fix: use parameterized queries to prevent SQL injection

Replace string concatenation in SQL query construction with parameterized
queries using placeholders. This prevents potential SQL injection attacks
where user-supplied keywords could manipulate the query structure.

Changes:
- Convert keyword search to use ? placeholders with params list
- Parameterize trigger_type filtering conditions
- Parameterize LIMIT clause
- Pass params array to cursor.execute()