mantisbt-plugins / ServiceLevel

MantisBT Plugin: Additional SLA Related Analysis Screens

Replace occurrences of deprecated `db_query` API #2

Open dregad opened 10 years ago

dregad commented 10 years ago

In MantisBT 1.3, the db_query() function will be removed from the API (see mantisbt/mantisbt#128). The following occurrences have been found in this plugin; they should be replaced by db_query_bound() calls:

pages/evaluation_page.php:150:      $result = db_query( $query );
pages/evaluation_page.php:162:      $result = db_query( $query );
pages/evaluation_page.php:221:      $result = db_query( $query );
pages/evaluation_page.php:239://        $result = db_query( $query );
pages/evaluation_page.php:266:      $result = db_query( $query );
pages/evaluation_api.php:136:// $result = db_query( $query);
pages/evaluation_api.php:146:// $result = db_query( $query);
pages/evaluation_api.php:196:   $result = db_query($query_submitted );
pages/evaluation_api.php:204:       $result = db_query(str_replace("%VIEW%", "view_$state", $query_byview)  );
pages/evaluation_api.php:296:       $result = db_query($query_submitted );
pages/evaluation_api.php:303:           $result = db_query(str_replace("%VIEW%", "view_$state", $query_byview)  );
pages/evaluation_api.php:399:   $result = db_query($query_submitted );
pages/evaluation_api.php:408:       $result = db_query(str_replace("%VIEW%", "view_$state", $query_byview)  );
dregad commented 10 years ago

It's worth mentioning that simply replacing the function call is not sufficient; to avoid the risk of SQL injection attacks, any inline query parameters should be replaced by calls to db_param(). For example:

// $p_id is interpolated directly into the SQL text (vulnerable as-is)
$t_query = "SELECT * FROM $table WHERE id = '$p_id'";
db_query($t_query);

Would become

// db_param() emits a placeholder; the value is supplied separately as a bound parameter
$t_query = "SELECT * FROM $table WHERE id = '" . db_param() . "'";
db_query_bound($t_query, array( $p_id ) );
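The migration above carried through on a query shaped like the `%VIEW%` / `$query_byview` calls listed in the first comment, as an added example that is not part of this issue, the plugin, or MantisBT itself. It assumes the MantisBT 1.2 database API (db_param(), db_query_bound(), db_fetch_array()); the function names, column names, and the state-to-view whitelist are hypothetical. It goes one step beyond the comment's example: the view name is an identifier, which a bound parameter cannot replace, so it is whitelisted rather than interpolated.

```php
<?php
// Added example (not the plugin's or MantisBT's own code) applying the
// db_query() -> db_query_bound() migration to a query shaped like the
// str_replace("%VIEW%", ...) calls in pages/evaluation_api.php.
// Assumes MantisBT 1.2 API: db_param(), db_query_bound(), db_fetch_array().
// Function names, column names and the state->view map are hypothetical.

// BEFORE: $p_project_id, $p_from, $p_to and $p_state are spliced into the
// SQL text, so a crafted value is executed as SQL.
function plugin_evaluation_count_unbound( $p_project_id, $p_from, $p_to, $p_state ) {
	$query_byview = "SELECT COUNT(*) AS cnt FROM %VIEW%"
		. " WHERE project_id = $p_project_id"
		. " AND date_submitted BETWEEN $p_from AND $p_to";
	$result = db_query( str_replace( '%VIEW%', "view_$p_state", $query_byview ) );
	$t_row = db_fetch_array( $result );
	return (int)$t_row['cnt'];
}

// AFTER: every value goes through db_param() and is passed in the array, in
// the same order as the placeholders appear in the query. The view name is an
// identifier and cannot be bound, so $p_state is mapped through a fixed
// whitelist instead of being interpolated.
function plugin_evaluation_count_bound( $p_project_id, $p_from, $p_to, $p_state ) {
	// Hypothetical whitelist of the views the plugin is allowed to read.
	$t_views = array(
		'open'     => 'view_open',
		'resolved' => 'view_resolved',
		'closed'   => 'view_closed',
	);
	if( !isset( $t_views[$p_state] ) ) {
		throw new InvalidArgumentException( 'Unknown evaluation state: ' . $p_state );
	}
	$t_view = $t_views[$p_state];

	// Call db_param() once per placeholder; values are matched positionally.
	$t_query = "SELECT COUNT(*) AS cnt FROM $t_view"
		. " WHERE project_id = " . db_param()
		. " AND date_submitted BETWEEN " . db_param() . " AND " . db_param();
	$result = db_query_bound(
		$t_query,
		array( (int)$p_project_id, (int)$p_from, (int)$p_to )
	);
	$t_row = db_fetch_array( $result );
	return (int)$t_row['cnt'];
}
```

Two points a practitioner will want when working through the list in the first comment: the `view_$state` substitutions need a whitelist like the one above, since no amount of parameter binding protects an identifier that is concatenated into the query; and db_param() should be called afresh for each placeholder rather than stored in a variable and reused, because on drivers that use numbered placeholders each call yields the next one.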