[TYPO3-dev] Improvement against SQL injections
Martin Kutschker
martin.kutschker-n0spam at no5pam-blackbox.net
Sat Jun 16 10:40:05 CEST 2007
ries van Twisk schrieb:
> Since we have DBAL in place,
>
> why not parse all SQL statements and deny insert/delete/updates to
> tables using a rule set similar to ACLs.
And say goodbye to performance? Use the ACL of the DB to do this.
Masi
> I am always against giving extension direct DB access (in any system)
> and I strongly believe there should be a proper DB API.
DBs have ACLs and VIEWs to relieve the application of some of this burden.
> Apart from that:
> With a proper DB API you can also set up an ACL on a DB level.
But once this is broken by the attacker he has gained full access again.
Masi
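The DB-level ACL and VIEW approach Masi refers to, as an added example that is not part of the thread or of TYPO3 itself; the database name typo3db, the account ext_reader, the table tx_myext_log and the extension's needs are assumptions for illustration:

```sql
-- Added example (not from the thread): least-privilege MySQL setup for a
-- hypothetical TYPO3 extension that only needs to read page titles and
-- write its own log table. All names below are assumptions.

-- 1. A dedicated account for the extension's DB connection, separate from
--    the account the core uses for INSERT/UPDATE/DELETE on core tables.
CREATE USER 'ext_reader'@'localhost' IDENTIFIED BY '<choose-a-strong-password>';

-- 2. A view exposing only the columns the extension needs; the base table
--    (pages) is never granted to this account directly.
CREATE VIEW typo3db.v_pages_public AS
  SELECT uid, pid, title
    FROM typo3db.pages
   WHERE deleted = 0 AND hidden = 0;

-- 3. Grants: read-only on the view, write only on the extension's own table.
--    No privilege at all on pages, be_users, fe_users, etc.
GRANT SELECT ON typo3db.v_pages_public TO 'ext_reader'@'localhost';
GRANT SELECT, INSERT ON typo3db.tx_myext_log TO 'ext_reader'@'localhost';
FLUSH PRIVILEGES;

-- 4. Check: the server, not an application-layer SQL parser, refuses a
--    write against pages from this account (MySQL error 1142,
--    "command denied to user"), which is the point made above.
-- mysql -u ext_reader -p typo3db -e "DELETE FROM pages WHERE uid = 1"
SHOW GRANTS FOR 'ext_reader'@'localhost';
```

The grants hold only as far as the compromised account reaches, which is Masi's caveat: an injection through a connection that already has write privileges on core tables is not contained by this setup, so the writing account needs the same scoping.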