Fix SQL injection vulnerability by removing string interpolation
SECURITY: Remove buildQueryWithParams() which did dangerous string
interpolation of user-provided values before CDC hooks fired.
Changes:
- Add ExecutionRequest type to coordinator for local execution params
- Update ConnectionHandler.HandleQuery to accept params []interface{}
- Thread params through CoordinatorHandler and ReadOnlyHandler
- Update db.ExecContext to use variadic args for prepared statements
- Delete vulnerable functions: buildQueryWithParams, formatParam, escapeString
Architecture:
- Wire protocol params now passed directly to SQLite prepared statements
- DML uses row data (OldValues/NewValues) for CDC, not SQL - already safe
- DDL uses raw SQL (no user params) - already safe
- All replica replay paths verified to use parameterized queries
Tests:
- Add parameterized_query_test.go with SQL injection prevention tests
- Add CDC contract tests verifying Statement has no Params field
- Update existing tests to use new HandleQuery signature
???? Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <
[email protected]>
