- Sub-task
- Resolution: Fixed
- Blocker
- 2.0
- None
- MOODLE_20_STABLE
- MOODLE_20_STABLE
The wiki code is not using SQL query bound parameters properly, for example:
return $DB->get_records_select('wiki_pages', "subwikiid=$swid AND (cachedcontent LIKE '%$search%' OR title LIKE '%$search%')");
We must use ? or :named parameters for all variables; you must not embed variables directly into SQL because there are no magic quotes any more, so there is no way to add quotes even if you wanted to.
Please go through all SQL code in wiki and fix all similar problems there. Please note the official recommended coding style is to type SQL as one "long string in double quotes", not multiple concatenated single-quote strings.
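As an added illustration (not code from the Moodle wiki module or from this report), the same search query rewritten both ways the report asks for: once with positional ? placeholders and once with :named placeholders, each passed through the $params argument of $DB->get_records_select(). It assumes the standard Moodle $DB global and its moodle_database API (get_records_select() with a params array, and sql_like_escape() to neutralise % and _ in user input); the subwiki id and search term are constructed sample values.

```php
<?php
// Added example, not Moodle's own code. Assumes a Moodle $DB global
// (moodle_database) with get_records_select() and sql_like_escape().

// Constructed sample inputs: a subwiki id and a user-typed search term that
// contains both a quote and a LIKE wildcard.
$swid   = 42;
$search = "O'Reilly 100%";

// BEFORE (the pattern the report objects to): variables interpolated straight
// into the SQL string. The quote in $search ends the literal early, and the
// % is treated as a wildcard instead of a character the user typed.
//
//   $DB->get_records_select('wiki_pages',
//       "subwikiid=$swid AND (cachedcontent LIKE '%$search%' OR title LIKE '%$search%')");

// Escape LIKE metacharacters so the term is matched literally, then add the
// surrounding wildcards that implement "contains".
$like = '%' . $DB->sql_like_escape($search) . '%';

// AFTER, variant 1: positional placeholders. The SQL text never contains user
// data; values travel separately and are bound by the driver. Order of the
// array matches the order of the ? marks.
function wiki_search_pages_positional(moodle_database $DB, $swid, $like) {
    $select = "subwikiid = ? AND (cachedcontent LIKE ? OR title LIKE ?)";
    $params = array($swid, $like, $like);
    return $DB->get_records_select('wiki_pages', $select, $params);
}

// AFTER, variant 2: named placeholders. Moodle DML requires each named
// placeholder to be unique, so the same value is bound twice under two names.
function wiki_search_pages_named(moodle_database $DB, $swid, $like) {
    $select = "subwikiid = :swid AND (cachedcontent LIKE :search1 OR title LIKE :search2)";
    $params = array('swid' => $swid, 'search1' => $like, 'search2' => $like);
    return $DB->get_records_select('wiki_pages', $select, $params);
}

// Either call returns the matching wiki_pages records keyed by id.
$pages = wiki_search_pages_named($DB, $swid, $like);
```

Both variants keep the SQL as a single double-quoted string, as the report recommends; the placeholder style is a matter of local preference, but a query must use one style only, never a mix of ? and :name in the same statement.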