git.evergreen-ils.org Git - working/Evergreen.git/commit
author    scottmk <scottmk@dcc99617-32d9-48b4-a31d-7c20da2025e4>
          Thu, 12 Mar 2009 18:35:05 +0000 (18:35 +0000)
committer scottmk <scottmk@dcc99617-32d9-48b4-a31d-7c20da2025e4>
          Thu, 12 Mar 2009 18:35:05 +0000 (18:35 +0000)
commit    1327e8ca83fbb1730273485ecc2b685354a2cc5a
tree      5330705d1cc8e7c447cea9415eea66efc1198789
parent    81b916dfcdb9d98792c3b47cfbfb9c6308199a83
In searchWHERE(): plugged a security hole that invited SQL injection.

The use of a leading plus sign was originally intended to allow
references to boolean columns in a WHERE clause, without requiring
an explicit comparison to true or false.  E.g. "WHERE col" instead
of the more prosaic "WHERE col = TRUE".

However the old code worked by simply concatenating unsanitized
strings, leaving the door open for SQL injection.

The new code attempts to verify that the last string to be appended
looks like an SQL identifier, with no extra SQL syntax.

git-svn-id: svn://svn.open-ils.org/ILS/trunk@12499 dcc99617-32d9-48b4-a31d-7c20da2025e4
Open-ILS/src/c-apps/oils_cstore.c
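The commit message describes the fix only in outline: before appending a "+col" boolean shorthand to a WHERE clause, check that the string looks like a bare SQL identifier with no extra syntax. The following is an added illustration of that kind of check, written for this page; it is not Evergreen's code and the diff itself is not shown here. The function names (`looks_like_identifier`, `build_bool_where`), the acceptance of a single `schema.column` qualifier, and the sample inputs are all assumptions made for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Evergreen's code.
 * Returns 1 if s is a plain SQL identifier, optionally qualified as
 * "schema.column": every part starts with a letter or underscore and
 * continues with letters, digits or underscores. Spaces, quotes,
 * operators, semicolons, comment markers and a trailing '.' are rejected,
 * which is what keeps "WHERE <s>" from accepting extra SQL syntax. */
int looks_like_identifier(const char *s) {
    if (s == NULL || *s == '\0') return 0;
    int at_part_start = 1;
    for (const char *p = s; *p; ++p) {
        unsigned char c = (unsigned char)*p;
        if (at_part_start) {
            if (!(isalpha(c) || c == '_')) return 0;
            at_part_start = 0;
        } else if (c == '.') {
            at_part_start = 1;          /* next char must begin a new part */
        } else if (!(isalnum(c) || c == '_')) {
            return 0;
        }
    }
    return !at_part_start;              /* reject "schema." with no column */
}

/* Turns the "+col" shorthand into "WHERE col", but only after validation.
 * Returns 1 and fills buf on success; returns 0 and leaves buf untouched
 * when the input lacks the leading '+' or fails the identifier check. */
int build_bool_where(const char *plus_col, char *buf, size_t buflen) {
    if (plus_col == NULL || plus_col[0] != '+') return 0;
    const char *col = plus_col + 1;
    if (!looks_like_identifier(col)) return 0;
    int n = snprintf(buf, buflen, "WHERE %s", col);
    return n > 0 && (size_t)n < buflen;
}

int main(void) {
    /* Constructed sample inputs: two legitimate boolean columns followed by
     * strings that plain concatenation would have passed straight to SQL. */
    const char *inputs[] = {
        "+active",
        "+actor.deleted",
        "+active OR 1=1",
        "+active; DROP TABLE t; --",
        "+1col",
        "+actor.",
    };
    char where[128];
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; ++i) {
        if (build_bool_where(inputs[i], where, sizeof where))
            printf("accepted: %-28s -> %s\n", inputs[i], where);
        else
            printf("rejected: %s\n", inputs[i]);
    }
    return 0;
}
```

The check is deliberately an allow-list: it only has to recognise the one shape the shorthand was meant to carry, so anything outside that shape is refused rather than escaped. Quoted identifiers (`"Mixed Case"`) are not accepted by this version; if the application needed them it would have to parse the quoting explicitly rather than relax the character set.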