
[webdatabase] wording on "Parsing and processing SQL statements" section

From: João Eiras <joaoe@opera.com>
Date: Fri, 25 Sep 2009 16:11:57 +0200
To: "public-webapps@w3.org" <public-webapps@w3.org>
Message-ID: <op.u0tgd7ls2q99of@id-c0981>


In section "4.2 Parsing and processing SQL statements", point 2 starts as
"Replace each ? placeholder" but then says later "Note: Substitutions for
? placeholders are done at the literal level, not as string
By using the word "replace", that execution step may cause confusion, as
I've seen, about people thinking it might be related to some sort of
concatenation, although the specification clearly clarifies that's not the
intended result.

I would reword step 2 and the clarification as:

"Bind each ? placeholder with the value of the argument in the arguments
array with the same position. (So the first ? placeholder is bound to the
first value in the arguments array, and generally the nth ? placeholder
gets bound to the nth value in the arguments array.)
By binding, the result of the query must be the same as if the arguments
had been literally replaced in the SQL string, although this latter
practice is not recommended because it may risk SQL injection attacks."

Using Bind for Replace makes it much more clear.


João Eiras
Core Developer, Opera Software ASA, http://www.opera.com/
Received on Friday, 25 September 2009 14:12:38 UTC
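As an added example (not from the thread or the specification), the toy JavaScript binder below illustrates what "at the literal level" means: each ? outside a string literal is rendered as a typed SQL literal, so a quote inside an argument stays inside its literal. The function names are my own, and a real Web SQL engine binds arguments internally rather than producing text.

```javascript
// Render one JavaScript value as a SQL literal of the matching type.
function toSqlLiteral(value) {
  if (value === null || value === undefined) return "NULL";
  if (typeof value === "number") {
    if (!Number.isFinite(value)) throw new TypeError("non-finite number cannot be bound");
    return String(value);
  }
  if (typeof value === "boolean") return value ? "1" : "0";
  // Strings become single-quoted literals with embedded quotes doubled,
  // so a quote in the value cannot end the literal early.
  return "'" + String(value).replace(/'/g, "''") + "'";
}

// Walk the statement once; a ? inside a quoted string literal is data,
// not a placeholder, so only the ? characters outside quotes are bound.
function bindPlaceholders(sql, args) {
  let out = "";
  let argIndex = 0;
  let inString = false;
  for (let i = 0; i < sql.length; i++) {
    const ch = sql[i];
    if (inString) {
      out += ch;
      if (ch === "'") {
        if (sql[i + 1] === "'") { out += "'"; i++; } // doubled quote stays in the literal
        else inString = false;
      }
    } else if (ch === "'") {
      inString = true;
      out += ch;
    } else if (ch === "?") {
      if (argIndex >= args.length) throw new RangeError("fewer arguments than ? placeholders");
      out += toSqlLiteral(args[argIndex++]);
    } else {
      out += ch;
    }
  }
  if (argIndex !== args.length) throw new RangeError("more arguments than ? placeholders");
  return out;
}
```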
