
Conversation


@michaelimas1 michaelimas1 commented Jul 28, 2024

closes: #42061

Refactored SQL command to interpolate duplicate_key_handling and extra_options directly, preventing unwanted quotes around strings.

Since this change, custom bulk load in MySQL is broken: that change made the strings be inserted into the query with quotes, which resulted in an SQL error from MySQL.

(1064, "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''REPLACE' INTO TABLE my_table ''' at line 1");



…a_options directly, preventing unwanted quotes around strings

Refactored SQL command to interpolate duplicate_key_handling and extra_options directly, preventing unwanted quotes around strings.

boring-cyborg bot commented Jul 28, 2024

Congratulations on your first Pull Request and welcome to the Apache Airflow community! If you have any issues or are unsure about anything, please check our Contributors' Guide (https://github.com/apache/airflow/blob/main/contributing-docs/README.rst).
Here are some useful points:

  • Pay attention to the quality of your code (ruff, mypy and type annotations). Our pre-commits will help you with that.
  • In case of a new feature, add useful documentation (in docstrings or in the docs/ directory). Adding a new operator? Check this short guide. Consider adding an example DAG that shows how users should use it.
  • Consider using the Breeze environment for testing locally; it's a heavy docker but it ships with a working Airflow and a lot of integrations.
  • Be patient and persistent. It might take some time to get a review or get the final approval from Committers.
  • Please follow the ASF Code of Conduct for all communication including (but not limited to) comments on Pull Requests, the Mailing list and Slack.
  • Be sure to read the Airflow Coding style.
  • Always keep your Pull Requests rebased, otherwise your build might fail due to changes not related to your commits.

Apache Airflow is a community-driven project and together we are making it better 🚀.
In case of doubts contact the developers at:
Mailing List: dev@airflow.apache.org
Slack: https://s.apache.org/airflow-slack

@hussein-awala hussein-awala (Member) left a comment

Could you add a unit test for this change?

@michaelimas1 michaelimas1 (Author) commented

@eladkal anything else missing from my side to get this approved? It's my first PR here, so I'm not sure what the process is.

@potiuk potiuk (Member) left a comment

This one introduces a security issue (one that #33328 attempted to prevent).

We absolutely cannot build an SQL query with an interpolated value that can be provided from outside - this opens up all kinds of possible manipulations of the query that might lead to a number of security issues.

The only way we can accept such a change is if it actually checks the allowed values for duplicate_key_handling and raises an exception if it is not strictly one of the two values expected.


potiuk commented Sep 9, 2024

Same with extra-options. This is classic SQL Injection and you have to find a way to sanitize the input in such a way that it cannot be abused.
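An illustration of the allowlist check the reviewers ask for, added here as an example and not Airflow's own MySqlHook code: `duplicate_key_handling` is accepted only as the bare keyword `IGNORE` or `REPLACE` (so the quoted `'REPLACE'` from the reported error is rejected rather than interpolated), `extra_options` is tokenised against a small grammar of known `LOAD DATA` clause keywords, quoted literals and integers, and only the file path is passed as a driver parameter. The function names, the allowlists and the `%s` parameter style are assumptions for illustration.

```python
import re

# Added example, not Airflow's own MySqlHook code: a hardened builder for the
# LOAD DATA statement that bulk_load_custom assembles. The function names,
# the allowlists and the %s parameter style are assumptions for illustration.

ALLOWED_DUPLICATE_KEY_HANDLING = frozenset({"IGNORE", "REPLACE"})

# Keywords permitted in the clauses that follow the table name in LOAD DATA.
_ALLOWED_KEYWORDS = frozenset({
    "FIELDS", "COLUMNS", "TERMINATED", "ENCLOSED", "OPTIONALLY", "ESCAPED",
    "LINES", "STARTING", "BY", "IGNORE", "ROWS",
})
_IDENTIFIER_RE = re.compile(r"^[A-Za-z0-9_$]+$")
# One token: a bare keyword, a single-quoted literal (backslash escapes allowed,
# so a quote inside the literal cannot terminate it early), or an integer.
_TOKEN_RE = re.compile(r"\s*(?:(?P<kw>[A-Za-z]+)|(?P<lit>'(?:[^'\\]|\\.)*')|(?P<num>\d+))")


def validate_duplicate_key_handling(value: str) -> str:
    """Accept exactly IGNORE or REPLACE; a quoted or unexpected value is rejected."""
    if value not in ALLOWED_DUPLICATE_KEY_HANDLING:
        raise ValueError(f"duplicate_key_handling must be one of {sorted(ALLOWED_DUPLICATE_KEY_HANDLING)}")
    return value


def validate_extra_options(value: str) -> str:
    """Tokenise extra_options and accept only known keywords, quoted literals and integers."""
    value = value.strip()
    pos = 0
    while pos < len(value):
        m = _TOKEN_RE.match(value, pos)
        if m is None:
            raise ValueError(f"unexpected content in extra_options at offset {pos}: {value[pos:pos + 10]!r}")
        if m.group("kw") and m.group("kw").upper() not in _ALLOWED_KEYWORDS:
            raise ValueError(f"keyword not allowed in extra_options: {m.group('kw')!r}")
        pos = m.end()
    return value


def build_load_data_sql(filepath: str, table: str, duplicate_key_handling: str = "IGNORE",
                        extra_options: str = "") -> tuple[str, tuple[str]]:
    """Return (sql, params): keywords are allowlisted, the file path is a bound parameter."""
    if not _IDENTIFIER_RE.match(table):
        raise ValueError(f"invalid table name: {table!r}")
    handling = validate_duplicate_key_handling(duplicate_key_handling)
    options = validate_extra_options(extra_options)
    sql = f"LOAD DATA LOCAL INFILE %s {handling} INTO TABLE `{table}` {options}".rstrip()
    return sql, (filepath,)
```

The returned `(sql, params)` pair is meant for `cursor.execute(sql, params)`, so the path never lands in the statement text and the keywords never come from unchecked strings.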


This pull request has been automatically marked as stale because it has not had recent activity. It will be closed in 5 days if no further activity occurs. Thank you for your contributions.

@github-actions github-actions bot added the stale Stale PRs per the .github/workflows/stale.yml policy file label Nov 12, 2024
@github-actions github-actions bot closed this Nov 26, 2024

Labels: area:providers, provider:mysql, stale (Stale PRs per the .github/workflows/stale.yml policy file)


Successfully merging this pull request may close these issues.

MySqlHook bulk_load_custom() syntax errors due to escaped sql command
