[whatwg] Couple comments on Database storage spec.

[Jonas Sicking]

Ian Hickson wrote:
> On Wed, 17 Oct 2007, Scott Hess wrote:
>> Honestly, something like quote() is not necessary.  It's just that 
>> constructing SQL statements via concatenation is a hole I often see 
>> people falling into.  Having quote() allows you to construct safer SQL 
>> statements, but people who construct statements directly rather than 
>> constructing a parallel statement and arg array may be beyond saving.
>>
>> Other cases I've seen where quote() could be used are dynamic 
>> construction of WHERE clauses, something like:
>>
>>    var sql = "SELECT rowid FROM t WHERE name = ?"
>>    if (color) {
>>      sql += " AND color = " + color;
>>    }
>>    ...
>>
>> and comparable constructs for INSERT and UPDATE.  As mentioned, these 
>> can generally be handled by constructing the statement with bind 
>> parameters in parallel to the arg array.  Depending on control flow, 
>> this can be pretty annoying, but my experience with this is mostly in 
>> C/C++, where it's much more annoying to change the types of things.
> 
> Yeah. I think having quote() might do as much damage by encouraging people 
> to write codepaths that need it as it might help by having people writing 
> those codepaths anyway be saved (if, that is, they know to be saved).
> 
> What would be cool is if we could detect, through tainting, the bad 
> codepaths. But I see no way to do that here.

If people write codepaths that need quote(), but use quote() 
appropriately then I don't see any harm done, so I'm not sure what 
specifically you are worried about here?

I think not having quote will make people write their own, and every so 
often fail at it. People that don't think about the possibility of 
getting exploited aren't going to use neither '?' nor quote() so they 
are hosed either way.

What are we trying to prevent here. The page can only attack data it 
owns, so the only thing I can think of is preventing bugs. Though that 
is certainly not unimportant.

/ Jonas