[whatwg] SQL section feedback

Křištof Želechovski giecrilj at stegny.2a.pl
Thu May 8 09:54:40 PDT 2008


I think it is safest not to replace the placeholders at all; the data server
engine should accept queries with parameters (submitted separately).

Chris

-----Original Message-----
From: whatwg-bounces at lists.whatwg.org
[mailto:whatwg-bounces at lists.whatwg.org] On Behalf Of Ian Hickson
Sent: Wednesday, May 07, 2008 7:15 AM
To: WHATWG Mailing List
Subject: [whatwg] SQL section feedback


> - 4.11.3 defines that placeholders simply have to be replaced with 
> values from the arguments array. As I understand, this does not per se 
> ban SQL injections. Will the spec define *how* to replace placeholders, 
> including how to escape and quote values?

Yeah, this will be defined when we define the SQL language subset.

On Tue, 26 Feb 2008, Ralf Stoltze wrote:
> 
> So step 3 "Replace each ? placeholder" can be skipped if the underlying 
> DB architecture already has a similar mechanism.

Well, the "underlying DB architecture" is part of the UA, so the UA is 
still doing step 3. I don't really care how. :-)
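
The distinction Chris draws, as an added example (not code from this thread, the WHATWG spec or any UA): a Python model of step 3 done by textual substitution of each `?` against a UA that hands the arguments array to the SQLite engine separately. The table, its rows and both test inputs are constructed for the demonstration.

```python
import sqlite3

SQL_ONE = "SELECT body FROM notes WHERE owner = ?"
SQL_TWO = "SELECT body FROM notes WHERE owner = ? AND body = ?"

def make_db():
    """Constructed in-memory SQLite database standing in for the UA's store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (owner TEXT, body TEXT)")
    conn.executemany("INSERT INTO notes VALUES (?, ?)",
                     [("alice", "alice note"), ("bob", "bob note")])
    return conn

def naive_replace(sql, args):
    """Step 3 read literally: substitute each ? in the SQL text with the
    quoted argument. This is the behaviour the thread warns about."""
    for value in args:
        sql = sql.replace("?", "'" + str(value) + "'", 1)
    return sql

def query_naive(conn, sql, args):
    """Textual substitution, then execution of the resulting string."""
    return conn.execute(naive_replace(sql, args)).fetchall()

def query_bound(conn, sql, args):
    """Parameters handed to the engine separately: the SQL text is parsed
    before any argument is seen, so an argument can never become SQL."""
    return conn.execute(sql, list(args)).fetchall()

def demo():
    conn = make_db()
    # Constructed argument containing a quote: under substitution the quote
    # closes the literal and the remainder is parsed as part of the query.
    quoted_arg = "x' OR 'a'='a"
    # Constructed argument containing a literal '?': sequential substitution
    # then rewrites the '?' that the first argument itself introduced.
    question_arg = "who?"
    return {
        "naive_rows": len(query_naive(conn, SQL_ONE, [quoted_arg])),
        "bound_rows": len(query_bound(conn, SQL_ONE, [quoted_arg])),
        "naive_text": naive_replace(SQL_TWO, [question_arg, "x"]),
    }

if __name__ == "__main__":
    print(demo())
```

With substitution the quoted argument returns every row and the `?`-containing argument corrupts the statement before it is even run; with bound parameters the same inputs are plain string values.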
