
[whatwg] SQL section feedback

From: Křištof Želechovski <giecrilj@stegny.2a.pl>
Date: Thu, 8 May 2008 18:54:40 +0200
Message-ID: <A9CF13E30224466887492675C65C5A44@IBM42F76C011DF>
I think it is safest not to replace the placeholders at all; the data server
engine should accept queries with parameters (submitted separately).

Chris

-----Original Message-----
From: whatwg-bounces@lists.whatwg.org
[mailto:whatwg-bounces@lists.whatwg.org] On Behalf Of Ian Hickson
Sent: Wednesday, May 07, 2008 7:15 AM
To: WHATWG Mailing List
Subject: [whatwg] SQL section feedback


> - 4.11.3 defines that placeholders simply have to be replaced with 
> values from the arguments array. As I understand, this does not per se 
> ban SQL injections. Will the spec define *how* to replace placeholders, 
> including how to escape and quote values?

Yeah, this will be defined when we define the SQL language subset.

On Tue, 26 Feb 2008, Ralf Stoltze wrote:
> 
> So step 3 "Replace each ? placeholder" can be skipped if the underlying 
> DB architecture already has a similar mechanism.

Well, the "underlying DB architecture" is part of the UA, so the UA is 
still doing step 3. I don't really care how. :-)
Received on Thursday, 8 May 2008 09:54:40 UTC
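The two approaches discussed in this thread, shown side by side as an added example (not code from the thread or from any UA). Python's sqlite3 module stands in for the UA's data engine: it accepts a statement with ? placeholders and an argument array submitted separately, as the reply above recommends. The splice_placeholders function is a hypothetical textual implementation of step 3, and the users table and its rows are constructed sample data.

```python
import sqlite3

# Constructed sample data, not from the thread.
ROWS = [(1, "alice", "what?"), (2, "bob", "plain")]


def make_db():
    """Fresh in-memory database with a hypothetical users table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, name TEXT, note TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    return con


def splice_placeholders(sql, args, escape=False):
    """Hypothetical textual step 3: replace each ? in the SQL text with the
    argument rendered as a literal. It knows nothing about SQL lexing, so it
    cannot tell a placeholder from a ? that sits inside a string literal."""
    parts = sql.split("?")
    if len(parts) - 1 != len(args):
        raise ValueError("placeholder/argument count mismatch")
    out = parts[0]
    for arg, rest in zip(args, parts[1:]):
        if isinstance(arg, str):
            text = arg.replace("'", "''") if escape else arg
            out += "'" + text + "'"  # without escape=True this is the classic injection hole
        else:
            out += str(arg)
        out += rest
    return out


def query_spliced(con, sql, args, escape=False):
    """Run the statement after textual placeholder replacement."""
    return con.execute(splice_placeholders(sql, args, escape)).fetchall()


def query_bound(con, sql, args):
    """Run the statement with the arguments handed to the engine separately;
    the engine parses the SQL first and binds values to the ? tokens it found."""
    return con.execute(sql, args).fetchall()


if __name__ == "__main__":
    con = make_db()
    hostile = "' OR '1'='1"
    sql = "SELECT id FROM users WHERE name = ? ORDER BY id"
    print("bound:          ", query_bound(con, sql, [hostile]))
    print("spliced:        ", query_spliced(con, sql, [hostile]))
    print("spliced+escape: ", query_spliced(con, sql, [hostile], escape=True))
    # A ? inside a string literal is not a placeholder for the engine,
    # but the textual replacer counts it as one.
    sql2 = "SELECT id FROM users WHERE note = 'what?' AND id = ?"
    print("bound, literal ?:", query_bound(con, sql2, [1]))
    try:
        query_spliced(con, sql2, [1])
    except ValueError as exc:
        print("spliced, literal ?:", exc)
```

Doubling the quotes closes the injection in the first query, but the second query shows why the reply above prefers not to replace placeholders in the text at all: a correct replacer has to reproduce the engine's own tokenizer (string literals, comments, identifiers) to know which ? characters are placeholders, and the engine already does that work when the values are submitted separately.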
