- From: Ian Hickson <ian@hixie.ch>
- Date: Tue, 1 Dec 2009 02:13:38 +0000 (UTC)
- To: João Eiras <joaoe@opera.com>
- Cc: "public-webapps@w3.org" <public-webapps@w3.org>
- Message-ID: <Pine.LNX.4.62.0912010211260.4718@hixie.dreamhostps.com>
On Fri, 25 Sep 2009, João Eiras wrote:
>
> In section "4.2 Parsing and processing SQL statements", point 2 starts as
> "Replace each ? placeholder" but then says later "Note: Substitutions for
> ? placeholders are done at the literal level, not as string
> concatenations".
> By using the word "replace", that execution step may cause confusion, as
> I've seen, about people thinking it might be related to some sort of
> concatenation, although the specification clearly clarifies that's not the
> intended result.
>
> I would reword step 2 and the clarification as:
>
> "Bind each ? placeholder with the value of the argument in the arguments
> array with the same position. (So the first ? placeholder is bound to the
> first value in the arguments array, and generally the nth ? placeholder
> gets bound by the nth value in the arguments array.)
> By binding, the result of the query must be the same as if the arguments
> had been literally replaced on the sql string, although this latter
> practice is not recommended because it may risk SQL injection attacks."
>
> Using Bind for Replace makes it much more clear.

Done.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
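The binding step the reworded text describes, as an added example that is not code from this thread or from the Web SQL specification: a small model of binding each ? placeholder "at the literal level", placed next to the plain string concatenation the wording "replace" suggested. The function names are my own, and the model assumes a ? inside a quoted SQL string literal is text rather than a placeholder.

```javascript
// Added example; function names are mine, not the spec's or any browser's.

// Render one JavaScript value as a SQL literal. Embedded single quotes are
// doubled, so a string value can never terminate its own quotes.
function toSqlLiteral(value) {
  if (value === null || value === undefined) return "NULL";
  if (typeof value === "number") {
    if (!Number.isFinite(value)) throw new TypeError("non-finite number");
    return String(value);
  }
  if (typeof value === "boolean") return value ? "1" : "0";
  return "'" + String(value).replace(/'/g, "''") + "'";
}

// Bind the nth ? to the nth argument. A ? inside a quoted literal is SQL
// text, not a placeholder, and an argument-count mismatch is an error.
function bindPlaceholders(sql, args) {
  let out = "";
  let argIndex = 0;
  for (let i = 0; i < sql.length; i++) {
    const ch = sql[i];
    if (ch === "'") {
      // Copy the quoted literal verbatim; a '' pair is an escaped quote.
      let j = i + 1;
      while (j < sql.length && !(sql[j] === "'" && sql[j + 1] !== "'")) {
        j += sql[j] === "'" ? 2 : 1;
      }
      if (j >= sql.length) throw new SyntaxError("unterminated string literal");
      out += sql.slice(i, j + 1);
      i = j;
    } else if (ch === "?") {
      if (argIndex >= args.length) throw new RangeError("too few arguments");
      out += toSqlLiteral(args[argIndex++]);
    } else {
      out += ch;
    }
  }
  if (argIndex !== args.length) throw new RangeError("too many arguments");
  return out;
}

// The textual replacement the old wording suggested: the value is spliced
// in unchanged, so a quote in the data changes the statement's structure.
function concatenatePlaceholders(sql, args) {
  let argIndex = 0;
  return sql.replace(/\?/g, () => String(args[argIndex++]));
}

// Constructed input: a legitimate name containing an apostrophe.
console.log(bindPlaceholders("SELECT id FROM users WHERE name = ? AND note = 'a?b'", ["O'Brien"]));
console.log(concatenatePlaceholders("SELECT id FROM users WHERE name = '?'", ["O'Brien"]));
```

The bound form yields `name = 'O''Brien'` with the quoted `a?b` untouched, while concatenation yields `name = 'O'Brien'`, a statement whose structure the data has altered.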
Received on Tuesday, 1 December 2009 02:14:07 UTC