Add a note about SQL injection

Author: snejus

CONTRIBUTING.rst

@@ -251,15 +251,19 @@ There are a few coding conventions we use in beets:
    To fetch Item objects from the database, use lib.items(…) and supply
    a query as an argument. Resist the urge to write raw SQL for your
    query. If you must use lower-level queries into the database, do
-   this:
+   this, for example:
 
    .. code-block:: python
 
        with lib.transaction() as tx:
-           rows = tx.query("SELECT …")
+           rows = tx.query("SELECT path FROM items WHERE album_id = ?", (album_id,))
 
    Transaction objects help control concurrent access to the database
    and assist in debugging conflicting accesses.
+
+   Make sure that variables are passed to the query as a tuple to prevent SQL
+   injection attacks.
+
 -  f-strings should be used instead of the ``%`` operator and ``str.format()``
    calls.
 -  Never ``print`` informational messages; use the