
[whatwg] Couple comments on Database storage spec.

From: timeless <timeless@gmail.com>
Date: Thu, 18 Oct 2007 01:51:04 +0300
Message-ID: <26b395e60710171551x2b99fbbbnd46919eada325b9d@mail.gmail.com>
On 10/18/07, Ian Hickson <ian at hixie.ch> wrote:
> What would be cool is if we could detect, through tainting, the bad
> codepaths. But I see no way to do that here.

Could you simply require that all SQL statements be of the form:

"X = ?" instead of "X = 1"

I.e., any attempt to not use parameterized expressions throws?

I know it's possible to screw this up, but would it at least be hard enough?
Received on Wednesday, 17 October 2007 15:51:04 UTC
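A guard along the lines timeless proposes, as an added example rather than code from the thread or from the Web Database spec: it throws on any statement that carries an inline literal and forwards only `?`-parameterized statements to an executeSql-style call. `findInlineLiterals`, `safeExecuteSql` and the stand-in transaction object are hypothetical names.

```javascript
// Added example (not from the thread or the Web Database spec): a guard that
// implements the proposal above by throwing on any statement that carries an
// inline literal instead of a ? placeholder. All names here are hypothetical.

// Return every inline literal found in `sql`: single-quoted strings (with ''
// escapes) and numbers that are not part of an identifier or a ?NNN placeholder.
function findInlineLiterals(sql) {
  const literals = [];
  let i = 0;
  while (i < sql.length) {
    const c = sql[i];
    if (c === "'") {                                  // string literal
      const start = i++;
      while (i < sql.length && !(sql[i] === "'" && sql[i + 1] !== "'")) {
        i += sql[i] === "'" ? 2 : 1;                  // '' is an escaped quote
      }
      literals.push(sql.slice(start, ++i));
    } else if (c === "-" && sql[i + 1] === "-") {     // -- comment to end of line
      while (i < sql.length && sql[i] !== "\n") i++;
    } else if (c === "?") {                           // ? or ?NNN placeholder: allowed
      i++;
      while (i < sql.length && /[0-9]/.test(sql[i])) i++;
    } else if (/[0-9]/.test(c) && !/[A-Za-z0-9_]/.test(sql[i - 1] || "")) {
      const start = i;                                // numeric literal (not e.g. col1)
      while (i < sql.length && /[0-9.]/.test(sql[i])) i++;
      literals.push(sql.slice(start, i));
    } else {
      i++;
    }
  }
  return literals;
}

// Throw unless the statement is fully parameterized and the argument count
// matches the number of ? placeholders (repeated ?NNN tokens are counted twice).
function assertParameterized(sql, args = []) {
  const literals = findInlineLiterals(sql);
  if (literals.length > 0) {
    throw new Error("inline literals in SQL, use ? placeholders: " + literals.join(", "));
  }
  const placeholders = (sql.match(/\?/g) || []).length;
  if (placeholders !== args.length) {
    throw new Error(`expected ${placeholders} argument(s), got ${args.length}`);
  }
}

// Wrapper for an executeSql-style call (tx.executeSql(sql, args, ...)).
function safeExecuteSql(tx, sql, args = []) {
  assertParameterized(sql, args);
  return tx.executeSql(sql, args);
}

// Constructed stand-in for a SQLTransaction so the example runs offline.
const fakeTx = { executeSql: (sql, args) => ({ sql, args }) };
console.log(safeExecuteSql(fakeTx, "SELECT name FROM users WHERE id = ?", [42]));
```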
