Security Alert: BatchUpdateBuilder Retains Deprecated Methods Vulnerable to SQL Injection
A critical security flaw persists within the codebase: the `BatchUpdateBuilder` still contains two deprecated methods known to be vulnerable to SQL injection attacks. The methods, `add_update` and `build_sql`, directly interpolate unsanitized user input into SQL strings, creating a direct vector for data manipulation or exfiltration. Despite being marked as deprecated and having secure, parameterized replacements available since PR #1618, the vulnerable legacy code remains in the library, posing an ongoing risk to any downstream project that might inadvertently use it.
The vulnerability is not theoretical; it was originally documented in issue #1530. The dangerous `add_update` method accepts a `where_clause` string and a vector of column-value pairs and splices them directly into the final SQL command without any sanitization or parameterization; `build_sql` then returns the resulting raw SQL string, so any caller that executes it runs the spliced input as SQL. While the project's internal test suite (`batch_ops.rs`) is currently the only known caller, the mere presence of this code in a public API represents a latent security liability.
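As an added illustration in Rust (not code from the project or from this alert; the function and struct names are hypothetical), the two builder styles the alert contrasts: a legacy `build_sql`-style function that interpolates caller strings, beside a parameterized form that keeps the SQL shape fixed and returns the values separately for the driver to bind. It goes one step past the page by also allowlisting column names, because placeholders cannot stand in for identifiers.

```rust
/// Legacy style: the caller's strings are spliced straight into the SQL text.
/// A value containing a quote (or anything else) lands in the statement verbatim.
pub fn legacy_build_sql(table: &str, updates: &[(&str, &str)], where_clause: &str) -> String {
    let sets: Vec<String> = updates
        .iter()
        .map(|(col, val)| format!("{col} = '{val}'"))
        .collect();
    format!("UPDATE {table} SET {} WHERE {where_clause}", sets.join(", "))
}

/// Parameterized style: the SQL shape is fixed at build time; values travel
/// separately and are bound by the driver, never rendered into the text.
#[derive(Debug, PartialEq)]
pub struct BoundUpdate {
    pub sql: String,
    pub params: Vec<String>,
}

/// Placeholders cannot stand in for identifiers, so column names are checked
/// against an allowlist the calling code declares; `table` is a code-chosen
/// literal, never caller input. (Hypothetical API, not the project's own.)
pub fn safe_build_sql(
    table: &'static str,
    allowed_columns: &[&str],
    updates: &[(&str, &str)],
    where_column: &str,
    where_value: &str,
) -> Result<BoundUpdate, String> {
    if updates.is_empty() {
        return Err("no columns to update".to_string());
    }
    let mut params: Vec<String> = Vec::new();
    let mut sets: Vec<String> = Vec::new();
    for (col, val) in updates {
        if !allowed_columns.contains(col) {
            return Err(format!("column not allowed: {col}"));
        }
        params.push((*val).to_string());
        sets.push(format!("{col} = ${}", params.len())); // $1, $2, ... placeholders
    }
    if !allowed_columns.contains(&where_column) {
        return Err(format!("column not allowed: {where_column}"));
    }
    params.push(where_value.to_string());
    let sql = format!(
        "UPDATE {table} SET {} WHERE {where_column} = ${}",
        sets.join(", "),
        params.len()
    );
    Ok(BoundUpdate { sql, params })
}
```

A value such as `O'Brien` breaks the legacy statement's quoting outright, while the parameterized form never lets it touch the SQL text.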
This situation triggers a specific clause in the project's stability policy. According to STABILITY_POLICY SP-3, breaking changes are permitted during Release Candidate phases for security vulnerabilities that necessitate API modification. The continued existence of these methods contradicts this security-first principle, as their removal would constitute a justified breaking change. The issue highlights a tension between maintaining backward compatibility and enforcing robust security hygiene, leaving a known vulnerability officially deprecated but still operational within the codebase.