- From: Křištof Želechovski <giecrilj@stegny.2a.pl>
- Date: Thu, 8 May 2008 18:54:40 +0200
I think it is safest not to replace the placeholders at all; the data server engine should accept queries with parameters (submitted separately).

Chris

-----Original Message-----
From: whatwg-bounces@lists.whatwg.org [mailto:whatwg-bounces at lists.whatwg.org] On Behalf Of Ian Hickson
Sent: Wednesday, May 07, 2008 7:15 AM
To: WHATWG Mailing List
Subject: [whatwg] SQL section feedback

> - 4.11.3 defines that placeholders simply have to be replaced with
> values from the arguments array. As I understand, this does not per se
> ban SQL injections. Will the spec define *how* to replace placeholders,
> including how to escape and quote values?

Yeah, this will be defined when we define the SQL language subset.

On Tue, 26 Feb 2008, Ralf Stoltze wrote:
>
> So step 3 "Replace each ? placeholder" can be skipped if the underlying
> DB architecture already has a similar mechanism.

Well, the "underlying DB architecture" is part of the UA, so the UA is still doing step 3. I don't really care how. :-)
Received on Thursday, 8 May 2008 09:54:40 UTC
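As an added illustration of the two approaches discussed in this thread (textual replacement of `?` versus keeping the statement and its arguments separate), here is example code that is not from the thread, the WHATWG spec or any browser; the function names, the placeholder scanner and the sample statements are my own assumptions.

```javascript
// Added example: contrasting "replace each ? placeholder" done as textual
// substitution with handing statement and arguments to the engine separately,
// as suggested in the reply above. Names and sample SQL are constructed here.

// Naive textual substitution. It rewrites every "?" in the text, including one
// inside a string literal, and whatever the argument contains becomes part of
// the SQL grammar rather than data.
function naiveReplace(sql, args) {
  let i = 0;
  return sql.replace(/\?/g, () => String(args[i++]));
}

// Offsets of the real "?" placeholders: those outside single-quoted string
// literals, double-quoted identifiers and "--" line comments. A doubled quote
// inside a literal ('it''s') is treated as an escaped quote, not a terminator.
function placeholderOffsets(sql) {
  const offsets = [];
  let quote = null;
  for (let i = 0; i < sql.length; i++) {
    const c = sql[i];
    if (quote) {
      if (c === quote) {
        if (sql[i + 1] === quote) i++;      // doubled quote escapes itself
        else quote = null;
      }
    } else if (c === "'" || c === '"') {
      quote = c;
    } else if (c === '-' && sql[i + 1] === '-') {
      const nl = sql.indexOf('\n', i);      // skip to end of line comment
      if (nl === -1) break;
      i = nl;
    } else if (c === '?') {
      offsets.push(i);
    }
  }
  return offsets;
}

// Parameterised form: the statement text is never rewritten. Only the
// placeholder count is validated, and {sql, params} is passed on for the
// engine to bind, so argument text can never change the statement's structure.
function bindParameters(sql, args) {
  const n = placeholderOffsets(sql).length;
  if (n !== args.length) {
    throw new RangeError(`statement has ${n} placeholders, got ${args.length} arguments`);
  }
  return { sql, params: args.slice() };
}
```

The naive version is there only to show why the reply's advice matters: a "?" inside a literal such as `'what?'` gets rewritten too, and the argument count check is the only thing the engine-bound version needs to do with the text.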