Re: When standards attack...

[Florian Weimer <fw () deneb enyo de>]

* H. D. Moore:

> The WebKit folks just added client-side SQL database support:
>  
> http://webkit.org/blog/126/webkit-does-html5-client-side-database-storage/
> http://glazkov.com/blog/html5-gears-wrapper/
>
> In addition to all of the existing attacks through a web browser, we can 
> now take into account SQLite vulnerabilities and client-side SQL 
> injection issues as well.

Interesting.  SQLite is a great piece of software, but it's not very
close to SQL, viz:

sqlite> SELECT 1 = '1';
0
sqlite> 

I wonder how the WebKit folks will bridge this gap, or if the people
behind HTML5 will standardize on whatever SQLite implements.

I'm also a bit surprised that the Javascript folks are suddenly expected
to write their programs in continuation-passing style, without much
syntactic support from the language.  It's like pre-generics Java
typing, but this time for flow control constructs.  Oh well.

> ...because letting developers choose to bind their query parameters has 
> worked so well before ;-)

What's the alternative?  A combinator library?  A language extension
that only permits static query strings?  String interpolation as
structured objects?  Most approaches require a new Ecmascript revision.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/