
Potential SQL-injection in {get,set}PageCache()

Open AdUser opened this issue 4 months ago • 0 comments

After updating the application from 3.6.14 to 3.6.16 I noticed errors in the web interface like the ones shown below.

Image

I don't know the exact reason why they appeared, but there is something more important.

Tracking down the problem led me to the *PageCache() family of functions, which compose SQL queries with code like sprintf("%s"). This is a very insecure and error-prone way to do it, allowing a remote user to potentially substitute arbitrary SQL code.

Sql_Query(sprintf('delete from %s where url = "%s"', $GLOBALS['tables']['urlcache'], $url));

For example, if I pass to this code $url with something like "; DROP TABLE phplist_listuser; -- it will also nuke your subscriptions list table. And no, url_escape() and similar functions are not an option; they can still be fooled.

So, please rewrite this and similar code pieces with prepared SQL statements.

https://github.com/phpList/phplist3/blob/998fde417f3f14bb1f251084d37cff7308dddf03/public_html/lists/admin/lib.php#L1032

AdUser, Aug 18 '25 05:08
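To make the difference between the two query-building styles concrete, here is an added example (not phpList's own code and not from the issue author). It uses PDO with the sqlite driver and an in-memory database as a stand-in for phpList's MySQL tables, so it runs offline with `php example.php`; the `$tables` array and the `deleteUrlCache()` helper are assumptions that mirror `$GLOBALS['tables']` and the delete in `lib.php`. It builds the `sprintf()` form of the urlcache delete with the value from the issue (displayed only, never executed), then runs the same delete as a prepared statement with a bound parameter and checks that the other table is untouched.

```php
<?php
// Added example, not phpList code. PDO + sqlite in-memory stands in for MySQL.
// Table names are constructed to mirror $GLOBALS['tables'] in lib.php.
$tables = ['urlcache' => 'phplist_urlcache', 'listuser' => 'phplist_listuser'];

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE {$tables['urlcache']} (url TEXT, content TEXT)");
$db->exec("CREATE TABLE {$tables['listuser']} (userid INTEGER, listid INTEGER)");
$db->exec("INSERT INTO {$tables['urlcache']} VALUES ('http://example.com/a', 'cached page')");

// The value the issue describes: a "url" that carries SQL after a closing quote.
$url = '"; DROP TABLE ' . $tables['listuser'] . '; -- ';

// 1. The pattern the issue objects to: $url is pasted into the SQL text, so the
//    quote inside it terminates the string literal and the rest is parsed as
//    SQL. Shown for comparison only; deliberately not executed.
$unsafeSql = sprintf('delete from %s where url = "%s"', $tables['urlcache'], $url);
echo "sprintf() builds: $unsafeSql\n";

// 2. The fix the issue asks for: a prepared statement with a bound parameter.
//    Identifiers (the table name) cannot be bound, so they must still come from
//    the trusted $tables config; only the untrusted value is bound. With mysqli
//    the equivalent is $mysqli->prepare() followed by bind_param('s', $url).
function deleteUrlCache(PDO $db, string $table, string $url): int
{
    $stmt = $db->prepare("DELETE FROM $table WHERE url = ?");
    $stmt->execute([$url]);   // $url travels as data, never as SQL text
    return $stmt->rowCount();
}

$deleted = deleteUrlCache($db, $tables['urlcache'], $url);
echo "prepared statement deleted $deleted row(s)\n";   // 0: no row has that literal url

// Confirm the listuser table survived: the value was compared, not executed.
$check = $db->prepare("SELECT name FROM sqlite_master WHERE type = 'table' AND name = ?");
$check->execute([$tables['listuser']]);
echo $check->fetchColumn() ? "{$tables['listuser']} still exists\n" : "table dropped!\n";

// A normal value still deletes exactly its own cache row.
$deleted = deleteUrlCache($db, $tables['urlcache'], 'http://example.com/a');
echo "deleted $deleted row(s) for the real url\n";   // 1
```

The point of keeping the table name outside the bound parameters is that placeholders only work for values; if any identifier in these queries were ever user-controlled it would need an allow-list rather than escaping, which is consistent with the issue's remark that escaping alone is not the answer.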