I think the SQL API should be more explicit on the requirements for a SQL statement.

http://www.whatwg.org/specs/web-apps/current-work/multipage/section-sql.html#executesql

In particular, should the statement (before substitution) be something that a SQL engine could prepare? Are quote marks around the question marks expected and/or required? Is the replacement value restricted to be a single token? Is the final ";" expected or required?

To make that more concrete, which of the following are valid?

Statement = "?"
Arguments = ["select * from mytable;"]

Statement = "sel?table;"
Arguments = ["lect * from my"]

Statement = "select * from mytable where x = ?;"
Arguments = ["1 and y=2"]

Statement = "select * from mytable where x = ?;"
Arguments = ["1;select * from yourtable;"]

/* note the lack of ";" */
Statement = "select * from mytable"

Statement = "select * from mytable where x='?';"
Arguments = ["1';select * from yourtable where y='1"]

-jJ

Received on Thursday, 1 November 2007 03:35:29 UTC
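The six statement/argument pairs above are exactly the cases that separate a prepare-and-bind engine from textual substitution. The script below, added here as an illustration and not part of the original message or of the WHATWG specification, runs each pair through Python's sqlite3 module (SQLite being the engine the Web SQL API was modelled on) and records what the engine does with it. The schema and rows (`mytable`, `yourtable`, the row whose `x` is literally "1 and y=2") are constructed for the demonstration. Statements that are not valid SQL before binding fail at prepare time; a "?" inside quote marks is a string literal, not a placeholder, so supplying an argument for it is a binding-count error; and a bound argument is always a single value, so "1 and y=2" and "1;select * from yourtable;" are compared as strings rather than interpreted as SQL. The `textual_substitution` helper shows the alternative reading of the API purely for comparison: splicing the text in changes the meaning of the third statement from "x equals this string" to "x = 1 and y = 2".

```python
import sqlite3

# Constructed sample schema and rows (an assumption for this demonstration,
# not data from the original message). mytable holds one row whose x value
# is literally "1 and y=2" so that value binding and text splicing give
# visibly different answers.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table mytable (x text, y text)")
    conn.execute("create table yourtable (y text)")
    conn.executemany("insert into mytable values (?, ?)",
                     [("1", "2"), ("1 and y=2", "z")])
    conn.execute("insert into yourtable values ('1')")
    conn.commit()
    return conn

# The six statement/argument pairs from the message, in the order posted.
CASES = [
    ("?", ["select * from mytable;"]),
    ("sel?table;", ["lect * from my"]),
    ("select * from mytable where x = ?;", ["1 and y=2"]),
    ("select * from mytable where x = ?;", ["1;select * from yourtable;"]),
    ("select * from mytable", []),
    ("select * from mytable where x='?';", ["1';select * from yourtable where y='1"]),
]

def run_bound(conn, statement, args):
    """Prepare the statement as written, then bind args as values.

    Returns ("ok", rows) when the engine accepts the pair, or
    ("error", exception_class_name) when it refuses at prepare or bind time.
    """
    try:
        return ("ok", conn.execute(statement, args).fetchall())
    except sqlite3.Error as exc:
        return ("error", type(exc).__name__)

def textual_substitution(statement, args):
    """The unsafe reading of the API: splice each argument into the SQL text
    in place of a '?' before the engine ever sees it. Returned as a string so
    the changed statement can be inspected; nothing is executed here."""
    out = statement
    for arg in args:
        out = out.replace("?", arg, 1)
    return out

def run_all(conn=None):
    """Run every posted case through prepare-and-bind and collect results."""
    conn = conn or make_db()
    return [run_bound(conn, stmt, args) for stmt, args in CASES]

if __name__ == "__main__":
    conn = make_db()
    for (stmt, args), result in zip(CASES, run_all(conn)):
        print(repr(stmt), args, "->", result)
    # Same statement and argument as case 3, but spliced as text: the
    # argument now contributes SQL syntax instead of a value.
    spliced = textual_substitution(*CASES[2])
    print("textual case 3:", spliced, "->", conn.execute(spliced).fetchall())
```

Running it shows the first two pairs rejected with a syntax error before any argument is looked at, the third returning only the row whose `x` is the whole string "1 and y=2", the fourth returning nothing (no second statement is run), the fifth working with or without the trailing ";", and the sixth rejected because the quoted "?" is not a parameter. The spliced form of the third case instead returns the ("1", "2") row, which is the behaviour a specification has to rule out by stating that arguments are bound values, never statement text.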