>
> Well, I guess the bug will have to be fixed asap as it is a security risk.
>
> What is the proper JDBC way for filling IN lists in prepared statements?
>
I'm no JDBC expert, but the way we do it: create a prepared statement
with 100 (or whatever the max nr. of accepted params is) parameter
placeholders, and set the ones which are actually needed to their
parameter values, and set the rest to null.
The nulls will finally be ignored by the database.
Not the best solution, but it works just fine for us.
Cheers,
Csaba.
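The padding approach described in the reply, written out as an added JDBC example (this is not code from the thread or from any project discussed in it). It assumes an open `java.sql.Connection` to a database with a `users(id, name)` table; both the table and the limit of 100 placeholders are assumptions made for the example. A second method, `findNamesExact`, goes beyond the reply and sizes the placeholder list to the input instead of padding; in both variants the ids are bound as parameters and never concatenated into the SQL text, which is the point that makes the IN list safe against injection.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Types;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

public final class InListQuery {

    /** Fixed placeholder count for the padded variant (assumed limit, as in the reply). */
    static final int MAX_PARAMS = 100;

    /** Builds "SELECT id, name FROM users WHERE id IN (?, ?, ..., ?)" with n placeholders.
     *  Only the placeholder count varies; no caller-supplied value ever reaches the SQL string. */
    static String buildSql(int n) {
        if (n < 1) {
            throw new IllegalArgumentException("IN list needs at least one placeholder");
        }
        return "SELECT id, name FROM users WHERE id IN ("
                + String.join(", ", Collections.nCopies(n, "?"))
                + ")";
    }

    /**
     * Padded variant from the reply: always MAX_PARAMS placeholders, the real ids bound
     * first and every remaining slot bound to SQL NULL. A NULL inside an IN list can
     * never equal a row value, so the unused slots are inert for the match.
     */
    static List<String> findNamesPadded(Connection conn, List<Integer> ids) throws SQLException {
        if (ids.isEmpty()) {
            return new ArrayList<>();           // "IN ()" is not valid SQL; short-circuit
        }
        if (ids.size() > MAX_PARAMS) {
            throw new IllegalArgumentException("at most " + MAX_PARAMS + " ids per query");
        }
        try (PreparedStatement ps = conn.prepareStatement(buildSql(MAX_PARAMS))) {
            int slot = 1;
            for (Integer id : ids) {
                ps.setInt(slot++, id);          // bound as an integer parameter
            }
            while (slot <= MAX_PARAMS) {
                ps.setNull(slot++, Types.INTEGER);  // pad the rest with typed NULLs
            }
            return readNames(ps);
        }
    }

    /**
     * Variant that emits exactly ids.size() placeholders. Same binding discipline,
     * no padding; the cap is kept so a caller cannot exceed the driver's parameter limit.
     */
    static List<String> findNamesExact(Connection conn, List<Integer> ids) throws SQLException {
        if (ids.isEmpty()) {
            return new ArrayList<>();
        }
        if (ids.size() > MAX_PARAMS) {
            throw new IllegalArgumentException("at most " + MAX_PARAMS + " ids per query");
        }
        try (PreparedStatement ps = conn.prepareStatement(buildSql(ids.size()))) {
            for (int i = 0; i < ids.size(); i++) {
                ps.setInt(i + 1, ids.get(i));   // JDBC parameter indexes start at 1
            }
            return readNames(ps);
        }
    }

    /** Executes the prepared statement and collects the name column. */
    private static List<String> readNames(PreparedStatement ps) throws SQLException {
        List<String> names = new ArrayList<>();
        try (ResultSet rs = ps.executeQuery()) {
            while (rs.next()) {
                names.add(rs.getString("name"));
            }
        }
        return names;
    }

    private InListQuery() {
    }
}
```

Two caveats worth keeping in mind with the padded form: `buildSql(MAX_PARAMS)` must be generated from a constant, never from anything a caller controls, and the NULL trick only holds for `IN`. With `NOT IN (..., NULL)` the comparison against NULL is unknown for every row and the query returns nothing, so a negated list has to use the exact-size variant.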