[Data] Allow parameterized queries in `read_sql`

[khoover]

Description

Allow parameterized queries when using read_sql to construct a Dataset.

Use case

Currently, the query string passed to read_sql must be fully formed and not contain any parameter bindings. This limits its applicability both in dev (need to use raw python string formatting for parameters, opportunities for mistakes) and in prod (SQL injection). It should be possible to use a parameterized query string and pass a dict/list of parameters alongside the query.

[richardliaw]

makes sense! would you be willing to contribute a PR?

[khoover]

I could give it a shot, sure.

[alexeykudinkin]

@khoover what do you expect benefits to be of such a parameterization?

[khoover]

@alexeykudinkin so currently, if I want to e.g. parameterize the query using a date window, I need to do raw string manipulation on the query at runtime. Obviously that leaves you open to SQL injection, so I'd like to close that gap.

[khoover]

@richardliaw is there a CLA for the project? Legal would want to review it before any contributions.

[richardliaw]

Hmm, I don't think we have a CLA. Sorry for the late response.