feat: add timezone validation to prevent SQL injection

Add isValidTimeZone() utility function to validate timezone strings
before using them in SQL queries. The function ensures only safe
characters are allowed in timezone names.

Security improvements:
- Validate timezone strings against safe character regex
- Reject strings with SQL injection patterns
- Support all valid IANA timezone formats
- Length limits and empty string checks

This prevents potential SQL injection in the SET TIME ZONE command
while maintaining compatibility with all legitimate timezone values.