Use parameterized queries in SQL connectors

[bajtos]

We should use parameterized SQL commands instead of string concatenation in all our SQL-based connectors.

Advantages:

• No space for introducing SQL injection vulnerabilities. All user-provided values are always encoded by the SQL engine.
• Parameterized SQL queries have significantly better performance, as the same querying plan can be used for all queries independently of parameter values. For queries built manualy via string concatenation, at least some SQL servers (MS SQL, IIRC) will build a new querying plan for each statement.

Connectors to fix:

• loopback-connector-mysql
• loopback-connector-postgresql
• loopback-connector-oracle
• loopback-connector-mssql

[raymondfeng]

The newly released 2.x connectors use parameterized SQL.