Refactor: parameterize SQL query values #212

Open
dihenker wants to merge 1 commit into googleapis:main from dihenker:main

Conversation

@dihenker dihenker commented Jun 3, 2026

Summary

This PR updates query construction to use parameterized values instead of embedding values directly into SQL strings.

Previously, some queries injected values using Python f-strings. This led to malformed SQL when values contained characters that require escaping (e.g. single quotes in strings). By using query parameters, value escaping and binding are delegated to the database driver.

Motivation

A concrete example is a value such as:

ref_doc_id = "O'Brien"

When embedded directly into a query string, the resulting SQL can become invalid because the single quote terminates the string literal prematurely. This was the case during deletion of nodes from vector and doc stores.

Using parameterized queries allows these values to be handled correctly without manual escaping and reduces the risk of SQL injection vulnerabilities.

Changes

  • Replaced direct value injection with parameterized query arguments.
  • Updated affected query execution paths to bind values through the database driver.
  • Preserved existing query behavior and query structure.
  • Updated __afetch_query to accept query params.

Notes

This change only parameterizes query values.

Table names, column names, and other SQL identifiers are still dynamically constructed where required, as database parameterization mechanisms generally do not support binding identifiers. Existing handling of dynamic identifiers remains unchanged.

Benefits

  • Correctly handles values containing quotes and other special characters.
  • Reduces reliance on manual escaping.
  • Improves query safety by using the database driver's parameter binding.
  • Makes query construction more consistent and maintainable.
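The difference the PR describes, shown side by side as an added example that is not the project's own code: a 'before'-style delete that interpolates `ref_doc_id` into the SQL text, and an 'after'-style delete that binds the value as a driver parameter. The schema, rows, and the `quote_identifier` helper are constructed for the demonstration; it runs against Python's bundled sqlite3 so it works offline, and the PostgreSQL driver the project uses has its own placeholder syntax, but the binding mechanism is the same. The helper also illustrates the PR's note that identifiers cannot be bound: the table name is validated against a strict pattern and quoted before being spliced in.

```python
import re
import sqlite3

# Allowlist for the one thing parameter binding cannot cover: identifiers.
IDENTIFIER_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def make_store() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a doc/vector store table.
    Not the project's schema; it exists only to run the two query styles."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE docs (node_id TEXT PRIMARY KEY, ref_doc_id TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO docs (node_id, ref_doc_id) VALUES (?, ?)",
        [("n1", "O'Brien"), ("n2", "O'Brien"), ("n3", "Smith")],
    )
    conn.commit()
    return conn


def quote_identifier(name: str) -> str:
    """Identifiers cannot be passed as query parameters, so validate the name
    against a strict pattern and double-quote it before splicing it into SQL."""
    if not IDENTIFIER_RE.fullmatch(name):
        raise ValueError(f"invalid SQL identifier: {name!r}")
    return f'"{name}"'


def delete_by_ref_doc_fstring(conn: sqlite3.Connection, table: str, ref_doc_id: str) -> int:
    """'Before' style: the value is interpolated into the SQL text.
    A single quote inside the value closes the string literal early, so the
    statement is malformed; the driver raises instead of deleting anything."""
    cur = conn.execute(f"DELETE FROM {table} WHERE ref_doc_id = '{ref_doc_id}'")
    conn.commit()
    return cur.rowcount


def delete_by_ref_doc_param(conn: sqlite3.Connection, table: str, ref_doc_id: str) -> int:
    """'After' style: the value travels as a bound parameter and the driver
    handles escaping; only the validated identifier is spliced into the text."""
    cur = conn.execute(
        f"DELETE FROM {quote_identifier(table)} WHERE ref_doc_id = ?",
        (ref_doc_id,),
    )
    conn.commit()
    return cur.rowcount


def run_demo() -> dict:
    """Run both styles against the same value and report what happened."""
    result = {}
    conn = make_store()
    try:
        delete_by_ref_doc_fstring(conn, "docs", "O'Brien")
        result["fstring_error"] = None
    except sqlite3.OperationalError as exc:
        # The unbalanced quote makes the SQL unparsable.
        result["fstring_error"] = type(exc).__name__
    # Same value, bound as a parameter: both O'Brien rows are removed.
    result["param_deleted"] = delete_by_ref_doc_param(conn, "docs", "O'Brien")
    result["remaining"] = conn.execute(
        "SELECT node_id, ref_doc_id FROM docs ORDER BY node_id"
    ).fetchall()
    return result


if __name__ == "__main__":
    print(run_demo())
```

Running it shows the f-string path failing with `OperationalError` on the O'Brien value while the parameterized path deletes the two matching rows and leaves only the Smith row. The identifier check is deliberately narrower than what SQL allows; widening it should be a conscious decision rather than a default.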

@dihenker dihenker requested review from a team as code owners June 3, 2026 22:17
@product-auto-label product-auto-label Bot added the api: cloudsql-postgres Issues related to the googleapis/llama-index-cloud-sql-pg-python API. label Jun 3, 2026