Queries executed with IO list arguments are not correctly escaped, leading to possible code injections:
emysql:execute(mypool, <<"SELECT * FROM foo WHERE id = ?">>, [["te'st"]]).
I believe the culprit is in emysql_conn.erl:
encode(Val, binary) when is_list(Val) ->
list_to_binary(quote(Val));
If Val is an iolist, quote will have no effect and list_to_binary will happily construct an unescaped (binary) string.
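The following module is an added example, not emysql's own code. It reproduces the shape of the problem with a simplified, assumed stand-in for quote/1 (a character-by-character escaper that only walks the top level of a list) and shows one way to close the gap: flatten any iolist with iolist_to_binary/1 before escaping, so nested lists cannot bypass the escaper. The function names encode_unsafe/1, encode_safe/1 and demo/0 are chosen for this example.

```erlang
%% Added example (not emysql's code). quote/1 below is a simplified stand-in
%% for a flat-list escaper; it is an assumption about the escaper's shape,
%% not the real emysql_conn:quote/1.
-module(iolist_quote_demo).
-export([quote/1, encode_unsafe/1, encode_safe/1, demo/0]).

%% Wrap the escaped characters in single quotes.
quote(String) when is_list(String) ->
    [$' | lists:reverse([$' | quote(String, [])])].

%% Escape the characters MySQL treats specially. Note the final clause: an
%% element that is itself a list (i.e. a nested iolist) is copied through
%% untouched, which is exactly how an iolist argument escapes unescaped.
quote([], Acc) -> Acc;
quote([0 | Rest], Acc)   -> quote(Rest, [$0, $\\ | Acc]);
quote([$\n | Rest], Acc) -> quote(Rest, [$n, $\\ | Acc]);
quote([$\r | Rest], Acc) -> quote(Rest, [$r, $\\ | Acc]);
quote([$\\ | Rest], Acc) -> quote(Rest, [$\\, $\\ | Acc]);
quote([$' | Rest], Acc)  -> quote(Rest, [$', $\\ | Acc]);
quote([$" | Rest], Acc)  -> quote(Rest, [$", $\\ | Acc]);
quote([C | Rest], Acc)   -> quote(Rest, [C | Acc]).

%% Mirrors the reported encode/2 clause: quote/1 sees only the top level of
%% the list, then list_to_binary/1 flattens whatever was nested inside.
encode_unsafe(Val) when is_list(Val) ->
    list_to_binary(quote(Val)).

%% Hardened form: normalise any iolist (or binary) to a flat byte list first,
%% then escape it. Nesting can no longer hide characters from quote/1.
encode_safe(Val) when is_list(Val); is_binary(Val) ->
    Flat = binary_to_list(iolist_to_binary(Val)),
    list_to_binary(quote(Flat)).

%% Constructed input matching the report: the argument is an iolist, not a
%% flat string. Returns {Unsafe, Safe} for side-by-side comparison.
demo() ->
    Arg = ["te'st"],
    {encode_unsafe(Arg), encode_safe(Arg)}.
```

Compile with erlc and call iolist_quote_demo:demo() in a shell: the first element of the tuple keeps the inner single quote unescaped, while the second backslash-escapes it. One caveat of the hardened form: iolist_to_binary/1 only accepts bytes and binaries, so a list containing Unicode codepoints above 255 should be normalised with unicode:characters_to_binary/1 instead before escaping.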