W3C home > Mailing lists > Public > whatwg@whatwg.org > October 2007

[whatwg] Couple comments on Database storage spec.

From: Ian Hickson <ian@hixie.ch>
Date: Wed, 24 Oct 2007 22:38:37 +0000 (UTC)
Message-ID: <Pine.LNX.4.62.0710242226100.10579@hixie.dreamhostps.com>
On Wed, 17 Oct 2007, Jonas Sicking wrote:
> >
> > Yeah. I think having quote() might do as much damage by encouraging 
> > people to write codepaths that need it as it might help by having 
> > people writing those codepaths anyway be saved (if, that is, they know 
> > to be saved).
> > 
> > What would be cool is if we could detect, through tainting, the bad 
> > codepaths. But I see no way to do that here.
> 
> If people write codepaths that need quote(), but use quote() 
> appropriately then I don't see any harm done, so I'm not sure what 
> specifically you are worried about here?

I'm worried about people seeing quote(), going the path of using quote(), 
and then forgetting to use it.


> I think not having quote will make people write their own, and every so 
> often fail at it. People that don't think about the possibility of 
> getting exploited aren't going to use neither '?' nor quote() so they 
> are hosed either way.

If we include examples for how to do this (embedding ? directly into the 
query and adding the stuff to the array), will that work? It's easier to 
do than quoting.


> What are we trying to prevent here. The page can only attack data it 
> owns, so the only thing I can think of is preventing bugs. Though that 
> is certainly not unimportant.

True.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Wednesday, 24 October 2007 15:38:37 UTC

This archive was generated by hypermail 2.3.1 : Monday, 13 April 2015 23:08:37 UTC