Move $queryRaw() to $dangerouslyQueryRaw()

[sachinraja]

Problem

It can be confusing for newer developers that these two are not the same:

// value is escaped
queryRaw`SELECT * FROM table WHERE col=${value}` 

// open to injection
queryRaw(`SELECT * FROM table WHERE col=${value}`)

The same is true for $executeRaw. This is quite a dangerous mistake to make and so these functions should not be so close together, under the same name.

Suggested solution

Keep the tagged template literal and move $queryRaw() and executeRaw() to $dangerouslyQueryRaw() and $dangerouslyExecuteRaw() (as React has done with dangerouslySetInnerHTML).

Alternatives

Another thing worth considering is to remove the tagged template literal queryRaw because the "raw" already implies it is unsanitized. The sanitized tagged template literal could perhaps be moved under sql instead. The truly raw one could stay under queryRaw() or move to $dangerouslyQueryRaw().

Sidenotes

I know that queryRaw() is just the implementation of the tagged template literal, but it could still be moved to dangerouslyQueryRaw() and that could be the one recommended in the docs. The default implementation could also just return an error if used without any interpolation (although this would prevent people from using it even if they didn't have values to be sanitized).

[ae42faf7]

Holy 💩, I had no idea queryRaw() was unsafe.
I like the suggested solution.

[Karl-EdwardFPJeanMehu]

I agree with @cloudagon, However, renaming $queryRaw to $sql or sql can also cause some confusion considering that all the RDBMSs currently supported or will be supported has some variant of SQL. I believe simply rename it to $query is the best choice, especially considering that MongoDB support will hopefully be available and it does not use SQL whatsoever.

[pantharshit00]

Looks like @matthewmueller opened a general issue on this topic so I referenced this there: #7142

[matthewmueller]

This is done now