Replace string concatenation with parameterized queries for hash filtering

[Copilot]

Building IN clauses via string concatenation of MD5 hashes creates SQL injection risk and degrades performance with large hash lists (up to 1000+ items per zoom level).

Changes

• Hash filtering now uses PostgreSQL array operators: = ANY(@hashes) for inclusion, != ALL(@excludeHashes) for exclusion
• Refactored query construction: GetWhere no longer handles hash exclusion; moved to caller sites with proper parameterization
• Connection management hardening: Added try-finally blocks to ensure cleanup on exception paths

Before/After

// Before: String concatenation builds long SQL strings
var hashList = string.Join(",", hashes.Select(h => $"'{h}'"));
var query = $"WHERE MD5(...) IN ({hashList})";

// After: Parameterized with array operator
var query = "WHERE MD5(...) = ANY(@hashes)";
cmd.Parameters.AddWithValue("hashes", hashes.ToArray());

Affected methods: FilterHashesByEnvelope, GetGeometriesBoundingBox, GetGeometrySubset, CountFeaturesInBox

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.