- From: Ian Hickson <ian@hixie.ch>
- Date: Wed, 17 Oct 2007 23:57:08 +0000 (UTC)
On Thu, 18 Oct 2007, timeless wrote:
>
> could you simply require that all sql statements be of the form:
>
> "X = ?" instead of "X = 1"
>
> i.e., any attempt to not use parameterized expressions throws?
>
> I know it's possible to screw this up, but would it at least be hard
> enough?

Given that "?" can be used in place of any literal, that would make many
statements really obtuse. You couldn't even do things like "select ...
where count > 1" without taking the 1 out into parameters.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /, _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Wednesday, 17 October 2007 16:57:08 UTC
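The rule timeless proposes and the cost Ian points out can both be made concrete. The following is an added example, not code from the thread or from any Web SQL implementation: a JavaScript wrapper around a stand-in for the draft API's executeSql(sql, args) that refuses any statement carrying an inline literal and requires one bound argument per "?". The tokenizer is deliberately minimal (it knows identifiers, numbers, single-quoted strings with '' escapes, "--" comments and "?" placeholders, and nothing about quoted identifiers or dialect extensions); the function names, the table and column names, and the attacker-controlled input are all constructed for the illustration.

```javascript
"use strict";

// Added example (not from the original thread): enforce "every literal must
// be a ? placeholder" on top of a Web SQL style executeSql(sql, args) call.

// Minimal SQL tokenizer. Returns [{type, text}] with types:
// ws, comment, ident, number, string, placeholder, op, error (unterminated string).
function tokenize(sql) {
  const tokens = [];
  let i = 0;
  while (i < sql.length) {
    const rest = sql.slice(i);
    let m;
    if ((m = /^\s+/.exec(rest))) {
      tokens.push({ type: "ws", text: m[0] });
    } else if ((m = /^--[^\n]*/.exec(rest))) {
      tokens.push({ type: "comment", text: m[0] });
    } else if ((m = /^[A-Za-z_][A-Za-z0-9_]*/.exec(rest))) {
      tokens.push({ type: "ident", text: m[0] });          // keyword or column/table name
    } else if ((m = /^\d+(\.\d+)?/.exec(rest))) {
      tokens.push({ type: "number", text: m[0] });
    } else if (rest[0] === "'") {
      // Single-quoted string; '' is an escaped quote. No closing quote -> error.
      m = /^'(?:[^']|'')*'/.exec(rest);
      if (m) tokens.push({ type: "string", text: m[0] });
      else { tokens.push({ type: "error", text: rest }); break; }
    } else if (rest[0] === "?") {
      tokens.push({ type: "placeholder", text: "?" });
    } else {
      tokens.push({ type: "op", text: rest[0] });          // =, >, *, comma, parens, ...
    }
    i += tokens[tokens.length - 1].text.length;
  }
  return tokens;
}

const REJECT_LABELS = {
  number: "numeric literal",
  string: "string literal",
  comment: "comment",
  error: "unterminated string literal",
};

// timeless's rule: no literal may appear in the statement text, and the
// number of "?" placeholders must match the bound arguments.
// Returns { ok: true } or { ok: false, reason }.
function checkParameterized(sql, args) {
  const tokens = tokenize(sql);
  const bad = tokens.find((t) => t.type in REJECT_LABELS);
  if (bad) return { ok: false, reason: `${REJECT_LABELS[bad.type]}: ${bad.text.trim()}` };
  const placeholders = tokens.filter((t) => t.type === "placeholder").length;
  if (placeholders !== args.length) {
    return { ok: false, reason: `expected ${placeholders} bound args, got ${args.length}` };
  }
  return { ok: true };
}

// Stand-in for transaction.executeSql(sql, args, ...): a real engine would
// bind args to the placeholders; here we only return what would be sent.
function strictExecuteSql(sql, args) {
  const verdict = checkParameterized(sql, args);
  if (!verdict.ok) throw new Error("rejected: " + verdict.reason);
  return { sql, args };
}

// The cases discussed in the thread, each reduced to accepted / refused.
function demo() {
  const userInput = "' OR '1'='1"; // constructed attacker-controlled value
  return {
    // Concatenating user input can only put the payload into the statement as
    // a literal, so the whole statement is refused before it reaches the engine.
    concatenated: checkParameterized(
      "SELECT * FROM users WHERE name = '" + userInput + "'", []).ok,
    // The parameterized form passes; the payload is just a bound value.
    bound: checkParameterized("SELECT * FROM users WHERE name = ?", [userInput]).ok,
    // Ian's objection: an ordinary constant in the query text is refused too ...
    constant: checkParameterized("SELECT name FROM items WHERE count > 1", []).ok,
    // ... and has to be hoisted out into the argument list to be accepted.
    hoisted: checkParameterized("SELECT name FROM items WHERE count > ?", [1]).ok,
  };
}
```

The demo makes the trade-off visible: the checker cannot tell the 1 in "count > 1" from a 1 an attacker spliced in, so it has to refuse both, which is exactly why every constant ends up in the argument list. Rejecting "--" comments and unterminated strings closes the usual ways of truncating a statement after a spliced quote, at the price of also refusing legitimate commented SQL.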