jgaskins / perpetuity-postgres

Postgres adapter for Perpetuity
MIT License

SQL-injection protection #3

Closed jgaskins closed 10 years ago

jgaskins commented 11 years ago

All strings that can come from user input need to be filtered before being sent to the DB. AFAIK, we just need to escape the closing quote for those particular strings.

A few examples:

pg.find(Person, "' OR TRUE; --") # Generates %q{SELECT * FROM "Person" WHERE id = '' OR TRUE; --'}
pg.retrieve Person, pg.query { |o| o.email == "' OR TRUE; --" }.to_db # Generates %q{SELECT * FROM "Person" WHERE email = '' OR TRUE; --'}

If we run them through the TextValue, JSONStringValue or the yet-to-be-created TableName classes and put the filtering in there, that'll be a good start.

jgaskins commented 11 years ago

We now have TableName, TextValue, and JSONStringValue that can filter out characters that can wreck data.

I'm keeping this issue open because they currently don't perform this filtering.