[whatwg] SQL section feedback
giecrilj at stegny.2a.pl
Thu May 8 09:54:40 PDT 2008
I think it is safest not to replace the placeholders at all; the data server
engine should accept queries with parameters (submitted separately).
From: whatwg-bounces at lists.whatwg.org
[mailto:whatwg-bounces at lists.whatwg.org] On Behalf Of Ian Hickson
Sent: Wednesday, May 07, 2008 7:15 AM
To: WHATWG Mailing List
Subject: [whatwg] SQL section feedback
> - 4.11.3 defines that placeholders simply have to be replaced with
> values from the arguments array. As I understand, this does not per se
> ban SQL injections. Will the spec define *how* to replace placeholders,
> including how to escape and quote values?
Yeah, this will be defined when we define the SQL language subset.
On Tue, 26 Feb 2008, Ralf Stoltze wrote:
> So step 3 "Replace each ? placeholder" can be skipped if the underlying
> DB architecture already has a similar mechanism.
Well, the "underlying DB architecture" is part of the UA, so the UA is
still doing step 3. I don't really care how. :-)
More information about the whatwg