- From: poot <cvsmail@w3.org>
- Date: Wed, 26 Nov 2008 18:35:02 +0900 (JST)
- To: public-html-diffs@w3.org
SQL: Clarify how ?-substitution happens, clarify that an ObjectArray is
really an 'any' array. (whatwg r2457)
5.10.2.3 Executing SQL statements
http://people.w3.org/mike/diffs/html5/spec/Overview.1.1629.html#executing-sql-statements
executeSql(sqlStatement, arguments, callback, errorCallback)
http://people.w3.org/mike/diffs/html5/spec/Overview.1.1629.html#dom-sqltransaction-executesql
SQLTransaction
http://people.w3.org/mike/diffs/html5/spec/Overview.1.1629.html#sqltransaction
ObjectArray
http://people.w3.org/mike/diffs/html5/spec/Overview.1.1629.html#objectarray
http://people.w3.org/mike/diffs/html5/spec/Overview.diff.html
http://dev.w3.org/cvsweb/html5/spec/Overview.html?r1=1.1628&r2=1.1629&f=h
http://html5.org/tools/web-apps-tracker?from=2456&to=2457
===================================================================
RCS file: /sources/public/html5/spec/Overview.html,v
retrieving revision 1.1628
retrieving revision 1.1629
diff -u -d -r1.1628 -r1.1629
--- Overview.html 26 Nov 2008 06:46:28 -0000 1.1628
+++ Overview.html 26 Nov 2008 09:32:16 -0000 1.1629
@@ -30599,7 +30599,7 @@
</ol><h5 id=executing-sql-statements><span class=secno>5.10.2.3 </span>Executing SQL statements</h5><p>The <code title=dom-database-transaction><a href=#dom-database-transaction>transaction()</a></code>
and <code title=dom-database-changeVersion><a href=#dom-database-changeversion>changeVersion()</a></code>
methods invoke callbacks with <code><a href=#sqltransaction>SQLTransaction</a></code>
- objects.<pre class=idl>typedef sequence<Object> <dfn id=objectarray>ObjectArray</dfn>;
+ objects.<pre class=idl>typedef sequence<any> <dfn id=objectarray>ObjectArray</dfn>;
interface <dfn id=sqltransaction>SQLTransaction</dfn> {
void <a href=#dom-sqltransaction-executesql title=dom-sqltransaction-executeSql>executeSql</a>(in DOMString sqlStatement);
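Review bot: Widening `ObjectArray` from `sequence<Object>` to `sequence<any>` makes primitives (strings, numbers, booleans, null) legal array members, but the visible text never says how each kind of `any` value is turned into a SQL literal; the prose around `executeSql()` should state that mapping (which JavaScript values become SQL NULL, how numbers and strings are typed) so implementations agree, since the later note in this same change relies on substitution happening "at the literal level". Also, if this `<pre class=idl>` block is the literal source rather than a rendered view, the angle bracket in `sequence<any>` needs to be `&lt;`, or the HTML parser will treat `<any>` as a start tag.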
@@ -30628,9 +30628,9 @@
only called once a transaction has failed, and no SQL statements
can be added to a failed transaction.)</li>
- <li><p>Parse the first argument to the method (<var title="">sqlStatement</var>) as an SQL statement, with the
+ <li><p>Parse the first argument to the method (<var title="">sqlStatement</var>) as a SQL statement, with the
exception that <code title="">?</code> characters can be used in
- place of literals in the statement. <a href=#references>[SQL]</a></li>
+ place of SQL literals in the statement. <a href=#references>[SQL]</a></li>
<li>
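Review bot: "in place of SQL literals" is the right restriction, but it should be stated explicitly that `?` is not accepted where an identifier (table or column name), keyword or operator would go, so authors are not led to expect parameterization to cover those positions; dynamic identifiers still have to be validated by the script, and the security note added later in this change depends on that limitation being clear. Minor: the switch from "an SQL" to "a SQL" should be applied consistently across the rest of the section, otherwise the spec will mix both forms.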
@@ -30640,6 +30640,12 @@
placeholder gets replaced by the first value in the <var title="">arguments</var> array, and generally the <var title="">n</var>th <code title="">?</code> placeholder gets
replaced by the <var title="">n</var>th value in the <var title="">arguments</var> array.)</p>
+ <p class=note>Substitutions for <code title="">?</code>
+ placeholders are done at the literal level, not as string
+ concatenations, so this provides a way to dynamically insert
+ parameters into a statement without risk of a SQL injection
+ attack.</p>
+
<p>If the second argument is omitted or null, then treat the <var title="">arguments</var> array as empty.</p>
<p>The result is <i>the statement</i>.</p>
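Review bot: "without risk of a SQL injection attack" in the new note overstates what `?` substitution guarantees: binding at the literal level ensures that a value from `arguments` cannot change the structure of the statement, but it does nothing about the statement text itself being assembled from untrusted input before `executeSql()` is called (a table name or an ORDER BY column, for instance, cannot be passed as a `?` parameter at all). Suggest rewording along the lines of: "so values passed in the arguments array are always treated as literals and cannot alter the structure of the statement; the statement text itself must still not be built from untrusted input." It would also help to say what happens when the number of `?` placeholders differs from the length of `arguments`, if that is not already defined elsewhere in the section.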
Received on Wednesday, 26 November 2008 09:35:41 UTC