diff --git a/docs/changelog/7.x.x.txt b/docs/changelog/7.x.x.txt
index 47500b6d6..a3418e1ec 100644
--- a/docs/changelog/7.x.x.txt
+++ b/docs/changelog/7.x.x.txt
@@ -3,6 +3,7 @@
  - fixed #11908: Inbox messages linger after deleting a user
  - fixed #11909: Wrong message count in the inbox
  - fixed #11773: Form injection in the EMS event ordering code.
+ - fixed #11773: SQL injection vulnerability in Edit Thing form processing code.
 7.10.2
  - fixed #11884: Editing Templates impossible / Code editor not loaded
diff --git a/lib/WebGUI/Asset/Wobject/Thingy.pm b/lib/WebGUI/Asset/Wobject/Thingy.pm
index 2f6fecd7a..5e6c8ab50 100644
--- a/lib/WebGUI/Asset/Wobject/Thingy.pm
+++ b/lib/WebGUI/Asset/Wobject/Thingy.pm
@@ -2203,7 +2203,7 @@ sub www_editThingSave {
         my $displayInSearch = $self->session->form->process("displayInSearch_".$field->{fieldId}) || 0;
         my $searchIn = $self->session->form->process("searchIn_".$field->{fieldId}) || 0;
-        $self->session->db->write("update Thingy_fields set display = ".$display.", viewScreenTitle = ".$viewScreenTitle.", displayinSearch = ".$displayInSearch.", searchIn = ".$searchIn." where fieldId = ".$self->session->db->quote($field->{fieldId})." and thingId = ".$self->session->db->quote($thingId));
+        $self->session->db->write("update Thingy_fields set display = ?, viewScreenTitle = ?, displayinSearch = ?, searchIn = ? where fieldId = ? and thingId = ?",[$display, $viewScreenTitle, $displayInSearch, $searchIn, $field->{fieldId}, $thingId]);
     }
     return $self->www_manage;
 }
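Review bot: Binding the four flag values closes the injection, but `$display`, `$viewScreenTitle`, `$displayInSearch` and `$searchIn` are still taken from the request with only `|| 0`, so any non-empty string a client submits is written into what look like boolean columns of Thingy_fields; if those columns are 0/1 flags, normalising at the read site, e.g. `my $searchIn = $self->session->form->process("searchIn_".$field->{fieldId}) ? 1 : 0;` (and the same for the other three), keeps the stored values within the expected domain independently of what the driver coerces. The `$display` and `$viewScreenTitle` assignments, and the loop that produces `$field`, start before this hunk inside `www_editThingSave`, so that is where the change would go. The return value of `db->write` is not inspected, which matches the surrounding code, so nothing new is raised there. Separately, the changelog entry added in this commit reuses ticket #11773, the same number the preceding line gives to the EMS form-injection fix; worth confirming the issue number before release.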