W3C home > Mailing lists > Public > public-html-commits@w3.org > August 2009

html5/webdatabase Overview.html,1.17,1.18

From: Ian Hickson via cvs-syncmail <cvsmail@w3.org>
Date: Tue, 18 Aug 2009 05:14:48 +0000
To: public-html-commits@w3.org
Message-Id: <E1MdH20-0008AM-PM@lionel-hutz.w3.org>
Update of /sources/public/html5/webdatabase
In directory hutz:/tmp/cvs-serv31376

Modified Files:
	Overview.html 
Log Message:
A brief introduction to avoiding sql injection. (whatwg r3654)

Index: Overview.html
===================================================================
RCS file: /sources/public/html5/webdatabase/Overview.html,v
retrieving revision 1.17
retrieving revision 1.18
diff -u -d -r1.17 -r1.18
--- Overview.html	18 Aug 2009 05:00:18 -0000	1.17
+++ Overview.html	18 Aug 2009 05:14:46 -0000	1.18
@@ -302,8 +302,8 @@
 
 function showDocCount(db, span) {
   db.readTransaction(function (t) {
-    t.executeSql('SELECT COUNT(*) FROM docids', [], function (t, r) {
-      span.textContent = rows.count;
+    t.executeSql('SELECT COUNT(*) AS c FROM docids', [], function (t, r) {
+      span.textContent = r.rows[0].c;
     }, function (t, e) {
       // couldn't read database
       span.textContent = '(unknown: ' + e.message + ')';
@@ -318,36 +318,76 @@
 }, function (e) {
   // error getting database
   alert(e.message);
-});</pre><!-- XXX
-include an example that does something like the following to show
-you should never embed strings straight into the statement, even when you
-have a variable and unknowable number of literals coming:
-   var q = "";
-   for each (var i in array)
-     q += (q == "" ? "" : ", ") + "?";
-   executeSql('SELECT rowid FROM t WHERE c IN (' + q + ')', array, ...);
---><h2 id="conformance-requirements"><span class="secno">2 </span>Conformance requirements</h2><p>All diagrams, examples, and notes in this specification are
+});</pre><hr><p>The <code title="dom-sqltransaction-executeSql"><a href="#dom-sqltransaction-executesql">executeSql()</a></code> method has
+  an argument intended to allow variables to be substituted into
+  statements without risking SQL injection vulnerabilities:<pre>db.readTransaction(function (t) {
+  t.executeSql('SELECT title, author FROM docs WHERE id=?', [id], function (t, data) {
+    report(data.rows[0].title, data.rows[0].author);
+  });
+});
+
+  <hr><p>Sometimes, there might be an arbitrary number of variables to
+  substitute in. Even in these case, the right solution is to
+  construct the query using only "?" characters, and then to pass the
+  variables in as the second argument:</p>
+
+<pre>function findDocs(db, resultCallback) {
+  var q = "";
+  for each (var i in labels)
+    q += (q == "" ? "" : ", ") + "?";
+  db.readTransaction(function (t) {
+    t.executeSql('SELECT id FROM docs WHERE label IN (' + q + ')', labels, function (t, data) {
+      resultCallback(data);
+    });
+  });
+}</pre>
+
+
+
+
+  <h2 id="conformance-requirements"><span class="secno">2 </span>Conformance requirements</h2>
+
+  <p>All diagrams, examples, and notes in this specification are
   non-normative, as are all sections explicitly marked non-normative.
-  Everything else in this specification is normative.<p>The key words "MUST", "MUST NOT", "REQUIRED", <!--"SHALL", "SHALL
+  Everything else in this specification is normative.</p>
+
+  <p>The key words "MUST", "MUST NOT", "REQUIRED", <!--"SHALL", "SHALL
   NOT",--> "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and
   "OPTIONAL" in the normative parts of this document are to be
   interpreted as described in RFC2119. For readability, these words do
-  not appear in all uppercase letters in this specification. <a href="#refsRFC2119">[RFC2119]</a><p>Requirements phrased in the imperative as part of algorithms
+  not appear in all uppercase letters in this specification. <a href="#refsRFC2119">[RFC2119]</a></p>
+
+  <p>Requirements phrased in the imperative as part of algorithms
   (such as "strip any leading space characters" or "return false and
   abort these steps") are to be interpreted with the meaning of the
   key word ("must", "should", "may", etc) used in introducing the
-  algorithm.<p>Some conformance requirements are phrased as requirements on
+  algorithm.</p>
+
+  <p>Some conformance requirements are phrased as requirements on
   attributes, methods or objects. Such requirements are to be
-  interpreted as requirements on user agents.<p>Conformance requirements phrased as algorithms or specific steps
+  interpreted as requirements on user agents.</p>
+
+  <p>Conformance requirements phrased as algorithms or specific steps
   may be implemented in any manner, so long as the end result is
   equivalent. (In particular, the algorithms defined in this
   specification are intended to be easy to follow, and not intended to
-  be performant.)<p>The only conformance class defined by this specification is user
-  agents.<p>User agents may impose implementation-specific limits on
+  be performant.)</p>
+
+  <p>The only conformance class defined by this specification is user
+  agents.</p>
+
+  <p>User agents may impose implementation-specific limits on
   otherwise unconstrained inputs, e.g. to prevent denial of service
   attacks, to guard against running out of memory, or to work around
-  platform-specific limitations.<h3 id="dependencies"><span class="secno">2.1 </span>Dependencies</h3><p>This specification relies on several other underlying
-  specifications.<dl><dt>HTML5</dt>
+  platform-specific limitations.</p>
+
+
+  <h3 id="dependencies"><span class="secno">2.1 </span>Dependencies</h3>
+
+  <p>This specification relies on several other underlying
+  specifications.</p>
+
+  </pre><dl><dt>HTML5</dt>
 
    <dd>
 
Received on Tuesday, 18 August 2009 05:14:58 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 18 August 2009 05:14:58 GMT