MDL-46148 qtype_calculated: low-level defence against bad formulas

This catches things like:
 * Malicious equations coming from backup files.
 * Malicious equations in old questions in the database.

question/type/calculated/question.php

@@ -419,6 +419,10 @@ public function get_values() {
      * @return float the computed result.
      */
     public function calculate($expression) {
+        // Make sure no malicious code is present in the expression. Refer MDL-46148 for details.
+        if ($error = qtype_calculated_find_formula_errors($expression)) {
+            throw new moodle_exception('illegalformulasyntax', 'qtype_calculated', '', $error);
+        }
         return $this->calculate_raw($this->substitute_values_for_eval($expression));
     }