Sitealizer plugin vulnerable to SQL injections?

From what I’ve seen after quickly browsing through the sitealizer
(http://sitealizer.rubyforge.org/) source, it’ll make the whole
application vulnerable to SQL-injection attacks. All HTTP params are
passed directly into SQL calls without quoting.