Thanks for reporting the bug.
In Sources/TPmodules.php find:
// insert the comment
tp_query("INSERT INTO " . $tp_prefix . "variables (value1,value2,value3,type,value4,value5)
VALUES('". $title. "','". $comment. "','$ID_MEMBER','article_comment','$time',$article)", __FILE__, __LINE__);
Replace with this:
// insert the comment
tp_query("INSERT INTO " . $tp_prefix . "variables (value1,value2,value3,type,value4,value5)
VALUES('". mysql_real_escape_string($title). "','". mysql_real_escape_string($comment). "','$ID_MEMBER','article_comment','$time',$article)", __FILE__, __LINE__);