No, your patch does not fix anything. I'm afraid you didn't catch what the bug is.
Please read my note from 2011-07-30 on this ticket: the problem is that you can't use mysql_real_escape_string() when the PHP driver is mysqli.
Even if the DB is MySQL, the driver mysql is not used (please take notice of the caps!), that's where the bug is.
BTW, PHP plans to mark mysql "obsolete" in favor of mysqli and PDO, so making sure Moodle can live without ext/mysql seems increasingly important.
Now suppose the title of a forum post is "injection', (SELECT GROUP_CONCAT( * ) FROM user LIMIT 1), '', '', '', '') -- " (with no surrounding quotes).
I did not try to find the exact syntax, that's just the concept.
With mysqli, mysql_real_escape_string() won't do anything, not even a warning unless Moodle is in debug mode. So on indexing, a SQL query will insert the unescaped title.
The pseudo-code "INSERT INTO ... VALUES ('$title', '$date', ...)" would become "INSERT INTO ('injection', (SELECT GROUP_CONCAT( * ) FROM user LIMIT 1), '', '', '', '') -- ', ...)".
This SQL injection would put all the content of the first row of the table "user" into the global search table. Isn't that a security problem?
(edited to remove the smileys in the SQL code)
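
The failure mode described in the comment above, as an added example that is not part of the ticket or of Moodle's code: an indexer that relies on an escape call which does nothing, next to the same insert written with bound parameters. Assumptions: an in-memory SQLite database through PDO stands in for the MySQL setup, the table layout, function names and title string are constructed for the demo, and `wrong_driver_escape()` is a hypothetical stand-in that models the behaviour the comment reports.

```php
<?php
// Constructed demo data: SQLite in memory stands in for the MySQL database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE user (username TEXT, password TEXT)");
$db->exec("INSERT INTO user VALUES ('admin', 'constructed-hash')");
$db->exec("CREATE TABLE search_index (title TEXT, body TEXT)");

// Hypothetical stand-in for an escape function tied to a driver that is not
// the one in use. Modelled as the comment describes: the input is not escaped.
function wrong_driver_escape(string $s): string
{
    return $s;
}

// Vulnerable pattern: the statement is built by interpolation and its safety
// depends entirely on the escape call having worked.
function index_unsafe(PDO $db, string $title): void
{
    $t = wrong_driver_escape($title);
    $db->exec("INSERT INTO search_index (title, body) VALUES ('$t', '')");
}

// Hardened pattern: the title is a bound parameter, so it is always stored as
// data, whichever driver is loaded and whether or not any escaper works.
function index_safe(PDO $db, string $title): void
{
    $stmt = $db->prepare("INSERT INTO search_index (title, body) VALUES (?, '')");
    $stmt->execute([$title]);
}

function indexed_rows(PDO $db): array
{
    return $db->query("SELECT title, body FROM search_index")
              ->fetchAll(PDO::FETCH_NUM);
}

// Constructed title: the concept from the comment, adapted to SQLite syntax.
$title = "injection', (SELECT group_concat(username || ':' || password) FROM user)) -- ";

index_unsafe($db, $title);
print_r(indexed_rows($db));   // body column now holds data read from "user"

$db->exec("DELETE FROM search_index");
index_safe($db, $title);
print_r(indexed_rows($db));   // title column holds the literal string, body is empty
```

A non-empty `body` after the first call is the sign that the subquery was executed as SQL; after the second call the whole string sits in `title` unchanged.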