Strings and literals in SQL not escaped

[wonder-sk]

There are many places in the code where the code should be doing of escaping when running some SQL queries.

Try having some tables with spaces or quotes in names and things will break...