Escape all values interpolated in SQL queries in the Perso controller

One of the parameters was correctly escaped with \Utils::asl() (a wrapper
around addslashes()), but not in the right context: it is only effective when
the value is interpolated in a SQL string.