rubygems  RubySec  RUBY:BLAZER-2022-29498
History  Apr 19, 2022 - 9:00 p.m.

SQL injection for certain queries with variables

2022-04-19 21:00:00
RubySec
github.com
sql injection
variable modification
data source
escaping
string literal
blazer
arbitrary queries
write permissions

CVSS2: 4.3

  Attack Vector: NETWORK
  Attack Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: NONE
  Integrity Impact: PARTIAL
  Availability Impact: NONE
  Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3: 7.5

  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: NONE
  Integrity Impact: HIGH
  Availability Impact: NONE
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

For some queries, specific variable values can modify the query
rather than just the variable. This can occur if:

  1. the query’s data source uses different escaping than the Rails database OR
  2. the query has a variable inside a string literal

Since Blazer is designed to run arbitrary queries, the impact will typically be low.
Users cannot run any queries they could not have already run. However, an attacker
could get a user to run a query they would not have normally run. If the data source
has write permissions, this could include modifying data in some cases.
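
To find saved queries that match condition 2, the following added example (not part of the advisory or of Blazer's code) scans SQL text for variable placeholders that fall inside a single-quoted string literal. It assumes Blazer's `{name}` variable syntax and standard SQL quoting where `''` escapes a quote; the function names and sample queries are constructed for illustration, and backslash escapes, dollar quoting and SQL comments are not handled.

```ruby
# Added example: flag {variable} placeholders that sit inside a
# single-quoted SQL string literal (condition 2 of the advisory).
# Assumption: '' is the only escape for a quote inside a literal.

VARIABLE = /\{([a-z_][a-z0-9_]*)\}/i

# Returns the names of variables that appear inside string literals.
def variables_in_string_literals(sql)
  found = []
  in_string = false
  i = 0
  while i < sql.length
    ch = sql[i]
    if ch == "'"
      if in_string && sql[i + 1] == "'"
        i += 2 # '' is an escaped quote; we are still inside the literal
        next
      end
      in_string = !in_string
    elsif ch == "{" && in_string
      m = VARIABLE.match(sql, i)
      found << m[1] if m && m.begin(0) == i
    end
    i += 1
  end
  found.uniq
end

# Constructed sample queries (hypothetical names, not from the advisory).
QUERIES = {
  "by_id"  => "SELECT * FROM users WHERE id = {user_id}",
  "search" => "SELECT * FROM users WHERE name LIKE '%{term}%'",
  "mixed"  => "SELECT 'it''s {a}' AS label, {b} AS n, '{c}' AS tag",
}

# Returns only the queries that need review, with the offending variables.
def audit(queries)
  queries.transform_values { |sql| variables_in_string_literals(sql) }
         .reject { |_, vars| vars.empty? }
end

if __FILE__ == $PROGRAM_NAME
  audit(QUERIES).each { |name, vars| puts "#{name}: #{vars.join(', ')}" }
end
```

Queries reported by `audit` are candidates for rewriting so that the variable stands on its own as a value rather than being spliced into a literal.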

Affected configurations

Vulners
Node: ruby blazer, Range 2.6.0

Vendor  Product  Version  CPE
ruby    blazer   *        cpe:2.3:a:ruby:blazer:*:*:*:*:*:*:*:*
