[whatwg] Couple comments on Database storage spec.
jonas at sicking.cc
Fri Oct 26 10:52:06 PDT 2007
Ian Hickson wrote:
>> I think not having quote will make people write their own, and every so
>> often fail at it. People that don't think about the possibility of
>> getting exploited aren't going to use neither '?' nor quote() so they
>> are hosed either way.
> If we include examples for how to do this (embedding ? directly into the
> query and adding the stuff to the array), will that work? It's easier to
> do than quoting.
It does sound like a good idea to make all examples use the '?' syntax.
I still think that providing a quote() implementation would do more good
than harm, but admittedly I don't care that much. Especially given that
the worst that can happen is bugs and not security breaches.
More information about the whatwg