Currently, all parameters except MySQL strings are formatted on the main thread and interpolated into the query.
This is dangerous as it increases the risk of SQL injection attacks. Although there is no immediately known impact, this increases the risk in the future and relies on the correct implementation of integer formatting code, which is not guaranteed to be secure.
Furthermore, bound parameters do not need a formatting-parsing roundtrip and are likely to bring better performance for the query sending process.
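The following is an added example, not code from the project this issue belongs to, showing why interpolation makes the integer formatter security-critical while binding does not. It uses Python's `sqlite3` as a stand-in for MySQL; `format_int_loose`, `format_int_strict`, the `accounts` table and the sample value are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data in an in-memory database (stand-in for MySQL).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT)")
    db.executemany("INSERT INTO accounts VALUES (?, ?)",
                   [(1, "alice"), (2, "bob"), (3, "carol")])
    return db

def format_int_loose(value):
    # Hypothetical formatter with a defect: it trusts that the caller passed
    # an int and never verifies it, so any text reaches the query verbatim.
    return str(value)

def format_int_strict(value):
    # Hypothetical correct formatter: query safety now depends on this check
    # being present and right everywhere a parameter is formatted.
    if isinstance(value, bool) or not isinstance(value, int):
        raise TypeError("integer parameter expected, got %r" % (value,))
    return str(value)

def query_interpolated(db, account_id, formatter):
    # The formatted value becomes part of the SQL text the server parses.
    sql = "SELECT owner FROM accounts WHERE id = " + formatter(account_id)
    return [row[0] for row in db.execute(sql)]

def query_bound(db, account_id):
    # The value travels separately from the SQL text and is never parsed
    # as SQL, so no formatter has to be trusted.
    sql = "SELECT owner FROM accounts WHERE id = ?"
    return [row[0] for row in db.execute(sql, (account_id,))]

if __name__ == "__main__":
    db = make_db()
    mistyped = "2 OR 1=1"  # constructed: a string where an int was expected
    print("interpolated, loose formatter:",
          query_interpolated(db, mistyped, format_int_loose))
    print("bound parameter:", query_bound(db, mistyped))
    print("bound parameter, real int:", query_bound(db, 2))
```

With the loose formatter the interpolated query returns every row, because the value changed the structure of the statement; the bound query treats the same value as data and matches nothing.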