It's reasonable to treat prepared statement parameters as part of sql.
See https://github.com/spring-projects/spring-boot/issues/36640#issuecomment-1657394103
Comment From: wilkinsona
Thanks for the suggestion, but I don't think we should do this. If it were "reasonable to treat prepared statement parameters as part of sql", I think the Hibernate team would have included them in the org.hibernate.SQL logger that's already part of the sql logging group. I suspect that they're not included and have to be enabled separately as logging the actual parameters increases the risk of the logs including sensitive data. I think we should continue to align with that and require separate configuration to enable the logging of the actual parameter values.
Comment From: quaff
I suspect that they're not included and have to be enabled separately as logging the actual parameters increases the risk of the logs including sensitive data.
Fair enough, I didn't notice this.