[TYPO3-dev] Joining table with Typo3 ?

Yannick ypavard at infoglobe.ca
Fri Dec 30 17:57:29 CET 2005


Bernhard Kraft wrote:

Hello

> Beware of XSS !!
> never do
> "uid=".$this->piVars[bla]
> or similar.
> if you WANT to have an INTEGER tell the interpreter to make one:
> "uid=".intval($this->piVars[bla])
> else somebody could send
> "; DELETE from be_users;"
> as piVar[bla] and you would surely not be lucky !!!
> See:
> http://typo3.org/documentation/document-library/doc_core_cgl/Security_in_your_scr/#oodoc_part_4097

Oops! Exactly, sorry ;)

> or better read the complete "Security" section of the "Project Coding
> Guidelines"
>> $sql = $db->exec_SELECTquery('f.nom_fiche, f.contenu,
>> p.nom','tx_mccfiche_fiches as f, tx_mccfiche_programme as
>> p,tx_mccfiche_contenu as c ',$where); 
>> $InfosFiche = $db->sql_fetch_assoc($sql);

> Giving more than one table separated by "," (comma) is already an inner
> (?) join.

TYPO3 with DBAL doesn't use aliases, for example: mytable as my

See:
http://typo3.org/documentation/document-library/doc_core_cgl/Other_guidelines/

> don't know what "other" join you would like to have ?

I have changed my code:

// Cast the request value to an integer so it cannot alter the SQL
$IdFiche = isset($this->piVars['f']) ? intval($this->piVars['f']) : null;

if (isset($IdFiche etc ...)

// Comma-separated tables plus the join conditions in WHERE = inner join
$where = sprintf("tx_mccfiche_programme.uid=tx_mccfiche_fiches.programme AND
tx_mccfiche_fiches.uid=tx_mccfiche_contenu.fiche_id AND
tx_mccfiche_fiches.uid = %d", $IdFiche);
$sql = $db->exec_SELECTquery('tx_mccfiche_fiches.nom_fiche,
tx_mccfiche_contenu.bodytext,
tx_mccfiche_programme.nom', 'tx_mccfiche_fiches, tx_mccfiche_programme,
tx_mccfiche_contenu', $where);
$InfosFiche = $db->sql_fetch_assoc($sql);

Is it better?

Thank you

> greets,
> Bernhard
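The injection the thread warns about, and the intval() fix it arrives at, as an added stand-alone example (not code from the thread or from TYPO3). It keeps the three table names and the join conditions from the posted query, but replaces TYPO3's $this->piVars and exec_SELECTquery() with a plain array and PDO on an in-memory SQLite database so it runs without TYPO3; the rows and the attacker value are constructed here. Because mysql_query() does not run stacked statements, the payload used is a tautology rather than the "; DELETE ..." from the quoted reply.

```php
<?php
// Added example: mimics the thread's three-table join with PDO + SQLite.
// Table/column names come from the posted query; rows are constructed.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$db->exec('CREATE TABLE tx_mccfiche_programme (uid INTEGER PRIMARY KEY, nom TEXT)');
$db->exec('CREATE TABLE tx_mccfiche_fiches (uid INTEGER PRIMARY KEY, programme INTEGER, nom_fiche TEXT)');
$db->exec('CREATE TABLE tx_mccfiche_contenu (uid INTEGER PRIMARY KEY, fiche_id INTEGER, bodytext TEXT)');
$db->exec("INSERT INTO tx_mccfiche_programme VALUES (1, 'Programme A'), (2, 'Programme B')");
$db->exec("INSERT INTO tx_mccfiche_fiches VALUES (10, 1, 'Public fiche'), (11, 2, 'Hidden fiche')");
$db->exec("INSERT INTO tx_mccfiche_contenu VALUES (100, 10, 'public text'), (101, 11, 'secret text')");

// Same shape as the thread's query: a comma-separated FROM list with the
// join conditions in WHERE is an implicit inner join.
const SELECT_FIELDS = 'tx_mccfiche_fiches.nom_fiche, tx_mccfiche_contenu.bodytext, tx_mccfiche_programme.nom';
const FROM_TABLES   = 'tx_mccfiche_fiches, tx_mccfiche_programme, tx_mccfiche_contenu';
const JOIN_COND     = 'tx_mccfiche_programme.uid = tx_mccfiche_fiches.programme AND '
                    . 'tx_mccfiche_fiches.uid = tx_mccfiche_contenu.fiche_id';

// Vulnerable: the request value is concatenated into the WHERE clause verbatim.
// $piVars stands in for $this->piVars (GET/POST data, never trustworthy).
function whereVulnerable(array $piVars): string
{
    return JOIN_COND . ' AND tx_mccfiche_fiches.uid = ' . $piVars['f'];
}

// Hardened: the value is forced to an integer before it touches the SQL,
// exactly as the thread recommends (intval() / sprintf %d).
function whereHardened(array $piVars): string
{
    $idFiche = isset($piVars['f']) ? intval($piVars['f']) : 0;
    return sprintf('%s AND tx_mccfiche_fiches.uid = %d', JOIN_COND, $idFiche);
}

function runSelect(PDO $db, string $where): array
{
    $sql = sprintf('SELECT %s FROM %s WHERE %s', SELECT_FIELDS, FROM_TABLES, $where);
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed attacker input: "10 OR 1=1". In the vulnerable variant the OR
// binds after the ANDs, so every join condition is bypassed and the query
// returns the full cross product (2 x 2 x 2 = 8 rows), including the hidden
// fiche's bodytext. intval('10 OR 1=1') is 10, so the hardened variant only
// returns the one row the caller asked for.
$evil = ['f' => '10 OR 1=1'];

$leaked = runSelect($db, whereVulnerable($evil));
$safe   = runSelect($db, whereHardened($evil));

printf("vulnerable: %d rows, fiches: %s\n",
    count($leaked), implode(', ', array_unique(array_column($leaked, 'nom_fiche'))));
printf("hardened:   %d rows, fiches: %s\n",
    count($safe), implode(', ', array_unique(array_column($safe, 'nom_fiche'))));
```

Run it with php on a build that has pdo_sqlite. The same cast protects TYPO3's exec_SELECTquery() because the WHERE string reaches MySQL unchanged; for values that really are strings rather than integers, intval() is not the answer and the value has to be quoted and escaped before it is concatenated.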
