Escape all values interpolated in SQL queries in the Perso controller
One of the parameters was correctly escaped with \Utils::asl() (a wrapper around addslashes()), but not in the right context: it is only effective when the value is interpolated in a SQL string.