Joomla developers! Your support is needed to help make prepared statements in Joomla's database API a reality. I've started on some of this work but need help with testing and review.
Joomla's PDO driver already has provisions for prepared statement support written into it and the unsupported Oracle and SQLite drivers already make use of this.
I've opened pull requests for the MySQLi and PostgreSQL drivers to add support for prepared statements using the already defined interfaces in Joomla's database layer. Also, there is a pull request adding a PDO-based PostgreSQL driver to the available options, also with prepared statement support already integrated.
This leaves only the SQL Server driver (in the Framework stack) without an active pull request to add this support.
Once these changes are well tested and reviewed, it is my intent to backport the same changes to the Joomla! CMS classes and add prepared statement support for all but one of the available drivers. I say most since the CMS still ships with and supports a database driver for the deprecated ext/mysql. Without creating an interface to emulate prepared statements, unfortunately the best we can do in the CMS is provide the API to allow prepared statements to be used, but we cannot actually start using them in the core APIs until support for the deprecated driver is removed.