[TYPO3-dev] Joining table with Typo3 ?
Bernhard Kraft
kraftb at kraftb.at
Fri Dec 30 00:59:37 CET 2005
Yannick wrote:
> Allo,
>
> Can you tell me if my code is right please ?
>
> --------------
> $where = sprintf("p.uid=f.programme AND f.uid=c.fiche_id AND
> f.uid = %d",
> $this->piVars[f]
> );
Beware of XSS !!
Never do
"uid=".$this->piVars[bla]
or similar.
If you WANT to have an INTEGER, tell the interpreter to make one:
"uid=".intval($this->piVars[bla])
else somebody could send
"; DELETE from be_users;"
as piVar[bla] and you would surely not be lucky !!!
See:
http://typo3.org/documentation/document-library/doc_core_cgl/Security_in_your_scr/#oodoc_part_4097
or better read the complete "Security" section of the "Project Coding Guidelines"
> $sql = $db->exec_SELECTquery('f.nom_fiche, f.contenu,
> p.nom','tx_mccfiche_fiches as f, tx_mccfiche_programme as
> p,tx_mccfiche_contenu as c ',$where);
>
> $InfosFiche = $db->sql_fetch_assoc($sql);
> <...
>
> --------
>
> I have one record in this request, but I don't know do "joining table" with
> Typo3.
Giving more than one table separated by "," (comma) is already an inner (?) join.
Don't know what "other" join you would like to have?
greets,
Bernhard
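
An added example, not part of the original post and not TYPO3 code: plain PHP with an in-memory SQLite database shows what intval() does to the string from the reply, and that the comma-separated table list returns the same rows as an explicit INNER JOIN. The rows, the column types and the $piVars array standing in for $this->piVars are constructed assumptions.

```php
<?php
// Constructed schema and rows; in-memory SQLite stands in for the TYPO3 database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tx_mccfiche_programme (uid INTEGER PRIMARY KEY, nom TEXT)');
$db->exec('CREATE TABLE tx_mccfiche_fiches (uid INTEGER PRIMARY KEY, programme INTEGER, nom_fiche TEXT, contenu TEXT)');
$db->exec('CREATE TABLE tx_mccfiche_contenu (uid INTEGER PRIMARY KEY, fiche_id INTEGER)');
$db->exec("INSERT INTO tx_mccfiche_programme VALUES (1, 'Programme A')");
$db->exec("INSERT INTO tx_mccfiche_fiches VALUES (1, 1, 'Fiche 1', 'text 1'), (2, 1, 'Fiche 2', 'text 2')");
$db->exec('INSERT INTO tx_mccfiche_contenu VALUES (1, 1), (2, 2)');

// Hypothetical stand-in for $this->piVars: request data arrives as a string
// and is controlled by the sender. The value is the one quoted in the reply,
// prefixed with a valid uid.
$piVars = array('f' => '1; DELETE from be_users;');

// Unsafe: raw concatenation carries the whole string into the SQL text.
// Built here only to display it; it is never executed.
$unsafeWhere = 'f.uid = ' . $piVars['f'];

// Safe: intval() keeps only the leading integer, so only digits reach the query.
$fid = intval($piVars['f']);
$where = 'p.uid = f.programme AND f.uid = c.fiche_id AND f.uid = ' . $fid;

$fields = 'f.nom_fiche, f.contenu, p.nom';

// Comma-separated tables with the join conditions in WHERE ...
$commaJoin = "SELECT $fields
    FROM tx_mccfiche_fiches AS f, tx_mccfiche_programme AS p, tx_mccfiche_contenu AS c
    WHERE $where";

// ... select the same rows as an explicit INNER JOIN.
$innerJoin = "SELECT $fields
    FROM tx_mccfiche_fiches AS f
    INNER JOIN tx_mccfiche_programme AS p ON p.uid = f.programme
    INNER JOIN tx_mccfiche_contenu AS c ON f.uid = c.fiche_id
    WHERE f.uid = $fid";

$commaRows = $db->query($commaJoin)->fetchAll(PDO::FETCH_ASSOC);
$innerRows = $db->query($innerJoin)->fetchAll(PDO::FETCH_ASSOC);

echo "unsafe clause: $unsafeWhere\n";
echo "safe clause:   f.uid = $fid\n";
echo 'same rows from both join forms: ';
var_dump($commaRows === $innerRows);
print_r($commaRows);
```

Note that intval() silently turns non-numeric input into 0 instead of rejecting it, so a request that must carry a valid uid should still be checked for an empty result.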