[whatwg] Couple comments on Database storage spec.
ian at hixie.ch
Wed Oct 24 15:38:37 PDT 2007
On Wed, 17 Oct 2007, Jonas Sicking wrote:
> > Yeah. I think having quote() might do as much damage by encouraging
> > people to write codepaths that need it as it might help by having
> > people writing those codepaths anyway be saved (if, that is, they know
> > to be saved).
> > What would be cool is if we could detect, through tainting, the bad
> > codepaths. But I see no way to do that here.
> If people write codepaths that need quote(), but use quote()
> appropriately then I don't see any harm done, so I'm not sure what
> specifically you are worried about here?
I'm worried about people seeing quote(), going the path of using quote(),
and then forgetting to use it.
> I think not having quote will make people write their own, and every so
> often fail at it. People that don't think about the possibility of
> getting exploited aren't going to use neither '?' nor quote() so they
> are hosed either way.
If we include examples for how to do this (embedding ? directly into the
query and adding the stuff to the array), will that work? It's easier to
do than quoting.
> What are we trying to prevent here. The page can only attack data it
> owns, so the only thing I can think of is preventing bugs. Though that
> is certainly not unimportant.
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
More information about the whatwg