- From: João Eiras <joaoe@opera.com>
- Date: Fri, 25 Sep 2009 16:11:57 +0200
- To: "public-webapps@w3.org" <public-webapps@w3.org>
Hi.

In section "4.2 Parsing and processing SQL statements", point 2 starts as "Replace each ? placeholder" but then says later "Note: Substitutions for ? placeholders are done at the literal level, not as string concatenations".

By using the word "replace", that execution step may cause confusion, as I've seen, with people thinking it might be related to some sort of concatenation, although the specification clearly clarifies that this is not the intended result.

I would reword step 2 and the clarification as:

"Bind each ? placeholder with the value of the argument in the arguments array with the same position. (So the first ? placeholder is bound to the first value in the arguments array, and generally the nth ? placeholder gets bound to the nth value in the arguments array.) By binding, the result of the query must be the same as if the arguments had been literally replaced in the SQL string, although this latter practice is not recommended because it may risk SQL injection attacks."

Using "Bind" for "Replace" makes it much more clear.

--
João Eiras
Core Developer, Opera Software ASA, http://www.opera.com/
Received on Friday, 25 September 2009 14:12:38 UTC
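The distinction the message draws, binding at the literal level versus string concatenation, shown as an added example. This is not code from the original message, from Opera, or from the Web SQL specification; it is a small model of step 2 written for illustration. Everything in it is assumed: a simplified lexer that only understands single-quoted SQL string literals with '' as the escape, the function names (sqlLiteral, bindPlaceholders, stringLiterals, demo), and the decision to throw on a placeholder/argument count mismatch, which is this example's choice rather than a statement of what the specification requires.

```javascript
// Added example (not from the original message or the Web SQL spec).
// Models "bind each ? to the nth argument" so that the result is the same as
// literal replacement, and contrasts it with naive string concatenation.

// Render a JS value as the SQL literal a binding layer would present to the
// database engine: strings quoted with embedded quotes doubled, numbers as-is,
// null/undefined as NULL. (Assumed literal syntax: single quotes, '' escape.)
function sqlLiteral(value) {
  if (value === null || value === undefined) return "NULL";
  if (typeof value === "number") {
    if (!Number.isFinite(value)) throw new TypeError("non-finite number cannot be bound");
    return String(value);
  }
  if (typeof value === "boolean") return value ? "1" : "0";
  if (typeof value === "string") return "'" + value.replace(/'/g, "''") + "'";
  throw new TypeError("unsupported bind type: " + typeof value);
}

// Step 2 as the message words it: the nth ? placeholder is bound to the nth
// argument. A ? inside an existing string literal is data, not a placeholder.
// Count mismatch throws; that is this example's choice, not the spec's text.
function bindPlaceholders(sql, args) {
  const out = [];
  let argIndex = 0;
  let inString = false;
  for (const ch of sql) {
    if (ch === "'") {            // a doubled '' toggles twice, so state is preserved
      inString = !inString;
      out.push(ch);
      continue;
    }
    if (ch === "?" && !inString) {
      if (argIndex >= args.length) throw new Error("fewer arguments than placeholders");
      out.push(sqlLiteral(args[argIndex++]));
      continue;
    }
    out.push(ch);
  }
  if (argIndex !== args.length) throw new Error("more arguments than placeholders");
  return out.join("");
}

// Extract the string literals of a statement, undoing the '' escaping, to see
// how an engine's lexer would tokenize what the application put in.
function stringLiterals(sql) {
  const literals = [];
  let i = 0;
  while (i < sql.length) {
    if (sql[i] !== "'") { i++; continue; }
    let buf = "";
    i++;                                   // skip opening quote
    while (i < sql.length) {
      if (sql[i] === "'") {
        if (sql[i + 1] === "'") { buf += "'"; i += 2; continue; }
        break;                             // closing quote
      }
      buf += sql[i++];
    }
    literals.push(buf);
    i++;                                   // skip closing quote
  }
  return literals;
}

// Same user-controlled value, bound versus concatenated. With binding the
// input stays one literal; with concatenation the quote in it ends the literal
// and the rest becomes SQL syntax.
function demo(userInput) {
  const bound = bindPlaceholders("SELECT * FROM users WHERE name = ?", [userInput]);
  const concatenated = "SELECT * FROM users WHERE name = '" + userInput + "'";
  return {
    bound,
    concatenated,
    boundLiterals: stringLiterals(bound),
    concatenatedLiterals: stringLiterals(concatenated),
  };
}

module.exports = { sqlLiteral, bindPlaceholders, stringLiterals, demo };
```

Running demo("x' OR '1'='1") shows the point of the proposed wording: the bound statement carries exactly one string literal whose value is the whole input, while the concatenated one carries three literals and an injected OR clause, even though both were "replaced" in a loose sense of the word.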