On Fri, 26 Oct 2007, Jonas Sicking wrote:
>
> It does sound like a good idea to make all examples use the '?' syntax.
> I still think that providing a quote() implementation would do more good
> than harm, but admittedly I don't care that much. Especially given that
> the worst that can happen
Ian Hickson wrote:
I think not having quote will make people write their own, and every so
often fail at it. People that don't think about the possibility of
getting exploited aren't going to use neither '?' nor quote() so they
are hosed either way.
If we include examples for how to do this (
On Wed, 17 Oct 2007, Jonas Sicking wrote:
> >
> > Yeah. I think having quote() might do as much damage by encouraging
> > people to write codepaths that need it as it might help by having
> > people writing those codepaths anyway be saved (if, that is, they know
> > to be saved).
> >
> > What w
Ian Hickson wrote:
On Wed, 17 Oct 2007, Scott Hess wrote:
Honestly, something like quote() is not necessary. It's just that
constructing SQL statements via concatenation is a hole I often see
people falling into. Having quote() allows you to construct safer SQL
statements, but people who con
On Thu, 18 Oct 2007, timeless wrote:
>
> could you simply require that all sql statements be of the form:
>
> "X = ?" instead of "X = 1"
>
> i.e., any attempt to not use parameterized expressions throws?
>
> I know it's possible to screw this up, but would it at least be hard
> enough?
Given
On 10/18/07, Ian Hickson <[EMAIL PROTECTED]> wrote:
> What would be cool is if we could detect, through tainting, the bad
> codepaths. But I see no way to do that here.
could you simply require that all sql statements be of the form:
"X = ?" instead of "X = 1"
i.e., any attempt to not use parame
On Wed, 17 Oct 2007, Scott Hess wrote:
>
> Honestly, something like quote() is not necessary. It's just that
> constructing SQL statements via concatenation is a hole I often see
> people falling into. Having quote() allows you to construct safer SQL
> statements, but people who construct sta
On 10/17/07, Ian Hickson <[EMAIL PROTECTED]> wrote:
> On Fri, 5 Oct 2007, Scott Hess wrote:
> > It may be worthwhile for Database to export a quote(arg) function, which
> > will quote the argument in the appropriate manner for use in
> > constructing a statement. This is useful for cases where it
On Fri, 5 Oct 2007, Scott Hess wrote:
>
> It may be worthwhile for Database to export a quote(arg) function, which
> will quote the argument in the appropriate manner for use in
> constructing a statement. This is useful for cases where it is
> challenging to reduce something to a static SQL st
to
quote by hand, I am sure I am going to fail to do it right sooner or later.
Best regards
Chris
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Scott Hess
Sent: Saturday, October 06, 2007 2:03 AM
To: WHATWG
Subject: [whatwg] Couple comments on Database
It may be worthwhile for Database to export a quote(arg) function,
which will quote the argument in the appropriate manner for use in
constructing a statement. This is useful for cases where it is
challenging to reduce something to a static SQL statement with bind
parameters. [A common case for t
11 matches
Mail list logo