
#1688 Python3: /common/SQLparsing.py Security Fixes

Approved
open
None
5
2026-02-25
2026-02-25
Al von Ruff
No

SQLGetDisambiguatedRecords:

  • DISAMBIGUATED_RECORD_TYPES whitelist — maps each valid table name to the only (idfield, namefield) pair that may be used with it. Adding a new record type in the future is a deliberate, visible edit to this dictionary rather than a silent pass-through.
  • Whitelist check replaces DB_ESCAPE_STRING on identifiers — the three DB_ESCAPE_STRING calls on table, id_field, and name_field are removed. They were not effective protection: escaping adds backslashes inside string literals, but these values appear as bare identifiers in the query (no surrounding quotes), so the escaping did nothing useful and gave a false sense of safety.
  • Returns [] on mismatch — consistent with what StandardQuery() returns for an empty result set, so callers behave correctly without needing any changes.

SQLTitlesWithPubs:

  • Parameter renamed from title_list (a raw SQL string) to title_ids (a list of IDs).
  • The IN clause is now built inside the function using str(int(tid)) on each element. The int() cast is the key protection — it will raise ValueError on any non-numeric input, making injection structurally impossible regardless of what the caller passes to the seriesClass.py call site.
  • dict_to_in_clause(variantTitles, variantSerials) → list(variantTitles) + list(variantSerials). The intermediate string-building step is eliminated; the dictionary keys (title IDs) are passed directly. The now-unused parent_string variable is also removed.
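The two controls described in this ticket (the identifier whitelist for SQLGetDisambiguatedRecords and the int() cast for the SQLTitlesWithPubs IN clause) as an added, self-contained example; this is not the ticket's patch or ISFDB code. The whitelist contents, the table and column names, the query text and the in-memory SQLite sample data are all constructed for illustration, and the function names are hypothetical.

```python
import sqlite3

# Constructed whitelist for this example: each permitted table maps to the only
# (idfield, namefield) pair that may be used with it. The real ISFDB dictionary
# and its table/column names are not reproduced here.
DISAMBIGUATED_RECORD_TYPES = {
    "authors": ("author_id", "author_canonical"),
    "publishers": ("publisher_id", "publisher_name"),
}


def disambiguated_records_query(table, id_field, name_field):
    """Build the query only when (table, id_field, name_field) is whitelisted.

    The identifiers are interpolated bare into the SQL text (no quotes), so
    escaping them as string literals would do nothing; the whitelist lookup
    is the actual control. Returns None on any mismatch.
    """
    if DISAMBIGUATED_RECORD_TYPES.get(table) != (id_field, name_field):
        return None
    # Constructed query text; only whitelisted names ever reach this line.
    return "select %s, %s from %s order by %s" % (
        id_field, name_field, table, name_field)


def get_disambiguated_records(conn, table, id_field, name_field):
    """Hypothetical stand-in for SQLGetDisambiguatedRecords: [] on mismatch,
    matching what an empty result set would look like to callers."""
    query = disambiguated_records_query(table, id_field, name_field)
    if query is None:
        return []
    return conn.execute(query).fetchall()


def titles_in_clause(title_ids):
    """Comma-joined integer IDs for an IN clause.

    int() raises ValueError for any string that is not an integer, so a
    caller-supplied SQL fragment cannot survive the cast.
    """
    return ",".join(str(int(tid)) for tid in title_ids)


def titles_with_pubs(conn, title_ids):
    """Hypothetical stand-in for SQLTitlesWithPubs taking a list of IDs."""
    title_ids = list(title_ids)
    if not title_ids:
        return []  # "in ()" is a syntax error, so handle the empty case here
    # Constructed query text; the IN clause is built from cast integers only.
    query = ("select title_id, title_title from titles where title_id in (%s) "
             "order by title_id" % titles_in_clause(title_ids))
    return conn.execute(query).fetchall()


def build_sample_db():
    """Constructed in-memory schema and rows so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        create table authors (author_id integer, author_canonical text);
        insert into authors values (1, 'Asimov, Isaac'), (2, 'Asimov, Isaac (I)');
        create table titles (title_id integer, title_title text);
        insert into titles values (10, 'Foundation'), (11, 'Foundation and Empire'),
                                  (12, 'Second Foundation');
    """)
    return conn


if __name__ == "__main__":
    conn = build_sample_db()
    print(get_disambiguated_records(conn, "authors", "author_id", "author_canonical"))
    # Wrong field pairing and non-whitelisted table both yield [] without a query.
    print(get_disambiguated_records(conn, "authors", "author_id", "publisher_name"))
    print(get_disambiguated_records(conn, "sqlite_master", "type", "name"))
    print(titles_with_pubs(conn, ["12", 10]))
    try:
        titles_in_clause(["10 or 1=1"])
    except ValueError as exc:
        print("rejected:", exc)
```

Note that int() accepts Python bools and floats (int(3.9) is 3), so the cast rejects hostile strings but silently truncates numeric non-integers; if the call sites can ever pass floats, a stricter type check on each element is the place to add it.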
