added fixmes for sql injection vulnerabilities

ruby/lib/jam_ruby/models/base_search.rb

@@ -102,6 +102,7 @@ module JamRuby
     def self.search_target_class
     end
 
+    # FIXME:  SQL INJECTION
     def _genres(rel, query_data=json)
       gids = query_data[KEY_GENRES]
       unless gids.blank?
@@ -112,6 +113,7 @@ module JamRuby
       rel
     end
 
+    # FIXME:  SQL INJECTION
     def _instruments(rel, query_data=json)
       unless (instruments = query_data[KEY_INSTRUMENTS]).blank?
         instsql = "SELECT player_id FROM musicians_instruments WHERE (("