[] (0) SQL: Clarify how ?-substitution happens, clarify that an Objec…

…tArray is really an 'any' array. git-svn-id: http://svn.whatwg.org/webapps@2457 340c8d12-0b0e-0410-8428-c7bf67bfef74
whatwg · Nov 26, 2008 · fa2c918 · fa2c918
1 parent 8aaafbc
commit fa2c918
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 6 deletions.
diff --git a/index b/index
@@ -37856,7 +37856,7 @@ interface <dfn id=sqltransactionerrorcallback>SQLTransactionErrorCallback</dfn>
   methods invoke callbacks with <code><a href=#sqltransaction>SQLTransaction</a></code>
   objects.</p>
 
-  <pre class=idl>typedef sequence&lt;Object&gt; <dfn id=objectarray>ObjectArray</dfn>;
+  <pre class=idl>typedef sequence&lt;any&gt; <dfn id=objectarray>ObjectArray</dfn>;
 
 interface <dfn id=sqltransaction>SQLTransaction</dfn> {
   void <a href=#dom-sqltransaction-executesql title=dom-sqltransaction-executeSql>executeSql</a>(in DOMString sqlStatement);
@@ -37889,9 +37889,9 @@ interface <dfn id=sqlstatementerrorcallback>SQLStatementErrorCallback</dfn> {
    only called once a transaction has failed, and no SQL statements
    can be added to a failed transaction.)</li>
 
-   <li><p>Parse the first argument to the method (<var title="">sqlStatement</var>) as an SQL statement, with the
+   <li><p>Parse the first argument to the method (<var title="">sqlStatement</var>) as a SQL statement, with the
    exception that <code title="">?</code> characters can be used in
-   place of literals in the statement. <a href=#refsSQL>[SQL]</a></li>
+   place of SQL literals in the statement. <a href=#refsSQL>[SQL]</a></li>
 
    <li>
 
@@ -37901,6 +37901,12 @@ interface <dfn id=sqlstatementerrorcallback>SQLStatementErrorCallback</dfn> {
     placeholder gets replaced by the first value in the <var title="">arguments</var> array, and generally the <var title="">n</var>th <code title="">?</code> placeholder gets
     replaced by the <var title="">n</var>th value in the <var title="">arguments</var> array.)</p>
 
+    <p class=note>Substitutions for <code title="">?</code>
+    placeholders are done at the literal level, not as string
+    concatenations, so this provides a way to dynamically insert
+    parameters into a statement without risk of a SQL injection
+    attack.</p>
+
     <p>If the second argument is omitted or null, then treat the <var title="">arguments</var> array as empty.</p>
 
     <p>The result is <i>the statement</i>.</p>

diff --git a/source b/source
@@ -43071,7 +43071,7 @@ interface <dfn>SQLTransactionErrorCallback</dfn> {
   methods invoke callbacks with <code>SQLTransaction</code>
   objects.</p>
 
-  <pre class="idl">typedef sequence&lt;Object> <dfn>ObjectArray</dfn>;
+  <pre class="idl">typedef sequence&lt;any> <dfn>ObjectArray</dfn>;
 
 interface <dfn>SQLTransaction</dfn> {
   void <span title="dom-sqltransaction-executeSql">executeSql</span>(in DOMString sqlStatement);
@@ -43111,9 +43111,9 @@ interface <dfn>SQLStatementErrorCallback</dfn> {
    can be added to a failed transaction.)</p></li>
 
    <li><p>Parse the first argument to the method (<var
-   title="">sqlStatement</var>) as an SQL statement, with the
+   title="">sqlStatement</var>) as a SQL statement, with the
    exception that <code title="">?</code> characters can be used in
-   place of literals in the statement. <a
+   place of SQL literals in the statement. <a
    href="#refsSQL">[SQL]</a></p></li>
 
    <li>
@@ -43127,6 +43127,12 @@ interface <dfn>SQLStatementErrorCallback</dfn> {
     replaced by the <var title="">n</var>th value in the <var
     title="">arguments</var> array.)</p>
 
+    <p class="note">Substitutions for <code title="">?</code>
+    placeholders are done at the literal level, not as string
+    concatenations, so this provides a way to dynamically insert
+    parameters into a statement without risk of a SQL injection
+    attack.</p>
+
     <p>If the second argument is omitted or null, then treat the <var
     title="">arguments</var> array as empty.</p>