I think it is safest not to replace the placeholders at all; the data server engine should accept queries with parameters (submitted separately).
Chris

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ian Hickson
Sent: Wednesday, May 07, 2008 7:15 AM
To: WHATWG Mailing List
Subject: [whatwg] SQL section feedback

> - 4.11.3 defines that placeholders simply have to be replaced with
> values from the arguments array. As I understand, this does not per se
> ban SQL injections. Will the spec define *how* to replace placeholders,
> including how to escape and quote values?

Yeah, this will be defined when we define the SQL language subset.

On Tue, 26 Feb 2008, Ralf Stoltze wrote:
>
> So step 3 "Replace each ? placeholder" can be skipped if the underlying
> DB architecture already has a similar mechanism.

Well, the "underlying DB architecture" is part of the UA, so the UA is
still doing step 3. I don't really care how. :-)
