MantisBT: master 3be86ce3

Author: Paul Richards
Committer: dregad
Branch: master
Timestamp: 2014-01-17 11:24
Parent: master a6a3a136
Affected Issues: 0016879: CVE-2014-1608: soap:Envelope SQL injection attack
Changeset

Fix CVE-2014-1608: mc_issue_attachment_get SQL injection

Use of db_query() instead of db_query_bound() allowed SQL injection
attacks due to unsanitized use of parameters within the query when using
the SOAP API mc_issue_attachment_get.

This issue was reported by e-mail by Andrea Barisani from oCERT, on
behalf of Martin Herfurt martin.herfurt@nruns.com, a security
researcher at n.runs professionals GmbH, who discovered the issue
during an audit at a customer's site.

Fixes 0016879

Signed-off-by: Damien Regad dregad@mantisbt.org

mod - api/soap/mc_file_api.php
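The pattern the commit message describes, as an added illustration that is not the commit's own diff nor MantisBT code: an attachment id spliced into the SQL text (the db_query() misuse) next to the same lookup with the value bound separately (what db_query_bound() does). The sqlite3 table, rows and function names are constructed for this example.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for an attachment table (not MantisBT's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE bug_file (id INTEGER, bug_id INTEGER, filename TEXT)")
    conn.executemany(
        "INSERT INTO bug_file VALUES (?, ?, ?)",
        [(1, 100, "public.txt"), (2, 200, "restricted.pdf")],
    )
    return conn


def attachment_get_interpolated(conn, file_id):
    """Vulnerable pattern: the caller-supplied id becomes part of the SQL text,
    so whatever the SOAP client sends is parsed as SQL, not treated as a value."""
    query = f"SELECT id, bug_id, filename FROM bug_file WHERE id = '{file_id}'"
    return conn.execute(query).fetchall()


def attachment_get_bound(conn, file_id):
    """Fixed pattern: a placeholder in the SQL text and the value passed to the
    driver separately, so the value can never change the query's structure."""
    query = "SELECT id, bug_id, filename FROM bug_file WHERE id = ?"
    return conn.execute(query, (file_id,)).fetchall()


def compare(file_id):
    """Run both variants on the same input and return (rows_interpolated, rows_bound).
    Useful as a regression check: for a benign id both agree; for a malformed id
    only the interpolated variant can return rows the caller did not ask for."""
    conn = make_db()
    return attachment_get_interpolated(conn, file_id), attachment_get_bound(conn, file_id)


if __name__ == "__main__":
    print(compare("1"))
    # A malformed id that is not a valid integer: the bound variant matches nothing.
    print(compare("1' OR '1'='1"))
```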