Describe the bug
FindIdsByHref doesn't properly escape input when building queries and allows SQL injection.
I'd prefer to wait until #642 is merged to fix this, since it would inevitably produce conflicts.
Environment
Valid as of b601cdc