[TYPO3-dev] Joining table with Typo3 ?
Arne Skjaerholt
arnsholt at broadpark.no
Fri Dec 30 04:31:27 CET 2005
On Fri, 2005-12-30 at 00:59 +0100, Bernhard Kraft wrote:
> Yannick wrote:
> > Allo,
> >
> > Can you tell me if my code is right please?
> >
> > --------------
> > $where = sprintf("p.uid=f.programme AND f.uid=c.fiche_id AND
> > f.uid = %d",
> > $this->piVars['f']
> > );
>
> Beware of XSS !!
>
> never do
>
> "uid=".$this->piVars[bla]
>
> or similar.
>
> if you WANT to have an INTEGER tell the interpreter to make one:
>
> "uid=".intval($this->piVara[bla])
>
> else somebody could send
>
> "; DELETE from be_users;"
>
Have another look at the code. He's not interpolating the variable
directly into the text, he's using sprintf(). So if the data doesn't fit
the %d specifier (that is, can't be converted into an integer), you'll
get a run-time exception or something along those lines (I can't
remember the exact error in PHP). Perhaps not an ideal solution, but not
a security risk (at least, not unless PHP has a boneheaded
implementation of sprintf() =).
Arne
:wq
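Added example (not from the thread) comparing the three forms discussed above on the sample value from Bernhard's mail: plain concatenation, sprintf('%d') and intval(), plus a stricter check that rejects non-numeric input instead of silently querying uid 0. The $piVars array and the helper names are constructed for illustration; no database is touched.

```php
<?php
// Added example, not code from the thread: how each form handles a hostile piVars value.
// Constructed request input, using the sample value quoted in the discussion.
$piVars = ['f' => '"; DELETE from be_users;"'];

// 1. Plain concatenation: the string lands in the SQL text unchanged.
function whereConcat(array $piVars): string
{
    return 'p.uid=f.programme AND f.uid=c.fiche_id AND f.uid=' . $piVars['f'];
}

// 2. sprintf('%d'): PHP casts the argument to int; a non-numeric string becomes 0.
function whereSprintf(array $piVars): string
{
    return sprintf('p.uid=f.programme AND f.uid=c.fiche_id AND f.uid=%d', $piVars['f']);
}

// 3. intval(): explicit cast, same result as %d for this purpose.
function whereIntval(array $piVars): string
{
    return 'p.uid=f.programme AND f.uid=c.fiche_id AND f.uid=' . intval($piVars['f']);
}

// Stricter variant (hypothetical helper): accept only a string of decimal digits,
// so "12abc", "" or a payload are refused up front rather than mapped to uid 0.
function fUidOrNull(array $piVars): ?int
{
    $v = $piVars['f'] ?? null;
    return (is_string($v) && ctype_digit($v)) ? (int) $v : null;
}

foreach (['whereConcat', 'whereSprintf', 'whereIntval'] as $fn) {
    printf("%-13s %s\n", $fn . ':', $fn($piVars));
}
var_dump(fUidOrNull($piVars));        // NULL: the request is rejected
var_dump(fUidOrNull(['f' => '42']));  // int(42)
```

Running it shows the concatenated WHERE clause carrying the payload verbatim, while both the %d and intval() versions end in "f.uid=0"; the digit check is what lets the plugin distinguish a bogus request from a genuine uid 0.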