
Docs for SQL parameterization are a security risk

Open roganjoshp opened this issue 6 months ago • 0 comments

The information contained here: https://github.com/NHSDigital/rap-community-of-practice/blob/main/docs/training_resources/python/using-f-strings-sql-queries.md is bad practice across the industry. You do not use f-strings to parameterise SQL queries. This is open to SQL Injection, which remains one of the biggest attack vectors across the industry.

Parameterization is standardised in the DB API with the various token options here.

If you want to pass parameters to pandas for execution, then you can use this. Specifically, the params argument to pd.read_sql_query.

roganjoshp avatar Jul 11 '25 12:07 roganjoshp
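As an added example, not code from the issue or from the NHSDigital repository, here is the f-string pattern the issue objects to next to the DB-API placeholder form, run against a constructed in-memory SQLite table (`patients` is an assumed name). The `params` mapping passed to the driver in `query_safe_named` is the same shape that `pd.read_sql_query(sql, conn, params=...)` forwards on.

```python
import sqlite3


def make_db():
    """Build a small constructed sample table in memory (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (id INTEGER, name TEXT, region TEXT)")
    conn.executemany(
        "INSERT INTO patients VALUES (?, ?, ?)",
        [(1, "Ada", "north"), (2, "Grace", "south"), (3, "Linus", "north")],
    )
    return conn


def query_unsafe(conn, region):
    """The pattern the issue warns against: the caller's value is spliced
    into the SQL text, so quote characters in it become part of the statement."""
    sql = f"SELECT id FROM patients WHERE region = '{region}'"
    return [row[0] for row in conn.execute(sql)]


def query_safe(conn, region):
    """DB-API qmark placeholder: the driver sends the value separately, so it
    is only ever compared as data and never parsed as SQL."""
    sql = "SELECT id FROM patients WHERE region = ?"
    return [row[0] for row in conn.execute(sql, (region,))]


def query_safe_named(conn, region):
    """DB-API named placeholder; the mapping is what pandas' params= accepts."""
    sql = "SELECT id FROM patients WHERE region = :region"
    return [row[0] for row in conn.execute(sql, {"region": region})]


# A constructed input containing a quote. With the f-string it rewrites the
# WHERE clause and returns every row; with placeholders it simply matches nothing.
HOSTILE = "north' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("unsafe, normal :", query_unsafe(db, "north"))   # [1, 3]
    print("unsafe, hostile:", query_unsafe(db, HOSTILE))   # [1, 2, 3]
    print("safe,   hostile:", query_safe(db, HOSTILE))     # []
    print("named,  normal :", query_safe_named(db, "north"))  # [1, 3]
```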