On Thu, 18 Oct 2007, timeless wrote:
>
> could you simply require that all sql statements be of the form:
> "X = ?" instead of "X = 1"
>
> i.e., any attempt to not use parameterized expressions throws?
>
> I know it's possible to screw this up, but would it at least be hard
> enough?
Given that "?" can be used in place of any literal, that would make many 
statements really obtuse. You couldn't even do things like "select ... 
where count > 1" without taking the 1 out into parameters.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
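To make the trade-off in this exchange concrete, here is an added example (not code from the thread or from any WHATWG implementation): a hypothetical guard that rejects any SQL statement carrying an inline string or numeric literal, as timeless proposes, run against an in-memory SQLite table. The `items` table, its `name`/`count` columns and the sample rows are constructed for the demo; note that the plain "count > 1" query is refused and must be rewritten with "?", which is exactly the obtuseness Ian objects to, while parameter values containing quotes are passed through safely.

```python
import re
import sqlite3

# Hypothetical guard in the spirit of the proposal: a single-quoted string,
# or a number not glued to an identifier or to a "?N" placeholder, counts as
# an inline literal and is refused. (Constructed for this example.)
LITERAL_RE = re.compile(r"'(?:[^']|'')*'|(?<![\w.?])\d+(?:\.\d+)?(?![\w.])")


def has_inline_literal(sql: str) -> bool:
    """True if the statement embeds a literal instead of a "?" parameter."""
    return LITERAL_RE.search(sql) is not None


def run_parameterized(conn: sqlite3.Connection, sql: str, params=()):
    """Execute only statements whose values all arrive via "?" parameters."""
    if has_inline_literal(sql):
        raise ValueError(f"inline literal in statement: {sql!r}")
    return conn.execute(sql, params).fetchall()


def demo():
    conn = sqlite3.connect(":memory:")
    # Constructed sample data; one name deliberately contains quotes to show
    # that a bound parameter is data, never SQL.
    conn.execute("create table items (name text, count integer)")
    conn.executemany("insert into items values (?, ?)",
                     [("apple", 3), ("pear", 0), ("x' or '1'='1", 9)])

    rejected = []
    try:  # the natural way to write it is refused by the guard
        run_parameterized(conn, "select name from items where count > 1")
    except ValueError as err:
        rejected.append(str(err))

    # The "obtuse" form the guard forces: even the constant 1 is a parameter.
    popular = run_parameterized(
        conn, "select name from items where count > ? order by name", (1,))
    # A quote-laden value is matched literally, not interpreted as SQL.
    by_name = run_parameterized(
        conn, "select count from items where name = ?", ("x' or '1'='1",))
    return rejected, popular, by_name


if __name__ == "__main__":
    print(demo())
```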
