Coder incorrectly advises placeholders in update_sql()
Posted June 20th, 2008 by douggreen in 6.x-1.x-dev, Code, bug report, minor, closed
Getting this error for the .install file of a module I'm porting to D6:
Line 26: In SQL strings, Use db_query() placeholders in place of variables. This is a potential source of SQL injection attacks when the variable can come from user data. (Drupal Docs)
$ret[] = update_sql("INSERT INTO {sequences} VALUES ('{uc_payment_credit}_credit_id', $max)");
I don't particularly care for that syntax of putting variables in strings, but that aside, coder should recognize that this query is being passed to update_sql() instead of db_query() and not advise you to use placeholders. : )
Reference: http://api.drupal.org/api/function/update_sql/6
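The distinction the report asks for, written out as an added example that is not coder's own code: a minimal line checker that flags PHP double-quoted string interpolation only where the callee actually accepts printf-style placeholders (db_query() and friends in Drupal 6), and treats update_sql(), which takes a single finished SQL string, differently. The function lists, the regexes and the sample lines (modelled on the .install snippet quoted above, plus one deliberately unsafe db_query() call) are this example's own assumptions; the choice to still note interpolation in update_sql() is a design decision here, since with no placeholder mechanism the only defence is validating or casting the value before it is interpolated.

```python
import re

# Constructed sample lines (not from the issue's module). Line 0 mirrors the
# quoted .install call; line 1 is a deliberately unsafe db_query() call.
SAMPLE_LINES = [
    '$ret[] = update_sql("INSERT INTO {sequences} VALUES (\'{uc_payment_credit}_credit_id\', $max)");',
    '$result = db_query("SELECT nid FROM {node} WHERE uid = $uid");',
    "$result = db_query('SELECT nid FROM {node} WHERE uid = %d', $uid);",
    '$ret[] = update_sql("ALTER TABLE {uc_payment_credit} ADD COLUMN foo INT");',
]

# Drupal 6 functions that take a query template plus arguments (assumed list).
PLACEHOLDER_FUNCS = ('db_query', 'db_query_range', 'db_query_temporary')
# Functions that take one finished SQL string, so placeholders are not an option.
SINGLE_STRING_FUNCS = ('update_sql',)

# func_name( "literal..."  -- captures callee, quote style and the literal body.
CALL_RE = re.compile(r'\b(\w+)\s*\(\s*(["\'])(.*?)\2')
# PHP interpolates $var, ${var} and {$var} inside double-quoted strings only.
INTERP_RE = re.compile(r'\$\w+|\$\{\w+\}|\{\$\w+\}')


def check_line(line):
    """Return a finding dict for one PHP source line, or None if nothing to report."""
    m = CALL_RE.search(line)
    if not m:
        return None
    func, quote, sql = m.group(1), m.group(2), m.group(3)
    # Single-quoted PHP strings never interpolate variables, so there is nothing to flag.
    if quote != '"' or not INTERP_RE.search(sql):
        return None
    if func in PLACEHOLDER_FUNCS:
        # Placeholders exist for this callee, so interpolation is the wrong tool.
        return {'func': func, 'severity': 'error',
                'advice': 'use db_query() placeholders instead of interpolating variables'}
    if func in SINGLE_STRING_FUNCS:
        # No placeholder support: advise validating/casting the value, not placeholders.
        return {'func': func, 'severity': 'note',
                'advice': 'update_sql() takes a finished string; cast or validate the variable first'}
    return None


def check_lines(lines):
    """Run check_line over a list of source lines; returns (index, finding) pairs."""
    findings = []
    for i, line in enumerate(lines):
        f = check_line(line)
        if f is not None:
            findings.append((i, f))
    return findings


if __name__ == '__main__':
    for i, f in check_lines(SAMPLE_LINES):
        print(f"line {i}: [{f['severity']}] {f['func']}(): {f['advice']}")
```

Run against the sample lines, the db_query() call with "$uid" interpolated is reported as an error, the update_sql() call gets only the casting note rather than placeholder advice, and the single-quoted placeholder query and the constant ALTER TABLE statement produce nothing.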