*: introduce new API ParseWithParams (#22499)

[ti-srebot]

cherry-pick #22499 to release-5.0-rc
You can switch your code base to this Pull Request by using git-extras:

# In tidb repo:
git pr https://github.com/pingcap/tidb/pull/22547

After apply modifications, you can push your change to this PR via:

git push git@github.com:ti-srebot/tidb.git pr/22547:release-5.0-rc-ae0057da714e

---

What problem does this PR solve?

Problem Summary: This PR adds a new API ParseWithParams to help process unsafe arguments than just fmt.Sprintf. Also a helper API ExecuteInternal that is using ParseWithParams and ExecuteStmt.

I did not use PrepareStmt since it is not possible to use placeholder like select * from t where c in ?. But we do have such requirement.

ExecuteInternal is redefined to use ParseWithParams and always use utf8 charset for safety. But it is still needed to modify cases like ExecuteInternal(fmt.Sprintf(...)).

ExecRestrictedSQL is too large, thus it is both annoying and duplicated to write a new RestrictedSQLExecutor based on ParseWithParams. From the git history, this is a very legacy API that is 4 or 5 years old. It should be removed/refactored in further works. So the current plan is, write like ExecRestrictedSQL(session.EscapeSQL(sql, args...)). And it will goes to the modified ExecuteInternal eventually to use utf8 charset to prevent attacks based on charsets.

Check List

Tests

• Unit test
• Integration test

Release note

• No release note

[ti-srebot]

/run-all-tests

[ti-srebot]

@xhebox you're already a collaborator in bot's repo.

[morgo]

LGTM

[ti-srebot]

@morgo, Thanks for your review. The bot only counts LGTMs from Reviewers and higher roles, but you're still welcome to leave your comments. See the corresponding SIG page for more information. Related SIGs: execution(slack),sql-infra(slack).

[morgo]

LGTM

[bb7133]

LGTM

[bb7133]

/merge

[ti-srebot]

/run-all-tests