Are Your LLM-based Text-to-SQL Models Secure? Exploring SQL Injection via Backdoor Attacks