privilege: remove any string concat (#22523)

[ti-srebot]

cherry-pick #22523 to release-3.0
You can switch your code base to this Pull Request by using git-extras:

# In tidb repo:
git pr https://github.com/pingcap/tidb/pull/22688

After apply modifications, you can push your change to this PR via:

git push git@github.com:ti-srebot/tidb.git pr/22688:release-3.0-26086b297cad

---

What problem does this PR solve?

Part of https://github.com/pingcap/tidb-test/issues/1152

What is changed and how it works?

What's Changed:

This removes any string concatenation from the privilege package, and changes it to use ExecuteInternal. Because the privilege package loads whole tables and does not need any paramaterized SQL, it should work before/after #22499 is merged.

There was no risk of injection from the previous usage, since the concat did not include any user-supplied data. But it's possible a PR in the future may misunderstand this and introduce a security issue. The new approach is to define the sqls as const. Thus, temptations are reduced.

Related changes

• Need to cherry-pick to the release branch

Check List

Tests

Convered by existing tests.

Side effects

• None

Release note

• No release note

[ti-srebot]

/run-all-tests

[ti-srebot]

@morgo please accept the invitation then you can push to the cherry-pick pull requests.
https://github.com/ti-srebot/tidb/invitations