Security
========

This framework generates queries using string substitutions. This is
necessary, as server-side variable binding does not work with all
parts of SQL queries. For example, it is possible to pass parameters
to Snowflake as the ``VALUES`` of an ``INSERT`` query, but it is not
possible to use variables for a table name without resorting to
``IDENTIFIER()``.

The raw data loaded in a Data Vault model has to be stored in a table
somewhere for the framework to pick it up. Hence, it is assumed it has
already been sanitized against potential SQL injections.