close security holes in patron search autocompletion
* Added authorization check - user must have a valid
session cookie to use this feature; before this change,
anybody could use circ/ysearch.pl to retrieve the entire
patron directory without authorization.
* (bug 1953) now uses SQL placeholders
Note: this does, unfortunately, noticeably slow down autocompletion;
this indicates a need for factoring of C4::Auth to make authentication
for AJAX scripts as fast as possible.
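
The two fixes named in this commit message, modelled as an added Python example (not the Perl in circ/ysearch.pl and not the project's code): the endpoint refuses to query without a valid session, and the search term is bound through a placeholder. The `patrons` table, its columns, the `session_id` cookie name and the in-memory session store are hypothetical stand-ins.

```python
import sqlite3

# Constructed sample data: hypothetical session store (session id -> user).
SESSIONS = {"sess-valid-1": "staff1"}
SESSION_COOKIE = "session_id"  # hypothetical cookie name


def make_db():
    """Build an in-memory patron table with constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE patrons (surname TEXT, firstname TEXT)")
    db.executemany(
        "INSERT INTO patrons VALUES (?, ?)",
        [("Smith", "Ann"), ("Smythe", "Bo"), ("Jones", "Cy")],
    )
    return db


def escape_like(term):
    """Escape LIKE wildcards: a placeholder stops SQL injection, but a bound
    '%' or '_' is still a pattern character unless it is escaped."""
    return term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def autocomplete(db, cookies, query, limit=10):
    """Return (http_status, rows) for a surname-prefix search."""
    # Authorization first: no valid session, no database access at all.
    if cookies.get(SESSION_COOKIE) not in SESSIONS:
        return 403, []
    # The term and the limit are bound, never interpolated into the SQL text.
    sql = (
        "SELECT surname, firstname FROM patrons "
        "WHERE surname LIKE ? ESCAPE '\\' ORDER BY surname LIMIT ?"
    )
    rows = db.execute(sql, (escape_like(query) + "%", limit)).fetchall()
    return 200, rows


if __name__ == "__main__":
    db = make_db()
    good = {SESSION_COOKIE: "sess-valid-1"}
    print(autocomplete(db, {}, "Sm"))             # unauthenticated caller
    print(autocomplete(db, good, "Sm"))           # normal prefix search
    print(autocomplete(db, good, "' OR '1'='1"))  # treated as a literal term
```

The session lookup here is a dictionary access; in a real application it is the per-request cost the note above refers to.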