engine查询增加参数化选项，修改sql参数化方式

[hhyo]

背景

• 解决非mysql的数据库查询参数处理过程中存在的SQL注入风险，主要是涉及可由用户传递库、表名等动态参数信息的地方
• 由于各类数据库参数化处理逻辑不完全一致，并未直接使用MySQLdb.escape_string处理

调整内容

• 增加escape_string方法，用于处理字符串参数化转义（仅适用于 mysql），主要是为了统一mysql转义入口（最新版的mysqlclient已经移除了escape_string方法：https://github.com/PyMySQL/mysqlclient/pull/511）
• engine的query、execute方法中扩展parameters参数，用于传递语句参数信息
• 修改engine内使用格式化动态参数的方法，调整为参数化方式

涉及数据库

• mysql、mssql、pgsql、oracle、clickhouse、phoenix

涉及模块

• SQL优化、数据查询、数据字典、数据库管理、实例用户管理、会话管理等

测试

• 针对调整的数据库重点进行了数据查询、变更工单、数据字典三个模块的测试
• mysql额外测试了参数管理、数据库管理、实例用户管理、SQL优化等可能受影响的模块
• phoenix 暂未测试

其他

• 查询、工单传递的SQL内容本身就是需要直接执行的语句，未做处理

关联问题

• SQL injection in sql_optimize.py explain method GHSL-2022-108
• SQL injection in sql_optimize.py optimize_sqltuningadvisor method GHSL-2022-107
• SQL injection in data_dictionary.py table_info method GHSL-2022-106
• Multiple SQL injections in sql/data_dictionary.py table_list method GHSL-2022-105
• Multiple SQL injections in sql/instance.py param_edit method GHSL-2022-104
• SQL injection in sql_api/api_workflow.py endpoint ExecuteCheck post method passing unsafe input to sql/engines/oracle.py explain_check method GHSL-2022-103
• Multiple SQL injections in sql_api/api_workflow.py endpoint ExecuteCheck post method GHSL-2022-102
• SQL injection in sql/instance.py endpoint describe method GHSL-2022-101

参考：https://peps.python.org/pep-0249/#paramstyle

[codecov]

Codecov Report

Patch coverage: 55.83% and project coverage change: +0.01 🎉

Comparison is base (efbaa81) 75.43% compared to head (f01d1ec) 75.44%.

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #2112      +/-   ##
==========================================
+ Coverage   75.43%   75.44%   +0.01%     
==========================================
  Files         103      103              
  Lines       15105    15133      +28     
==========================================
+ Hits        11394    11417      +23     
- Misses       3711     3716       +5     

Impacted Files	Coverage Δ
sql/engines/phoenix.py	0.00% <0.00%> (ø)
sql/instance_account.py	10.59% <0.00%> (ø)
sql/instance_database.py	18.27% <0.00%> (ø)
sql/sql_optimize.py	58.37% <0.00%> (-0.87%)	⬇️
sql/tests.py	98.88% <ø> (ø)
sql_api/api_instance.py	69.49% <0.00%> (ø)
sql/instance.py	51.58% <25.00%> (-0.27%)	⬇️
sql/engines/oracle.py	50.68% <36.36%> (ø)
sql/engines/mssql.py	69.90% <57.89%> (-0.30%)	⬇️
sql/engines/mysql.py	77.74% <63.15%> (+0.76%)	⬆️
... and 8 more

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

☔ View full report in Codecov by Sentry.
📢 Do you have feedback about the report comment? Let us know in this issue.

[LeoQuote]

还得是大佬, 一出手全修了

[hhyo]

还得是大佬, 一出手全修了

得空review一下... 整这些测试环境老费事