Justin Waddell wrote:
> From my research into this problem it seems like prepared statements
> have been deliberately left out of the create user command as they use
> a different type of parameter; this would be fine if the security hole
> wasn't there!
The JDBC driver can only put parameters in where the server-side grammar
allows it (it does not interpolate parameter values into the actual
query, it puts $1,$2,... placeholders in place of the ? placeholders and
passes the actual parameter values out-of-line from the query itself).
If you want to change the grammar, you need to take this up with the
backend developers. The JDBC driver can't do anything about it.
-O
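
An added example, not part of the original message and not the JDBC driver's own code: because CREATE USER accepts no $n parameters, the user name and password have to be quoted on the client before they go into the statement text. The class and method names are hypothetical, and the sample inputs in main() are constructed.

```java
import java.sql.Connection;
import java.sql.SQLException;
import java.sql.Statement;

public final class CreateUserSafely {

    // Quote an SQL identifier: wrap in double quotes, double embedded ones.
    static String quoteIdentifier(String s) {
        if (s.isEmpty() || s.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("invalid identifier");
        }
        return '"' + s.replace("\"", "\"\"") + '"';
    }

    // Quote a string literal. Single quotes are doubled; when a backslash is
    // present the E'' form is used with backslashes doubled, so the value is
    // read the same whether standard_conforming_strings is on or off.
    static String quoteLiteral(String s) {
        if (s.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("NUL not allowed in literal");
        }
        String body = s.replace("'", "''");
        if (body.indexOf('\\') >= 0) {
            return " E'" + body.replace("\\", "\\\\") + "'";
        }
        return "'" + body + "'";
    }

    static String buildCreateUser(String user, String password) {
        return "CREATE USER " + quoteIdentifier(user)
             + " PASSWORD " + quoteLiteral(password);
    }

    // Sent through a plain Statement: there is no ? to bind in this command.
    static void createUser(Connection conn, String user, String password)
            throws SQLException {
        try (Statement st = conn.createStatement()) {
            st.execute(buildCreateUser(user, password));
        }
    }

    public static void main(String[] args) {
        // Constructed inputs containing every character that needs escaping.
        System.out.println(buildCreateUser("app\"user", "it's a \\secret"));
    }
}
```

The password is part of the statement text here, so it will show up in server logs if statement logging is enabled.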