[html5] r2457 - [] (0) SQL: Clarify how ?-substitution happens, clarify that an ObjectArray is r [...]
whatwg at whatwg.org
Wed Nov 26 01:32:13 PST 2008
Author: ianh
Date: 2008-11-26 01:32:12 -0800 (Wed, 26 Nov 2008)
New Revision: 2457
Modified:
index
source
Log:
[] (0) SQL: Clarify how ?-substitution happens, clarify that an ObjectArray is really an 'any' array.
Modified: index
===================================================================
--- index 2008-11-26 06:46:24 UTC (rev 2456)
+++ index 2008-11-26 09:32:12 UTC (rev 2457)
@@ -37856,7 +37856,7 @@
methods invoke callbacks with <code><a href=#sqltransaction>SQLTransaction</a></code>
objects.</p>
- <pre class=idl>typedef sequence<Object> <dfn id=objectarray>ObjectArray</dfn>;
+ <pre class=idl>typedef sequence<any> <dfn id=objectarray>ObjectArray</dfn>;
interface <dfn id=sqltransaction>SQLTransaction</dfn> {
void <a href=#dom-sqltransaction-executesql title=dom-sqltransaction-executeSql>executeSql</a>(in DOMString sqlStatement);
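Review bot: the typedef name `ObjectArray` no longer matches its element type now that `sequence<Object>` has become `sequence<any>`; a reader skimming the IDL will still assume only objects are accepted, so either rename the typedef or add a prose remark beside the definition stating that any IDL value, not only an object, may be a member of the array.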
@@ -37889,9 +37889,9 @@
only called once a transaction has failed, and no SQL statements
can be added to a failed transaction.)</li>
- <li><p>Parse the first argument to the method (<var title="">sqlStatement</var>) as an SQL statement, with the
+ <li><p>Parse the first argument to the method (<var title="">sqlStatement</var>) as a SQL statement, with the
exception that <code title="">?</code> characters can be used in
- place of literals in the statement. <a href=#refsSQL>[SQL]</a></li>
+ place of SQL literals in the statement. <a href=#refsSQL>[SQL]</a></li>
<li>
@@ -37901,6 +37901,12 @@
placeholder gets replaced by the first value in the <var title="">arguments</var> array, and generally the <var title="">n</var>th <code title="">?</code> placeholder gets
replaced by the <var title="">n</var>th value in the <var title="">arguments</var> array.)</p>
+ <p class=note>Substitutions for <code title="">?</code>
+ placeholders are done at the literal level, not as string
+ concatenations, so this provides a way to dynamically insert
+ parameters into a statement without risk of a SQL injection
+ attack.</p>
+
<p>If the second argument is omitted or null, then treat the <var title="">arguments</var> array as empty.</p>
<p>The result is <i>the statement</i>.</p>
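Review bot: the replacement rule in this hunk says the nth `?` placeholder is replaced by the nth value in `arguments`, but nothing in the visible step covers a count mismatch: too few values leaves a `?` with nothing to bind, and surplus values are silently unused. Since the next step already normalises a null or omitted second argument to an empty array, this is the natural place to add the check, e.g. "If the number of `?` placeholders does not equal the length of the `arguments` array, raise the appropriate error and abort these steps", rather than leaving the behaviour to each implementation.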
Modified: source
===================================================================
--- source 2008-11-26 06:46:24 UTC (rev 2456)
+++ source 2008-11-26 09:32:12 UTC (rev 2457)
@@ -43071,7 +43071,7 @@
methods invoke callbacks with <code>SQLTransaction</code>
objects.</p>
- <pre class="idl">typedef sequence<Object> <dfn>ObjectArray</dfn>;
+ <pre class="idl">typedef sequence<any> <dfn>ObjectArray</dfn>;
interface <dfn>SQLTransaction</dfn> {
void <span title="dom-sqltransaction-executeSql">executeSql</span>(in DOMString sqlStatement);
@@ -43111,9 +43111,9 @@
can be added to a failed transaction.)</p></li>
<li><p>Parse the first argument to the method (<var
- title="">sqlStatement</var>) as an SQL statement, with the
+ title="">sqlStatement</var>) as a SQL statement, with the
exception that <code title="">?</code> characters can be used in
- place of literals in the statement. <a
+ place of SQL literals in the statement. <a
href="#refsSQL">[SQL]</a></p></li>
<li>
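Review bot: switching "an SQL statement" to "a SQL statement" changes the pronunciation convention for the abbreviation, so it should be applied uniformly; check the rest of source for remaining "an SQL" occurrences before landing. The second change, "literals" to "SQL literals", is a useful tightening: it reads as allowing `?` only where a literal value could appear, not in place of identifiers or keywords, which is the property the later injection note relies on.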
@@ -43127,6 +43127,12 @@
replaced by the <var title="">n</var>th value in the <var
title="">arguments</var> array.)</p>
+ <p class="note">Substitutions for <code title="">?</code>
+ placeholders are done at the literal level, not as string
+ concatenations, so this provides a way to dynamically insert
+ parameters into a statement without risk of a SQL injection
+ attack.</p>
+
<p>If the second argument is omitted or null, then treat the <var
title="">arguments</var> array as empty.</p>