Database layer does not escape table and field strings everywhere

The database layer makes provisions for escaping table, field and alias names before running SQL queries. However, not all query classes call their escape utility methods before returning a query string that is to be executed by the database.

This is not a problem on the currently supported databases with a default configuration, but does in fact constitute a problem for say the Drizzle database server (which errors when a non-escaped reserved keyword is used as column name) and I expect that MySQL and PostgreSQL can be configured to error out when reserved keywords are used improperly as well. The most common example of a reserved keyword being used is `timestamp`. See also: #1426084: Provide backtick escaping for MySQL in DB abstraction layer → .

Task to fix this issue

Add filtering to table names and field names.

Tasks explicitly excluded from this issue since they are larger and lower priority:

The db_query() function does not attempt to escape any table or field names at all, so even of the various query classes are fixed, any calls to db_query() can still fail if their queries use reserved keywords when they shouldn't. (Hello, flood_is_allowed() ;-)

It would be good to not use reserved SQL keywords for table and field names anywhere in core. Additionally, since db_query() can still cause problems it should be phased out altogether.

#1067802: Compare $connection->query() and $connection->select() performance → notes that there is likely a performance hit on using db_select(), so that should be addressed as well. It's all good and well to keep core fast, but that shouldn't cause breakage for databases.

1. Change table fields that are reserved key words
2. Change all instances of db_query() to their newer DBTNG equivalents (db_select, db_update, db_insert etc