refactor(sql): remove QuotedOrNull and convert to prepared statements

[Firehed]

Towards #10241 and #10149 (ish)

Short description of what this resolves:

Removes the duplicate QuotedOrNull function definitions (5 total) and converts the affected SQL queries to use proper prepared statements, fixing a possible SQL injection vulnerability in the process.

Changes proposed in this pull request:

• Remove dead code: QuotedOrNull in add_edit_issue.php and types_edit.php (defined but never called)
• Convert orders_results.php from SQL string concatenation to prepared statements (fixes SQL injection - the QuotedOrNull there did not escape input)
• Remove QuotedOrNull from procedure_order/common.php by inlining the empty-to-null conversion
• Convert eye_mag/save.php lists queries to prepared statements
• Use QueryUtils methods for better error handling via exceptions

Does your code include anything generated by an AI Engine? Yes / No

Yes

If you answered yes: Verify that each file that has AI generated code has a description that describes what AI engine was used and that the file includes AI generated code. Sections of code that are entirely or mostly generated by AI should be marked with a comment header and footer that includes the AI engine used and stating the code was AI.

All commits include Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> trailer. The refactored SQL queries using HEREDOC syntax and QueryUtils were generated with Claude Code assistance.

[codecov]

Codecov Report

❌ Patch coverage is 0% with 107 lines in your changes missing coverage. Please review.
✅ Project coverage is 16.21%. Comparing base (6e88329) to head (4a38698).
⚠️ Report is 24 commits behind head on master.
✅ All tests successful. No failed tests found.

Files with missing lines	Patch %	Lines
interface/orders/orders_results.php	0.00%	56 Missing ⚠️
interface/forms/eye_mag/save.php	0.00%	46 Missing ⚠️
interface/forms/procedure_order/common.php	0.00%	5 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             master   #10573    +/-   ##
==========================================
  Coverage     16.21%   16.21%            
  Complexity    80296    80296            
==========================================
  Files          3653     3653            
  Lines        384216   384036   -180     
==========================================
- Hits          62299    62287    -12     
+ Misses       321917   321749   -168     

Flag	Coverage Δ
apache	13.90% <0.00%> (-0.01%)	⬇️
api	2.48% <0.00%> (+<0.01%)	⬆️
common	0.54% <0.00%> (+<0.01%)	⬆️
controllers	1.90% <0.00%> (-0.01%)	⬇️
e2e	10.55% <0.00%> (-0.01%)	⬇️
email	0.52% <0.00%> (+<0.01%)	⬆️
fixtures	0.49% <0.00%> (+<0.01%)	⬆️
http	?
inferno	?
isolated	2.58% <0.00%> (-0.01%)	⬇️
mariadb11.4	?
mariadb11.8	13.90% <0.00%> (?)
php8.2	16.21% <0.00%> (+13.63%)	⬆️
php8.3	2.58% <0.00%> (-0.01%)	⬇️
php8.4	2.58% <0.00%> (-13.64%)	⬇️
php8.5	2.58% <0.00%> (-0.01%)	⬇️
php8.6	2.58% <0.00%> (-0.01%)	⬇️
services	3.00% <0.00%> (+<0.01%)	⬆️
unit	1.54% <0.00%> (+<0.01%)	⬆️
validators	0.52% <0.00%> (+<0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[kojiromike]

This $form_return variable appears to never be set anywhere in this file. The $form_begin and $form_end are set from $_REQUEST via DateToYYYYMMDD() on lines 648-649, but there's no corresponding assignment for $form_return.

This means returndate has effectively always been NULL in the database. If that's intentional, this refactor correctly preserves that behavior. If not, it might be worth adding:

$form_return = DateToYYYYMMDD($_REQUEST['form_return'] ?? '');

Call it outside scope if you want, but if you don't address it here, please create a ticket.