Hey,
> I haven't had a look if extbase is taking care of it, but please note
> that you should never ever use unescaped/unquoted POST/GET vars in
> queries due to the risk of SQL injections etc.
Exactly. You can use stored procedures for that:

// the ? placeholder is bound to the value from the array, so the value is never spliced into the SQL text
$this->statement('SELECT * FROM foo WHERE title = ?', array('My title'));

Greets,
Sebastian
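
An added example, not from this thread and not Extbase code: it shows the difference between splicing a request variable into the SQL text and binding it as a parameter, which is what the statement() call above does for you. It assumes PDO with an in-memory SQLite database so it runs stand-alone; the table, rows and the request value are constructed for the example.

```php
<?php
// Added example (not from the original thread): interpolating a request
// value into SQL versus binding it to a placeholder.
// Assumes PDO with the SQLite driver; the data below is constructed.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE foo (uid INTEGER PRIMARY KEY, title TEXT)');
$pdo->exec("INSERT INTO foo (title) VALUES ('My title'), ('Other title')");

// Unsafe: the request value becomes part of the SQL text, so a quote
// character inside it changes the structure of the query.
function findByTitleUnsafe(PDO $pdo, string $title): array
{
    $sql = "SELECT * FROM foo WHERE title='" . $title . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Safe: the request value is bound to a ? placeholder and is compared
// as a literal string, never parsed as SQL.
function findByTitleSafe(PDO $pdo, string $title): array
{
    $stmt = $pdo->prepare('SELECT * FROM foo WHERE title = ?');
    $stmt->execute([$title]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed stand-in for $_GET['title']: a value that contains a quote.
$title = "My title' OR '1'='1";

printf("unsafe: %d rows\n", count(findByTitleUnsafe($pdo, $title)));
printf("safe:   %d rows\n", count(findByTitleSafe($pdo, $title)));
```

The unsafe function matches every row, because the quote in the value closes the string literal and the rest of the value becomes part of the WHERE clause; the bound version matches nothing, because no row has that exact title. The same holds for any value that ends up in a query from $_GET, $_POST or a cookie: bind it, do not concatenate it.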