
Warn when PQexec is called with a non-constant to warn about SQL injection in PostgreSQL

Open david-a-wheeler opened this issue 2 years ago • 0 comments

Warn when PostgreSQL's PQexec is called with a non-constant, to warn about SQL injection.

The PostgreSQL libpq C interface provides several functions, as explained in the PostgreSQL (Command Execution Functions) documentation:

  • PQexec directly runs a single string command and returns a result.
  • PQexecParams implements a parameterized statement. Placeholders are represented in the command as $1, $2, etc., and the parameter values are supplied as separate parameters in the same call.
  • PQprepare implements a prepared statement. It takes a statement with placeholders and submits it to the database to be prepared. Users can later use the separate PQexecPrepared call to provide the placeholder parameter values and execute the resulting command.

Users should use the latter two for non-constant queries.

david-a-wheeler, May 26 '22 16:05
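A sketch of the check this issue asks for, added here as an example and not flawfinder's own code: it scans C source text for `PQexec` calls whose command argument is not built purely from string literals and reports them as injection candidates. The `SAMPLE` libpq fragment is constructed, and the helper names are hypothetical.

```python
import re

# Hypothetical flawfinder-style rule (added example, not flawfinder's code): flag
# PQexec() calls whose command argument is not only compile-time string literals.
# It works on raw text and ignores comments and macros; a real rule would tokenize.
_CALL_RE = re.compile(r'\bPQexec\s*\(')
_LITERAL_ONLY_RE = re.compile(r'^(?:\s*"(?:[^"\\]|\\.)*")+\s*$')

def _split_args(src, lparen):
    """Split the call whose '(' is at src[lparen] into top-level args."""
    depth, in_str, args, cur, i = 0, False, [], [], lparen + 1
    while i < len(src):
        c = src[i]
        if in_str:
            if c == '\\' and i + 1 < len(src):   # keep an escape with its char
                cur.append(src[i:i + 2]); i += 1
            else:
                cur.append(c); in_str = c != '"'
        elif c == ')' and depth == 0:             # end of the call
            args.append(''.join(cur).strip())
            return args
        elif c == ',' and depth == 0:             # top-level separator
            args.append(''.join(cur).strip()); cur = []
        else:
            in_str = c == '"'
            depth += (c in '([{') - (c in ')]}')  # nested brackets
            cur.append(c)
        i += 1
    return args  # unterminated call: return what was collected

def find_nonconstant_pqexec(src):
    """Return (line, command_arg) for each PQexec whose command is not a literal."""
    hits = []
    for m in _CALL_RE.finditer(src):
        args = _split_args(src, m.end() - 1)
        if len(args) >= 2 and not _LITERAL_ONLY_RE.match(args[1]):
            hits.append((src.count('\n', 0, m.start()) + 1, args[1]))
    return hits
# Constructed libpq snippet: r1/r2 are constants, r3 is unsafe, r4 is the safe form.
SAMPLE = '''PGresult *r1 = PQexec(conn, "SELECT now()");
PGresult *r2 = PQexec(conn, "SELECT id FROM t "
                            "WHERE flag = 1");
snprintf(buf, sizeof buf, "SELECT * FROM users WHERE name = '%s'", name);
PGresult *r3 = PQexec(conn, buf);
PGresult *r4 = PQexecParams(conn, "SELECT * FROM users WHERE name = $1", 1, NULL, &name, NULL, NULL, 0);
'''

if __name__ == "__main__":
    for line, arg in find_nonconstant_pqexec(SAMPLE):
        print(f"line {line}: PQexec command {arg!r} is not a constant; use PQexecParams")
```

Adjacent literals spanning several lines (r2) are accepted as constant, while `PQexecParams` is never matched because the pattern requires `(` directly after `PQexec`.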