Async mysql queryf and prepared statements

[DemiMarie]

The async MySQL queryf method needs to use server-side prepared statements, not client-side emulated prepared statements. This is to avoid SQL injection problems related to locales.

[fredemmott]

As connections are re-used and queries are multiplexed, this isn't possible with the current architecture.

If you have found a security issue with queryf()/escapeString(), report it with here with additional details: https://www.facebook.com/whitehat/report/ - do not provide additional details on github

Note that these do use server-side escaping via the connection object.

[shtse8]

As many libraries are supported prepared statements in connection pool, I believe it is possible. Once a connection is prepared for a query, every binding for that query will use the same connection. Once the prepared connection is busy, try to get a ready connection to prepare again.