Index: wp-admin/includes/export.php
===================================================================
--- wp-admin/includes/export.php	(revision 7627)
+++ wp-admin/includes/export.php	(working copy)
@@ -17,7 +17,7 @@
 $where = '';
 if ( $author and $author != 'all' ) {
 	$author_id = (int) $author;
-	$where = " WHERE post_author = '$author_id' ";
+	$where = $wpdb->prepare(" WHERE post_author = %d ", $author_id);
 }
 
 // grab a snapshot of post IDs, just in case it changes during the export
@@ -217,7 +217,7 @@
 <wp:attachment_url><?php echo wp_get_attachment_url($post->ID); ?></wp:attachment_url>
 <?php } ?>
 <?php
-$postmeta = $wpdb->get_results("SELECT * FROM $wpdb->postmeta WHERE post_id = $post->ID");
+$postmeta = $wpdb->get_results( $wpdb->prepare("SELECT * FROM $wpdb->postmeta WHERE post_id = %d", $post->ID) );
 if ( $postmeta ) {
 ?>
 <?php foreach( $postmeta as $meta ) { ?>
@@ -228,7 +228,7 @@
 <?php } ?>
 <?php } ?>
 <?php
-$comments = $wpdb->get_results("SELECT * FROM $wpdb->comments WHERE comment_post_ID = $post->ID");
+$comments = $wpdb->get_results( $wpdb->prepare("SELECT * FROM $wpdb->comments WHERE comment_post_ID = %d", $post->ID) );
 if ( $comments ) { foreach ( $comments as $c ) { ?>
 <wp:comment>
 <wp:comment_id><?php echo $c->comment_ID; ?></wp:comment_id>
Index: wp-admin/includes/post.php
===================================================================
--- wp-admin/includes/post.php	(revision 7627)
+++ wp-admin/includes/post.php	(working copy)
@@ -194,13 +194,13 @@
 	global $wpdb;
 
 	if (!empty ($post_date))
-		$post_date = "AND post_date = '$post_date'";
+		$post_date = $wpdb->prepare("AND post_date = %s", $post_date);
 
 	if (!empty ($title))
-		return $wpdb->get_var("SELECT ID FROM $wpdb->posts WHERE post_title = '$title' $post_date");
+		return $wpdb->get_var( $wpdb->prepare("SELECT ID FROM $wpdb->posts WHERE post_title = %s $post_date", $title) );
 	else
 		if (!empty ($content))
-			return $wpdb->get_var("SELECT ID FROM $wpdb->posts WHERE post_content = '$content' $post_date");
+			return $wpdb->get_var( $wpdb->prepare("SELECT ID FROM $wpdb->posts WHERE post_content = %s $post_date", $content) );
 
 	return 0;
 }
@@ -380,11 +380,9 @@
 
 		wp_cache_delete($post_ID, 'post_meta');
 
-		$wpdb->query( "
-				INSERT INTO $wpdb->postmeta
-				(post_id,meta_key,meta_value )
-				VALUES ('$post_ID','$metakey','$metavalue' )
-			" );
+		$wpdb->query( $wpdb->prepare("INSERT INTO $wpdb->postmeta 
+			(post_id,meta_key,meta_value ) VALUES (%s, %s, %s)",
+			$post_ID, $metakey, $metavalue) );
 		return $wpdb->insert_id;
 	}
 	return false;
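Review bot: `post_id` is bound with `%s` in the new INSERT's VALUES list although it is an integer column and every other ID in this patch (delete_meta, get_post_meta_by_id, has_meta, _relocate_children) uses `%d`; with `%s` the value is quoted and string-escaped instead of cast, so use `(post_id,meta_key,meta_value ) VALUES (%d, %s, %s)`. `$metakey` and `$metavalue` are assigned above the hunk; if they were run through `$wpdb->escape()` for the old interpolated query — as update_meta still does later in this patch — prepare() now escapes them a second time and that earlier escape should be removed. The enclosing function starts outside the hunk.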
@@ -394,10 +392,10 @@
 	global $wpdb;
 	$mid = (int) $mid;
 
-	$post_id = $wpdb->get_var("SELECT post_id FROM $wpdb->postmeta WHERE meta_id = '$mid'");
+	$post_id = $wpdb->get_var( $wpdb->prepare("SELECT post_id FROM $wpdb->postmeta WHERE meta_id = %d", $mid) );
 	wp_cache_delete($post_id, 'post_meta');
 
-	return $wpdb->query( "DELETE FROM $wpdb->postmeta WHERE meta_id = '$mid'" );
+	return $wpdb->query( $wpdb->prepare("DELETE FROM $wpdb->postmeta WHERE meta_id = %d", $mid) );
 }
 
 // Get a list of previously defined keys
@@ -417,7 +415,7 @@
 	global $wpdb;
 	$mid = (int) $mid;
 
-	$meta = $wpdb->get_row( "SELECT * FROM $wpdb->postmeta WHERE meta_id = '$mid'" );
+	$meta = $wpdb->get_row( $wpdb->prepare("SELECT * FROM $wpdb->postmeta WHERE meta_id = %d", $mid) );
 	if ( is_serialized_string( $meta->meta_value ) )
 		$meta->meta_value = maybe_unserialize( $meta->meta_value );
 	return $meta;
@@ -427,11 +425,9 @@
 function has_meta( $postid ) {
 	global $wpdb;
 
-	return $wpdb->get_results( "
-			SELECT meta_key, meta_value, meta_id, post_id
-			FROM $wpdb->postmeta
-			WHERE post_id = '$postid'
-			ORDER BY meta_key,meta_id", ARRAY_A );
+	return $wpdb->get_results( $wpdb->prepare("SELECT meta_key, meta_value, meta_id, post_id
+			FROM $wpdb->postmeta WHERE post_id = %d
+			ORDER BY meta_key,meta_id", $postid), ARRAY_A );
 
 }
 
@@ -443,13 +439,13 @@
 	if ( in_array($mkey, $protected) )
 		return false;
 
-	$post_id = $wpdb->get_var("SELECT post_id FROM $wpdb->postmeta WHERE meta_id = '$mid'");
+	$post_id = $wpdb->get_var( $wpdb->prepare("SELECT post_id FROM $wpdb->postmeta WHERE meta_id = %d", $mid) );
 	wp_cache_delete($post_id, 'post_meta');
 
 	$mvalue = maybe_serialize( stripslashes( $mvalue ));
 	$mvalue = $wpdb->escape( $mvalue );
 	$mid = (int) $mid;
-	return $wpdb->query( "UPDATE $wpdb->postmeta SET meta_key = '$mkey', meta_value = '$mvalue' WHERE meta_id = '$mid'" );
+	return $wpdb->query( $wpdb->prepare("UPDATE $wpdb->postmeta SET meta_key = %s, meta_value = %s WHERE meta_id = %d", $mkey, $mvalue, $mid) );
 }
 
 //
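Review bot: `$mvalue` is still passed through `$wpdb->escape( $mvalue )` two lines above the UPDATE and then bound with `%s`, and prepare() escapes its arguments itself, so quotes and backslashes in a meta value are now stored with doubled escaping. Drop the `$mvalue = $wpdb->escape( $mvalue );` line so `$mvalue = maybe_serialize( stripslashes( $mvalue ));` is the last transformation before the query. `$mkey` gets no such treatment here; if the caller hands it over pre-escaped the same double-escaping applies to it, which is worth confirming at the call site. The function's signature is above the hunk.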
@@ -502,7 +498,7 @@
 	global $wpdb;
 	$old_ID = (int) $old_ID;
 	$new_ID = (int) $new_ID;
-	return $wpdb->query( "UPDATE $wpdb->posts SET post_parent = $new_ID WHERE post_parent = $old_ID" );
+	return $wpdb->query( $wpdb->prepare("UPDATE $wpdb->posts SET post_parent = %d WHERE post_parent = %d", $new_ID, $old_ID) );
 }
 
