--- html5/webdatabase/Overview.html 2009/10/04 10:14:19 1.36 +++ html5/webdatabase/Overview.html 2009/12/01 06:51:15 1.50 @@ -1,4 +1,4 @@ -Web Database
+

W3C

-

Web Database

-

W3C Working Draft 10 September 2009

+

Web SQL Database

-
This Version:
-
http://www.w3.org/TR/2009/WD-webdatabase-20090910/
-
Latest Published Version:
+

Editor's Draft 1 December 2009

+
Latest Published Version:
http://www.w3.org/TR/webdatabase/
Latest Editor's Draft:
http://dev.w3.org/html5/webdatabase/
-
Previous Versions:
-
http://www.w3.org/TR/2009/WD-webdatabase-20090423/ - :ZZZ --> +
http://www.w3.org/TR/2009/WD-webstorage-20090423/ +
http://www.w3.org/TR/2009/WD-webdatabase-20091029/
+
Editors:
Ian Hickson, Google, Inc.

Copyright @@ -231,8 +231,8 @@

The W3C Web Apps Working Group is the W3C working group responsible for this specification's progress along the W3C Recommendation track. - This specification is the 10 September 2009 First Public Working Draft. + This specification is the 1 December 2009 Editor's Draft.

This document was produced by a group operating under the 5 February 2004 W3C Patent Policy. W3C maintains a public list of any patent disclosures made in connection with the deliverables @@ -513,22 +513,22 @@ interface Dat instead of the user agent prompting the user for permission to increase the quota every five megabytes.

4.2 Parsing and processing SQL statements

When the user agent is to preprocess a SQL statement sqlStatement with an array of arguments arguments, it must run the following steps:

  1. Parse sqlStatement as a SQL statement, - with the exception that U+003F QUESTION MARK (?) characters can be + with the exception that U+003F QUESTION MARK characters (?) can be used in place of SQL literals in the statement. [SQL]

  2. -

    Replace each ? placeholder with the value - of the argument in the arguments array with - the same position. (So the first ? - placeholder gets replaced by the first value in the arguments array, and generally the nth ? placeholder gets - replaced by the nth value in the arguments array.)

    - -

    Substitutions for ? - placeholders are done at the literal level, not as string - concatenations, so this provides a way to dynamically insert - parameters into a statement without risk of a SQL injection - attack.

    +

    Bind each ? placeholder with the value of + the argument in the arguments array with the + same position. (So the first ? placeholder + gets bound to the first value in the arguments + array, and generally the nth ? placeholder gets bound to the nth value in the arguments + array.)

    + +

    Binding the ? placeholders + is done at the literal level, not as string concatenations, so + this provides a way to dynamically insert parameters into a + statement without risk of a SQL injection attack.

    The result is the statement.

    @@ -788,8 +788,8 @@ interface SQLError object that represents the last error to have occurred in this transaction. Rollback the transaction. Any still-pending statements in the transaction are discarded.
    3. @@ -958,9 +958,13 @@ interface S be zero).
    interface SQLResultSetRowList {
   readonly attribute unsigned long length;
   getter any item(in unsigned long index);
-};

    Implementors are encouraged to implement - SQLResultSetRowList objects lazily, or at least - asynchronously, for better performance.

    SQLResultSetRowList objects have a length +};

    For the asynchronous API, implementors are + encouraged to prefetch all the data for + SQLResultSetRowList objects when the object is + constructed (before the result set callback is invoked), rather than + on-demand, for better responsiveness. For the synchronous API, an + on-demand lazy evaluation implementation strategy is encouraged + instead, for better performance.

    SQLResultSetRowList objects have a length attribute that must return the number of rows it represents (the number of rows returned by the database). This is the length.

    Fetching the length might be expensive, and authors are thus encouraged to avoid using it (or @@ -1068,7 +1072,7 @@ interface S A lock for the transaction could not be obtained in a reasonable time. -

    5 Web SQL

    Need to define the SQL dialect.

    6 Disk space

    User agents should limit the total amount of space allowed for +

    5 Web SQL

    User agents must implement the SQL dialect supported by Sqlite 3.6.19.

    6 Disk space

    User agents should limit the total amount of space allowed for databases.

    User agents should guard against sites storing data under the @@ -1084,7 +1088,8 @@ interface S future.

    7 Privacy

    7.1 User tracking

    A third-party advertiser (or any entity capable of getting content distributed to multiple sites) could use a unique identifier stored in its - client-side database + client-side databases + to track a user across multiple sessions, building a profile of the user's interests to allow for highly targeted advertising. In @@ -1099,6 +1104,7 @@ interface S

    User agents may restrict access to the database objects + to scripts originating at the domain of the top-level document of the browsing context, for instance denying access to the API for pages from other domains running in @@ -1109,8 +1115,8 @@ interface S

    Expiring stored data
    -

    User agents may automatically delete stored data after a period - of time.

    +

    User agents may, if so configured by the user, automatically + delete stored data after a period of time.

    This can restrict the ability of a site to track a user, as the @@ -1118,10 +1124,11 @@ interface S sessions when he authenticates with the site itself (e.g. by making a purchase or logging in to a service).

    -

    However, this also puts the user's data at risk.

    +

    However, this also reduces the usefulness of the API as a + long-term storage mechanism. It can also put the user's data at + risk, if the user does not fully understand the implications of + data expiration.

    -
    @@ -1130,12 +1137,10 @@ interface S

    If users attempt to protect their privacy by clearing cookies without also clearing data stored in the - - database + relevant databases, - - feature, sites can defeat those attempts by using the two features - as redundant backup for each other. User agents should present the + sites can defeat those attempts by using the two features as + redundant backup for each other. User agents should present the interfaces for clearing these in a way that helps users to understand this possibility and enables them to delete data in all persistent storage features simultaneously. [COOKIES]

    @@ -1145,12 +1150,14 @@ interface S
    Site-specific white-listing of access to databases +

    User agents may require the user to authorize access to databases before a site can use the feature.

    +
    @@ -1240,6 +1247,9 @@ interface S JavaScript is implicitly UTF-16.

    8.5 SQL injection

    Authors are strongly recommended to make use of the ? placeholder feature of the executeSql() method, and to never construct SQL statements on the fly.

    References

    All references are normative unless marked "Non-normative".

    [COOKIES]