potential sql-injection

Across the codebase, on occasions like this there are sql injections which might be abused.