[whatwg] Couple comments on Database storage spec.

Jonas Sicking jonas at sicking.cc
Fri Oct 26 10:52:06 PDT 2007


Ian Hickson wrote:
>> I think not having quote will make people write their own, and every so 
>> often fail at it. People that don't think about the possibility of 
>> getting exploited aren't going to use either '?' or quote(), so they 
>> are hosed either way.
> 
> If we include examples for how to do this (embedding ? directly into the 
> query and adding the stuff to the array), will that work? It's easier to 
> do than quoting.

It does sound like a good idea to make all examples use the '?' syntax. 
I still think that providing a quote() implementation would do more good 
than harm, but admittedly I don't care that much. Especially given that 
the worst that can happen is bugs and not security breaches.

/ Jonas
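The three options discussed in this thread side by side, as an added example that is not part of the original thread or the spec: splicing user input into the statement text, a home-grown quote(), and the '?' placeholder with the value in the args array. The `notes` table, the `author` column, the PAYLOAD string and the helper names are assumptions made for the illustration; the browser API is not called, only the (sql, args) pair that executeSql takes is mirrored so the block runs stand-alone in Node.

```javascript
// Added example, not code from the whatwg thread or from any browser engine.
// The {sql, args} objects below have the shape passed to executeSql as
// tx.executeSql(stmt.sql, stmt.args, callback); nothing here opens a database.

// SQLite's rule: a single quote inside a literal is written as two quotes.
// Backslash is not an escape character in SQLite.
function sqliteQuote(value) {
  return "'" + String(value).replace(/'/g, "''") + "'";
}

// The kind of home-grown quote() the thread worries about: MySQL/addslashes
// style backslash escaping. SQLite treats the backslash as an ordinary
// character, so the injected quote still closes the literal.
function badQuote(value) {
  return "'" + String(value).replace(/'/g, "\\'") + "'";
}

// Vulnerable: user input spliced straight into the statement text.
function buildConcatenated(name) {
  return { sql: "SELECT * FROM notes WHERE author = '" + name + "'", args: [] };
}

// Quoting, with whichever quote() the caller supplies.
function buildWithQuote(name, quote) {
  return { sql: "SELECT * FROM notes WHERE author = " + quote(name), args: [] };
}

// What the thread recommends: '?' in the statement, the value in the array.
// The text handed to the engine is constant, so nothing in `name` is parsed
// as SQL regardless of its content.
function buildParameterized(name) {
  return { sql: "SELECT * FROM notes WHERE author = ?", args: [name] };
}

// Collapse single-quoted literals (SQLite rules: '' is an escaped quote,
// backslash is ordinary) and return what the parser sees as actual SQL.
// An unterminated literal is returned as far as it was scanned; a real
// engine would raise a syntax error at that point.
function sqlOutsideLiterals(sql) {
  let out = "";
  let i = 0;
  while (i < sql.length) {
    if (sql[i] !== "'") {
      out += sql[i++];
      continue;
    }
    i++; // opening quote
    for (;;) {
      if (i >= sql.length) return out; // unterminated literal
      if (sql[i] === "'") {
        if (sql[i + 1] === "'") { i += 2; continue; } // escaped quote
        i++; // closing quote
        break;
      }
      i++;
    }
    out += "'...'";
  }
  return out;
}

// True when `fragment` ends up in the SQL the engine parses, i.e. outside
// any string literal. Values in the args array are never SQL text.
function isInjected(stmt, fragment) {
  return sqlOutsideLiterals(stmt.sql).includes(fragment);
}

// Constructed attacker-controlled value for the demonstration.
const PAYLOAD = "x' OR 1=1 --";

const cases = {
  concatenated: buildConcatenated(PAYLOAD),
  badQuote: buildWithQuote(PAYLOAD, badQuote),
  sqliteQuote: buildWithQuote(PAYLOAD, sqliteQuote),
  parameterized: buildParameterized(PAYLOAD),
};

for (const [label, stmt] of Object.entries(cases)) {
  console.log(label, "->", isInjected(stmt, "OR 1=1") ? "INJECTED" : "safe",
              "|", sqlOutsideLiterals(stmt.sql));
}
```

A correct quote() for this engine does hold up here, which is Jonas's point that a provided one would do more good than harm; the backslash variant shows how a home-grown one "every so often fails at it", while the '?' form needs no quoting decision at all because the statement text never carries the value.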


