Update SQL generators to use sanitization of strings used in query
We currently use prepared statements to sanitize our fields and block injection-based attacks. There are a few fields where, with enough effort, the checks could potentially be circumvented. An example of this is the field name in the order by clause of the HQLGenerator class. Usage of this class is still rare, so the risk is low, but we should fix this hole sooner rather than later.
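The reason the order by field name slips past prepared statements is that parameter binding only covers values, not identifiers: a column or property name cannot be passed as a bound parameter, so it ends up in the query text itself. The usual fix is to resolve the caller's sort key through an allowlist of known sortable fields and emit only the allowlisted name. The following is an added example written for this issue, not the project's HQLGenerator; the class, entity and property names are assumptions, and it targets Java 16+ for the record type.

```java
import java.util.Locale;
import java.util.Map;
import java.util.Set;

/**
 * Added example (not the project's HQLGenerator): builds an HQL query whose
 * WHERE value is bound as a named parameter, while the ORDER BY field name,
 * which cannot be bound, is resolved through an allowlist instead of being
 * copied from input. Entity and property names are assumed for illustration.
 */
public final class OrderByExample {

    // Allowlist: sort keys a caller may request, mapped to the entity property
    // that is actually written into the query text (assumed names).
    private static final Map<String, String> SORTABLE_FIELDS = Map.of(
            "name", "u.name",
            "created", "u.createdAt",
            "email", "u.email");

    private static final Set<String> DIRECTIONS = Set.of("ASC", "DESC");

    /** The generated HQL text plus the named parameters to bind to it. */
    public record Query(String hql, Map<String, Object> params) {}

    /**
     * The status value goes into a named parameter, so the prepared statement
     * protects it. The sort key is an identifier, so it is looked up in the
     * allowlist and the request fails if it is not a known field.
     */
    public static Query findUsersByStatus(String status, String sortKey, String direction) {
        String property = SORTABLE_FIELDS.get(sortKey);
        if (property == null) {
            throw new IllegalArgumentException("unknown sort field: " + sortKey);
        }
        String dir = direction == null ? "ASC" : direction.toUpperCase(Locale.ROOT);
        if (!DIRECTIONS.contains(dir)) {
            throw new IllegalArgumentException("unknown sort direction: " + direction);
        }
        // Only allowlisted text reaches the query string; the value stays a parameter.
        String hql = "from User u where u.status = :status order by " + property + " " + dir;
        return new Query(hql, Map.of("status", status));
    }

    public static void main(String[] args) {
        Query ok = findUsersByStatus("active", "created", "desc");
        System.out.println(ok.hql());
        // from User u where u.status = :status order by u.createdAt DESC
        System.out.println(ok.params());
        // {status=active}

        try {
            // A sort key that is not in the allowlist is rejected before any query
            // text is assembled, whatever characters it happens to contain.
            findUsersByStatus("active", "lastLogin", "asc");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same pattern applies to any other identifier a generator interpolates (table or entity names, selected columns): keep a fixed mapping from accepted keys to emitted names, and treat anything not in the mapping as a request error rather than trying to escape it.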