The putStat function in kernel/sql/stat.go was building SQL queries
via string concatenation instead of using parameterized queries.
While currently only called with hardcoded internal values, this is
a defense-in-depth improvement that prevents future SQL injection
if the function is ever called with user-controlled input.
The execStmtTx helper already supports variadic args, so this is
a straightforward change to use ? placeholders.

Co-authored-by: Test User <test@example.com>
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
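As an added illustration of the change this commit describes (example code, not the project's own putStat or execStmtTx), the concatenated form is placed beside the parameterized form. The `stmt` type, the `putStatConcat`/`putStatParam` names and the shape of the `stat` table are assumptions; the real execStmtTx helper is not reproduced, only its variadic `query, args...` contract is modelled. The sample value `O'Brien` is constructed to show why the SQL text must stay constant.

```go
package main

import (
	"fmt"
	"strings"
)

// stmt is what a transaction helper with a variadic signature such as
// execStmtTx(tx, query, args...) would receive: constant SQL text plus the
// values bound to its placeholders. (Assumed stand-in, not the project's type.)
type stmt struct {
	query string
	args  []any
}

// putStatConcat builds the statement the way the commit message says the old
// putStat did: the values are spliced into the SQL text. Any value containing
// a quote therefore changes the structure of the statement itself.
func putStatConcat(name string, value int64) stmt {
	q := "INSERT INTO stat (name, value) VALUES ('" + name + "', " + fmt.Sprint(value) + ")"
	return stmt{query: q}
}

// putStatParam is the parameterized form: the SQL text is a fixed literal and
// the values travel separately as bound arguments, which the driver never
// parses as SQL. The text is identical for every call, so it can also be
// prepared once and reused.
func putStatParam(name string, value int64) stmt {
	return stmt{
		query: "INSERT INTO stat (name, value) VALUES (?, ?)",
		args:  []any{name, value},
	}
}

// placeholderCount counts '?' markers in the SQL text. Valid only because the
// text is a constant we control and contains no '?' inside string literals.
func placeholderCount(query string) int {
	return strings.Count(query, "?")
}

// argsMatch is a cheap pre-execution sanity check: the number of bound args
// must equal the number of placeholders, or the driver will reject the call.
func (s stmt) argsMatch() bool {
	return placeholderCount(s.query) == len(s.args)
}

func main() {
	name := "O'Brien" // constructed sample value containing a single quote
	bad := putStatConcat(name, 1)
	good := putStatParam(name, 1)
	fmt.Println("concatenated:", bad.query)   // the quote breaks the literal
	fmt.Println("parameterized:", good.query) // text unchanged, value in args
	fmt.Println("args match placeholders:", good.argsMatch())
}
```

The property worth checking in review is the one the test below asserts: the parameterized query text is the same for every input, and the input value is carried verbatim in `args` rather than appearing in the SQL text at all.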