When you clicked the button to make the above forum post did you see the bit saying
DO NOT REPORT NEW VULNERABILITIES HERE!
New security issues should be reported in the Moodle Tracker with an appropriate security level.
However, I don't understand what issue you think you have found. What makes "IBM Security AppScan" think there is any SQL injection there? (If there really is an issue, please do not explain here. Explain it in a security issue in the tracker.)