
Querly v1.4.2


@GamalAnwar GamalAnwar released this 25 Jun 00:16

🔒 Security fix

SQL injection hardening

Fixed a second-order SQL injection vector in filter chips and SQL
statement builders. On MySQL (where backslash is an escape character
inside string literals), a cell value containing a trailing backslash
could break out of the literal and append arbitrary SQL — turning a
column filter into a data leak.

  • New sqlEscapeLiteralBody() — doubles backslashes on MySQL
    but not on Postgres/SQLite (standard-conforming strings — doubling
    would silently corrupt stored values)
  • All statement builders (UPDATE, INSERT, DELETE,
    DUPLICATE) now accept a dialect parameter
  • Filter clause builder propagates dialect to value-list
    IN (...) generation and single-value filters
  • Numeric IN-list guard — values on "numeric" columns are now
    validated as parseable numbers before emitting unquoted, blocking
    raw SQL injection via non-numeric tokens

Reported via internal audit — no known exploit in production.
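As an added illustration of the two fixes above (example code, not Querly's own; every name except sqlEscapeLiteralBody is an assumption): the dialect-aware escaper next to the pre-fix quote-only version, a small lexer that applies MySQL's backslash rules to show where a literal actually ends, and a strict guard for unquoted numeric IN lists.

```javascript
// Added example, not Querly's code. Only sqlEscapeLiteralBody is a name from
// the release note; every other function and the regex are assumptions.

// Body of a quoted string literal: quotes are doubled everywhere; backslashes
// are doubled only for MySQL, where they are escape characters. On
// Postgres/SQLite (standard-conforming strings) a backslash is ordinary text.
function sqlEscapeLiteralBody(value, dialect) {
  let body = String(value).replace(/'/g, "''");
  if (dialect === 'mysql') body = body.replace(/\\/g, '\\\\');
  return body;
}

// Pre-fix behaviour for comparison: quote doubling only, regardless of dialect.
function legacyEscape(value) {
  return String(value).replace(/'/g, "''");
}

// Index just past the closing quote of the literal starting at sql[0], using
// MySQL lexing (backslash escapes the next char, '' is a quote); -1 if unclosed.
function mysqlLiteralEnd(sql) {
  let i = 1;
  while (i < sql.length) {
    const c = sql[i];
    if (c === '\\') { i += 2; continue; }
    if (c === "'") {
      if (sql[i + 1] === "'") { i += 2; continue; }
      return i + 1;
    }
    i += 1;
  }
  return -1;
}

// True when the quoted value closes exactly where the builder intended.
function literalIsContained(value, escapeFn) {
  const literal = `'${escapeFn(value)}'`;
  return mysqlLiteralEnd(literal) === literal.length;
}

// Strict numeric check for unquoted IN (...) lists. Number() alone is too
// permissive: Number('') is 0 and Number('0x10') is 16.
const NUMERIC = /^-?(\d+\.?\d*|\.\d+)([eE][-+]?\d+)?$/;
function buildNumericInClause(column, values) { // column comes from the schema
  for (const v of values) {
    if (!NUMERIC.test(String(v).trim())) throw new TypeError(`non-numeric IN value: ${JSON.stringify(v)}`);
  }
  return `${column} IN (${values.map((v) => String(v).trim()).join(', ')})`;
}
```

With a value ending in a backslash, legacyEscape yields a literal that never closes under MySQL rules, while the dialect-aware body closes where expected; the same value passes through unchanged for Postgres.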