
Re: [webdatabase] wording on "Parsing and processing SQL statements" section

From: Ian Hickson <ian@hixie.ch>
Date: Tue, 1 Dec 2009 02:13:38 +0000 (UTC)
To: João Eiras <joaoe@opera.com>
Cc: "public-webapps@w3.org" <public-webapps@w3.org>
Message-ID: <Pine.LNX.4.62.0912010211260.4718@hixie.dreamhostps.com>
On Fri, 25 Sep 2009, João Eiras wrote:
> In section "4.2 Parsing and processing SQL statements", point 2 starts as
> "Replace each ? placeholder" but then says later "Note: Substitutions for
> ? placeholders are done at the literal level, not as string
> concatenations".
> By using the word "replace", that execution step may cause confusion, as
> I've seen, about people thinking it might be related to some sort of
> concatenation, although the specification clearly clarifies that's not the
> intended result.
> I would reword step 2 and the clarification as:
> "Bind each ? placeholder with the value of the argument in the arguments
> array with the same position. (So the first ? placeholder is bound to the
> first value in the arguments array, and generally the nth ? placeholder
> gets bound by the nth value in the arguments array.)
> By binding, the result of the query must be the same as if the arguments
> had been literally replaced on the sql string, although this latter
> practice is not recommended because it may risk SQL injection attacks."
> Using Bind for Replace makes it much more clear.


Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Tuesday, 1 December 2009 02:14:07 UTC
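The distinction the quoted message draws (binding at the literal level versus substituting text into the SQL string) is easiest to see against a real engine. The following is an added example, not code from the original thread or from the Web Database specification; it uses Python's standard `sqlite3` module (the same engine family Web SQL implementations were built on) in place of the browser's `executeSql(sql, args)`, and the table, rows and lookup functions are constructed for illustration. It shows that a bound `?` always yields the same rows as a *correctly quoted* literal substitution, while naive concatenation diverges on inputs containing quotes.

```python
import sqlite3

# Constructed sample data (not from the original page).
ROWS = [(1, "alice", "secret"), (2, "bob", "hunter2")]


def make_db():
    """Build an in-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, note TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    return conn


def lookup_bound(conn, name):
    """Binding: the first ? is bound to the first argument, at the literal level.
    This mirrors executeSql('SELECT ... WHERE name = ?', [name]) in Web SQL."""
    return conn.execute("SELECT id, name FROM users WHERE name = ?", [name]).fetchall()


def lookup_quoted(conn, name):
    """Correct literal replacement: the value is turned into a SQL string literal
    (single quotes doubled) before being placed in the statement. The spec's
    'same as if literally replaced' wording refers to this equivalence."""
    literal = "'" + name.replace("'", "''") + "'"
    return conn.execute("SELECT id, name FROM users WHERE name = " + literal).fetchall()


def lookup_concat(conn, name):
    """Naive concatenation: the practice the message warns against.
    Returns the rows, or the string 'error' if the engine rejects the statement."""
    try:
        return conn.execute("SELECT id, name FROM users WHERE name = '" + name + "'").fetchall()
    except sqlite3.OperationalError:
        return "error"


def compare(name):
    """Run all three strategies on one input and report whether binding and
    correct quoting agree, plus what naive concatenation produced."""
    conn = make_db()
    bound = lookup_bound(conn, name)
    quoted = lookup_quoted(conn, name)
    concat = lookup_concat(conn, name)
    conn.close()
    return {"bound": bound, "quoted": quoted, "concat": concat, "bound_eq_quoted": bound == quoted}


if __name__ == "__main__":
    for sample in ["alice", "O'Brien", "' OR 1=1 --"]:
        print(repr(sample), compare(sample))
```

For a plain name all three agree. For a name containing an apostrophe, binding and correct quoting still agree (no match, since no such user exists) while concatenation produces a syntax error. For the third input, binding treats the whole string as a name to look up and returns nothing, whereas concatenation changes the meaning of the statement and returns every row, which is exactly the risk the proposed wording flags.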
