
Hello!
Looking at the code, I saw that Flourish uses PDO for MySQL queries (at least for MySQL), but disables prepared statements (MYSQL_ATTR_DIRECT_QUERY set to 1).
I'm aware that MySQL prepared statements were a "theoretical performance hit and source of annoyance" (http://stackoverflow.com/a/13239868/330867), but it seems to be evolving in the right direction now (quote: "Starting with MySQL 5.1.17, some but not all prepared statements can now use the query cache. The other minor concerns are still present.").
But in Flourish, queries generated with fDatabase and managed through fStatement are simply used as query storage. What's more, PDOStatement::bindParam/bindValue escape quotes, which prevents some SQL injection attacks, but Flourish doesn't do that at all: https://github.com/flourishlib/flourish-classes/blob/master/fStatement.php#L741
Why this choice? Is it planned to use prepared statements for MySQL in the future?
Thanks for the reply.