Actually, Ben went through our 3.x codebase and added a bunch of "validate integer" calls to block obvious SQL smuggling attacks.
So yes, I guess a good question is to ask whether or not you're validating your query variables in your custom pages, too, or whether or not a standard page is exploitable because it got missed in Ben's sweep.