I know it's not a SQLi issue, as we're previously verifying that is_numeric( $_GET['block_instances'] ), but just for code sniffing and explicitness it would probably be worth either casting to (int) or passing through intval() inline here where we're using it:
```php
$where .= ' AND post_content LIKE \'%<!-- wp:block {"ref":' . $_GET['block_instances'] . '}%\' ';
```
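To show why the explicit cast is worth having even with the is_numeric() guard in place, here is an added stand-alone example (not code from the PR; the helper name `build_ref_clause_cast` is hypothetical and the raw value is passed in as a parameter instead of read from `$_GET`). It feeds several constructed strings that all satisfy is_numeric() through both the interpolated and the cast form of the clause.

```php
<?php
// Added example, not from the PR. Assumes PHP >= 7.1, where (int) on a numeric
// string in scientific notation ("4.2e1") yields 42; older PHP returned 4.

function build_ref_clause_cast( string $raw ): ?string {
    // Same guard the PR already relies on: anything non-numeric is rejected.
    if ( ! is_numeric( $raw ) ) {
        return null;
    }
    // Explicit cast: whatever passed is_numeric(), only an integer reaches the pattern.
    $ref = (int) $raw;
    return ' AND post_content LIKE \'%<!-- wp:block {"ref":' . $ref . '}%\' ';
}

function build_ref_clause_raw( string $raw ): ?string {
    // The shape being reviewed: the numeric string is interpolated as-is.
    if ( ! is_numeric( $raw ) ) {
        return null;
    }
    return ' AND post_content LIKE \'%<!-- wp:block {"ref":' . $raw . '}%\' ';
}

// Constructed inputs: every one of them is "numeric" to is_numeric(), but only
// the first is the plain integer the block comment actually stores.
$samples = [ '42', ' 42', '42.0', '4.2e1', '1e3', 'abc' ];

foreach ( $samples as $s ) {
    printf( "input=%-8s numeric=%-5s\n", var_export( $s, true ),
        var_export( is_numeric( $s ), true ) );
    printf( "  raw : %s\n", var_export( build_ref_clause_raw( $s ), true ) );
    printf( "  cast: %s\n", var_export( build_ref_clause_cast( $s ), true ) );
}
```

Running it shows the interpolated form emitting patterns such as `{"ref":42.0}` or `{"ref":1e3}` that will never match a stored block comment, while the cast form always emits `{"ref":42}` style values or null, which is the behaviour the cast makes explicit.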