[whatwg] Some comments/questions on database storage

On Monday, February 25, 2008 10:56 PM, Brady Eidson wrote:

> Placeholders are the mechanism the spec mandates to prevent SQL  
> injections et al.  *How* seems to be an implementation detail.
> SQLite, for example, has the ? + argument structure in place already.

So step 3 "Replace each ? placeholder" can be skipped if the underlying
DB architecture already has a similar mechanism.


> > Based on 4.11.6, step 6.7, I assume the following snippet to always
> > execute in order 1, 2, 3?
> >
> > db.transaction(function(tx) {
> >  tx.executeSql('query 1', null, function(tx, rs) {
> >    tx.executeSql('query 2', null, function(tx, rs) {
> >    });
> >  });
> >  tx.executeSql('query 3', null, function(tx, rs) {
> >  });
> > });
> 
> 4.11.3 step 6 states that if an executeSql call passed steps 1-5, the
> statement is queued up in the transaction.
> 4.11.6 step 6.7 says "move on to the next statement, if any"
> I trust this means "the next statement in the transaction's statement
> queue" and that the queue pops statements in the order they were queued.
> 
> This means that query 1 would be queued, query 3 would be queued, then
> in the callback for query 1, query 2 would be queued.
> Execution order 1, 3, 2

Hmm. I'm confused. 

A statement can only be queued when executeSql() is invoked.

It's not clear to me when the top-level executeSql() methods are invoked
with respect to the overall processing model from 4.11.6.

4.11.2:
"The transaction() method takes one or two arguments. When called, the
method must immediately return and then asynchronously run the
transaction steps"

That doesn't necessarily mean to me that any executeSql() is ever
invoked before the transaction steps are run. Thus, the transaction
queue would be empty (which makes no sense).

Is it meant that all top-level executeSql() methods are executed before
the transaction steps are run? In this case, I also see execution order
1, 3, 2.

/ralf

Received on Monday, 25 February 2008 15:12:29 UTC
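The queue ordering discussed in this thread, as an added example that is not part of the mailing-list post, the spec, or any browser's code: a minimal JavaScript model in which transaction() runs its callback, executeSql() only queues, and the queue drains in FIFO order. It is synchronous for readability (the real API is asynchronous), and the executor stub standing in for SQLite is hypothetical; it reproduces the 1, 3, 2 order and shows that a bound argument never enters the SQL text.

```javascript
// Model of the transaction statement queue as the thread reads the spec:
// executeSql() only queues, the queue is drained in FIFO order, so a
// callback's executeSql() lands behind statements already waiting.
// Synchronous illustration; the executor is a hypothetical stub.
function createDatabase(executor) {
  // executor(sql, args) -> result set; stands in for the SQLite layer.
  return {
    transaction(callback) {
      const queue = [];           // the transaction's statement queue
      const trace = [];           // SQL text in the order it was executed
      const tx = {
        executeSql(sql, args, onSuccess) {
          // 4.11.3 step 6: a statement that passes the checks is queued;
          // args stay apart from the SQL text for the executor to bind.
          queue.push({ sql, args: args || [], onSuccess });
        },
      };
      callback(tx);               // top-level executeSql() calls queue here
      while (queue.length > 0) {  // 4.11.6 step 6.7: next statement, if any
        const stmt = queue.shift();
        const rs = executor(stmt.sql, stmt.args);
        trace.push(stmt.sql);
        if (stmt.onSuccess) stmt.onSuccess(tx, rs); // may queue more
      }
      return trace;
    },
  };
}

// Replays the nested snippet from the thread; returns the execution order.
function nestedOrder() {
  const db = createDatabase(() => ({ rows: [] }));
  return db.transaction(function (tx) {
    tx.executeSql('query 1', null, function (tx, rs) {
      tx.executeSql('query 2', null, function (tx, rs) {});
    });
    tx.executeSql('query 3', null, function (tx, rs) {});
  });
}

// Shows the placeholder path: the SQL text reaches the executor unchanged and
// the value (a constructed one containing a quote) arrives as a bound argument.
function capturedBinding() {
  const seen = [];
  const db = createDatabase((sql, args) => { seen.push({ sql, args }); return { rows: [] }; });
  db.transaction(function (tx) {
    tx.executeSql('SELECT * FROM notes WHERE owner = ?', ["O'Brien"], null);
  });
  return seen[0];
}
```

Running nestedOrder() returns ['query 1', 'query 3', 'query 2'], the order Brady describes.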