[whatwg] Couple comments on Database storage spec.

Ian Hickson wrote:
>> I think not having quote will make people write their own, and every so 
>> often fail at it. People that don't think about the possibility of 
>> getting exploited aren't going to use neither '?' nor quote() so they 
>> are hosed either way.
> If we include examples for how to do this (embedding ? directly into the 
> query and adding the stuff to the array), will that work? It's easier to 
> do than quoting.

It does sound like a good idea to make all examples use the '?' syntax. 
I still think that providing a quote() implementation would do more good 
than harm, but admittedly I don't care that much. Especially given that 
the worst that can happen is bugs and not security breaches.

/ Jonas

Received on Friday, 26 October 2007 10:52:06 UTC