OK, so this is not a problem when we are working with the databases 'live', since they are using parameterized queries. It IS a problem when using the 'install' and 'sql' sub-commands, since those are built up using simple string concatenation.
So if all the following were true, would this be acceptable?
1. Each backend class grew an escapeChars() method that worked correctly.
2. My original change used the appropriate method when composing the SQL statements.
3. We comment the function to state it is only to be used for SQL string composition.
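A sketch of the per-backend escaping proposed above, as an added example that is not code from this thread or from the project: the class and method names (`Backend`, `escape_chars`, `literal`, `compose_insert`) are hypothetical, Python with in-memory SQLite is used only to check the round trip, and the MySQL variant assumes the server's default backslash handling.

```python
import sqlite3

class Backend:
    """Hypothetical backend base class (names are assumptions, not the project's API)."""

    def escape_chars(self, value: str) -> str:
        # Only for composing SQL text (generated scripts); live queries stay parameterized.
        # Standard SQL: a single quote inside a string literal is written as two quotes.
        return value.replace("'", "''")

    def literal(self, value: str) -> str:
        return "'" + self.escape_chars(value) + "'"


class SqliteBackend(Backend):
    pass  # standard quoting is sufficient; backslash is an ordinary character


class MysqlBackend(Backend):
    def escape_chars(self, value: str) -> str:
        # Assumes MySQL's default sql_mode (NO_BACKSLASH_ESCAPES off), where a
        # backslash starts an escape sequence in a literal and must be doubled.
        return super().escape_chars(value).replace("\\", "\\\\")


def compose_insert(backend: Backend, value: str) -> str:
    # Table and column names are fixed here; only the data value is escaped.
    return f"INSERT INTO t (name) VALUES ({backend.literal(value)});"


def round_trip_sqlite(value: str) -> list:
    """Run the composed script against in-memory SQLite and read the value back."""
    conn = sqlite3.connect(":memory:")
    try:
        conn.execute("CREATE TABLE t (name TEXT)")
        conn.executescript(compose_insert(SqliteBackend(), value))
        return [row[0] for row in conn.execute("SELECT name FROM t")]
    finally:
        conn.close()


# Constructed sample values: quotes, a statement separator, a comment marker, a backslash.
SAMPLES = ["O'Brien", "it's; -- a 'quoted' note", "C:\\temp\\'x'"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(compose_insert(MysqlBackend(), s), round_trip_sqlite(s) == [s])
```

The same input yields different literals per backend, which is why a single shared escaping routine would be wrong for at least one of them.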
