Fixed #10160 -- Modified evaluation of F() expressions to protect against potential SQL injection attacks. Thanks to Ian Kelly for the suggestion and patch.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@9820 bcc190cf-cafb-0310-a4f2-bffc1f526a37