[html5] r2457 - [] (0) SQL: Clarify how ?-substitution happens, clarify that an ObjectArray is r [...]

whatwg at whatwg.org
Wed Nov 26 01:32:13 PST 2008


Author: ianh
Date: 2008-11-26 01:32:12 -0800 (Wed, 26 Nov 2008)
New Revision: 2457

Modified:
   index
   source
Log:
[] (0) SQL: Clarify how ?-substitution happens, clarify that an ObjectArray is really an 'any' array.

Modified: index
===================================================================
--- index	2008-11-26 06:46:24 UTC (rev 2456)
+++ index	2008-11-26 09:32:12 UTC (rev 2457)
@@ -37856,7 +37856,7 @@
   methods invoke callbacks with <code><a href=#sqltransaction>SQLTransaction</a></code>
   objects.</p>
 
-  <pre class=idl>typedef sequence<Object> <dfn id=objectarray>ObjectArray</dfn>;
+  <pre class=idl>typedef sequence<any> <dfn id=objectarray>ObjectArray</dfn>;
 
 interface <dfn id=sqltransaction>SQLTransaction</dfn> {
   void <a href=#dom-sqltransaction-executesql title=dom-sqltransaction-executeSql>executeSql</a>(in DOMString sqlStatement);
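Review bot: the typedef name ObjectArray no longer describes its contents once it becomes `typedef sequence<any> ObjectArray;`, and nothing in this hunk says which value types an implementation must accept for the array or how each one is turned into a SQL literal. Either rename the typedef to reflect that any value is allowed, or add a sentence beside it listing the accepted types (and what happens with values outside that set), since the placeholder substitution elsewhere in this change depends on that mapping being well defined.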
@@ -37889,9 +37889,9 @@
    only called once a transaction has failed, and no SQL statements
    can be added to a failed transaction.)</li>
 
-   <li><p>Parse the first argument to the method (<var title="">sqlStatement</var>) as an SQL statement, with the
+   <li><p>Parse the first argument to the method (<var title="">sqlStatement</var>) as a SQL statement, with the
    exception that <code title="">?</code> characters can be used in
-   place of literals in the statement. <a href=#refsSQL>[SQL]</a></li>
+   place of SQL literals in the statement. <a href=#refsSQL>[SQL]</a></li>
 
    <li>
 
@@ -37901,6 +37901,12 @@
     placeholder gets replaced by the first value in the <var title="">arguments</var> array, and generally the <var title="">n</var>th <code title="">?</code> placeholder gets
     replaced by the <var title="">n</var>th value in the <var title="">arguments</var> array.)</p>
 
+    <p class=note>Substitutions for <code title="">?</code>
+    placeholders are done at the literal level, not as string
+    concatenations, so this provides a way to dynamically insert
+    parameters into a statement without risk of a SQL injection
+    attack.</p>
+
     <p>If the second argument is omitted or null, then treat the <var title="">arguments</var> array as empty.</p>
 
     <p>The result is <i>the statement</i>.</p>
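Review bot: the security property introduced here ("done at the literal level, not as string concatenations") lives only in a non-normative `<p class=note>`, while the normative step above it says just that the nth `?` placeholder gets replaced by the nth value in the arguments array, which an implementation could satisfy by textual substitution into the statement string. Move the requirement into the algorithm step itself, for instance "each value is bound as a SQL literal of the appropriate type; values are never interpolated textually into sqlStatement", so the note describes behaviour the spec actually guarantees. The wording "without risk of a SQL injection attack" also overstates the guarantee: it covers only values passed through the arguments array, and any untrusted text an author concatenates into sqlStatement itself is still interpreted as SQL; suggest "without risk of SQL injection through those parameters".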

Modified: source
===================================================================
--- source	2008-11-26 06:46:24 UTC (rev 2456)
+++ source	2008-11-26 09:32:12 UTC (rev 2457)
@@ -43071,7 +43071,7 @@
   methods invoke callbacks with <code>SQLTransaction</code>
   objects.</p>
 
-  <pre class="idl">typedef sequence<Object> <dfn>ObjectArray</dfn>;
+  <pre class="idl">typedef sequence<any> <dfn>ObjectArray</dfn>;
 
 interface <dfn>SQLTransaction</dfn> {
   void <span title="dom-sqltransaction-executeSql">executeSql</span>(in DOMString sqlStatement);
@@ -43111,9 +43111,9 @@
    can be added to a failed transaction.)</p></li>
 
    <li><p>Parse the first argument to the method (<var
-   title="">sqlStatement</var>) as an SQL statement, with the
+   title="">sqlStatement</var>) as a SQL statement, with the
    exception that <code title="">?</code> characters can be used in
-   place of literals in the statement. <a
+   place of SQL literals in the statement. <a
    href="#refsSQL">[SQL]</a></p></li>
 
    <li>
@@ -43127,6 +43127,12 @@
     replaced by the <var title="">n</var>th value in the <var
     title="">arguments</var> array.)</p>
 
+    <p class="note">Substitutions for <code title="">?</code>
+    placeholders are done at the literal level, not as string
+    concatenations, so this provides a way to dynamically insert
+    parameters into a statement without risk of a SQL injection
+    attack.</p>
+
     <p>If the second argument is omitted or null, then treat the <var
     title="">arguments</var> array as empty.</p>
 