Is it safe to state this possible SQL injection can only be executed by logged in users of my FA installation and not by unauthorised visitors crawling by?

Reversing the same line to what was in 2.4.7 does resolve the issue. But why it was changed as you asked?

echo sales_items_list($name, $selected_id, $all_option, $submit_on_change,
        '', array('cells'=>true));

The field will be changed to 255 chars in 2.5.

Joe

CREATE TABLE `0_sql_trail` (
  `id` int(11) unsigned NOT NULL AUTO_INCREMENT,
  `sql` text NOT NULL,
  `result` tinyint(1) NOT NULL,
  `msg` varchar(255) NOT NULL,
  PRIMARY KEY (`id`)
) ENGINE=InnoDB ;

Compare lines 946-7 in includes\ui\ui_lists.inc:

    echo sales_items_list($name, $selected_id, $all_option, $submit_on_change,
        '', array('cells'=>true, 'max'=>50)); // maximum is set to 50 and not default 255.

Why was it reduced to 50 characters?

Commits on 2019-07-04 and 2019-07-18 did this change.

1. Existing DB field is preserved..ie an old invoice of 255 char..all char are displayed and can be saved as is.
2. Editing is allowed only on deleting  the content (some or all) ... Once deleted one cant insert a substitute..even before saving.

I tested with 2.4.7 and its OK. Only 2.4.8 where I faced the problem.

Its easily reproducible. Both my 2.4.7 and 2.4.8 are vanilla.

My test DB is imported  2.4.4 live DB with no changes to the structure of 2.4.7 or .8 default COA empty or demo US db.

And with that, is it reversible once updated to v2.4.8 or are the relating fields in the existing DB trimmed to 50 characters?

I am unable to enter more than 50 char in either SQ or PO or Invoice or Direct Delivery using 2.4.8.
I can enter 255 Char in 2.4.4 without a problem