updated: grapql query to remove sql injection problem

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

Author: VirajAgarwal1

tutorial/markdown/nodejs/dataApi-appsync-tutorial/tutorial.md

@@ -200,7 +200,7 @@ export function request(ctx) {
 
     // Construct a SQL++ query to filter hotels by city
     // The query_context below lets us use "hotel" instead of "travel-sample.inventory.hotel"
-    const sql_query = `SELECT c.* FROM ${collection} AS c WHERE city = \"${city}\"`;
+    const sql_query = `SELECT c.* FROM ${collection} AS c WHERE city = $city`;
 
     // Build the HTTP request object for the Data API Query Service
     const requestObject = {
@@ -212,11 +212,12 @@ export function request(ctx) {
                 'Content-Type': 'application/json',
                 'Authorization': auth  // Dynamic Basic auth per request
             },
-            body: {
+            body: JSON.stringify({
                 query_context: `default:${bucket}.${scope}`,  // Namespace shortcut
                 statement: sql_query,  // The SQL++ query
+                args: { city: city }, // Pass parameters securely
                 timeout: '30m'  // Query timeout (generous for demo)
-            }
+            })
         }
     };
     return requestObject;