Sanitizing property names in queries and creation commands.

[obi1kenobi]

In private discussion with @mogui we decided to resolve #169 via a pull request. The security issue was a SQL injection attack vector, exploitable in one location and potentially a few more, that allowed an attacker to change the WHERE clause in a query and cause it to return unexpected results. Here is an example query:

rat = g.animals.create(name='rat', specie='rodent')
mouse = g.animals.create(name='mouse', specie='rodent')

args = {'name': 'rat', 'name="rat" OR 1': 1}
res = g.animals.query(**args).all()
# Command: SELECT FROM animal WHERE name='rat' and name="rat" OR 1=1
#   Expected result: [
#        ('name': 'rat', 'specie': 'rodent')
#   ]
#   Actual result: [
#        ('name': 'rat', 'specie': 'rodent'),
#        ('name': 'mouse', 'specie': 'rodent')
#   ]

graph.create_vertex and graph.create_edge also do similar processing of unsanitized kwargs, but it's masked by the call to props_to_db so they are currently not exploitable, as far as I could determine.

This pull request resolves the problem by sanitizing kwarg arguments to the affected functions. Ideally, it would be merged immediately after #170, which fixes a bug where a newline character in a string field will unexpectedly terminate the query and cause an exception.

Thanks to the maintainers of this repository for promptly acting on my bug report!