- From: poot <cvsmail@w3.org>
- Date: Tue, 18 Aug 2009 14:15:07 +0900 (JST)
- To: public-html-diffs@w3.org
hixie: A brief introduction to avoiding sql injection. (whatwg r3654)
http://dev.w3.org/cvsweb/html5/webdatabase/Overview.html?r1=1.17&r2=1.18&f=h
http://html5.org/tools/web-apps-tracker?from=3653&to=3654
===================================================================
RCS file: /sources/public/html5/webdatabase/Overview.html,v
retrieving revision 1.17
retrieving revision 1.18
diff -u -d -r1.17 -r1.18
--- Overview.html 18 Aug 2009 05:00:18 -0000 1.17
+++ Overview.html 18 Aug 2009 05:14:46 -0000 1.18
@@ -302,8 +302,8 @@
function showDocCount(db, span) {
db.readTransaction(function (t) {
- t.executeSql('SELECT COUNT(*) FROM docids', [], function (t, r) {
- span.textContent = rows.count;
+ t.executeSql('SELECT COUNT(*) AS c FROM docids', [], function (t, r) {
+ span.textContent = r.rows[0].c;
}, function (t, e) {
// couldn't read database
span.textContent = '(unknown: ' + e.message + ')';
@@ -318,36 +318,76 @@
}, function (e) {
// error getting database
alert(e.message);
-});</pre><!-- XXX
-include an example that does something like the following to show
-you should never embed strings straight into the statement, even when you
-have a variable and unknowable number of literals coming:
- var q = "";
- for each (var i in array)
- q += (q == "" ? "" : ", ") + "?";
- executeSql('SELECT rowid FROM t WHERE c IN (' + q + ')', array, ...);
---><h2 id="conformance-requirements"><span class="secno">2 </span>Conformance requirements</h2><p>All diagrams, examples, and notes in this specification are
+});</pre><hr><p>The <code title="dom-sqltransaction-executeSql"><a href="#dom-sqltransaction-executesql">executeSql()</a></code> method has
+ an argument intended to allow variables to be substituted into
+ statements without risking SQL injection vulnerabilities:<pre>db.readTransaction(function (t) {
+ t.executeSql('SELECT title, author FROM docs WHERE id=?', [id], function (t, data) {
+ report(data.rows[0].title, data.rows[0].author);
+ });
+});
+
+ <hr><p>Sometimes, there might be an arbitrary number of variables to
+ substitute in. Even in these case, the right solution is to
+ construct the query using only "?" characters, and then to pass the
+ variables in as the second argument:</p>
+
+<pre>function findDocs(db, resultCallback) {
+ var q = "";
+ for each (var i in labels)
+ q += (q == "" ? "" : ", ") + "?";
+ db.readTransaction(function (t) {
+ t.executeSql('SELECT id FROM docs WHERE label IN (' + q + ')', labels, function (t, data) {
+ resultCallback(data);
+ });
+ });
+}</pre>
+
+
+
+
+ <h2 id="conformance-requirements"><span class="secno">2 </span>Conformance requirements</h2>
+
+ <p>All diagrams, examples, and notes in this specification are
non-normative, as are all sections explicitly marked non-normative.
- Everything else in this specification is normative.<p>The key words "MUST", "MUST NOT", "REQUIRED", <!--"SHALL", "SHALL
+ Everything else in this specification is normative.</p>
+
+ <p>The key words "MUST", "MUST NOT", "REQUIRED", <!--"SHALL", "SHALL
NOT",--> "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and
"OPTIONAL" in the normative parts of this document are to be
interpreted as described in RFC2119. For readability, these words do
- not appear in all uppercase letters in this specification. <a href="#refsRFC2119">[RFC2119]</a><p>Requirements phrased in the imperative as part of algorithms
+ not appear in all uppercase letters in this specification. <a href="#refsRFC2119">[RFC2119]</a></p>
+
+ <p>Requirements phrased in the imperative as part of algorithms
(such as "strip any leading space characters" or "return false and
abort these steps") are to be interpreted with the meaning of the
key word ("must", "should", "may", etc) used in introducing the
- algorithm.<p>Some conformance requirements are phrased as requirements on
+ algorithm.</p>
+
+ <p>Some conformance requirements are phrased as requirements on
attributes, methods or objects. Such requirements are to be
- interpreted as requirements on user agents.<p>Conformance requirements phrased as algorithms or specific steps
+ interpreted as requirements on user agents.</p>
+
+ <p>Conformance requirements phrased as algorithms or specific steps
may be implemented in any manner, so long as the end result is
equivalent. (In particular, the algorithms defined in this
specification are intended to be easy to follow, and not intended to
- be performant.)<p>The only conformance class defined by this specification is user
- agents.<p>User agents may impose implementation-specific limits on
+ be performant.)</p>
+
+ <p>The only conformance class defined by this specification is user
+ agents.</p>
+
+ <p>User agents may impose implementation-specific limits on
otherwise unconstrained inputs, e.g. to prevent denial of service
attacks, to guard against running out of memory, or to work around
- platform-specific limitations.<h3 id="dependencies"><span class="secno">2.1 </span>Dependencies</h3><p>This specification relies on several other underlying
- specifications.<dl><dt>HTML5</dt>
+ platform-specific limitations.</p>
+
+
+ <h3 id="dependencies"><span class="secno">2.1 </span>Dependencies</h3>
+
+ <p>This specification relies on several other underlying
+ specifications.</p>
+
+ </pre><dl><dt>HTML5</dt>
<dd>
Received on Tuesday, 18 August 2009 05:15:44 UTC