Move parameters merging to the backend and make it safe

Currently the way parameters work in Redash is that we use the query text as a Mustache template and merge the parameter values with it before running the query.

This very simple implementation has one major issue: it’s open to SQL injections. It’s a non issue when a “regular” Redash user uses parameters, as they can run any query anyway. But it limits the use of parameters to users with full access to the data source.

To provide any user with the ability to use parameters, we need to change our implementation to make it safe and SQL injections proof.

The idea is:

1. Change the API to handle all parameters merging in the backend (today we send the final query from frontend).
2. Make the API safe.

While every database driver we use (that supports DB-API) has its own way of taking query text with parameters, it’s better that we find a single way that is DB agnostic. Also need to remember that some of our datasources take queries as JSON/YAML.

It’s also preferable that we can support current parameters syntax ({{ parameter }}), but we don’t have to support the full range of Mustache functions (although it can be nice).

Some “prior art” that might be useful:

1. https://github.com/hashedin/jinjasql
2. sqlalchemy.sql.expression.text
3. psycopg2.sql module
4. https://github.com/deadpixi/dpdb