefix."files WHERE file = '".$url."'".$checksize, $this->db_id);
+ if ($this->pepper_prefs['checksize']) {
+ $sth = $this->db->prepare('SELECT id FROM '.$this->db_prefix."files WHERE file = ? AND size = ?");
+ $sth->execute(array($url, $record));
+ }
+ else {
+ $sth = $this->db->prepare('SELECT id FROM '.$this->db_prefix."files WHERE file = ?");
+ $sth->execute(array($url));
+ }
+ $result = $sth->fetch(PDO::FETCH_ASSOC);
- $referer = empty($_SERVER['HTTP_REFERER']) || substr($_SERVER['HTTP_REFERER'], 0, 4) != 'http' ? '' : preg_replace('/#.*$/', '', preg_replace("/^http(s)?:\/\/www\.([^.]+\.)/i", "http$1://$2", mysql_real_escape_string($_SERVER['HTTP_REFERER'], $this->db_id)));
+ // $referer = empty($_SERVER['HTTP_REFERER']) || substr($_SERVER['HTTP_REFERER'], 0, 4) != 'http' ? '' : preg_replace('/#.*$/', '', preg_replace("/^http(s)?:\/\/www\.([^.]+\.)/i", "http$1://$2", $this->db->quote($_SERVER['HTTP_REFERER'])));
+ $referer = empty($_SERVER['HTTP_REFERER']) || substr($_SERVER['HTTP_REFERER'], 0, 4) != 'http' ? '' : preg_replace('/#.*$/', '', preg_replace("/^http(s)?:\/\/www\.([^.]+\.)/i", "http$1://$2", $_SERVER['HTTP_REFERER']));
$checksum = $this->get_checksum(preg_replace('/(^([^:]+):\/\/(www\.)?|(:\d+)?\/.*$)/', '', $referer));
- $session = isset($_COOKIE['MintCrush']) ? mysql_real_escape_string($_COOKIE['MintCrush'], $this->db_id) : 0;
+ $session = isset($_COOKIE['MintCrush']) ? $_COOKIE['MintCrush'] : 0;
- if (mysql_num_rows($result)) {
- $row = mysql_fetch_assoc($result);
- $id = $row['id'];
- mysql_query('UPDATE '.$this->db_prefix.'files SET hits = hits + 1 WHERE id = '.$id, $this->db_id);
+ if ($result) {
+ $id = $result['id'];
+ $this->db->prepare('UPDATE '.$this->db_prefix.'files SET hits = hits + 1 WHERE id = ?')->execute(array($id));
} else {
- mysql_query('INSERT INTO '.$this->db_prefix."files (id, file, type, size, hits) VALUES ('', '".$url."', 'http', ".$record.", 1)", $this->db_id);
- $id = mysql_insert_id($this->db_id);
+ $this->db->prepare('INSERT INTO '.$this->db_prefix."files (id, file, type, size, hits) VALUES ('', ?, 'http', ?, 1)")->execute(array($url, $record));
+ $id = $this->db->lastInsertId();
}
- mysql_query('INSERT INTO '.$this->db_prefix."downloads (id, file, dt, ip, session, referer, checksum) VALUES ('', '".$id."', ".time().", ".$this->get_ip().", ".$session.", '".$referer."', '".$checksum."')", $this->db_id);
+ $this->db->prepare('INSERT INTO '.$this->db_prefix."downloads (id, file, dt, ip, session, referer, checksum) VALUES ('', ?, ?, ?, ?, ?, ?)")->execute(array("$id", time(), $this->get_ip(), $session, "$referer", "$checksum"));
- $rawdata = mysql_fetch_assoc(mysql_query('SELECT data FROM '.$this->db_prefix.'_data WHERE id = '.$this->pepper_id, $this->db_id));
+ $sth = $this->db->prepare('SELECT data FROM '.$this->db_prefix.'_data WHERE id = ?');
+ $sth->execute(array($this->pepper_id));
+ $rawdata = $sth->fetch(PDO::FETCH_ASSOC);
$downloads = $this->safe_unserialize($rawdata['data']);
$today = $this->get_time('today');
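Review bot: Each `prepare(...)->execute(...)` chain in the new code (the hits UPDATE and both INSERTs) discards its result, so unless the handle was opened with `PDO::ERRMODE_EXCEPTION` (not visible in this hunk) a failed INSERT into files is silent, `lastInsertId()` then yields `"0"`, and the downloads row written on the next statement is attached to file id 0. At minimum the files INSERT should be split so its outcome is checked, e.g. `if (!$sth->execute(array($url, $record))) { exit('// database error'); }` before reading `lastInsertId()`. The commented-out `$referer` line that used `$this->db->quote()` is dead code and misleading besides, since `quote()` wraps the value in SQL quotes and would be wrong for a value that is later bound as a parameter; delete it rather than leave it beside the live line. The enclosing method continues on both sides of the hunk.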
@@ -305,7 +315,7 @@
$downloads[$id][1] = $this->prune_array($downloads[$id][1], 5);
$downloads[$id][2] = $this->prune_array($downloads[$id][2], 12);
- mysql_query('UPDATE '.$this->db_prefix."_data SET data = '".addslashes(serialize($downloads))."' WHERE id = ".$this->pepper_id, $this->db_id);
+ $this->db->prepare('UPDATE '.$this->db_prefix."_data SET data = ? WHERE id = ?")->execute(array(serialize($downloads), $this->pepper_id));
}
@@ -321,6 +331,16 @@
if (!$track) {
exit('// You cannot download this file');
}
+ // http://stackoverflow.com/a/20432301/1781435
+ function endsWith($haystack, $needle) {
+ return $needle ? substr($haystack, -strlen($needle)) === $needle : "";
+ }
+ function startsWith($haystack, $needle) {
+ return substr($haystack, 0, strlen($needle)) === $needle;
+ }
+
+ if (!startsWith($file, $_SERVER['DOCUMENT_ROOT']))
+ exit('// 404.');
if (extension_loaded('fileinfo')) {
$fileinfo = new finfo(FILEINFO_MIME);
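Review bot: The containment check `startsWith($file, $_SERVER['DOCUMENT_ROOT'])` is a bare prefix comparison, so with a document root of `/var/www` a resolved path such as `/var/www-old/secret` passes, and because `$_SERVER['DOCUMENT_ROOT']` is not itself run through `realpath()` a symlinked root makes every legitimate download fail the check. Declaring `endsWith()` and `startsWith()` as named functions inside the method is also fragile: the declarations execute at global scope each time the method runs, so a second invocation in one request, or another module using the same names, dies with a redeclare error. I would canonicalise the root, require a separator after it, and keep only the helper that is still used, guarded by `function_exists()`; this assumes `$file` is the `realpath()` result assigned earlier in the method, outside this hunk.
```php
// … unchanged: `if (!$track)` guard …
if (!function_exists('endsWith')) {
    // http://stackoverflow.com/a/20432301/1781435
    function endsWith($haystack, $needle) {
        return $needle ? substr($haystack, -strlen($needle)) === $needle : "";
    }
}
// Resolve the root the same way $file was resolved, and require a
// separator after it so "/var/www" does not also admit "/var/www-old/...".
$root = realpath($_SERVER['DOCUMENT_ROOT']);
if ($file === false || $root === false) {
    exit('// 404.');
}
$root = rtrim($root, DIRECTORY_SEPARATOR).DIRECTORY_SEPARATOR;
if (strncmp($file, $root, strlen($root)) !== 0) {
    exit('// 404.');
}
// … unchanged: fileinfo / mime detection …
```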
@@ -337,6 +357,10 @@
$disposition = isset($_GET['inline']) ? 'inline' : 'attachment';
if (!$this->debug()) {
+ // hack because chrome sucks. it also lies, says it's safari.
+ if (endsWith($file, ".pdf") && strpos($_SERVER["HTTP_USER_AGENT"], "Chrome") !== false)
+ $disposition = 'inline';
+
header('Content-Type: '.trim($mime));
header('Content-Disposition: '.$disposition.'; filename="'.basename($file).'"');
header('Content-Transfer-Encoding: binary');
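Review bot: The Chrome sniff reads `$_SERVER["HTTP_USER_AGENT"]` without checking it is set, so a request that omits the User-Agent header raises an undefined-index notice (and on PHP 8 `strpos()` on `null` is deprecated) in the block that is about to emit headers, which with display_errors enabled writes output before `header()` runs and breaks the download. Guard it: `if (endsWith($file, ".pdf") && isset($_SERVER['HTTP_USER_AGENT']) && strpos($_SERVER['HTTP_USER_AGENT'], 'Chrome') !== false)`. This line also relies on the `endsWith()` helper having been declared earlier in the same request; if that declaration sits inside a method, as it appears to elsewhere in this patch, it only exists once that method has executed. The enclosing `if (!$this->debug())` block continues outside the hunk.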
@taoeffect

The file is: mint/pepper/tillkruess/downloads/modules/http/tracker.php

@taoeffect

4 revisions atm. There were some bugs.
