[whatwg] Couple comments on Database storage spec.

[timeless]

On 10/18/07, Ian Hickson <ian at hixie.ch> wrote:
> What would be cool is if we could detect, through tainting, the bad
> codepaths. But I see no way to do that here.

could you simply require that all sql statements be of the form:

"X = ?" instead of "X = 1"

i.e., any attempt to not use parameterized expressions throws?

I know it's possible to screw this up, but would it at least be hard enough?