
Kahn
Moderator
5 years, 4 months ago #21737

Hello,

Unfortunately it is not possible inside the connector. You are also limited to the following data types:

String, Integer, Float (it is actually a double) and Boolean. You cannot pass null explicitly; if you do not pass anything it will be converted into NULL.

As you said, you can define it in your business object. As it is still a prepared statement on the underlying JDBC driver, SQL injections can only occur when your statement itself is not a prepared statement.


The following statement, as a provided request:

SELECT * FROM MYTABLE WHERE user = :user:String:

will be interpreted as a prepared statement with the parameter user whereas

SELECT * FROM MYTABLE WHERE user = "myUser"

will be interpreted as a prepared statement without parameters.


So by defining the request in a parameterized way in your BO and passing it to the connector with the appropriate parameters, you can avoid injections without your own sanitization logic.

However, this does not mean that defining statements in a non-parameterized way is wrong, as there are enough use cases which rely on dynamically created SQL statements.
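A constructed illustration of the distinction made in the post (an added example, not the connector's own code; the `:name:Type:` rewriting helper and the in-memory SQLite table are assumptions): a value bound through a `:user:String:` placeholder is treated as data, while the same text spliced into a dynamically built statement is parsed as SQL.

```python
import re
import sqlite3

# Constructed illustration of the ":name:Type:" placeholder syntax from the
# post. Hypothetical helper, not the connector's own code: how the connector
# rewrites placeholders internally is an assumption.
PLACEHOLDER = re.compile(r":(\w+):(String|Integer|Float|Boolean):")
CASTS = {"String": str, "Integer": int, "Float": float,
         "Boolean": lambda v: v if isinstance(v, bool) else str(v).lower() == "true"}

def to_prepared(statement, params):
    """Rewrite ':user:String:' placeholders into JDBC-style '?' markers.

    Returns the rewritten SQL plus the ordered, typed parameter values. An
    omitted value is bound as None (NULL), as the post describes. Text with
    no placeholders is left untouched, so a quoted literal such as "myUser"
    yields a prepared statement with no parameters.
    """
    values = []

    def repl(match):
        name, typ = match.group(1), match.group(2)
        raw = params.get(name)
        values.append(None if raw is None else CASTS[typ](raw))
        return "?"

    return PLACEHOLDER.sub(repl, statement), values

def run(conn, statement, params):
    sql, values = to_prepared(statement, params)
    return conn.execute(sql, values).fetchall()

def demo():
    """Same attacker-controlled text bound as a parameter vs. concatenated."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE MYTABLE (user TEXT, secret TEXT)")
    conn.executemany("INSERT INTO MYTABLE VALUES (?, ?)",
                     [("myUser", "s1"), ("other", "s2")])
    parameterized = "SELECT * FROM MYTABLE WHERE user = :user:String:"
    hostile = "x' OR '1'='1"  # constructed sample input
    bound_rows = run(conn, parameterized, {"user": hostile})    # data: 0 rows
    normal_rows = run(conn, parameterized, {"user": "myUser"})  # 1 row
    # Building the statement text dynamically from the same value makes the
    # database parse it as SQL instead, and every row comes back.
    dynamic = "SELECT * FROM MYTABLE WHERE user = '" + hostile + "'"
    leaked_rows = conn.execute(dynamic).fetchall()
    return len(bound_rows), len(normal_rows), len(leaked_rows)
```

`demo()` returns `(0, 1, 2)`: the bound hostile value matches nothing, the bound real user matches one row, and the dynamically built statement returns both rows.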