Use query params for user strings

MesaFabApproval.API/Services/MRBService.cs

@@ -212,9 +212,9 @@ public class MRBService : IMRBService {
                 StringBuilder queryBuilder = new();
                 queryBuilder.Append("select (u.FirstName + ' ' + u.LastName) as OriginatorName, m.* ");
                 queryBuilder.Append("from MRB m join Users u on m.OriginatorID = u.UserID ");
-                queryBuilder.Append($"where m.Title = '{title}'");
+                queryBuilder.Append("where m.Title = @Title");
 
-                mrb = (await _dalService.QueryAsync<MRB>(queryBuilder.ToString())).FirstOrDefault();
+                mrb = (await _dalService.QueryAsync<MRB>(queryBuilder.ToString(), new { Title=title })).FirstOrDefault();
 
                 _cache.Set($"mrb{title}", mrb, DateTimeOffset.Now.AddHours(1));
             }

MesaFabApproval.API/Services/PCRBService.cs

@@ -169,9 +169,9 @@ public class PCRBService : IPCRBService {
             if (!bypassCache) pcrb = _cache.Get<PCRB>($"pcrb{title}");
 
             if (pcrb is null) {
-                string sql = $"select * from CCChangeControl where Title='{title}'";
+                string sql = "select * from CCChangeControl where Title=@Title";
 
-                pcrb = (await _dalService.QueryAsync<PCRB>(sql)).FirstOrDefault();
+                pcrb = (await _dalService.QueryAsync<PCRB>(sql, new { Title = title })).FirstOrDefault();
 
                 if (pcrb is not null) {
                     if (string.IsNullOrWhiteSpace(pcrb.OwnerName) && pcrb.OwnerID > 0)