Fix SQL injection in _quotes: escape single quotes in string values

The _quotes() method wraps values in single quotes for SQL but did not
escape internal single quotes, causing SQL syntax errors with URIs
containing XML or other special characters (e.g. BioMart queries).

Fix: double single quotes (SQL standard escaping) in both the VARCHAR
return path and the JSON serialization path.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: deeenes

cachedir/_cache.py

@@ -1570,9 +1570,11 @@ def _quotes(string: str | None, typ: str = 'VARCHAR') -> str:
 
                 string = list(string)
 
-            string = f"json('{json.dumps(string)}')"
+            string = json.dumps(string).replace("'", "''")
+            string = f"json('{string}')"
 
-        return f"'{string}'" if (
+        escaped = str(string).replace("'", "''")
+        return f"'{escaped}'" if (
                 typ.startswith('VARCHAR') or
                 typ.startswith('DATETIME')
         ) else string