Support parameter binding in db.query() #18

@findolor

  • Add parameter binding support to db.query(sql, params) so callers can pass replacements for ?/?1 placeholders when
    executing SQL.
  • Currently only raw SQL strings are supported; developers must manually interpolate values, which is error-prone and
    insecure (risk of SQL injection, data formatting issues).
  • Accept arrays as the second argument (e.g., await db.query('INSERT ... VALUES (?1)', ['not_a_number'])) and bind them
    in order to the positional placeholders.
  • Preserve existing behavior when no params are provided; reject mismatched counts (extra placeholders or params) with
    clear errors.
  • Update documentation/examples to show the new overload; add tests covering simple insert/update queries and type
    conversion edge cases.
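
One way the mismatched-count check requested above could work, as an added example that is not the project's code. It assumes SQLite-style numbering (a bare `?` takes the slot after the highest index seen so far) and ignores `?` inside quoted literals and comments; `countPlaceholders` and `checkBindings` are hypothetical names.

```javascript
// Hypothetical helper (not the project's code): returns how many positional
// parameters a statement expects, ignoring '?' inside literals and comments.
function countPlaceholders(sql) {
  let i = 0, highest = 0;
  while (i < sql.length) {
    const c = sql[i], next = sql[i + 1];
    if (c === "'" || c === '"') {
      // Skip to the closing quote; a doubled quote is an escaped quote.
      i++;
      while (i < sql.length && (sql[i] !== c || sql[++i] === c)) i++;
    } else if (c === '-' && next === '-') {
      while (i < sql.length && sql[i] !== '\n') i++;   // line comment
    } else if (c === '/' && next === '*') {
      const end = sql.indexOf('*/', i + 2);            // block comment
      i = end === -1 ? sql.length : end + 2;
    } else if (c === '?') {
      let j = i + 1;
      while (j < sql.length && sql[j] >= '0' && sql[j] <= '9') j++;
      // '?N' names slot N; a bare '?' takes the slot after the highest so far.
      const n = j > i + 1 ? Number(sql.slice(i + 1, j)) : highest + 1;
      if (n < 1) throw new Error('placeholder index must be >= 1');
      highest = Math.max(highest, n);
      i = j;
    } else {
      i++;
    }
  }
  return highest;
}

// Hypothetical pre-flight check for db.query(sql, params).
function checkBindings(sql, params) {
  if (params === undefined) return null;   // no params: keep raw-SQL behaviour
  if (!Array.isArray(params)) throw new TypeError('params must be an array');
  const expected = countPlaceholders(sql);
  if (expected !== params.length) {
    throw new Error(`expected ${expected} parameter(s), got ${params.length}`);
  }
  return expected;                          // number of values to bind
}
```

Because the values never become part of the SQL text, an input such as `'not_a_number'` reaches the database as data and any type conversion problem surfaces as a bind or constraint error rather than as altered SQL.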
