ralle89
06-07-2009, 09:48 AM
I have this product installed: https://vborg.vbsupport.ru/showthread.php?t=94836
When I go to the admincp to give an award to a user, I wanted to give an award to a guy whose name contains a single quote '.
This is the source:
if ($_POST['do'] == 'dogiveaward')
{
    $vbulletin->input->clean_array_gpc('p', array(
        'award_id' => TYPE_INT,
        'award_name' => TYPE_STR,
        'award_img_url' => TYPE_STR,
        'awarduserid' => TYPE_INT,
        'awardusername' => TYPE_STR,
        'issue_reason' => TYPE_STR,
        'award_sendpm' => TYPE_INT,
    ));

    /*if (!empty($vbulletin->GPC['awarduserid']))
    {
        $user = $db->query_first("
            SELECT userid, username
            FROM " . TABLE_PREFIX . "user
            WHERE userid = " . $vbulletin->GPC['awarduserid'] . "
        ");
    }
    else if (!empty($vbulletin->GPC['awardusername']))
    {*/
        $user = $db->query_first("
            SELECT userid, username
            FROM " . TABLE_PREFIX . "user
            WHERE username = '" . $vbulletin->GPC['awardusername'] . "'
        ");
    //}
You see, it does fix the string before it inserts it, but I still get this error:
Database error in vBulletin 3.8.2:
Invalid SQL:
SELECT userid, username
FROM user
WHERE username = 'bob's';
Isn't vBulletin supposed to fix the awardusername when I tell it to? Or is there something I missed?
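The vulnerable lookup from the post beside a hardened version, as an added example that is neither the awards product's code nor the poster's. It assumes a vBulletin 3.8 admincp context where $vbulletin, $db and TABLE_PREFIX are already set up by the standard includes; everything else is stock vBulletin 3.x API.

```php
<?php
// Added example (not from the awards product or the original post).
// Assumes a vBulletin 3.8 admincp script: $vbulletin, $db and
// TABLE_PREFIX are provided by global.php / adminfunctions.php.

$vbulletin->input->clean_array_gpc('p', array(
    'awarduserid'   => TYPE_INT,
    'awardusername' => TYPE_STR,
));

// TYPE_STR only casts to string and trims it; it never escapes SQL
// metacharacters. A username like bob's therefore reaches the query
// unchanged and the apostrophe terminates the string literal early:
//     WHERE username = 'bob's'
// That is the "Invalid SQL" error from the post, and the same
// unescaped quote is an SQL injection point for whoever can submit
// this form.
$unsafe_sql = "
    SELECT userid, username
    FROM " . TABLE_PREFIX . "user
    WHERE username = '" . $vbulletin->GPC['awardusername'] . "'
";

// Hardened form: escape the value at the point where it is
// interpolated into SQL. $db->escape_string() is the database
// layer's wrapper around mysql_real_escape_string(), so the quote
// becomes \' and the literal stays intact:
//     WHERE username = 'bob\'s'
if (!empty($vbulletin->GPC['awarduserid']))
{
    // TYPE_INT already cast the value to an integer, so a bare
    // interpolation here cannot break out of the query.
    $user = $db->query_first("
        SELECT userid, username
        FROM " . TABLE_PREFIX . "user
        WHERE userid = " . $vbulletin->GPC['awarduserid'] . "
    ");
}
else
{
    $user = $db->query_first("
        SELECT userid, username
        FROM " . TABLE_PREFIX . "user
        WHERE username = '" . $db->escape_string($vbulletin->GPC['awardusername']) . "'
    ");
}
```

The rule this illustrates: the cleaner's TYPE_* constants fix the PHP type of the input, and only the integer types make direct interpolation safe; every string still needs $db->escape_string() when it is spliced into a query.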