Whoever wrote that code did not understand the new DML API.
1/ We MUST use bound params for all LIKE searches and all other parameters.
2/ When you pass around $sql fragments, you need to take the $params along with them.
The solution is to fix the completion API to accept $where+$params, not only $where. Somebody has to audit all DML related code there...
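
The pattern both points describe, as an added example that is not part of the original comment and not the project's own code. PDO with in-memory SQLite stands in for the DML layer, and the table, columns and function names (`like_escape`, `name_filter`, `get_tracked_users`) are hypothetical.

```php
<?php
// Added illustration: PDO + in-memory SQLite stand in for the DML layer.
// All table, column and function names here are hypothetical.

/** Escape LIKE wildcards so user input is matched literally. */
function like_escape(string $text, string $esc = '\\'): string {
    // Escape the escape character first, then the two wildcards.
    return str_replace([$esc, '%', '_'], [$esc . $esc, $esc . '%', $esc . '_'], $text);
}

/** Return a WHERE fragment together with the params it needs. */
function name_filter(string $search): array {
    $where  = "name LIKE :search ESCAPE '\\'";
    $params = ['search' => '%' . like_escape($search) . '%'];
    return [$where, $params];
}

/** The consumer takes $where AND $params; it never receives interpolated values. */
function get_tracked_users(PDO $db, string $where = '', array $params = []): array {
    $sql = 'SELECT name FROM users WHERE active = :active';
    if ($where !== '') {
        $sql .= " AND ($where)";
    }
    $stmt = $db->prepare($sql);
    // Caller placeholders must not reuse the name "active".
    $stmt->execute(['active' => 1] + $params);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT, active INTEGER)');
$ins = $db->prepare('INSERT INTO users (name, active) VALUES (?, 1)');
foreach (['alice', 'bob', '100%_done'] as $name) {
    $ins->execute([$name]);
}

// A lone "%" and a quote-laden string are treated as literal text to search for.
foreach (['ali', '%', "x' OR '1'='1"] as $search) {
    [$where, $params] = name_filter($search);
    echo json_encode($search), ' => ', json_encode(get_tracked_users($db, $where, $params)), "\n";
}
```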